On 2017-07-24 22:40, Gustavo Lima Chaves wrote: > On Friday, March 20, 2015 at 6:15:15 AM UTC-7, Jan Kiszka wrote: >> From: Jan Kiszka <[email protected]> >> >> We currently allow access to almost all MSRs (except for APIC-related >> ones). This has to be changed into a whitelist approach to avoid that >> the cell manipulates a CPU state in a way we didn't validate as safe. >> >> CC: Valentine Sinitsyn <[email protected]> >> Signed-off-by: Jan Kiszka <[email protected]> >> --- >> TODO.md | 1 + >> hypervisor/arch/x86/svm.c | 2 ++ >> hypervisor/arch/x86/vmx.c | 1 + >> 3 files changed, 4 insertions(+) >> >> diff --git a/TODO.md b/TODO.md >> index 9c8754d..4d937b3 100644 >> --- a/TODO.md >> +++ b/TODO.md >> @@ -6,6 +6,7 @@ x86 support >> - block >> - allow per cell (managing inter-core/inter-cell impacts) >> - NMI control/status port - moderation or emulation required? >> + - whitelist-based MSR access >> >> ARM support >> - v7 (32-bit) [WIP] >> diff --git a/hypervisor/arch/x86/svm.c b/hypervisor/arch/x86/svm.c >> index 6be1bad..13d9f67 100644 >> --- a/hypervisor/arch/x86/svm.c >> +++ b/hypervisor/arch/x86/svm.c >> @@ -49,6 +49,8 @@ static const struct segment invalid_seg; >> >> static struct paging npt_paging[NPT_PAGE_DIR_LEVELS]; >> >> +/* bit cleared: direct access allowed */ >> +// TODO: convert to whitelist >> static u8 __attribute__((aligned(PAGE_SIZE))) msrpm[][0x2000/4] = { >> [ SVM_MSRPM_0000 ] = { >> [ 0/4 ... 0x017/4 ] = 0, >> diff --git a/hypervisor/arch/x86/vmx.c b/hypervisor/arch/x86/vmx.c >> index 30ffdd5..4805453 100644 >> --- a/hypervisor/arch/x86/vmx.c >> +++ b/hypervisor/arch/x86/vmx.c 
>> @@ -33,6 +33,7 @@ static const struct segment invalid_seg = { >> }; >> >> /* bit cleared: direct access allowed */ >> +// TODO: convert to whitelist >> static u8 __attribute__((aligned(PAGE_SIZE))) msr_bitmap[][0x2000/8] = { >> [ VMX_MSR_BMP_0000_READ ] = { >> [ 0/8 ... 0x7ff/8 ] = 0, >> -- >> 2.1.4
>
> Just to get/align the rationale here on the MSR whitelist. The idea is to
> expose the whitelist as root/inmate cell configs as well, just like the PIO
> bitmap right now? If so, I wonder if having all accesses besides those
> already treated denied and then working with a minimal set to have, say, a
> bootable Linux inmate as a default config would be acceptable or there is
> another idea...
>
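Review bot: in the svm.c hunk, the added `// TODO: convert to whitelist` is a C++-style line comment placed directly under the block comment `/* bit cleared: direct access allowed */` that the same hunk adds, while the surrounding file uses `/* */` comments throughout; fold both into a single block comment above `msrpm`, and since "bit cleared: direct access allowed" documents the current blacklist semantics, word the TODO so that it also reminds the implementer to update that sentence when the table is inverted.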
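Review bot: in the vmx.c hunk, `// TODO: convert to whitelist` is inserted between the existing `/* bit cleared: direct access allowed */` comment and the `msr_bitmap` declaration it describes, separating the two and mixing `//` with the file's `/* */` style; merge the TODO into the existing block comment instead, so the comment stays attached to the declaration and there is a single place to update when the bitmap becomes a whitelist.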
The idea is to first of all try to define a static whitelist of MSRs that are safe to be handed out to the guest because they do not affect the integrity of the hypervisor on that same logical CPU, nor do they have cross-cell effects. If working out that list requires per-board configurations (maybe not unlikely), we may need to extend the config format as well.

Jan

--
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
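The whitelist approach discussed in the thread comes down to inverting the MSR bitmap: start with every access intercepted and clear bits only for MSRs that have been reviewed. The following is an added example, not Jailhouse code and not the list Jan is describing. It assumes the VMX MSR-bitmap layout from the Intel SDM (4 KiB, one bit per MSR, a set bit causes a VM exit, four 1 KiB quarters for low/high MSR ranges times read/write), which matches the `msr_bitmap[][0x2000/8]` shape in the quoted vmx.c hunk. All function names are the example's own, and the three MSRs in `sample_whitelist` are a constructed sample: whether any of them belongs on a real whitelist is exactly the per-MSR review the reply calls for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * VMX MSR bitmap (Intel SDM): 4 KiB, one bit per MSR, bit set = VM exit.
 *   bytes    0..1023  reads  of MSRs 0x00000000..0x00001FFF
 *   bytes 1024..2047  reads  of MSRs 0xC0000000..0xC0001FFF
 *   bytes 2048..3071  writes of MSRs 0x00000000..0x00001FFF
 *   bytes 3072..4095  writes of MSRs 0xC0000000..0xC0001FFF
 * MSRs outside these two ranges exit unconditionally.
 */
#define MSR_BITMAP_SIZE   4096
#define MSR_RANGE_SIZE    0x2000                  /* MSRs per quarter */
#define MSR_QUARTER_BYTES (MSR_RANGE_SIZE / 8)
#define MSR_HIGH_BASE     0xC0000000u

enum msr_access { MSR_READ = 0, MSR_WRITE = 1 };

/* Byte offset of the quarter covering msr for this direction, or -1. */
static int msr_bitmap_quarter(uint32_t msr, enum msr_access dir)
{
	int base = (dir == MSR_WRITE) ? 2 * MSR_QUARTER_BYTES : 0;

	if (msr < MSR_RANGE_SIZE)
		return base;
	if (msr >= MSR_HIGH_BASE && msr < MSR_HIGH_BASE + MSR_RANGE_SIZE)
		return base + MSR_QUARTER_BYTES;
	return -1;
}

/* Whitelist mode: every covered MSR is intercepted until explicitly allowed. */
static void msr_bitmap_init_whitelist(uint8_t *bitmap)
{
	memset(bitmap, 0xff, MSR_BITMAP_SIZE);
}

/* Clear the intercept bit for one MSR/direction; false if not bitmap-covered. */
static bool msr_bitmap_allow(uint8_t *bitmap, uint32_t msr, enum msr_access dir)
{
	int q = msr_bitmap_quarter(msr, dir);
	uint32_t idx = msr & (MSR_RANGE_SIZE - 1);

	if (q < 0)
		return false;
	bitmap[q + idx / 8] &= (uint8_t)~(1u << (idx % 8));
	return true;
}

/* True if a guest access to msr traps to the hypervisor under this bitmap. */
static bool msr_bitmap_intercepts(const uint8_t *bitmap, uint32_t msr, enum msr_access dir)
{
	int q = msr_bitmap_quarter(msr, dir);
	uint32_t idx = msr & (MSR_RANGE_SIZE - 1);

	if (q < 0)
		return true;			/* uncovered MSRs always exit */
	return (bitmap[q + idx / 8] >> (idx % 8)) & 1;
}

/* Number of MSR/direction pairs the guest may touch directly (cleared bits). */
static unsigned msr_bitmap_count_allowed(const uint8_t *bitmap)
{
	unsigned n = 0;

	for (size_t i = 0; i < MSR_BITMAP_SIZE; i++)
		for (unsigned b = 0; b < 8; b++)
			if (!((bitmap[i] >> b) & 1))
				n++;
	return n;
}

/* Constructed sample whitelist for illustration only (not Jailhouse's list). */
struct msr_rule { uint32_t msr; bool rd; bool wr; };

static const struct msr_rule sample_whitelist[] = {
	{ 0x00000010, true,  false },	/* IA32_TIME_STAMP_COUNTER, read only */
	{ 0xC0000100, true,  true  },	/* IA32_FS_BASE */
	{ 0xC0000101, true,  true  },	/* IA32_GS_BASE */
};

/* The hardware wants the bitmap page-aligned, as the quoted declarations do. */
static uint8_t g_sample_bitmap[MSR_BITMAP_SIZE] __attribute__((aligned(4096)));

/* Fill g_sample_bitmap from the sample rules; returns the allowed-bit count. */
static unsigned build_sample_bitmap(void)
{
	msr_bitmap_init_whitelist(g_sample_bitmap);
	for (size_t i = 0; i < sizeof(sample_whitelist) / sizeof(sample_whitelist[0]); i++) {
		const struct msr_rule *r = &sample_whitelist[i];

		if (r->rd)
			msr_bitmap_allow(g_sample_bitmap, r->msr, MSR_READ);
		if (r->wr)
			msr_bitmap_allow(g_sample_bitmap, r->msr, MSR_WRITE);
	}
	return msr_bitmap_count_allowed(g_sample_bitmap);
}

int main(void)
{
	printf("directly accessible MSR/direction pairs: %u\n", build_sample_bitmap());
	printf("rdmsr 0x10 traps: %d, wrmsr 0x10 traps: %d\n",
	       msr_bitmap_intercepts(g_sample_bitmap, 0x10, MSR_READ),
	       msr_bitmap_intercepts(g_sample_bitmap, 0x10, MSR_WRITE));
	printf("rdmsr 0x1b (IA32_APIC_BASE) traps: %d\n",
	       msr_bitmap_intercepts(g_sample_bitmap, 0x1b, MSR_READ));
	return 0;
}
```

The count of cleared bits is the useful review metric for a whitelist: it should stay small and every entry should be traceable to a rule. The same inversion applies to the AMD MSRPM in svm.c, but with a different layout (8 KiB, two bits per MSR for read and write, and a third range at 0xC0010000 starting at offset 0x1000, which is why that array is `[0x2000/4]` wide), so the quarter arithmetic above is VMX-specific.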
