[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Domctl and physdevop for passthrough (Was: Re: Stabilising some tools only HVMOPs?)



>>> On 23.02.16 at 18:24, <JBeulich@xxxxxxxx> wrote:
>>>> On 23.02.16 at 18:09, <wei.liu2@xxxxxxxxxx> wrote:
>> On Tue, Feb 23, 2016 at 08:46:14AM -0700, Jan Beulich wrote:
>>> >>> On 23.02.16 at 15:31, <wei.liu2@xxxxxxxxxx> wrote:
>>> > On Mon, Feb 22, 2016 at 04:28:19AM -0700, Jan Beulich wrote:
>>> >> >>> On 19.02.16 at 17:05, <wei.liu2@xxxxxxxxxx> wrote:
>>> >> > On Wed, Feb 17, 2016 at 05:28:08PM +0000, Wei Liu wrote:
>>> >> >> Hi all
>>> >> >> 
>>> >> >> Tools people are in the process of splitting libxenctrl into a set of
>>> >> >> stable libraries. One of the proposed libraries is libxendevicemodel
>>> >> >> which has a collection of APIs that can be used by device model.
>>> >> >> 
>>> >> >> Currently we use QEMU as reference to extract symbols and go through
>>> >> >> them one by one. Along the way we discover QEMU is using some tools
>>> >> >> only HVMOPs.
>>> >> >> 
>>> >> >> The list of tools only HVMOPs used by QEMU are:
>>> >> >> 
>>> >> >>   #define HVMOP_track_dirty_vram    6
>>> >> >>   #define HVMOP_modified_memory    7
>>> >> >>   #define HVMOP_set_mem_type    8
>>> >> >>   #define HVMOP_inject_msi         16
>>> >> >>   #define HVMOP_create_ioreq_server 17
>>> >> >>   #define HVMOP_get_ioreq_server_info 18
>>> >> >>   #define HVMOP_map_io_range_to_ioreq_server 19
>>> >> >>   #define HVMOP_unmap_io_range_from_ioreq_server 20
>>> >> >>   #define HVMOP_destroy_ioreq_server 21
>>> >> >>   #define HVMOP_set_ioreq_server_state 22
>>> >> >> 
>>> >> > 
>>> >> > In the process of ploughing through QEMU symbols, there are some 
>>> >> > domctls
>>> >> > and physdevops used to do  passthrough. To make passthrough APIs in
>>> >> > libxendevicemodel we need to stabilise them as well. Can I use the same
>>> >> > trick __XEN_TOOLS_STABLE__ here? If not, what would be the preferred 
>>> >> > way
>>> >> > of doing this?
>>> >> > 
>>> >> > PASSTHRU
>>> >> > `xc_domain_bind_pt_pci_irq`     `XEN_DOMCTL_bind_pt_irq`    
>>> >> > `xc_domain_ioport_mapping`      `XEN_DOMCTL_ioport_mapping` 
>>> >> > `xc_domain_memory_mapping`      `XEN_DOMCTL_memory_mapping` 
>>> >> > `xc_domain_unbind_msi_irq`      `XEN_DOMCTL_unbind_pt_irq`  
>>> >> > `xc_domain_unbind_pt_irq`       `XEN_DOMCTL_unbind_pt_irq`  
>>> >> > `xc_domain_update_msi_irq`      `XEN_DOMCTL_bind_pt_irq`    
>>> >> > `xc_physdev_map_pirq`           `PHYSDEVOP_map_pirq`        
>>> >> > `xc_physdev_map_pirq_msi`       `PHYSDEVOP_map_pirq`        
>>> >> > `xc_physdev_unmap_pirq`         `PHYSDEVOP_unmap_pirq`      
>>> >> 
>>> >> Mechanically I would say yes, but anything here which is also on
>>> >> the XSA-77 waiver list would first need removing there (with
>>> >> proper auditing and, if necessary, fixing).
>>> >> 
>>> > 
>>> > I admit I failed to parse xsm-flask.txt and XSA-77 and its implication,
>>> > so let's take a concrete example instead.
>>> > 
>>> > Say, now I need to stabilise XEN_DOMCTL_pin_mem_cacheattr, which is on
>>> > the list of domctls listed in xsm-flask.txt (presumably that's the
>>> > waiver list you talked about).
>>> > 
>>> > You said "needs removing there", and xsm-flask.txt says "suops not
>>> > listed here are considered safe for disaggregation", so the implication
>>> > is that we need to make XEN_DOMCTL_pin_mem_cacheattr safe for
>>> > disaggregation in order to move it off the list. Is this correct?
>>> 
>>> Yes.
>>> 
>>> > And in order to make it safe for disaggregation, I need to add adequate
>>> > XSM checks for it. Is this correct?
>>> 
>>> Well, that depends on what accessibility scope you mean to give
>>> it: If domains other than the hardware and control domain are
>>> meant to be permitted to access this with the dummy policy, then
>> 
>> All the domctls and physdev ops are  going to used by device model. So
>> it is going to be either Dom0 or stub device model domain.
> 
> Right, but a stub domain needs to be treated as untrusted, so in
> a way it's even worse than tool stack disaggregation.
> 
>> I do notice the following paragraph in xsm-flask.txt:
>> 
>>   This policy does not apply to bugs which affect stub device models,
>>   driver domains, or stub xenstored - even if those bugs do no worse
>>   than reduce the security of such a system to one whose device models,
>>   backend drivers, or xenstore, run in dom0.
>> 
>> Not sure how it changes the perspective.
> 
> This tightens things (whereas I get the impression you view it as
> relaxing them), in that issues in these interfaces which can be
> exploited by any of the named entities would still be security
> issues.

And note how, using your example, xsm/dummy.h enforces XSM_PRIV
for XEN_DOMCTL_pin_mem_cacheattr.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.