All of lore.kernel.org
 help / color / mirror / Atom feed
From: Julien Grall <julien.grall@arm.com>
To: Sergej Proskurin <proskurin@sec.in.tum.de>,
	xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
	Tamas K Lengyel <tamas@tklengyel.com>
Subject: Re: [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs.
Date: Wed, 6 Jul 2016 14:43:31 +0100	[thread overview]
Message-ID: <577D0B03.6010406@arm.com> (raw)
In-Reply-To: <15a29ba5-e8e6-9ddf-9a86-9f18ade4cddb@sec.in.tum.de>

Hello Sergej,

On 06/07/16 10:14, Sergej Proskurin wrote:
> On 07/05/2016 12:19 PM, Julien Grall wrote:
>> Hello Sergej,
>>
>> On 04/07/16 12:45, Sergej Proskurin wrote:
>>> +static int do_altp2m_op(XEN_GUEST_HANDLE_PARAM(void) arg)
>>> +{
>>> +    struct xen_hvm_altp2m_op a;
>>> +    struct domain *d = NULL;
>>> +    int rc = 0;
>>> +
>>> +    if ( !hvm_altp2m_supported() )
>>> +        return -EOPNOTSUPP;
>>> +
>>> +    if ( copy_from_guest(&a, arg, 1) )
>>> +        return -EFAULT;
>>> +
>>> +    if ( a.pad1 || a.pad2 ||
>>> +         (a.version != HVMOP_ALTP2M_INTERFACE_VERSION) ||
>>> +         (a.cmd < HVMOP_altp2m_get_domain_state) ||
>>> +         (a.cmd > HVMOP_altp2m_change_gfn) )
>>> +        return -EINVAL;
>>> +
>>> +    d = (a.cmd != HVMOP_altp2m_vcpu_enable_notify) ?
>>> +        rcu_lock_domain_by_any_id(a.domain) :
>>> rcu_lock_current_domain();
>>> +
>>> +    if ( d == NULL )
>>> +        return -ESRCH;
>>> +
>>> +    if ( (a.cmd != HVMOP_altp2m_get_domain_state) &&
>>> +         (a.cmd != HVMOP_altp2m_set_domain_state) &&
>>> +         !d->arch.altp2m_active )
>>> +    {
>>> +        rc = -EOPNOTSUPP;
>>> +        goto out;
>>> +    }
>>> +
>>> +    if ( (rc = xsm_hvm_altp2mhvm_op(XSM_TARGET, d)) )
>>> +        goto out;
>>
>> I think this is the best place to ask a couple of questions related to
>> who can access altp2m. Based on this call, a guest is allowed to
>> manage its own altp2m. Can you explain why we would want a guest to do
>> that?
>>
>
> On x86, altp2m might be used by the guest in the #VE (Virtualization
> Exception). On ARM, there is indeed not necessary for a guest to access
> altp2m. Could you provide me with information, how to best restrict
> non-privileged guests (not only dom0) from accessing these HVMOPs? Can
> thisbedone by means of xsm? Thank you.

This does not looks safe for both x86 and ARM. From my understanding a 
malware would be able to modify an altp2m, switching between 2 view... 
which would lead to remove the entire purpose of altp2m.

When XSM is not enabled (this is the default on Xen), XSM_TARGET allows 
the guest (see xsm_default_action) to call the operations. So I am not 
convince XSM is the right way to go.

>
>> Also, I have noticed that a guest is allowed to disable ALTP2M on ARM
>> because it set any param (x86 has some restriction on it). Similarly,
>> the ALTP2M parameter can be set multiple time.
>>
>
> Same here.

Give a look how x86 restrict the write to HVMOP_set_param.

