On 11/01/16 18:32, Andrew Cooper wrote:
> On 11/01/16 18:26, David Vrabel wrote:
>> On 11/01/16 17:17, Andrew Cooper wrote:
>>> So from one point of view, sufficient justification for this change is
>>> "because the Linux way isn't the only valid way to do this".
>> "Because we can" isn't a good justification for adding something new.
> 
> "Because I need this to sensibly regression test bits of the hypervisor" is.

No.  Tests should not require a magic mode -- they should test the
existing ABIs guests actually use.

>> Particularly something that is trivially easy to (accidentally) misuse
>> and open a big security hole between userspace and kernel.
> 
> This is no conceptual difference to incorrectly updating a pagetable, or
> having wrong dpl checks in the IDT.

Yes there is.  This proposed ABI addition is impossible to use safely.

> An OS which doesn't use the hypercall can't shoot itself.  An OS which
> does use it has plenty of other ways to accidentally compromise itself.

This ABI allows /untrusted userspace/ to shoot the whole OS in the foot.
It's quite different.

David


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel