dom0-provided kernels should end use of PoD memory before loading untrusted code

[DemiMarie]

How to file a helpful issue

The problem you're addressing (if any)

There have been several XSAs related to populate on demand code.

The solution you'd like

dom0-provided kernels should ensure they have eliminated all use of PoD memory before running untrusted code.

The value to a user, and who that user might be

All users will benefit from improved security.

[marmarek]

dom0-provided kernels should ensure they have eliminated all use of PoD memory before running untrusted code.

This is already the case, kernel waits for balloon down to finish before spawning init.

[DemiMarie]

dom0-provided kernels should ensure they have eliminated all use of PoD memory before running untrusted code.

This is already the case, kernel waits for balloon down to finish before spawning init.

Does this mean that populate-on-demand vulnerabilities only impact users who use VM-provided kernels or who allow VMs to influence kernel command line via the Admin API?

[marmarek]

Or non-Linux OSes (which is sub-category of VM-provided kernel), or older kernel (it's this way upstream since 5.16, but we backported it to our 5.15, 5.10 and 5.4 at some point).

BTW, kind of related - PoD isn't going to be used at all with #7956 (for kernels supporting it).

[DemiMarie]

Or non-Linux OSes (which is sub-category of VM-provided kernel), or older kernel (it's this way upstream since 5.16, but we backported it to our 5.15, 5.10 and 5.4 at some point).

BTW, kind of related - PoD isn't going to be used at all with #5956 (for kernels supporting it).

Are there non-Linux kernels that support PoD but not memory hotplug?

[marmarek]

support PoD

That's literally any OS - the whole point of this mechanism is to be fully guest-transparent.