From patchwork Mon Aug 28 09:38:46 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexandru Stefan ISAILA <aisaila@bitdefender.com>
X-Patchwork-Id: 9925013
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B78C360311 for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon, 28 Aug 2017 09:41:55 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B0BD5286AD
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon, 28 Aug 2017 09:41:55 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A4E37286B5; Mon, 28 Aug 2017 09:41:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 164AA286B0
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon, 28 Aug 2017 09:41:53 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1dmGVS-0003s7-O4; Mon, 28 Aug 2017 09:38:54 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <aisaila@bitdefender.com>) id 1dmGVR-0003rz-AT
	for xen-devel@lists.xen.org; Mon, 28 Aug 2017 09:38:53 +0000
Received: from [85.158.143.35] by server-7.bemta-6.messagelabs.com id
	BA/56-03557-CA4E3A95; Mon, 28 Aug 2017 09:38:52 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupgkeJIrShJLcpLzFFi42KJPp7Rqrv6yeJ
	Ig9XnLS2WfFzM4sDocXT3b6YAxijWzLyk/IoE1ozWbZNYC7rNKo79u8nSwPhFo4uRk4NZwFqi
	918zYxcjFweLQDOLxLF929kgnJ/MEq++PGYCqRIScJPYcPY9E0hCSGABo8TNmY2sXYwcQI6HR
	OP3CIj4MkaJ9tunwRrYBAwkXn39xghiiwhIS1z7fBlsBbPAdiaJvrbLzCAJYYEAiR0HNoI1sA
	ioSrz+coUVxOYVcJd41NANViMhICdx81wn8wRGvgWMDKsY1YtTi8pSi3Qt9JKKMtMzSnITM3N
	0DQ3M9HJTi4sT01NzEpOK9ZLzczcxAkOFAQh2MM6+7H+IUZKDSUmUd2fF4kghvqT8lMqMxOKM
	+KLSnNTiQ4wyHBxKErwij4FygkWp6akVaZk5wKCFSUtw8CiJ8J4CSfMWFyTmFmemQ6ROMepyb
	Fi9/guTEEtefl6qlDjvbJAiAZCijNI8uBGwCLrEKCslzMsIdJQQT0FqUW5mCar8K0ZxDkYlYd
	6Pj4Cm8GTmlcBtegV0BBPQEYqCC0GOKElESEk1MLauXcYlx9Ch8lJx1h3nC6wH1R+6bbzOVv9
	t66vJBxcdO3Yj5cBCMTM/vdqp+uu2TfWV6NnVp2TQ9+HRN6Nk4+hLasFnDpXLLt2ybtdJfb0F
	18P/5VjOmnxxwYHf/m35E9qnuWSvj1xxSTA55ejFOv5g9lkq8zbssJitbjIl1rdiyQ9ODQfrH
	a5KLMUZiYZazEXFiQCpg80nmwIAAA==
X-Env-Sender: aisaila@bitdefender.com
X-Msg-Ref: server-8.tower-21.messagelabs.com!1503913131!79764256!1
X-Originating-IP: [91.199.104.133]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.4.45; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22896 invoked from network); 28 Aug 2017 09:38:51 -0000
Received: from mx02.bbu.dsd.mx.bitdefender.com (HELO
	mx02.buh.bitdefender.com) (91.199.104.133)
	by server-8.tower-21.messagelabs.com with DHE-RSA-AES128-GCM-SHA256
	encrypted SMTP; 28 Aug 2017 09:38:51 -0000
Comment: DomainKeys? See http://domainkeys.sourceforge.net/
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=bitdefender.com;
	b=2N3S1eXyu/758mLSEHIzkt66NRG4Mt6gu0Z/RUrcIRmQFJmReLhQAntbgttOXlcYWoJWLAfEMPnvKl26iBWaVjykm5EIUmwB2uKirHcmzXgZow/yxJ81Ce2/QKMsGq/jJ0AET5TgM/pADBqH7KUXzMXOhnHoTCSPW+sZXtpszKu+etlo+uGIqhEhqGorkKgzXrkXw18TvHtvzDBBYjTqrAXW6AdYoin3cgZbHKyb/3n9Wnsv5brh/Hq0uhgEwwZ49yFEJZpCHbhVHzn/VJ23sZhIz/aO5X9lC/lYSAKQX9Ox3yFutLTfBROx83IiOOwGbpN28DemcJlHWVPkeXyHbA==;
	h=Received:Received:Received:Received:From:To:Cc:Subject:Date:Message-Id:X-Mailer;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=bitdefender.com; h=from:to
	:cc:subject:date:message-id; s=default; bh=hHk1WNt6+6I/Mkyfud6Pe
	mE7IYg=; b=WeJMr60fsj9bS/U0Gu6NYS4i5IsvxzGrCvQqi0A4w7jDSa6WrsD7k
	upWFDE7PNgAVvguGaHFKInGWRzV+FTWwOyhtk7LIU5Mkj/8MJUWaWSh9S9rp+NTY
	NXC1fygPj57a+YdVJPkofKM+ovINT+4g7b9XHEtmVnJV3jrk6iXN5ev9WQlys0BW
	EYjWIPWKM26OZ3lvh+QUCMWdBLymvxkvLjBDcV50bV3JZ69gihrtquc+okmrbDcz
	1oGM2B0gyrBD0oOxOVPP/wrQ+xPCyjCueG3mU0q8xNTFGQuzZ72CDbmQh1HEPKMp
	cqsArqAAjVvnrMW5RqYUQQViVtyIZmf6g==
Received: (qmail 354 invoked from network); 28 Aug 2017 12:38:49 +0300
Received: from mx01robo.bbu.dsd.mx.bitdefender.com (10.17.80.60)
	by mx02.buh.bitdefender.com with AES128-GCM-SHA256 encrypted SMTP;
	28 Aug 2017 12:38:49 +0300
Received: (qmail 27604 invoked from network); 28 Aug 2017 12:38:49 +0300
Received: from unknown (HELO aisaila-Latitude-E5570.dsd.bitdefender.biz)
	(10.10.195.54) by mx01robo.bbu.dsd.mx.bitdefender.com with SMTP;
	28 Aug 2017 12:38:49 +0300
From: Alexandru Isaila <aisaila@bitdefender.com>
To: xen-devel@lists.xen.org
Date: Mon, 28 Aug 2017 12:38:46 +0300
Message-Id: <1503913126-13546-1-git-send-email-aisaila@bitdefender.com>
X-Mailer: git-send-email 2.7.4
Cc: sstabellini@kernel.org, wei.liu2@citrix.com, rcojocaru@bitdefender.com,
	George.Dunlap@eu.citrix.com, andrew.cooper3@citrix.com,
	ian.jackson@eu.citrix.com, tim@xen.org, julien.grall@arm.com,
	tamas@tklengyel.com, jbeulich@suse.com,
	Alexandru Isaila <aisaila@bitdefender.com>
Subject: [Xen-devel] [PATCH v7] x86/hvm: Allow guest_request vm_events
	coming from userspace
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

