On 08.12.2011, at 10:59, Avi Kivity <avi@xxxxxxxxxx> wrote:

> On 12/08/2011 11:53 AM, Sasha Levin wrote:
>> On Thu, 2011-12-08 at 11:45 +0200, Avi Kivity wrote:
>>> On 12/08/2011 11:25 AM, Sasha Levin wrote:
>>>> On Thu, 2011-12-08 at 10:12 +0100, Carsten Otte wrote:
>>>>> plain text document attachment (enable-ucontrol.patch)
>>>>> This patch introduces a new config option for user controlled kernel
>>>>> virtual machines. It introduces an optional parameter to
>>>>> KVM_CREATE_VM in order to create a user controlled virtual machine.
>>>>> The parameter is passed to kvm_arch_init_vm for all architectures.
>>>>> Valid values for the new parameter are KVM_VM_REGULAR (defined to 0
>>>>> for backward compatibility to old KVM_CREATE_VM) and
>>>>> KVM_VM_S390_UCONTROL for s390 only.
>>>>
>>>> Why is it s390 specific? Why isn't it KVM_VM_UCONTROL which is currently
>>>> only implemented on s390?
>>>
>>> It's not possible (or at least very difficult) to implement ucontrol on
>>> x86. For example, to update VMCSs you need privileged instructions. It
>>> might be doable on svm, but there's no point, really.
>>
>> Might not work for x86, but maybe on arm? ppc? or some other random arch
>> that will be added in the future?
>>
>> No point in limiting it to s390 from day one.
>
> Agree.

I don't think I would want to see full exposure of the vm control block to user space on any architecture really. If the 390 folks like to shoot themselves in the security foot, I'm ok with that, but the whole idea of kvm is to abstract these hw details. By giving user space direct access to the vm control block, you essentially give user space a mkcpl(0) ioctl.

The vm control block in memory is also pretty specific to s390. The only other thing that comes close, where mmap'ing something actually gives you control over the full vm description, is SVM's VMCB. All other archs (not 100% sure on arm) need to modify registers from cpl0 code.

So overall I dislike the idea of exposing the SIE block to user space. Imagine a system with containers on it where container vms should still be able to run kvm vms. From a security pov, this would break it, as you essentially give the user full access over the host. Unless CAP_ADMIN is not set in such a scenario of course. Then it's only as bad as /dev/mem which any random trojan or virus could use to inject itself into the kernel.

If you really have to do this, please

1) make it s390 only. I don't even want to have to see this ugliness in other archs
2) make it a config option, so sane people can disable it. (which you already do, good)

Thanks,

Alex
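The gating the thread asks for (a type argument that defaults to the old behaviour, a ucontrol mode accepted only on s390, compiled out by a config option, and unavailable without the admin capability) can be modelled in a few lines. The following C program is an added illustration written for this thread, not the patch's code or the kernel's kvm_arch_init_vm; the numeric value of KVM_VM_S390_UCONTROL, the arch enum and the two boolean flags that stand in for CONFIG_KVM_S390_UCONTROL and capable(CAP_SYS_ADMIN) are assumptions made here for the model.

```c
/* Illustrative model of per-architecture validation of a KVM_CREATE_VM "type"
 * argument, written for this discussion. It is not kernel code: the arch
 * enum, the config flag and the capability flag are assumptions of the model,
 * and only the names KVM_VM_REGULAR / KVM_VM_S390_UCONTROL come from the patch
 * description (the value 1 for the latter is an assumption). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define KVM_VM_REGULAR       0UL   /* 0 keeps old KVM_CREATE_VM callers working */
#define KVM_VM_S390_UCONTROL 1UL   /* assumed value */

enum arch { ARCH_X86, ARCH_S390 };

struct vm_request {
    enum arch arch;
    bool ucontrol_enabled;  /* models the config option being built in */
    bool cap_sys_admin;     /* models the caller holding CAP_SYS_ADMIN */
};

/* Returns 0 on success or a negative errno, the way an ioctl handler would. */
int model_arch_init_vm(const struct vm_request *req, unsigned long type)
{
    if (type == KVM_VM_REGULAR)
        return 0;                 /* unchanged path for existing user space */
    if (req->arch != ARCH_S390 || type != KVM_VM_S390_UCONTROL)
        return -EINVAL;           /* no other arch accepts a non-zero type */
    if (!req->ucontrol_enabled)
        return -EINVAL;           /* compiled out: behaves as if unknown */
    if (!req->cap_sys_admin)
        return -EPERM;            /* control-block access is host-root equivalent */
    return 0;
}

/* Convenience wrapper so each policy case is a single call. */
int check_create_vm(enum arch arch, bool ucontrol_enabled, bool cap_sys_admin,
                    unsigned long type)
{
    struct vm_request req = { arch, ucontrol_enabled, cap_sys_admin };
    return model_arch_init_vm(&req, type);
}

int main(void)
{
    printf("x86, regular:                 %d\n", check_create_vm(ARCH_X86, false, false, KVM_VM_REGULAR));
    printf("x86, ucontrol:                %d\n", check_create_vm(ARCH_X86, true, true, KVM_VM_S390_UCONTROL));
    printf("s390, ucontrol, no config:    %d\n", check_create_vm(ARCH_S390, false, true, KVM_VM_S390_UCONTROL));
    printf("s390, ucontrol, unprivileged: %d\n", check_create_vm(ARCH_S390, true, false, KVM_VM_S390_UCONTROL));
    printf("s390, ucontrol, admin:        %d\n", check_create_vm(ARCH_S390, true, true, KVM_VM_S390_UCONTROL));
    return 0;
}
```

The order of the checks matters for the container scenario in the message: an unprivileged caller inside a container gets -EPERM before any control block is handed out, and a kernel built without the option never reaches the capability check at all.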