Xen devel - Jun 2007 - Hypercall privilege check

Hello,

I''m wondering where Xen actually checks whether a hypercall is made
from ring 1 or ring 3. Could anyone point me out to the code? Any
pointer would be much appreciated. Thanks!

- Steve

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> I''m wondering where Xen actually checks whether a hypercall is
made
> from ring 1 or ring 3. Could anyone point me out to the code? Any
> pointer would be much appreciated. Thanks!
Hypercalls are made from ring 1.  The userspace tools do make hypercalls 
sometimes, but they do it by calling a special kernel driver, which then does 
the actual hypercall.  *actually* what that does is to jump into the 
hypercall transfer page at the right location.  This page contains the actual 
implementation of the hypercall (using this indirection allows future 
versions of Xen to supply different implementations of the calls, if 
appropriate).

Take a look at:
drivers/xen/privcmd/privcmd.c  in the XenLinux tree.  This is used by the dom0 
tools to do control plane operations.

Also, take a look at: include/asm-i386/mach-xen/asm/hypercall.h which contains 
implementations of some other hypercalls.

HTH,
Cheers,
mark

-- 
Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Thanks for the quick answer!

But I guess my question was not clear enough, because I was actually
asking about Xen and how it enforces hypercalls to be made only from
ring 1. I just assumed that Xen checks if int 0x82 is executed with
the right privilege. But when I tried to find where Xen actually does
it, I couldn''t find it. I hope my question is more clear this time :)

- Steve

On 6/28/07, Mark Williamson <mark.williamson@cl.cam.ac.uk>
wrote:
> > I''m wondering where Xen actually checks whether a hypercall
is made
> > from ring 1 or ring 3. Could anyone point me out to the code? Any
> > pointer would be much appreciated. Thanks!
>
> Hypercalls are made from ring 1.  The userspace tools do make hypercalls
> sometimes, but they do it by calling a special kernel driver, which then
does
> the actual hypercall.  *actually* what that does is to jump into the
> hypercall transfer page at the right location.  This page contains the
actual
> implementation of the hypercall (using this indirection allows future
> versions of Xen to supply different implementations of the calls, if
> appropriate).
>
> Take a look at:
> drivers/xen/privcmd/privcmd.c  in the XenLinux tree.  This is used by the
dom0
> tools to do control plane operations.
>
> Also, take a look at: include/asm-i386/mach-xen/asm/hypercall.h which
contains
> implementations of some other hypercalls.
>
> HTH,
> Cheers,
> mark
>
> --
> Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
> Mark: To answer a question with a question: What use is a skateboard?
> Dave: Skateboards have wheels.
> Mark: My wheel has a wheel!
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> Thanks for the quick answer!
np. ;-)
> But I guess my question was not clear enough, because I was actually
> asking about Xen and how it enforces hypercalls to be made only from
> ring 1. I just assumed that Xen checks if int 0x82 is executed with
> the right privilege. But when I tried to find where Xen actually does
> it, I couldn''t find it. I hope my question is more clear this time
:)
Ah, I see what you mean.

I think the hardware actually enforces this...  lemme see...

Yes, here we are: in xen/arch/x86/x86_32/traps.c::244 we have a:

    /* The hypercall entry vector is only accessible from ring 1. */
    _set_gate(idt_table+HYPERCALL_VECTOR, 14, 1, &hypercall);

So int 0x82 is only permitted to be executed from ring 1.  And the x86 
interrupt gate things enforce it in hardware, I assume.  x86 scares me, and 
so I''m being a bit vague here!

I imagine you''d get a GPF if you tried to hypercall from userspace, but
I''m
not so familiar with lowlevel x86 goop (at least, not when my manual''s
in
another building!) so I can''t be certain.

Trivia: As a result of hypercalls being only allowed from ring 1, the Minix 
port (for Xen 2.0, I think) which uses ring 1, 2 and 3 has portions of the 
kernel in ring 2 calling portions in ring 1 to actually perform hypercalls.

Cheers,
Mark
> - Steve
>
> On 6/28/07, Mark Williamson <mark.williamson@cl.cam.ac.uk> wrote:
> > > I''m wondering where Xen actually checks whether a
hypercall is made
> > > from ring 1 or ring 3. Could anyone point me out to the code? Any
> > > pointer would be much appreciated. Thanks!
> >
> > Hypercalls are made from ring 1.  The userspace tools do make
hypercalls
> > sometimes, but they do it by calling a special kernel driver, which
then
> > does the actual hypercall.  *actually* what that does is to jump into
the
> > hypercall transfer page at the right location.  This page contains the
> > actual implementation of the hypercall (using this indirection allows
> > future versions of Xen to supply different implementations of the
calls,
> > if appropriate).
> >
> > Take a look at:
> > drivers/xen/privcmd/privcmd.c  in the XenLinux tree.  This is used by
the
> > dom0 tools to do control plane operations.
> >
> > Also, take a look at: include/asm-i386/mach-xen/asm/hypercall.h which
> > contains implementations of some other hypercalls.
> >
> > HTH,
> > Cheers,
> > mark
> >
> > --
> > Dave: Just a question. What use is a unicyle with no seat?  And no
> > pedals! Mark: To answer a question with a question: What use is a
> > skateboard? Dave: Skateboards have wheels.
> > Mark: My wheel has a wheel!
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel


