[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 2/2] arch: ensure idle domain is not left privileged
- To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Thu, 31 Mar 2022 14:46:05 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xZpd2z8XCYD0tvsIKMNxnojqkCSYeA76f3AC6XwkPYI=; b=Fnwsb+NzrpmRwh//PYbWmCfl1O7uyXlTmvIksACK45LImj27HdRxTFuC7EuJo/tQ4hlWB5GG+26NFCBPugx2fcP84HoH00jSoNHpf1cMYp2kVOSISu28ODweaG/NVd/OSu4+/E36ZeCMPkni6y5xbl89+GvAHhfFFUrnx4hc8VJRkDF57qLZxfqySuAXPlOo3fhN0RxeLij18HyxfPYP9HS+nBmTwUHc8dnKkyaITQNAlimSe4oiZe8dt1kqP/2XsE1piUVB+SEb0943afL0353OlEqc/6m/VUqrUrOU32oeZM/WwWIv1nXpThTQohVhu3BHSsxYDfnubGluTb12Bg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cbP2cMhrdAgAlKAal6okduiqkEorbr65amlLQ2RUAwmuuVtDo9uGuaPJ5qnWFnDd9f1XrJLzB/vv1Pi0lFnteTAvLoAejpJlXPkijWaMGcqTStgkRRzPpq/sBttlSyPKIR85V4l3JnBqhtAs0uB2rOSDL/UdDvGdNBMK9ondZP1QOvB4ebeUpu51WJs23+FTD9rwmtHsUuaV2sjHw8cnQt4qy9XkL7ZI6K6uYi7SBq2wCAWHHPoeuDZaL3+BVjxMUhrL0PHkX+m920jBDq50w1GVpygC+ejOJEfBjtSC6jfChh00mXt8wIoBe0auKo/ivCcdQycjudRLJGqeL9DKGA==
- Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, <scott.davis@xxxxxxxxxx>, <jandryuk@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Delivery-date: Thu, 31 Mar 2022 12:46:22 +0000
- Ironport-data: A9a23:BYEBpq9tFHvpF8wlryNHDrUDJX6TJUtcMsCJ2f8bNWPcYEJGY0x3n GBMWz/XbvjZYTH8etl0bt6x/EMH7JfXy4AwQVQ5qHs8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si+Fa+Sn9T8mvU2xbuKU5NTsY0idfic5DnZ54f5fs7Rh2NQw2oPgW1nlV e7a+KUzBnf0g1aYDUpMg06zgEsHUCPa4W5wUvQWPJinjXeG/5UnJMt3yZKZdhMUdrJ8DO+iL 9sv+Znilo/vE7XBPfv++lrzWhVirrc/pmFigFIOM0SpqkAqSiDfTs/XnRfTAKtao2zhojx/9 DlCna62VD4qJ7zRoegQC0leMDtbGaZo/JaSdBBTseTLp6HHW37lwvEoB0AqJ4wIvO1wBAmi9 9RBdmpLNErawbvrnvTrEYGAhex6RCXvFJkYtXx6iynQEN4tQIzZQrWM7thdtNs1rp8WRa2PO JpJAdZpRC7PRFpmMFoXMr4/gdmHjCK4cX5z9WvA8MLb5ECMlVcsgdABKuH9YceWTM9YmkKZo GPu/GnjBBwectuFxlKt8HuqivXegCDTV4cbFbn+/flv6HWRzGEODBwdVXOgvOK0zEW5Xrp3K VEQ+ycohbg/8gqsVNaVdwazp2KY+BIVRdtLO/Ym4RuJw6CS4gHxLlYDSjlNedk3rvgcTDYh1 kKKt97xDDkpu7qQIVqR7qyRrC+yESENIHUeeDQfSg8Y/9jkppp1hRXKJv5zHajwgtDrFDXYx zGRsDN4l7gVldQM1aiw4RbAmT3EjofNZh444EPQRG3N0+9iTNf7PcryswGdtKseatbCJrWcg JQas/qY8dkNFICQrSCAGLULP6uMw/2rNBSJ1DaDAKId3ziq/neie6VZ7zd/OFplP644RNP5X KPAkVgPvcEOZRNGeYcyOtvsUJpykcAMAPy/Dpjpgsxyjo+dneNt1AVnfgau0m/kiyDAeolva M7AIa5A4Zv3YJmLLQZapc9AidfHJQhknAs/oKwXKTz9i9Jyg1bPFd843KOmNLxR0U99iFy9H yxjH8WL0Q5Dd+b1fzPa94UeRXhTcyRrW86r9JINK7HeSuaDJI3HI6WLqV/GU9Y495m5a8+Sp i3tMqOm4ASXaYL7xfWiNSk4NeKHsWdXpnMnJy08VWtEKFB4CbtDGJw3LsNtFZF+rbQL5actE 5EtJpXRatwSG2+v02lMMvHAQHlKKU3DafSmZHH+PlDSvvdIGmT0xzMTVlCxrHNXVHrm6JNWT n/J/lqzfKfvjj9KVa7+QPmu00mwrT4anudzVFHPOd5dZAPn940CFsA7pqRfzx0kQfkb+gan6 g==
- Ironport-hdrordr: A9a23:/FyAdq8iiYsb0AL5yi1uk+DkI+orL9Y04lQ7vn2ZLiYlFvBw9v re+cjzuiWE6wr5NEtApTniAse9qBHnhPlICOAqVN/JMTUO0FHYSr2KhrGSoQEIdRefygd179 YYT0AgY+eaMbEBt6nHCaODYq4dKaK8nJyVuQ==
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Wed, Mar 30, 2022 at 07:05:49PM -0400, Daniel P. Smith wrote:
> It is now possible to promote the idle domain to privileged during setup. It
> is not desirable for the idle domain to still be privileged when moving into a
> running state. If the idle domain was elevated and not properly demoted, it is
> desirable to fail at this point. This commit adds an assert for both x86 and
> Arm just before transitioning to a running state that ensures the idle is not
> privileged.
>
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> ---
> xen/arch/arm/setup.c | 3 +++
> xen/arch/x86/setup.c | 3 +++
> 2 files changed, 6 insertions(+)
>
> diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
> index 7968cee47d..3de394e946 100644
> --- a/xen/arch/arm/setup.c
> +++ b/xen/arch/arm/setup.c
> @@ -973,6 +973,9 @@ void __init start_xen(unsigned long boot_phys_offset,
> /* Hide UART from DOM0 if we're using it */
> serial_endboot();
>
> + /* Ensure idle domain was not left privileged */
> + ASSERT(current->domain->is_privileged == false) ;
> +
> system_state = SYS_STATE_active;
>
> create_domUs();
Hm, I think you want to use the permission promotion of the idle
domain in create_domUs() likely?
At which point the check should be after create_domUs, and it would
seem that logically SYS_STATE_active should be set after creating the
domUs.
Also, FWIW, I'm not seeing this create_domUs() call in my context,
maybe you have other patches on your queue?
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 885919d5c3..b868463f83 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -589,6 +589,9 @@ static void noinline init_done(void)
> void *va;
> unsigned long start, end;
>
> + /* Ensure idle domain was not left privileged */
> + ASSERT(current->domain->is_privileged == false) ;
^ extra space.
I think you could squash this patch with the previous one and also
squash it with a patch that actually makes use of the introduced
permission promotion functions (or at least in a patch series where
further patches make use the introduced functions).
Thanks, Roger.
|
