Re: [PATCH v2 04/17] xen: Introduce XEN_DOMCTL_CDF_not_hypercall_target
- To: Jason Andryuk <jason.andryuk@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- From: Julien Grall <julien@xxxxxxx>
- Date: Mon, 21 Jul 2025 18:58:45 +0100
- Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Mon, 21 Jul 2025 17:58:56 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Hi Jason,
On 16/07/2025 22:14, Jason Andryuk wrote:
Add a new create domain flag to indicate if a domain can be the target
of hypercalls. By default all domains can be targeted - subject to any
other permission checks.
This property is useful in a safety environment to isolate domains for
freedom from interference.
I see the flag is exposed to the toolstack. However, I don't see how you
can successfully create a VM if you are not allowed to call hypercalls
(for instance to add some memory).
I think, at minimum, you would want to allow hypercalls while the domain
is created. That said, I wonder if this setup would not be better to
describe with XSM?
[...]
diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
index 88a294c5be..f1f6f96bc2 100644
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -70,9 +70,11 @@ struct xen_domctl_createdomain {
#define XEN_DOMCTL_CDF_trap_unmapped_accesses (1U << 8)
/* Allow domain to provide device model for multiple other domains */
#define XEN_DOMCTL_CDF_device_model (1U << 9)
+/* Domain cannot be the target of hypercalls */
+#define XEN_DOMCTL_CDF_not_hypercall_target (1U << 10)
/* Max XEN_DOMCTL_CDF_* constant. Used for ABI checking. */
-#define XEN_DOMCTL_CDF_MAX XEN_DOMCTL_CDF_device_model
+#define XEN_DOMCTL_CDF_MAX XEN_DOMCTL_CDF_not_hypercall_target
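Review bot: the comment on the new bit, `+/* Domain cannot be the target of hypercalls */`, does not say whether the toolstack's own domctl calls needed to finish building the domain are exempt, nor how the flag interacts with the adjacent `XEN_DOMCTL_CDF_device_model` bit 9; since this is the public ABI header, suggest expanding the comment to state the scope (which hypercalls, from which callers, from which point in the domain's lifetime) and to document whether the two flags may be combined.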
I am not sure where to comment. But aren't both flags mutually exclusive?
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 0b341efd18..f2205575ed 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -91,12 +91,16 @@ static always_inline int xsm_default_action(
return 0;
fallthrough;
case XSM_DM_PRIV:
+ if ( target && !is_hypercall_target(target) )
+ return -EPERM;
if ( is_dm_domain(src) )
return 0;
if ( target && evaluate_nospec(src->target == target) )
return 0;
fallthrough;
case XSM_PRIV:
+ if ( target && !is_hypercall_target(target) )
+ return -EPERM;
if ( is_control_domain(src) )
return 0;
return -EPERM;
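Review bot: the check `+ if ( target && !is_hypercall_target(target) )` is added identically under both `case XSM_DM_PRIV:` and `case XSM_PRIV:`, and because XSM_DM_PRIV ends in `fallthrough;` into XSM_PRIV, the XSM_DM_PRIV path evaluates the same check twice; suggest hoisting a single check ahead of the switch (or at least dropping the second copy) so the two cases cannot drift apart. Also note that the check is placed before `is_dm_domain(src)` and `is_control_domain(src)`, so the control domain is refused as well, which is what makes the creation-time problem raised above possible; if a creation-time exemption is intended, this is where it would need to go, and `is_hypercall_target()` itself is not shown in this hunk so its semantics should be documented alongside.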
Cheers,
--
Julien Grall