Regards,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

  reply	other threads:[~2016-07-06 13:43 UTC|newest]

Thread overview: 126+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-04 11:45 [PATCH 00/18] arm/altp2m: Introducing altp2m to ARM Sergej Proskurin
2016-07-04 11:45 ` [PATCH 01/18] arm/altp2m: Add cmd-line support for altp2m on ARM Sergej Proskurin
2016-07-04 12:15   ` Andrew Cooper
2016-07-04 13:02     ` Sergej Proskurin
2016-07-04 13:25   ` Julien Grall
2016-07-04 13:43     ` Sergej Proskurin
2016-07-04 17:42   ` Julien Grall
2016-07-04 17:56     ` Tamas K Lengyel
2016-07-04 21:08       ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs Sergej Proskurin
2016-07-04 13:36   ` Julien Grall
2016-07-04 13:51     ` Sergej Proskurin
2016-07-05 10:19   ` Julien Grall
2016-07-06  9:14     ` Sergej Proskurin
2016-07-06 13:43       ` Julien Grall [this message]
2016-07-06 15:23         ` Tamas K Lengyel
2016-07-06 15:54           ` Julien Grall
2016-07-06 16:05             ` Tamas K Lengyel
2016-07-06 16:29               ` Julien Grall
2016-07-06 16:35                 ` Tamas K Lengyel
2016-07-06 18:35                   ` Julien Grall
2016-07-07  9:14                     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 03/18] arm/altp2m: Add HVMOP_altp2m_get_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 04/18] arm/altp2m: Add altp2m init/teardown routines Sergej Proskurin
2016-07-04 15:17   ` Julien Grall
2016-07-04 16:40     ` Sergej Proskurin
2016-07-04 16:43       ` Andrew Cooper
2016-07-04 16:56         ` Sergej Proskurin
2016-07-04 17:44           ` Julien Grall
2016-07-04 21:19             ` Sergej Proskurin
2016-07-04 21:35               ` Julien Grall
2016-07-04 21:46               ` Sergej Proskurin
2016-07-04 18:18         ` Julien Grall
2016-07-04 21:37           ` Sergej Proskurin
2016-07-04 18:30       ` Julien Grall
2016-07-04 21:56         ` Sergej Proskurin
2016-07-04 16:15   ` Julien Grall
2016-07-04 16:51     ` Sergej Proskurin
2016-07-04 18:34       ` Julien Grall
2016-07-05  7:45         ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 05/18] arm/altp2m: Add HVMOP_altp2m_set_domain_state Sergej Proskurin
2016-07-04 15:39   ` Julien Grall
2016-07-05  8:45     ` Sergej Proskurin
2016-07-05 10:11       ` Julien Grall
2016-07-05 12:05         ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 06/18] arm/altp2m: Add a(p2m) table flushing routines Sergej Proskurin
2016-07-04 12:12   ` Sergej Proskurin
2016-07-04 15:42     ` Julien Grall
2016-07-05  8:52       ` Sergej Proskurin
2016-07-04 15:55   ` Julien Grall
2016-07-05  9:51     ` Sergej Proskurin
2016-07-04 16:20   ` Julien Grall
2016-07-05  9:57     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 07/18] arm/altp2m: Add HVMOP_altp2m_create_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 08/18] arm/altp2m: Add HVMOP_altp2m_destroy_p2m Sergej Proskurin
2016-07-04 16:32   ` Julien Grall
2016-07-05 11:37     ` Sergej Proskurin
2016-07-05 11:48       ` Julien Grall
2016-07-05 12:18         ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 09/18] arm/altp2m: Add HVMOP_altp2m_switch_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 10/18] arm/altp2m: Renamed and extended p2m_alloc_table Sergej Proskurin
2016-07-04 18:43   ` Julien Grall
2016-07-05 13:56     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 11/18] arm/altp2m: Make flush_tlb_domain ready for altp2m Sergej Proskurin
2016-07-04 12:30   ` Sergej Proskurin
2016-07-04 20:32   ` Julien Grall
2016-07-05 14:48     ` Sergej Proskurin
2016-07-05 15:37       ` Julien Grall
2016-07-05 20:21         ` Sergej Proskurin
2016-07-06 14:28           ` Julien Grall
2016-07-06 14:39             ` Sergej Proskurin
2016-07-07 17:24           ` Julien Grall
