xenbits.xensource.com Git - xen.git/commit

author	Julien Grall <julien.grall@arm.com>
	Mon, 29 Apr 2019 14:05:25 +0000 (15:05 +0100)
committer	Julien Grall <julien.grall@arm.com>
	Fri, 14 Jun 2019 13:49:19 +0000 (14:49 +0100)
commit	8d63ec44c3be08007a79d6be81db670969cfec4d
tree	5de300157c377eb7fb4250fcd68a611f4693c133	tree
parent	1ff6b4daf4bb2e1aacb9593bf0d275672d970d1b	commit \| diff

xen/arm: Turn on SILO mode by default on Arm

On Arm, exclusive load-store atomics should only be used between trusted
thread. As not all the guests are trusted, it may be possible to DoS Xen
when updating shared memory with guest atomically.

Recent patches introduced new helpers to update shared memory with guest
atomically. Those helpers relies on a memory region to be be shared with
Xen and a single guest.

At the moment, nothing prevent a guest sharing a page with Xen and as
well with another guest (e.g via grant table).

For the scope of the XSA, the quickest way is to deny communications
between unprivileged guest. So this patch is enabling and using SILO
mode by default on Arm.

Users wanted finer graine policy could wrote their own Flask policy.

This is part of XSA-295.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/arch/arm/setup.c		diff \| blob \| blame \| history
xen/common/Kconfig		diff \| blob \| blame \| history
xen/include/xsm/xsm.h		diff \| blob \| blame \| history
xen/xsm/xsm_core.c		diff \| blob \| blame \| history