xen/53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch
Charles Arnold 66e0c5e297 - When the xl command is used, check to see if the domain being
modified is managed by libvirt and print warning if it is.
  xl-check-for-libvirt-managed-domain.patch

- Upstream patches from Jan
  53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch
  5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch
  534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch
  534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch
  53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch
  5357baff-x86-add-missing-break-in-dom0_pit_access.patch
- XSA-92
  xsa92.patch 

- Add # needssslcertforbuild to use the project's certificate when
  building in a home project. (bnc#872354)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=312
2014-05-01 03:35:21 +00:00

# Commit 061eebe0e99ad45c9c3b1a778b06140de4a91f25
# Date 2014-04-22 12:04:20 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/MSI: drop workaround for insecure Dom0 kernels
Considering that
- the workaround is expensive (iterating through the entire P2M space
of a domain),
- the planned elimination of the expensiveness (by propagating the type
change step by step to the individual P2M leaves) wouldn't address
the IOMMU side of things (as for it to obey to the changed
permissions the adjustments must be pushed down immediately through
the entire tree)
- the proper solution (PHYSDEVOP_msix_prepare) should by now be
implemented by all security conscious Dom0 kernels
remove the workaround, killing eventual guests that would be known to
become a security risk instead.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -679,7 +679,7 @@ static void ept_change_entry_type_global
return;
BUG_ON(p2m_is_grant(ot) || p2m_is_grant(nt));
- BUG_ON(ot != nt && (ot == p2m_mmio_direct || nt == p2m_mmio_direct));
+ BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt));
ept_change_entry_type_page(_mfn(ept_get_asr(ept)),
ept_get_wl(ept), ot, nt);
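Review bot: The replacement assertion `BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt));` is stricter than the old one in two ways that the commit message does not mention. It now fires for `ot == nt == p2m_mmio_direct`, which the old check allowed, and it tests the whole `p2m_is_mmio()` class rather than `p2m_mmio_direct` alone. Since a violation takes the hypervisor down instead of returning an error, please add a one-line comment above it stating that global type changes must never involve MMIO types. Please also confirm that no caller other than the one removed from msi.c in this patch passes an MMIO type. Only the EPT implementation gains the check here; if the other P2M implementation is meant to enforce the same rule, that belongs in this patch too.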
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -825,32 +825,22 @@ static int msix_capability_init(struct p
msix->pba.last) )
WARN();
- if ( dev->domain )
- p2m_change_entry_type_global(dev->domain,
- p2m_mmio_direct, p2m_mmio_direct);
- if ( desc && (!dev->domain || !paging_mode_translate(dev->domain)) )
+ if ( desc )
{
- struct domain *d = dev->domain;
+ struct domain *currd = current->domain;
+ struct domain *d = dev->domain ?: currd;
- if ( !d )
- for_each_domain(d)
- if ( !paging_mode_translate(d) &&
- (iomem_access_permitted(d, msix->table.first,
- msix->table.last) ||
- iomem_access_permitted(d, msix->pba.first,
- msix->pba.last)) )
- break;
- if ( d )
- {
- if ( !is_hardware_domain(d) && msix->warned != d->domain_id )
- {
- msix->warned = d->domain_id;
- printk(XENLOG_ERR
- "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
- seg, bus, slot, func, d->domain_id);
- }
- /* XXX How to deal with existing mappings? */
- }
+ if ( !is_hardware_domain(currd) || d != currd )
+ printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
+ is_hardware_domain(currd)
+ ? XENLOG_WARNING "Potentially insecure"
+ : XENLOG_ERR "Insecure",
+ seg, bus, slot, func, d->domain_id);
+ if ( !is_hardware_domain(d) &&
+ /* Assume a domain without memory has no mappings yet. */
+ (!is_hardware_domain(currd) || d->tot_pages) )
+ domain_crash(d);
+ /* XXX How to deal with existing mappings? */
}
}
WARN_ON(msix->nr_entries != nr_entries);
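Review bot: With `struct domain *d = dev->domain ?: currd;` an unowned device is attributed to the calling domain only. The removed `for_each_domain()` loop instead looked for any non-translated domain with `iomem_access_permitted()` on the table or PBA range. A domain other than the caller that already holds such access is therefore no longer reported or crashed. Please either keep an access check for that case or state in a comment why the caller is the only domain that needs to be considered. Two smaller points: the `msix->warned` de-duplication is dropped, so the message is emitted each time this path is taken (if the field has no other user it should be removed along with it), and the retained `/* XXX How to deal with existing mappings? */` now follows `domain_crash(d)`, so it would help to say which case it still refers to, presumably the one where `d` is the hardware domain and is not crashed.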