Xen project Mailing List

Re: XSM and the idle domain

From: Hongyan Xia <hx242@xxxxxxx>

Date: Thu, 22 Oct 2020 12:29:22 +0100

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Thu, 22 Oct 2020 11:29:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

(also replying to others in this thread.) On Wed, 2020-10-21 at 12:21 -0400, Jason Andryuk wrote: > On Wed, Oct 21, 2020 at 10:35 AM Hongyan Xia <hx242@xxxxxxx> wrote: > > > > Hi, > > ... > > > > The first question came up during ongoing work in LiveUpdate. After > > an > > LU, the next Xen needs to restore all domains. To do that, some > > hypercalls need to be issued from the idle domain context and > > apparently XSM does not like it. We need to introduce hacks in the > > dummy module to leave the idle domain alone. > > Is this modifying xsm_default_action() to add an is_idle_domain() > check which always succeeds? Yes. We had to do exactly that to avoid LU actions being denied by XSM. > > Our work is not compiled > > with CONFIG_XSM at all, but with CONFIG_XSM, are we able to enforce > > security policies against the idle domain? > > It's not clear to me if you want to use CONFIG_XSM, or just don't > want > to break it. We don't (and won't) enable XSM in our build, but still we need a hack to work around it, so I am just curious about what happens when people use both LU and XSM at the same time. > > Of course, without any LU > > work this does not make any difference because the idle domain does > > not > > do any useful work to be restricted anyway. > > I think this last sentence is the main point. It's always been > labeled xen_t, but since it doesn't go through any of the hook > points, > it hasn't needed any restrictions. Actually, reviewing the Flask > policy there is: > # Domain destruction can result in some access checks for actions > performed by > # the hypervisor. These should always be allowed. > allow xen_t resource_type : resource { remove_irq remove_ioport > remove_iomem }; > > > Also, should idle domain be restricted? IMO the idle domain is Xen > > itself which mostly bootstraps the system and performs limited work > > when switched to, and is not something a user (either dom0 or domU) > > directly interacts with. I doubt XSM was designed to include the > > idle > > domain (although there is an ID allocated for it in the code), so I > > would say just exclude idle in all security policy checks. > > I think it makes sense to label xen_t, even if it doesn't do > anything. > As you say, it is a distinct entity from dom0 and domU. Yes, it can > circumvent the policy, but it's not actively hurting anything. And > it > can be good to catch when it does start doing something, as you > found. > > Might it make sense to create a LU domain instead of using the idle > domain for Live Update? Another approach could be to run the > idle_domain as "dom0" during Live Update, and then transition to the > regular idle_domain when it completes? You are re-creating dom0, but > you could flip is_privileged on during live update and then remove it > once complete. Actually I think your suggestion and what Daniel suggested make sense. We could just have a domLU that does all the restore work which has its own security policies. That sounds like a clean solution to me. However, one top priority of LU is to minimise the down time so that domains won't feel a thing and every millisecond counts. I don't know how much overhead this adds (maybe negligible if we just let domLU sit in idle domain's page tables so switching and passing the LU save stream to it is painless), but is something we need to keep in mind. But this still sidesteps the question of whether the idle domain should be subject to security policies. From another reply it sounds like the idle domain should not be exempt from XSM. Although, to me restrictions on idle domain are more like a debugging feature than a security policy, since it prevents, e.g., accidentally issuing hypercalls from it, but if the idle domain really wants to do something then there is nothing to stop it. This is different from enforcing policies on a real domain which guarantees things won't happen and the domain simply has no mechanism to circumvent it (hopefully). My experience with XSM is only the idle domain hack for LU so what I said about it here may not make sense. Hongyan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.