From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH v12 1/9] x86: add generic resource (e.g. MSR) access hypercall Date: Tue, 8 Jul 2014 10:07:32 +0100 Message-ID: <53BBB4D4.40402@citrix.com> References: <53B67699.20608@citrix.com> <53B69E490200007800020A70@mail.emea.novell.com> <53B68774.4060603@citrix.com> <40776A41FC278F40B59438AD47D147A911A57CC8@SHSMSX104.ccr.corp.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <40776A41FC278F40B59438AD47D147A911A57CC8@SHSMSX104.ccr.corp.intel.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: "Xu, Dongxiao" , Jan Beulich , "xen-devel@lists.xen.org" Cc: "keir@xen.org" , "Ian.Campbell@citrix.com" , "stefano.stabellini@eu.citrix.com" , "George.Dunlap@eu.citrix.com" , "Ian.Jackson@eu.citrix.com" , "dgdegra@tycho.nsa.gov" List-Id: xen-devel@lists.xenproject.org On 08/07/14 08:06, Xu, Dongxiao wrote: >> -----Original Message----- >> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com] >> Sent: Friday, July 04, 2014 6:53 PM >> To: Jan Beulich; Xu, Dongxiao; xen-devel@lists.xen.org >> Cc: Ian.Campbell@citrix.com; George.Dunlap@eu.citrix.com; >> Ian.Jackson@eu.citrix.com; stefano.stabellini@eu.citrix.com; >> konrad.wilk@oracle.com; dgdegra@tycho.nsa.gov; keir@xen.org >> Subject: Re: [PATCH v12 1/9] x86: add generic resource (e.g. MSR) access >> hypercall >> >> On 04/07/14 11:30, Jan Beulich wrote: >>>>>> On 04.07.14 at 11:40, wrote: >>>> On 04/07/14 09:34, Dongxiao Xu wrote: >>>>> Add a generic resource access hypercall for tool stack or other >>>>> components, e.g., accessing MSR, port I/O, etc. >>>>> >>>>> Signed-off-by: Dongxiao Xu >>>> This still permits a user of the hypercalls to play with EFER or >>>> SYSENTER_EIP, which obviously is a very bad thing. >>>> >>>> There needs to be a whitelist of permitted MSRs which can be accessed. >>> Hmm, I'm not sure. One particular purpose I see here is to allow the >>> tool stack (or Dom0) access to MSRs Xen may not know about (yet). >>> Furthermore, this being a platform op, only the hardware domain >>> should ever have access, and it certainly ought to know what it's >>> doing. So the sum of these two considerations is: If at all, we may >>> want a black list here. >>> >>> Jan >>> >> I don't think it is safe for the toolstack to ever be playing with MSRs >> which Xen is completely unaware of. There is no guarentee whatsoever >> that a new MSR which Xen is unaware of doesn't have security >> implications if the toolstack were to play with it. >> >> Adding entries to a whitelist is easy and could be considered a >> maintenance activity similar to keeping the model/stepping information >> up-to-date. > This resource access mechanism is useful according to some conversation with IPDC customers. Per their description, once the machine and VMs are online, they will not be turned off. Sometimes administrators may need to dynamically modify some resource values to fix/workaround certain issues, and our patch may serve this purpose. > > Adding the white/black list will bring certain constraints for the above use case. Also considering that the tool stack resides in dom0, I think it is not so dangerous. The whole purpose of XSM is to split the toolstack up so it isn't all in dom0. Extending a whitelist is trivial, and requires a positive action on behalf of someone to decide that the added MSR *is* safe. Anything else is a security bug waiting to happen. ~Andrew