[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/7] x86: Dom0 I/O port access permissions

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Thu, 11 May 2023 14:03:22 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=G4PgGZ3pjEle15bDbdUH/uSZ9bCgvWZfEO/3mozQMSI=; b=RT+wP2ZZOxemIGdKpS+usQBUYJp8f8jw5fi0jmHGWvL9JCE2g25/n4Vp2KP0vsQvZyXN+wK39kbZsjqiRCJzkSXD9mHkzeqSwHNnWNqufjWtkDPfIjTSKlesf3nQDV4nujyH9D0RKUM3PEDgdAptiUtzfXmVNs3TK/EhSHWOzVzxT/hjsGXWzQOl4Mi6KJ9+HYwoI+8ZuZjA8rb0k4UBxm4v0n88L+fbveEuXcfos838vP73BxwNwtMpwT/49CC2BbehL5qRI/wSlhd695KUfVSoCTyQQ1bD3RhHVH4o6Sxvps8QkIGuZnE5hUMAdvrYCplQnV/nbcDNIeYCbqA8+w==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kOKnbHRQ7qSA3rMMiJSiBKFak2GpNdzh/DoqUALpIXSHWkaZmOy1lqcPE2Ahkhzw19z9TAJjHl+y39pPwgbbfO3SOisDH9yk2+QSr+d2k2aP8wcvp4CAWekJXdI3XvoW63qiAyle1HBKDPBNs8nAr5WmTYeJYVXzJ/hdJGozz3Jt08tv2gL1koh7+QLg7UH9w0tSG5pywSbkmoC5XQ/SX+Z8JNE3T7CE7tTSTNI5Ldm68cyTz5ZCb7GmulvsCjbBO4sc71XGxFMo0wPYJU0Vu+s3ypmadUWWUt7UlsSDgZ7f6UU8Ih6RDQEkPph3if6Uni7xwJtl5VleKo3lQ1vFcw==
Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Thu, 11 May 2023 12:03:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Following on from the CMOS/RTC port aliasing change, there are quite
a few more missing restrictions, and there's more port aliasing to be
aware of.

The last two patches are pretty much RFC for now.

Of course an alternative to all of this would be to do away with all
policy-only ioports_deny_access() in dom0_setup_permissions(), leaving
in place only ones which are truly required for functionality reasons.

1: don't allow Dom0 access to port CF9
2: don't allow Dom0 access to port 92
3: PVH: deny Dom0 access to the ISA DMA controller
4: detect PIC aliasing on ports other than 0x[2A][01]
5: detect PIT aliasing on ports other than 0x4[0-3]
6: don't allow Dom0 (direct) access to port F0
7: don't allow Dom0 access to ELCR ports

Jan

Follow-Ups:
- [PATCH 6/7] x86: don't allow Dom0 (direct) access to port F0
  - From: Jan Beulich
- [PATCH 7/7] x86: don't allow Dom0 access to ELCR ports
  - From: Jan Beulich
- [PATCH 5/7] x86: detect PIT aliasing on ports other than 0x4[0-3]
  - From: Jan Beulich
- [PATCH 4/7] x86: detect PIC aliasing on ports other than 0x[2A][01]
  - From: Jan Beulich
- [PATCH 3/7] x86/PVH: deny Dom0 access to the ISA DMA controller
  - From: Jan Beulich
- [PATCH 2/7] x86: don't allow Dom0 access to port 92
  - From: Jan Beulich
- [PATCH 1/7] x86: don't allow Dom0 access to port CF9
  - From: Jan Beulich

Prev by Date: Re: [PATCH] xen/arm: pci: fix -Wtype-limits warning in pci-host-common.c
Next by Date: [PATCH 1/7] x86: don't allow Dom0 access to port CF9
Previous by thread: [PATCH] x86/vRTC: minor adjustment to reads from index port
Next by thread: [PATCH 1/7] x86: don't allow Dom0 access to port CF9
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.