On 30.07.2025 23:30, Jason Andryuk wrote:
> On 2025-07-30 11:06, Jan Beulich wrote:
>> On 16.07.2025 23:14, Jason Andryuk wrote:
>>> Add a new create domain flag to indicate if a domain can be the target
>>> of hypercalls.  By default all domains can be targeted - subject to any
>>> other permission checks.
>>
>> I think terminology needs clarifying here: What exactly does "targeted"
>> mean? Is that e.g. also intended to cover
>> XENMEM_{current,maximum}_reservation, which "target" a particular domain,
>> when at the same time they don't interfere with the targeted domain in
>> any way?
> 
> Avoiding interference is the primary goal.  Those hypercalls definitely 
> need to be blocked.  xsm_default_action() has limited information 
> available, so we can't differentiate particular hypercalls.  Blocking 
> extra non-interfering hypercalls is not a problem for us.

Except that later patches then "punch holes" into the fence pulled up here.
And over time we may learn that more holes are needed, or at least wanted.

>>> --- a/xen/include/xsm/dummy.h
>>> +++ b/xen/include/xsm/dummy.h
>>> @@ -91,12 +91,16 @@ static always_inline int xsm_default_action(
>>>               return 0;
>>>           fallthrough;
>>>       case XSM_DM_PRIV:
>>> +        if ( target && !is_hypercall_target(target) )
>>> +            return -EPERM;
>>>           if ( is_dm_domain(src) )
>>>               return 0;
>>>           if ( target && evaluate_nospec(src->target == target) )
>>>               return 0;
>>>           fallthrough;
>>>       case XSM_PRIV:
>>> +        if ( target && !is_hypercall_target(target) )
>>> +            return -EPERM;
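Review bot: the `if ( target && !is_hypercall_target(target) ) return -EPERM;` test is duplicated in the XSM_DM_PRIV and XSM_PRIV arms, and because XSM_DM_PRIV falls through, a request that fails both `is_dm_domain(src)` and the `src->target == target` comparison re-evaluates the very same check in XSM_PRIV, where it can no longer change the outcome (the first pass already returned -EPERM for a non-target domain). Consider hoisting the check into one shared location ahead of both arms, or splitting XSM_DM_PRIV so it no longer falls through, so the rule is stated once and any later exemption only has to be applied in one place. Note also that in the XSM_DM_PRIV arm the new check precedes `is_dm_domain(src)`, so a device-model domain is refused access to its own target whenever that target is not a hypercall target; if that is intended, a short comment at the check would spare the next reader having to rederive it.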
>>
>> Hmm, for TARGET, XS_PRIV, and DM_PRIV we're now doing the same check
>> twice.
> 
> The different cases need to be covered somehow.  I didn't see a good way 
> to avoid the duplication.

Maybe this is the point where the fall-through wants (needs?) doing away with.

Jan
