[PATCH 0/7] x86: Dom0 I/O port access permissions

Jan Beulich posted 7 patches 11 months, 3 weeks ago
Failed in applying to current master (apply log)
There is a newer version of this series
Following on from the CMOS/RTC port aliasing change, there are quite
a few more missing restrictions, and there's more port aliasing to be
aware of.

The last two patches are pretty much RFC for now.

Of course an alternative to all of this would be to do away with all
policy-only ioports_deny_access() in dom0_setup_permissions(), leaving
in place only ones which are truly required for functionality reasons.

1: don't allow Dom0 access to port CF9
2: don't allow Dom0 access to port 92
3: PVH: deny Dom0 access to the ISA DMA controller
4: detect PIC aliasing on ports other than 0x[2A][01]
5: detect PIT aliasing on ports other than 0x4[0-3]
6: don't allow Dom0 (direct) access to port F0
7: don't allow Dom0 access to ELCR ports

Jan