WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-devel] Replacing IRET by a hypercall

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Replacing IRET by a hypercall
From: "Furquan Shaikh" <furquan.m.shaikh@xxxxxxxxx>
Date: Tue, 30 Dec 2008 15:52:53 +0530
Delivery-date: Tue, 30 Dec 2008 02:23:22 -0800
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Hello,
I am trying to implement a security system using Xen in which I need to replace the iret instruction with a hypercall, so that control comes to Xen before going back to the user-space process and I can perform some security checks.

I am trying to replace each iret in linux-2.6.18-xen.hg/arch/i386/kernel/entry-xen.S with my hypercall. I check the CS for the privilege level of the return code: if it is ring 2/3 then I execute my hypercall, else the normal iret instruction is executed.
1:      pushl %eax                      # save eax; the hypervisor restores it before its own iret
        movl $0,%eax
        movw 8(%esp),%ax                # CS of the frame being returned to (eax, eip, cs, ...)
        testl $2,%eax                   # RPL bit 1 set => returning to ring 2 or 3
        jz 678f
        testl $1,vmcloak_on             # only hook when the feature flag is on
        jz 678f
        jmp hypercall_page + (__HYPERVISOR_debug_iret * 32)   # never returns here
678:    popl %eax
        iret

This code is added at all four places just before iret is called in entry-xen.S

In the file xen-3.3.0/xen/arch/x86/x86_32/entry.S, at the point ENTRY(hypercall), I check the contents of %eax against my hypercall number, which is 38. If my hypercall was made, I replace the stack contents of ring 0 with those of ring 1 so that the hardware performs a normal iret, i.e. control goes back to the user-mode process as it would have had the hypercall not been made.

I am assuming the stack contents of ring 1 to be as follows (offsets relative to the ring-1 %esp, top of stack last):
    +--------+
    | ss     |  +20
    | esp    |  +16
    | eflags |  +12
    | cs     |   +8
    | eip    |   +4
    | eax    |   +0   ** This is pushed so that the value of eax is preserved across the hypercall.
    +--------+
    Ring 1 stack

I am assuming the stack contents of ring 0 to be as follows (offsets relative to the ring-0 %esp at ENTRY(hypercall), top of stack last):
    +--------+
    | ss     |  +16
    | esp    |  +12
    | eflags |   +8
    | cs     |   +4
    | eip    |   +0
    +--------+
    Ring 0 stack

The code added in entry.S after ENTRY(hypercall) is as follows:
    cli
    cmpl $38,%eax                  /* is this the debug_iret hypercall? */
    jne 679f

    pushl %esi                     /* preserve the guest's %esi, used as scratch below;
                                      every frame offset below is +4 because of this push */
    movw 20(%esp),%gs              /* ring-1 ss -> %gs, so %gs:(%esi) addresses the guest stack */
    movl 16(%esp),%esi             /* ring-1 esp: points at the saved eax on the guest stack */

/************************   Moving EIP   ***********************************/
    movl %gs:4(%esi),%eax
    movl %eax,4(%esp)

/************************  CS  *******************************************/
    movl %gs:8(%esi),%eax
    movl %eax,8(%esp)

/***********************   EFLAGS   *************************************/
    movl %gs:12(%esi),%eax
    movl %eax,12(%esp)

/***********************   ESP    *************************************/
    movl %gs:16(%esi),%eax
    movl %eax,16(%esp)

/***********************   SS    **************************************/
    movl %gs:20(%esi),%eax
    movl %eax,20(%esp)

/************************ Restoring eax and esi, then the hardware iret *****/
    movl %gs:(%esi),%eax
    popl %esi
    iret

679: /* remaining code of ENTRY(hypercall) */


Are my assumptions correct? I am unable to tell whether this code is correct. Can you please tell me the mistakes that I might be making?

Please help me,

Furquan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
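As an added illustration (not code from the post above and not Xen's own code): a C model of the two stack frames and of the CS selector test described in the message, so that the offsets hard-coded in the posted assembly can be checked offline. The struct layouts follow the post's two stack diagrams; it is assumed, as in the post, that the ring-0 frame is the raw hardware frame present at ENTRY(hypercall) before any register saving; all selector and address values are constructed samples.

```c
/* Added example, not from the original post or from Xen: a model of the
 * ring-1 and ring-0 frames described in the message and of the guest-side
 * "should this iret become a hypercall?" test.  Layouts follow the post;
 * the sample values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* What the guest leaves on its ring-1 stack before jumping to the hypercall
 * stub: the frame its own iret would have consumed, plus the %eax it pushed. */
struct ring1_frame {
    uint32_t eax;     /* offset 0, pushed by the guest-side code */
    uint32_t eip;     /* offset 4  */
    uint32_t cs;      /* offset 8  */
    uint32_t eflags;  /* offset 12 */
    uint32_t esp;     /* offset 16 */
    uint32_t ss;      /* offset 20 */
};

/* What the CPU pushes on the ring-0 stack when the ring-1 guest traps into the
 * hypervisor (assumption: the raw frame at ENTRY(hypercall), nothing saved yet). */
struct ring0_frame {
    uint32_t eip;     /* offset 0  */
    uint32_t cs;      /* offset 4  */
    uint32_t eflags;  /* offset 8  */
    uint32_t esp;     /* offset 12: guest %esp, points at ring1_frame.eax */
    uint32_t ss;      /* offset 16: guest %ss, the post loads it into %gs */
};

/* Guest-side test from entry-xen.S: `testl $2,%eax` on the saved CS is true
 * exactly when the requested privilege level (low two bits) is 2 or 3. */
int cs_returns_to_user(uint32_t cs)
{
    return (cs & 2) != 0;
}

/* Combined guest-side decision: hypercall only for ring 2/3 returns while bit 0
 * of the vmcloak_on flag is set, otherwise the plain iret runs. */
int guest_takes_hypercall(uint32_t cs, uint32_t vmcloak_on)
{
    return cs_returns_to_user(cs) && (vmcloak_on & 1) != 0;
}

/* Hypervisor-side read of the guest frame: 'stack' is a byte image of the guest's
 * stack segment and 'esi' the guest %esp taken from the ring-0 frame, mirroring
 * the %gs:(%esi) loads in the post. */
static uint32_t load32(const uint8_t *stack, uint32_t off)
{
    uint32_t v;
    memcpy(&v, stack + off, sizeof v);
    return v;
}

void read_ring1_frame(const uint8_t *stack, uint32_t esi, struct ring1_frame *f)
{
    f->eax    = load32(stack, esi + 0);
    f->eip    = load32(stack, esi + 4);
    f->cs     = load32(stack, esi + 8);
    f->eflags = load32(stack, esi + 12);
    f->esp    = load32(stack, esi + 16);
    f->ss     = load32(stack, esi + 20);
}

/* Rewrite the ring-0 frame so the hypervisor's iret lands where the guest's iret
 * would have; returns the value that must be in %eax at that iret. */
uint32_t rewrite_ring0_frame(struct ring0_frame *r0, const struct ring1_frame *r1)
{
    r0->eip    = r1->eip;
    r0->cs     = r1->cs;
    r0->eflags = r1->eflags;
    r0->esp    = r1->esp;
    r0->ss     = r1->ss;
    return r1->eax;
}

/* The offsets the posted assembly hard-codes, checked against the structs. */
int offsets_match_post(void)
{
    return offsetof(struct ring1_frame, eip) == 4 && offsetof(struct ring1_frame, ss) == 20 &&
           offsetof(struct ring0_frame, esp) == 12 && offsetof(struct ring0_frame, ss) == 16;
}

int main(void)
{
    /* Constructed sample: guest frame placed at offset 8 of a ring-1 stack image. */
    uint8_t stack[64] = {0};
    struct ring1_frame g = { 0x11223344u, 0x08048000u, 0x73u, 0x202u, 0xbffff000u, 0x7bu };
    memcpy(stack + 8, &g, sizeof g);

    struct ring0_frame r0 = { 0xc0100000u, 0xe019u, 0x202u, 8u, 0xe021u };
    struct ring1_frame r1;
    read_ring1_frame(stack, r0.esp, &r1);
    uint32_t eax = rewrite_ring0_frame(&r0, &r1);
    printf("iret to %#x:%#x ss:esp=%#x:%#x eax=%#x (offsets ok: %d)\n",
           (unsigned)r0.cs, (unsigned)r0.eip, (unsigned)r0.ss, (unsigned)r0.esp,
           (unsigned)eax, offsets_match_post());
    return 0;
}
```

The model makes one point visible that the assembly hides: the guest's %esp value on the ring-0 frame is the address of the pushed eax, not of eip, which is why every guest-frame field is read 4 bytes later than the corresponding ring-0 field is written.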