
Re: [Xen-devel] [PATCH v11 2/9] xsm: add MSR operation related xsm policy

On 06/20/2014 10:31 AM, Dongxiao Xu wrote:
Add xsm policies for MSR access related hypercall.

Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx>

As an overall permissions check, this is workable, and is at least
suitable for an initial implementation.  I believe a more fine-grained
control over MSR operations will be needed in the long term so that a
disaggregated environment can take advantage of a feature that requires
these MSR operations.  Currently, allowing a domain the XEN2__MSR_OP
permission means that the domain is completely trusted by the
hypervisor, since the ability to write to arbitrary MSRs can be used to
gain execution in the hypervisor's context.  The most obvious method to
accomplish this would be to change IA32_SYSENTER_EIP while a PV domain
is running.

If a white-list of "safe" MSRs is maintained in the hypervisor while
processing the msr_op, then this concern goes away, but the name of the
permission should be changed to reflect the contents of the whitelist
(so, for this patchset, cqm_op or cqm_msr_op may be a better name).

If a generic MSR read/write operation is actually desired, the security
server should check each read/write with the MSR__READ/MSR__WRITE
permission using a label for the individual MSR. The security server
would maintain labels for MSRs like it currently labels I/O ports and
PCI devices.  This is a significantly more complex change, but provides
maximum flexibility for handling access to arbitrary MSRs.

Daniel De Graaf
National Security Agency
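As an added illustration of the per-MSR labelling proposed in the reply (this is example code, not Xen's XSM or the patch under review), the check below maps MSR ranges to object labels the way FLASK labels I/O ports, grants permissions only through explicit rules, and denies anything unlabelled. The label and subject names are hypothetical; the MSR indices are the architectural ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Xen code. Architectural MSR indices (Intel SDM). */
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_QM_EVTSEL    0xc8d
#define MSR_IA32_QM_CTR       0xc8e

#define MSR__READ  (1u << 0)
#define MSR__WRITE (1u << 1)

/* Object labels: an MSR range maps to one label (hypothetical names). */
struct msr_label { uint32_t first, last; const char *label; };
static const struct msr_label msr_labels[] = {
    { MSR_IA32_QM_EVTSEL, MSR_IA32_QM_EVTSEL, "cqm_evtsel_t" },
    { MSR_IA32_QM_CTR,    MSR_IA32_QM_CTR,    "cqm_ctr_t"    },
};

/* Policy rules: subject label, object label, permissions granted. */
struct msr_rule { const char *subject, *object; unsigned perms; };
static const struct msr_rule msr_rules[] = {
    { "cqm_domain_t", "cqm_evtsel_t", MSR__READ | MSR__WRITE },
    { "cqm_domain_t", "cqm_ctr_t",    MSR__READ              },
};

static const char *msr_label_of(uint32_t msr)
{
    for (size_t i = 0; i < sizeof(msr_labels) / sizeof(msr_labels[0]); i++)
        if (msr >= msr_labels[i].first && msr <= msr_labels[i].last)
            return msr_labels[i].label;
    return NULL; /* unlabelled MSR: no rule can ever match it */
}

/* True only when an explicit rule grants every requested permission.
 * Unlabelled MSRs (e.g. IA32_SYSENTER_EIP) are refused even for a domain
 * trusted with the CQM MSRs, which is the point of per-MSR labels. */
bool xsm_msr_access_allowed(const char *subject, uint32_t msr, unsigned perms)
{
    const char *object = msr_label_of(msr);
    if (object == NULL)
        return false;
    for (size_t i = 0; i < sizeof(msr_rules) / sizeof(msr_rules[0]); i++)
        if (strcmp(msr_rules[i].subject, subject) == 0 &&
            strcmp(msr_rules[i].object, object) == 0 &&
            (msr_rules[i].perms & perms) == perms)
            return true;
    return false;
}
```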
