
Re: [PATCH v5 14/14] vpci: add TODO for the registers not explicitly handled


  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 13 Jan 2022 14:38:22 +0100
  • Cc: Oleksandr Andrushchenko <andr2000@xxxxxxxxx>, julien@xxxxxxx, sstabellini@xxxxxxxxxx, oleksandr_tyshchenko@xxxxxxxx, volodymyr_babchuk@xxxxxxxx, Artem_Mygaiev@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, george.dunlap@xxxxxxxxxx, paul@xxxxxxx, bertrand.marquis@xxxxxxx, rahul.singh@xxxxxxx, Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 13 Jan 2022 13:38:46 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 13.01.2022 14:27, Roger Pau Monné wrote:
> On Thu, Nov 25, 2021 at 12:17:32PM +0100, Jan Beulich wrote:
>> On 25.11.2021 12:02, Oleksandr Andrushchenko wrote:
>>> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>
>>>
>>> For unprivileged guests vpci_{read|write} need to be re-worked
>>> to not passthrough accesses to the registers not explicitly handled
>>> by the corresponding vPCI handlers: without fixing that passthrough
>>> to guests is completely unsafe as Xen allows them full access to
>>> the registers.
>>>
>>> Xen needs to be sure that every register a guest accesses is not
>>> going to cause the system to malfunction, so Xen needs to keep a
>>> list of the registers it is safe for a guest to access.
>>>
>>> For example, we should only expose the PCI capabilities that we know
>>> are safe for a guest to use, i.e.: MSI and MSI-X initially.
>>> The rest of the capabilities should be blocked from guest access,
>>> unless we audit them and declare safe for a guest to access.
>>>
>>> As a reference we might want to look at the approach currently used
>>> by QEMU in order to do PCI passthrough. A very limited set of PCI
>>> capabilities known to be safe for untrusted access are exposed to the
>>> guest and registers need to be explicitly handled or else access is
>>> rejected. Xen needs a fairly similar model in vPCI or else none of
>>> this will be safe for unprivileged access.
>>>
>>> Add the corresponding TODO comment to highlight there is a problem that
>>> needs to be fixed.
>>>
>>> Suggested-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>> Suggested-by: Jan Beulich <jbeulich@xxxxxxxx>
>>> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>
>>
>> Looks okay to me in principle, but imo needs to come earlier in the
>> series, before things actually get exposed to DomU-s.
> 
> Are domUs really allowed to use this code? Maybe it's done in a
> separate series, but has_vpci is hardcoded to false on Arm, and
> X86_EMU_VPCI can only be set for the hardware domain on x86.

I'm not sure either. This series gives the impression of exposing things,
but I admit I didn't pay attention to has_vpci() being hardcoded on Arm.
Then again there were at least 3 series in parallel originally, with
interdependencies (iirc) not properly spelled out ...

Jan
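
The default-deny model the quoted commit message asks for, as an added sketch that is not part of this thread and not Xen's vPCI code. The `reg_handler` table, the function names, the all-ones value returned for a rejected read, and the privileged pass-through path are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical handled-register entry; not Xen's vPCI structures. */
struct reg_handler { unsigned int offset, size; bool guest_writable; };
/* Constructed allowlist: anything not listed is hidden from guests. */
static const struct reg_handler handled[] = {
    { 0x00, 4, false }, /* vendor and device ID, read-only */
    { 0x04, 2, true },  /* command register */
};

/* Accesses are 1 to 4 bytes and stay inside the 256-byte config space. */
static bool access_ok(unsigned int off, unsigned int size)
{
    return size >= 1 && size <= 4 && off <= 256 - size;
}

/* Return the handler whose register fully contains the access, if any. */
static const struct reg_handler *find_handler(unsigned int off, unsigned int size)
{
    for (unsigned int i = 0; i < sizeof(handled) / sizeof(handled[0]); i++)
        if (off >= handled[i].offset && size <= handled[i].size &&
            off - handled[i].offset <= handled[i].size - size)
            return &handled[i];
    return NULL;
}

static uint32_t cfg_read(const uint8_t *cfg, bool privileged,
                         unsigned int off, unsigned int size)
{
    uint32_t val = 0;
    if (!access_ok(off, size))
        return 0xffffffffu;
    if (!privileged && !find_handler(off, size))
        return 0xffffffffu >> (32 - 8 * size); /* default deny: all ones */
    memcpy(&val, cfg + off, size); /* little-endian host assumed */
    return val;
}

static bool cfg_write(uint8_t *cfg, bool privileged,
                      unsigned int off, unsigned int size, uint32_t val)
{
    const struct reg_handler *h = find_handler(off, size);
    if (!access_ok(off, size) || (!privileged && !(h && h->guest_writable)))
        return false; /* malformed or not allowlisted: write is dropped */
    memcpy(cfg + off, &val, size);
    return true;
}
```

An access that straddles two handled registers is rejected as well, since no single handler covers it.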




 

