[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages

To: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>
From: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
Date: Fri, 8 Dec 2017 09:56:13 -0700
Cc: Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, tim@xxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "wei.liu2@xxxxxxxxxx" <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
Delivery-date: Fri, 08 Dec 2017 16:57:22 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Dec 8, 2017 at 5:42 AM, Razvan Cojocaru
<rcojocaru@xxxxxxxxxxxxxxx> wrote:
> On 12/08/2017 02:18 PM, Jan Beulich wrote:
>>>>> On 24.10.17 at 12:19, <ppircalabu@xxxxxxxxxxxxxxx> wrote:
>>> HVMOP_altp2m_set_mem_access_multi has been added as a HVMOP (as opposed to a
>>> DOMCTL) for consistency with its HVMOP_altp2m_set_mem_access counterpart 
>>> (and
>>> hence with the original altp2m design, where domains are allowed - with the
>>> proper altp2m access rights - to alter these settings), in the absence of an
>>> official position on the issue from the original altp2m designers.
>>
>> I continue to disagree with this reasoning. I'm afraid I'm not really
>> willing to allow widening the badness, unless altp2m was formally
>> documented security-unsupported.
>
> Going the DOMCTL route here would have been the (much easier) solution,
> and in fact, as stated before, there has been an attempt to do so -
> however, IIRC Andrew has insisted that we should take care to use
> consistent access privilege across altp2m operations.
>
> This was followed by a lengthy xen-devel discussion and several
> unsuccessful attempts to obtain an official position from the original
> contributors, at which point (after several months), as also discussed
> at the Xen Developer Summit in Budapest, we decided to press on in the
> direction that had seemed the most compatible with the original altp2m
> design. (Please correct me if I'm misremembering or misunderstanding
> something.)
>
> So at this point it looks like we're stuck again: we're happy to go in
> any direction the maintainers decide is the best, but we do need to
> decide on one.
>
> FWIW, Tamas (CC added) has added code to restrict where altp2m calls can
> come from (although that's not XSM code).
>
> Please let us know how to proceed.

I personally don't see anything wrong adding this as an HVMOP. The
original idea with altp2m was that it will be used with VMFUNC where
there is a guest kernel-level component that is trusted and
coordinates with the hypervisor. With the setting I've added to the
altp2m config it is now possible to limit whether the guest actually
has the right to use the HVMOP or not, even without XSM. So adding
this doesn't really mean its "widening the badness", it's configurable
and could very well be appropriate depending on the use-case.

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Razvan Cojocaru

Prev by Date: Re: [Xen-devel] [PATCH for-next 07/16] xen/arm: Introduce copy_to_guest_phys_flush_dcache
Next by Date: [Xen-devel] [xen-unstable test] 116952: tolerable FAIL - PUSHED
Previous by thread: Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
Next by thread: Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.