Jiang Wang
2009-May-06 02:10 UTC
[Xen-devel] How to check a physical address belonging to a PV guest or not?
Hi:

I am working on a research project to protect against malicious device drivers without using IOMMU. Currently, a driver domain is trusted. A compromised driver can potentially use DMA to access physical addresses that belong to other domains and steal some information. IOMMU can prevent this. But I think software protection is also feasible.

For example, on x86-32 architecture, the dom0 or domU is running at ring 1. Accesses to the IO ports are trapped and then checked against IO or memory permission. I want to add an extra check, which not only checks whether a domain is allowed to access the port (or memory) but also checks the actual parameter for the IO access. The hypervisor should somehow know which IO port is for DMA access. It can then check the physical access for the DMA. If the physical address does not belong to the calling PV guest, permission is denied.

I have two questions:

1) What is a good way to notify the hypervisor that an IO port (or memory) is for DMA? Maybe use some booting options? Or configuration files for domU? Are there any configuration files for dom0? Any examples?

2) How to check whether a physical address belongs to a guest or not? I guess when the device driver in a PV tries to write an IO port, it is using a machine address, right? After the hypervisor gets that address, how to find out whether it is legal or not? Use some function to get the mfn for that address and search for it in the dom's machine frame table?

Any suggestions or comments? Thanks.

Regards,
Jiang
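A self-contained C model of the check asked about above, added here as an illustration; it is not Xen code and not part of the original post. The port numbers, the frame ownership table and the function names are hypothetical, and the model assumes a device that is programmed through separate address, length and start registers.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define NR_FRAMES  8u        /* constructed toy machine: 8 frames of 4 KiB */
#define DOM_NONE   0xFFFFu   /* frame owned by no guest (e.g. the hypervisor) */

/* Hypothetical device registers the hypervisor was told carry DMA parameters. */
enum { PORT_DMA_ADDR = 0xC000, PORT_DMA_LEN = 0xC004, PORT_DMA_START = 0xC008 };

/* Constructed ownership table: owning domain id per machine frame number. */
static const uint16_t frame_owner[NR_FRAMES] =
    { DOM_NONE, 0, 0, 1, 1, 2, 1, DOM_NONE };

/* Shadow copy of the DMA parameters the guest has programmed so far. */
struct dma_shadow { uint32_t addr, len; };

/* True only if every frame touched by [maddr, maddr+len) belongs to domid. */
bool dma_range_owned_by(uint16_t domid, uint64_t maddr, uint64_t len)
{
    if (len == 0 || maddr + len < maddr)       /* empty or wrapping range */
        return false;
    uint64_t first = maddr >> PAGE_SHIFT;
    uint64_t last  = (maddr + len - 1) >> PAGE_SHIFT;
    if (last >= NR_FRAMES)                     /* beyond tracked memory */
        return false;
    for (uint64_t mfn = first; mfn <= last; mfn++)
        if (frame_owner[mfn] != domid)         /* one foreign frame is enough */
            return false;
    return true;
}

/* Handle a trapped 32-bit port write; returns 0 to forward it, -1 to deny. */
int trapped_outl(uint16_t domid, struct dma_shadow *s, uint16_t port, uint32_t val)
{
    switch (port) {
    case PORT_DMA_ADDR:  s->addr = val; return 0;  /* record, check at start */
    case PORT_DMA_LEN:   s->len  = val; return 0;
    case PORT_DMA_START:                           /* both values now known */
        return dma_range_owned_by(domid, s->addr, s->len) ? 0 : -1;
    default:
        return 0;  /* non-DMA port: only the existing permission check applies */
    }
}
```

The model validates at the start write because the address and the length arrive in separate port writes, and it checks the whole range because a buffer that begins in the caller's frame can still end in a frame owned by another domain.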