On Fri, Sep 19, 2014 at 4:35 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Fri, Sep 19, 2014 at 04:29:53PM -0700, H. Peter Anvin wrote:
>>
>> Actually, a much bigger reason is because it lets rogue guest *user
>> space*, even with a well-behaved guest OS, do something potentially
>> harmful to the host.
>
> Right, but if the host kernel is dependent on the guest OS for
> security, the game is over. The Guest Kernel must NEVER be able to
> do anything harmful to the host. If it can, it is a severe security
> bug in KVM that must be fixed ASAP.

Nonetheless, I suspect that some OS kernel author, somewhere, will object
to having a hypervisor that exposes new capabilities to guest CPL 3
without requiring the guest to opt in, if for no other reason than that
it slightly increases the attack surface. I certainly object on these
grounds.

--Andy