lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5jbt7rwfmdwkdozzrndxhy3git2a4yaazoseb3e2oe24pofohi@wqcviepltkdp>
Date: Wed, 19 Nov 2025 22:49:54 +0530
From: Anirudh Rayabharam <anirudh@...rudhrb.com>
To: Nuno Das Neves <nunodasneves@...ux.microsoft.com>
Cc: Wei Liu <wei.liu@...nel.org>, "K. Y. Srinivasan" <kys@...rosoft.com>, 
	Haiyang Zhang <haiyangz@...rosoft.com>, Dexuan Cui <decui@...rosoft.com>, Long Li <longli@...rosoft.com>, 
	linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Drivers: hv: ioctl for self targeted passthrough
 hvcalls

On Mon, Nov 17, 2025 at 03:42:19PM -0800, Nuno Das Neves wrote:
> On 11/17/2025 11:24 AM, Wei Liu wrote:
> > On Mon, Nov 17, 2025 at 07:18:27PM +0000, Wei Liu wrote:
> >> On Mon, Nov 17, 2025 at 10:16:12AM -0800, Nuno Das Neves wrote:
> >>> On 11/17/2025 1:52 AM, Anirudh Rayabharam wrote:
> >>>> From: Anirudh Rayabharam (Microsoft) <anirudh@...rudhrb.com>
> >>>>
> >>>> Allow MSHV_ROOT_HVCALL IOCTL on the /dev/mshv fd. This IOCTL would
> >>>> execute a passthrough hypercall targeting the root/parent partition
> >>>> i.e. HV_PARTITION_ID_SELF.
> >>>>
> >>>
> >>> I think it's worth taking a moment to check and perhaps explain in
> >>> the commit message/a comment any security implications of the VMM
> >>> process being able to call these hypercalls on the root/parent
> >>> partition.
> >>>
> >>> One implication would be: can the VMM process influence other
> >>> processes in the root partition via these hypercalls,

Thanks for the review! This is a really good point.

> >>> e.g. HVCALL_SET_VP_REGISTERS? I would think that the hypervisor
> >>> itself disallows this but we should check. We can ask the
> >>> hypervisor team what they think, and check the hypervisor code.
> >>>
> >>> Specifically we should check on any hypercall that could possibly
> >>> influence partition state, i.e.:
> >>> HVCALL_SET_PARTITION_PROPERTY
> >>> HVCALL_SET_VP_REGISTERS
> >>> HVCALL_INSTALL_INTERCEPT
> >>> HVCALL_CLEAR_VIRTUAL_INTERRUPT
> >>> HVCALL_REGISTER_INTERCEPT_RESULT
> >>> HVCALL_ASSERT_VIRTUAL_INTERRUPT
> >>> HVCALL_SIGNAL_EVENT_DIRECT
> >>> HVCALL_POST_MESSAGE_DIRECT
> >>>
> >>> If it turns out there is something risky we are enabling here, we can
> >>> introduce a new array of hypercalls to restrict which ones can be
> >>> called on HV_PARTITION_ID_SELF.
> >>>
> >>
> >> This is a good point. Please check with the hypervisor team.
> > 
> > I should add: it is always easier to relax restrictions later than to
> > add them back in, so if there is any doubt and we want this code in as
> > quickly as possible, we can start with a new array and expand it later.
> > 
> 
> Agreed. I think that's a good approach here, we can just enable
> HVCALL_GET_PARTITION_PROPERTY and HVCALL_GET_PARTITION_PROPERTY_EX for 
> self-targeted passthru hypercalls.

I've implemented this in v3.

Anirudh

> 
> > Wei
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