Hi Stefano,
On 20/12/2016 22:33, Stefano Stabellini wrote:
On Tue, 20 Dec 2016, Christoffer Dall wrote:
On Mon, Dec 19, 2016 at 12:24:18PM -0800, Stefano Stabellini wrote:
On Mon, 19 Dec 2016, Christoffer Dall wrote:
On Fri, Dec 16, 2016 at 05:03:13PM +0000, Julien Grall wrote:
hvm_param is very easy to use, but the guest has access to it too. If we
used hvm_param, we would need to make sure that the guest is not able to
cause any damage.
On the other hand, if we introduced a new hypercall, then we wouldn't
have to worry about the guest. But it would be another new hypercall.
Another option we would be to introduce a set of hvm_params which are
not guest-readable. Today all hvm_params are XSM_TARGET, so both "self"
and Dom0 (and stubdoms) can issue hvm_params. We could restrict a few of
them to XSM_DM_PRIV, which only allow Dom0 (and stubdoms) to issue them.
It would be as simple as changing the xsm check for a subset of them.
Obviously we would clearly document which are which.
Thoughts?
That would work. FWIW, x86 is already restricting the access to some HVM
parameter (see hvm_allow_set_param).
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
