
Re: [Xen-devel] [PATCH v12 1/9] x86: add generic resource (e.g. MSR) access hypercall

On 08/07/14 09:57, George Dunlap wrote:
> On 07/04/2014 11:52 AM, Andrew Cooper wrote:
>> On 04/07/14 11:30, Jan Beulich wrote:
>>>>>> On 04.07.14 at 11:40, <andrew.cooper3@xxxxxxxxxx> wrote:
>>>> On 04/07/14 09:34, Dongxiao Xu wrote:
>>>>> Add a generic resource access hypercall for tool stack or other
>>>>> components, e.g., accessing MSR, port I/O, etc.
>>>>> Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx>
>>>> This still permits a user of the hypercalls to play with EFER or
>>>> SYSENTER_EIP, which obviously is a very bad thing.
>>>> There needs to be a whitelist of permitted MSRs which can be accessed.
>>> Hmm, I'm not sure. One particular purpose I see here is to allow the
>>> tool stack (or Dom0) access to MSRs Xen may not know about (yet).
>>> Furthermore, this being a platform op, only the hardware domain
>>> should ever have access, and it certainly ought to know what it's
>>> doing. So the sum of these two considerations is: If at all, we may
>>> want a black list here.
>>> Jan
>> I don't think it is safe for the toolstack to ever be playing with MSRs
>> which Xen is completely unaware of.  There is no guarantee whatsoever
>> that a new MSR which Xen is unaware of doesn't have security
>> implications if the toolstack were to play with it.
> But the toolstack is part of the trusted base; it should be thinking
> about the security implications as much as Xen should.
>  -George

No - it very much isn't.  It has more privileges than a standard Xen
domain, and in some cases has powers to shoot itself in the foot, but
all these powers are behind the Xen API which does provide
restrictions on what dom0/toolstack is permitted to do.
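As an added illustration (not code from the patch or from any of the posters), the difference between the whitelist Andrew asks for and the black list Jan suggests, written as a C access check: a blacklist only blocks what Xen already knows about, a whitelist denies everything it does not. The EFER and SYSENTER_EIP indices are the architectural values; the unknown MSR index 0x1234 and the single whitelist entry are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Architectural MSR indices (Intel SDM / AMD APM). */
#define MSR_IA32_SYSENTER_EIP 0x00000176u
#define MSR_EFER              0xC0000080u
/* Constructed: an index standing in for an MSR Xen knows nothing about. */
#define MSR_UNKNOWN_TO_XEN    0x00001234u
/* Constructed whitelist entry for illustration (IA32_TIME_STAMP_COUNTER). */
#define MSR_IA32_TSC          0x00000010u

enum msr_policy { MSR_POLICY_WHITELIST, MSR_POLICY_BLACKLIST };

/* MSRs the hypervisor explicitly permits the hardware domain to touch. */
static const uint32_t permitted_msrs[] = { MSR_IA32_TSC };
/* MSRs the hypervisor explicitly forbids (control/entry-point registers). */
static const uint32_t forbidden_msrs[] = { MSR_EFER, MSR_IA32_SYSENTER_EIP };

static bool in_list(const uint32_t *list, size_t n, uint32_t msr)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == msr)
            return true;
    return false;
}

/* Returns true if the platform op may access 'msr' under 'policy'. */
bool msr_access_allowed(enum msr_policy policy, uint32_t msr)
{
    switch (policy) {
    case MSR_POLICY_WHITELIST:
        /* Default-deny: anything not listed is refused, known or not. */
        return in_list(permitted_msrs,
                       sizeof(permitted_msrs) / sizeof(permitted_msrs[0]), msr);
    case MSR_POLICY_BLACKLIST:
        /* Default-allow: an MSR Xen has never heard of passes straight through. */
        return !in_list(forbidden_msrs,
                        sizeof(forbidden_msrs) / sizeof(forbidden_msrs[0]), msr);
    }
    return false; /* unknown policy value: refuse */
}
```

The blacklist case is where the two positions in the thread differ: the same unknown index is refused by the whitelist and accepted by the blacklist.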

