lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251117192402.GA2402579@liuwe-devbox-debian-v2.local>
Date: Mon, 17 Nov 2025 19:24:02 +0000
From: Wei Liu <wei.liu@...nel.org>
To: Nuno Das Neves <nunodasneves@...ux.microsoft.com>
Cc: Anirudh Rayabharam <anirudh@...rudhrb.com>,
	"K. Y. Srinivasan" <kys@...rosoft.com>,
	Haiyang Zhang <haiyangz@...rosoft.com>,
	Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
	Long Li <longli@...rosoft.com>, linux-hyperv@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Drivers: hv: ioctl for self targeted passthrough
 hvcalls

On Mon, Nov 17, 2025 at 07:18:27PM +0000, Wei Liu wrote:
> On Mon, Nov 17, 2025 at 10:16:12AM -0800, Nuno Das Neves wrote:
> > On 11/17/2025 1:52 AM, Anirudh Rayabharam wrote:
> > > From: Anirudh Rayabharam (Microsoft) <anirudh@...rudhrb.com>
> > > 
> > > Allow MSHV_ROOT_HVCALL IOCTL on the /dev/mshv fd. This IOCTL would
> > > execute a passthrough hypercall targeting the root/parent partition
> > > i.e. HV_PARTITION_ID_SELF.
> > > 
> > 
> > I think it's worth taking a moment to check and perhaps explain in
> > the commit message/a comment any security implications of the VMM
> > process being able to call these hypercalls on the root/parent
> > partition.
> > 
> > One implication would be: can the VMM process influence other
> > processes in the root partition via these hypercalls,
> > e.g. HVCALL_SET_VP_REGISTERS? I would think that the hypervisor
> > itself disallows this but we should check. We can ask the
> > hypervisor team what they think, and check the hypervisor code.
> > 
> > Specifically we should check on any hypercall that could possibly
> > influence partition state, i.e.:
> > HVCALL_SET_PARTITION_PROPERTY
> > HVCALL_SET_VP_REGISTERS
> > HVCALL_INSTALL_INTERCEPT
> > HVCALL_CLEAR_VIRTUAL_INTERRUPT
> > HVCALL_REGISTER_INTERCEPT_RESULT
> > HVCALL_ASSERT_VIRTUAL_INTERRUPT
> > HVCALL_SIGNAL_EVENT_DIRECT
> > HVCALL_POST_MESSAGE_DIRECT
> > 
> > If it turns out there is something risky we are enabling here, we can
> > introduce a new array of hypercalls to restrict which ones can be
> > called on HV_PARTITION_ID_SELF.
> > 
> 
> This is a good point. Please check with the hypervisor team.

I should add: it is always easier to relax restrictions later than to
add them back in, so if there is any doubt and we want this code in as
quickly as possible, we can start with a new array and expand it later.

Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