In some introspection usecases, an in-guest agent needs to communicate
with the external introspection agent.  An existing mechanism is
HVMOP_guest_request_vm_event, but this is restricted to kernel usecases
like all other hypercalls.

Introduce a mechanism whereby the introspection agent can whitelist the
use of HVMOP_guest_request_vm_event directly from userspace.

Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
Changes since V6:
	- Added arch specific function in both x86 monitor and arm
	  monitor to replace the assignment from common monitor

Note: Could not test on ARN, compiled both on arm and x86
---
 tools/libxc/include/xenctrl.h |  2 +-
 tools/libxc/xc_monitor.c      |  3 ++-
 xen/arch/x86/hvm/hypercall.c  |  5 +++++
 xen/common/monitor.c          |  1 +
 xen/include/asm-arm/monitor.h |  6 ++++++
 xen/include/asm-x86/domain.h  | 19 ++++++++++---------
 xen/include/asm-x86/monitor.h |  6 ++++++
 xen/include/public/domctl.h   |  1 +
 8 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index bde8313..a3d0929 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -2021,7 +2021,7 @@ int xc_monitor_software_breakpoint(xc_interface *xch, domid_t domain_id,
 int xc_monitor_descriptor_access(xc_interface *xch, domid_t domain_id,
                                  bool enable);
 int xc_monitor_guest_request(xc_interface *xch, domid_t domain_id,
-                             bool enable, bool sync);
+                             bool enable, bool sync, bool allow_userspace);
 int xc_monitor_debug_exceptions(xc_interface *xch, domid_t domain_id,
                                 bool enable, bool sync);
 int xc_monitor_cpuid(xc_interface *xch, domid_t domain_id, bool enable);
diff --git a/tools/libxc/xc_monitor.c b/tools/libxc/xc_monitor.c
index b44ce93..a677820 100644
--- a/tools/libxc/xc_monitor.c
+++ b/tools/libxc/xc_monitor.c
@@ -147,7 +147,7 @@ int xc_monitor_descriptor_access(xc_interface *xch, domid_t domain_id,
 }
 
 int xc_monitor_guest_request(xc_interface *xch, domid_t domain_id, bool enable,
-                             bool sync)
+                             bool sync, bool allow_userspace)
 {
     DECLARE_DOMCTL;
 