-- 
Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> > But I guess my question was not clear enough, because I was actually
> > asking about Xen and how it enforces hypercalls to be made only from
> > ring 1. I just assumed that Xen checks if int 0x82 is executed with
> > the right privilege. But when I tried to find where Xen actually does
> > it, I couldn''t find it. I hope my question is more clear this
time :)
>
> Ah, I see what you mean.
>
> I think the hardware actually enforces this...  lemme see...
>
> Yes, here we are: in xen/arch/x86/x86_32/traps.c::244 we have a:
>
>     /* The hypercall entry vector is only accessible from ring 1. */
>     _set_gate(idt_table+HYPERCALL_VECTOR, 14, 1, &hypercall);
>
> So int 0x82 is only permitted to be executed from ring 1.  And the x86
> interrupt gate things enforce it in hardware, I assume.  x86 scares me, and
> so I''m being a bit vague here!
Great! Exactly what I was looking for. Thanks.
> I imagine you''d get a GPF if you tried to hypercall from
userspace, but I''m
> not so familiar with lowlevel x86 goop (at least, not when my
manual''s in
> another building!) so I can''t be certain.
>
> Trivia: As a result of hypercalls being only allowed from ring 1, the Minix
> port (for Xen 2.0, I think) which uses ring 1, 2 and 3 has portions of the
> kernel in ring 2 calling portions in ring 1 to actually perform hypercalls.
This is interesting. I think I should look at Minix port. Thanks a lot.

- Steve
>
> Cheers,
> Mark
>
> > - Steve
> >
> > On 6/28/07, Mark Williamson <mark.williamson@cl.cam.ac.uk>
wrote:
> > > > I''m wondering where Xen actually checks whether a
hypercall is made
> > > > from ring 1 or ring 3. Could anyone point me out to the
code? Any
> > > > pointer would be much appreciated. Thanks!
> > >
> > > Hypercalls are made from ring 1.  The userspace tools do make
hypercalls
> > > sometimes, but they do it by calling a special kernel driver,
which then
> > > does the actual hypercall.  *actually* what that does is to jump
into the
> > > hypercall transfer page at the right location.  This page
contains the
> > > actual implementation of the hypercall (using this indirection
allows
> > > future versions of Xen to supply different implementations of the
calls,
> > > if appropriate).
> > >
> > > Take a look at:
> > > drivers/xen/privcmd/privcmd.c  in the XenLinux tree.  This is
used by the
> > > dom0 tools to do control plane operations.
> > >
> > > Also, take a look at: include/asm-i386/mach-xen/asm/hypercall.h
which
> > > contains implementations of some other hypercalls.
> > >
> > > HTH,
> > > Cheers,
> > > mark
> > >
> > > --
> > > Dave: Just a question. What use is a unicyle with no seat?  And
no
> > > pedals! Mark: To answer a question with a question: What use is a
> > > skateboard? Dave: Skateboards have wheels.
> > > Mark: My wheel has a wheel!
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
>
>
>
> --
> Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
> Mark: To answer a question with a question: What use is a skateboard?
> Dave: Skateboards have wheels.
> Mark: My wheel has a wheel!
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

>
> Great! Exactly what I was looking for. Thanks.
Cool.
> > I imagine you''d get a GPF if you tried to hypercall from
userspace, but
> > I''m not so familiar with lowlevel x86 goop (at least, not
when my
> > manual''s in another building!) so I can''t be
certain.
> >
> > Trivia: As a result of hypercalls being only allowed from ring 1, the
> > Minix port (for Xen 2.0, I think) which uses ring 1, 2 and 3 has
portions
> > of the kernel in ring 2 calling portions in ring 1 to actually perform
> > hypercalls.
>
> This is interesting. I think I should look at Minix port. Thanks a lot.
Are you doing an OS port by any chance?

The Minix port was done by a Masters student in Ireland.  I think he started 
on Xen 2.0 and I''m not sure he ever moved it over to Xen 3.0 after
writing up
his dissertation.

