Re: [Xen-devel] [PATCH v1 for-4.6 2/2] xen: prevent access to HPET from Dom0
>>> On 19.12.14 at 12:32, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 19/12/14 09:11, Jan Beulich wrote:
>>>>> On 18.12.14 at 19:51, <andrew.cooper3@xxxxxxxxxx> wrote:
>>> On 18/12/14 18:27, Roger Pau Monne wrote:
>>>> Prevent Dom0 from accessing HPET MMIO region by adding it to the list of
>>>> denied memory regions.
>>>>
>>>> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>>> Cc: Jan Beulich <jbeulich@xxxxxxxx>
>>>> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>> Apologies that this reply is split between patch 0 and 2 - I replied to
>>> your cover letter before reading this patch.
>>>
>>> Denying access is only valid if acpi_table_hpet.flags &
>>> ACPI_HPET_PAGE_PROTECT4 is true.
>> Having just checked (as an example) the most modern Intel box I
>> have direct access to, I wonder how many systems actually supply
>> other than 0 here. Perhaps we ought to at once add a command
>> line option to trigger the denial?
>
> I also can't find a server which sets this flag. I wonder how many
> systems actually have other things sitting in the remainder of the page.

One would think (or should I say hope) that there's at least nothing
with read side effects anywhere, or else Linux's exposing of the
page to user mode would be a security problem. Perhaps we should
also limit Dom0 mappings to r/o when we can't hide the page
altogether.

Jan
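The decision discussed in this thread, written out as an added example (not code from the patch or from Xen): read the page-protection bits of the ACPI HPET table and choose between hiding the frame from Dom0 and mapping it read-only. The function names and the `hpet_policy` values are hypothetical, and treating the 64 KiB protection value like the 4 KiB one goes beyond the single flag named above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* HPET ACPI table layout (56 bytes): 36-byte ACPI header, then the body. */
#define HPET_TABLE_LEN  56
#define HPET_OFF_SPACE  40   /* GAS address space ID, 0 = system memory */
#define HPET_OFF_ADDR   44   /* GAS 64-bit base address, little endian */
#define HPET_OFF_FLAGS  55   /* page protection (low bits) + OEM attributes */

/* Page-protection encoding as named in ACPICA's HPET definitions. */
#define ACPI_HPET_PAGE_PROTECT_MASK 3
enum { ACPI_HPET_NO_PAGE_PROTECT, ACPI_HPET_PAGE_PROTECT4, ACPI_HPET_PAGE_PROTECT64 };

/* Hypothetical policy values for this example; not Xen identifiers. */
enum hpet_policy { HPET_BAD_TABLE = -1, HPET_DENY, HPET_MAP_RO };

/* Decide how Dom0 may see the 4 KiB frame holding the HPET; *pfn gets that frame. */
enum hpet_policy hpet_dom0_policy(const uint8_t *tbl, size_t len, uint64_t *pfn)
{
    uint64_t base = 0;
    uint32_t tlen;
    unsigned int i, prot;

    if (len < HPET_TABLE_LEN || memcmp(tbl, "HPET", 4) != 0)
        return HPET_BAD_TABLE;
    tlen = tbl[4] | tbl[5] << 8 | tbl[6] << 16 | (uint32_t)tbl[7] << 24;
    if (tlen < HPET_TABLE_LEN || tlen > len || tbl[HPET_OFF_SPACE] != 0)
        return HPET_BAD_TABLE;   /* checksum validation omitted for brevity */
    for (i = 0; i < 8; i++)
        base |= (uint64_t)tbl[HPET_OFF_ADDR + i] << (8 * i);
    *pfn = base >> 12;
    prot = tbl[HPET_OFF_FLAGS] & ACPI_HPET_PAGE_PROTECT_MASK;
    /* Firmware vouches that nothing else shares the page: safe to hide it. */
    if (prot == ACPI_HPET_PAGE_PROTECT4 || prot == ACPI_HPET_PAGE_PROTECT64)
        return HPET_DENY;
    /* No guarantee (or reserved value): other devices may share the frame. */
    return HPET_MAP_RO;
}

/* Constructed sample table for the example: only the fields read above are set. */
void make_sample_hpet(uint8_t tbl[HPET_TABLE_LEN], uint64_t base, uint8_t flags)
{
    unsigned int i;

    memset(tbl, 0, HPET_TABLE_LEN);
    memcpy(tbl, "HPET", 4);
    tbl[4] = HPET_TABLE_LEN;
    for (i = 0; i < 8; i++)
        tbl[HPET_OFF_ADDR + i] = (uint8_t)(base >> (8 * i));
    tbl[HPET_OFF_FLAGS] = flags;
}
```

Comparing the masked field against the enum values, rather than testing a single bit, keeps the reserved value 3 from being read as a protection guarantee.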