From: Wei Liu <wei.liu2@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <ian.campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
PaulDurrant <Paul.Durrant@citrix.com>,
Anthony PERARD <anthony.perard@citrix.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Domctl and physdevop for passthrough (Was: Re: Stabilising some tools only HVMOPs?)
Date: Tue, 23 Feb 2016 17:55:30 +0000 [thread overview]
Message-ID: <20160223175530.GA23681@citrix.com> (raw)
In-Reply-To: <56CCA3F202000078000D5586@prv-mh.provo.novell.com>
On Tue, Feb 23, 2016 at 10:24:50AM -0700, Jan Beulich wrote:
> >>> On 23.02.16 at 18:09, <wei.liu2@citrix.com> wrote:
> > On Tue, Feb 23, 2016 at 08:46:14AM -0700, Jan Beulich wrote:
> >> >>> On 23.02.16 at 15:31, <wei.liu2@citrix.com> wrote:
> >> > On Mon, Feb 22, 2016 at 04:28:19AM -0700, Jan Beulich wrote:
> >> >> >>> On 19.02.16 at 17:05, <wei.liu2@citrix.com> wrote:
> >> >> > On Wed, Feb 17, 2016 at 05:28:08PM +0000, Wei Liu wrote:
> >> >> >> Hi all
> >> >> >>
> >> >> >> Tools people are in the process of splitting libxenctrl into a set of
> >> >> >> stable libraries. One of the proposed libraries is libxendevicemodel
> >> >> >> which has a collection of APIs that can be used by device model.
> >> >> >>
> >> >> >> Currently we use QEMU as reference to extract symbols and go through
> >> >> >> them one by one. Along the way we discover QEMU is using some tools
> >> >> >> only HVMOPs.
> >> >> >>
> >> >> >> The list of tools only HVMOPs used by QEMU are:
> >> >> >>
> >> >> >> #define HVMOP_track_dirty_vram 6
> >> >> >> #define HVMOP_modified_memory 7
> >> >> >> #define HVMOP_set_mem_type 8
> >> >> >> #define HVMOP_inject_msi 16
> >> >> >> #define HVMOP_create_ioreq_server 17
> >> >> >> #define HVMOP_get_ioreq_server_info 18
> >> >> >> #define HVMOP_map_io_range_to_ioreq_server 19
> >> >> >> #define HVMOP_unmap_io_range_from_ioreq_server 20
> >> >> >> #define HVMOP_destroy_ioreq_server 21
> >> >> >> #define HVMOP_set_ioreq_server_state 22
> >> >> >>
> >> >> >
> >> >> > In the process of ploughing through QEMU symbols, there are some domctls
> >> >> > and physdevops used to do passthrough. To make passthrough APIs in
> >> >> > libxendevicemodel we need to stabilise them as well. Can I use the same
> >> >> > trick __XEN_TOOLS_STABLE__ here? If not, what would be the preferred way
> >> >> > of doing this?
> >> >> >
> >> >> > PASSTHRU
> >> >> > `xc_domain_bind_pt_pci_irq` `XEN_DOMCTL_bind_pt_irq`
> >> >> > `xc_domain_ioport_mapping` `XEN_DOMCTL_ioport_mapping`
> >> >> > `xc_domain_memory_mapping` `XEN_DOMCTL_memory_mapping`
> >> >> > `xc_domain_unbind_msi_irq` `XEN_DOMCTL_unbind_pt_irq`
> >> >> > `xc_domain_unbind_pt_irq` `XEN_DOMCTL_unbind_pt_irq`
> >> >> > `xc_domain_update_msi_irq` `XEN_DOMCTL_bind_pt_irq`
> >> >> > `xc_physdev_map_pirq` `PHYSDEVOP_map_pirq`
> >> >> > `xc_physdev_map_pirq_msi` `PHYSDEVOP_map_pirq`
> >> >> > `xc_physdev_unmap_pirq` `PHYSDEVOP_unmap_pirq`
> >> >>
> >> >> Mechanically I would say yes, but anything here which is also on
> >> >> the XSA-77 waiver list would first need removing there (with
> >> >> proper auditing and, if necessary, fixing).
