Re: [Xen-devel] [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
- To: 'Julien Grall' <julien.grall@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
- From: "DeGraaf, Daniel G" <dgdegra@xxxxxxx>
- Date: Thu, 14 Jun 2018 16:18:03 +0000
- Accept-language: en-US
- Cc: "artem_mygaiev@xxxxxxxx" <artem_mygaiev@xxxxxxxx>, Stefano Stabellini <stefanos@xxxxxxxxxx>, "andrii_anisov@xxxxxxxx" <andrii_anisov@xxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "ian.jackson@xxxxxxxxxxxxx" <ian.jackson@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "tim@xxxxxxx" <tim@xxxxxxx>, "jbeulich@xxxxxxxx" <jbeulich@xxxxxxxx>, "wei.liu2@xxxxxxxxxx" <wei.liu2@xxxxxxxxxx>, "dgdegra@xxxxxxxxxxxxx" <dgdegra@xxxxxxxxxxxxx>
- Delivery-date: Thu, 14 Jun 2018 16:18:11 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AdQD+pTsXwodmeh0SFiUJpU4r4GZ/w==
- Thread-topic: [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
-----Original Message-----
> On 13/06/18 23:15, Stefano Stabellini wrote:
> > This is very useful when starting multiple domains from Xen without
> > xenstore access. It will allow them to print out to the Xen console.
> >
> > Signed-off-by: Stefano Stabellini <stefanos@xxxxxxxxxx>
> > CC: andrew.cooper3@xxxxxxxxxx
> > CC: George.Dunlap@xxxxxxxxxxxxx
> > CC: ian.jackson@xxxxxxxxxxxxx
> > CC: jbeulich@xxxxxxxx
> > CC: konrad.wilk@xxxxxxxxxx
> > CC: tim@xxxxxxx
> > CC: wei.liu2@xxxxxxxxxx
> > CC: dgdegra@xxxxxxxxxxxxx
> > ---
> > If there is a better way to do this with XSM, please advise.
>
> We definitely need to keep the XSM around to avoid opening a hole. We also
> don't want all the domains to access the console.
>
> Looking at the implementation, any domain with is_privileged will be able to
> access the console. IMHO, I don't think we should set that for DomU created
> by Xen.
>
> So I would suggest to introduce a new variable is_console and to tell whether
> a domain can access the console. xsm_console_io(...) would then need to be
> updated accordingly.

There is an existing CONFIG_VERBOSE_DEBUG option which, among other things,
allows console output from any domain. The console output part of that (which
is just the #ifdef in include/xsm/dummy.h) could be moved to another CONFIG or
ORed with an ARM flag. This would apply to all domains; if that's not what you
want, you'll need to add a flag (like Julien suggested) or use XSM.

If XSM is enabled, guest hypervisor console output is controlled by the
guest_writeconsole boolean in the default policy
(tools/flask/policy/modules/guest_features.te) which defaults to allowing it.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
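
Added example, not part of the original message and not Xen's code: a small C model of the three access decisions discussed in this thread (privileged domains only, a CONFIG_VERBOSE_DEBUG-style rule that lets any domain write, and the suggested per-domain is_console flag). The struct, enums and console_io_check() are constructed for illustration, and the scope of the flag (all console_io commands) is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not Xen's real definitions. */
enum console_cmd { CONSOLE_WRITE, CONSOLE_READ };

struct domain_model {
    bool is_privileged; /* flag named in the thread */
    bool is_console;    /* hypothetical per-domain flag suggested in the thread */
};

enum policy {
    POLICY_PRIV_ONLY,     /* only privileged domains reach the console */
    POLICY_VERBOSE_DEBUG, /* CONFIG_VERBOSE_DEBUG-style: any domain may write */
    POLICY_CONSOLE_FLAG   /* only domains with is_console set gain access */
};

/* Returns 0 when the console_io request is allowed, -EPERM otherwise. */
int console_io_check(enum policy p, const struct domain_model *d,
                     enum console_cmd cmd)
{
    if (d->is_privileged)
        return 0;
    if (p == POLICY_VERBOSE_DEBUG && cmd == CONSOLE_WRITE)
        return 0; /* applies to every domain, as the reply points out */
    if (p == POLICY_CONSOLE_FLAG && d->is_console)
        return 0; /* assumption: the flag covers all console_io commands */
    return -EPERM;
}

int main(void)
{
    const struct domain_model domu = { false, false };
    const struct domain_model domu_console = { false, true };
    const char *names[] = { "priv-only", "verbose-debug", "console-flag" };

    for (int p = POLICY_PRIV_ONLY; p <= POLICY_CONSOLE_FLAG; p++)
        printf("%-13s plain DomU write=%d, flagged DomU write=%d\n", names[p],
               console_io_check((enum policy)p, &domu, CONSOLE_WRITE),
               console_io_check((enum policy)p, &domu_console, CONSOLE_WRITE));
    return 0;
}
```
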