Re: [Xen-devel] [PATCH] x86/altp2m: Add a subop for obtaining the mem access of a page
On Mon, Jul 9, 2018 at 8:50 AM Sergej Proskurin <proskurin@xxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> as I am currently working on a concept that uses the #VE functionality
> from inside of the unprivileged guest domain myself, I would like to add
> my opinion to the discussion.
>
>
> On 07/09/2018 07:53 AM, Razvan Cojocaru wrote:
> > On 07/09/2018 02:46 PM, George Dunlap wrote:
> >> On 07/09/2018 12:18 PM, Razvan Cojocaru wrote:
> >>> On 07/09/2018 02:04 PM, George Dunlap wrote:
> >>>> On 07/06/2018 05:52 PM, Tamas K Lengyel wrote:
> >>>>> On Fri, Jul 6, 2018 at 2:56 AM Razvan Cojocaru
> >>>>> <rcojocaru@xxxxxxxxxxxxxxx> wrote:
> >>>>>> On 07/05/2018 07:45 PM, Tamas K Lengyel wrote:
> >>>>>>> On Thu, Jul 5, 2018 at 9:22 AM Razvan Cojocaru
> >>>>>>> <rcojocaru@xxxxxxxxxxxxxxx> wrote:
> >>>>>>>> However, our particular application is only interested in setting (and
> >>>>>>>> querying) page restrictions from userspace (from the dom0 agent). It
> >>>>>>>> will also need to be able to set the convertible bit of guest pages from
> >>>>>>>> the dom0 agent as well (patches pending). So we're also fine with a
> >>>>>>>> "DOMCTL if nobody wants it as a HVMOP" policy, if polluting the DOMCTLs
> >>>>>>>> (possibly temporarily) is an option.
> >>>>>>>>
> >>>>>>>> We could also (at least between Tamas and us) come up with current /
> >>>>>>>> likely use-cases and downgrade all altp2m HVMOPs that could be DOMCTLs
> >>>>>>>> in all the scenarios to DOMCTLs.
> >>>>>>> Aye. There is really just one HVMOP that the guest absolutely needs
> >>>>>>> access to so that it can use #VE, and that's
> >>>>>>> HVMOP_altp2m_vcpu_enable_notify. AFAIU everything else could be just a
> >>>>>>> DOMCTL.
> >>>>>> We need even less than that - we want to modify
> >>>>>> HVMOP_altp2m_vcpu_enable_notify to be able to call it from dom0 as well,
> >>>>>> and we don't call it from the in-guest agent ever. Because we agree that
> >>>>>> the smallest attack surface is a requirement, all we ever call that's
> >>>>>> #VE / altp2m related is actually from the privileged domain doing
> >>>>>> introspection. The in-guest driver only needs to do VMFUNC and be able
> >>>>>> to communicate with the dom0 introspection agent.
> >>>> For some reason my impression was that Intel was hoping to be able to
> >>>> enable a guest-only usage as well -- that basically a guest which had
> >>>> been booted (say) with measured boot, and then wrote its own enclave
> >>>> using #VE and altp2ms, should be able to allow an in-guest agent to be
> >>>> reasonably secure and also keep tabs on the operating system. Was this
> >>>> not your impression?
>
> I absolutely agree that Intel was building a system that allows
> guest domains to enable and control the #VE (including the functionality
> to set up different altp2ms). Although this functionality has not been
> widely adopted (yet?), I personally would prefer a hybrid solution that
> does not completely prohibit this concept from inside of the
> unprivileged guest domain. I agree with Tamas upon the fact that some
> concepts can be equally implemented by using the guest's page tables
> only. However, (I understand that I am biased, as I am working on a
> concept that makes use of this functionality from inside of domu), I
> also believe that we can apply the functionality given by #VE and VMFUNC
> from inside the guest to harden certain system resources. As such, I
> would be happy to see a hybrid solution that allows this feature to be
> configured either for unlimited or for external use only.

Thanks for the input, Sergej. With that and George pointing out other
users of the in-guest use-case we can't just do the switch. Letting
people decide using the existing domain config option / XSM what way
they want to have the interface accessible is not the worst thing in
the world. Introducing further, more restricted in-guest accessible
modes could be done potentially in the future that only allows the #VE
page-setup op to go through - if there is a need for it.

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel