Re: [Xen-devel] [PATCH 2/6] x86/boot: Map the trampoline as read-only
On 07.01.2020 16:51, Andrew Cooper wrote:
> On 07/01/2020 15:21, Jan Beulich wrote:
>> On 06.01.2020 16:54, Andrew Cooper wrote:
>>> c/s ec92fcd1d08, which caused the trampoline GDT Access bits to be set,
>>> removed the final writes which occurred between enabling paging and
>>> switching to the high mappings. There don't plausibly need to be any
>>> memory writes in the few instructions it takes to perform this transition.
>>>
>>> As a consequence, we can remove the RWX mapping of the trampoline. It is RX
>>> via its identity mapping below 1M, and RW via the directmap.
>>>
>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
>>
>>> This probably wants backporting, alongside ec92fcd1d08 if it hasn't yet.
>> This is just cleanup, largely cosmetic in nature. It could be argued
>> that once the directmap has disappeared this can serve as additional
>> proof that the trampoline range has no (intended) writable mappings
>> anymore, but prior to that point I don't see much further benefit.
>> Could you expand on the reasons why you see both as backporting
>> candidates?
>
> Defence in depth.
>
> An RWX mapping is very attractive for an attacker who's broken into Xen
> and is looking to expand the damage they can do.

Such an attacker is typically in the position though to make themselves
RWX mappings. Having as little as possible is only complicating their
job, not making it impossible, I would say.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
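
Added example, not part of the original message or of the Xen source: a small C audit of the point discussed in the thread, separating "one mapping is writable and executable" from "one frame is writable and executable through different mappings". It uses the architectural x86-64 PTE bits; the addresses and the `sample` table are constructed, only leaf entries are modelled, and EFER.NXE is assumed to be set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT (1ULL << 0)            /* x86-64 PTE bit 0: present */
#define PTE_RW      (1ULL << 1)            /* bit 1: writable */
#define PTE_NX      (1ULL << 63)           /* bit 63: no-execute (EFER.NXE assumed set) */
#define PTE_ADDR    0x000ffffffffff000ULL  /* bits 12..51: physical frame address */
#define TRAMP_FRAME 0x8f000ULL             /* constructed frame below 1M */

struct mapping { uint64_t va, pte; };      /* leaf 4k entries only (simplification) */
/* Constructed sample; prefixes of length 3, 2, 1 model the states in the thread. */
const struct mapping sample[] = {
    { 0x000000000008f000ULL, TRAMP_FRAME | PTE_PRESENT },                   /* identity map: RX */
    { 0xffff83000008f000ULL, TRAMP_FRAME | PTE_PRESENT | PTE_RW | PTE_NX }, /* directmap: RW */
    { 0xffff82d04008f000ULL, TRAMP_FRAME | PTE_PRESENT | PTE_RW },          /* extra mapping: RWX */
};

static int is_w(uint64_t pte) { return (pte & PTE_PRESENT) && (pte & PTE_RW); }
static int is_x(uint64_t pte) { return (pte & PTE_PRESENT) && !(pte & PTE_NX); }

/* Number of single mappings that are both writable and executable. */
size_t count_wx(const struct mapping *m, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_w(m[i].pte) && is_x(m[i].pte);
    return hits;
}

/* 1 if the frame is writable via some mapping and executable via some (possibly other) one. */
int frame_w_and_x(const struct mapping *m, size_t n, uint64_t frame)
{
    int w = 0, x = 0;
    for (size_t i = 0; i < n; i++) {
        if ((m[i].pte & PTE_ADDR) != frame) continue;
        w |= is_w(m[i].pte);
        x |= is_x(m[i].pte);
    }
    return w && x;
}

int main(void)
{
    for (size_t n = 3; n >= 1; n--)   /* 3: RWX present, 2: RWX removed, 1: directmap gone too */
        printf("%zu mappings: W+X entries=%zu, frame W and X=%d\n",
               n, count_wx(sample, n), frame_w_and_x(sample, n, TRAMP_FRAME));
    return 0;
}
```

With all three entries one mapping is W+X; dropping it leaves none, but the frame remains both writable and executable through aliases until the directmap entry is gone as well.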