Re: [PATCH 2/2] pyjailhouse: x86: implement pio_bitmap generator

Tue, 18 Jun 2019 09:24:04 -0700 



On 18.06.19 18:04, Jan Kiszka wrote:

On 18.06.19 17:55, Andrej Utz wrote:


Hi Jan,

On 07.06.19 09:23, Jan Kiszka wrote:

On 05.06.19 18:17, Andrej Utz wrote:

This replaces the old static port list with actual port regions from

'/proc/ioports'. The static regions from said list are kept and 
override

the data in case of region overlap to retain compability.

The generated port list is virtually identicall to the old one but 
eases

manual configuration.



IOW, the whole PCI IO space remains accessible, is now just 
partitioned in order to ease manual disabling? I wonder if we could 
not go one step further and only allow known regions.


But isn't this the same as the static regions ...



Signed-off-by: Andrej Utz <[email protected]>
---

  pyjailhouse/sysfs_parser.py   | 135 
++++++++++++++++++++++++++++++++++

  tools/jailhouse-config-create |  14 +---
  tools/root-cell-config.c.tmpl |  15 ++--
  3 files changed, 142 insertions(+), 22 deletions(-)

diff --git a/pyjailhouse/sysfs_parser.py b/pyjailhouse/sysfs_parser.py
index 56265fb5..d06a476a 100644
--- a/pyjailhouse/sysfs_parser.py
+++ b/pyjailhouse/sysfs_parser.py
@@ -142,6 +142,57 @@ def parse_iomem(pcidevices):
      return ret, dmar_regions
+def parse_ioports():
+    regions = IOMapTree.parse_ioports_tree(
+        IOMapTree.parse_iomap_file('/proc/ioports', PortRegion))
+
+    tmp = [
+        # static regions
+        PortRegion(0x0, 0x3f, ''),
+        PortRegion(0x40, 0x43, 'PIT', allowed=True),

+        PortRegion(0x60, 0x61, 'NMI', allowed=True), # NMI 
status/control


... do here? Or how do you define "known regions"?



There are a number of known platform regions in the lower IO range, like 
the above. And then there are the IO regions of PCI devices, according 
to their BAR settings. Currently, we permit access to the whole PCI 
range to the root cell.



Does that also mean we need to read the PCI config space to whitelist 
port regions?

If so, I'd like it to be another commit on top of this patch.

Andrej


Jan


--
You received this message because you are subscribed to the Google Groups 
"Jailhouse" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jailhouse-dev/0b53c6d6-1810-fe2f-f077-20fe8272ff36%40st.oth-regensburg.de.
For more options, visit https://groups.google.com/d/optout.






















					Reply via email to