
Re: [Xen-devel] [PATCH] x86/altp2m: Add a subop for obtaining the mem access of a page


  • To: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
  • From: Sergej Proskurin <proskurin@xxxxxxxxxxxxx>
  • Date: Mon, 9 Jul 2018 10:50:28 -0400
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Adrian Pop <apop@xxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxx>
  • Delivery-date: Mon, 09 Jul 2018 14:50:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi all,

as I am currently working on a concept that uses the #VE functionality
from inside of the unprivileged guest domain myself, I would like to add
my opinion to the discussion.


On 07/09/2018 07:53 AM, Razvan Cojocaru wrote:
> On 07/09/2018 02:46 PM, George Dunlap wrote:
>> On 07/09/2018 12:18 PM, Razvan Cojocaru wrote:
>>> On 07/09/2018 02:04 PM, George Dunlap wrote:
>>>> On 07/06/2018 05:52 PM, Tamas K Lengyel wrote:
>>>>> On Fri, Jul 6, 2018 at 2:56 AM Razvan Cojocaru
>>>>> <rcojocaru@xxxxxxxxxxxxxxx> wrote:
>>>>>> On 07/05/2018 07:45 PM, Tamas K Lengyel wrote:
>>>>>>> On Thu, Jul 5, 2018 at 9:22 AM Razvan Cojocaru
>>>>>>> <rcojocaru@xxxxxxxxxxxxxxx> wrote:
>>>>>>>> However, our particular application is only interested in setting (and
>>>>>>>> querying) page restrictions from userspace (from the dom0 agent). It
>>>>>>>> will also need to be able to set the convertible bit of guest pages from
>>>>>>>> the dom0 agent as well (patches pending). So we're also fine with a
>>>>>>>> "DOMCTL if nobody wants it as a HVMOP" policy, if polluting the DOMCTLs
>>>>>>>> (possibly temporarily) is an option.
>>>>>>>>
>>>>>>>> We could also (at least between Tamas and us) come up with current /
>>>>>>>> likely use-cases and downgrade all altp2m HVMOPs that could be DOMCTLs
>>>>>>>> in all the scenarios to DOMCTLs.
>>>>>>> Aye. There is really just one HVMOP that the guest absolutely needs
>>>>>>> access to so that it can use #VE, and that's
>>>>>>> HVMOP_altp2m_vcpu_enable_notify. AFAIU everything else could be just a
>>>>>>> DOMCTL.
>>>>>> We need even less than that - we want to modify
>>>>>> HVMOP_altp2m_vcpu_enable_notify to be able to call it from dom0 as well,
>>>>>> and we don't call it from the in-guest agent ever. Because we agree that
>>>>>> the smallest attack surface is a requirement, all we ever call that's
>>>>>> #VE / altp2m related is actually from the privileged domain doing
>>>>>> introspection. The in-guest driver only needs to do VMFUNC and be able
>>>>>> to communicate with the dom0 introspection agent.
>>>> For some reason my impression was that Intel was hoping to be able to
>>>> enable a guest-only usage as well -- that basically a guest which had
>>>> been booted (say) with measured boot, and then wrote its own enclave
>>>> using #VE and altp2ms, should be able to allow an in-guest agent to be
>>>> reasonably secure and also keep tabs on the operating system.  Was this
>>>> not your impression?

I absolutely agree that Intel was building a system that allows
guest domains to enable and control #VE (including the functionality
to set up different altp2ms). Although this functionality has not been
widely adopted (yet?), I personally would prefer a hybrid solution that
does not completely prohibit this concept from inside of the
unprivileged guest domain. I agree with Tamas that some
concepts can be equally implemented by using the guest's page tables
only. However (I understand that I am biased, as I am working on a
concept that makes use of this functionality from inside of domU), I
also believe that we can apply the functionality given by #VE and VMFUNC
from inside the guest to harden certain system resources. As such, I
would be happy to see a hybrid solution that allows this feature to be
configured either for unlimited or for external use only.

Best,
~Sergej
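The following is an added, constructed model of the control split the thread argues about; it is not Xen code and none of its names are Xen APIs. It assumes a small table of alternate p2m views with per-gfn r/w/x bits, a privileged caller (dom0) that alone may create views, restrict or query pages and turn on #VE notification, a guest that may only switch views (the VMFUNC role) and, in the "external use only" mode Sergej proposes, is refused the enable_notify request. The scenario function walks through one such setup and returns 0 when every expectation of the model holds, otherwise the number of the failing step.

```c
/* Added example: a constructed model of altp2m view control, not Xen code.
 * All names, sizes and the EXTERNAL_ONLY policy knob are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_VIEWS 4
#define MAX_GFNS  16

/* Access rights of a guest page in one view. */
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4, ACC_RWX = 7 };

/* Who issued a request: the privileged introspection agent or the guest. */
enum caller { CALLER_DOM0, CALLER_GUEST };

/* Policy from the thread: usable by anyone, or by the external agent only. */
enum altp2m_mode { MODE_UNLIMITED, MODE_EXTERNAL_ONLY };

struct domain {
    enum altp2m_mode mode;
    uint8_t access[MAX_VIEWS][MAX_GFNS]; /* per-view, per-gfn rights */
    bool view_present[MAX_VIEWS];
    unsigned current_view;               /* view selected by VMFUNC */
    bool ve_enabled;                     /* enable_notify has been done */
    unsigned ve_events;                  /* violations delivered as #VE */
    unsigned vmexits;                    /* violations handled by dom0 */
};

void domain_init(struct domain *d, enum altp2m_mode mode)
{
    memset(d, 0, sizeof *d);
    d->mode = mode;
    memset(d->access[0], ACC_RWX, MAX_GFNS); /* view 0: the host p2m */
    d->view_present[0] = true;
}

/* DOMCTL-like: only dom0 creates a view; it starts as a copy of view 0. */
int create_view(struct domain *d, enum caller who, unsigned *view_out)
{
    if (who != CALLER_DOM0) return -1;
    for (unsigned v = 1; v < MAX_VIEWS; v++) {
        if (!d->view_present[v]) {
            memcpy(d->access[v], d->access[0], MAX_GFNS);
            d->view_present[v] = true;
            *view_out = v;
            return 0;
        }
    }
    return -1; /* no free view slot */
}

/* DOMCTL-like: only dom0 may change the rights of a page in a view. */
int set_mem_access(struct domain *d, enum caller who, unsigned view,
                   unsigned gfn, uint8_t access)
{
    if (who != CALLER_DOM0 || view >= MAX_VIEWS || !d->view_present[view] ||
        gfn >= MAX_GFNS || (access & ~ACC_RWX))
        return -1;
    d->access[view][gfn] = access;
    return 0;
}

/* The query counterpart (the subop of the patch under discussion). */
int get_mem_access(const struct domain *d, enum caller who, unsigned view,
                   unsigned gfn, uint8_t *out)
{
    if (who != CALLER_DOM0 || view >= MAX_VIEWS || !d->view_present[view] ||
        gfn >= MAX_GFNS)
        return -1;
    *out = d->access[view][gfn];
    return 0;
}

/* HVMOP-like enable_notify: in EXTERNAL_ONLY mode the guest is refused. */
int enable_notify(struct domain *d, enum caller who)
{
    if (who == CALLER_GUEST && d->mode == MODE_EXTERNAL_ONLY) return -1;
    d->ve_enabled = true;
    return 0;
}

/* VMFUNC: the guest may only pick among views that dom0 already created. */
int vmfunc_switch_view(struct domain *d, unsigned view)
{
    if (view >= MAX_VIEWS || !d->view_present[view]) return -1;
    d->current_view = view;
    return 0;
}

/* A guest access through the current view. A violation is reported as
 * #VE when notification is enabled, otherwise as an exit to dom0. */
bool guest_access(struct domain *d, unsigned gfn, uint8_t want)
{
    if (gfn >= MAX_GFNS) return false;
    if ((d->access[d->current_view][gfn] & want) == want) return true;
    if (d->ve_enabled) d->ve_events++; else d->vmexits++;
    return false;
}

/* Walk one EXTERNAL_ONLY setup; returns 0 on success, else failing step. */
int run_scenario(void)
{
    struct domain d; unsigned view; uint8_t acc;
    domain_init(&d, MODE_EXTERNAL_ONLY);
    if (create_view(&d, CALLER_GUEST, &view) == 0) return 1;  /* guest refused */
    if (create_view(&d, CALLER_DOM0, &view) != 0 || view != 1) return 2;
    if (set_mem_access(&d, CALLER_GUEST, view, 3, ACC_R) == 0) return 3;
    if (set_mem_access(&d, CALLER_DOM0, view, 3, ACC_R | ACC_X) != 0) return 4;
    if (get_mem_access(&d, CALLER_DOM0, view, 3, &acc) != 0 || acc != 5) return 5;
    if (vmfunc_switch_view(&d, view) != 0) return 6;
    if (guest_access(&d, 3, ACC_W) || d.vmexits != 1) return 7;  /* exit to dom0 */
    if (enable_notify(&d, CALLER_GUEST) == 0) return 8;          /* policy */
    if (enable_notify(&d, CALLER_DOM0) != 0) return 9;
    if (guest_access(&d, 3, ACC_W) || d.ve_events != 1) return 10; /* now #VE */
    if (!guest_access(&d, 3, ACC_R | ACC_X)) return 11;
    if (vmfunc_switch_view(&d, 0) != 0 || !guest_access(&d, 3, ACC_W)) return 12;
    return 0;
}
```

In MODE_UNLIMITED the same `enable_notify(&d, CALLER_GUEST)` call succeeds, which is the only behavioural difference between the two configurations the model encodes; view creation and access changes stay with the privileged caller in both modes.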



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
