xen-devel.lists.xenproject.org archive mirror
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: George Dunlap <george.dunlap@eu.citrix.com>,
	Jan Beulich <JBeulich@suse.com>,
	Dongxiao Xu <dongxiao.xu@intel.com>,
	xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
	stefano.stabellini@eu.citrix.com, Ian.Jackson@eu.citrix.com,
	dgdegra@tycho.nsa.gov
Subject: Re: [PATCH v12 1/9] x86: add generic resource (e.g. MSR) access hypercall
Date: Tue, 8 Jul 2014 10:20:42 +0100
Message-ID: <53BBB7EA.3080609@citrix.com>
In-Reply-To: <53BBB288.5050902@eu.citrix.com>

On 08/07/14 09:57, George Dunlap wrote:
> On 07/04/2014 11:52 AM, Andrew Cooper wrote:
>> On 04/07/14 11:30, Jan Beulich wrote:
>>>>>> On 04.07.14 at 11:40, <andrew.cooper3@citrix.com> wrote:
>>>> On 04/07/14 09:34, Dongxiao Xu wrote:
>>>>> Add a generic resource access hypercall for tool stack or other
>>>>> components, e.g., accessing MSR, port I/O, etc.
>>>>>
>>>>> Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
>>>> This still permits a user of the hypercalls to play with EFER or
>>>> SYSENTER_EIP, which obviously is a very bad thing.
>>>>
>>>> There needs to be a whitelist of permitted MSRs which can be accessed.
>>> Hmm, I'm not sure. One particular purpose I see here is to allow the
>>> tool stack (or Dom0) access to MSRs Xen may not know about (yet).
>>> Furthermore, this being a platform op, only the hardware domain
>>> should ever have access, and it certainly ought to know what it's
>>> doing. So the sum of these two considerations is: If at all, we may
>>> want a black list here.
>>>
>>> Jan
>>>
>>
>> I don't think it is safe for the toolstack to ever be playing with MSRs
>> which Xen is completely unaware of.  There is no guarantee whatsoever
>> that a new MSR which Xen is unaware of doesn't have security
>> implications if the toolstack were to play with it.
>
> But the toolstack is part of the trusted base; it should be thinking
> about the security implications as much as Xen should.
>  -George
>

No - it very much isn't.  It has more privileges than a standard Xen
domain, and in some cases has powers to shoot itself in the foot, but
these powers are all behind the Xen API which does provide
restrictions on what dom0/toolstack is permitted to do.

~Andrew
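
The whitelist-versus-blacklist question debated in this thread, as an added example that is not part of the original message or of the Xen patch: the same MSR filter written both ways, showing how each treats an MSR nobody has reviewed. The function names, the read/write policy for the CQM registers and the `HYPOTHETICAL_NEW_MSR` index are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural MSR indices. */
#define MSR_IA32_SYSENTER_EIP 0x00000176u
#define MSR_EFER              0xC0000080u
#define MSR_IA32_QM_EVTSEL    0x00000C8Du /* CQM event select */
#define MSR_IA32_QM_CTR       0x00000C8Eu /* CQM counter */
/* Constructed placeholder for an MSR the hypervisor does not know about. */
#define HYPOTHETICAL_NEW_MSR  0x00000FFFu

struct msr_rule { uint32_t idx; bool may_write; };

/* Allowlist: only reviewed MSRs are reachable (policy assumed for this example). */
static const struct msr_rule allowlist[] = {
    { MSR_IA32_QM_EVTSEL, true  },
    { MSR_IA32_QM_CTR,    false }, /* treated as read-only here */
};

/* Denylist: everything is reachable except what someone remembered to list. */
static const uint32_t denylist[] = { MSR_EFER, MSR_IA32_SYSENTER_EIP };

bool allowlist_permits(uint32_t idx, bool write)
{
    for (size_t i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++)
        if (allowlist[i].idx == idx)
            return !write || allowlist[i].may_write;
    return false; /* unknown MSR: default deny */
}

bool denylist_permits(uint32_t idx, bool write)
{
    (void)write; /* a plain denylist has no per-direction policy */
    for (size_t i = 0; i < sizeof(denylist) / sizeof(denylist[0]); i++)
        if (denylist[i] == idx)
            return false;
    return true; /* unknown MSR: default allow */
}

int main(void)
{
    printf("write to unknown MSR: allowlist=%d denylist=%d\n",
           allowlist_permits(HYPOTHETICAL_NEW_MSR, true),
           denylist_permits(HYPOTHETICAL_NEW_MSR, true));
    return 0;
}
```

Both filters refuse EFER and SYSENTER_EIP; they differ only on the unlisted index, which is the case the thread is arguing about.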
