From: Anthony Liguori <anthony@codemonkey.ws>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] mark nic as trusted
Date: Wed, 07 Jan 2009 10:34:19 -0600 [thread overview]
Message-ID: <4964D98B.6030404@codemonkey.ws> (raw)
In-Reply-To: <20090107142626.GE3267@redhat.com>
Gleb Natapov wrote:
> This patch allows to mark specific nic as trusted by adding special
> PCI capability. "Trusted" means that it is used for communication
> between host and guest and no malicious entity can inject traffic
> to the nic.
>
> Signed-off-by: Gleb Natapov <gleb@redhat.com>
>
What utility does this have? Does this make Windows happy in some
special way?
Regards,
Anthony Liguori
> diff --git a/hw/e1000.c b/hw/e1000.c
> index c326671..ea4d824 100644
> --- a/hw/e1000.c
> +++ b/hw/e1000.c
> @@ -1045,6 +1045,9 @@ pci_e1000_init(PCIBus *bus, NICInfo *nd, int devfn)
>
> pci_conf[0x3d] = 1; // interrupt pin 0
>
> + if (nd->secure_cookie[0])
> + pci_add_capability(&d->dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> d->mmio_index = cpu_register_io_memory(0, e1000_mmio_read,
> e1000_mmio_write, d);
>
> diff --git a/hw/eepro100.c b/hw/eepro100.c
> index cb3ca09..654b389 100644
> --- a/hw/eepro100.c
> +++ b/hw/eepro100.c
> @@ -1754,6 +1754,9 @@ static void nic_init(PCIBus * bus, NICInfo * nd,
>
> pci_reset(s);
>
> + if (nd->secure_cookie[0])
> + pci_add_capability(&d->dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
> * i82559 and later support 64 or 256 word EEPROM. */
> s->eeprom = eeprom93xx_new(EEPROM_SIZE);
> diff --git a/hw/ne2000.c b/hw/ne2000.c
> index 3f0ccf5..c3f4e22 100644
> --- a/hw/ne2000.c
> +++ b/hw/ne2000.c
> @@ -806,6 +806,10 @@ void pci_ne2000_init(PCIBus *bus, NICInfo *nd, int devfn)
>
> pci_register_io_region(&d->dev, 0, 0x100,
> PCI_ADDRESS_SPACE_IO, ne2000_map);
> +
> + if (nd->secure_cookie[0])
> + pci_add_capability(&d->dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> s = &d->ne2000;
> s->irq = d->dev.irq[0];
> s->pci_dev = (PCIDevice *)d;
> diff --git a/hw/pci.c b/hw/pci.c
> index 8252d21..05bfa4b 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -536,6 +536,23 @@ static void pci_set_irq(void *opaque, int irq_num, int level)
> bus->set_irq(bus->irq_opaque, irq_num, bus->irq_count[irq_num] != 0);
> }
>
> +int pci_add_capability(PCIDevice *d, uint8_t cap_id, uint8_t off, uint8_t *buf,
> + int len)
> +{
> + uint16_t status = le16_to_cpu(*(uint16_t*)(d->config + 0x06));
> +
> + if (off + len + 2 > 0x100 || off < 0x40)
> + return -1;
> +
> + d->config[0x06] = cpu_to_le16(status | 0x10);
> + d->config[off] = cap_id;
> + d->config[off + 1] = d->config[0x34];
> + d->config[0x34] = off;
> + memcpy(d->config + off + 2, buf, len);
> +
> + return 0;
> +}
> +
> /***********************************************************/
> /* monitor info on PCI */
>
> diff --git a/hw/pci.h b/hw/pci.h
> index 3b1caf5..87132ca 100644
> --- a/hw/pci.h
> +++ b/hw/pci.h
> @@ -117,6 +117,8 @@ typedef void (*pci_set_irq_fn)(qemu_irq *pic, int irq_num, int level);
> typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
> PCIBus *pci_register_bus(pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
> qemu_irq *pic, int devfn_min, int nirq);
> +int pci_add_capability(PCIDevice *d, uint8_t cap_id, uint8_t off, uint8_t *buf,
> + int len);
>
> void pci_nic_init(PCIBus *bus, NICInfo *nd, int devfn);
> void pci_data_write(void *opaque, uint32_t addr, uint32_t val, int len);
> diff --git a/hw/pcnet.c b/hw/pcnet.c
> index 30c453c..990afb2 100644
