Xen project Mailing List

Re: [RFC PATCH 01/10] headers: introduce new default privilege model

To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Fri, 18 Jun 2021 15:56:24 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R0IlHbQIb8QAuQiCHRkHuq1/u0D/+ApbhwMnMZj1PMg=; b=TSPqOrhu8x2ESt3WanAdbSA7fKnUyOmBF/NWgN52HOKRHT+p2rC15j71wTVA49jebf7+Ui6wg5nk7zxtVmomVOLjrCHU/jQlHr8vUeVnOoKwBnDh2oMNqPDamXkeIWT3YcFisEw0rDChRBxFdqqyZGgGfMlN8uMKPJyop81ha7wfTHnXJOoqUmce/YckbMoTMB6rHCO8JLwWpQGKRNZJLpAi9kENkZjs8dz2gtcmOCCTusQXbjRVR2HJGDUygZSh70bE0mTn1e9c3ENa3QlKEdZsuvgfZ81ZTouXZkp3ywRNmdCQ3TcyXEhb7kPUOXRGkPkbRMiGb0g1fctpu2JTVA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q5LYxYfsUOQIUOBpPn2p8l3xsi/N2x0Sp933Q1cApTDjkSfWW5xPMeIb2uL+IiLj1VJW1X/98Wd1TTkl7oLtN4VXXmim2gmPGy8ZTOkIQTrKEiolhRB4bFnLK3PLYK+UuXoA+AQZlD6fV4SXr+/8OvlAuVMT2rkZy4rdSKyVvq6skz97hze2LNWwQTJXEck0Qh7so5YR6xrjlOjEWj/8hUHx/HL76aUuP8CuEwpCEiDCN4S1Bj7rC5QSbhgFalQWMMXpZOFkyncd8Vg7/166AIMxUfC9a0Vz9pvbAhcAKL2C3ypIG5/xjEO7O1RBiBLEP2Knrd7y1ZLOfuAV8n6+ZA==

Authentication-results: starlab.io; dkim=none (message not signed) header.d=none;starlab.io; dmarc=none action=none header.from=suse.com;

Cc: sstabellini@xxxxxxxxxx, julien@xxxxxxx, Volodymyr_Babchuk@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, george.dunlap@xxxxxxxxxx, iwj@xxxxxxxxxxxxxx, wl@xxxxxxx, roger.pau@xxxxxxxxxx, tamas@xxxxxxxxxxxxx, tim@xxxxxxx, jgross@xxxxxxxx, aisaila@xxxxxxxxxxxxxxx, ppircalabu@xxxxxxxxxxxxxxx, dfaggioli@xxxxxxxx, paul@xxxxxxx, kevin.tian@xxxxxxxxx, dgdegra@xxxxxxxxxxxxx, adam.schwalm@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, scott.davis@xxxxxxxxxx

Delivery-date: Fri, 18 Jun 2021 13:56:43 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14.05.2021 22:54, Daniel P. Smith wrote: > --- a/xen/include/xen/sched.h > +++ b/xen/include/xen/sched.h > @@ -457,6 +457,24 @@ struct domain > */ > bool creation_finished; > > + /* When SILO or Flask are not in use, a domain may have one or more roles > + * that are desired for it to fulfill. To accomplish these role a set of > + * privilege is required. A break down of the basic privilege is mapped > + * to a bit field for assignment and verification. > + */ > +#define XSM_NONE (1U<<0) /* No role required to make the call */ > +#define XSM_SELF (1U<<1) /* Allowed to make the call on self */ > +#define XSM_TARGET (1U<<2) /* Allowed to make the call on a domain's > target */ > +#define XSM_PLAT_CTRL (1U<<3) /* Platform Control: domain that control the > overall platform */ > +#define XSM_DOM_BUILD (1U<<4) /* Domain Builder: domain that does domain > construction and destruction */ > +#define XSM_DOM_SUPER (1U<<5) /* Domain Supervisor: domain that control the > lifecycle, of all domains */ > +#define XSM_DEV_EMUL (1U<<6) /* Device Emulator: domain that provides its > target domain's device emulator */ > +#define XSM_DEV_BACK (1U<<7) /* Device Backend: domain that provides a > device backend */ > +#define XSM_HW_CTRL (1U<<8) /* Hardware Control: domain with physical > hardware access and its allocation for domain usage */ > +#define XSM_HW_SUPER (1U<<9) /* Hardware Supervisor: domain that control > allocated physical hardware */ > +#define XSM_XENSTORE (1U<<31) /* Xenstore: domain that can do privileged > operations on xenstore */ > + uint32_t xsm_roles; > + > /* Which guest this guest has privileges on */ > struct domain *target; Besides the request to correct various issues with style, I'm struggling with the differences between some of these, e.g. XSM_HW_CTRL ("allocation for domain usage") and XSM_HW_SUPER ("control allocated physical hardware"). In the latter case it's not even clear to me what "allocated physical hardware" is when comparing to just "physical hardware". IOW I think there's some context (reference to doc) or further commentary missing here. As a nit, I think in many cases you mean "controls". I also wonder on what basis you've chosen the place at which you're inserting the new struct member. I'd expect this to either live next to related fields, or be put in an available 32-bit padding slot. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.