>>> On 03.06.15 at 18:50, <george.dun...@eu.citrix.com> wrote:
> On 06/03/2015 05:36 PM, Don Slutz wrote:
>> On 06/03/15 11:58, Andrew Cooper wrote:
>>> On 03/06/15 16:26, George Dunlap wrote:
>>>> On 05/22/2015 04:50 PM, Don Slutz wrote:
>>>>> Summary is that VMware treats "in (%dx),%eax" (or "out %eax,(%dx)")
>>>>> to port 0x5658 specially.  Note: since many operations return data
>>>>> in EAX, "in (%dx),%eax" is the one to use.  The other lengths like
>>>>> "in (%dx),%al" will still do things, only AL part of EAX will be
>>>>> changed.  For "out %eax,(%dx)" of all lengths, EAX will remain
>>>>> unchanged.
>>>>>
>>>>> This instruction is allowed to be used from ring 3.  To
>>>>> support this the vmexit for GP needs to be enabled.  I have not
>>>>> fully tested that nested HVM is doing the right thing for this.
>>>>>
>>>>> Enable no-fault of pio in x86_emulate for VMware port
>>>>>
>>>>> Also adjust the emulation registers after doing a VMware
>>>>> backdoor operation.
>>>>>
>>>>> Add new routine hvm_emulate_one_gp() to be used by the #GP fault
>>>>> handler.
>>>>>
>>>>> Some of the best info is at:
>>>>>
>>>>> https://sites.google.com/site/chitchatvmback/backdoor 
>>>>>
>>>>> Signed-off-by: Don Slutz <dsl...@verizon.com>
>>>> So let me get this straight.
>>>>
>>>> VMWare allows ring3 to access the magic port regardless of whether the
>>>> guest OS has enabled access to that IO port or not.
>>>>
>>>> In order to emulate this, we need to:
>>>> * Trap to Xen on #GPs rather than just letting the hardware handle it
>>>> * Emulate all instructions which cause a #GP, just to see if they might
>>>> be an IO instruction accessing the magic port.
>>>> * If it is an IO instruction, and it's accessing the magic port, then we
>>>> skip the ioport access checks (which will cause the instruction to
>>>> execute as though it had been given access).
>>>> * Under all other circumstances (we hope) the emulator in Xen will do
>>>> exactly what the hardware just did, and deliver a #GP to the guest.
>>>>
>>>> In an attempt to make this more safe, emulation ops that write (such as
>>>> write and cmpxchg) are replaced with stubs which always return an error.
>>>>
>>>> Is that about right?
>> 
>> Yes, however it is missing that Jan Beulich wanted the emulator in Xen
>> to be used.  I had started with code that did not use the emulator.
> 
> I agree with him that the emulator should be used to emulate the
> instructions we *want* to emulate.  I'm just not happy with using the
> emulator to emulate all the instructions we *don't* want to emulate
> (i.e., all the ones that really do need to #GP).

And hence the suggestion to stub out hooks that shouldn't get
involved. Of course us running into the problem of wanting to limit
what gets emulated now the second or third time perhaps we
should rather consider an extension to the emulator interface that
callers can use to control what kinds of operations it wants
emulated (with anything else causing failure) - in the case here,
I/O instructions.

>>>> That sounds completely insane.  It opens up an almost infinite surface
>>>> of attack onto the Xen emulator.
>>>>
>>>> I understand that having the "VMWare compatible" is a nice tick-box to
>>>> have, but seriously, I cannot imagine that having unprivileged
>>>> user-space tools know the real clock frequency without having to involve
>>>> the OS is anywhere close to worth the risk involved.
>> 
>> Not sure how you moved from attack surface to "real clock frequency"
>> (which I am not sure which of the many "clock frequency" you are
>> referring to.  The only new one that leaps to mind is the emulated lapic
>> bus frequency (which Linux attempts to determine from other clocks).
> 
> I'm talking about cost-benefits analysis.  What's the benefit of
> accepting this patch, and is it worth the cost?

The basic idea of allowing guests originally having got installed on
VMware to continue their lives on Xen is certainly something worth
accepting some cost. It's really hard to judge whether in the case
here things go too far (and that would equally apply to the hand
crafted instruction decoding done in earlier versions of this series).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Reply via email to