From: Julien Grall <julien.grall@arm.com>
To: Tamas K Lengyel <tamas@tklengyel.com>
Cc: Sergej Proskurin <proskurin@sec.in.tum.de>,
Stefano Stabellini <sstabellini@kernel.org>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Jan Beulich <JBeulich@suse.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs.
Date: Wed, 6 Jul 2016 17:29:38 +0100 [thread overview]
Message-ID: <577D31F2.5090503@arm.com> (raw)
In-Reply-To: <CABfawhn7mXNyWTb3pS+TKHorSf1VUpBjFMWG+DqAF6ELrYaGcQ@mail.gmail.com>
On 06/07/16 17:05, Tamas K Lengyel wrote:
> On Wed, Jul 6, 2016 at 9:54 AM, Julien Grall <julien.grall@arm.com> wrote:
>> Taken aside the VMFUNC, it looks like insecure to expose a HVMOP to the
>> guest which could modify the memaccess attribute of a region.
>>
>> I thought the whole purpose of VM introspection is to avoid trusting the
>> guest (kernel + userspace). The first thing a malware will do is trying to
>> do is getting access to the kernel. Once it gets this access, it could
>> remove all the memory access restriction to avoid trapping.
>
> That's why I'm saying systems that use this will likely do extra steps
> to ensure kernel integrity. In use-cases where this is to be used
> exclusively for external monitoring the system can be restricted with
> XSM to not allow the guest to issue the hvmops. And remember, on x86
> this system is not exclusively used for introspection.
I am not aware on how x86 is using alt2pm. And this series didn't give
much explanation how this is supposed to work...
>>
>>> As for ARM - as there is no hardware features like this available -
>>> our goal is to use altp2m in purely external usecases so exposing
>>> these ops to the guest is not required. For the first prototype it
>>> made sense to mirror the x86 side to reduce the possibility of
>>> introducing some bug.
>>
>>
>> No, this is not the right approach. We should not introduce potential
>> security issue just because x86 side does it and it "reduces the possibility
>> of introducing some bug".
>>
>> You will have to give me another reason to accept a such patch.
>
> The first revision of a large series is highly unlikely to get
> accepted on the first run so we have been working with the assumption
> that there will be new revisions. The prototype has been working well
> enough for our internal tests to warrant not submitting it as PATCH
> RFC. Since this is Sergej's first work with Xen it helped to mirror
> the x86 to get him up to speed while working on the prototype and
> reducing the complexity he has to keep track of. Now that this phase
> is complete the adjustments can be made as required, such as not
> exposing these hvmops to ARM guests.
A such large series is already hard to review, it is even harder when
the contributor leaves code unfinished because he assumed there will be
a new revision. Actually this is the whole purpose of tagging the series
with "RFC". It is used that the series is not in a state where it could
potentially be committed.
Regards,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-07-06 16:29 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-04 11:45 [PATCH 00/18] arm/altp2m: Introducing altp2m to ARM Sergej Proskurin
2016-07-04 11:45 ` [PATCH 01/18] arm/altp2m: Add cmd-line support for altp2m on ARM Sergej Proskurin
2016-07-04 12:15 ` Andrew Cooper
2016-07-04 13:02 ` Sergej Proskurin
2016-07-04 13:25 ` Julien Grall
2016-07-04 13:43 ` Sergej Proskurin
2016-07-04 17:42 ` Julien Grall
2016-07-04 17:56 ` Tamas K Lengyel
2016-07-04 21:08 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs Sergej Proskurin
2016-07-04 13:36 ` Julien Grall
2016-07-04 13:51 ` Sergej Proskurin
2016-07-05 10:19 ` Julien Grall
2016-07-06 9:14 ` Sergej Proskurin
2016-07-06 13:43 ` Julien Grall
2016-07-06 15:23 ` Tamas K Lengyel
2016-07-06 15:54 ` Julien Grall
2016-07-06 16:05 ` Tamas K Lengyel
2016-07-06 16:29 ` Julien Grall [this message]
2016-07-06 16:35 ` Tamas K Lengyel
2016-07-06 18:35 ` Julien Grall
2016-07-07 9:14 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 03/18] arm/altp2m: Add HVMOP_altp2m_get_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 04/18] arm/altp2m: Add altp2m init/teardown routines Sergej Proskurin
2016-07-04 15:17 ` Julien Grall
2016-07-04 16:40 ` Sergej Proskurin
2016-07-04 16:43 ` Andrew Cooper
2016-07-04 16:56 ` Sergej Proskurin
2016-07-04 17:44 ` Julien Grall
2016-07-04 21:19 ` Sergej Proskurin
2016-07-04 21:35 ` Julien Grall
2016-07-04 21:46 ` Sergej Proskurin
2016-07-04 18:18 ` Julien Grall
2016-07-04 21:37 ` Sergej Proskurin
2016-07-04 18:30 ` Julien Grall
2016-07-04 21:56 ` Sergej Proskurin
2016-07-04 16:15 ` Julien Grall
2016-07-04 16:51 ` Sergej Proskurin
2016-07-04 18:34 ` Julien Grall
2016-07-05 7:45 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 05/18] arm/altp2m: Add HVMOP_altp2m_set_domain_state Sergej Proskurin
2016-07-04 15:39 ` Julien Grall
2016-07-05 8:45 ` Sergej Proskurin
2016-07-05 10:11 ` Julien Grall
2016-07-05 12:05 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 06/18] arm/altp2m: Add a(p2m) table flushing routines Sergej Proskurin
