Re: [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc

[Andrew Cooper <andrew.cooper3@citrix.com>]

On 02/07/14 17:58, Mihai Donțu wrote:
> On Wed, 2 Jul 2014 17:00:08 +0100 Andrew Cooper wrote:
>> On 02/07/14 16:51, Jan Beulich wrote:
>>>>>> On 02.07.14 at 15:33, <rcojocaru@bitdefender.com> wrote:
>>>> Added new XEN_DOMCTL_set_pagefault_info hypercall, used by libxc's
>>>> new xc_domain_set_pagefault_info() function to set per-domain page
>>>> fault injection information. This information is then used to call
>>>> hvm_inject_page_fault() at the first VMENTRY where the guest status
>>>> matches and there are no other pending traps.
>>> So the first question that strikes me here: What good can it do to
>>> be able to inject arbitrary page faults, possibly at times where
>>> the guest OS is absolutely not expecting them?
> I have not yet had the chance to say: thank you all for your review!

No worries - this certainly is an interesting series to consider.

>
> There were times when we wanted to get certain information from the
> guest but couldn't because it was swapped out. We now handle that
> situation by injecting a #PF and then let the OS respond as it would
> under a normal circumstance. After the data is brought in, it traps
> again into our application and we get what we need, but yes, it
> requires deep knowledge about the guest OS in order to do it without
> crashing it. It's doable only if you have the means necessary to
> inspect its state fully, which is why some of the submitted patches
> exist.

What is the threat model here?

It seems to me that the only safe place to organise this is from a
device driver in the guest.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel