[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Dario Faggioli <dfaggioli@xxxxxxxx>
  • Date: Mon, 14 Feb 2022 15:02:53 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UIox7dkw3kSLbAPAwaqHJJZcACHo1M82BL2Dud1K1n4=; b=ZOABoM9oti8ypj0hBANedlglXHOIuT24uxPKz9W17FWtZwpoqsSaZ8hRtcJJTEmrVBmhSuc1KhiFXp0PqRPlOczN5qPazH5n8+xvGWA+TVZ5E7EnqTC2u4Xfhlo/GIkkzUDXdctxo2laYIQ5UMgIiHZaUGLoUSo8VX36WGyNmsPPOgQgNELxyDH4x5D1nCGIKfYXoHk4e1yE9G9FSl/1vtd1WqDJFSd8MWFJ/P9sd5/rdmjjr9lHlNj0/v/Uc7E8KPpXVkhhsSrnrPhi4QLtXr8KJd1YbQh5dHeOhnzDq5BOYvwvPVyTUtjITPGt72lEXgpoVVeVXJ+6zjuYmDhjIA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ELWah6MMQO05hJg4BPah9Vzzwb4Mr1gW1V36pAXONDKqGL7kP/GMyWLljz0/vsrZ7j2Y5c3mJhjJESov1z7SYL7M6vtIeLYCqYTQSEuPkJIPOo7pmPi+jttF2NNYVrZaLBPxdWtvPSV+lnLELkjK289roeK6+NRbfql05gud6jmspv5GWrU6H0q3EOXCwWvgNIwkHlMW9ZyxY7A9tAdRhFvZuSGRjmy5i+HTYf2RZN3jgUjzuaM3HejeAJWK3my7SCvkWiiU6CSyxiARrMKacGd+PRorz2ordHwkj5v0yU7tKPAVa8XliDrJk+Akn54IKRio6I5CJFwtRfeASuQxNg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, "marmarek@xxxxxxxxxxxxxxxxxxxxxx" <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, "qemu-devel@xxxxxxxxxx" <qemu-devel@xxxxxxxxxx>, "anthony.perard@xxxxxxxxxx" <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Mon, 14 Feb 2022 15:03:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYIbPxFY5Kj3bRXE6t4z/dbeVrRw==
  • Thread-topic: SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)
Hello,

We have run into an issue when trying to use PCI passthrough for a Xen
VM running on an host where dom0 kernel is 5.14.21 (but we think it
could be any kernel > 5.4) and SecureBoot is enabled.

The error we get, when (for instance) trying to attach a device to an
(HVM) VM, on such system is:

# xl pci-attach 2-fv-sles15sp4beta2 0000:58:03.0 
libxl: error: libxl_qmp.c:1838:qmp_ev_parse_error_messages: Domain 12:Failed to 
initialize 12/15, type = 0x1, rc: -1
libxl: error: libxl_pci.c:1777:device_pci_add_done: Domain 
12:libxl__device_pci_add failed for PCI device 0:58:3.0 (rc -28)
libxl: error: libxl_device.c:1420:device_addrm_aocomplete: unable to add device

QEMU, is telling us the following:

[00:04.0] xen_pt_msix_init: Error: Can't open /dev/mem: Operation not permitted
[00:04.0] xen_pt_msix_size_init: Error: Internal error: Invalid 
xen_pt_msix_init.

And the kernel reports this:

Jan 27 16:20:53 narvi-sr860v2-bps-sles15sp4b2 kernel: Lockdown: 
qemu-system-i38: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

So, it's related to lockdown. Which AFAIUI it's consistent with the
fact that the problem only shows up when SecureBoot is enabled, as
that's implies lockdown. It's also consistent with the fact that we
don't seem to have any problems doing the same with a 5.3.x dom0
kernel... As there's no lockdown there!

Some digging revealed that QEMU tries to open /dev/mem in
xen_pt_msix_init():

    fd = open("/dev/mem", O_RDWR);
    ...
    msix->phys_iomem_base =
            mmap(NULL,
                 total_entries * PCI_MSIX_ENTRY_SIZE + 
msix->table_offset_adjust,
                 PROT_READ,
                 MAP_SHARED | MAP_LOCKED,
                 fd,
                 msix->table_base + table_off - msix->table_offset_adjust);
    close(fd);

This comes from commit:

commit 3854ca577dad92c4fe97b4a6ebce360e25407af7
Author: Jiang Yunhong <yunhong.jiang@xxxxxxxxx>
Date:   Thu Jun 21 15:42:35 2012 +0000

    Introduce Xen PCI Passthrough, MSI
    
    A more complete history can be found here:
    git://xenbits.xensource.com/qemu-xen-unstable.git
    
    Signed-off-by: Jiang Yunhong <yunhong.jiang@xxxxxxxxx>
    Signed-off-by: Shan Haitao <haitao.shan@xxxxxxxxx>
    Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
    Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

Now, the questions:
- is this (i.e., PCI-Passthrough with a locked-down dom0 kernel) 
  working for anyone? I've Cc-ed Marek, because I think I've read that 
  QubesOS that it does on QubesOS, but I'm not sure if the situation 
  is the same...
- if it's working, how?

Thanks and Regards
-- 
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)

Attachment: signature.asc
Description: This is a digitally signed message part

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.