Markus Armbruster <[email protected]> writes:

> Rusty Russell <[email protected]> writes:
>> The litmus test: does *your* guest handle failures other than by giving
>> up on the device? If so, sure, you need to have a sane error-reporting
>> strategy.
>
> Err, isn't this a circular argument? No need for QEMU to report the
> failure, because the guest won't handle it; no need to handle the
> failure, because QEMU won't report it.
>
> What about this: would you make your guest handle failures if they were
> reported?

Perhaps I was unclear; that's what I meant.

>>> The main reason I'm considering this stuff is for security reasons: if
>>> the guest asks for something really illegal or crazy, what should the
>>> expected behaviour of the host be? (At least secure, I know that.)
>>
>> If the guest userspace can do it, don't exit. If the kernel only, and
>> it should have known better, abort is OK.
>>
>> Sure, that doesn't help much!
>
> Immediate exit() or abort() denies the guest the ability to degrade
> service gracefully (disable the device, cry for help and try to hobble
> on), or report its brokenness ungracefully (kernel panic, crash dump).
> I doubt denying that is okay unless the device is so important that
> without it you can't even hope to panic.

Oh yes, I completely agree with you! But QEMU practice doesn't :)

Cheers,
Rusty.
