On 27/07/17 11:36, Andrii Anisov wrote:
Dear Julien,
On 27.07.17 12:55, Julien Grall wrote:
It really depends on the security impact here. If the reserved memory
is shared with other device, what would be the impact of a domain
using the wrong memory attribute?
I'm sorry, I did not get the point.
Could you please provide an example of a security impact?
Let's rephrase it differently. Is the reserved memory always RAM or
could it be other things?
Furthermore, using the weakest one would imply cache maintenance when
the region is assigned/deassigned to/from a domain to prevent leaking
data.
Could you please provide an example scenario for data leakage?
Well, if your region is cacheable it might be possible to have some data
left in the cache after the domain destruction.
If you start a domain afterwards, it may be able to read data that
belonged to the previous domain. Hence data leak.
All region of page allocated by the memory allocator in Xen will be
clean and invalidate to prevent such leak. This will not be the case for
reserved memory as this will not be managed by the memory allocator.
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