> >> >>
> >> >
> >> > I admit I failed to parse xsm-flask.txt and XSA-77 and its implication,
> >> > so let's take a concrete example instead.
> >> >
> >> > Say, now I need to stabilise XEN_DOMCTL_pin_mem_cacheattr, which is on
> >> > the list of domctls listed in xsm-flask.txt (presumably that's the
> >> > waiver list you talked about).
> >> >
> >> > You said "needs removing there", and xsm-flask.txt says "suops not
> >> > listed here are considered safe for disaggregation", so the implication
> >> > is that we need to make XEN_DOMCTL_pin_mem_cacheattr safe for
> >> > disaggregation in order to move it off the list. Is this correct?
> >>
> >> Yes.
> >>
> >> > And in order to make it safe for disaggregation, I need to add adequate
> >> > XSM checks for it. Is this correct?
> >>
> >> Well, that depends on what accessibility scope you mean to give
> >> it: If domains other than the hardware and control domain are
> >> meant to be permitted to access this with the dummy policy, then
> >
> > All the domctls and physdev ops are going to used by device model. So
> > it is going to be either Dom0 or stub device model domain.
>
> Right, but a stub domain needs to be treated as untrusted, so in
> a way it's even worse than tool stack disaggregation.
>
Yes, I agree.
> > I do notice the following paragraph in xsm-flask.txt:
> >
> > This policy does not apply to bugs which affect stub device models,
> > driver domains, or stub xenstored - even if those bugs do no worse
> > than reduce the security of such a system to one whose device models,
> > backend drivers, or xenstore, run in dom0.
> >
> > Not sure how it changes the perspective.
>
> This tightens things (whereas I get the impression you view it as
> relaxing them), in that issues in these interfaces which can be
> exploited by any of the named entities would still be security
> issues.
>
Indeed. I was thinking that relaxes things and got very confused
(couldn't even convince myself). Your explanation makes more sense.
Wei.
> Jan
next prev parent reply other threads:[~2016-02-23 17:55 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 17:28 Stabilising some tools only HVMOPs? Wei Liu
2016-02-18 10:24 ` Ian Campbell
2016-02-18 10:37 ` Jan Beulich
2016-02-18 10:45 ` Wei Liu
2016-02-18 10:53 ` Ian Campbell
2016-02-18 10:55 ` Wei Liu
2016-02-18 10:56 ` Jan Beulich
2016-02-18 10:31 ` Jan Beulich
2016-02-18 10:36 ` Wei Liu
2016-02-18 10:44 ` Ian Campbell
2016-02-18 10:55 ` Jan Beulich
2016-02-18 10:59 ` Wei Liu
2016-02-18 11:04 ` Jan Beulich
2016-02-18 12:51 ` Wei Liu
2016-02-18 16:28 ` Ian Jackson
2016-02-18 16:29 ` Wei Liu
2016-02-18 16:41 ` Jan Beulich
2016-02-18 16:45 ` Ian Jackson
2016-02-18 16:49 ` Wei Liu
2016-02-18 16:37 ` Ian Campbell
2016-02-19 16:05 ` Domctl and physdevop for passthrough (Was: Re: Stabilising some tools only HVMOPs?) Wei Liu
2016-02-22 11:28 ` Jan Beulich
2016-02-22 11:56 ` Wei Liu
2016-02-23 14:31 ` Wei Liu
2016-02-23 15:46 ` Jan Beulich
2016-02-23 17:09 ` Wei Liu
2016-02-23 17:24 ` Jan Beulich
2016-02-23 17:28 ` Jan Beulich
2016-02-23 17:55 ` Wei Liu [this message]
2016-02-29 12:23 ` Wei Liu
2016-02-29 12:29 ` Jan Beulich
2016-02-29 18:12 ` Wei Liu
2016-03-01 7:54 ` Jan Beulich
2016-03-01 10:52 ` Wei Liu
2016-03-01 11:10 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160223175530.GA23681@citrix.com \
--to=wei.liu2@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=Paul.Durrant@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=ian.campbell@citrix.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).