Xen project Mailing List

Re: [PATCH v4 3/3] xsm: properly handle error from XSM init

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Tue, 7 Jun 2022 09:55:22 -0400

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1654610224; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=i+13/atmT2pRkn+f2pb7VWfDJx2TihjcLgz8X3iQ3xw=; b=KZxlGwKk9j9FBxbYKxmd4O/Aului3XMlpWM9ZNPm2Mf1/ehzPqFN/VqMJZn14dQ4TCDRqd3EeBU8wab+eivCV7z8spx/XuuIkwOZItzZTC5HVLgzDFA/6pVHeUF18ahoK9hT7YhjHHVEn//io7/7ufMpl2d0NGriJghoaRXsvWs=

Arc-seal: i=1; a=rsa-sha256; t=1654610224; cv=none; d=zohomail.com; s=zohoarc; b=NgD/lrOma2MdX58Kdyi3sc+FlohT0S9Zd8/aikUnsQDOKnKbquphyoV0N2bSL8mdTq7Ge/clRm5pCL4/xkUs1teONELvrH2wZCC6Gf4ot4IQ+BYeZxkIFxT/lf7cUbQK40dvET9RI1nWXvZN1HF0ImR8ssmG4gWtsHLrPumpn0I=

Cc: "scott.davis@xxxxxxxxxx" <scott.davis@xxxxxxxxxx>, "christopher.clark@xxxxxxxxxx" <christopher.clark@xxxxxxxxxx>, "jandryuk@xxxxxxxxx" <jandryuk@xxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Tue, 07 Jun 2022 13:57:15 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 5/31/22 15:18, Andrew Cooper wrote: > On 31/05/2022 19:20, Daniel P. Smith wrote: >> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c >> index 53a73010e0..ed67b50c9d 100644 >> --- a/xen/arch/x86/setup.c >> +++ b/xen/arch/x86/setup.c >> @@ -1700,7 +1701,11 @@ void __init noreturn __start_xen(unsigned long mbi_p) >> mmio_ro_ranges = rangeset_new(NULL, "r/o mmio ranges", >> RANGESETF_prettyprint_hex); >> >> - xsm_multiboot_init(module_map, mbi); >> + if ( xsm_multiboot_init(module_map, mbi) ) >> + warning_add("WARNING: XSM failed to initialize.\n" >> + "This has implications on the security of the system,\n" >> + "as uncontrolled communications between trusted and\n" >> + "untrusted domains may occur.\n"); > > The problem with this approach is that it forces each architecture to > opencode the failure string, in a function which is very busy with other > things too. > > Couldn't xsm_{multiboot,dt}_init() be void, and the warning_add() move > into them, like the SLIO warning for ARM already? > > That would simplify both ARM and x86's __start_xen(), and be an > improvement for the RISC-V series just posted to xen-devel... I was trying to address the MISRA review comment by handling the unhandled return while trying to provide a uniform implementation across arch. Moving the xsm_{multiboot,dt}_init() to void will address both and as you point out make it simpler overall. v/r, dps

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.