Xen project Mailing List

Re: [PATCH v3 1/2] xsm: create idle domain privileged and demote after setup

To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 26 Apr 2022 09:12:53 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mnAj+ibkU6zymtcm59DbtnqdExUD9SINdw3zagV1Wfc=; b=NiaAisvznkeBuWfCkhjiSTOlunf+P7vtnuhaX4JM/xEyLL9hK52ME929f9uZwTec8QXY+0UFTRVBJEKGSl4PyRQMCTfuqY6fx6FDFcCW2DecqbUdTojJZ68Szjmkz8pw/tgb/IA61o3h8SXRq3OXVJsfBeyu2RQNfuqE5Lfr/tAekcK979bpn00IavnxbOB32plsevvdomVoJCuQr7QYj3PGIOlJ3L4V2lq9NgmGfHQAfy1/HdlS7iCC7+t5FB2pU4LW/NncEYE54dHpxCnGFY10gd5sLQJqY2HQqXYqgOit6V+tyxYfOxTExQ8kLs1RdUqdxAIS8C6B+g3jMP/plQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WW6ZmzaZQzWPfcSTHoorTjjH4Yu98jl/t2Rs/WjTgh5f63Cvt6TLTnD5HNynwH/zJ9DirV5ruTe88M9gY0H62pzu0llFRhcjx495c4J6FlNEH7gJ9ulsXIUag5fiKy4BSx1NXdPE8hvY4C34+XQZmcDzheRLKmLOaK/tYL3RFROh0TuifZSSoM98yeJxPQl0nUWS181YyJ8e4u4CYe0AuZ+Q4ec2+RebAk29UNNlpq4w/M0go0gbt0znMoXNK7V3L011Bm24K8yGRSKXd2FrhM3+4BbtePd+McnZRq87lFS4IcT7IvTbBCGSDhJ2YYG3eHjHVqV5A/a4UyTkuquRsA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Tue, 26 Apr 2022 07:13:12 +0000

Ironport-data: A9a23:Yd0JtK3ZwINvDms0X/bD5ZJxkn2cJEfYwER7XKvMYLTBsI5bpzxVz 2caWmuFPa6CZGX3edlwadjlp08BvZGGz9I2HQU5pC1hF35El5HIVI+TRqvS04J+DSFhoGZPt Zh2hgzodZhsJpPkjk7xdOCn9xGQ7InQLlbGILes1htZGEk1EE/NtTo5w7Rj2tIy34Dga++wk YiaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/DaptVBoaHq 9Prl9lVyI97EyAFUbtJmp6jGqEDryW70QKm0hK6UID66vROS7BbPg/W+5PwZG8O4whlkeydx /1vj4SvcxgGGZSTifoAWSgJKBAnAqNJreqvzXiX6aR/zmXgWl61mrBEKhFzOocVvOFqHWtJ6 PoUbigXaQyOjP63x7T9TfRwgsMkL4/gO4Z3VnNIlGmFS6p5B82TBfyVvLe03x9p7ixKNezZa McDLyJmcTzLYgFVO0dRA5U79AutrieuKGcA+QPMzUYxyzjD/AtQ2pLECtHuW4aBVO8Isx22h kuTqgwVBTlfbrRz0wGt/mq3g+7TnQvyQI8ICKCj7flunUGSwWoIThYRUDOTsfS/z0KzRd9bA 0gV4TY167g/8lSxSdvwVAH+p2SL1jYiXN5XH/w/+Ru64KPe6AaEBUAJVjdELtchsaceWjgCx lKP2dTzClRHq7aSVW7b+r6KrCiaIjQcN2sLb2kFSmMt4dDlrJsikxHnQdNqEarzhdrwcRnr2 CyDpiU6g7QVjOYI2r+98FSBhCijzrDLUwo06wP/Tm+jqARja+aNbYGy9ULS6/oGKY+DV0SAp 1ANgc3Y5+cLZbmPniGQROQGHJmy+u2IdjbbhDZHE5co+Dus/HqiVZtN+zw4L0BsWu4IdjPkb 1XakR9A759Uen2xZOl4ZJzZNigx5a3pFNCgXPaEaNNLO8F1bFXeo3goYlOM1WfwlkRqibs4J ZqQbcerCzAdFLhjyz21Aewa1NfH2xwD+I8afrijpzzP7FZUTCf9pWstWLdWUt0E0Q==

