From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ben Catterall
Subject: [RFC 4/4] HVM x86 deprivileged mode: Trap handlers for deprivileged mode
Date: Thu, 6 Aug 2015 17:45:19 +0100
Message-ID: <1438879519-564-5-git-send-email-Ben.Catterall@citrix.com>
References: <1438879519-564-1-git-send-email-Ben.Catterall@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1438879519-564-1-git-send-email-Ben.Catterall@citrix.com>
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xensource.com
Cc: keir@xen.org, ian.campbell@citrix.com, george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com, tim@xen.org, jbeulich@suse.com, Ben Catterall
List-Id: xen-devel@lists.xenproject.org

Added trap handlers to catch exceptions such as a page fault, general protection fault, etc. These handlers will crash the domain as such exceptions would indicate that either there is a bug in deprivileged mode or it has been compromised by an attacker.

Signed-off-by: Ben Catterall
---
 xen/arch/x86/mm/hap/hap.c | 9 +++++++++
 xen/arch/x86/traps.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index abc5113..43bde89 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -685,8 +685,17 @@ static int hap_page_fault(struct vcpu *v, unsigned long va,
 {
 struct domain *d = v->domain;
+ /* If we get a page fault whilst in HVM security user mode */
+ if( v->user_mode == 1 )
+ {
+ printk("HVM: #PF (%u:%u) whilst in user mode\n",
+ d->domain_id, v->vcpu_id);
+ domain_crash_synchronous();
+ }
+
 HAP_ERROR("Intercepted a guest #PF (%u:%u) with HAP enabled.\n",
 d->domain_id, v->vcpu_id);
+ domain_crash(d);
 return 0;
 }
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 9f5a6c6..19d465f 100644
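Review bot: The new `printk("HVM: #PF (%u:%u) whilst in user mode\n", ...)` inside the `v->user_mode == 1` branch of hap_page_fault is a guest-attributable message emitted through plain `printk`, with no guest log level, so a deprivileged-mode run that keeps faulting (the exact case this branch exists to catch) can spam the hypervisor console before the crash lands; the `HAP_ERROR` call immediately below it shows the file's own convention, so this should be `HAP_ERROR("#PF (%u:%u) whilst in HVM deprivileged mode.\n", d->domain_id, v->vcpu_id);` or at least `printk(XENLOG_G_ERR ...)` so it is subject to the guest log-level threshold. `if( v->user_mode == 1 )` also departs from Xen style; `if ( v->user_mode )` reads as the boolean test it appears to be. `domain_crash_synchronous()` acts on `current`'s domain rather than on `d`, which is only equivalent if `v == current` in this hook, so a one-line comment stating that assumption would help. It is also worth confirming that a #PF taken while executing in deprivileged mode is delivered through this paging hook at all rather than through the hypervisor's own do_page_fault in traps.c, which this series does not touch; if it is not, this check never runs.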
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -74,6 +74,7 @@
 #include
 #include
 #include
+#include
 /*
 * opt_nmi: one of 'ignore', 'dom0', or 'fatal'.
@@ -500,6 +501,11 @@ static void do_guest_trap(
 struct trap_bounce *tb;
 const struct trap_info *ti;
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+
 trace_pv_trap(trapnr, regs->eip, use_error_code, regs->error_code);
 tb = &v->arch.pv_vcpu.trap_bounce;
@@ -619,6 +625,11 @@ static void do_trap(struct cpu_user_regs *regs, int use_error_code)
 if ( guest_mode(regs) )
 {
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+
 do_guest_trap(trapnr, regs, use_error_code);
 return;
 }
@@ -1072,6 +1083,11 @@ void do_invalid_op(struct cpu_user_regs *regs)
 if ( likely(guest_mode(regs)) )
 {
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+
 if ( !emulate_invalid_rdtscp(regs) && !emulate_forced_invalid_op(regs) )
 do_guest_trap(TRAP_invalid_op, regs, 0);
@@ -1163,7 +1179,12 @@ void do_int3(struct cpu_user_regs *regs)
 {
 debugger_trap_fatal(TRAP_int3, regs);
 return;
- }
+ }
+
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
 do_guest_trap(TRAP_int3, regs, 0);
 }
@@ -3231,6 +3252,11 @@ void do_general_protection(struct cpu_user_regs *regs)
 if ( !guest_mode(regs) )
 goto gp_in_kernel;
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+
 /*
 * Cunning trick to allow arbitrary "INT n" handling.
 *
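Review bot: Everything after the new `hvm_deprivileged_check_trap(__FUNCTION__)` call in do_guest_trap is PV-only handling (`trace_pv_trap`, `v->arch.pv_vcpu.trap_bounce`), so for an HVM vcpu in deprivileged mode the correctness of this hunk rests entirely on that function never returning when the vcpu is deprivileged; its definition is not in this patch, so I cannot confirm that from here. That contract should be stated where it is relied upon, e.g. `/* Does not return if the vcpu is in HVM deprivileged mode: the domain is crashed. */`, because the comment as written ("then we should crash the domain") describes an intention rather than what the callee guarantees. do_guest_trap's body continues outside the hunk.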
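Review bot: The check added to do_trap's `guest_mode(regs)` branch is immediately followed by `do_guest_trap(trapnr, regs, use_error_code);`, which this same patch also instruments with `hvm_deprivileged_check_trap`, so a trap on that path is checked twice; do_invalid_op's guest branch likewise ends in `do_guest_trap(TRAP_invalid_op, regs, 0)`, and do_general_protection's guest path may reach it too. Pick one choke point, either the single call in do_guest_trap or the per-handler calls, and say so in a comment at that point, since duplicated checks tend to drift apart under later edits. The only per-handler call that does not look redundant from this view is the one in do_device_not_available, whose path does not pass through do_guest_trap. The enclosing functions all continue outside their hunks.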
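Review bot: The `-    }` / `+    }` pair in the do_int3 hunk changes no visible text, so it is a whitespace-only edit to an existing line that is unrelated to the feature and accounts for the patch's single deletion; it should be dropped, or moved to a separate cleanup, so the diff shows only the deprivileged-mode change. The placement of `hvm_deprivileged_check_trap(__FUNCTION__);` after the `!guest_mode` early return is otherwise consistent with the other handlers. do_int3 starts before the hunk.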
@@ -3490,6 +3516,11 @@ void do_device_not_available(struct cpu_user_regs *regs)
 BUG_ON(!guest_mode(regs));
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+
 vcpu_restore_fpu_lazy(curr);
 if ( curr->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS )
@@ -3531,6 +3562,14 @@ void do_debug(struct cpu_user_regs *regs)
 DEBUGGER_trap_entry(TRAP_debug, regs);
+ if( guest_mode(regs) )
+ {
+ /* If we take the trap whilst in HVM deprivileged mode
+ * then we should crash the domain.
+ */
+ hvm_deprivileged_check_trap(__FUNCTION__);
+ }
+
 if ( !guest_mode(regs) )
 {
 if ( regs->eflags & X86_EFLAGS_TF )
--
2.1.4
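Review bot: `if( guest_mode(regs) )` in the do_debug hunk departs from the Xen style used on the very next line, `if ( !guest_mode(regs) )`, and should read `if ( guest_mode(regs) )`. The new block and the existing one test the same condition with opposite polarity, so the natural shape is to make the check the `else` arm of the existing `if ( !guest_mode(regs) )`, but that block's closing brace lies outside the hunk, so I would only restructure it with the full function in view. The same three-line comment is now pasted verbatim at every call site in this file; a one-liner such as `/* Crash the domain if #DB was taken in HVM deprivileged mode. */` carries the same information and is easier to keep consistent. do_debug continues outside the hunk.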