>>> On 19.12.14 at 12:32, <andrew.coop...@citrix.com> wrote:
> On 19/12/14 09:11, Jan Beulich wrote:
>>>>> On 18.12.14 at 19:51, <andrew.coop...@citrix.com> wrote:
>>> On 18/12/14 18:27, Roger Pau Monne wrote:
>>>> Prevent Dom0 from accessing HPET MMIO region by adding it to the list of
>>>> denied memory regions.
>>>>
>>>> Signed-off-by: Roger Pau Monné <roger....@citrix.com>
>>>> Cc: Jan Beulich <jbeul...@suse.com>
>>>> Cc: Andrew Cooper <andrew.coop...@citrix.com>
>>> Apologies that this reply is split between patch 0 and 2 - I replied to
>>> your cover letter before reading this patch.
>>>
>>> Denying access is only valid if acpi_table_hpet.flags & 
>>> ACPI_HPET_PAGE_PROTECT4 is true.
>> Having just checked (as an example) the most modern Intel box I
>> have direct access to, I wonder how many systems actually supply
>> other than 0 here. Perhaps we ought to at once add a command
>> line option to trigger the denial?
> 
> I also can't find a server which sets this flag.  I wonder how many
> systems actually have other things sitting in the remainder of the page.

One would think (or should I say hope) that there's at least nothing
with read side effects anywhere, or else Linux's exposing of the
page to user mode would be a security problem. Perhaps we should
also limit Dom0 mappings to r/o when we can't hide the page
altogether.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
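
The check discussed in this thread, as an added example that is not part of the original messages or of Xen's code: it validates a constructed HPET ACPI table, reads the page-protection field, and returns "deny" when the page is flagged as protected or "map read-only" otherwise. It goes slightly beyond the thread by also accepting the 64KB protection value; `hpet_dom0_policy`, `make_hpet`, the policy enum and the offset macros are hypothetical names, and the flag constants follow ACPICA's definitions.

```c
#include <stdint.h>
#include <string.h>

/* Flag values as defined by ACPICA; every other name here is hypothetical. */
#define ACPI_HPET_PAGE_PROTECT_MASK 3
#define ACPI_HPET_PAGE_PROTECT4     1
#define ACPI_HPET_PAGE_PROTECT64    2
#define HPET_TABLE_LEN 56   /* 36-byte ACPI header + HPET fields */
#define HPET_FLAGS_OFF 55   /* page protection / OEM attribute byte */
enum hpet_policy { HPET_BAD_TABLE = -1, HPET_MAP_RO = 0, HPET_DENY = 1 };

/* Decide how the HPET MMIO page may be exposed to Dom0. */
enum hpet_policy hpet_dom0_policy(const uint8_t *tbl, size_t len)
{
    uint32_t tbl_len;
    uint8_t sum = 0, prot;
    if (len < HPET_TABLE_LEN || memcmp(tbl, "HPET", 4) != 0)
        return HPET_BAD_TABLE;
    tbl_len = tbl[4] | tbl[5] << 8 | tbl[6] << 16 | (uint32_t)tbl[7] << 24;
    if (tbl_len < HPET_TABLE_LEN || tbl_len > len)
        return HPET_BAD_TABLE;
    for (size_t i = 0; i < tbl_len; i++)
        sum += tbl[i];              /* a valid ACPI table sums to 0 mod 256 */
    if (sum != 0)
        return HPET_BAD_TABLE;
    prot = tbl[HPET_FLAGS_OFF] & ACPI_HPET_PAGE_PROTECT_MASK;
    /* Protected page: hide it. No guarantee: the thread's r/o fallback. */
    return (prot == ACPI_HPET_PAGE_PROTECT4 || prot == ACPI_HPET_PAGE_PROTECT64)
           ? HPET_DENY : HPET_MAP_RO;
}

/* Build a constructed (not captured) HPET table carrying the given flags. */
void make_hpet(uint8_t *tbl, uint8_t flags)
{
    uint8_t sum = 0;
    memset(tbl, 0, HPET_TABLE_LEN);
    memcpy(tbl, "HPET", 4);
    tbl[4] = HPET_TABLE_LEN;        /* little-endian length field */
    tbl[HPET_FLAGS_OFF] = flags;
    for (size_t i = 0; i < HPET_TABLE_LEN; i++)
        sum += tbl[i];
    tbl[9] = (uint8_t)(0u - sum);   /* checksum byte of the ACPI header */
}

int main(void)
{
    uint8_t t[HPET_TABLE_LEN];
    make_hpet(t, 0);                /* flags of 0, the case the thread discusses */
    return hpet_dom0_policy(t, sizeof(t)) == HPET_MAP_RO ? 0 : 1;
}
```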
