On Thu, Apr 10, 2025 at 08:27:49AM +0200, Jan Beulich wrote:
> On 09.04.2025 17:33, Roger Pau Monné wrote:
> > On Wed, Apr 09, 2025 at 04:08:47PM +0200, Jan Beulich wrote:
> >> On 09.04.2025 16:01, Roger Pau Monné wrote:
> >>> As I understand the checks done in
> >>> mmio_ro_emulated_write() are to ensure correctness, but carrying the
> >>> access even when the %cr2 check fails wouldn't cause issues to Xen
> >>> itself?
> >>
> >> Well, "wouldn't" is too strong for my taste, "shouldn't" would fit. The
> >> checking is there to avoid guests playing games. Whether that prevents
> >> merely in-guest just-bugs or actual XSAs we can't know until we find a
> >> case where the game playing might make us do something wrong. I expect
> >> it's unlikely for Xen itself to be affected. But an in-guest privilege
> >> escalation would already be bad enough.
> >
> > I see. That was kind of my understanding of the checks. At least on
> > HVM it feels a bit weird to handle r/o regions this way. It would IMO
> > be more natural to use an hvm_io_handler, but that's maybe because I'm
> > more familiar with those.
>
> I guess this would be an option; I assume it's the way it is because PVHv1
> inherited it from PV, and PVHv2 inherited it from PVHv1.
I have a draft with this approach, and it seems quite a bit better, as it
allows to get rid of hvm_emulate_one_mmio() and the special casing done in
hvm_hap_nested_page_fault().

Thanks, Roger.