From: "Jan Beulich" <JBeulich@suse.com>
To: George Dunlap <george.dunlap@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
	David Vrabel <david.vrabel@citrix.com>,
	Anthony Perard <anthony.perard@citrix.com>,
	xen-devel <xen-devel@lists.xenproject.org>,
	dgdegra@tycho.nsa.gov
Subject: Re: Device model operation hypercall (DMOP, re qemu depriv)
Date: Mon, 15 Aug 2016 04:19:43 -0600
Message-ID: <57B1B35F0200007800105DE9@prv-mh.provo.novell.com>
In-Reply-To: <dc7592ee-416a-a6ac-2756-ef8d095c2617@citrix.com>

>>> On 15.08.16 at 11:39, <george.dunlap@citrix.com> wrote:
> On 12/08/16 12:50, Jan Beulich wrote:
>>>>> On 12.08.16 at 11:44, <george.dunlap@citrix.com> wrote:
>>> On 09/08/16 12:30, Jan Beulich wrote:
>>>>>>> On 09.08.16 at 12:48, <ian.jackson@eu.citrix.com> wrote:
>>>>> Jan Beulich writes ("Re: Device model operation hypercall (DMOP, re qemu 
>>>>> depriv)"):
>>>>>> Actually, having thought about this some more, and taking this
>>>>>> together with the expectations to the privcmd driver previously
>>>>>> outlined, I think this part is problematic: If all the driver is to know
>>>>>> is the position (within the interface structure) of the target domain
>>>>>> ID, then any guest handles embedded in the interface structure
>>>>>> (XEN_HVMCTL_track_dirty_vram only for now) couldn't get
>>>>>> validated, and hence user mode code would have a way to access
>>>>>> or modify kernel memory.
>>>>>
>>>>> Could the hypervisor know the difference between user and kernel
>>>>> memory, in principle ?
>>>>
>>>> Not without further new hypercalls, as the guest kernel would need
>>>> to tell Xen what address ranges are kernel vs user (and that implies
>>>> that any OS wishing to be able to act as Dom0 has a uniform
>>>> separation of address spaces).
>>>
>>> Couldn't Xen tell from the guest pagetables whether the memory being
>>> accessed was user-mode or kernel mode?
>> 
>> That would be possible, but would feel like adding heuristics instead
>> of a proper distinction. Clearly we'd already be in some trouble if
>> there were cases where some structure doesn't get written to (and
>> hence could live in user-r/o mapped space), but others would need
>> to be verified to be user-r/w mapped. A lot of special casing, that is,
>> and hence a lot of things to be got wrong.
>> 
>> And then there is the problem of calling code being in rings 1 or 2:
>> Page tables don't guard ring 0 against such, and we don't even have
>> the notion of selectors (and hence address ranges) bounding
>> accessible regions. We can't even say we assume all of them to be
>> %ds-relative, as it would certainly be legitimate for such a structure
>> to e.g. live on the stack. Of course an option would be to require
>> the kernel driver to not allow requests from other than ring 3.
>> 
>> Plus finally - how would we tell interface structures coming from a
>> kernel invoked hypercall from those originating from user mode?
>> There would need to be at least some kind of flag then, which the
>> privcmd driver set, but normal hypercalls originating in the kernel
>> don't. Or would you envision to allow this DMOP hypercall to only
>> be made by user mode tools? If so, does stubdom run its qemu in
>> ring 3 or rather in ring 0?
>> 
>> [breaking the order of quoting]
>>> And unless we're positive the guest kernel will never need these
>>> hypercalls, we probably need a flag that allows kernel-mode pointers.
>> 
>> Ah, you actually mention that already.
>> 
>>>>>  (Would it be sufficient to check the starts, or would
>>>>> the ends need to be checked too?)
>>>>
>>>> Both would need to be checked, so the size field(s) would need to
>>>> be locatable too.
>>>
>>> We could have the "fixed" part of the structure contain domid and an
>>> array of <ptr, len> which the privcmd driver could check.  I don't think
>>> that would be terrible.
>> 
>> Doable, yes, but not really nice, especially for the party invoking
>> the hypercall as well as the backing implementation in Xen (as
>> opposed to the privcmd driver, for which such a model would likely
>> work quite well), as they then can't use the normal, simple reading
>> of structure fields, but instead would need to populate array
>> elements in the right order.
> 
> So on the whole, what would be your suggestion for how to solve the
> userspace-pointer problem?

Well, none of the options considered so far are really nice or
readily available. I think the easiest to use for both the caller and
the implementation of the hypercall would be the auxiliary
hypercall for a kernel to indicate user/kernel boundaries plus a
flag on the DMOP one for the kernel mode driver to indicate its
user mode origin. The main (purely theoretical afaict) downside
of this is the difficulty to use it in OSes with variable user/kernel
boundaries.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
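The privcmd-side check debated in the thread (a fixed header carrying the domid plus an array of <ptr, len> entries, with both the start and the end of each buffer verified against the user/kernel boundary) as an added example; it is not code from the thread or from Xen, and the structure layout, `USER_LIMIT`, `DMOP_MAX_BUFS` and the function names are assumptions.

```c
/* Added example, hypothetical privcmd-style validation of a DMOP-like
 * request: every <ptr, len> buffer must lie wholly inside user-mode
 * address space before the request is forwarded to the hypervisor.
 * Layout, limits and names are assumed here, not taken from Xen. */
#include <stdint.h>
#include <stdbool.h>

/* Assumed user/kernel split for a 64-bit guest kernel: user addresses
 * are strictly below USER_LIMIT. A real driver takes this from the OS. */
#define USER_LIMIT    ((uint64_t)1 << 47)
#define DMOP_MAX_BUFS 4

struct dmop_buf {
    uint64_t ptr;   /* guest-virtual address of the buffer */
    uint64_t len;   /* length in bytes */
};

/* The "fixed" part the kernel driver understands: target domid plus
 * the table of buffers the opaque payload may refer to. */
struct dmop_req {
    uint16_t domid;
    uint16_t nr_bufs;
    struct dmop_buf bufs[DMOP_MAX_BUFS];
};

/* Both ends are checked: a buffer that starts in user space but ends at
 * or beyond USER_LIMIT, or whose ptr + len would wrap, is rejected. The
 * subtraction form avoids computing ptr + len, so no overflow is possible. */
static bool buf_in_user_range(const struct dmop_buf *b)
{
    if (b->ptr >= USER_LIMIT)
        return false;                    /* start is kernel memory */
    if (b->len > USER_LIMIT - b->ptr)
        return false;                    /* end crosses the limit or wraps */
    return true;
}

/* True when the whole request may be passed on to the hypervisor. */
bool dmop_req_user_ok(const struct dmop_req *r)
{
    if (r->nr_bufs > DMOP_MAX_BUFS)
        return false;                    /* table would be read out of bounds */
    for (unsigned i = 0; i < r->nr_bufs; i++)
        if (!buf_in_user_range(&r->bufs[i]))
            return false;
    return true;
}
```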