
[PATCH 0/2] Introduce XSM ability for domain privilege escalation


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 30 Mar 2022 19:05:47 -0400
  • Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx
  • Delivery-date: Wed, 30 Mar 2022 19:05:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This series introduces a pair of functions that allow a domain to be escalated
to is_privileged or demoted. Internally the functions enforce the policy that this
is only allowed for system domains, the idle domain in particular.

As for the implementation, there is a desire that the logic does not persist
after __init code is jettisoned after setup. This has to be balanced with the fact
that there are no .c unit files for XSM when only the default policy is in use,
i.e. CONFIG_XSM is not set. To balance this, the functions were implemented as
always_inline functions in xsm.h. This should ensure that if the only usage of
these functions is in __init code, there should be no instances of this logic
present after __init code is jettisoned. Since this introduces the ability to
elevate the idle domain to is_privileged, this should not be left in place when
transitioning into the running state. As such, a pair of ASSERTs were
introduced, one each for x86 and Arm, to ensure that the idle domain isn't
inadvertently left with is_privileged being true.
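As an added illustration of the policy this cover letter describes (not code from the series or from Xen), the C model below gates privilege changes on the domain being a system domain and checks that the idle domain has been demoted before it may run; the names DOMID_FIRST_RESERVED, DOMID_IDLE, priv_elevate, priv_demote, guest_elevate_attempt and boot_sequence_demo are assumptions made for the example.

```c
/* Constructed model of the escalation policy; not Xen's actual code. */
#include <stdbool.h>
#include <stdint.h>
#include <errno.h>

typedef uint16_t domid_t;
#define DOMID_FIRST_RESERVED 0x7FF0  /* assumed: system domain ids start here */
#define DOMID_IDLE           0x7FFF  /* assumed id of the idle domain */

struct domain {
    domid_t domain_id;
    bool is_privileged;
};

/* Only system domains (reserved ids) are eligible for escalation/demotion. */
static inline bool is_system_domain(const struct domain *d)
{
    return d->domain_id >= DOMID_FIRST_RESERVED;
}

/* always_inline: when every caller lives in __init, no out-of-line copy of
 * this body survives once the init section is discarded. */
static inline __attribute__((always_inline)) int priv_elevate(struct domain *d)
{
    if (!is_system_domain(d))
        return -EPERM;           /* policy: guests can never be escalated */
    d->is_privileged = true;
    return 0;
}

static inline __attribute__((always_inline)) int priv_demote(struct domain *d)
{
    if (!is_system_domain(d))
        return -EPERM;
    d->is_privileged = false;
    return 0;
}

/* The condition the per-arch ASSERT enforces before entering the running state. */
static bool idle_domain_ready_to_run(const struct domain *idle)
{
    return idle->domain_id == DOMID_IDLE && !idle->is_privileged;
}

/* A regular guest asking for escalation must be refused (returns -EPERM). */
int guest_elevate_attempt(void)
{
    struct domain guest = { 1, false };
    return priv_elevate(&guest);
}

/* Elevate the idle domain for setup, demote it, then run the readiness check.
 * Returns 0 on success, otherwise the number of the step that failed. */
int boot_sequence_demo(void)
{
    struct domain idle = { DOMID_IDLE, false };
    if (priv_elevate(&idle) != 0 || !idle.is_privileged) return 1;
    /* ... privileged __init setup work happens here ... */
    if (priv_demote(&idle) != 0) return 2;
    return idle_domain_ready_to_run(&idle) ? 0 : 3;
}
```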

Daniel P. Smith (2):
  xsm: add ability to elevate a domain to privileged
  arch: ensure idle domain is not left privileged

 xen/arch/arm/setup.c  |  3 +++
 xen/arch/x86/setup.c  |  3 +++
 xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++
 3 files changed, 28 insertions(+)

-- 
2.20.1