Re: [PATCH 0/11] Xen PCI Passthrough security fixes

[Ian Campbell <ian.campbell@citrix.com>]

On Tue, 2015-06-02 at 16:08 +0100, Stefano Stabellini wrote:
> the following is a collection of QEMU security fixes for PCI Passthrough
> on Xen.

Part of this locks down the PCI cfg space emulation, which means we now
need a way for people to request the old "permissive" behaviour for
devices which need it. Per the xl docs:
        It is recommended to enable this option only for trusted VMs
        under administrator control.

The toolstack (libxl, xl etc) already support a permissive flag in the
domain cfg, and this series adds a new device property. All we need to
do is tie them together.

The simple version is below. I also have an incremental update which
uses the QMP device-list-properties command to probe for the presence of
this property (so things can automatically work with unpatches qemu). I
think it's not really necessary in this case.

Ian.

-----8>---------

>From c395657b03a1e2b7616d987e7078694874981979 Mon Sep 17 00:00:00 2001
From: Ian Campbell <ian.campbell@citrix.com>
Date: Mon, 1 Jun 2015 11:32:23 +0100
Subject: [PATCH] tools: libxl: allow permissive qemu-upstream pci
 passthrough.

EMBARGOED UNTIL 2015-06-02 12:00 (WITH XSA-131 ET AL)

Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In
order to allow local configuration of the existing libxl_device_pci
"permissive" flag needs to be plumbed through via the new QMP property
added by the XSA-131 patches.

Versions of QEMU prior to XSA-131 did not support this permissive
property, so we only pass it if it is true. Older versions only
supported permissive mode.

qemu-xen-traditional already supports the permissive mode setting via
xenstore.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Anthony PERARD <anthony.perard@citrix.com>
---
v2: Only set argument if permissive==true.
---
 tools/libxl/libxl_qmp.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
index 9aa7e2e..6484f5e 100644
--- a/tools/libxl/libxl_qmp.c
+++ b/tools/libxl/libxl_qmp.c
@@ -849,6 +849,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, int domid, libxl_device_pci *pcidev)
         QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x",
                                PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn));
     }
+    /*
+     * Version of QEMU prior to the XSA-131 fix did not support this
+     * property and were effectively always in permissive mode. The
+     * fix for XSA-131 switched the default to be restricted by
+     * default and added the permissive property.
+     *
+     * Therefore in order to support both old and new QEMU we only set
+     * the permissive flag if it is true. Users of older QEMU have no
+     * reason to set the flag so this is ok.
+     */
+    if (pcidev->permissive)
+        qmp_parameters_add_bool(gc, &args, "permissive", true);
 
     rc = qmp_synchronous_send(qmp, "device_add", args,
                               NULL, NULL, qmp->timeout);
-- 
1.7.10.4