From 568a94a0b3fe8de8f69fda4a24d8856272172dfb Mon Sep 17 00:00:00 2001
From: "Daniel P. Smith"
Date: Thu, 31 Mar 2022 13:20:44 -0700
Subject: [PATCH 2/3] arch: ensure idle domain is not left privileged

It is now possible to promote the idle domain to privileged during setup. It is not desirable for the idle domain to still be privileged when moving into a running state. If the idle domain was elevated and not properly demoted, it is desirable to fail at this point. This commit adds an assert for both x86 and Arm just before transitioning to a running state that ensures the idle is not privileged.

Signed-off-by: Daniel P. Smith
---
 xen/arch/arm/setup.c | 3 +++
 xen/arch/x86/setup.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index d5d0792ed4..8b9edf5ff3 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -1048,6 +1048,9 @@ void __init start_xen(unsigned long boot_phys_offset,
     /* Hide UART from DOM0 if we're using it */
     serial_endboot();
 
+    /* Ensure idle domain was not left privileged */
+    ASSERT(current->domain->is_privileged == false) ;
+
     system_state = SYS_STATE_active;
 
     for_each_domain( d )
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index a0ee8d206f..aab61e53a9 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -649,6 +649,9 @@ static void noreturn init_done(void)
     void *va;
     unsigned long start, end;
 
+    /* Ensure idle domain was not left privileged */
+    ASSERT(current->domain->is_privileged == false) ;
+
     system_state = SYS_STATE_active;
 
     domain_unpause_by_systemcontroller(dom0);
-- 
2.25.1
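Review bot: The Arm check `ASSERT(current->domain->is_privileged == false) ;` in start_xen only fires in debug builds, because ASSERT compiles to nothing when NDEBUG is set, so a release hypervisor that was left with a privileged idle domain proceeds straight into `system_state = SYS_STATE_active` without noticing. The commit message says the intent is to fail at this point, which argues for a check that survives release builds, for example `BUG_ON(current->domain->is_privileged);`; if a debug-only check is deliberate, the comment should say so, e.g. `/* Debug-only sanity check: the idle domain must have been demoted before going active. */`. The expression also has a stray space before the semicolon and compares a bool to `false` instead of using `!`, which is not the style of the surrounding Xen code. Whether `current` is the idle vCPU at this point is not visible in the hunk; asserting `is_idle_domain(current->domain)` alongside would make the check self-describing. start_xen begins and continues outside this hunk.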
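Review bot: The added line in init_done, `ASSERT(current->domain->is_privileged == false) ;`, has a space before the semicolon and spells a boolean negation as `== false`, neither of which matches Xen's coding style; the idiomatic form is `ASSERT(!current->domain->is_privileged);`. As on the Arm side, this is an ASSERT and so is absent from non-debug builds, meaning a privileged idle domain would still reach `domain_unpause_by_systemcontroller(dom0)` on a release hypervisor; consider `BUG_ON(current->domain->is_privileged);` if the failure is meant to be unconditional. The comment `/* Ensure idle domain was not left privileged */` presumes `current` is the idle vCPU here, which the hunk does not show; hedge it or assert `is_idle_domain(current->domain)` explicitly. init_done's body continues outside the hunk.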