> --- a/hw/pcnet.c
> +++ b/hw/pcnet.c
> @@ -2024,6 +2024,9 @@ void pci_pcnet_init(PCIBus *bus, NICInfo *nd, int devfn)
> pci_conf[0x3e] = 0x06;
> pci_conf[0x3f] = 0xff;
>
> + if (nd->secure_cookie[0])
> + pci_add_capability(&d->dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> /* Handler for memory-mapped I/O */
> d->mmio_index =
> cpu_register_io_memory(0, pcnet_mmio_read, pcnet_mmio_write, d);
> diff --git a/hw/rtl8139.c b/hw/rtl8139.c
> index c3ab854..6e4c44f 100644
> --- a/hw/rtl8139.c
> +++ b/hw/rtl8139.c
> @@ -3423,6 +3423,9 @@ void pci_rtl8139_init(PCIBus *bus, NICInfo *nd, int devfn)
> pci_conf[0x3d] = 1; /* interrupt pin 0 */
> pci_conf[0x34] = 0xdc;
>
> + if (nd->secure_cookie[0])
> + pci_add_capability(&d->dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> s = &d->rtl8139;
>
> /* I/O handler for memory-mapped I/O */
> diff --git a/hw/virtio-net.c b/hw/virtio-net.c
> index 1f45b2d..186c6bd 100644
> --- a/hw/virtio-net.c
> +++ b/hw/virtio-net.c
> @@ -309,6 +309,9 @@ PCIDevice *virtio_net_init(PCIBus *bus, NICInfo *nd, int devfn)
> if (!n)
> return NULL;
>
> + if (nd->secure_cookie[0])
> + pci_add_capability(&n->vdev.pci_dev, 0x0f, 0xf0, nd->secure_cookie, 14);
> +
> n->vdev.get_config = virtio_net_update_config;
> n->vdev.get_features = virtio_net_get_features;
> n->vdev.set_features = virtio_net_set_features;
> diff --git a/net.c b/net.c
> index 6af4255..000768f 100644
> --- a/net.c
> +++ b/net.c
> @@ -1474,6 +1474,11 @@ int net_client_init(const char *device, const char *p)
> if (get_param_value(buf, sizeof(buf), "model", p)) {
> nd->model = strdup(buf);
> }
> + if (get_param_value(buf, sizeof(buf), "trusted", p)) {
> + strncpy(nd->secure_cookie, buf, sizeof(nd->secure_cookie));
> + } else {
> + nd->secure_cookie[0] = NULL;
> + }
> nd->vlan = vlan;
> nb_nics++;
> vlan->nb_guest_devs++;
> diff --git a/net.h b/net.h
> index 31c7a30..e57e6e5 100644
> --- a/net.h
> +++ b/net.h
> @@ -50,6 +50,7 @@ struct NICInfo {
> uint8_t macaddr[6];
> const char *model;
> VLANState *vlan;
> + uint8_t secure_cookie[14];
> };
>
> extern int nb_nics;
> --
> Gleb.
>
>
>
next prev parent reply other threads:[~2009-01-07 16:34 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-07 14:26 [Qemu-devel] [PATCH] mark nic as trusted Gleb Natapov
2009-01-07 15:04 ` Mark McLoughlin
2009-01-07 15:19 ` Gleb Natapov
2009-01-07 15:41 ` Mark McLoughlin
2009-01-07 16:02 ` Gleb Natapov
2009-01-07 16:34 ` Anthony Liguori [this message]
2009-01-07 16:50 ` Gleb Natapov
2009-01-07 17:53 ` Anthony Liguori
2009-01-07 17:54 ` Anthony Liguori
2009-01-07 18:41 ` Gleb Natapov
2009-01-07 19:26 ` Anthony Liguori
2009-01-07 19:46 ` Gleb Natapov
2009-01-08 19:58 ` Anthony Liguori
2009-01-08 21:26 ` Gleb Natapov
2009-01-08 21:42 ` Anthony Liguori
2009-01-08 22:49 ` Jamie Lokier
2009-01-08 23:14 ` Dor Laor
2009-01-09 10:41 ` Daniel P. Berrange
2009-01-10 2:18 ` Jamie Lokier
2009-01-10 18:22 ` Anthony Liguori
2009-01-11 4:55 ` Jamie Lokier
2009-01-11 7:10 ` Blue Swirl
2009-01-11 14:08 ` Carl-Daniel Hailfinger
2009-01-11 15:07 ` Dor Laor
2009-01-11 15:34 ` Blue Swirl
2009-01-11 16:01 ` Dor Laor
2009-01-12 2:20 ` Jamie Lokier
2009-01-12 8:05 ` Gleb Natapov
2009-01-12 12:26 ` Dor Laor
2009-01-10 2:27 ` Jamie Lokier
2009-01-08 23:26 ` Anthony Liguori
2009-01-10 2:31 ` Jamie Lokier
2009-01-10 18:24 ` Anthony Liguori
2009-01-11 4:40 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4964D98B.6030404@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).