[Xen-devel] [RFC 4/4] HVM x86 deprivileged mode: Trap handlers for deprivileged mode
Added trap handlers to catch exceptions such as a page fault, general protection fault, etc. These handlers will crash the domain as such exceptions would indicate that either there is a bug in deprivileged mode or it has been compromised by an attacker. Signed-off-by: Ben Catterall <Ben.Catterall@xxxxxxxxxx> --- xen/arch/x86/mm/hap/hap.c | 9 +++++++++ xen/arch/x86/traps.c | 41 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index abc5113..43bde89 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -685,8 +685,17 @@ static int hap_page_fault(struct vcpu *v, unsigned long va, { struct domain *d = v->domain; + /* If we get a page fault whilst in HVM security user mode */ + if( v->user_mode == 1 ) + { + printk("HVM: #PF (%u:%u) whilst in user mode\n", + d->domain_id, v->vcpu_id); + domain_crash_synchronous(); + } + HAP_ERROR("Intercepted a guest #PF (%u:%u) with HAP enabled.\n", d->domain_id, v->vcpu_id); + domain_crash(d); return 0; } diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 9f5a6c6..19d465f 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -74,6 +74,7 @@ #include <asm/vpmu.h> #include <public/arch-x86/cpuid.h> #include <xsm/xsm.h> +#include <xen/hvm/deprivileged.h> /* * opt_nmi: one of 'ignore', 'dom0', or 'fatal'. @@ -500,6 +501,11 @@ static void do_guest_trap( struct trap_bounce *tb; const struct trap_info *ti; + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + trace_pv_trap(trapnr, regs->eip, use_error_code, regs->error_code); tb = &v->arch.pv_vcpu.trap_bounce; 
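Review bot: In hap_page_fault the new branch tests `v->user_mode` on the vcpu that was passed in, but `domain_crash_synchronous()` takes no argument and acts on the currently running vcpu, so the two agree only when `v == current`. That probably always holds on this path, but nothing in the hunk states it. Either add `ASSERT(v == current);` before the test, or use `hvm_deprivileged_check_trap(__FUNCTION__);` as the traps.c hunks do, so there is a single definition of "in deprivileged mode" and a single crash path. The `printk` also carries no log level; because the description treats this condition as reachable from a compromised deprivileged context, prefixing the format string with `XENLOG_G_ERR` would put it under the guest log rate limit. The function's signature lies above the hunk.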
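Review bot: do_guest_trap now performs the deprivileged-mode check itself, while the later do_trap and do_int3 hunks make the identical call on the line just before they call do_guest_trap, so those paths test the flag twice. Pick one layer: either the caller-side checks (which in do_invalid_op also run before the emulation helpers) or this callee-side one. Keep both only if the duplication is labelled as deliberate defence in depth. The helper's definition is not part of this patch, so whether it returns cannot be seen here. If it does not, the seven copies of the comment would be more useful saying so, e.g. `/* Does not return if current is in HVM deprivileged mode. */`. The body of do_guest_trap starts and ends outside the hunk.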
@@ -619,6 +625,11 @@ static void do_trap(struct cpu_user_regs *regs, int use_error_code) if ( guest_mode(regs) ) { + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + do_guest_trap(trapnr, regs, use_error_code); return; } @@ -1072,6 +1083,11 @@ void do_invalid_op(struct cpu_user_regs *regs) if ( likely(guest_mode(regs)) ) { + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + if ( !emulate_invalid_rdtscp(regs) && !emulate_forced_invalid_op(regs) ) do_guest_trap(TRAP_invalid_op, regs, 0); @@ -1163,7 +1179,12 @@ void do_int3(struct cpu_user_regs *regs) { debugger_trap_fatal(TRAP_int3, regs); return; - } + } + + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); do_guest_trap(TRAP_int3, regs, 0); } @@ -3231,6 +3252,11 @@ void do_general_protection(struct cpu_user_regs *regs) if ( !guest_mode(regs) ) goto gp_in_kernel; + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + /* * Cunning trick to allow arbitrary "INT n" handling. * @@ -3490,6 +3516,11 @@ void do_device_not_available(struct cpu_user_regs *regs) BUG_ON(!guest_mode(regs)); + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + vcpu_restore_fpu_lazy(curr); if ( curr->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS ) 
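Review bot: The do_int3 hunk removes and re-adds the closing `}` of the `!guest_mode(regs)` block with no visible difference, which suggests the new line differs only in whitespace, most likely trailing blanks. Drop that part of the hunk so the patch only adds the check; otherwise the brace line shows up in blame for a security change that did not touch it. The body of do_int3 starts above the hunk.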
@@ -3531,6 +3562,14 @@ void do_debug(struct cpu_user_regs *regs) DEBUGGER_trap_entry(TRAP_debug, regs); + if( guest_mode(regs) ) + { + /* If we take the trap whilst in HVM deprivileged mode + * then we should crash the domain. + */ + hvm_deprivileged_check_trap(__FUNCTION__); + } + if ( !guest_mode(regs) ) { if ( regs->eflags & X86_EFLAGS_TF ) -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
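Review bot: In do_debug the deprivileged-mode check is placed after `DEBUGGER_trap_entry(TRAP_debug, regs);`, so if that macro can return early when a debugger claims the trap, a #DB taken in deprivileged mode leaves the handler without crashing the domain. For a fail-closed check the guard should come first, i.e. move `if ( guest_mode(regs) )` and `hvm_deprivileged_check_trap(__FUNCTION__);` above the debugger hook. The same ordering question applies to any other handler in this file whose debugger hook sits above the inserted check, which cannot be seen from these hunks. The new `if( guest_mode(regs) )` should also use the file's `if ( ... )` spacing, and the braces around the single call can go. The body of do_debug starts and ends outside the hunk.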