Hi Julien,

Thanks for taking a look.

On 2025-07-21 13:58, Julien Grall wrote:
Hi Jason,

On 16/07/2025 22:14, Jason Andryuk wrote:
Add a new create domain flag to indicate if a domain can be the target
of hypercalls.  By default all domains can be targeted - subject to any
other permission checks.

This property is useful in a safety environment to isolate domains for
freedom from interference.

I see the flag is exposed to the toolstack. However, I don't see how you can successfully create a VM if you are not allowed to call hypercalls (for instance to add some memory).

Yes, you are right. With dom0less/Hyperlaunch, I'd not been considering the toolstack.

I think, at minimum, you would want to allow hypercalls while the domain is created. That said, I wonder if this setup would not be better to describe with XSM?

Re-labeling with Flask would allow different permissions between building and running. domain_unpause would need to be allowed, but that doesn't stop a domain.

At first glance, like you say, the untargetable property could be enabled when domain creation finishes.


[...]

diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
index 88a294c5be..f1f6f96bc2 100644
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -70,9 +70,11 @@ struct xen_domctl_createdomain {
  #define XEN_DOMCTL_CDF_trap_unmapped_accesses  (1U << 8)
  /* Allow domain to provide device model for multiple other domains */
  #define XEN_DOMCTL_CDF_device_model   (1U << 9)
+/* Domain cannot be the target of hypercalls */
+#define XEN_DOMCTL_CDF_not_hypercall_target   (1U << 10)
  /* Max XEN_DOMCTL_CDF_* constant.  Used for ABI checking. */
-#define XEN_DOMCTL_CDF_MAX XEN_DOMCTL_CDF_device_model
+#define XEN_DOMCTL_CDF_MAX XEN_DOMCTL_CDF_not_hypercall_target
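Review bot: the comment on XEN_DOMCTL_CDF_not_hypercall_target leaves open when the restriction takes effect, and the discussion above shows this matters: a toolstack-built domain must still accept domctls (memory population, unpause) until creation finishes, so a flag that applies from the moment the domain exists can only work for dom0less/Hyperlaunch domains. Either state that scope in the comment, or, if the intent is to enforce it only once the domain is fully built, say so, e.g. `/* Domain cannot be the target of hypercalls once creation completes */`. Bumping XEN_DOMCTL_CDF_MAX to the new flag is correct and keeps the ABI check in step.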

I am not sure where to comment. But aren't both flags mutually exclusive?

No, XEN_DOMCTL_CDF_device_model is *this* domain providing the device model to other domains:

+ * Device model capability allows the use of the dm_op hypercalls to provide
+ * the device model emulation (run QEMU) for other domains.  This is a
+ * subset of the Control capability which can be granted to the
+ * Hardware domain for running QEMU.

Whereas XEN_DOMCTL_CDF_not_hypercall_target removes targeting on *this* domain. So the domain with XEN_DOMCTL_CDF_device_model cannot target the XEN_DOMCTL_CDF_not_hypercall_target domain.

Regards,
Jason
