From patchwork Fri Jan 17 16:44:31 2020
X-Patchwork-Submitter: Sergey Dyasli
X-Patchwork-Id: 11339545
From: Sergey Dyasli
Date: Fri, 17 Jan 2020 16:44:31 +0000
Message-ID: <20200117164432.32245-1-sergey.dyasli@citrix.com>
Subject: [Xen-devel] [PATCH v3 1/2] xsm: add config option for denied string
Cc: Sergey Dyasli, Stefano Stabellini, Julien Grall, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson, Jan Beulich, Daniel De Graaf, Doug Goldstein

Signed-off-by: Sergey Dyasli
Acked-by: Jan Beulich
---
v2 --> v3:
- new patch

CC: Andrew Cooper
CC: George Dunlap
CC: Ian Jackson
CC: Jan Beulich
CC: Julien Grall
CC: Konrad Rzeszutek Wilk
CC: Stefano Stabellini
CC: Wei Liu
CC: Daniel De Graaf
CC: Doug Goldstein
---
xen/common/Kconfig | 8 ++++++++ xen/common/version.c | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index b3d161d057..f0a3f0da0f 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -236,6 +236,14 @@ choice bool "SILO" if XSM_SILO endchoice +config XSM_DENIED_STRING + string "xen_version denied string" + default "" + depends on XSM + ---help--- + A string which substitutes sensitive information returned via + xen_version hypercall to non-privileged guests + config LATE_HWDOM bool "Dedicated hardware domain" default n diff --git a/xen/common/version.c b/xen/common/version.c index 937eb1281c..14b205af48 100644 --- a/xen/common/version.c +++ b/xen/common/version.c
@@ -67,7 +67,7 @@ const char *xen_banner(void) const char *xen_deny(void) { - return ""; + return CONFIG_XSM_DENIED_STRING; } static const void *build_id_p __read_mostly;

From patchwork Fri Jan 17 16:44:32 2020
X-Patchwork-Submitter: Sergey Dyasli
X-Patchwork-Id: 11339543
From: Sergey Dyasli
Date: Fri, 17 Jan 2020 16:44:32 +0000
Message-ID: <20200117164432.32245-2-sergey.dyasli@citrix.com>
In-Reply-To: <20200117164432.32245-1-sergey.dyasli@citrix.com>
Subject: [Xen-devel] [PATCH v3 2/2] xsm: hide detailed Xen version from unprivileged guests
Cc: Sergey Dyasli, Stefano Stabellini, Julien Grall, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson, Jan Beulich, Daniel De Graaf, Doug Goldstein

Hide the following information that can help identify the running Xen binary version: XENVER_extraversion, XENVER_compile_info, XENVER_changeset. This makes it harder for malicious guests to fingerprint Xen to identify exploitable systems.

Add explicit cases for XENVER_commandline and XENVER_build_id as well for better code readability.
Signed-off-by: Sergey Dyasli
---
v2 --> v3:
- Remove hvmloader filtering
- Add ASSERT_UNREACHABLE

v1 --> v2:
- Added xsm_filter_denied() to hvmloader instead of modifying xen_deny()
- Made behaviour the same for both Release and Debug builds
- XENVER_capabilities is no longer hidden

CC: Andrew Cooper
CC: George Dunlap
CC: Ian Jackson
CC: Jan Beulich
CC: Julien Grall
CC: Konrad Rzeszutek Wilk
CC: Stefano Stabellini
CC: Wei Liu
CC: Daniel De Graaf
CC: Doug Goldstein
---
xen/include/xsm/dummy.h | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index b8e185e6fa..c00186d7b6 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -750,16 +750,23 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op) case XENVER_get_features: /* These sub-ops ignore the permission checks and return data. */ return 0; - case XENVER_extraversion: - case XENVER_compile_info: + case XENVER_capabilities: - case XENVER_changeset: case XENVER_pagesize: case XENVER_guest_handle: /* These MUST always be accessible to any guest by default. */ return xsm_default_action(XSM_HOOK, current->domain, NULL); - default: + + case XENVER_extraversion: + case XENVER_compile_info: + case XENVER_changeset: + case XENVER_commandline: + case XENVER_build_id: return xsm_default_action(XSM_PRIV, current->domain, NULL); + + default: + ASSERT_UNREACHABLE(); + return -EPERM; } }
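
Review bot: the help text for XSM_DENIED_STRING in the xen/common/Kconfig hunk (patch 1/2) does not say which xen_version sub-ops are substituted, that the configured value is handed to guests verbatim, or whether there is a length limit. Suggest naming the affected sub-ops in the help and stating any size constraint that applies, so that someone setting a custom string at build time knows what guests will actually see.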
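
Review bot: `return CONFIG_XSM_DENIED_STRING;` in the xen/common/version.c hunk (patch 1/2) uses the new symbol with no guard, while the Kconfig hunk declares it `depends on XSM`. Kconfig does not emit a string symbol whose dependencies are unmet, so as far as these hunks show, a build with XSM disabled has no definition for the macro. Either drop the dependency or give xen_deny() a fallback for that configuration.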
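
Review bot: the new `default:` arm in the xen/include/xsm/dummy.h hunk (patch 2/2) calls ASSERT_UNREACHABLE(), but `op` is a plain uint32_t argument and nothing in the hunk shows that unknown values are rejected before xsm_xen_version() runs. If a guest can pass an unlisted sub-op, debug builds would hit the assertion instead of returning -EPERM; please confirm the caller validates `op` first, or keep the default arm a plain deny. The new XSM_PRIV group would also benefit from a one-line comment like the one above the XSM_HOOK return.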