From mboxrd@z Thu Jan  1 00:00:00 1970
From: Razvan Cojocaru <rcojocaru@bitdefender.com>
Subject: Re: [PATCH V5 3/3] xen/vm_event: Deny register writes
 if refused by vm_event reply
Date: Tue, 14 Jul 2015 17:37:33 +0300
Message-ID: <55A51EAD.7090000@bitdefender.com>
References: <1436807687-9826-1-git-send-email-rcojocaru@bitdefender.com>
	<1436807687-9826-4-git-send-email-rcojocaru@bitdefender.com>
	<55A51E1D0200007800090AF4@mail.emea.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <55A51E1D0200007800090AF4@mail.emea.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <JBeulich@suse.com>
Cc: jun.nakajima@intel.com, kevin.tian@intel.com, wei.liu2@citrix.com, ian.campbell@citrix.com, stefano.stabellini@eu.citrix.com, george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com, xen-devel@lists.xen.org, eddie.dong@intel.com, Aravind.Gopalakrishnan@amd.com, suravee.suthikulpanit@amd.com, tlengyel@novetta.com, keir@xen.org, boris.ostrovsky@oracle.com
List-Id: xen-devel@lists.xenproject.org

On 07/14/2015 03:35 PM, Jan Beulich wrote:
>> --- a/xen/include/public/vm_event.h
>> +++ b/xen/include/public/vm_event.h
>> @@ -74,6 +74,11 @@
>>   * VM_EVENT_FLAG_SET_EMUL_READ_DATA are set, only the latter will be honored).
>>   */
>>  #define VM_EVENT_FLAG_SET_EMUL_READ_DATA (1 << 5)
>> + /*
>> +  * Deny completion of the operation that triggered the event.
>> +  * Currently only useful for MSR, CR0, CR3 and CR4 write events.
>> +  */
>> +#define VM_EVENT_FLAG_DENY               (1 << 6)
> 
> Wouldn't this want adding to the get-capabilities sub-op too?

Actually, no (sorry for rushing with the answer before), the monitor.c
capabilities issue refers to main event types, whereas this is a
response flag.

 45 static inline uint32_t get_capabilities(struct domain *d)
 46 {
 47     uint32_t capabilities = 0;
 48
 49     /*
 50      * At the moment only Intel HVM domains are supported. However,
event
 51      * delivery could be extended to AMD and PV domains.
 52      */
 53     if ( !is_hvm_domain(d) || !cpu_has_vmx )
 54         return capabilities;
 55
 56     capabilities = (1 << XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG) |
 57                    (1 << XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR) |
 58                    (1 << XEN_DOMCTL_MONITOR_EVENT_SOFTWARE_BREAKPOINT) |
 59                    (1 << XEN_DOMCTL_MONITOR_EVENT_GUEST_REQUEST);
 60
 61     /* Since we know this is on VMX, we can just call the hvm func */
 62     if ( hvm_is_singlestep_supported() )
 63         capabilities |= (1 << XEN_DOMCTL_MONITOR_EVENT_SINGLESTEP);
 64
 65     return capabilities;
 66 }

So if we have the (1 << XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG) and (1
<< XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR), that also means we can deny
those writes (by setting the VM_EVENT_FLAG_DENY in the vm_event
response), no additional checks are necessary.


Thanks,
Razvan