From: George Dunlap
Subject: Re: [PATCH v12 1/9] x86: add generic resource (e.g. MSR) access hypercall
Date: Tue, 8 Jul 2014 09:57:44 +0100
Message-ID: <53BBB288.5050902@eu.citrix.com>
References: <53B67699.20608@citrix.com> <53B69E490200007800020A70@mail.emea.novell.com> <53B68774.4060603@citrix.com>
In-Reply-To: <53B68774.4060603@citrix.com>
To: Andrew Cooper, Jan Beulich, Dongxiao Xu, xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com, stefano.stabellini@eu.citrix.com, Ian.Jackson@eu.citrix.com, dgdegra@tycho.nsa.gov
List-Id: xen-devel@lists.xenproject.org

On 07/04/2014 11:52 AM, Andrew Cooper wrote:
> On 04/07/14 11:30, Jan Beulich wrote:
>>>>> On 04.07.14 at 11:40, wrote:
>>> On 04/07/14 09:34, Dongxiao Xu wrote:
>>>> Add a generic resource access hypercall for tool stack or other
>>>> components, e.g., accessing MSR, port I/O, etc.
>>>>
>>>> Signed-off-by: Dongxiao Xu
>>> This still permits a user of the hypercalls to play with EFER or
>>> SYSENTER_EIP, which obviously is a very bad thing.
>>>
>>> There needs to be a whitelist of permitted MSRs which can be accessed.
>> Hmm, I'm not sure. One particular purpose I see here is to allow the
>> tool stack (or Dom0) access to MSRs Xen may not know about (yet).
>> Furthermore, this being a platform op, only the hardware domain
>> should ever have access, and it certainly ought to know what it's
>> doing. So the sum of these two considerations is: If at all, we may
>> want a black list here.
>>
>> Jan
>>
>
> I don't think it is safe for the toolstack to ever be playing with MSRs
> which Xen is completely unaware of. There is no guarantee whatsoever
> that a new MSR which Xen is unaware of doesn't have security
> implications if the toolstack were to play with it.

But the toolstack is part of the trusted base; it should be thinking
about the security implications as much as Xen should.

 -George