Re: [PATCH] x86/hvm: Unilaterally inject #UD for unknown VMExits
- To: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
- Date: Mon, 1 Dec 2025 17:02:33 +0100
- Cc: Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen-devel <xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Mon, 01 Dec 2025 16:02:50 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Mon Dec 1, 2025 at 3:52 PM CET, Alejandro Vallejo wrote:
> On Fri Nov 28, 2025 at 6:47 PM CET, Andrew Cooper wrote:
>> While we do this for unknown user mode exits, crashing for supervisor mode
>> exits is unhelpful. Intel in particular expect the unknown case to be #UD
>> because they do introduce new instructions with new VMEXIT_* codes without
>> other enablement controls. e.g. MSRLIST, USER_MSR, MSR_IMM, but AMD have
>> RDPRU and SKINIT as examples too.
>
> I don't know how often Intel adds intercepts (or whatever the VMX equivalent
> is) without default-off knobs, but there's a potentially dangerous assumption
> here about all intercepts being synchronous with the executed instruction.
> Some might depend on other events (i.e. NMIs, IRQs, IPIs, etc) and injecting
> #UD in those cases would be very insecure for the guest. It might encourage
> the kernel to interpret the current instruction that the kernel can't know
> wasn't meant to ever trigger #UD. This would be an integrity-compromising
> mistake to make.
>
> IOW, I think this is a dangerous default to have and Xen should just crash the
> domain irrespective of CPL. At least on SVM. If a guest executes SKINIT and it
> doesn't exist
... and it doesn't exist, it's fine for a guest to crash. The domain crashing is
a Xen bug, but the bug triggering is a guest bug. And that's ok.
Sorry, those lines got lost.
Cheers,
Alejandro