@@ -157,6 +157,7 @@ int xc_monitor_guest_request(xc_interface *xch, domid_t domain_id, bool enable,
                                     : XEN_DOMCTL_MONITOR_OP_DISABLE;
     domctl.u.monitor_op.event = XEN_DOMCTL_MONITOR_EVENT_GUEST_REQUEST;
     domctl.u.monitor_op.u.guest_request.sync = sync;
+    domctl.u.monitor_op.u.guest_request.allow_userspace = enable ? allow_userspace : false;
 
     return do_domctl(xch, &domctl);
 }
diff --git a/xen/arch/x86/hvm/hypercall.c b/xen/arch/x86/hvm/hypercall.c
index e7238ce..5742dd1 100644
--- a/xen/arch/x86/hvm/hypercall.c
+++ b/xen/arch/x86/hvm/hypercall.c
@@ -155,6 +155,11 @@ int hvm_hypercall(struct cpu_user_regs *regs)
         /* Fallthrough to permission check. */
     case 4:
     case 2:
+        if ( currd->arch.monitor.guest_request_userspace_enabled &&
+            eax == __HYPERVISOR_hvm_op &&
+            (mode == 8 ? regs->rdi : regs->ebx) == HVMOP_guest_request_vm_event )
+            break;
+
         if ( unlikely(hvm_get_cpl(curr)) )
         {
     default:
diff --git a/xen/common/monitor.c b/xen/common/monitor.c
index 451f42f..0c3e645 100644
--- a/xen/common/monitor.c
+++ b/xen/common/monitor.c
@@ -75,6 +75,7 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop)
         domain_pause(d);
         d->monitor.guest_request_sync = mop->u.guest_request.sync;
         d->monitor.guest_request_enabled = requested_status;
+        arch_allow_userspace(&d->arch, mop->u.guest_request.allow_userspace);
         domain_unpause(d);
         break;
     }
diff --git a/xen/include/asm-arm/monitor.h b/xen/include/asm-arm/monitor.h
index 1c4fea3..a2eec52 100644
--- a/xen/include/asm-arm/monitor.h
+++ b/xen/include/asm-arm/monitor.h
@@ -26,6 +26,12 @@
 #include <public/domctl.h>
 
 static inline
+void arch_allow_userspace(struct arch_domain *arch, uint8_t allow_userspace)
+{
+    return;
+}
+
+static inline
 int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop)
 {
     /* No arch-specific monitor ops on ARM. */
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index c10522b..de02507 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -396,15 +396,16 @@ struct arch_domain
 
     /* Arch-specific monitor options */
     struct {
-        unsigned int write_ctrlreg_enabled       : 4;
-        unsigned int write_ctrlreg_sync          : 4;
-        unsigned int write_ctrlreg_onchangeonly  : 4;
-        unsigned int singlestep_enabled          : 1;
-        unsigned int software_breakpoint_enabled : 1;
-        unsigned int debug_exception_enabled     : 1;
-        unsigned int debug_exception_sync        : 1;
-        unsigned int cpuid_enabled               : 1;
-        unsigned int descriptor_access_enabled   : 1;
+        unsigned int write_ctrlreg_enabled                                 : 4;
+        unsigned int write_ctrlreg_sync                                    : 4;
+        unsigned int write_ctrlreg_onchangeonly                            : 4;
+        unsigned int singlestep_enabled                                    : 1;
+        unsigned int software_breakpoint_enabled                           : 1;
+        unsigned int debug_exception_enabled                               : 1;
+        unsigned int debug_exception_sync                                  : 1;
+        unsigned int cpuid_enabled                                         : 1;
+        unsigned int descriptor_access_enabled                             : 1;
+        unsigned int guest_request_userspace_enabled                       : 1;
         struct monitor_msr_bitmap *msr_bitmap;
         uint64_t write_ctrlreg_mask[4];
     } monitor;
diff --git a/xen/include/asm-x86/monitor.h b/xen/include/asm-x86/monitor.h
index c5c323b..a834d80 100644
--- a/xen/include/asm-x86/monitor.h
+++ b/xen/include/asm-x86/monitor.h
@@ -33,6 +33,12 @@ struct monitor_msr_bitmap {
 };
 
 static inline
+void arch_allow_userspace(struct arch_domain *arch, uint8_t allow_userspace)
+{
+    arch->monitor.guest_request_userspace_enabled = allow_userspace;
+}
+
+static inline
 int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop)
 {
     int rc = 0;
diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
index ff39762..5997c52 100644
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -1124,6 +1124,7 @@ struct xen_domctl_monitor_op {
         struct {
             /* Pause vCPU until response */
             uint8_t sync;
+            uint8_t allow_userspace;
         } guest_request;
 
         struct {