[PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall
Paul Mackerras
paulus at ozlabs.org
Mon Nov 11 15:19:24 AEDT 2019
On Mon, Nov 04, 2019 at 09:47:59AM +0530, Bharata B Rao wrote:
> From: Sukadev Bhattiprolu <sukadev at linux.ibm.com>
>
> Implement the H_SVM_INIT_ABORT hcall which the Ultravisor can use to
> abort an SVM after it has issued the H_SVM_INIT_START and before the
> H_SVM_INIT_DONE hcalls. This hcall could be used when Ultravisor
> encounters security violations or other errors when starting an SVM.
>
> Note that this hcall is different from UV_SVM_TERMINATE ucall which
> is used by HV to terminate/cleanup an SVM.
>
> In case of H_SVM_INIT_ABORT, we should page-out all the pages back to
> HV (i.e., we should not skip the page-out). Otherwise the VM's pages,
> possibly including its text/data would be stuck in secure memory.
> Since the SVM did not go secure, its MSR_S bit will be clear and the
> VM won't be able to access its pages even to do a clean exit.
It seems fragile to me to have one more transfer back into the
ultravisor after this call. Why does the UV need to do this call and
then get control back again one more time? Why can't the UV defer
doing this call until it can do it without expecting to see a return
from the hcall? And if it does need to see a return from the hcall,
what would happen if a malicious hypervisor doesn't do the return?
Paul.