Ironport-hdrordr: A9a23:RiSeT69N2rh/UECPIttuk+FKdb1zdoMgy1knxilNoENuH/Bwxv rFoB1E73TJYVYqN03IV+rwXZVoZUmsjaKdhrNhRotKPTOWwVdASbsP0WKM+V3d8kHFh41gPO JbAtJD4b7LfCdHZKTBkW6F+r8bqbHokZxAx92uqUuFJTsaF52IhD0JbjpzfHcGJjWvUvECZe ehD4d81nOdUEVSSv7+KmgOXuDFqdGOvJX6YSQeDxpizAWVlzun5JPzDhDdh34lInhy6IZn1V KAvx3y562lvf3+4hjA11XL55ATvNf60NNMCOGFl8BQADTxjQSDYphnRtS5zXgIidDqzGxvvM jHoh8mMcg2w3TNflutqR+o4AXk2CZG0Q6X9XaoxV/Y5eDpTjMzDMRMwahDdAHC1kYmtNZglI pWwmOwrfNsfFz9tRW4w+KNewBhl0Kyr3Znu/UUlWZjXYwXb6IUhZAD/XlSDIwLEEvBmcwa+d FVfYDhDcttABOnhyizhBgt/DXsZAV/Iv6+eDlNhiTPuAIm3kyQzCMjtbkidzk7hdcAoqJ/lp X525RT5c9zp/AtHNJA7cc6MLyK4z/2MGTx2Fz7GyWVKIg3f1TwlrXQ3JIZoMmXRb1g9upBpH 2GaiITiVIP

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Apr 25, 2022 at 12:39:17PM -0400, Daniel P. Smith wrote: > On 4/25/22 05:44, Roger Pau Monné wrote: > > On Fri, Apr 22, 2022 at 12:34:57PM -0400, Daniel P. Smith wrote: > >> diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c > >> index d5d0792ed4..e71fa3f860 100644 > >> --- a/xen/arch/arm/setup.c > >> +++ b/xen/arch/arm/setup.c > >> @@ -1048,6 +1048,9 @@ void __init start_xen(unsigned long boot_phys_offset, > >> /* Hide UART from DOM0 if we're using it */ > >> serial_endboot(); > >> > >> + if ( xsm_set_system_active() != 0) > >> + panic("xsm: unable to set hypervisor to SYSTEM_ACTIVE > >> privilege\n"); > >> + > >> system_state = SYS_STATE_active; > >> > >> for_each_domain( d ) > >> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c > >> index 6f20e17892..a3ce288ef9 100644 > >> --- a/xen/arch/x86/setup.c > >> +++ b/xen/arch/x86/setup.c > >> @@ -621,6 +621,9 @@ static void noreturn init_done(void) > >> void *va; > >> unsigned long start, end; > >> > >> + if ( xsm_set_system_active() != 0) > > ^ extra space. > > > > Since the function returns an error code you might as well add it to > > the panic message, or else just make the function return bool instead. > > > > Or just make the function void and panic in the handler itself (like > > in previous versions), as I don't think it's sensible to continue > > normal execution if xsm_set_system_active fails. > > After reflecting on it, I believe that was not the correct action. The > policy should handle setting/checking all access control state and fail > with an error of why and then allow the hypervisor logic decided what to > do with that failure. For the policies that are present today, yes it is > an immediate panic. Ultimately this will future proof the interface > should a future policy type be introduced with a more varied result that > could allow the hypervisor to continue to boot, for instance to a > limited and/or debug state. That's all fine, but if you return an error code, please print it as part of the panic message. The more information we can add in case of panic, the better. > >> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c > >> index 8c044ef615..e6ffa948f7 100644 > >> --- a/xen/xsm/dummy.c > >> +++ b/xen/xsm/dummy.c > >> @@ -14,6 +14,7 @@ > >> #include <xsm/dummy.h> > >> > >> static const struct xsm_ops __initconst_cf_clobber dummy_ops = { > >> + .set_system_active = xsm_set_system_active, > >> .security_domaininfo = xsm_security_domaininfo, > >> .domain_create = xsm_domain_create, > >> .getdomaininfo = xsm_getdomaininfo, > >> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > >> index 0bf63ffa84..8a62de2fd6 100644 > >> --- a/xen/xsm/flask/hooks.c > >> +++ b/xen/xsm/flask/hooks.c > >> @@ -186,6 +186,26 @@ static int cf_check > >> flask_domain_alloc_security(struct domain *d) > >> return 0; > >> } > >> > >> +static int cf_check flask_set_system_active(void) > >> +{ > >> + struct domain *d = current->domain; > > > > Nit: you should also add the assert for d->is_privileged, I don't see > > a reason for the xsm and flask functions to differ in that regard. > > This goes back to an issued I have raised before, is_privileged really > encompasses two properties of a domain. Whether the domain is filling > the special control domain role versus what accesses the domain has > based on the context under which is_control_domain() is called. For > instance the function init_domain_msr_policy() uses is_control_domain() > not to make an access control decision but configure behavior. Under > flask is_privileged no longer reflects the accesses a domain with it set > will have, thus whether it is cleared when flask is enabled is > irrelevant as far as flask is concerned. For the ASSERT, what matters is > that the label was set to xenboot_t on construction and that it was not > changed before reaching this point. Or in a short form, when under the > default policy the expected state is concerned with is_privilege while > for flask it is only the SID. I certainly don't care that much, but you do set d->is_privileged = false in flask_set_system_active, hence it would seem logic to expect d->is_privileged == true also? If not for anything else, just to assert that the function is not called twice. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.