From: Ben Catterall <Ben.Catterall@citrix.com>
To: xen-devel@lists.xensource.com
Cc: keir@xen.org, ian.campbell@citrix.com,
	george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com,
	tim@xen.org, jbeulich@suse.com,
	Ben Catterall <Ben.Catterall@citrix.com>
Subject: [RFC 4/4] HVM x86 deprivileged mode: Trap handlers for deprivileged mode
Date: Thu, 6 Aug 2015 17:45:19 +0100	[thread overview]
Message-ID: <1438879519-564-5-git-send-email-Ben.Catterall@citrix.com> (raw)
In-Reply-To: <1438879519-564-1-git-send-email-Ben.Catterall@citrix.com>

Added trap handlers to catch exceptions such as a page fault, general
protection fault, etc. These handlers crash the domain, since such exceptions
would indicate either a bug in deprivileged mode or that it has been
compromised by an attacker.

Signed-off-by: Ben Catterall <Ben.Catterall@citrix.com>
---
 xen/arch/x86/mm/hap/hap.c |  9 +++++++++
 xen/arch/x86/traps.c      | 41 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index abc5113..43bde89 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -685,8 +685,17 @@ static int hap_page_fault(struct vcpu *v, unsigned long va,
 {
     struct domain *d = v->domain;
 
+    /* If we get a page fault whilst in HVM security user mode */
+    if( v->user_mode == 1 )
+    {
+        printk("HVM: #PF (%u:%u) whilst in user mode\n",
+                 d->domain_id, v->vcpu_id);
+        domain_crash_synchronous();
+    }
+
     HAP_ERROR("Intercepted a guest #PF (%u:%u) with HAP enabled.\n",
               d->domain_id, v->vcpu_id);
+
     domain_crash(d);
     return 0;
 }
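Review bot: The printk added at L36 sits on a guest-reachable path but carries no log level; Xen's convention for guest-triggerable messages is a XENLOG_G_ prefix so they are rate-limited rather than letting a guest flood the console, e.g. `printk(XENLOG_G_ERR "HVM: #PF (%u:%u) whilst in user mode\n", d->domain_id, v->vcpu_id);`. The test `if( v->user_mode == 1 )` at L34 also bypasses the hvm_deprivileged_check_trap() helper that every traps.c hunk in this patch uses for the same decision, and drops the `if ( ... )` spacing used on the surrounding lines; `if ( v->user_mode )` would match both. It is not obvious from the hunk that a #PF taken while Xen runs in deprivileged mode reaches hap_page_fault rather than traps.c's do_page_fault, which this patch does not touch, so the commit message should say which path is expected. The function's signature is above the hunk; its body is shown in full.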
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 9f5a6c6..19d465f 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -74,6 +74,7 @@
 #include <asm/vpmu.h>
 #include <public/arch-x86/cpuid.h>
 #include <xsm/xsm.h>
+#include <xen/hvm/deprivileged.h>
 
 /*
  * opt_nmi: one of 'ignore', 'dom0', or 'fatal'.
@@ -500,6 +501,11 @@ static void do_guest_trap(
     struct trap_bounce *tb;
     const struct trap_info *ti;
 
+    /* If we take the trap whilst in HVM deprivileged mode
+     * then we should crash the domain.
+     */
+    hvm_deprivileged_check_trap(__FUNCTION__);
+
     trace_pv_trap(trapnr, regs->eip, use_error_code, regs->error_code);
 
     tb = &v->arch.pv_vcpu.trap_bounce;
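Review bot: The check added here in do_guest_trap already runs for every caller that reaches it, so the identical calls placed just before do_guest_trap in do_trap (hunk ending at L82) and do_int3 (hunk ending at L108) appear redundant; the copies in do_invalid_op and do_general_protection are not, since those functions have emulation paths that return without calling do_guest_trap. `__FUNCTION__` is a GCC extension; the C99 `hvm_deprivileged_check_trap(__func__);` does the same job and is the portable spelling — this applies to all seven call sites in the patch. The four-line comment is repeated verbatim at each site; a one-line `/* Crash the domain if this trap was taken in HVM deprivileged mode. */` would carry the same information. The body of do_guest_trap continues past this hunk.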
@@ -619,6 +625,11 @@ static void do_trap(struct cpu_user_regs *regs, int use_error_code)
 
     if ( guest_mode(regs) )
     {
+        /* If we take the trap whilst in HVM deprivileged mode
+         * then we should crash the domain.
+         */
+        hvm_deprivileged_check_trap(__FUNCTION__);
+
         do_guest_trap(trapnr, regs, use_error_code);
         return;
     }
@@ -1072,6 +1083,11 @@ void do_invalid_op(struct cpu_user_regs *regs)
 
     if ( likely(guest_mode(regs)) )
     {
+        /* If we take the trap whilst in HVM deprivileged mode
+         * then we should crash the domain.
+         */
+        hvm_deprivileged_check_trap(__FUNCTION__);
+
         if ( !emulate_invalid_rdtscp(regs) &&
              !emulate_forced_invalid_op(regs) )
             do_guest_trap(TRAP_invalid_op, regs, 0);
@@ -1163,7 +1179,12 @@ void do_int3(struct cpu_user_regs *regs)
     {
         debugger_trap_fatal(TRAP_int3, regs);
         return;
-    } 
+    }
+
+    /* If we take the trap whilst in HVM deprivileged mode
+     * then we should crash the domain.
+     */
+    hvm_deprivileged_check_trap(__FUNCTION__);
 
     do_guest_trap(TRAP_int3, regs, 0);
 }
@@ -3231,6 +3252,11 @@ void do_general_protection(struct cpu_user_regs *regs)
     if ( !guest_mode(regs) )
         goto gp_in_kernel;
 
+    /* If we take the trap whilst in HVM deprivileged mode
+     * then we should crash the domain.
+     */
+    hvm_deprivileged_check_trap(__FUNCTION__);
+
     /*
      * Cunning trick to allow arbitrary "INT n" handling.
      * 
@@ -3490,6 +3516,11 @@ void do_device_not_available(struct cpu_user_regs *regs)
 
     BUG_ON(!guest_mode(regs));
 
+    /* If we take the trap whilst in HVM deprivileged mode
+     * then we should crash the domain.
+     */
+    hvm_deprivileged_check_trap(__FUNCTION__);
+
     vcpu_restore_fpu_lazy(curr);
 
     if ( curr->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS )
@@ -3531,6 +3562,14 @@ void do_debug(struct cpu_user_regs *regs)
 
     DEBUGGER_trap_entry(TRAP_debug, regs);
 
+    if( guest_mode(regs) )
+    {
+        /* If we take the trap whilst in HVM deprivileged mode
+         * then we should crash the domain.
+         */
+        hvm_deprivileged_check_trap(__FUNCTION__);
+    }
+
     if ( !guest_mode(regs) )
     {
         if ( regs->eflags & X86_EFLAGS_TF )
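Review bot: The new `if( guest_mode(regs) )` block at L137 is immediately followed by the pre-existing `if ( !guest_mode(regs) )` at L145, so the same predicate is evaluated twice with opposite sense; the call could hang off the existing test as an `else`, or, if hvm_deprivileged_check_trap() is a no-op outside deprivileged mode as its use elsewhere in this patch suggests, the guard could be dropped in favour of a bare call as in the do_guest_trap hunk. The `if(` spacing at L137 also departs from the `if ( ... )` form used on the surrounding lines. do_debug continues past this hunk on both sides.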
-- 
2.1.4
