On 02.10.2021 04:35, Elliott Mitchell wrote:
> On Thu, Sep 30, 2021 at 09:08:34AM +0200, Jan Beulich wrote:
>> On 29.09.2021 17:31, Elliott Mitchell wrote:
>>>
>>> Copy and paste from the xl.cfg man page:
>>>
>>>        nestedhvm=BOOLEAN
>>>            Enables or disables guest access to hardware virtualisation
>>>            features, e.g. it allows a guest Operating System to also function
>>>            as a hypervisor. You may want this option if you want to run
>>>            another hypervisor (including another copy of Xen) within a Xen
>>>            guest or to support a guest Operating System which uses hardware
>>>            virtualisation extensions (e.g. Windows XP compatibility mode on
>>>            more modern Windows OS).  This option is disabled by default.
>>>
>>> "This option is disabled by default." doesn't mean "this is an
>>> experimental feature with no security support and is likely to crash the
>>> hypervisor".
>>
>> Correct, but this isn't the only place to look at. Quoting
>> SUPPORT.md:
> 
> You expect everyone to memorize SUPPORT.md (almost 1000 lines) before
> trying to use Xen?

I don't see why you say "memorize". When the file was introduced, it was
(aiui) indeed the intention for _it_ to become the main reference. Feel
free to propose alternatives.

> Your statement amounts to saying you really expect that.  People who want
> to get work done will look at `man xl.cfg` when needed, and follow
> instructions.
> 
> Mentioning something in `man xl.cfg` amounts to a statement "this is
> supported".  Experimental/unsupported options need to be marked
> "EXPERIMENTAL: DO NOT ENABLE IN PRODUCTION ENVIRONMENTS".
> 
> 
>> Yet that's still a configuration error (of the guest), not a bug in
>> Xen.
> 
> Documentation that poor amounts to a security vulnerability.

I disagree.

> I would suggest this needs 2 extra enablers.
> 
> First, this has potential to panic the hypervisor.  As such there needs
> to be an "enable_experimental=" option for the Xen command-line.  The
> argument would be a list of features to enable ("nestedhvm" for this
> case).  If this is absent, the hypervisor should ideally disable as much
> of the code related to the unsupported/experimental features as possible.
> 
> Second, since this needs to be enabled per-domain, there should be a
> similar "enable_experimental" setting for xl.cfg options.
> 
> 
> 
> I think this really is bad enough to warrant a security vulnerability
> and updates to all branches.

As above, I don't think I agree. But please feel free to propose patches.

What I'm personally more curious about is whether the patch I did send
you actually made a difference.

Jan