lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 14 Mar 2012 12:58:17 +0200
From:	Gleb Natapov <gleb@...hat.com>
To:	Wen Congyang <wency@...fujitsu.com>
Cc:	Amit Shah <amit.shah@...hat.com>, Avi Kivity <avi@...hat.com>,
	"Daniel P. Berrange" <berrange@...hat.com>,
	kvm list <kvm@...r.kernel.org>,
	qemu-devel <qemu-devel@...gnu.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>,
	Jan Kiszka <jan.kiszka@...mens.com>
Subject: Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

On Wed, Mar 14, 2012 at 06:57:59PM +0800, Wen Congyang wrote:
> At 03/14/2012 06:52 PM, Gleb Natapov Wrote:
> > On Wed, Mar 14, 2012 at 06:52:07PM +0800, Wen Congyang wrote:
> >> At 03/14/2012 06:37 PM, Amit Shah Wrote:
> >>> On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
> >>>> At 03/14/2012 05:24 PM, Avi Kivity Wrote:
> >>>>> On 03/14/2012 10:29 AM, Wen Congyang wrote:
> >>>>>> At 03/13/2012 06:47 PM, Avi Kivity Wrote:
> >>>>>>> On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
> >>>>>>>> On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
> >>>>>>>>> On 03/12/2012 11:04 AM, Wen Congyang wrote:
> >>>>>>>>>> Do you have any other comments about this patch?
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Not really, but I'm not 100% convinced the patch is worthwhile.  It's
> >>>>>>>>> likely to only be used by Linux, which has kexec facilities, and you can
> >>>>>>>>> put talk to management via virtio-serial and describe the crash in more
> >>>>>>>>> details than a simple hypercall.
> >>>>>>>>
> >>>>>>>> As mentioned before, I don't think virtio-serial is a good fit for this.
> >>>>>>>> We want something that is simple & guaranteed always available. Using
> >>>>>>>> virtio-serial requires significant setup work on both the host and guest.
> >>>>>>>
> >>>>>>> So what?  It needs to be done anyway for the guest agent.
> >>>>>>>
> >>>>>>>> Many management application won't know to make a vioserial device available
> >>>>>>>> to all guests they create. 
> >>>>>>>
> >>>>>>> Then they won't know to deal with the panic event either.
> >>>>>>>
> >>>>>>>> Most administrators won't even configure kexec,
> >>>>>>>> let alone virtio serial on top of it. 
> >>>>>>>
> >>>>>>> It should be done by the OS vendor, not the individual admin.
> >>>>>>>
> >>>>>>>> The hypercall requires zero host
> >>>>>>>> side config, and zero guest side config, which IMHO is what we need for
> >>>>>>>> this feature.
> >>>>>>>
> >>>>>>> If it was this one feature, yes.  But we keep getting more and more
> >>>>>>> features like that and we bloat the hypervisor.  There's a reason we
> >>>>>>> have a host-to-guest channel, we should use it.
> >>>>>>>
> >>>>>>
> >>>>>> I donot know how to use virtio-serial.
> >>>>>
> >>>>> I don't either, copying Amit.
> >>>>>
> >>>>>> I start vm like this:
> >>>>>> qemu ...\
> >>>>>>    -device virtio-serial \
> >>>>>>   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
> >>>>>>   -device virtserialport,chardev=foo,name=port1 ...
> >>>>>>
> >>>>>> You said that there are too many channels. Does it mean /tmp/foo is a channel?
> >>>>>
> >>>>> Probably.
> >>>>
> >>>> Hmm, if we use virtio-serial, the guest kernel writes something into the channel when
> >>>> the os is panicked. Is it right?
> >>>
> >>> Depends on how you want to use it.  It could be the kernel, or it
> >>> could be a userspace program which monitors syslogs for panic
> >>> information and passes on that info to the virtio-serial channel.
> >>
> >> When the kernel is panicked, we cannot use userspace program.
> >>
> >>>
> >>>> If so, is this channel visible to guest userspace? If the channle is visible to guest
> >>>> userspace, the program running in userspace may write the same message to the channel.
> >>>
> >>> Access control is via permissions.  You can have udev scripts assign
> >>> whatever uid and gid to the port of your interest.  By default, all
> >>> ports are only accessible to the root user.
> >>
> >> We should also prevent root user writing message to this channel if it is
> >> used for panicked notification.
> >>
> > Why? Root user can also call panic hypercall if he wishes so.
> 
> IIRC, the instruction vmcall needs to run on ring0. The root user is in ring3.
> 
And who will stop the root from loading kernel module?
 
--
			Gleb.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