[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] about fully UMIP support in Xen

To: Jan Beulich <JBeulich@xxxxxxxx>, Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Wed, 19 Apr 2017 14:49:58 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 19 Apr 2017 13:50:45 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 19/04/17 14:34, Jan Beulich wrote:
>>>> On 19.04.17 at 13:44, <yu.c.zhang@xxxxxxxxxxxxxxx> wrote:
>> On 4/19/2017 7:19 PM, Jan Beulich wrote:
>>>>>> On 19.04.17 at 11:48, <yu.c.zhang@xxxxxxxxxxxxxxx> wrote:
>>>> Does hypervisor need to differentiate dom0 kernel and its
>>>> user space?
>>> If we want to para-virtualize the feature, then yes. Otherwise
>>> we can't assume the guest kernel would deal with user mode faults,
>>> so we'd have to. Arguably there could be a non-default mode in
>>> which we don't (forcing such applications to get a signal or crash).
>> For UMIP is to be para-virtualized,  is it OK to give dom0 kernel the 
>> physical value
>> if instructions are triggered in the kernel?
> Why would you want to special case Dom0 here? I don't see
> anything wrong with giving Dom0 the real values, but since you'll
> have to not give DomU-s the real values, you'd then add more
> code to treat Dom0 specially. Simply give everyone fake values.
>
>> And if the instructions are triggered in dom0 user space, the spec 
>> requires a #GP
>> fault, and we can return 0 to the application in the #GP fault handler, 
>> is it OK?
> Yes, I think so. But the fundamental rule is - make it match what
> native Linux does in that case.

The attack scenario for PV guests is different.  The point of UMIP there
is to protect Xen against guests, including guest kernels.

If a PV kernel is aware of UMIP and turns UMIP on, #GPs from userspace
should be bounced to the kernel, and #GPs from kernel space (as it is
ring-deprivileged) must be emulated and execute successfully.

If Xen is using UMIP to protect itself, it needs to emulate and fake up
the information to both guest userspace and kernelspace.

If both Xen and the PV kernel turn on UMIP, Xen needs to bounce
userspace #GPs to the guest kernel, and fake up information for the
guest kernel.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Jan Beulich

References:
- [Xen-devel] about fully UMIP support in Xen
  - From: Yu Zhang
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Jan Beulich
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Yu Zhang
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Jan Beulich
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Yu Zhang
- Re: [Xen-devel] about fully UMIP support in Xen
  - From: Jan Beulich

Prev by Date: [Xen-devel] [PATCH v2] x86/vlapic: Don't reset APIC ID when handling INIT signal
Next by Date: Re: [Xen-devel] about fully UMIP support in Xen
Previous by thread: Re: [Xen-devel] about fully UMIP support in Xen
Next by thread: Re: [Xen-devel] about fully UMIP support in Xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.