
[Xen-devel] Replacing IRET by a hypercall


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "Furquan Shaikh" <furquan.m.shaikh@xxxxxxxxx>
  • Date: Tue, 30 Dec 2008 15:52:53 +0530
  • Delivery-date: Tue, 30 Dec 2008 02:23:22 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hello,
I am trying to implement a security system using Xen, in which I need to replace the iret instruction by a hypercall so that control comes to Xen before going back to the user-space process, so that I can perform some security checks.

I am trying to replace each iret in linux-2.6.18-xen.hg/arch/i386/kernel/entry-xen.S with my hypercall. I check the CS for the privilege level of the return code. If it is ring 2/3 then I execute my hypercall, else the normal iret instruction is executed.

 1:     pushl %eax                  /* save %eax; the hypercall stub clobbers it */
        movl $0,%eax
        movw 8(%esp),%ax            /* CS of the iret frame: eax at 0, eip at 4, cs at 8 */
        testl $2,%eax               /* RPL bit 1 set => returning to ring 2 or ring 3 */
        jz 678f
        testl $1,vmcloak_on         /* checks enabled? */
        jz 678f

        jmp  hypercall_page + (__HYPERVISOR_debug_iret * 32)

678:    popl %eax                   /* ring 0/1 return: plain iret */
        iret

This code is added at all four places just before iret is called in entry-xen.S.

In the file xen-3.3.0/xen/arch/x86/x86_32/entry.S at the point ENTRY(hypercall), I check the contents of %eax against my hypercall number, which is 38. If my hypercall is made, I replace the stack contents of ring 0 with those of ring 1 so that the hardware performs a normal iret, i.e. control goes back normally to the user-mode process as it would have had the hypercall not been made.

I am assuming the stack contents of ring 1 to be as follows:
 __________
| ss       |
| esp      |
| eflags   |
| cs       |
| eip      |
| eax      |  ** This is pushed so that the value of eax is preserved across the hypercall.
 ----------
Ring 1 stack

I am assuming the stack contents of ring 0 to be as follows:
 __________
| ss       |
| esp      |
| eflags   |
| cs       |
| eip      |
 ----------
Ring 0 stack

The code added in entry.S after ENTRY(hypercall) is as follows:

        cli
        cmpl $38,%eax               /* my hypercall number */
        jne 679f

        movw 16(%esp),%gs           /* guest SS: address the ring 1 stack through %gs (not restored before the iret below) */
        movl 12(%esp),%esi          /* guest ESP: points at the saved eax on the ring 1 stack */

/************************   Moving EIP   ***********************************/
        movl %gs:4(%esi),%eax
        movl %eax,(%esp)

/************************  CS  *******************************************/
        movl %gs:8(%esi),%eax
        movl %eax,4(%esp)

/***********************   EFLAGS   *************************************/
        movl %gs:12(%esi),%eax
        movl %eax,8(%esp)

/***********************   ESP    *************************************/
        movl %gs:16(%esi),%eax
        movl %eax,12(%esp)

/***********************   SS    **************************************/
        movl %gs:20(%esi),%eax
        movl %eax,16(%esp)

/************************Restoring eax*****************************/
        movl %gs:(%esi),%eax        /* the eax pushed by the guest prologue */
        iret                        /* return straight to the guest user process */

679:    /* remaining code of ENTRY(hypercall) */


Are my assumptions correct? I am unable to understand whether this code is correct. Can you please tell me the mistakes that I might be making?

Please help me,

Furquan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
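As an added example (not from the post, nor from the Xen or Linux sources), the C model below lays out the two iret frames the post describes and checks the offset arithmetic the assembly relies on: the CS RPL test in the guest prologue and the ring 1 to ring 0 copy in the hypervisor. The struct names, the helper functions and the sample frame values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ring 1 (guest) stack as the entry-xen.S prologue leaves it: the pushed %eax
 * sits above the hardware iret frame.  Lowest address first, so the field
 * offsets are exactly the %gs:N(%esi) operands used in the post. */
struct guest_iret_frame {
    uint32_t eax;    /* %gs:0(%esi)  saved by "pushl %eax" */
    uint32_t eip;    /* %gs:4(%esi)  */
    uint32_t cs;     /* %gs:8(%esi)  the "movw 8(%esp),%ax" operand in the guest */
    uint32_t eflags; /* %gs:12(%esi) */
    uint32_t esp;    /* %gs:16(%esi) present only on a cross-ring return */
    uint32_t ss;     /* %gs:20(%esi) */
};

/* Ring 0 stack at ENTRY(hypercall): the frame pushed by the int $0x82 trap. */
struct ring0_iret_frame { uint32_t eip, cs, eflags, esp, ss; }; /* 0,4,8,12,16(%esp) */

/* Compile-time check that the hand-written offsets in the post line up. */
_Static_assert(offsetof(struct guest_iret_frame, ss) == 20, "guest ss offset");
_Static_assert(offsetof(struct ring0_iret_frame, ss) == 16, "ring0 ss offset");
/* "testl $2,%eax": RPL is CS bits 0-1, so bit 1 set means ring 2 or ring 3. */
int returns_to_user(uint32_t cs) { return (cs & 2u) != 0; }

/* Mirror of the entry.S copy: ring 1 frame -> ring 0 frame, plus the restored
 * %eax.  Refuses a same-ring frame, which has no esp/ss slots, so offsets 16
 * and 20 would read whatever happens to lie above the frame. */
int rewrite_ring0_frame(const struct guest_iret_frame *g,
                        struct ring0_iret_frame *r0, uint32_t *eax_out)
{
    if (!returns_to_user(g->cs))
        return 0;
    r0->eip = g->eip; r0->cs = g->cs; r0->eflags = g->eflags;
    r0->esp = g->esp; r0->ss = g->ss;
    *eax_out = g->eax;               /* "movl %gs:(%esi),%eax" */
    return 1;
}

int main(void)
{
    /* Constructed sample frame with an RPL 3 selector; not taken from a real guest. */
    struct guest_iret_frame g = { 0x1234, 0x08048000, 0x73, 0x202, 0xbffff000, 0x7b };
    struct ring0_iret_frame r0 = { 0 };
    uint32_t eax = 0;
    int done = rewrite_ring0_frame(&g, &r0, &eax);
    printf("user return=%d rewritten=%d eip=%#x ss=%#x eax=%#x\n",
           returns_to_user(g.cs), done, r0.eip, r0.ss, eax);
    return 0;
}
```

A selector with RPL 1 (the guest kernel's own ring) fails returns_to_user() and is left to the plain iret path, matching the jz 678f branch in the prologue.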
