lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <d65a1b2d-2fdf-4cd1-bd04-a438205c7a70@linux.microsoft.com>
Date: Mon, 17 Nov 2025 15:42:19 -0800
From: Nuno Das Neves <nunodasneves@...ux.microsoft.com>
To: Wei Liu <wei.liu@...nel.org>
Cc: Anirudh Rayabharam <anirudh@...rudhrb.com>,
 "K. Y. Srinivasan" <kys@...rosoft.com>,
 Haiyang Zhang <haiyangz@...rosoft.com>, Dexuan Cui <decui@...rosoft.com>,
 Long Li <longli@...rosoft.com>, linux-hyperv@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Drivers: hv: ioctl for self targeted passthrough
 hvcalls

On 11/17/2025 11:24 AM, Wei Liu wrote:
> On Mon, Nov 17, 2025 at 07:18:27PM +0000, Wei Liu wrote:
>> On Mon, Nov 17, 2025 at 10:16:12AM -0800, Nuno Das Neves wrote:
>>> On 11/17/2025 1:52 AM, Anirudh Rayabharam wrote:
>>>> From: Anirudh Rayabharam (Microsoft) <anirudh@...rudhrb.com>
>>>>
>>>> Allow MSHV_ROOT_HVCALL IOCTL on the /dev/mshv fd. This IOCTL would
>>>> execute a passthrough hypercall targeting the root/parent partition
>>>> i.e. HV_PARTITION_ID_SELF.
>>>>
>>>
>>> I think it's worth taking a moment to check and perhaps explain in
>>> the commit message/a comment any security implications of the VMM
>>> process being able to call these hypercalls on the root/parent
>>> partition.
>>>
>>> One implication would be: can the VMM process influence other
>>> processes in the root partition via these hypercalls,
>>> e.g. HVCALL_SET_VP_REGISTERS? I would think that the hypervisor
>>> itself disallows this but we should check. We can ask the
>>> hypervisor team what they think, and check the hypervisor code.
>>>
>>> Specifically we should check on any hypercall that could possibly
>>> influence partition state, i.e.:
>>> HVCALL_SET_PARTITION_PROPERTY
>>> HVCALL_SET_VP_REGISTERS
>>> HVCALL_INSTALL_INTERCEPT
>>> HVCALL_CLEAR_VIRTUAL_INTERRUPT
>>> HVCALL_REGISTER_INTERCEPT_RESULT
>>> HVCALL_ASSERT_VIRTUAL_INTERRUPT
>>> HVCALL_SIGNAL_EVENT_DIRECT
>>> HVCALL_POST_MESSAGE_DIRECT
>>>
>>> If it turns out there is something risky we are enabling here, we can
>>> introduce a new array of hypercalls to restrict which ones can be
>>> called on HV_PARTITION_ID_SELF.
>>>
>>
>> This is a good point. Please check with the hypervisor team.
> 
> I should add: it is always easier to relax restrictions later than to
> add them back in, so if there is any doubt and we want this code in as
> quickly as possible, we can start with a new array and expand it later.
> 

Agreed. I think that's a good approach here, we can just enable
HVCALL_GET_PARTITION_PROPERTY and HVCALL_GET_PARTITION_PROPERTY_EX for 
self-targeted passthru hypercalls.

> Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