[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [v8][PATCH 12/17] xen/x86/ept: handle reserved device memory in ept_handle_violation



> From: Chen, Tiejun
> Sent: Monday, December 01, 2014 5:25 PM
> 
> We always reserve these ranges since we never allow any stuff to
> poke them.
> 
> But in theory some untrusted VM can maliciously access them. So we
> need to intercept this approach. But we just don't want to leak
> anything or introduce any side affect since other OSs may touch them
> by careless behavior, so its enough to have a lightweight way, and
> it shouldn't be same as those broken pages which cause domain crush.
> 
> So we just need to return with next eip then let VM/OS itself handle
> such a scenario as its own logic.
> 
> Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
> ---
>  xen/arch/x86/hvm/vmx/vmx.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 2907afa..3ee884a 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2403,6 +2403,7 @@ static void ept_handle_violation(unsigned long
> qualification, paddr_t gpa)
>      p2m_type_t p2mt;
>      int ret;
>      struct domain *d = current->domain;
> +    struct p2m_get_reserved_device_memory pgrdm;
> 
>      /*
>       * We treat all write violations also as read violations.
> @@ -2438,6 +2439,23 @@ static void ept_handle_violation(unsigned long
> qualification, paddr_t gpa)
>          __trace_var(TRC_HVM_NPF, 0, sizeof(_d), &_d);
>      }
> 
> +    /* This means some untrusted VM can maliciously access reserved
> +     * device memory. But we just don't want to leak anything or
> +     * introduce any side affect since other OSs may touch them by
> +     * careless behavior, so its enough to have a lightweight way.
> +     * Here we just need to return with next eip then let VM/OS itself
> +     * handle such a scenario as its own logic.
> +     */
> +    pgrdm.gfn = gfn;
> +    pgrdm.domain = d;
> +    ret =
> iommu_get_reserved_device_memory(p2m_check_reserved_device_memory,
> +                                           &pgrdm);

can this be optimized to not walk rmrr map if no device is assigned?

> +    if ( ret )
> +    {
> +        update_guest_eip();
> +        return;
> +    }
> +
>      if ( qualification & EPT_GLA_VALID )
>      {
>          __vmread(GUEST_LINEAR_ADDRESS, &gla);
> --
> 1.9.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.