From: Ian Campbell <ian.campbell@citrix.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: xen-devel@lists.xensource.com, Wei Liu <wei.liu2@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
qemu-devel@nongnu.org, JBeulich@suse.com,
Anthony PERARD <anthony.perard@citrix.com>
Subject: Re: [Qemu-devel] [Xen-devel] [PATCH 0/11] Xen PCI Passthrough security fixes
Date: Wed, 17 Jun 2015 13:38:55 +0100 [thread overview]
Message-ID: <1434544735.13744.360.camel@citrix.com> (raw)
In-Reply-To: <1433260042.15036.332.camel@citrix.com>
On Tue, 2015-06-02 at 16:47 +0100, Ian Campbell wrote:
ping?
> On Tue, 2015-06-02 at 16:08 +0100, Stefano Stabellini wrote:
> > the following is a collection of QEMU security fixes for PCI Passthrough
> > on Xen.
>
> Part of this locks down the PCI cfg space emulation, which means we now
> need a way for people to request the old "permissive" behaviour for
> devices which need it. Per the xl docs:
> It is recommended to enable this option only for trusted VMs
> under administrator control.
>
> The toolstack (libxl, xl etc) already support a permissive flag in the
> domain cfg, and this series adds a new device property. All we need to
> do is tie them together.
>
> The simple version is below. I also have an incremental update which
> uses the QMP device-list-properties command to probe for the presence of
> this property (so things can automatically work with unpatches qemu). I
> think it's not really necessary in this case.
>
> Ian.
>
> -----8>---------
>
> From c395657b03a1e2b7616d987e7078694874981979 Mon Sep 17 00:00:00 2001
> From: Ian Campbell <ian.campbell@citrix.com>
> Date: Mon, 1 Jun 2015 11:32:23 +0100
> Subject: [PATCH] tools: libxl: allow permissive qemu-upstream pci
> passthrough.
>
> EMBARGOED UNTIL 2015-06-02 12:00 (WITH XSA-131 ET AL)
>
> Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In
> order to allow local configuration of the existing libxl_device_pci
> "permissive" flag needs to be plumbed through via the new QMP property
> added by the XSA-131 patches.
>
> Versions of QEMU prior to XSA-131 did not support this permissive
> property, so we only pass it if it is true. Older versions only
> supported permissive mode.
>
> qemu-xen-traditional already supports the permissive mode setting via
> xenstore.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
> Cc: Anthony PERARD <anthony.perard@citrix.com>
> ---
> v2: Only set argument if permissive==true.
> ---
> tools/libxl/libxl_qmp.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
> index 9aa7e2e..6484f5e 100644
> --- a/tools/libxl/libxl_qmp.c
> +++ b/tools/libxl/libxl_qmp.c
> @@ -849,6 +849,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, int domid, libxl_device_pci *pcidev)
> QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x",
> PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn));
> }
> + /*
> + * Version of QEMU prior to the XSA-131 fix did not support this
> + * property and were effectively always in permissive mode. The
> + * fix for XSA-131 switched the default to be restricted by
> + * default and added the permissive property.
> + *
> + * Therefore in order to support both old and new QEMU we only set
> + * the permissive flag if it is true. Users of older QEMU have no
> + * reason to set the flag so this is ok.
> + */
> + if (pcidev->permissive)
> + qmp_parameters_add_bool(gc, &args, "permissive", true);
>
> rc = qmp_synchronous_send(qmp, "device_add", args,
> NULL, NULL, qmp->timeout);
WARNING: multiple messages have this Message-ID (diff)
From: Ian Campbell <ian.campbell@citrix.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: xen-devel@lists.xensource.com, Wei Liu <wei.liu2@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
qemu-devel@nongnu.org, JBeulich@suse.com,
Anthony PERARD <anthony.perard@citrix.com>
Subject: Re: [Xen-devel] [PATCH 0/11] Xen PCI Passthrough security fixes
Date: Wed, 17 Jun 2015 13:38:55 +0100 [thread overview]
Message-ID: <1434544735.13744.360.camel@citrix.com> (raw)
In-Reply-To: <1433260042.15036.332.camel@citrix.com>
On Tue, 2015-06-02 at 16:47 +0100, Ian Campbell wrote:
ping?
> On Tue, 2015-06-02 at 16:08 +0100, Stefano Stabellini wrote:
> > the following is a collection of QEMU security fixes for PCI Passthrough
> > on Xen.
>
> Part of this locks down the PCI cfg space emulation, which means we now
> need a way for people to request the old "permissive" behaviour for
> devices which need it. Per the xl docs:
> It is recommended to enable this option only for trusted VMs
> under administrator control.
>
> The toolstack (libxl, xl etc) already support a permissive flag in the
> domain cfg, and this series adds a new device property. All we need to
> do is tie them together.
>
> The simple version is below. I also have an incremental update which
> uses the QMP device-list-properties command to probe for the presence of
> this property (so things can automatically work with unpatches qemu). I
> think it's not really necessary in this case.
