From patchwork Mon Feb 10 18:45:49 2020
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 11373941
From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Stefano Stabellini, Julien Grall, Volodymyr Babchuk
Date: Mon, 10 Feb 2020 18:45:49 +0000
Message-ID: <20200210184549.28707-1-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH] xen/arm: Restrict access to most HVM_PARAM's

ARM currently has no restrictions on toolstack and guest access to the entire HVM_PARAM block. As the paging/monitor/sharing features aren't under security support, this doesn't need an XSA.

The CALLBACK_IRQ and {STORE,CONSOLE}_{PFN,EVTCHN} details are exposed read-only to the guest, while the *_RING_PFN details are restricted to only toolstack access. No other parameters are used.

Signed-off-by: Andrew Cooper
---
CC: Stefano Stabellini
CC: Julien Grall
CC: Volodymyr Babchuk

This is only compile tested, and based on my reading of the source. There might be other PARAMS needing including.
---
 xen/arch/arm/hvm.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 62 insertions(+), 3 deletions(-)

diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c index 76b27c9168..1446d4010c 100644 --- a/xen/arch/arm/hvm.c +++ b/xen/arch/arm/hvm.c
@@ -31,6 +31,60 @@ #include +static int hvm_allow_set_param(const struct domain *d, unsigned int param) +{ + switch ( param ) + { + /* + * The following parameters are intended for toolstack usage only. + * They may not be set by the domain. + * + * The {STORE,CONSOLE}_EVTCHN values will need to become read/write if + * a new ABI hasn't appeared by the time migration support is added. + */ + case HVM_PARAM_CALLBACK_IRQ: + case HVM_PARAM_STORE_PFN: + case HVM_PARAM_STORE_EVTCHN: + case HVM_PARAM_CONSOLE_PFN: + case HVM_PARAM_CONSOLE_EVTCHN: + case HVM_PARAM_PAGING_RING_PFN: + case HVM_PARAM_MONITOR_RING_PFN: + case HVM_PARAM_SHARING_RING_PFN: + return d == current->domain ? -EPERM : 0; + + /* Writeable only by Xen, hole, deprecated, or out-of-range. */ + default: + return -EINVAL; + } +} + +static int hvm_allow_get_param(const struct domain *d, unsigned int param) +{ + switch ( param ) + { + /* The following parameters can be read by the guest and toolstack. */ + case HVM_PARAM_CALLBACK_IRQ: + case HVM_PARAM_STORE_PFN: + case HVM_PARAM_STORE_EVTCHN: + case HVM_PARAM_CONSOLE_PFN: + case HVM_PARAM_CONSOLE_EVTCHN: + return 0; + + /* + * The following parameters are intended for toolstack usage only. + * They may not be read by the domain. + */ + case HVM_PARAM_PAGING_RING_PFN: + case HVM_PARAM_MONITOR_RING_PFN: + case HVM_PARAM_SHARING_RING_PFN: + return d == current->domain ? -EPERM : 0; + + /* Hole, deprecated, or out-of-range. */ + default: + return -EINVAL; + } +} + long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg) { long rc = 0; @@ -46,9 +100,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg) if ( copy_from_guest(&a, arg, 1) ) return -EFAULT; - if ( a.index >= HVM_NR_PARAMS ) - return -EINVAL; - d = rcu_lock_domain_by_any_id(a.domid); if ( d == NULL ) return -ESRCH; 
@@ -59,10 +110,18 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg) if ( op == HVMOP_set_param ) { + rc = hvm_allow_set_param(d, a.index); + if ( rc ) + goto param_fail; + d->arch.hvm.params[a.index] = a.value; } else { + rc = hvm_allow_get_param(d, a.index); + if ( rc ) + goto param_fail; + a.value = d->arch.hvm.params[a.index]; rc = copy_to_guest(arg, &a, 1) ? -EFAULT : 0; }
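Review bot: in the first hunk (@@ -31,6 +31,60 @@), both `default:` arms return -EINVAL for every parameter that is not on the two lists, while the note under the sign-off says the patch is only compile tested and that other params may need including, so any existing toolstack or guest caller that touches an unlisted index starts failing with this change. Please audit the in-tree Arm users of HVMOP_set_param and HVMOP_get_param and record the result in the commit message before this goes in. Separately, `return d == current->domain ? -EPERM : 0;` only distinguishes "self" from "other"; a short comment stating what prevents an unprivileged domain from naming a different domid would make the helpers' assumption explicit.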
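Review bot: in the second hunk (@@ -46,9 +100,6 @@), dropping `if ( a.index >= HVM_NR_PARAMS )` changes the error ordering in do_hvm_op(): range validation now happens only after `rcu_lock_domain_by_any_id(a.domid)`, so an out-of-range index combined with an unknown domid returns -ESRCH instead of -EINVAL, and a domain lookup is performed for requests that used to be rejected up front. If that is intended, say so in the commit message; otherwise keep the early check, which is cheap and does not conflict with the new helpers.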
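Review bot: in the third hunk (@@ -59,10 +110,18 @@), the accesses to `d->arch.hvm.params[a.index]` are now bounded only by the `case` lists in hvm_allow_set_param() and hvm_allow_get_param(), with `a.index` taken directly from the structure copied from the guest. Consider an `ASSERT(a.index < HVM_NR_PARAMS)` after the helper returns 0, or clamping the index with array_index_nospec(), so that neither a future case label nor a mispredicted branch can become an out-of-bounds access to the params array.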