From: Julien Grall <julien.grall@arm.com>
To: Sergej Proskurin <proskurin@sec.in.tum.de>,
xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Tamas K Lengyel <tamas@tklengyel.com>
Subject: Re: [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs.
Date: Wed, 6 Jul 2016 14:43:31 +0100
Message-ID: <577D0B03.6010406@arm.com>
In-Reply-To: <15a29ba5-e8e6-9ddf-9a86-9f18ade4cddb@sec.in.tum.de>
Hello Sergej,

On 06/07/16 10:14, Sergej Proskurin wrote:
> On 07/05/2016 12:19 PM, Julien Grall wrote:
>> Hello Sergej,
>>
>> On 04/07/16 12:45, Sergej Proskurin wrote:
>>> +static int do_altp2m_op(XEN_GUEST_HANDLE_PARAM(void) arg)
>>> +{
>>> + struct xen_hvm_altp2m_op a;
>>> + struct domain *d = NULL;
>>> + int rc = 0;
>>> +
>>> + if ( !hvm_altp2m_supported() )
>>> + return -EOPNOTSUPP;
>>> +
>>> + if ( copy_from_guest(&a, arg, 1) )
>>> + return -EFAULT;
>>> +
>>> + if ( a.pad1 || a.pad2 ||
>>> + (a.version != HVMOP_ALTP2M_INTERFACE_VERSION) ||
>>> + (a.cmd < HVMOP_altp2m_get_domain_state) ||
>>> + (a.cmd > HVMOP_altp2m_change_gfn) )
>>> + return -EINVAL;
>>> +
>>> + d = (a.cmd != HVMOP_altp2m_vcpu_enable_notify) ?
>>> + rcu_lock_domain_by_any_id(a.domain) :
>>> rcu_lock_current_domain();
>>> +
>>> + if ( d == NULL )
>>> + return -ESRCH;
>>> +
>>> + if ( (a.cmd != HVMOP_altp2m_get_domain_state) &&
>>> + (a.cmd != HVMOP_altp2m_set_domain_state) &&
>>> + !d->arch.altp2m_active )
>>> + {
>>> + rc = -EOPNOTSUPP;
>>> + goto out;
>>> + }
>>> +
>>> + if ( (rc = xsm_hvm_altp2mhvm_op(XSM_TARGET, d)) )
>>> + goto out;
>>
>> I think this is the best place to ask a couple of questions related to
>> who can access altp2m. Based on this call, a guest is allowed to
>> manage its own altp2m. Can you explain why we would want a guest to do
>> that?
>>
>
> On x86, altp2m might be used by the guest in the #VE (Virtualization
> Exception). On ARM, it is indeed not necessary for a guest to access
> altp2m. Could you provide me with information on how to best restrict
> non-privileged guests (not only dom0) from accessing these HVMOPs? Can
> this be done by means of xsm? Thank you.

This does not look safe for both x86 and ARM. From my understanding a
malware would be able to modify an altp2m, switching between 2 views...
which would lead to removing the entire purpose of altp2m.

When XSM is not enabled (this is the default on Xen), XSM_TARGET allows
the guest (see xsm_default_action) to call the operations. So I am not
convinced XSM is the right way to go.

>
>> Also, I have noticed that a guest is allowed to disable ALTP2M on ARM
>> because it can set any param (x86 has some restriction on it). Similarly,
>> the ALTP2M parameter can be set multiple times.
>>
>
> Same here.

Have a look at how x86 restricts the write to HVMOP_set_param.

Regards,

--
Julien Grall
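
The default-policy behaviour discussed in the message above, as an added example that is not part of the original message or of Xen's source: a simplified C model of the XSM-disabled policy. struct dom, the fixture domains and altp2m_access() are hypothetical names, and the fall-through order is an assumption about how xsm_default_action treats these levels.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the default-action levels named in the thread. */
enum xsm_default { XSM_HOOK, XSM_TARGET, XSM_DM_PRIV, XSM_PRIV };

struct dom {                       /* hypothetical, not Xen's struct domain */
    int id;
    bool is_privileged;            /* control domain */
    const struct dom *target;      /* domain this one is device model for */
};

/* Constructed fixtures: control domain, two guests, a stub domain. */
static const struct dom dom0    = { 0, true,  NULL };
static const struct dom guest   = { 1, false, NULL };
static const struct dom other   = { 3, false, NULL };
static const struct dom stubdom = { 2, false, &guest };

/* Model of the decision taken when no XSM policy module is loaded. */
static int model_default_action(enum xsm_default action,
                                const struct dom *src,
                                const struct dom *target)
{
    switch (action) {
    case XSM_HOOK:
        return 0;                          /* anyone may call */
    case XSM_TARGET:
        if (src == target)
            return 0;                      /* a guest acting on itself */
        /* fall through */
    case XSM_DM_PRIV:
        if (target && src->target == target)
            return 0;                      /* its device model */
        /* fall through */
    case XSM_PRIV:
        return src->is_privileged ? 0 : -EPERM;
    }
    return -EPERM;
}

/* Access decision for an altp2m HVMOP issued by 'cur' against 'd'. */
static int altp2m_access(enum xsm_default action,
                         const struct dom *cur, const struct dom *d)
{
    return model_default_action(action, cur, d);
}

int main(void)
{
    printf("guest on itself, XSM_TARGET:  %d\n", altp2m_access(XSM_TARGET, &guest, &guest));
    printf("guest on itself, XSM_DM_PRIV: %d\n", altp2m_access(XSM_DM_PRIV, &guest, &guest));
    return 0;
}
```

In this model only a level stricter than XSM_TARGET refuses the guest's call on itself while still admitting the control domain or a device model.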