Xen project Mailing List

Re: [PATCH v5 14/14] vpci: add TODO for the registers not explicitly handled

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 13 Jan 2022 14:27:50 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Hr/t8T37Q00mcnVjaTYmfTJGntljtj+YTbwrqPBDY+g=; b=QGZdDair/CJH9//E5O7BR6mzqpKq+aKN3k8bAKWgJIxrCnE1AG1c3Svwto8lmqFv34XjP+Ms/5ij/yg//2T/9N/1MFM+t2yAQmw46yUETfdWPSsSLaR1bXEs6rYzEsT8xK5355icnTGGLyVlBEY+Iy9pAQqAAao+0xBMzXdaeTrTrUt38OlxQ2SmEDaLVJl/LIiNCJCEtsDlljn2HPgUb6mkC8XxP570v45WtV8vy3LMO9bQP+zB4iKmJi0TV09R8oo/kXivCmbUPn9S1ZmZFCwFiz7Sxk+yhLLkr+J4fVumDEzLHlCPL7vkcS4GmlOi72q9sVrRptlBHhglD0lHuQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dcu8ta2Ja8OwCMzOwGQiBhL++JVgkcGmS9+fV9qPTzSzm5GwKbh/9xcg/g7d+GxnLpOuWcCyJ7wO98NuaYF+cJH5CIZQcJvIOis4ilyS4AM1yoTovbV5oY4kL8MsQVIQUIOu16LwH4FPV7x1Qjne1NwzCZdzYNznW+4syf4g8Pm/F5t/7Tb6Zawgdm7j94e6Lfjo0qVMkIB3Z8dM1y+jyFQ1mGuC2qX7zh3SdE/lwc4aXCYDahnAjkSiEAXY4pgFQ6NKf/ycw/5JCtYG5wiHp9wpdxxLiANdZ80ApaW/04OnHxcN2pyVgSakXeuhVD3xhY7Jpq7572EZPJN5CuYPXw==

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Oleksandr Andrushchenko <andr2000@xxxxxxxxx>, <julien@xxxxxxx>, <sstabellini@xxxxxxxxxx>, <oleksandr_tyshchenko@xxxxxxxx>, <volodymyr_babchuk@xxxxxxxx>, <Artem_Mygaiev@xxxxxxxx>, <andrew.cooper3@xxxxxxxxxx>, <george.dunlap@xxxxxxxxxx>, <paul@xxxxxxx>, <bertrand.marquis@xxxxxxx>, <rahul.singh@xxxxxxx>, Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 13 Jan 2022 13:28:18 +0000

Ironport-data: A9a23:GAqUTaqVyNxeNiWWmo0bpS7JGnpeBmLYYxIvgKrLsJaIsI4StFCzt garIBnVa//ZYGHzKI93YNi2/UhTsZbQyNEwTVRvqHpnESxHpJuZCYyVIHmrMnLJJKUvbq7GA +byyDXkBJppJpMJjk71atANlZT4vE2xbuKU5NTsY0idfic5Dndx4f5fs7Rh2NQw2IHiW1nlV e7a+KUzBnf0g1aYDUpMg06zgEsHUCPa4W5wUvQWPJinjXeG/5UnJMt3yZKZdhMUdrJ8DO+iL 9sv+Znilo/vE7XBPfv++lrzWhVirrc/pmFigFIOM0SpqkAqSiDfTs/XnRfTAKtao2zhojx/9 DlCnZ+xUSQTErLVpMEUSkhzCCteHJEb1qCSdBBTseTLp6HHW37lwvEoB0AqJ4wIvO1wBAmi9 9RBdmpLNErawbvrnvTrEYGAhex6RCXvFJkYtXx6iynQEN4tQIzZQrWM7thdtNs1rp4XTa2AP JBFAdZpRE3KYhtjBlRNM6sVk+q1plfccTBE9mvA8MLb5ECMlVcsgdABKuH9cNGQWd9cmEreo 2vc5nn4GTkTLtnZwj2Amlq0j/LLtTP2XsQVDrLQ3tdwnFCW8UkCBxQXWEWTrOGwjwi1XNc3A 1wZ/G8ioLY/8GSvT8LhRFuorXicpBkeVtFMVeog52mlza7Z4B2QAGQeeTdHZMY7r889RTEs1 VihksvgAHpkt7j9YWiU9qqQ6yizPycVBWYYYGkPSg5ty9v+pIA+iDrfQ9AlF7S65vX8Hz3qm WjS9AAxgrwSiYgA0KDT1VLNji+op5PJZhUo/QiRVWWghitnY4qia52t+ELs5/9KJ4aETXGMp HEB3cOZ6YgmCpWAlzeERukXK624/PaOMDDagllHEoEo8nKm/HvLVZtL/Dh0KUNtM8AFUTzke knevUVW/pA7AZexRfYpOcTrUZ1slPW+U4S+PhzJUjZQSptwbCy90D53WWuZxjHGi0IMsJ1iF 4jOJK5AEk0mIahgyTO3QcIU3rkq2j0yyAvveHzr8/i0+eHAPSDIEN/pJHPLN7lkt/3c/G055 v4Cb5Pi9vlJbAHpjsA7G6Y3JEtCE3U0DIueRyd/Jr/aeVoO9I3M5pbsLVIdl25Nw/U9egTgp CjVtqpkJLzX3y2vxeKiMCELVV8XdcwjxU/XxAR1VbpS51AtYJy08IAUfIYtcL8s+YRLlKAoF aFcIJ3eXqQUEFwrHgjxi7Gn/OSOkzzx1Gqz09eNOmBjL/aMuSSUkjMbQucf3HZXVXfm3SfPi 7ahyhnaUfI+q/dKV67rhAaU5wrp5xA1wbsqN2ORe4U7UBiyrOBCdnKg5tdqc5BkAUiSnVOyi lfJaSr0UMGQ+efZBvGT2/Ddx2poesMjdndn857ztufpZXKErzv6keetko+gJFjgaY89w437D c19xPDgKvwX2lFMtot3CbFwyqwiodDootdnIs5MRR0ntnynVeFtJGeox85KuvEfz7NVo1LuC EmO5sNbKfOCP8a8SAwdIw8sb+Ki0/AIm2aNsaRpcRuivCInrqCaVUhyPgWXjHAPJrVCL454k /wqv9Qb6lLjh0NyYMqGlC1d60+FMmcED/c8rpgfDYKy0lgrx1hObIbyECjz5J3TOdxAPlNze m2fhbbYhqQazU3HKiJhGX/I1OtbpJIPpBEVkwNSewXXwoLI36Zl0gdQ/DI7ShVu4i9Gi+8ja HJ2M0BVJLmV+2s6jsZ0QG3xSRpKAweU+xKtxgJRxnHZVUShSkfEMHY5ZbSW5Ekc/m9RImpb8 bWfxDq3WDrmZpisjC47WEojoP3/V91hsAbFnZn/TciCGpA7Zxvjg7OvOjVU+0e2X5tpiR2Vv /Ru8cZxdbb/ZHwZrKAMAoWH0agdFUKfL2tYTPA9pK4EEAkwot1pNeRi/6xpRv5wGg==

