x86: Add MSR whitelisting to to-do list

We currently allow access to almost all MSRs (except for APIC-related
ones). This has to be changed into a whitelist approach to avoid that
the cell manipulates a CPU state in a way we didn't validate as safe.

CC: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

diff --git a/TODO.md b/TODO.md
index 9c8754d95e57eb5bb93ab657a57e4ac800c8d8cb..4d937b30b07af679ebe0f1873a502cfd20651d88 100644 (file)
--- a/TODO.md
+++ b/TODO.md
@@ -6,6 +6,7 @@ x86 support
     - block
     - allow per cell (managing inter-core/inter-cell impacts)
   - NMI control/status port - moderation or emulation required?
+  - whitelist-based MSR access
 
 ARM support
   - v7 (32-bit) [WIP]

diff --git a/hypervisor/arch/x86/svm.c b/hypervisor/arch/x86/svm.c
index 6be1badbfaa5f346727c4b25f975b662af810632..13d9f67c7f387e84011cbdf5c6b681ded50cd833 100644 (file)
--- a/hypervisor/arch/x86/svm.c
+++ b/hypervisor/arch/x86/svm.c
@@ -49,6 +49,8 @@ static const struct segment invalid_seg;
 
 static struct paging npt_paging[NPT_PAGE_DIR_LEVELS];
 
+/* bit cleared: direct access allowed */
+// TODO: convert to whitelist
 static u8 __attribute__((aligned(PAGE_SIZE))) msrpm[][0x2000/4] = {
        [ SVM_MSRPM_0000 ] = {
                [      0/4 ...  0x017/4 ] = 0,

diff --git a/hypervisor/arch/x86/vmx.c b/hypervisor/arch/x86/vmx.c
index 30ffdd5e80ba88cddace740187b11ebe7b18057b..48054533ebc986e86c3d91317a0582d69b88d359 100644 (file)
--- a/hypervisor/arch/x86/vmx.c
+++ b/hypervisor/arch/x86/vmx.c
@@ -33,6 +33,7 @@ static const struct segment invalid_seg = {
 };
 
 /* bit cleared: direct access allowed */
+// TODO: convert to whitelist
 static u8 __attribute__((aligned(PAGE_SIZE))) msr_bitmap[][0x2000/8] = {
        [ VMX_MSR_BMP_0000_READ ] = {
                [      0/8 ...  0x7ff/8 ] = 0,