Re: [Xen-devel] [PATCH] x86/hvm: Allow the guest to permit the use of userspace hypercalls

[Andrew Cooper <andrew.cooper3@xxxxxxxxxx>]

On 11/01/16 18:40, David Vrabel wrote:
> On 11/01/16 18:32, Andrew Cooper wrote:
>> On 11/01/16 18:26, David Vrabel wrote:
>>> On 11/01/16 17:17, Andrew Cooper wrote:
>>>> So from one point of view, sufficient justification for this change is
>>>> "because the Linux way isn't the only valid way to do this".
>>> "Because we can" isn't a good justification for adding something new.
>> "Because I need this to sensibly regression test bits of the hypervisor" is.
> No.  Tests should not require a magic mode -- they should test the
> existing ABIs guests actually use.

It isn't a magic mode.

>
>>> Particularly something that is trivially easy to (accidentally) misuse
>>> and open a big security hole between userspace and kernel.
>> This is no conceptual difference to incorrectly updating a pagetable, or
>> having wrong dpl checks in the IDT.
> Yes there is.  This proposed ABI addition is impossible to use safely.

It is perfectly possible to use safely.  "Safe" is a matter of
perspective, and depends on the usecase.  My entire argument here is
that "The Linux way" isn’t the only way, and it is wrong of Xen to
enforce "the Linux way" as the only way.

>
>> An OS which doesn't use the hypercall can't shoot itself.  An OS which
>> does use it has plenty of other ways to accidentally compromise itself.
> This ABI allows /untrusted userspace/ to shoot the whole OS in the foot.
>  It's quite different.

Only if the OS chooses to permit this.  If an OS doesn't want itself to
be shot, it doesn't use this hypercall and everything works as before.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel