Re: [Xen-devel] [PATCH v11 2/9] xsm: add MSR operation related xsm policy
On 06/20/2014 10:31 AM, Dongxiao Xu wrote:
> Add xsm policies for MSR access related hypercall.
>
> Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx>

As an overall permissions check, this is workable, and is at least suitable for an initial implementation. I believe a more fine-grained control over MSR operations will be needed in the long term so that a disaggregated environment can take advantage of a feature that requires these MSR operations.

Currently, allowing a domain the XEN2__MSR_OP permission means that the domain is completely trusted by the hypervisor, since the ability to write to arbitrary MSRs can be used to gain execution in the hypervisor's context. The most obvious method to accomplish this would be to change IA32_SYSENTER_EIP while a PV domain is running.

If a white-list of "safe" MSRs is maintained in the hypervisor while processing the msr_op, then this concern goes away, but the name of the permission should be changed to reflect the contents of the whitelist (so, for this patchset, cqm_op or cqm_msr_op may be a better name).

If a generic MSR read/write operation is actually desired, the security server should check each read/write with an MSR__READ/MSR__WRITE permissions using a label for the individual MSR. The security server would maintain labels for MSRs like it currently labels I/O ports and PCI devices. This is a significantly more complex change, but provides maximum flexibility for handling access to arbitrary MSRs.

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
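The per-MSR labelling scheme the reply proposes, sketched as an added C example. This is illustration code, not Xen or XSM/FLASK code: the label names (`sysenter_msr_t`, `cqm_msr_t`, `dom0_t`, `domU_t`), the range table, the policy rules and the function names `msr_label_of` / `msr_access_allowed` are all constructed for this example. The MSR numbers are the architectural ones (IA32_SYSENTER_CS/ESP/EIP at 0x174-0x176, IA32_QM_EVTSEL/IA32_QM_CTR at 0xC8D/0xC8E). The point it shows is the difference between one coarse permission and a default-deny per-MSR check: an MSR that is not labelled, or whose label appears in no rule, is refused for every domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operations a caller may request on an MSR. */
#define MSR_READ  (1u << 0)
#define MSR_WRITE (1u << 1)

/* An inclusive MSR range carrying a security label, in the spirit of
 * the I/O-port and PCI-device labels the security server already keeps. */
struct msr_label {
    uint32_t first, last;
    const char *label;
};

/* Constructed label table for the example. MSR numbers are the
 * architectural ones: IA32_SYSENTER_CS/ESP/EIP are 0x174-0x176 and the
 * CQM monitoring MSRs IA32_QM_EVTSEL/IA32_QM_CTR are 0xC8D/0xC8E.
 * The label names are invented here. */
static const struct msr_label msr_labels[] = {
    { 0x174, 0x176, "sysenter_msr_t" },
    { 0xC8D, 0xC8E, "cqm_msr_t" },
};

/* One policy rule: the operations a domain label holds on an MSR label. */
struct msr_rule {
    const char *subject;  /* domain label */
    const char *target;   /* MSR label */
    unsigned int perms;   /* bitmask of MSR_READ / MSR_WRITE */
};

/* Constructed policy. No rule names "sysenter_msr_t", so no domain can
 * touch those MSRs however much else it is permitted to do. */
static const struct msr_rule msr_policy[] = {
    { "dom0_t", "cqm_msr_t", MSR_READ | MSR_WRITE },
    { "domU_t", "cqm_msr_t", MSR_READ },
};

/* Map an MSR number to its label, or NULL when the MSR is unlabelled. */
const char *msr_label_of(uint32_t msr)
{
    size_t i;
    for (i = 0; i < sizeof(msr_labels) / sizeof(msr_labels[0]); i++)
        if (msr >= msr_labels[i].first && msr <= msr_labels[i].last)
            return msr_labels[i].label;
    return NULL;
}

/* Decide whether a domain labelled dom_label may perform every operation
 * in ops on the given MSR. Unlabelled MSRs are denied: the default is
 * deny, and adding a label plus a rule is what opens access. */
bool msr_access_allowed(const char *dom_label, uint32_t msr, unsigned int ops)
{
    const char *target = msr_label_of(msr);
    size_t i;

    if (target == NULL || ops == 0)
        return false;

    for (i = 0; i < sizeof(msr_policy) / sizeof(msr_policy[0]); i++) {
        const struct msr_rule *r = &msr_policy[i];
        if (strcmp(r->subject, dom_label) == 0 &&
            strcmp(r->target, target) == 0 &&
            (r->perms & ops) == ops)
            return true;
    }
    return false;
}

int main(void)
{
    printf("dom0_t write IA32_QM_EVTSEL:    %s\n",
           msr_access_allowed("dom0_t", 0xC8D, MSR_WRITE) ? "allow" : "deny");
    printf("domU_t write IA32_QM_CTR:       %s\n",
           msr_access_allowed("domU_t", 0xC8E, MSR_WRITE) ? "allow" : "deny");
    printf("dom0_t write IA32_SYSENTER_EIP: %s\n",
           msr_access_allowed("dom0_t", 0x176, MSR_WRITE) ? "allow" : "deny");
    return 0;
}
```

The check requires every requested bit to be granted, so a combined read-and-write request from `domU_t` on the CQM counters fails even though reading alone succeeds; in a real security server the subject label would come from the calling domain's security context rather than a string argument.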