On 12.07.19 17:59, Ralf Ramsauer wrote:
> Hi,
>
> On 6/21/19 12:06 AM, Andrej Utz wrote:
>> This replaces the old static port list with actual port regions from
>> '/proc/ioports'. The static regions from said list are kept and override
>> the data in case of region overlap to retain compability.
>> The generated port list is virtually identicall to the old one but eases
>> manual configuration.
>
> just found a bug in this series. This series creates regions such as:
>
> <snip>
> [ 0x80/8 ... 0x87/8] = -1, /* 0080-0087 : dma page reg */
> [ 0x88/8 ... 0x8f/8] = -1, /* 0088-008f : dma page reg */
> [ 0xa0/8 ... 0xa7/8] = -1, /* 00a0-00a1 : pic2 */
> <snip>
>
> Now we have a hole between [0x90/8 ... 0x1f/8]. A hole means that this
> area will be initialised with zero -> access is permitted.
>
> Root of this bug: In addition known port regions, we must also respect
> unknown port regions and deny access.
>
> @Jan: This brings me to an idea. The TODO says that whitelist-based MSR
> bitmaps are a v1.0 target. I think the PIO bitmap would also benefit if
> it would be whitelist based. Do you agree?
Sure, that is what we tried so far, but not for PCI. And then there is always
the trade-off between locking down the system and running directly into a
violation on first start.
>
> E.g.:
> .pio_bitmap = {
> [ 0x3f8/8 ... 0x3ff/8 ] = -1,
> },
>
> would denote that only access to 3f8-3ff is allowed. All other ports are
> denied. Much easier to write and understand.
The bitmap is encoded in machine format. Both Intel and AMD use the inverse
form, don't ask me why.
Of course, inversion in software would be feasible and hopefully limited to
vcpu_cell_init/exit(). Hmm, no, also i8042_access_handler(). The bigger issue
might be the transformation of existing configs.
Jan
--
You received this message because you are subscribed to the Google Groups
"Jailhouse" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jailhouse-dev/97013af8-fec9-f42b-6c40-9712fff0c266%40web.de.
For more options, visit https://groups.google.com/d/optout.
