
xen-devel

RE: [Xen-devel] address mapping between domains

To: "Rik van Riel" <riel@xxxxxxxxxx>, "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Subject: RE: [Xen-devel] address mapping between domains
From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date: Tue, 8 Mar 2005 15:46:54 -0800
Cc: "Mark Williamson" <Mark.Williamson@xxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxxx>, <hzy@xxxxxxxxxxxxxx>, <ian.pratt@xxxxxxxxxxxx>
On Tuesday, March 08, Rik van Riel wrote:

> On Tue, 8 Mar 2005, Ian Pratt wrote:
> 
>> At the expense of protection, yes.
> 
> Protection against mistakes, which can be mitigated by having the
> full physical memory map at a different address from where the
> kernel usually accesses its memory.
> 
> I suspect we won't have to try protecting against a malicious
> domain 0 ;)

While domain 0 may not start out being malicious, all it takes is one
remotely exploitable buffer overflow to make it so.

>> With sane DMA-capable hardware the driver domain never needs to
>> actually map the page into its address space anyhow. However, the
>> grant table stuff will still be required to enable us to configure
>> the IO MMU appropriately to allow the DMA (we expect to see such h/w
>> support become commonplace).
> 
> True for some kinds of IO.  Network IO needs sorting through
> packets, so no direct DMA will be done.

But if we generalize this to every I/O domain that owns a DMA device and
provides access to it to other domains (for whatever reason) then it is
easy to see how protection quickly deteriorates.  And if we don't
generalize it then we should ask why domain 0 should be special in this
regard.

Perhaps a better way to tackle this is to understand what you feel the
issues with grant tables and selective mappings are.

Joseph Cihula
(Linux) Software Security Architect
Intel Corp.

*** These opinions are not necessarily those of my employer ***

