Xen project Mailing List

Re: [Xen-devel] [PATCH V2 2/3] xen/vm_event: Support for guest-requested events

To: Jan Beulich <JBeulich@xxxxxxxx>, dgdegra@xxxxxxxxxxxxx

From: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>

Date: Mon, 6 Jul 2015 17:35:25 +0300

Cc: tim@xxxxxxx, kevin.tian@xxxxxxxxx, wei.liu2@xxxxxxxxxx, ian.campbell@xxxxxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, jun.nakajima@xxxxxxxxx, andrew.cooper3@xxxxxxxxxx, ian.jackson@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, eddie.dong@xxxxxxxxx, Aravind.Gopalakrishnan@xxxxxxx, suravee.suthikulpanit@xxxxxxx, keir@xxxxxxx, boris.ostrovsky@xxxxxxxxxx

Comment: DomainKeys? See http://domainkeys.sourceforge.net/

Delivery-date: Mon, 06 Jul 2015 14:35:16 +0000

Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=bitdefender.com; b=Q8RsoK/NS0UC0ShL6gaHqYs3RUxd26wEq7kamI3YtRinic/8v+04Fm3N5qR9QTTDDnDa4jSbgX0iI4ogrft8HzZyI+iu1Bn/HPa1sk/XIPfFHXi31LIfzE5t5rx57CBC/wiV6y3wu0y6PibsljRuHLUQJ9yP+AJbAuNVnhcSgwejvg4YtkMUGWZIwCqk/wcHXKr6vp/FZ+Z7HTsF+6OIcQpedO9TexikJQ7d3UMPPlTSAkhyMiaQHnWOb7NeHrFFF+k2iOIM3pnESMaZldWpVnlZ6vMxrXHrexhnJXSwlCh4oPt1XGStnbmOF+Zn9pSoR+M1hZ113S64pI55XB7MlA==; h=Received:Received:Received:Received:Received:Subject:To:References:Cc:From:X-Enigmail-Draft-Status:Message-ID:Date:User-Agent:MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-BitDefender-Scanner:X-BitDefender-Spam:X-BitDefender-SpamStamp:X-BitDefender-CF-Stamp;

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 07/06/2015 01:27 PM, Jan Beulich wrote: >>> No XSM check here or in the handler? Shouldn't the admin controlling >>> guest properties from the host perspective be permitted control here? >>> Cc-ing Daniel for his input ... >> >> Thinking more about this, the goal here is to be able to monitor >> non-privileged guests from a privileged domain. Being able to subscribe >> to these events is subject to XSM checks (so an application in dom0 >> would be able to receive them), but if XSM checks are needed for the >> guest as well, then, at least for the purpose the code is intended for >> now, the default would need to be to allow this to happen. > > Daniel? The examples I've seen of XSM checks in hvm_do_op() require that an argument is provided so that the domain id can be retrieved: 6156 case HVMOP_track_dirty_vram: 6157 { 6158 struct xen_hvm_track_dirty_vram a; 6159 struct domain *d; 6160 6161 if ( copy_from_guest(&a, arg, 1) ) 6162 return -EFAULT; 6163 6164 rc = rcu_lock_remote_domain_by_id(a.domid, &d); 6165 if ( rc != 0 ) 6166 return rc; [...] 6175 rc = xsm_hvm_control(XSM_DM_PRIV, d, op); 6176 if ( rc ) 6177 goto param_fail2; We'll now be sending NULL as the hypercall argument (as previously discussed), but even if we decided to set it to an useful value, I'm not sure how a HVM guest, who presumably is not even aware it's running on top of Xen, can pass a correct ID to the hypervisor for XSM checking here. Also, I'm not quite following how this is different from the other vm_events as far as XSM is concerned. Special permissions are not required for EPT, CR or MSR events, and while the VMCALL-based guest-requested events are bit more involved, in the end it's just as easy (or at least not that more difficult) to run a VMCALL in the guest as it is to write a value to a control register. Unless we get a reply from Daniel soon, I'll send V3 later today so that the rest of the changes discussed last week will have a shot at being reviewed, and I'll of course change the code in V4 should more XSM checks be required. Thanks, Razvan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.