From mboxrd@z Thu Jan  1 00:00:00 1970
From: Razvan Cojocaru <rcojocaru@bitdefender.com>
Subject: Re: [v7][RFC][PATCH 01/13] xen: RMRR fix
Date: Tue, 28 Oct 2014 11:39:40 +0200
Message-ID: <544F645C.5@bitdefender.com>
References: <1414136077-18599-1-git-send-email-tiejun.chen@intel.com>	<544A4B7A0200007800041E0D@mail.emea.novell.com>	<544DA74A.4020505@intel.com>	<544E214F020000780004253D@mail.emea.novell.com>	<544F5570.5050106@intel.com>
	<544F71270200007800042B51@mail.emea.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <544F71270200007800042B51@mail.emea.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <JBeulich@suse.com>, Tiejun Chen <tiejun.chen@intel.com>
Cc: yang.z.zhang@intel.com, kevin.tian@intel.com, tim@xen.org, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 10/28/2014 11:34 AM, Jan Beulich wrote:
>>>> On 28.10.14 at 09:36, <tiejun.chen@intel.com> wrote:
>> On 2014/10/27 17:41, Jan Beulich wrote:
>>>>>> On 27.10.14 at 03:00, <tiejun.chen@intel.com> wrote:
>>>> n 2014/10/24 18:52, Jan Beulich wrote:
>>>>>>>> On 24.10.14 at 09:34, <tiejun.chen@intel.com> wrote:
>>>>>> 5. Before we take real device assignment, any access to RMRR may issue
>>>>>> ept_handle_violation because of p2m_access_n. Then we just call
>>>>>> update_guest_eip() to return.
>>>>>
>>>>> I.e. ignore such accesses? Why?
>>>>
>>>> Yeah. This illegal access isn't allowed but its enough to ignore that
>>>> without further protection or punishment.
>>>>
>>>> Or what procedure should be concerned here based on your opinion?
>>>
>>> If the access is illegal, inject a fault to the guest or kill it, unless you
>>
>> Kill means we will crash domain? Seems its radical, isn't it? So I guess 
>> its better to inject a fault.
>>
>> But what kind of fault you prefer currently?
> 
> #GP (but this being arbitrary is why simply killing the guest is another
> option to consider).
> 
>>>>>> Now in our case we add a rule:
>>>>>>    - if p2m_access_n is set we also set this mapping.
>>>>>
>>>>> Does that not conflict with eventual use mem-access makes of this
>>>>> type?
>>
>> Do you mean what will happen after we reset these ranges as 
>> p2m_access_rw? We already reserve these ranges guest shouldn't access 
>> these range actually. And a guest still maliciously access them, that 
>> device may not work well.
> 
> mem-access is functionality used by a control domain, not the domain
> itself. You need to make sure that neither your use of p2m_access_n
> can confuse the mem-access code, nor that their use can confuse you.

Jan makes a very good point. If a guest, as you say, maliciously
accesses any of the guest's pages, a dom0 application (working via the
mem_access mechanism) might want to know about it (regardless of what
the guest itself can and cannot do). :)

So please, make sure that no such application will get confused by the
changes.


Thanks,
Razvan