>
> Ian.
>
> -----8>---------
>
> From c395657b03a1e2b7616d987e7078694874981979 Mon Sep 17 00:00:00 2001
> From: Ian Campbell <ian.campbell@citrix.com>
> Date: Mon, 1 Jun 2015 11:32:23 +0100
> Subject: [PATCH] tools: libxl: allow permissive qemu-upstream pci
> passthrough.
>
> EMBARGOED UNTIL 2015-06-02 12:00 (WITH XSA-131 ET AL)
>
> Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In
> order to allow local configuration of the existing libxl_device_pci
> "permissive" flag needs to be plumbed through via the new QMP property
> added by the XSA-131 patches.
>
> Versions of QEMU prior to XSA-131 did not support this permissive
> property, so we only pass it if it is true. Older versions only
> supported permissive mode.
>
> qemu-xen-traditional already supports the permissive mode setting via
> xenstore.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
> Cc: Anthony PERARD <anthony.perard@citrix.com>
> ---
> v2: Only set argument if permissive==true.
> ---
> tools/libxl/libxl_qmp.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
> index 9aa7e2e..6484f5e 100644
> --- a/tools/libxl/libxl_qmp.c
> +++ b/tools/libxl/libxl_qmp.c
> @@ -849,6 +849,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, int domid, libxl_device_pci *pcidev)
> QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x",
> PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn));
> }
> + /*
> + * Version of QEMU prior to the XSA-131 fix did not support this
> + * property and were effectively always in permissive mode. The
> + * fix for XSA-131 switched the default to be restricted by
> + * default and added the permissive property.
> + *
> + * Therefore in order to support both old and new QEMU we only set
> + * the permissive flag if it is true. Users of older QEMU have no
> + * reason to set the flag so this is ok.
> + */
> + if (pcidev->permissive)
> + qmp_parameters_add_bool(gc, &args, "permissive", true);
>
> rc = qmp_synchronous_send(qmp, "device_add", args,
> NULL, NULL, qmp->timeout);
next prev parent reply other threads:[~2015-06-17 12:39 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-06 8:42 [PATCH] docs: xl.cfg: permissive option is not PV only Ian Campbell
2015-10-06 8:52 ` Wei Liu
2015-06-02 15:08 ` [Qemu-devel] [PATCH 0/11] Xen PCI Passthrough security fixes Stefano Stabellini
2015-06-02 15:08 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 01/11] xen: properly gate host writes of modified PCI CFG contents Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 02/11] xen: don't allow guest to control MSI mask register Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 03/11] xen/MSI-X: limit error messages Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 04/11] xen/MSI: don't open-code pass-through of enable bit modifications Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 05/11] xen/pt: consolidate PM capability emu_mask Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 06/11] xen/pt: correctly handle PM status bit Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 07/11] xen/pt: split out calculation of throughable mask in PCI config space handling Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 08/11] xen/pt: mark all PCIe capability bits read-only Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 09/11] xen/pt: mark reserved bits in PCI config space fields Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 10/11] xen/pt: add a few PCI config space field descriptions Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:10 ` [Qemu-devel] [PATCH 11/11] xen/pt: unknown PCI config space fields should be read-only Stefano Stabellini
2015-06-02 15:10 ` Stefano Stabellini
2015-06-02 15:32 ` [Qemu-devel] [PATCH 0/11] Xen PCI Passthrough security fixes Stefano Stabellini
2015-06-02 15:32 ` Stefano Stabellini
2015-06-02 15:51 ` [Qemu-devel] " Peter Maydell
2015-06-02 15:51 ` Peter Maydell
2015-06-02 15:47 ` [Qemu-devel] [Xen-devel] " Ian Campbell
2015-06-02 15:47 ` Ian Campbell
2015-06-17 12:38 ` Ian Campbell [this message]
2015-06-17 12:38 ` [Xen-devel] " Ian Campbell
2015-06-17 13:52 ` [Qemu-devel] " Stefano Stabellini
2015-06-17 13:52 ` Stefano Stabellini
2015-06-17 13:54 ` [Qemu-devel] " Ian Campbell
2015-06-17 13:54 ` Ian Campbell
2015-07-03 14:49 ` [PATCH] tools: libxl: allow permissive qemu-upstream pci passthrough Ian Campbell
2015-07-06 12:20 ` George Dunlap
2015-07-06 12:59 ` Anthony PERARD
2015-07-07 13:40 ` Wei Liu
2015-07-07 15:41 ` Ian Campbell
2015-10-06 8:36 ` Ian Campbell
2015-10-06 13:07 ` Stefano Stabellini
2015-10-06 15:18 ` Ian Jackson
2015-10-07 11:52 ` [PATCH] docs: xl.cfg: permissive option is not PV only Ian Campbell
2015-10-20 17:09 ` [PATCH] tools: libxl: allow permissive qemu-upstream pci passthrough. [and 1 more messages] Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1434544735.13744.360.camel@citrix.com \
--to=ian.campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=anthony.perard@citrix.com \
--cc=qemu-devel@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.