From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeremy Fitzhardinge
Subject: Re: Is exposing shared_info to user-land secure?
Date: Fri, 01 Aug 2008 13:31:23 -0700
Message-ID: <4893729B.7060905@goop.org>
References: <20080801101339906.00000008444@djm-pc>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <20080801101339906.00000008444@djm-pc>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: "dan.magenheimer@oracle.com"
Cc: "Xen-Devel (E-mail)"
List-Id: xen-devel@lists.xenproject.org

Dan Magenheimer wrote:
> Is it "safe" in a paravirtualized guest to expose shared_info
> (at least read-only) to user-land? That is, is there data
> in shared_info that could be used by a malicious program to
> compromise a guest OS (ignoring very complex side-channel
> attacks anyway)?
>
> We have apps that constantly do various time syscalls (e.g.
> to gettimeofday()) and I'm thinking if vcpu_info(cpu)->time_info
> was directly readable by an enterprise app, it could do
> the time calculations itself and save the syscall overhead.
>

You can use the HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_info, )
hypercall to move the vcpu structure out of the shared info structure;
that could be placed somewhere mappable. Though currently I use it to
put it into the percpu data area for quick kernel access; it definitely
wouldn't be mappable by userspace there (well, not without padding it
out to its own page, at least).

    J
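The time calculation a reader of a read-only time_info mapping would perform, as an added example that is not part of the original message or of Xen's code. The struct layout follows `struct vcpu_time_info` in Xen's public `xen.h`; the names `pvclock_ns`, `scale_delta` and the `max_tries` bound are hypothetical, and the TSC value is passed in as a parameter rather than read from the CPU.

```c
#include <stdint.h>

/* Layout of struct vcpu_time_info from Xen's public ABI header (xen.h). */
struct vcpu_time_info {
    uint32_t version;           /* odd while Xen is updating the record */
    uint32_t pad0;
    uint64_t tsc_timestamp;     /* TSC value at the last update */
    uint64_t system_time;       /* ns since boot at the last update */
    uint32_t tsc_to_system_mul; /* 0.32 fixed-point TSC->ns multiplier */
    int8_t   tsc_shift;         /* pre-scale shift applied to the TSC delta */
    int8_t   pad1[3];
};

/* Scale a TSC delta to nanoseconds: ((delta << shift) * mul) >> 32. */
static uint64_t scale_delta(uint64_t delta, uint32_t mul, int8_t shift)
{
    if (shift < 0)
        delta >>= -shift;
    else
        delta <<= shift;
    /* 64x32 multiply split in two halves so no 128-bit type is needed. */
    return (delta >> 32) * mul + (((delta & 0xffffffffu) * mul) >> 32);
}

/*
 * Snapshot the record seqlock-style and convert `tsc` to ns since boot.
 * Returns 0 on success, -1 if no stable snapshot was seen in max_tries
 * (hypothetical bound so a record stuck at an odd version cannot spin
 * the caller forever). The mapping is only ever read, never written.
 */
int pvclock_ns(const volatile struct vcpu_time_info *ti, uint64_t tsc,
               int max_tries, uint64_t *ns)
{
    while (max_tries-- > 0) {
        uint32_t v = ti->version;
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        uint64_t base = ti->system_time, stamp = ti->tsc_timestamp;
        uint32_t mul = ti->tsc_to_system_mul;
        int8_t shift = ti->tsc_shift;
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        if ((v & 1) || v != ti->version)
            continue;           /* update in progress or torn read */
        /* Clamp: a TSC sampled before the stamp must not wrap the delta. */
        *ns = base + scale_delta(tsc > stamp ? tsc - stamp : 0, mul, shift);
        return 0;
    }
    return -1;
}
```
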