Re: [Xen-devel] [PATCH v3 3/3] x86/hvm: Use white-lists for HVM param guest accessibility checks

[Tim Deegan <tim@xxxxxxx>]

At 11:53 +0100 on 05 May (1430826812), Andrew Cooper wrote:
> On 05/05/15 11:25, Paul Durrant wrote:
> > There are actually very few HVM parameters that a guest needs to read
> > and even fewer that a guest needs to write. Use white-lists to specify
> > those parameters and also ensre that, by default, newly introduced
> > parameters are not accessible.
> >
> > Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
> > Cc: Keir Fraser <keir@xxxxxxx>
> > Cc: Jan Beulich <jbeulich@xxxxxxxx>
> > Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> > ---
> >  xen/arch/x86/hvm/hvm.c |   39 ++++++++++++++++++++++-----------------
> >  1 file changed, 22 insertions(+), 17 deletions(-)
> >
> > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> > index 03543dd..ccf19a4 100644
> > --- a/xen/arch/x86/hvm/hvm.c
> > +++ b/xen/arch/x86/hvm/hvm.c
> > @@ -5650,6 +5650,13 @@ static int hvm_allow_set_param(struct domain *d,
> >  
> >      switch ( a->index )
> >      {
> > +    /* The following parameters can be set by the guest. */
> > +    case HVM_PARAM_CALLBACK_IRQ:
> > +    case HVM_PARAM_VM86_TSS:
> 
> The only case where the VM86_TSS is needed is when VT-x doesn't support
> unrestricted mode, in which case this parameter and IDENT_PT must be set
> up by the domain builder in order to execute hvmloader.  Neither need to
> be settable by the guest.

IDENT_PT is indeed set up by the toolstack, but VM86_TSS is set by
hvmloader, as it's not needed until hvmloader enters real mode.
It would be OK to make those two params set-once param if you're feeling
keen, but in fact there's no harm in letting the guest change them --
after all it can write to the memory they point to.

Cheers,

Tim.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel