
[PATCH v2 02/17] xsm/silo: Support hardware & xenstore domains


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Wed, 16 Jul 2025 17:14:49 -0400
  • Cc: Jason Andryuk <jason.andryuk@xxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 16 Jul 2025 21:22:26 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

In a disaggregated environment, dom0 is split into Control, Hardware,
and Xenstore domains, along with domUs.  The is_control_domain() check
is not sufficient to handle all these cases.  Add is_priv_domain() to
support allowing for the various domains.

The purpose of SILO mode is to prevent domUs from interacting with each
other.  But dom0 was allowed to communicate with domUs to provide
services.

To provide xenstore connections, the Xenstore domain must be allowed to
connect via grants and event channels.  The Xenstore domain must also be
allowed to connect to Control and Hardware to provide xenstore to them.

The Hardware domain will provide PV devices to domains, so it must be
allowed to connect to domains.

That leaves Control.  Xenstore and Hardware would already allow access
to Control, so it can obtain services that way.  Control should be
"privileged", which would mean it can make the connections.  But with
Xenstore and Hardware providing their services to domUs, there may not
be a reason to allow Control to use grants or event channels with domUs.

This silo check is for grants, event channels and argo.  The dummy
policy handles other calls, so Hardware is prevented from foreign
mapping Control's memory with that.

Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
---
v2:
Use single evaluate_nospec() for checks.
Remove Control
Add xenstore domain
Expand commit message
Remove always_inline
---
 xen/xsm/silo.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index b89b364287..b392f32507 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -20,6 +20,17 @@
 #define XSM_NO_WRAPPERS
 #include <xsm/dummy.h>
 
+static bool is_priv_domain(const struct domain *d)
+{
+    /*
+     * Open coding of:
+     *    is_xenstore_domain(d) || is_hardware_domain(d)
+     * to place all within one speculative barrier.
+     */
+    return evaluate_nospec((d->options & XEN_DOMCTL_CDF_xs_domain) ||
+                           d == hardware_domain);
+}
+
 /*
  * Check if inter-domain communication is allowed.
  * Return true when pass check.
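Review bot: the name is_priv_domain() is misleading given the commit message calls Control "privileged" while this helper deliberately excludes it (v2: "Remove Control"); a reader of silo.c alone cannot tell that from the open-coding comment. Either rename to something that reflects the SILO-specific meaning (the set of service-providing domains, Xenstore and Hardware) or extend the comment to state explicitly that the control domain is intentionally not matched here and why. Also note that the open-coded body duplicates the logic of is_xenstore_domain() and is_hardware_domain(); if either helper gains an extra condition later, this copy will silently diverge, so the comment should make clear that the duplication is a conscious trade-off for the single evaluate_nospec() barrier.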
@@ -29,8 +40,8 @@ static bool silo_mode_dom_check(const struct domain *ldom,
 {
     const struct domain *currd = current->domain;
 
-    return (is_control_domain(currd) || is_control_domain(ldom) ||
-            is_control_domain(rdom) || ldom == rdom);
+    return (is_priv_domain(currd) || is_priv_domain(ldom) ||
+            is_priv_domain(rdom) || ldom == rdom);
 }
 
 static int cf_check silo_evtchn_unbound(
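Review bot: the semantic change here, that a Control domain which is neither the Xenstore nor the Hardware domain can no longer pass this check for grants, event channels and argo against arbitrary domUs, is only explained in the commit message. The header comment directly above ("Check if inter-domain communication is allowed. Return true when pass check.") still describes the old rule implicitly and should say which domains are exempt from the SILO restriction after this change, so that a deployment that still relies on Control to set up PV backends for domUs can see from the code why those connections are refused.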
-- 
2.50.0