[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] hvm/altp2m: Clarify the proper way to extend the altp2m interface

To: George Dunlap <george.dunlap@xxxxxxxxxx>
From: Wei Liu <wei.liu2@xxxxxxxxxx>
Date: Thu, 26 Jul 2018 16:59:30 +0100
Cc: Lars Kurth <lars.kurth@xxxxxxxxxx>, Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Adrian Pop <apop@xxxxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 26 Jul 2018 15:59:42 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jul 23, 2018 at 06:09:51PM +0100, George Dunlap wrote:
>  
> +/*
> + * altp2m operations are envisioned as being used in several different 
> + * modes:
> + * 
> + * - external: All control and decisions are made by an external agent
> + *   running domain 0.
> + *
> + * - internal: altp2m operations are used exclusively by an in-guest
> + *   agent to protect itself from the guest kernel and in-guest
> + *   attackers.
> + * 
> + * - coordinated: An in-guest agent handles #VE and VMFUNCs locally,
> + *   but makes requests of an agent running outside the domain for
> + *   bigger changes (such as modifying altp2m entires).
> + *
> + * This corresponds to the three values for HVM_PARAM_ALTP2M
> + * (external, mixed, limited). All three models have advantages and
> + * disadvantages.
> + *
> + * Normally hypercalls made by a program in domain 0 in order to
> + * control a guest would be DOMCTLs rather than HVMOPs.  But in order
> + * to properly enable the 'internal' use case, as well as to avoid
> + * fragmentation, all altp2m subops should come under this single
> + * HVMOP.
> + * 
> + * Note that 'internal' mode (HVM_PARAM_ALTP2M == XEN_ALTP2M_mixed)
> + * has not been evaluated for safety from a security perspective.
> + * Before using this mode in a security-critical environment, each
> + * subop should be evaluated for safety, with unsafe subops
> + * blacklisted in xsm_hvm_altp2mhvm_op().
> + */

This looks reasonable to me. I don't wonder whether the last paragraph
should also be copied to the public header.

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v2] hvm/altp2m: Clarify the proper way to extend the altp2m interface
  - From: George Dunlap

Prev by Date: [Xen-devel] [qemu-mainline test] 125558: regressions - FAIL
Next by Date: Re: [Xen-devel] PVH dom0 creation fails - the system freezes
Previous by thread: Re: [Xen-devel] [PATCH v2] hvm/altp2m: Clarify the proper way to extend the altp2m interface
Next by thread: Re: [Xen-devel] [PATCH v2] hvm/altp2m: Clarify the proper way to extend the altp2m interface
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.