From nobody Sat Apr 20 15:55:08 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zohomail.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1581360393597592.4602497990361; Mon, 10 Feb 2020 10:46:33 -0800 (PST) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1j1E4C-0005yW-Et; Mon, 10 Feb 2020 18:45:56 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1j1E4B-0005yR-Q5 for xen-devel@lists.xenproject.org; Mon, 10 Feb 2020 18:45:55 +0000 Received: from esa2.hc3370-68.iphmx.com (unknown [216.71.145.153]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 91371c08-4c35-11ea-b472-bc764e2007e4; Mon, 10 Feb 2020 18:45:54 +0000 (UTC) X-Inumbo-ID: 91371c08-4c35-11ea-b472-bc764e2007e4 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1581360355; h=from:to:cc:subject:date:message-id:mime-version; bh=HIWe98Q8kK8Y/PByWi4/Ldbu9516zRaQv5yzPB+nEc4=; b=UWW/34Mc5nbskd/q4DlBhQ/bhRjhqWMHkKvFlD4gelQiKM+094OFrqfl 35QMF8sa693AJYtMyMlInyQ3xa64Y+6xj/UXcCowJmQGY7QpcJHsW/3uI ou71orKnfFV2ZpS8qsCWVtOtmYLfYcQTKyaRvAoLNKe0ew+HC9xTaqEsk I=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zohomail.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa2.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: SzPvN3P0+SW/Dx9012gRCqhJ297goluRr6SNd3kt8XbRdHgXbPLLTA4EXhtBhdH0gi6qF253on dUZp2qVjYyeFP1KBbb8kcyxRf9qmzw7/FBgiHbv5fZRsV9J1Mu5dFiT05tqzYxoHvMMhmy8Psz 4CMwGmwRC/dEG42K6RO6lMRKigYq4MjIt7Lh2jynEKacN3h7INRTg3X8HA1gy2oQHCJup3GhRE sPRse+EI23kvezMqgu2G2+oE+6q0pCdkxKy3mJHDdyRYVo0X4oyIpAfBEqG4MEytBc4CFEYLDt no8= X-SBRS: 2.7 X-MesageID: 12230334 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.70,425,1574139600"; d="scan'208";a="12230334" From: Andrew Cooper To: Xen-devel Date: Mon, 10 Feb 2020 18:45:49 +0000 Message-ID: <20200210184549.28707-1-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 MIME-Version: 1.0 Subject: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Andrew Cooper , Stefano Stabellini , Julien Grall , Volodymyr Babchuk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) ARM currently has no restrictions on toolstack and guest access to the enti= re HVM_PARAM block. As the paging/monitor/sharing features aren't under secur= ity support, this doesn't need an XSA. The CALLBACK_IRQ and {STORE,CONSOLE}_{PFN,EVTCHN} details exposed read-only= to the guest, while the *_RING_PFN details are restricted to only toolstack access. No other parameters are used. Signed-off-by: Andrew Cooper --- CC: Stefano Stabellini CC: Julien Grall CC: Volodymyr Babchuk This is only compile tested, and based on my reading of the source. There might be other PARAMS needing including. --- xen/arch/arm/hvm.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++= +--- 1 file changed, 62 insertions(+), 3 deletions(-) diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c index 76b27c9168..1446d4010c 100644 --- a/xen/arch/arm/hvm.c +++ b/xen/arch/arm/hvm.c @@ -31,6 +31,60 @@ =20 #include =20 +static int hvm_allow_set_param(const struct domain *d, unsigned int param) +{ + switch ( param ) + { + /* + * The following parameters are intended for toolstack usage only. + * They may not be set by the domain. + * + * The {STORE,CONSOLE}_EVTCHN values will need to become read/writ= e if + * a new ABI hasn't appeared by the time migration support is adde= d. + */ + case HVM_PARAM_CALLBACK_IRQ: + case HVM_PARAM_STORE_PFN: + case HVM_PARAM_STORE_EVTCHN: + case HVM_PARAM_CONSOLE_PFN: + case HVM_PARAM_CONSOLE_EVTCHN: + case HVM_PARAM_PAGING_RING_PFN: + case HVM_PARAM_MONITOR_RING_PFN: + case HVM_PARAM_SHARING_RING_PFN: + return d =3D=3D current->domain ? -EPERM : 0; + + /* Writeable only by Xen, hole, deprecated, or out-of-range. */ + default: + return -EINVAL; + } +} + +static int hvm_allow_get_param(const struct domain *d, unsigned int param) +{ + switch ( param ) + { + /* The following parameters can be read by the guest and toolstack= . */ + case HVM_PARAM_CALLBACK_IRQ: + case HVM_PARAM_STORE_PFN: + case HVM_PARAM_STORE_EVTCHN: + case HVM_PARAM_CONSOLE_PFN: + case HVM_PARAM_CONSOLE_EVTCHN: + return 0; + + /* + * The following parameters are intended for toolstack usage only. + * They may not be read by the domain. + */ + case HVM_PARAM_PAGING_RING_PFN: + case HVM_PARAM_MONITOR_RING_PFN: + case HVM_PARAM_SHARING_RING_PFN: + return d =3D=3D current->domain ? -EPERM : 0; + + /* Hole, deprecated, or out-of-range. */ + default: + return -EINVAL; + } +} + long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg) { long rc =3D 0; @@ -46,9 +100,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(= void) arg) if ( copy_from_guest(&a, arg, 1) ) return -EFAULT; =20 - if ( a.index >=3D HVM_NR_PARAMS ) - return -EINVAL; - d =3D rcu_lock_domain_by_any_id(a.domid); if ( d =3D=3D NULL ) return -ESRCH; @@ -59,10 +110,18 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARA= M(void) arg) =20 if ( op =3D=3D HVMOP_set_param ) { + rc =3D hvm_allow_set_param(d, a.index); + if ( rc ) + goto param_fail; + d->arch.hvm.params[a.index] =3D a.value; } else { + rc =3D hvm_allow_get_param(d, a.index); + if ( rc ) + goto param_fail; + a.value =3D d->arch.hvm.params[a.index]; rc =3D copy_to_guest(arg, &a, 1) ? -EFAULT : 0; } --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel