[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Wed, 19 Feb 2020 15:53:45 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
Delivery-date: Wed, 19 Feb 2020 15:53:56 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Andrew,

Thank you for stepping up and trying to make HVM_PARAM better :).

On 10/02/2020 18:45, Andrew Cooper wrote:

ARM currently has no restrictions on toolstack and guest access to the entire
HVM_PARAM block.  As the paging/monitor/sharing features aren't under security
support, this doesn't need an XSA.

Actually, only monitor is effectively working (yet not securitysupported) on Arm. The two others are x86 specific.


The CALLBACK_IRQ and {STORE,CONSOLE}_{PFN,EVTCHN} details exposed read-only to
the guest, while the *_RING_PFN details are restricted to only toolstack
access.  No other parameters are used.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Julien Grall <julien@xxxxxxx>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

This is only compile tested, and based on my reading of the source.  There
might be other PARAMS needing including.
---
  xen/arch/arm/hvm.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++---
  1 file changed, 62 insertions(+), 3 deletions(-)

diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
index 76b27c9168..1446d4010c 100644
--- a/xen/arch/arm/hvm.c
+++ b/xen/arch/arm/hvm.c
@@ -31,6 +31,60 @@

#include <asm/hypercall.h>+static int hvm_allow_set_param(const struct domain *d, unsigned int param)

+{


Should we move the XSM check here too? This is not too important though.

+    switch ( param )
+    {
+        /*
+         * The following parameters are intended for toolstack usage only.
+         * They may not be set by the domain.
+         *
+         * The {STORE,CONSOLE}_EVTCHN values will need to become read/write if
+         * a new ABI hasn't appeared by the time migration support is added.

The comment suggests {STORE, CONSOLE}_EVTCHN values should not beread/write. But you implement them as read/write. Is it intended?

+         */
+    case HVM_PARAM_CALLBACK_IRQ:
+    case HVM_PARAM_STORE_PFN:
+    case HVM_PARAM_STORE_EVTCHN:
+    case HVM_PARAM_CONSOLE_PFN:
+    case HVM_PARAM_CONSOLE_EVTCHN:
+    case HVM_PARAM_PAGING_RING_PFN:
+    case HVM_PARAM_MONITOR_RING_PFN:
+    case HVM_PARAM_SHARING_RING_PFN:

I would drop HVM_PARAM_PAGING_RING_PFN and HVM_PARAM_SHARING_RING_PFN asthey are not used by Arm and AFAICT the toolstack will not set them.

+        return d == current->domain ? -EPERM : 0;
+

Looking at the list of HVM param, I think you forgot to addHVM_PARAM_VM_GENERATION_ID_ADDR.

+        /* Writeable only by Xen, hole, deprecated, or out-of-range. */
+    default:
+        return -EINVAL;
+    }
+}


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH v5 3/8] xen: add basic hypervisor filesystem support
Next by Date: Re: [Xen-devel] [PATCH v5 7/8] xen: add /buildinfo/config entry to hypervisor filesystem
Previous by thread: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's
Next by thread: Re: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.