
Re: [Xen-devel] [PATCH 13/25] argo: implement the register op



On 1/9/19 6:34 PM, Roger Pau Monné wrote:
Maybe this use-case is different, but how does introspection handle
accesses to the shared info page or the runstate info for example?

I would consider argo to be the same in this regard.

Not exactly: The shared info page is special in any event. For
runstate info (and alike - there's also struct vcpu_time_info)
I'd question correctness of the current handling. If that's
wrong already, I'd prefer if the issue wasn't spread.

There are also grants, which when used together with another guest on
the same host could allow to bypass introspection AFAICT? (unless
there's some policy applied that limits grant sharing to trusted
domains)

TBH I'm not sure how to handle hypervisor accesses with
introspection.  My knowledge of introspection is fairly limited, but
it pauses the guest and sends a notification to an in guest agent. I'm
not sure this is applicable to hypervisor writes, since it's not
possible to pause hypervisor execution and wait for a response from a
guest agent.


Introspection applications only care about memory accesses performed
by the guest. Hypervisor accesses to monitored pages are not included
when monitoring - it is actually a feature when using the emulator in
Xen to continue guest execution because the hypervisor ignores EPT
memory permissions that trip the guest for introspection. So having
the hypervisor access memory or a grant-shared page being accessed in
another domain are not a problem for introspection.

Can't then two guests running on the same host be able to completely
bypass introspection? I guess you prevent this by limiting to which
guests pages can be shared?

Would these two guests be HVM guests? Introspection only works for HVM guests. I'm not sure I follow your scenario though. How would these guests collaborate to escape introspection via grants?

If that's the case, and introspection doesn't care about hypervisor
accesses to guest pages, then just getting a reference to the
underlying page when the ring is set up should be enough. There's no
need to check the gfn -> mfn relation every time there's a hypervisor
access to the ring.

I think so, but I might be missing something.


Thanks,
Razvan
