This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

[Xense-devel] XSM hook for mapping a grant ref

To: "George S. Coker II" <gscoker@xxxxxxxxxxxxxx>
Subject: [Xense-devel] XSM hook for mapping a grant ref
From: Derek Murray <Derek.Murray@xxxxxxxxxxxx>
Date: Tue, 15 May 2007 12:11:33 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
George et al,

In another thread today, my attention has been drawn to the grant_operation_permitted() hook that is called when a domain attempts to map a grant reference. This effectively checks whether or not the mapping domain has any I/O memory capabilities, and allows the mapping if it does. The comment for this macro states that:

"Until TLB flushing issues are sorted out we consider it unsafe for domains with no hardware-access privileges to perform grant map/transfer operations."

It seems reasonable that we could have trusted domains which one can assume will handle these situations gracefully. Hence, I think there is a case for an XSM hook that determines whether or not a domain is allowed to map any grants. Arguably, this could be combined with the check in xsm_map_grantref, though I would be unsurprised if there is a reason for the grant_operation_permitted hook residing where it is currently.

This also raises the question of whether XSM should be integrated with the existing I/O capabilities system, so that there is one consistent view for a domain's privileges.


Derek Murray.
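The design point in the mail above, as an added illustration that is not part of the message and not Xen's own source: the current check keys the decision purely on whether the mapping domain holds any I/O memory capability, whereas an XSM hook would let a policy module decide. The toy below models both as interchangeable hooks behind one decision point; `toy_domain`, `map_grant_hook`, `may_map_grantref` and the `xsm_trusted` label are hypothetical names, and the sample domains are constructed.

```c
/* Added illustration, not Xen code: the grant-map permission check as a
 * pluggable hook. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy domain record. has_iomem_caps is the only thing the existing
 * grant_operation_permitted() check consults; xsm_trusted stands in for a
 * label an XSM policy could consult instead. */
typedef struct {
    uint32_t domid;
    bool     has_iomem_caps;
    bool     xsm_trusted;
} toy_domain;

/* Hook signature: return true if `d` may map a grant reference. */
typedef bool (*map_grant_hook)(const toy_domain *d);

/* Policy 1: the behaviour the mail attributes to the current macro. */
static bool legacy_grant_operation_permitted(const toy_domain *d)
{
    return d->has_iomem_caps;
}

/* Policy 2: an XSM-style decision based on a domain label. */
static bool xsm_trusted_domain_may_map(const toy_domain *d)
{
    return d->xsm_trusted;
}

/* Policy 3: one consistent view, i.e. either source of privilege suffices. */
static bool combined_may_map(const toy_domain *d)
{
    return d->has_iomem_caps || d->xsm_trusted;
}

/* The single decision point; only the hook is policy-specific. Fails closed
 * when no policy has been registered. */
static bool may_map_grantref(const toy_domain *d, map_grant_hook hook)
{
    if (d == NULL || hook == NULL)
        return false;
    return hook(d);
}

int main(void)
{
    /* Constructed sample domains: a hardware-privileged domain, a driver
     * domain that is trusted but holds no I/O capability, and a plain domU. */
    const toy_domain samples[] = {
        { 0, true,  true  },
        { 1, false, true  },
        { 2, false, false },
    };
    const struct { const char *name; map_grant_hook hook; } policies[] = {
        { "legacy",   legacy_grant_operation_permitted },
        { "xsm",      xsm_trusted_domain_may_map },
        { "combined", combined_may_map },
    };

    for (size_t p = 0; p < sizeof policies / sizeof policies[0]; p++)
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("%-8s dom%u -> %s\n", policies[p].name, samples[i].domid,
                   may_map_grantref(&samples[i], policies[p].hook) ? "allow" : "deny");
    return 0;
}
```

Under the legacy hook the trusted driver domain (dom1) is denied because it holds no I/O capability; under the XSM or combined hook it is allowed, while the plain domU is denied by all three.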
