lucab
commented
4 years ago I can provide a quick hotfix to conditionally bypass the iopl call here if you want, but I'd like to see a larger discussion/plan about how to better address this in the longer term.
In the meanwhile I posted this short-term hotfix at https://github.com/vmware/vmw-guestinfo/pull/21, to get things moving. It does not completely fix the underlying problem (see "non-deterministic behavior" above). The longer term approach is still to be discussed/agreed, pending feedback from the VMware devs of this repo. I'll keep the ticket open till then.
This is a followup to https://github.com/coreos/ignition/issues/1092, which is an application/consumer which experienced breakage because of this issue.
On Linux, according to
kernel_lockdownmanpage:As such, on a Linux VM booted with EFI and Secure Boot,
IsVirtualWorld()fails withoperation not permittedbecause of this logic: https://github.com/vmware/vmw-guestinfo/blob/687661b8bd8e72a55ac988ecdb2a1cdef76fa78d/vmcheck/vmcheck_linux.go#L19-L22Empirically, we have observed that older versions of this library were not performing the
iopland still somehow managed to work, however we fear this may be just the result of lucky non-deterministic behavior. It looks likeopen-vm-toolsnowadays may be using a different transport to communicate with the hypervisor, via a vsocket: https://github.com/vmware/open-vm-tools/blob/f72e314e8b0df4e80c6b5f9b0c66ad2e9ce02e19/open-vm-tools/lib/rpcChannel/vsockChannel.cI can provide a quick hotfix to conditionally bypass the
ioplcall here if you want, but I'd like to see a larger discussion/plan about how to better address this in the longer term./cc @frapposelli @sigma