From: Julien Grall <julien.grall@citrix.com>
To: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
Julien Grall <julien.grall@citrix.com>
Cc: stefano.stabellini@citrix.com,
Ian Campbell <ian.campbell@citrix.com>,
xen-devel@lists.xen.org
Subject: Re: xen/arm: On chip memory mappings
Date: Wed, 20 May 2015 15:12:24 +0100 [thread overview]
Message-ID: <555C9648.2000403@citrix.com> (raw)
In-Reply-To: <20150520134012.GD13061@toto>
On 20/05/15 14:40, Edgar E. Iglesias wrote:
> Thanks for the pointers,
>
> I agree that fundamental differences like these beteween v7 and v8 wouldn't
> be good.
I didn't find any fundamental differences for device memory behavior in
the spec.
> Possible unpredictable behaviour is worrysome...
> I'm not aware of anything in the ARM architecture specs that would
> cause it in this respect, but I may be missing something.
AFAICT there is nothing in the spec which describe the behavior of a
region access with wrong memory attribute (i.e normal, device, strong).
I guess this would be described in the memory bus or processor spec.
> There might also very well be device/slave specific unpredictability.
> E.g unpredictable behaviour on specific AXI access patterns
> (bursts, sizes etc) to specific devices...
> On the other hand, I suppose giving direct device access to a guest
> carries some kind of trust to behave nicely with the device.
The trust to the device is very limited. We got several Xen Security
Advisory ([1] [2] ...) related to PCI passthrough.
I agree that the guest may act badly with the device, although we don't
want to give him the opportunity to act more badly with a device and the
possibility to access another guest memory.
> I'm not sure I understand Christoffers arguments though.
It's not clear what is the behavior of a device memory mapped with
normal attribute. Many issue can appear.
Unless the behavior is clearly written in the spec, we should take the
worst case and not the best.
> A well behaved guest will map it's devices as DEVICE and there
> won't be any difference at all wether S2 maps them as dev or mem.
Agree.
> A malicious guest could map things as cached memory and try to cause
> cached accesses from other guests to flush out. But these cached accesses
> would only contain data for other guests mapped as cacheable memory. AFAICT,
> to really hurt another guest, the guest under attack has to participate
> in the plot (by incorrectly mapping it's own devs as mem).
Why not RAM?
> Anyway, at the moment it seems like doing a device-tree compatiblity prop
> match for mmio-sram would be the path with least resistance...
I think this is a good solution until we figure out the behavior of
device memory mapped with wrong attribute.
Regards,
[1] http://xenbits.xen.org/xsa/advisory-124.html
[2] http://xenbits.xen.org/xsa/advisory-126.html
--
Julien Grall
next prev parent reply other threads:[~2015-05-20 14:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 5:16 xen/arm: On chip memory mappings Edgar E. Iglesias
2015-05-19 9:09 ` Ian Campbell
2015-05-19 9:23 ` Julien Grall
2015-05-20 13:40 ` Edgar E. Iglesias
2015-05-20 14:12 ` Julien Grall [this message]
2015-05-21 3:48 ` Edgar E. Iglesias
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555C9648.2000403@citrix.com \
--to=julien.grall@citrix.com \
--cc=edgar.iglesias@gmail.com \
--cc=ian.campbell@citrix.com \
--cc=stefano.stabellini@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.