[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 2/2] x86/hvm: honor guest's option when updating secondary system time for guest




> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Friday, July 25, 2014 4:32 PM
> To: Wu, Feng
> Cc: linux@xxxxxxxxxxxxxx; xen-devel@xxxxxxxxxxxxx; konrad.wilk@xxxxxxxxxx;
> keir@xxxxxxx; tim@xxxxxxx
> Subject: RE: [PATCH 2/2] x86/hvm: honor guest's option when updating
> secondary system time for guest
> 
> >>> On 25.07.14 at 10:03, <feng.wu@xxxxxxxxx> wrote:
> 
> >
> >> -----Original Message-----
> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> Sent: Friday, July 25, 2014 3:40 PM
> >> To: Wu, Feng
> >> Cc: linux@xxxxxxxxxxxxxx; xen-devel@xxxxxxxxxxxxx;
> konrad.wilk@xxxxxxxxxx;
> >> keir@xxxxxxx; tim@xxxxxxx
> >> Subject: RE: [PATCH 2/2] x86/hvm: honor guest's option when updating
> >> secondary system time for guest
> >>
> >> >>> On 25.07.14 at 09:33, <feng.wu@xxxxxxxxx> wrote:
> >>
> >> >
> >> >> -----Original Message-----
> >> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >> Sent: Friday, July 25, 2014 3:26 PM
> >> >> To: Wu, Feng
> >> >> Cc: linux@xxxxxxxxxxxxxx; xen-devel@xxxxxxxxxxxxx;
> >> konrad.wilk@xxxxxxxxxx;
> >> >> keir@xxxxxxx; tim@xxxxxxx
> >> >> Subject: RE: [PATCH 2/2] x86/hvm: honor guest's option when updating
> >> >> secondary system time for guest
> >> >>
> >> >> >>> On 25.07.14 at 06:30, <feng.wu@xxxxxxxxx> wrote:
> >> >>
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >> >> Sent: Wednesday, July 23, 2014 8:19 PM
> >> >> >> To: Wu, Feng
> >> >> >> Cc: linux@xxxxxxxxxxxxxx; xen-devel@xxxxxxxxxxxxx;
> >> >> konrad.wilk@xxxxxxxxxx;
> >> >> >> keir@xxxxxxx; tim@xxxxxxx
> >> >> >> Subject: Re: [PATCH 2/2] x86/hvm: honor guest's option when
> updating
> >> >> >> secondary system time for guest
> >> >> >>
> >> >> >> >>> On 08.07.14 at 01:18, <feng.wu@xxxxxxxxx> wrote:
> >> >> >> > --- a/xen/include/public/vcpu.h
> >> >> >> > +++ b/xen/include/public/vcpu.h
> >> >> >> > @@ -227,6 +227,16 @@ struct vcpu_register_time_memory_area {
> >> >> >> >  typedef struct vcpu_register_time_memory_area
> >> >> >> > vcpu_register_time_memory_area_t;
> >> >> >> >
> DEFINE_XEN_GUEST_HANDLE(vcpu_register_time_memory_area_t);
> >> >> >> >
> >> >> >> > +/*
> >> >> >> > + * Flags to tell Xen whether we need to do the SMAP check when
> >> >> updating
> >> >> >> > + * the secondary copy of the vcpu time when SMAP is enabled.
> Since
> >> the
> >> >> >> > + * memory location for the secondary copy of the vcpu time may be
> >> >> mapped
> >> >> >> > + * into userspace by guests intendedly, we let the guest to
> determine
> >> >> >> > + * whether the check is needed. The default behavior of hypevisor 
> >> >> >> > is
> >> >> >> > + * not doing the check.
> >> >> >> > + */
> >> >> >> > +#define VCPUOP_enable_smap_check_vcpu_time_memory_area
> >> 14
> >> >> >>
> >> >> >> I think the new op to be
> >> VCPUOP_register_vcpu_time_memory_area_smap,
> >> >> >> identical to VCPUOP_register_vcpu_time_memory_area apart from
> also
> >> >> >> setting the flag, would be more natural. But considering what I just
> >> wrote
> >> >> >> in the reply to Tim I guess we can expect a nun-user mapping to be
> >> >> >> presented here anyway, i.e. we wouldn't need to new operation at all.
> >> >> >
> >> >> > Do you mean since the user-paging is r/o, guest will pass a r/w kernel
> page
> >> >> > to
> >> >> > Xen for updating the system time. So we don't need to do the SMAP
> check
> >> >> > in this case?
> >> >>
> >> >> If the user page is r/o, it's VA obviously can't be used for updating by
> >> >> Xen. Hence the kernel has to provide a r/w mapped VA. That should be
> >> >> subject to SMAP checking (consistent with the runstate area handling),
> >> >> to make sure it's not a user accessible mapping.
> >> >
> >> > But there are two possible problems here:
> >> > 1. Is it possible that guest passes a user r/w page to update the system
> >> > time information?
> >>
> >> The guest kernel may pass a page that was originally mapped r/w-
> >> kernel, but the mapping later gets (say inadvertently) changed to
> >> r/w-user. That's why I think the SMAP checking ought to be done
> >> here.
> >
> > But in another case, as what we discussed before, if the guest intended to
> > pass a user r/w page to get the time information. Do we need to do the
> > SMAP checking for this?
> 
> The question is whether we should bother supporting such insecure
> kernels.
> 
> >> > 2. Even the user page is r/o, the kernel can still use it to update the
> >> > system time info when WP is disabled.
> >>
> >> The kernel can - for its own accesses to the page - do whatever
> >> it wants. It can't, however, control Xen's updating of it, and Xen
> >> won't do that with CR0.WP clear (leaving aside Aravindh's PV
> >> mem-access work, where this option is currently being discussed).
> >
> > Just like my comments above, my point is in some case, guest may pass a
> > user page (r/o or r/w) to get the time information, I doubt whether the SMAP
> > checking should be done for this?
> 
> If we want to allow kernels to expose the time data r/w to user mode,
> then yes, we would need to avoid the SMAP check. But as said above,
> I don't think helping kernels to be insecure is of any particular value.

Okay, thanks a lot for your comments! It makes sense. I got your point. I will 
do the
SMAP checking for both of the two cases (runstate area and system time 
information).

Thanks,
Feng

> 
> Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.