2016-07-04 12:12 ` Sergej Proskurin
2016-07-04 15:42 ` Julien Grall
2016-07-05 8:52 ` Sergej Proskurin
2016-07-04 15:55 ` Julien Grall
2016-07-05 9:51 ` Sergej Proskurin
2016-07-04 16:20 ` Julien Grall
2016-07-05 9:57 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 07/18] arm/altp2m: Add HVMOP_altp2m_create_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 08/18] arm/altp2m: Add HVMOP_altp2m_destroy_p2m Sergej Proskurin
2016-07-04 16:32 ` Julien Grall
2016-07-05 11:37 ` Sergej Proskurin
2016-07-05 11:48 ` Julien Grall
2016-07-05 12:18 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 09/18] arm/altp2m: Add HVMOP_altp2m_switch_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 10/18] arm/altp2m: Renamed and extended p2m_alloc_table Sergej Proskurin
2016-07-04 18:43 ` Julien Grall
2016-07-05 13:56 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 11/18] arm/altp2m: Make flush_tlb_domain ready for altp2m Sergej Proskurin
2016-07-04 12:30 ` Sergej Proskurin
2016-07-04 20:32 ` Julien Grall
2016-07-05 14:48 ` Sergej Proskurin
2016-07-05 15:37 ` Julien Grall
2016-07-05 20:21 ` Sergej Proskurin
2016-07-06 14:28 ` Julien Grall
2016-07-06 14:39 ` Sergej Proskurin
2016-07-07 17:24 ` Julien Grall
2016-07-04 11:45 ` [PATCH 12/18] arm/altp2m: Cosmetic fixes - function prototypes Sergej Proskurin
2016-07-15 13:45 ` Julien Grall
2016-07-16 15:18 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 13/18] arm/altp2m: Make get_page_from_gva ready for altp2m Sergej Proskurin
2016-07-04 20:34 ` Julien Grall
2016-07-05 20:31 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 14/18] arm/altp2m: Add HVMOP_altp2m_set_mem_access Sergej Proskurin
2016-07-05 12:49 ` Julien Grall
2016-07-05 21:55 ` Sergej Proskurin
2016-07-06 14:32 ` Julien Grall
2016-07-06 16:12 ` Tamas K Lengyel
2016-07-06 16:59 ` Julien Grall
2016-07-06 17:03 ` Sergej Proskurin
2016-07-06 17:08 ` Julien Grall
2016-07-07 9:16 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 15/18] arm/altp2m: Add altp2m paging mechanism Sergej Proskurin
2016-07-04 20:53 ` Julien Grall
2016-07-06 8:33 ` Sergej Proskurin
2016-07-06 14:26 ` Julien Grall
2016-07-04 11:45 ` [PATCH 16/18] arm/altp2m: Extended libxl to activate altp2m on ARM Sergej Proskurin
2016-07-07 16:27 ` Wei Liu
2016-07-24 16:06 ` Sergej Proskurin
2016-07-25 8:32 ` Wei Liu
2016-07-25 9:04 ` Sergej Proskurin
2016-07-25 9:49 ` Julien Grall
2016-07-25 10:08 ` Wei Liu
2016-07-25 11:26 ` Sergej Proskurin
2016-07-25 11:37 ` Wei Liu
2016-07-04 11:45 ` [PATCH 17/18] arm/altp2m: Adjust debug information to altp2m Sergej Proskurin
2016-07-04 20:58 ` Julien Grall
2016-07-06 8:41 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 18/18] arm/altp2m: Extend xen-access for altp2m on ARM Sergej Proskurin
2016-07-04 13:38 ` Razvan Cojocaru
2016-07-06 8:44 ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 01/18] arm/altp2m: Add cmd-line support " Sergej Proskurin
2016-07-04 11:45 ` [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs Sergej Proskurin
2016-07-04 11:45 ` [PATCH 03/18] arm/altp2m: Add HVMOP_altp2m_get_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 04/18] arm/altp2m: Add altp2m init/teardown routines Sergej Proskurin
2016-07-04 11:45 ` [PATCH 05/18] arm/altp2m: Add HVMOP_altp2m_set_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 06/18] arm/altp2m: Add a(p2m) table flushing routines Sergej Proskurin
2016-07-04 11:45 ` [PATCH 07/18] arm/altp2m: Add HVMOP_altp2m_create_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 08/18] arm/altp2m: Add HVMOP_altp2m_destroy_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 09/18] arm/altp2m: Add HVMOP_altp2m_switch_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 10/18] arm/altp2m: Renamed and extended p2m_alloc_table Sergej Proskurin
2016-07-04 11:45 ` [PATCH 11/18] arm/altp2m: Make flush_tlb_domain ready for altp2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 12/18] arm/altp2m: Cosmetic fixes - function prototypes Sergej Proskurin
2016-07-04 11:46 ` [PATCH 13/18] arm/altp2m: Make get_page_from_gva ready for altp2m Sergej Proskurin
2016-07-04 11:46 ` [PATCH 14/18] arm/altp2m: Add HVMOP_altp2m_set_mem_access Sergej Proskurin
2016-07-04 11:46 ` [PATCH 15/18] arm/altp2m: Add altp2m paging mechanism Sergej Proskurin
2016-07-04 11:46 ` [PATCH 16/18] arm/altp2m: Extended libxl to activate altp2m on ARM Sergej Proskurin
2016-07-04 11:46 ` [PATCH 17/18] arm/altp2m: Adjust debug information to altp2m Sergej Proskurin
2016-07-04 11:46 ` [PATCH 18/18] arm/altp2m: Extend xen-access for altp2m on ARM Sergej Proskurin
2016-07-04 12:52 ` [PATCH 00/18] arm/altp2m: Introducing altp2m to ARM Andrew Cooper
2016-07-04 13:05 ` Sergej Proskurin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=577D31F2.5090503@arm.com \
--to=julien.grall@arm.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=proskurin@sec.in.tum.de \
--cc=sstabellini@kernel.org \
--cc=tamas@tklengyel.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).