dgit.raspbian.org Git - xen.git/commit

author	Julien Grall <julien.grall@arm.com>
	Mon, 29 Apr 2019 14:05:25 +0000 (15:05 +0100)
committer	Julien Grall <julien.grall@arm.com>
	Fri, 14 Jun 2019 13:27:32 +0000 (14:27 +0100)
commit	cb8e0d28e8df97adc4ba2721f75824acdd3702b7
tree	9f23f4f95eeb36e6421146aedb8d0ea21be45209	tree \| snapshot
parent	86b0bc958373217b986ca3fc8c46597577e83049	commit \| diff

xen/arm: Turn on SILO mode by default on Arm

On Arm, exclusive load-store atomics should only be used between trusted
thread. As not all the guests are trusted, it may be possible to DoS Xen
when updating shared memory with guest atomically.

Recent patches introduced new helpers to update shared memory with guest
atomically. Those helpers relies on a memory region to be be shared with
Xen and a single guest.

At the moment, nothing prevent a guest sharing a page with Xen and as
well with another guest (e.g via grant table).

For the scope of the XSA, the quickest way is to deny communications
between unprivileged guest. So this patch is enabling and using SILO
mode by default on Arm.

Users wanted finer graine policy could wrote their own Flask policy.

This is part of XSA-295.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/arch/arm/setup.c		diff \| blob \| history
xen/common/Kconfig		diff \| blob \| history
xen/include/xsm/xsm.h		diff \| blob \| history
xen/xsm/xsm_core.c		diff \| blob \| history