From patchwork Mon Jan 11 13:59:34 2016
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 8004231
From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Stefano Stabellini, Ian Campbell, Jan Beulich
Date: Mon, 11 Jan 2016 13:59:34 +0000
Message-ID: <1452520774-16794-1-git-send-email-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH] x86/hvm: Allow the guest to permit the use of userspace hypercalls

Currently, hypercalls issued from HVM userspace will unconditionally fail
with -EPERM. This is inflexible, and a guest may wish to allow userspace to
make hypercalls.

Introduce HVMOP_set_hypercall_dpl which allows the guest to alter the
permissions check for hypercalls. It behaves exactly like the dpl field for
GDT/LDT/IDT entries.

As the dpl is initialised to 0, hypercalls are restricted to cpl0 code until
the OS explicitly chooses an alternative.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Ian Campbell
CC: Stefano Stabellini

Arm folks: Is something like this sufficiently generic to be useful on Arm,
perhaps with more generic naming?

PV guest support for userspace hypercalls is substantially more involved, and
will take longer to complete.
---
 xen/arch/x86/hvm/hvm.c           | 25 ++++++++++++++++++++++++-
 xen/include/asm-x86/hvm/domain.h |  2 ++
 xen/include/public/hvm/hvm_op.h  |  8 ++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 21470ec..e5a08db 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -5228,7 +5228,8 @@ int hvm_do_hypercall(struct cpu_user_regs *regs) case 4: case 2: hvm_get_segment_register(curr, x86_seg_ss, &sreg); - if ( unlikely(sreg.attr.fields.dpl) ) + if ( unlikely(sreg.attr.fields.dpl < + currd->arch.hvm_domain.hypercall_dpl) ) { default: regs->eax = -EPERM; @@ -6839,6 +6840,28 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg) rc = do_altp2m_op(arg); break; + case HVMOP_set_hypercall_dpl: + { + xen_hvm_hypercall_dpl_t a; + struct domain *d; + + if ( copy_from_guest(&a, arg, 1 ) ) + return -EFAULT; + + rc = rcu_lock_remote_domain_by_id(a.domid, &d); + if ( rc != 0 ) + return rc; + + if ( current->domain != d ) + return -EPERM; + + if ( !is_hvm_domain(d) || a.dpl > 3 ) + return -EINVAL; + + d->arch.hvm_domain.hypercall_dpl = a.dpl; + break; + } + default: { gdprintk(XENLOG_DEBUG, "Bad HVM op %ld.\n", op); diff --git a/xen/include/asm-x86/hvm/domain.h b/xen/include/asm-x86/hvm/domain.h index a8cc2ad..006a142 100644 --- a/xen/include/asm-x86/hvm/domain.h +++ b/xen/include/asm-x86/hvm/domain.h @@ -137,6 +137,8 @@ struct hvm_domain { bool_t qemu_mapcache_invalidate; bool_t is_s3_suspended; + uint32_t hypercall_dpl; + /* * TSC value that VCPUs use to calculate their tsc_offset value. * Used during initialization and save/restore. diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h index 1606185..f8247db 100644 --- a/xen/include/public/hvm/hvm_op.h +++ b/xen/include/public/hvm/hvm_op.h 
@@ -489,6 +489,14 @@ struct xen_hvm_altp2m_op { typedef struct xen_hvm_altp2m_op xen_hvm_altp2m_op_t; DEFINE_XEN_GUEST_HANDLE(xen_hvm_altp2m_op_t); +#define HVMOP_set_hypercall_dpl 26 +struct xen_hvm_hypercall_dpl { + domid_t domid; + uint16_t dpl; /* IN[1:0] cpl required to make hypercalls. */ +}; +typedef struct xen_hvm_hypercall_dpl xen_hvm_hypercall_dpl_t; +DEFINE_XEN_GUEST_HANDLE(xen_hvm_hypercall_dpl_t); + #endif /* __XEN_PUBLIC_HVM_HVM_OP_H__ */ /*
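
Review bot: the comparison in the hvm_do_hypercall() hunk of xen/arch/x86/hvm/hvm.c looks inverted. The old test rejected any non-zero SS.dpl; the new one rejects only when `sreg.attr.fields.dpl < currd->arch.hvm_domain.hypercall_dpl`. With hypercall_dpl at its initial 0, and the field declared uint32_t, that condition is never true, so cases 4 and 2 no longer reach the -EPERM path for any cpl. That is the opposite of the commit message's "restricted to cpl0 code until the OS explicitly chooses an alternative". For descriptor-style semantics the call must be refused when cpl is greater than the configured dpl, so the test should read `sreg.attr.fields.dpl > currd->arch.hvm_domain.hypercall_dpl`.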
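
Review bot: in the HVMOP_set_hypercall_dpl case added to do_hvm_op(), both `return -EPERM` and `return -EINVAL` exit after rcu_lock_remote_domain_by_id() has succeeded, and no unlock of d is visible on the success path before `break` either. Set rc and fall through to a single exit that drops the domain reference. Separately, the lock helper is the "remote" variant while the next check demands `current->domain != d` be false; those two requirements look mutually exclusive, which would leave the op unable to succeed. If the intent is that a guest may only set its own dpl, lock by id with the non-remote helper (or drop the domid lookup and use current->domain directly) and say so in the interface comment.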
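
Review bot: the new `uint32_t hypercall_dpl;` member in struct hvm_domain (xen/include/asm-x86/hvm/domain.h) has no comment, unlike the TSC field that follows it. Since the handler only accepts values 0 to 3, a uint8_t would do, and a one-line comment stating that it is the highest cpl allowed to issue hypercalls, with 0 as the default, would make the check in hvm_do_hypercall() easier to audit.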
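
Review bot: the field comment in struct xen_hvm_hypercall_dpl (xen/include/public/hvm/hvm_op.h), "IN[1:0] cpl required to make hypercalls", does not match the handler and leaves the direction ambiguous. The [1:0] notation suggests the upper bits are ignored, but do_hvm_op() returns -EINVAL for `a.dpl > 3`; and "required" does not say whether callers need cpl <= dpl or cpl >= dpl. As this is a public ABI header, please spell out the comparison, the default of 0, the rejection of values above 3, and that domid must name the calling domain.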