
Re: [PATCH 2/7] x86: don't allow Dom0 access to port 92


  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 25 Oct 2023 16:11:13 +0200
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Wed, 25 Oct 2023 14:11:29 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 25.10.2023 14:49, Roger Pau Monné wrote:
> On Thu, May 11, 2023 at 02:05:45PM +0200, Jan Beulich wrote:
>> Somewhat like port CF9 this may have a bit controlling the CPU's INIT#
>> signal, and it also may have a bit involved in the driving of A20M#.
>> Neither of these - just like CF9 - we want to allow Dom0 to drive.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks.

> I'm kind of concerned that such ports might be used for other stuff
> not described in the specifications I'm looking at, I guess we will
> find out.

There's a small risk, but there's also a certain risk from not making
the port inaccessible.

>> --- a/xen/arch/x86/dom0_build.c
>> +++ b/xen/arch/x86/dom0_build.c
>> @@ -500,6 +500,10 @@ int __init dom0_setup_permissions(struct
>>      rc |= ioports_deny_access(d, 0x40, 0x43);
>>      /* PIT Channel 2 / PC Speaker Control. */
>>      rc |= ioports_deny_access(d, 0x61, 0x61);
>> +
>> +    /* INIT# and alternative A20M# control. */
>> +    rc |= ioports_deny_access(d, 0x92, 0x92);
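Review bot: the comment above the added ioports_deny_access(d, 0x92, 0x92) call states "INIT# and alternative A20M# control" as fact, while the commit message only says the port "may have" such bits. Consider naming the port and keeping the hedge, for example "Port 92: may control INIT# and A20M#", so a later reader can tell the denial is precautionary. The call also denies the whole port rather than individual bits, so any other function behind 0x92 is blocked for Dom0 too; a short remark on that in the commit message would record the trade-off raised in the replies.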
> 
> I do wonder whether it would make sense to create an array of [start,
> end] IO ports to deny access to, so that we could loop over them and
> code a single call to ioports_deny_access().  Maybe that's over
> engineering it.

It would compact part of the invocations, but some aren't using build-
time constants, so wouldn't fit well with such a table approach. (I
would probably ack a patch doing such a partial consolidation, but
at least right now I don't think I would put time in making such a
patch.)

Jan
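The table idea discussed in this exchange, sketched as an added example (not Xen code and not written by either poster): build-time constant ranges go through one loop, while a range known only at run time stays an explicit call. `mock_domain`, `mock_ioports_deny_access`, `port_allowed`, `setup_permissions` and the 0x1800-0x1803 run-time range are assumptions made for illustration; only the three constant ranges come from the quoted hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a domain's I/O port permissions: one bit per port, 1 = allowed. */
struct mock_domain { uint8_t allowed[65536 / 8]; };

/* Mock with the call shape used in the hunk; returns 0 on success, -1 on a bad range. */
static int mock_ioports_deny_access(struct mock_domain *d, unsigned s, unsigned e)
{
    if (s > e || e > 0xffff)
        return -1;
    for (unsigned p = s; p <= e; p++)
        d->allowed[p / 8] &= (uint8_t)~(1u << (p % 8));
    return 0;
}

static int port_allowed(const struct mock_domain *d, unsigned port)
{
    return (d->allowed[port / 8] >> (port % 8)) & 1;
}

/* Build-time constant ranges: the three visible in the quoted hunk. */
static const struct { uint16_t start, end; } deny_table[] = {
    { 0x40, 0x43 },
    { 0x61, 0x61 }, /* PIT Channel 2 / PC Speaker Control */
    { 0x92, 0x92 }, /* INIT# and alternative A20M# control */
};

/* Deny every table entry, then one range whose bounds are only known at run time. */
static int setup_permissions(struct mock_domain *d, unsigned rt_start, unsigned rt_end)
{
    int rc = 0;
    memset(d->allowed, 0xff, sizeof(d->allowed)); /* mock starts fully permissive */
    for (size_t i = 0; i < sizeof(deny_table) / sizeof(deny_table[0]); i++)
        rc |= mock_ioports_deny_access(d, deny_table[i].start, deny_table[i].end);
    /* Not a build-time constant, so it cannot live in the table. */
    rc |= mock_ioports_deny_access(d, rt_start, rt_end);
    return rc;
}

int main(void)
{
    static struct mock_domain d;
    int rc = setup_permissions(&d, 0x1800, 0x1803); /* constructed run-time range */
    printf("rc=%d port92=%d port93=%d\n", rc,
           port_allowed(&d, 0x92), port_allowed(&d, 0x93));
    return rc;
}
```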



 

