[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages

To: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Mon, 11 Dec 2017 05:12:24 -0700
Cc: Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, sstabellini@xxxxxxxxxx, wei.liu2@xxxxxxxxxx, Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, George.Dunlap@xxxxxxxxxxxxx, tim@xxxxxxx, ian.jackson@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
Delivery-date: Mon, 11 Dec 2017 12:32:44 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 11.12.17 at 12:06, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 11/12/17 09:14, Jan Beulich wrote:
>>>>> On 08.12.17 at 13:42, <rcojocaru@xxxxxxxxxxxxxxx> wrote:
>>> On 12/08/2017 02:18 PM, Jan Beulich wrote:
>>>>>>> On 24.10.17 at 12:19, <ppircalabu@xxxxxxxxxxxxxxx> wrote:
>>>>> HVMOP_altp2m_set_mem_access_multi has been added as a HVMOP (as opposed 
>>>>> to a
>>>>> DOMCTL) for consistency with its HVMOP_altp2m_set_mem_access counterpart 
> (and
>>>>> hence with the original altp2m design, where domains are allowed - with 
>>>>> the
>>>>> proper altp2m access rights - to alter these settings), in the absence of 
>>>>> an
>>>>> official position on the issue from the original altp2m designers.
>>>> I continue to disagree with this reasoning. I'm afraid I'm not really
>>>> willing to allow widening the badness, unless altp2m was formally
>>>> documented security-unsupported.
>>> Going the DOMCTL route here would have been the (much easier) solution,
>>> and in fact, as stated before, there has been an attempt to do so -
>>> however, IIRC Andrew has insisted that we should take care to use
>>> consistent access privilege across altp2m operations.
>> Andrew, is that the case (I don't recall anything like that)?
> 
> My suggestion was that we don't break usecases.  The Intel usecase
> specifically is for an in-guest entity to have full control of all
> altp2m functionality, and this is fine (security wise) when permitted to
> do so by the toolstack.

IOW you mean that such guests would be considered "trusted", i.e.
whatever bad they can do is by definition not a security concern.
If so, that's fine of course, provided the default mode is secure
(which it looks like it is by virtue of altp2m being disabled altogether
by default). Yet I don't think I know of a place where this is being
spelled out.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: George Dunlap

References:
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Razvan Cojocaru
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [RFC] xen/arm: Handling cache maintenance instructions by set/way
Next by Date: Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
Previous by thread: Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
Next by thread: Re: [Xen-devel] [PATCH v8] x86/altp2m: support for setting restrictions for an array of pages
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.