[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes

To: Julien Grall <julien.grall@xxxxxxxxxx>
From: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Date: Fri, 21 Mar 2014 14:09:14 +0000
Cc: paolo.valente@xxxxxxxxxx, keir@xxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, Ian.Jackson@xxxxxxxxxxxxx, dario.faggioli@xxxxxxxxxx, tim@xxxxxxx, xen-devel@xxxxxxxxxxxxx, etrudeau@xxxxxxxxxxxx, JBeulich@xxxxxxxx, Arianna Avanzini <avanzini.arianna@xxxxxxxxx>, viktor.kleinik@xxxxxxxxxxxxxxx
Delivery-date: Fri, 21 Mar 2014 14:09:33 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, 2014-03-21 at 12:45 +0000, Julien Grall wrote:
> On 03/21/2014 12:32 PM, Ian Campbell wrote:
> >> The toolstack will only provide the gfn, except for this
> >> function.
> > 
> > memory_unmap should also only take a gfn, which Xen should lookup to get
> > an mfn. Notice that on x86 the unmap case doesn't use the mfn argument
> > and passes only a gfn to clear_mmio_p2m_entry.
> 
> The MFN argument is used to check if the domain has access to the
> MFN(see iomem_access_permitted at the beginning of the case).
> 
> I think we should implement the behavior you described in the common
> implementation.
> 
> > It's racy to have the toolstack provide it anyway.
> 
> >>>> Otherwise the toolstack may be able to remove any page as long as the
> >>>> MFN is in the iomem permitted range.
> >>>
> >>> Can't it already do this through other paths?
> >>>
> >>> Maybe there is a security implication there, but I would hope that the
> >>> two permissions were pretty closely linked.
> >>
> >> One the main problem is iomem range permitted won't be anymore in sync.
> > 
> > I don't think this is a big issue. Having permission to have a mapping
> > does not necessarily imply having the actual mapping, if the toolstack
> > wants to do it then let it.
> > 
> >> x86 at least check that the gfn is an MMIO. I think we can safely extend
> >> to check that the GFN use the corresponding MFN.
> >>
> >> I don't agree to let the toolstack uses this DOMCTL to do remove any
> >> page in the guess memory.
> > 
> > Well, it already can today AFAICS, via remove_from_physmap.
> 
> remove_from_physmap can't remove MMIO region. There is a specific check
> in get_page_from_gfn for this purpose.

OK.

> IHMO, memory_unmap should avoid to remove other region than MMIO. Mainly
> because apply_p2m_changes might not remove every reference taken on a page.

OK, but then the changes to apply_p2m_changes should be less specific to
this case and usable even for e.g. sanity checking the removal of ram
mappings too.

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Julien Grall

References:
- [Xen-devel] [PATCH v3 0/5] Implement the XEN_DOMCTL_memory_mapping hypercall for ARM
  - From: Arianna Avanzini
- [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Arianna Avanzini
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
  - From: Julien Grall

Prev by Date: Re: [Xen-devel] [PATCH v4 01/10] xen/arm: no need to set HCR_VI when using the vgic to inject irqs
Next by Date: [Xen-devel] [PATCH v6 13/17] xenctx: Add convert of more registers to symbols
Previous by thread: Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
Next by thread: Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.