On Friday, March 20, 2015 at 6:15:15 AM UTC-7, Jan Kiszka wrote: > From: Jan Kiszka <[email protected]> > > We currently allow access to almost all MSRs (except for APIC-related > ones). This has to be changed into a whitelist approach to avoid that > the cell manipulates a CPU state in a way we didn't validate as safe. > > CC: Valentine Sinitsyn <[email protected]> > Signed-off-by: Jan Kiszka <[email protected]> > --- > TODO.md | 1 + > hypervisor/arch/x86/svm.c | 2 ++ > hypervisor/arch/x86/vmx.c | 1 + > 3 files changed, 4 insertions(+) > > diff --git a/TODO.md b/TODO.md > index 9c8754d..4d937b3 100644 > --- a/TODO.md > +++ b/TODO.md > @@ -6,6 +6,7 @@ x86 support > - block > - allow per cell (managing inter-core/inter-cell impacts) > - NMI control/status port - moderation or emulation required? > + - whitelist-based MSR access > > ARM support > - v7 (32-bit) [WIP] > diff --git a/hypervisor/arch/x86/svm.c b/hypervisor/arch/x86/svm.c > index 6be1bad..13d9f67 100644 > --- a/hypervisor/arch/x86/svm.c > +++ b/hypervisor/arch/x86/svm.c > @@ -49,6 +49,8 @@ static const struct segment invalid_seg; > > static struct paging npt_paging[NPT_PAGE_DIR_LEVELS]; > > +/* bit cleared: direct access allowed */ > +// TODO: convert to whitelist > static u8 __attribute__((aligned(PAGE_SIZE))) msrpm[][0x2000/4] = { > [ SVM_MSRPM_0000 ] = { > [ 0/4 ... 0x017/4 ] = 0, > diff --git a/hypervisor/arch/x86/vmx.c b/hypervisor/arch/x86/vmx.c > index 30ffdd5..4805453 100644 > --- a/hypervisor/arch/x86/vmx.c > +++ b/hypervisor/arch/x86/vmx.c > @@ -33,6 +33,7 @@ static const struct segment invalid_seg = { > }; > > /* bit cleared: direct access allowed */ > +// TODO: convert to whitelist > static u8 __attribute__((aligned(PAGE_SIZE))) msr_bitmap[][0x2000/8] = { > [ VMX_MSR_BMP_0000_READ ] = { > [ 0/8 ... 0x7ff/8 ] = 0, > -- > 2.1.4
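Review bot: The new TODO entry names the goal but not the exposure it is meant to close; since the commit message says almost all MSRs except APIC-related ones are currently passed through, consider stating that in the item (e.g. "- whitelist-based MSR access (today almost every MSR is passed through)") so the list carries the risk on its own.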
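Review bot: In the svm.c hunk the added `// TODO: convert to whitelist` uses C++ comment syntax right under a `/* */` comment in a file that otherwise uses block comments; fold it into the existing one (`/* bit cleared: direct access allowed; TODO: convert to whitelist */`). It would also help to say what the table means until then: with the `[ 0/4 ... 0x017/4 ] = 0` style initializers, every cleared pair still grants the cell direct read and write access, so msrpm currently documents the pass-through set rather than an allow-list.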
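Review bot: The vmx.c hunk adds the same `//` marker after `/* bit cleared: direct access allowed */`; use the block-comment style here too. More importantly, the marker changes nothing in behaviour: the visible `[ 0/8 ... 0x7ff/8 ] = 0` range initializer still clears a whole run of read-bitmap bytes in one stroke, so the follow-up that does the conversion should replace such ranges with per-MSR entries and default the rest of msr_bitmap to all-ones.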
Just to get/align the rationale here on the MSR whitelist. The idea is to expose the whitelist as root/inmate cell configs as well, just like the PIO bitmap right now? If so, I wonder if having all accesses besides those already treated denied and then working with a minimal set to have, say, a bootable Linux inmate as a default config would be acceptable, or whether there is another idea...
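As an added illustration of the default-deny approach the reply asks about (example code written for this thread, not Jailhouse's own): a VMX-style MSR bitmap is built from a whitelist, every bit starts set (access intercepted) and only the listed accesses are cleared. The page layout assumed is the Intel SDM's four 1 KiB quarters (read low, read high, write low, write high); the whitelist entries and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MSR_BITMAP_SIZE 0x1000 /* one 4 KiB VMX MSR-bitmap page */
struct msr_rule { uint32_t msr; bool read, write; };
/* Map (msr, write) to its bit; false if the MSR lies outside the two
 * bitmapped ranges, where the CPU exits regardless of the bitmap. */
static bool msr_bit(uint32_t msr, bool write, unsigned *byte, unsigned *bit)
{
	unsigned base = write ? 0x800 : 0x000;
	if (msr >= 0xc0000000 && msr <= 0xc0001fff) {
		base += 0x400;
		msr -= 0xc0000000;
	} else if (msr > 0x1fff) {
		return false;
	}
	*byte = base + msr / 8;
	*bit = msr % 8;
	return true;
}
/* Default-deny: set every bit (intercept all), then clear only the
 * accesses the whitelist grants. */
void build_msr_bitmap(uint8_t *bm, const struct msr_rule *rules, unsigned n)
{
	unsigned i, byte, bit;
	memset(bm, 0xff, MSR_BITMAP_SIZE);
	for (i = 0; i < n; i++) {
		if (rules[i].read && msr_bit(rules[i].msr, false, &byte, &bit))
			bm[byte] &= ~(1u << bit);
		if (rules[i].write && msr_bit(rules[i].msr, true, &byte, &bit))
			bm[byte] &= ~(1u << bit);
	}
}
/* True if the cell may perform this access without a VM exit. */
bool msr_access_allowed(const uint8_t *bm, uint32_t msr, bool write)
{
	unsigned byte, bit;
	return msr_bit(msr, write, &byte, &bit) && !(bm[byte] & (1u << bit));
}
/* Constructed whitelist for illustration only, not the project's policy:
 * TSC readable, FS/GS base read-write, everything else intercepted. */
static const struct msr_rule example_rules[] = {
	{ 0x10, true, false }, { 0xc0000100, true, true }, { 0xc0000101, true, true },
};
static uint8_t example_bitmap[MSR_BITMAP_SIZE];
const uint8_t *build_example_bitmap(void)
{
	build_msr_bitmap(example_bitmap, example_rules, 3);
	return example_bitmap;
}
```

A cell config would carry only the rule table; anything not listed, including the APIC base MSR, keeps causing a VM exit.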
