From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter Teoh <htmldeveloper@gmail.com>
Subject: dom0 vs non-dom0 differentiation inside Xen hypervisor
Date: Sun, 02 Sep 2007 15:12:08 +0800
Message-ID: <46DA6248.4010101@singnet.com.sg>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

In some parts of IA64 I can see that domain==dom0 checking is done, but 
in all  x86 - I have yet to find a proper checking that the hypercalls 
comes from a dom0 domain instead of any other domain.

Theoretically, this means that any domain (PV or HVM) can always modify 
its own kernel binary and then make a direct hypercall (via int 0x82 or 
SYSENTER) into the hypervisor, executing domain controller commands like 
create domain etc.

Is this possible?   Access control should be done from the hypervisor 
side, so any existing dom0 checking (CONFIG_XEN_PRIVILEGED_GUEST 
compilation option - done from the dom0 side) seems like useless, 
because another domU can always modify its own kernel binaries to 
achieve all the features what CONF_XEN_PRIVILEGED_GUEST restrict.

Am I right?