On 11/17/2025 11:24 AM, Wei Liu wrote: > On Mon, Nov 17, 2025 at 07:18:27PM +0000, Wei Liu wrote: >> On Mon, Nov 17, 2025 at 10:16:12AM -0800, Nuno Das Neves wrote: >>> On 11/17/2025 1:52 AM, Anirudh Rayabharam wrote: >>>> From: Anirudh Rayabharam (Microsoft) <[email protected]> >>>> >>>> Allow MSHV_ROOT_HVCALL IOCTL on the /dev/mshv fd. This IOCTL would >>>> execute a passthrough hypercall targeting the root/parent partition >>>> i.e. HV_PARTITION_ID_SELF. >>>> >>> >>> I think it's worth taking a moment to check and perhaps explain in >>> the commit message/a comment any security implications of the VMM >>> process being able to call these hypercalls on the root/parent >>> partition. >>> >>> One implication would be: can the VMM process influence other >>> processes in the root partition via these hypercalls, >>> e.g. HVCALL_SET_VP_REGISTERS? I would think that the hypervisor >>> itself disallows this but we should check. We can ask the >>> hypervisor team what they think, and check the hypervisor code. >>> >>> Specifically we should check on any hypercall that could possibly >>> influence partition state, i.e.: >>> HVCALL_SET_PARTITION_PROPERTY >>> HVCALL_SET_VP_REGISTERS >>> HVCALL_INSTALL_INTERCEPT >>> HVCALL_CLEAR_VIRTUAL_INTERRUPT >>> HVCALL_REGISTER_INTERCEPT_RESULT >>> HVCALL_ASSERT_VIRTUAL_INTERRUPT >>> HVCALL_SIGNAL_EVENT_DIRECT >>> HVCALL_POST_MESSAGE_DIRECT >>> >>> If it turns out there is something risky we are enabling here, we can >>> introduce a new array of hypercalls to restrict which ones can be >>> called on HV_PARTITION_ID_SELF. >>> >> >> This is a good point. Please check with the hypervisor team. > > I should add: it is always easier to relax restrictions later than to > add them back in, so if there is any doubt and we want this code in as > quickly as possible, we can start with a new array and expand it later. >
Agreed. I think that's a good approach here, we can just enable HVCALL_GET_PARTITION_PROPERTY and HVCALL_GET_PARTITION_PROPERTY_EX for self-targeted passthru hypercalls. > Wei
