From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53362) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YzoQG-0001rn-5z for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:48:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YzoQC-00081c-Up for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:48:12 -0400 Received: from smtp.citrix.com ([66.165.176.89]:43336) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YzoQC-00081D-Qd for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:48:08 -0400 Message-ID: <1433260042.15036.332.camel@citrix.com> From: Ian Campbell Date: Tue, 2 Jun 2015 16:47:22 +0100 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [Xen-devel] [PATCH 0/11] Xen PCI Passthrough security fixes List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefano Stabellini , Ian Jackson , Wei Liu , Anthony PERARD Cc: xen-devel@lists.xensource.com, qemu-devel@nongnu.org, JBeulich@suse.com On Tue, 2015-06-02 at 16:08 +0100, Stefano Stabellini wrote: > the following is a collection of QEMU security fixes for PCI Passthrough > on Xen. Part of this locks down the PCI cfg space emulation, which means we now need a way for people to request the old "permissive" behaviour for devices which need it. Per the xl docs: It is recommended to enable this option only for trusted VMs under administrator control. The toolstack (libxl, xl etc) already support a permissive flag in the domain cfg, and this series adds a new device property. All we need to do is tie them together. The simple version is below. I also have an incremental update which uses the QMP device-list-properties command to probe for the presence of this property (so things can automatically work with unpatches qemu). I think it's not really necessary in this case. Ian. -----8>--------- >>From c395657b03a1e2b7616d987e7078694874981979 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Mon, 1 Jun 2015 11:32:23 +0100 Subject: [PATCH] tools: libxl: allow permissive qemu-upstream pci passthrough. EMBARGOED UNTIL 2015-06-02 12:00 (WITH XSA-131 ET AL) Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In order to allow local configuration of the existing libxl_device_pci "permissive" flag needs to be plumbed through via the new QMP property added by the XSA-131 patches. Versions of QEMU prior to XSA-131 did not support this permissive property, so we only pass it if it is true. Older versions only supported permissive mode. qemu-xen-traditional already supports the permissive mode setting via xenstore. Signed-off-by: Ian Campbell Cc: Stefano Stabellini Cc: Anthony PERARD --- v2: Only set argument if permissive==true. --- tools/libxl/libxl_qmp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c index 9aa7e2e..6484f5e 100644 --- a/tools/libxl/libxl_qmp.c +++ b/tools/libxl/libxl_qmp.c @@ -849,6 +849,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, int domid, libxl_device_pci *pcidev) QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x", PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn)); } + /* + * Version of QEMU prior to the XSA-131 fix did not support this + * property and were effectively always in permissive mode. The + * fix for XSA-131 switched the default to be restricted by + * default and added the permissive property. + * + * Therefore in order to support both old and new QEMU we only set + * the permissive flag if it is true. Users of older QEMU have no + * reason to set the flag so this is ok. + */ + if (pcidev->permissive) + qmp_parameters_add_bool(gc, &args, "permissive", true); rc = qmp_synchronous_send(qmp, "device_add", args, NULL, NULL, qmp->timeout); -- 1.7.10.4 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Campbell Subject: Re: [PATCH 0/11] Xen PCI Passthrough security fixes Date: Tue, 2 Jun 2015 16:47:22 +0100 Message-ID: <1433260042.15036.332.camel@citrix.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Stefano Stabellini , Ian Jackson , Wei Liu , Anthony PERARD Cc: xen-devel@lists.xensource.com, qemu-devel@nongnu.org, JBeulich@suse.com List-Id: xen-devel@lists.xenproject.org On Tue, 2015-06-02 at 16:08 +0100, Stefano Stabellini wrote: > the following is a collection of QEMU security fixes for PCI Passthrough > on Xen. Part of this locks down the PCI cfg space emulation, which means we now need a way for people to request the old "permissive" behaviour for devices which need it. Per the xl docs: It is recommended to enable this option only for trusted VMs under administrator control. The toolstack (libxl, xl etc) already support a permissive flag in the domain cfg, and this series adds a new device property. All we need to do is tie them together. The simple version is below. I also have an incremental update which uses the QMP device-list-properties command to probe for the presence of this property (so things can automatically work with unpatches qemu). I think it's not really necessary in this case. Ian. -----8>--------- >>From c395657b03a1e2b7616d987e7078694874981979 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Mon, 1 Jun 2015 11:32:23 +0100 Subject: [PATCH] tools: libxl: allow permissive qemu-upstream pci passthrough. EMBARGOED UNTIL 2015-06-02 12:00 (WITH XSA-131 ET AL) Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In order to allow local configuration of the existing libxl_device_pci "permissive" flag needs to be plumbed through via the new QMP property added by the XSA-131 patches. Versions of QEMU prior to XSA-131 did not support this permissive property, so we only pass it if it is true. Older versions only supported permissive mode. qemu-xen-traditional already supports the permissive mode setting via xenstore. Signed-off-by: Ian Campbell Cc: Stefano Stabellini Cc: Anthony PERARD --- v2: Only set argument if permissive==true. --- tools/libxl/libxl_qmp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c index 9aa7e2e..6484f5e 100644 --- a/tools/libxl/libxl_qmp.c +++ b/tools/libxl/libxl_qmp.c @@ -849,6 +849,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, int domid, libxl_device_pci *pcidev) QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x", PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn)); } + /* + * Version of QEMU prior to the XSA-131 fix did not support this + * property and were effectively always in permissive mode. The + * fix for XSA-131 switched the default to be restricted by + * default and added the permissive property. + * + * Therefore in order to support both old and new QEMU we only set + * the permissive flag if it is true. Users of older QEMU have no + * reason to set the flag so this is ok. + */ + if (pcidev->permissive) + qmp_parameters_add_bool(gc, &args, "permissive", true); rc = qmp_synchronous_send(qmp, "device_add", args, NULL, NULL, qmp->timeout); -- 1.7.10.4