Ironport-hdrordr: A9a23:4/AZiK6vYhfEoOLo0gPXwVKBI+orL9Y04lQ7vn2ZFiY6TiXIra +TdaoguSMc6AxwZJkh8erwXpVoZUmsiKKdhrNhQYtKPTOWwldASbsC0WKM+UyEJ8STzJ846U 4kSdkANDSSNykLsS+Z2njBLz9I+rDum8rE9ISurUuFDzsaEJ2Ihz0JezpzeXcGPTWua6BJc6 Z1saF81kSdkDksH46GL0hAe9KGi8zAlZrgbxJDLxk76DOWhTftzLLhCRCX0joXTjsKmN4ZgC T4uj28wp/mn+Cwyxfa2WOWx5NKmOH5wt8GIMCXkMAaJhjllw7tToV8XL+puiwzvYiUmRsXue iJhy1lE9V46nvXcG3wiRzx2zP42DJr0HPmwU/wuwqrneXJABYBT+ZRj4NQdRXUr2A6ustn7a 5N12WF87JKEBLphk3Glpn1fiAvsnDxjWspkOYVgXAae5AZcqVtoYsW+14QOIscHRj99JssHI BVfY/hDc5tABCnhk3izytSKITGZAV3Iv7GeDlMhiWt6UkXoJgjpHFogPD2nR87heQAotd/lq P5259T5cNzp/ktHNVA7dc6MLiK41P2MGfx2UKpUBza/fI8SjnwQ6Ce2sRA2AjtQu1P8KcP

Ironport-sdr: wpHwxOFac8K0LSiEBOOx7Afe6wQngGnT8OKlavs7vFueI/waP/m2JiGejdHkOLo5CRlMYMUQIg 3H1T6VJkQ11CKKvZNa2A3DG65lz21uSY/DlgQGx9YG9GkiiyLh6t1ZhIhQYe1bsTDPE+962onO CcZvJlNpT5A8uoo8INxXvHdG3BNwGuMv3yM8IVR0v73tpN3WvBuXKV7I6MvuudxXbSUU0NVbWR sdtUM/w7dIHC3+coUD7nfMeFnr3s2D377NHSuWn1mQjCckio7u76Dn17pgUcW0ALJXS9LTs7TE CuhshV+I4ia+nH5/ZN+6PlFT

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Nov 25, 2021 at 12:17:32PM +0100, Jan Beulich wrote: > On 25.11.2021 12:02, Oleksandr Andrushchenko wrote: > > From: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx> > > > > For unprivileged guests vpci_{read|write} need to be re-worked > > to not passthrough accesses to the registers not explicitly handled > > by the corresponding vPCI handlers: without fixing that passthrough > > to guests is completely unsafe as Xen allows them full access to > > the registers. > > > > Xen needs to be sure that every register a guest accesses is not > > going to cause the system to malfunction, so Xen needs to keep a > > list of the registers it is safe for a guest to access. > > > > For example, we should only expose the PCI capabilities that we know > > are safe for a guest to use, i.e.: MSI and MSI-X initially. > > The rest of the capabilities should be blocked from guest access, > > unless we audit them and declare safe for a guest to access. > > > > As a reference we might want to look at the approach currently used > > by QEMU in order to do PCI passthrough. A very limited set of PCI > > capabilities known to be safe for untrusted access are exposed to the > > guest and registers need to be explicitly handled or else access is > > rejected. Xen needs a fairly similar model in vPCI or else none of > > this will be safe for unprivileged access. > > > > Add the corresponding TODO comment to highlight there is a problem that > > needs to be fixed. > > > > Suggested-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > > Suggested-by: Jan Beulich <jbeulich@xxxxxxxx> > > Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx> > > Looks okay to me in principle, but imo needs to come earlier in the > series, before things actually get exposed to DomU-s. Are domUs really allowed to use this code? Maybe it's done in a separate series, but has_vpci is hardcoded to false on Arm, and X86_EMU_VPCI can only be set for the hardware domain on x86. Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.