[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HVM/PVH Balloon crash

On Thu, Sep 30, 2021 at 09:08:34AM +0200, Jan Beulich wrote:
> On 29.09.2021 17:31, Elliott Mitchell wrote:
> > 
> > Copy and paste from the xl.cfg man page:
> > 
> >        nestedhvm=BOOLEAN
> >            Enable or disables guest access to hardware virtualisation
> >            features, e.g. it allows a guest Operating System to also 
> > function
> >            as a hypervisor. You may want this option if you want to run
> >            another hypervisor (including another copy of Xen) within a Xen
> >            guest or to support a guest Operating System which uses hardware
> >            virtualisation extensions (e.g. Windows XP compatibility mode on
> >            more modern Windows OS).  This option is disabled by default.
> > 
> > "This option is disabled by default." doesn't mean "this is an
> > experimental feature with no security support and is likely to crash the
> > hypervisor".
> 
> Correct, but this isn't the only place to look at. Quoting
> SUPPORT.md:

You expect everyone to memorize SUPPORT.md (almost 1000 lines) before
trying to use Xen?

Your statement amounts to saying you really expect that.  People who want
to get work done will look at `man xl.cfg` when needed, and follow
instructions.

Mentioning something in `man xl.cfg` amounts to a statment "this is
supported".  Experimental/unsupported options need to be marked
"EXPERIMENTAL: DO NOT ENABLE IN PRODUCTION ENVIRONMENTS".


> Yet that's still a configuration error (of the guest), not a bug in
> Xen.

Documentation that poor amounts to a security vulnerability.



I would suggest this needs 2 extra enablers.

First, this has potential to panic the hypervisor.  As such there needs
to be an "enable_experimental=" option for the Xen command-line.  The
argument would be a list of features to enable ("nestedhvm" for this
case).  If this is absent, the hypervisor should ideally disable as much
of the code related to the unsupported/experimental features as possible.

Second, since this needs to be enabled per-domain, there should be a
similar "enable_experimental" setting for xl.cfg options.



I think this really is bad enough to warrant a security vulnerability
and updates to all branches.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sigmsg@xxxxxxx  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.