
[Xen-devel] How to check a physical address belonging to a PV guest or not?


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx, Angelos Stavrou <astavrou@xxxxxxx>
  • From: Jiang Wang <jwangzju@xxxxxxxxx>
  • Date: Tue, 5 May 2009 22:10:10 -0400
  • Delivery-date: Tue, 05 May 2009 19:10:37 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi:

I am working on a research project to protect against malicious device
drivers without using IOMMU. Currently, a driver domain is trusted. A
compromised driver can potentially use DMA to access physical
addresses that belong to other domains and steal some information. IOMMU
can prevent this. But I think software protection is also feasible.

For example, on x86-32 architecture, the dom0 or domU is running at
ring 1. Accesses to the IO ports are trapped and then checked
against IO or memory permissions. I want to add an extra check, which not
only checks whether the port (or memory) is allowed to be accessed by a
domain but also checks the actual parameter for the IO access. The
hypervisor should somehow know which IO port is for DMA access. It can
then check the physical address for the DMA. If the physical address does
not belong to the calling PV guest, permission is denied.

I have two questions:
1) What is a good way to notify the hypervisor that an IO port (or
memory) is for DMA? Maybe use some booting options? Or configuration
files for domU? Are there any configuration files for dom0? Any
examples?
2) How to check whether a physical address belongs to a guest or not? I
guess when the device driver in a PV tries to write an IO port, it is
using a machine address, right? After the hypervisor gets that address,
how to find out whether it is legal or not? Use some function to get the mfn
for that address and search for it in the dom's machine frame table?

Any suggestions or comments? Thanks.

Regards,

Jiang
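
The ownership check asked about in question 2, as an added example that is not part of the original message and is not Xen code: a simplified model in which a per-frame owner table stands in for the hypervisor's frame table. The table contents, `DOM_XEN`, and `dma_range_owned_by` are hypothetical names constructed for illustration; the point is that every frame the transfer touches must be checked, not only the frame of the start address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12        /* 4 KiB frames */
#define NR_FRAMES  8         /* constructed toy machine with 8 frames */
#define DOM_XEN    0xFFFFu   /* hypothetical owner id for hypervisor frames */

/* Constructed sample data: owning domain id for each machine frame (MFN). */
static const uint16_t frame_owner[NR_FRAMES] = {
    DOM_XEN, 0, 0, 1, 1, 2, 1, DOM_XEN
};

/* True only if every frame touched by [maddr, maddr + len) belongs to domid. */
bool dma_range_owned_by(uint16_t domid, uint64_t maddr, uint64_t len)
{
    if (len == 0)
        return false;                 /* nothing to transfer: reject */
    if (maddr + len < maddr)
        return false;                 /* 64-bit wrap-around in the range */

    uint64_t first = maddr >> PAGE_SHIFT;
    uint64_t last  = (maddr + len - 1) >> PAGE_SHIFT;

    if (last >= NR_FRAMES)
        return false;                 /* beyond known machine memory */

    /* A buffer may start in an owned frame and spill into a foreign one. */
    for (uint64_t mfn = first; mfn <= last; mfn++)
        if (frame_owner[mfn] != domid)
            return false;
    return true;
}

int main(void)
{
    /* Domain 1 owns frames 3, 4 and 6 in the constructed table. */
    printf("two owned frames:       %d\n", dma_range_owned_by(1, 0x3000, 0x2000));
    printf("spills into dom 2:      %d\n", dma_range_owned_by(1, 0x4ff0, 0x20));
    printf("spills into hypervisor: %d\n", dma_range_owned_by(1, 0x6000, 0x1001));
    printf("wraps around:           %d\n", dma_range_owned_by(1, UINT64_MAX - 0xf, 0x100));
    return 0;
}
```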