2016-07-04 11:45 ` [PATCH 12/18] arm/altp2m: Cosmetic fixes - function prototypes Sergej Proskurin
2016-07-15 13:45   ` Julien Grall
2016-07-16 15:18     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 13/18] arm/altp2m: Make get_page_from_gva ready for altp2m Sergej Proskurin
2016-07-04 20:34   ` Julien Grall
2016-07-05 20:31     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 14/18] arm/altp2m: Add HVMOP_altp2m_set_mem_access Sergej Proskurin
2016-07-05 12:49   ` Julien Grall
2016-07-05 21:55     ` Sergej Proskurin
2016-07-06 14:32       ` Julien Grall
2016-07-06 16:12         ` Tamas K Lengyel
2016-07-06 16:59           ` Julien Grall
2016-07-06 17:03           ` Sergej Proskurin
2016-07-06 17:08   ` Julien Grall
2016-07-07  9:16     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 15/18] arm/altp2m: Add altp2m paging mechanism Sergej Proskurin
2016-07-04 20:53   ` Julien Grall
2016-07-06  8:33     ` Sergej Proskurin
2016-07-06 14:26       ` Julien Grall
2016-07-04 11:45 ` [PATCH 16/18] arm/altp2m: Extended libxl to activate altp2m on ARM Sergej Proskurin
2016-07-07 16:27   ` Wei Liu
2016-07-24 16:06     ` Sergej Proskurin
2016-07-25  8:32       ` Wei Liu
2016-07-25  9:04         ` Sergej Proskurin
2016-07-25  9:49           ` Julien Grall
2016-07-25 10:08             ` Wei Liu
2016-07-25 11:26               ` Sergej Proskurin
2016-07-25 11:37                 ` Wei Liu
2016-07-04 11:45 ` [PATCH 17/18] arm/altp2m: Adjust debug information to altp2m Sergej Proskurin
2016-07-04 20:58   ` Julien Grall
2016-07-06  8:41     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 18/18] arm/altp2m: Extend xen-access for altp2m on ARM Sergej Proskurin
2016-07-04 13:38   ` Razvan Cojocaru
2016-07-06  8:44     ` Sergej Proskurin
2016-07-04 11:45 ` [PATCH 01/18] arm/altp2m: Add cmd-line support " Sergej Proskurin
2016-07-04 11:45 ` [PATCH 02/18] arm/altp2m: Add first altp2m HVMOP stubs Sergej Proskurin
2016-07-04 11:45 ` [PATCH 03/18] arm/altp2m: Add HVMOP_altp2m_get_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 04/18] arm/altp2m: Add altp2m init/teardown routines Sergej Proskurin
2016-07-04 11:45 ` [PATCH 05/18] arm/altp2m: Add HVMOP_altp2m_set_domain_state Sergej Proskurin
2016-07-04 11:45 ` [PATCH 06/18] arm/altp2m: Add a(p2m) table flushing routines Sergej Proskurin
2016-07-04 11:45 ` [PATCH 07/18] arm/altp2m: Add HVMOP_altp2m_create_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 08/18] arm/altp2m: Add HVMOP_altp2m_destroy_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 09/18] arm/altp2m: Add HVMOP_altp2m_switch_p2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 10/18] arm/altp2m: Renamed and extended p2m_alloc_table Sergej Proskurin
2016-07-04 11:45 ` [PATCH 11/18] arm/altp2m: Make flush_tlb_domain ready for altp2m Sergej Proskurin
2016-07-04 11:45 ` [PATCH 12/18] arm/altp2m: Cosmetic fixes - function prototypes Sergej Proskurin
2016-07-04 11:46 ` [PATCH 13/18] arm/altp2m: Make get_page_from_gva ready for altp2m Sergej Proskurin
2016-07-04 11:46 ` [PATCH 14/18] arm/altp2m: Add HVMOP_altp2m_set_mem_access Sergej Proskurin
2016-07-04 11:46 ` [PATCH 15/18] arm/altp2m: Add altp2m paging mechanism Sergej Proskurin
2016-07-04 11:46 ` [PATCH 16/18] arm/altp2m: Extended libxl to activate altp2m on ARM Sergej Proskurin
2016-07-04 11:46 ` [PATCH 17/18] arm/altp2m: Adjust debug information to altp2m Sergej Proskurin
2016-07-04 11:46 ` [PATCH 18/18] arm/altp2m: Extend xen-access for altp2m on ARM Sergej Proskurin
2016-07-04 12:52 ` [PATCH 00/18] arm/altp2m: Introducing altp2m to ARM Andrew Cooper
2016-07-04 13:05   ` Sergej Proskurin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=577D0B03.6010406@arm.com \
    --to=julien.grall@arm.com \
    --cc=proskurin@sec.in.tum.de \
    --cc=sstabellini@kernel.org \
    --cc=tamas@tklengyel.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.