From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Dongxiao Xu <dongxiao.xu@intel.com>, xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
stefano.stabellini@eu.citrix.com, George.Dunlap@eu.citrix.com,
andrew.cooper3@citrix.com, Ian.Jackson@eu.citrix.com,
JBeulich@suse.com
Subject: Re: [PATCH v11 2/9] xsm: add MSR operation related xsm policy
Date: Tue, 24 Jun 2014 15:20:29 -0400 [thread overview]
Message-ID: <53A9CF7D.6060400@tycho.nsa.gov> (raw)
In-Reply-To: <176dc61669e40a5e55661bb9205334f9151c01b7.1403248468.git.dongxiao.xu@intel.com>
On 06/20/2014 10:31 AM, Dongxiao Xu wrote:
> Add xsm policies for MSR access related hypercall.
>
> Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
As an overall permissions check, this is workable, and is at least
suitable for an initial implementation. I believe a more fine-grained
control over MSR operations will be needed in the long term so that a
disaggregated environment can take advantage of a feature that requires
these MSR operations. Currently, allowing a domain the XEN2__MSR_OP
permission means that the domain is completely trusted by the
hypervisor, since the ability to write to arbitrary MSRs can be used to
gain execution in the hypervisor's context. The most obvious method to
accomplish this would be to change IA32_SYSENTER_EIP while a PV domain
is running.
If a white-list of "safe" MSRs is maintained in the hypervisor while
processing the msr_op, then this concern goes away, but the name of the
permission should be changed to reflect the contents of the whitelist
(so, for this patchset, cqm_op or cqm_msr_op may be a better name).
If a generic MSR read/write operation is actually desired, the security
server should check each read/write with an MSR__READ/MSR__WRITE
permissions using a label for the individual MSR. The security server
would maintain lables for MSRs like it currently labels I/O ports and
PCI devices. This is a significantly more complex change, but provides
maximum flexibility for handling access to arbitrary MSRs.
--
Daniel De Graaf
National Security Agency
next prev parent reply other threads:[~2014-06-24 19:20 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-20 14:31 [PATCH v11 0/9] enable Cache QoS Monitoring (CQM) feature Dongxiao Xu
2014-06-20 14:31 ` [PATCH v11 1/9] x86: add generic MSR access hypercall Dongxiao Xu
2014-06-20 14:57 ` Andrew Cooper
2014-06-23 6:34 ` Xu, Dongxiao
2014-06-20 15:00 ` Jan Beulich
2014-06-23 6:27 ` Xu, Dongxiao
2014-06-23 6:45 ` Jan Beulich
2014-06-23 7:29 ` Xu, Dongxiao
2014-06-23 7:42 ` Jan Beulich
2014-06-23 13:32 ` Konrad Rzeszutek Wilk
2014-06-20 14:31 ` [PATCH v11 2/9] xsm: add MSR operation related xsm policy Dongxiao Xu
2014-06-24 19:20 ` Daniel De Graaf [this message]
2014-06-20 14:31 ` [PATCH v11 3/9] tools: provide interface for generic MSR access Dongxiao Xu
2014-06-20 17:34 ` Konrad Rzeszutek Wilk
2014-06-23 7:13 ` Jan Beulich
2014-06-23 13:29 ` Konrad Rzeszutek Wilk
2014-06-27 13:05 ` Ian Campbell
2014-06-20 14:31 ` [PATCH v11 4/9] x86: detect and initialize Platform QoS Monitoring feature Dongxiao Xu
2014-06-20 15:04 ` Jan Beulich
2014-06-23 6:38 ` Xu, Dongxiao
2014-06-23 6:50 ` Jan Beulich
2014-06-23 7:30 ` Xu, Dongxiao
2014-06-20 17:35 ` Konrad Rzeszutek Wilk
2014-06-20 14:31 ` [PATCH v11 5/9] x86: dynamically attach/detach QoS monitoring service for a guest Dongxiao Xu
2014-06-20 15:08 ` Jan Beulich
2014-06-23 6:43 ` Xu, Dongxiao
2014-06-20 14:31 ` [PATCH v11 6/9] x86: collect global QoS monitoring information Dongxiao Xu
2014-06-20 15:16 ` Jan Beulich
2014-06-23 6:55 ` Xu, Dongxiao
2014-06-23 7:06 ` Jan Beulich
2014-06-20 14:31 ` [PATCH v11 7/9] x86: enable QoS monitoring for each domain RMID Dongxiao Xu
2014-06-20 15:20 ` Jan Beulich
2014-06-23 6:55 ` Xu, Dongxiao
2014-06-20 14:31 ` [PATCH v11 8/9] xsm: add platform QoS related xsm policies Dongxiao Xu
2014-06-24 19:24 ` Daniel De Graaf
2014-06-20 14:31 ` [PATCH v11 9/9] tools: CMDs and APIs for Platform QoS Monitoring Dongxiao Xu
2014-06-23 15:22 ` Ian Jackson
2014-06-27 7:15 ` Xu, Dongxiao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53A9CF7D.6060400@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dongxiao.xu@intel.com \
--cc=keir@xen.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.