On Mon, Nov 17, 2025 at 10:16:12AM -0800, Nuno Das Neves wrote: > On 11/17/2025 1:52 AM, Anirudh Rayabharam wrote: > > From: Anirudh Rayabharam (Microsoft) <[email protected]> > > > > Allow MSHV_ROOT_HVCALL IOCTL on the /dev/mshv fd. This IOCTL would > > execute a passthrough hypercall targeting the root/parent partition > > i.e. HV_PARTITION_ID_SELF. > > > > I think it's worth taking a moment to check and perhaps explain in > the commit message/a comment any security implications of the VMM > process being able to call these hypercalls on the root/parent > partition. > > One implication would be: can the VMM process influence other > processes in the root partition via these hypercalls, > e.g. HVCALL_SET_VP_REGISTERS? I would think that the hypervisor > itself disallows this but we should check. We can ask the > hypervisor team what they think, and check the hypervisor code. > > Specifically we should check on any hypercall that could possibly > influence partition state, i.e.: > HVCALL_SET_PARTITION_PROPERTY > HVCALL_SET_VP_REGISTERS > HVCALL_INSTALL_INTERCEPT > HVCALL_CLEAR_VIRTUAL_INTERRUPT > HVCALL_REGISTER_INTERCEPT_RESULT > HVCALL_ASSERT_VIRTUAL_INTERRUPT > HVCALL_SIGNAL_EVENT_DIRECT > HVCALL_POST_MESSAGE_DIRECT > > If it turns out there is something risky we are enabling here, we can > introduce a new array of hypercalls to restrict which ones can be > called on HV_PARTITION_ID_SELF. >
This is a good point. Please check with the hypervisor team. Wei
