[PATCH 0/7] x86: Dom0 I/O port access permissions
- To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Jan Beulich <jbeulich@xxxxxxxx>
- Date: Thu, 11 May 2023 14:03:22 +0200
- Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Delivery-date: Thu, 11 May 2023 12:03:41 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Following on from the CMOS/RTC port aliasing change, there are quite
a few more missing restrictions, and there's more port aliasing to be
aware of.

The last two patches are pretty much RFC for now.

Of course an alternative to all of this would be to do away with all
policy-only ioports_deny_access() in dom0_setup_permissions(), leaving
in place only ones which are truly required for functionality reasons.

1: don't allow Dom0 access to port CF9
2: don't allow Dom0 access to port 92
3: PVH: deny Dom0 access to the ISA DMA controller
4: detect PIC aliasing on ports other than 0x[2A][01]
5: detect PIT aliasing on ports other than 0x4[0-3]
6: don't allow Dom0 (direct) access to port F0
7: don't allow Dom0 access to ELCR ports

Jan