[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XSM and the idle domain

To: Hongyan Xia <hx242@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, jbeulich@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, jandryuk@xxxxxxxxx, dgdegra@xxxxxxxxxxxxx
From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 21 Oct 2020 21:23:18 -0400
Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx> header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1603329831; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=stFXklIoiHG3PHIWlVEZraIR0nK8W927Dv5q75eD7oQ=; b=Me9++XvXTmYhNv+sKnYL9X2mgcCdQk66KcxE8snvxdmVaCPMQJlIw8onX7lEhPMbWwUN1Y/56EFhsa7v0aCIK7SM16BiXVA6ZQ8X7VNXr7nmSNmz5vPBxqG74eNbrP9HOVeX/sniHwuSf+VKhb1lA22A4mKoO0rjCg/zZ/bDRrI=
Arc-seal: i=1; a=rsa-sha256; t=1603329831; cv=none; d=zohomail.com; s=zohoarc; b=Gtp42vUhCZZYbSwUBHL+kPs0nVV+qubxqnOsbtv/VInei1/SP4N2YjV3d69YD3jTxwB/Ex8a50ItH4yiuyMjUI1G5NUs5VLmtyoRRuTUI64romQkcBTpy09SEkbIMRpsB0F4vEw0CzVo4+MpesOWb8FpWOwv1saZnD86wLNnPmo=
Delivery-date: Thu, 22 Oct 2020 01:24:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10/21/20 10:34 AM, Hongyan Xia wrote:

Hi,

A while ago there was a quick chat on IRC about how XSM interacts with
the idle domain. The conversation did not reach any clear conclusions
so it might be a good idea to summarise the questions in an email.

Basically there were two questions in that conversation:

1. In its current state, are security modules able to limit what the
idle domain can do?

Yes in the fact that the idle domain has a type and you can constrainwhat actions the type is allowed. Now in reality the idle domain isgiven the same type as the hypervisor itself thus must have the abilityto make certain actions.

2. Should security modules be able to restrict the idle domain?

IMHO I think this question should be reversed to ask whether the actionsthe idle domain is being used for is appropriate from a security pointof view. AIUI the idle domain is a mechanism for the scheduler to use asa place to schedule an idle vcpu. And yes I understand that some limitedwork is done there, e.g. memory scrubbing, but 1.) there is a differencebetween light/limited work that can be done within the confines of adomain and work requiring hypercalls, and 2.) this precedence may havebeen due to limitations vs being the necessarily correct approach.

The first question came up during ongoing work in LiveUpdate. After an
LU, the next Xen needs to restore all domains. To do that, some
hypercalls need to be issued from the idle domain context and
apparently XSM does not like it. We need to introduce hacks in the
dummy module to leave the idle domain alone. Our work is not compiled
with CONFIG_XSM at all, but with CONFIG_XSM, are we able to enforce
security policies against the idle domain? Of course, without any LU
work this does not make any difference because the idle domain does not
do any useful work to be restricted anyway.

Why do they "need to be issued from the idle domain"? As was suggestedby Jason, why isn't this done from a construction domain context? I willinterject here that with DomB that is what we will be doing and itsounds like LiveUpdate is very similar to the relaunch concept that DomBis being constructed to support.

Yes XSM did not like it because an analogy of what is being done is liketrying to do a system call from inside an OS kernel. Again AIUI the idledomain is not a real domain but an internal construct for the schedulerto manage idle vcpu and attempting to make hypercalls from it is in factattempting to turn into a full fledged domain.

From a security perspective, if hacks to the XSM hooks are necessary tomake something work then it is highly recommended to take a step backand ask why and whether you are doing something that is not safe from asecurity perspective.

Also, should idle domain be restricted? IMO the idle domain is Xen
itself which mostly bootstraps the system and performs limited work
when switched to, and is not something a user (either dom0 or domU)
directly interacts with. I doubt XSM was designed to include the idle
domain (although there is an ID allocated for it in the code), so I
would say just exclude idle in all security policy checks.

The idle domain is a limited, internal construct within the hypervisorand should be constrained as part of the hypervisor, which is why itsdomain id gets labeled with the same label as the hypervisor. For thisreason I would wholeheartedly disagree with exempting the idle domain idfrom XSM hooks as that would effectively be saying the core hypervisorshould not be constrained. The purpose of the XSM hooks is to controlthe flow of information in the system in a non-bypassable way. Codifyingbypasses completely subverts the security model behind XSM for which theflask security server is dependent upon.

I may have missed some points in that discussion, so please feel free
to add.

Hongyan


V/r,
DPS

Follow-Ups:
- Re: XSM and the idle domain
  - From: Jan Beulich

References:
- XSM and the idle domain
  - From: Hongyan Xia

Prev by Date: Re: [PATCH] xen/acpi: Don't fail if SPCR table is absent
Next by Date: [PATCH] xen/arm: Remove EXPERT dependancy
Previous by thread: Re: XSM and the idle domain
Next by thread: Re: XSM and the idle domain
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.