
Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)

On 09/08/16 12:30, Jan Beulich wrote:
>>>> On 09.08.16 at 12:48, <ian.jackson@xxxxxxxxxxxxx> wrote:
>> Jan Beulich writes ("Re: Device model operation hypercall (DMOP, re qemu 
>> depriv)"):
>>> Actually, having thought about this some more, and taking this
>>> together with the expectations to the privcmd driver previously
>>> outlined, I think this part is problematic: If all the driver is to know
>>> is the position (within the interface structure) of the target domain
>>> ID, then any guest handles embedded in the interface structure
>>> (XEN_HVMCTL_track_dirty_vram only for now) couldn't get
>>> validated, and hence user mode code would have a way to access
>>> or modify kernel memory.
>>
>> Could the hypervisor know the difference between user and kernel
>> memory, in principle ?
> 
> Not without further new hypercalls, as the guest kernel would need
> to tell Xen what address ranges are kernel vs user (and that implies
> that any OS wishing to be able to act as Dom0 has a uniform
> separation of address spaces).

Couldn't Xen tell from the guest pagetables whether the memory being
accessed was user-mode or kernel mode?

>> Alternatively, would it be possible for the ABI to specify somehow
>> what parameters are guest handles, so that the privcmd driver could
>> check them ?
> 
> We could presumably invent something, but I'm afraid it would end
> up quite ugly.
> 
>>  (Would it be sufficient to check the starts, or would
>> the ends need to be checked too?)
> 
> Both would need to be checked, so the size field(s) would need to
> be locatable too.

We could have the "fixed" part of the structure contain domid and an
array of <ptr, len> which the privcmd driver could check.  I don't think
that would be terrible.

Alternatively, the "fixed" part of the hypercall could contain a
<start,end> range, which if non-zero, Xen should use to check any
pointer contained in the struct -- that would be more flexible probably.

Or we could do as Jan hints at above -- have some way to have dom0
communicate the kernel address range to Xen (either via hypercall, or
maybe via the shared info page) so that Xen just knows the address
layout for any individual domain.

And unless we're positive the guest kernel will never need these
hypercalls, we probably need a flag that allows kernel-mode pointers.

It's worth pointing out that the problem Xen has distinguishing
user/kernel mode pointers is the same even if we use the alternate
suggestion of per-process XSM labels.

 -George
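As an added illustration of the <ptr, len> proposal above (this is example code written for this page, not Xen's DMOP ABI or the Linux privcmd driver; the struct names, the DMOP_FLAG_KERNEL_PTRS flag and the USER_END boundary are assumptions), here is what the check in the privcmd driver could look like. It shows why both the start and the end of each buffer must be validated: a user-mode start address with a large length would otherwise extend, or wrap around, into kernel memory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical DMOP-style interface structure: a fixed header that the
 * privcmd driver understands, followed by an array of <ptr, len> buffers
 * that it can validate before forwarding the call to Xen.  The names,
 * the flag and the layout are assumptions made for this example.
 */
struct dmop_buf {
    uint64_t ptr;   /* guest virtual address of the buffer */
    uint64_t size;  /* length of the buffer in bytes */
};

#define DMOP_FLAG_KERNEL_PTRS  0x1   /* buffers may point at kernel memory */
#define DMOP_MAX_BUFS          16

struct dmop_hdr {
    uint16_t domid;     /* target domain */
    uint16_t flags;
    uint32_t nr_bufs;   /* number of entries in the buffer array */
};

/*
 * Assumed exclusive upper bound of user-mode addresses: a TASK_SIZE-like
 * constant for a 64-bit guest kernel with a 47-bit user address space.
 */
#define USER_END  0x0000800000000000ULL

/*
 * True if [ptr, ptr + size) lies entirely at or below 'limit'.  Both the
 * start and the end are checked, and the end is computed without wrapping,
 * so a huge 'size' cannot make the range appear to end inside user space.
 */
static bool range_below(uint64_t ptr, uint64_t size, uint64_t limit)
{
    return ptr <= limit && size <= limit - ptr;
}

/*
 * Validate every buffer named in the header.  Returns 0 if the request
 * may be forwarded to Xen, or a negative errno value otherwise.
 */
int dmop_check(const struct dmop_hdr *hdr, const struct dmop_buf *bufs,
               bool caller_is_kernel)
{
    bool kernel_ptrs = hdr->flags & DMOP_FLAG_KERNEL_PTRS;
    /* Kernel callers may name kernel memory, but ranges must still not wrap. */
    uint64_t limit = kernel_ptrs ? UINT64_MAX : USER_END;
    uint32_t i;

    if (hdr->nr_bufs > DMOP_MAX_BUFS)
        return -EINVAL;

    /* Only in-kernel callers may ask for kernel-mode pointers. */
    if (kernel_ptrs && !caller_is_kernel)
        return -EPERM;

    for (i = 0; i < hdr->nr_bufs; i++)
        if (!range_below(bufs[i].ptr, bufs[i].size, limit))
            return -EFAULT;

    return 0;
}

/* Constructed sample buffers (made up for this example). */
static const struct dmop_buf user_bufs[]  = { { 0x10000, 4096 } };
static const struct dmop_buf spill_bufs[] = { { 0x10000, 4096 },
                                              { USER_END - 0x1000, 0x2000 } };
static const struct dmop_buf wrap_bufs[]  = { { 0x10000, UINT64_MAX } };
static const struct dmop_buf kern_bufs[]  = { { 0xffff800000001000ULL, 64 } };

static int run(uint16_t flags, uint32_t n, const struct dmop_buf *b, bool kern)
{
    struct dmop_hdr h = { .domid = 1, .flags = flags, .nr_bufs = n };
    return dmop_check(&h, b, kern);
}

int scenario_user_buffer(void)             { return run(0, 1, user_bufs, false); }
int scenario_spills_into_kernel(void)      { return run(0, 2, spill_bufs, false); }
int scenario_kernel_address_from_user(void){ return run(0, 1, kern_bufs, false); }
int scenario_wrapping_length(void)         { return run(0, 1, wrap_bufs, false); }
int scenario_too_many_bufs(void)           { return run(0, DMOP_MAX_BUFS + 1, user_bufs, false); }
int scenario_kernel_flag_from_user(void)   { return run(DMOP_FLAG_KERNEL_PTRS, 1, kern_bufs, false); }
int scenario_kernel_flag_from_kernel(void) { return run(DMOP_FLAG_KERNEL_PTRS, 1, kern_bufs, true); }
int scenario_kernel_flag_wrapping(void)    { return run(DMOP_FLAG_KERNEL_PTRS, 1, wrap_bufs, true); }

int main(void)
{
    printf("user buffer:            %d\n", scenario_user_buffer());          /* 0 */
    printf("spills into kernel:     %d\n", scenario_spills_into_kernel());   /* -EFAULT */
    printf("wrapping length:        %d\n", scenario_wrapping_length());      /* -EFAULT */
    printf("kernel flag from user:  %d\n", scenario_kernel_flag_from_user()); /* -EPERM */
    return 0;
}
```

The second buffer in spill_bufs starts 4 KiB below USER_END but is 8 KiB long, so a start-only check would pass it; the end check rejects it. The wrap_bufs case shows why the end must be computed without overflow even when kernel pointers are permitted.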

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