Code is probably about ... somewhere.  Google knows, I expect ;-)

Cheers,
Mark
> - Steve
>
> > Cheers,
> > Mark
> >
> > > - Steve
> > >
> > > On 6/28/07, Mark Williamson <mark.williamson@cl.cam.ac.uk>
wrote:
> > > > > I''m wondering where Xen actually checks
whether a hypercall is made
> > > > > from ring 1 or ring 3. Could anyone point me out to the
code? Any
> > > > > pointer would be much appreciated. Thanks!
> > > >
> > > > Hypercalls are made from ring 1.  The userspace tools do
make
> > > > hypercalls sometimes, but they do it by calling a special
kernel
> > > > driver, which then does the actual hypercall.  *actually*
what that
> > > > does is to jump into the hypercall transfer page at the
right
> > > > location.  This page contains the actual implementation of
the
> > > > hypercall (using this indirection allows future versions of
Xen to
> > > > supply different implementations of the calls, if
appropriate).
> > > >
> > > > Take a look at:
> > > > drivers/xen/privcmd/privcmd.c  in the XenLinux tree.  This
is used by
> > > > the dom0 tools to do control plane operations.
> > > >
> > > > Also, take a look at:
include/asm-i386/mach-xen/asm/hypercall.h which
> > > > contains implementations of some other hypercalls.
> > > >
> > > > HTH,
> > > > Cheers,
> > > > mark
> > > >
> > > > --
> > > > Dave: Just a question. What use is a unicyle with no seat? 
And no
> > > > pedals! Mark: To answer a question with a question: What use
is a
> > > > skateboard? Dave: Skateboards have wheels.
> > > > Mark: My wheel has a wheel!
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xensource.com
> > > http://lists.xensource.com/xen-devel
> >
> > --
> > Dave: Just a question. What use is a unicyle with no seat?  And no
> > pedals! Mark: To answer a question with a question: What use is a
> > skateboard? Dave: Skateboards have wheels.
> > Mark: My wheel has a wheel!


-- 
Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> Are you doing an OS port by any chance?
No I''m just trying to mess around with privilege levels :)
> The Minix port was done by a Masters student in Ireland.  I think he
started
> on Xen 2.0 and I''m not sure he ever moved it over to Xen 3.0 after
writing up
> his dissertation.
>
> Code is probably about ... somewhere.  Google knows, I expect ;-)
Thanks for your help. I appreciate it.

- Steve
>
> Cheers,
> Mark
>
> > - Steve
> >
> > > Cheers,
> > > Mark
> > >
> > > > - Steve
> > > >
> > > > On 6/28/07, Mark Williamson
<mark.williamson@cl.cam.ac.uk> wrote:
> > > > > > I''m wondering where Xen actually checks
whether a hypercall is made
> > > > > > from ring 1 or ring 3. Could anyone point me out
to the code? Any
> > > > > > pointer would be much appreciated. Thanks!
> > > > >
> > > > > Hypercalls are made from ring 1.  The userspace tools
do make
> > > > > hypercalls sometimes, but they do it by calling a
special kernel
> > > > > driver, which then does the actual hypercall. 
*actually* what that
> > > > > does is to jump into the hypercall transfer page at the
right
> > > > > location.  This page contains the actual implementation
of the
> > > > > hypercall (using this indirection allows future
versions of Xen to
> > > > > supply different implementations of the calls, if
appropriate).
> > > > >
> > > > > Take a look at:
> > > > > drivers/xen/privcmd/privcmd.c  in the XenLinux tree. 
This is used by
> > > > > the dom0 tools to do control plane operations.
> > > > >
> > > > > Also, take a look at:
include/asm-i386/mach-xen/asm/hypercall.h which
> > > > > contains implementations of some other hypercalls.
> > > > >
> > > > > HTH,
> > > > > Cheers,
> > > > > mark
> > > > >
> > > > > --
> > > > > Dave: Just a question. What use is a unicyle with no
seat?  And no
> > > > > pedals! Mark: To answer a question with a question:
What use is a
> > > > > skateboard? Dave: Skateboards have wheels.
> > > > > Mark: My wheel has a wheel!
> > > >
> > > > _______________________________________________
> > > > Xen-devel mailing list
> > > > Xen-devel@lists.xensource.com
> > > > http://lists.xensource.com/xen-devel
> > >
> > > --
> > > Dave: Just a question. What use is a unicyle with no seat?  And
no
> > > pedals! Mark: To answer a question with a question: What use is a
> > > skateboard? Dave: Skateboards have wheels.
> > > Mark: My wheel has a wheel!
>
>
>
> --
> Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
> Mark: To answer a question with a question: What use is a skateboard?
> Dave: Skateboards have wheels.
> Mark: My wheel has a wheel!
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel