xen-devel.lists.xenproject.org archive mirror
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Julien Grall <julien.grall@linaro.org>,
	Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: "paolo.valente@unimore.it" <paolo.valente@unimore.it>,
	Keir Fraser <keir@xen.org>,
	Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
	Tim Deegan <tim@xen.org>,
	Dario Faggioli <dario.faggioli@citrix.com>,
	"xen.org" <Ian.Jackson@eu.citrix.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
	Julien Grall <julien.grall@citrix.com>,
	Eric Trudeau <etrudeau@broadcom.com>,
	Jan Beulich <JBeulich@suse.com>,
	Arianna Avanzini <avanzini.arianna@gmail.com>,
	"viktor.kleinik@globallogic.com" <viktor.kleinik@globallogic.com>
Subject: Re: [PATCH v4 7/7] tools, libxl: handle the iomem parameter with the memory_mapping hcall
Date: Tue, 01 Apr 2014 16:52:12 -0400	[thread overview]
Message-ID: <533B26FC.8040205@tycho.nsa.gov> (raw)
In-Reply-To: <CAPnVf8xnqGKtBwdk6Nd0b-NMJsncQXu4pHTM8Yf+Uss3EPdQKg@mail.gmail.com>

On 04/01/2014 11:26 AM, Julien Grall wrote:
> On 1 April 2014 16:13, Ian Campbell <Ian.Campbell@eu.citrix.com> wrote:
>> On Tue, 2014-03-25 at 03:02 +0100, Arianna Avanzini wrote:
>>> Currently, the configuration-parsing code concerning the handling of the
>>> iomem parameter only invokes the XEN_DOMCTL_iomem_permission hypercall.
>>> This commit lets the XEN_DOMCTL_memory_mapping hypercall be invoked
>>> after XEN_DOMCTL_iomem_permission when the iomem parameter is parsed
>>> from a domU configuration file, so that the address range can be mapped
>>> to the address space of the domU. The hypercall is invoked only in case
>>> of domains using an auto-translated physmap.
>>
>> Sorry for not noticing this sooner but I've just been looking at this
>> again and it seems that XEN_DOMCTL_memory_mapping is a superset of
>> XEN_DOMCTL_iomem_permission.
>>
>> AFAICT XEN_DOMCTL_memory_mapping does exactly the same
>> iomem_{permit,deny}_access as XEN_DOMCTL_iomem_permission and then iff
>> the guest is paging_mode_translate sets up a p2m mapping for it.
>> (There's also some extra debug logging, let's ignore it).
>>
>> IOW could the toolstack's existing call to XEN_DOMCTL_iomem_permission
>> not be completely replaced with a call to XEN_DOMCTL_memory_mapping and
>> have exactly the same effect as this patch, without the need for the
>> toolstack to infer the paging mode of the guest?
>>
>> I think the answer is yes, can someone confirm?
>
> For x86 HVM, AFAIU only QEMU knows the memory layout of the guest.
> So we can't call XEN_DOMCTL_memory_mapping here (at least map
> the range in the p2m).
>
>> One subtle distinction is that it appears that XEN_DOMCTL_memory_mapping
>> cannot grant access to mfns for which it does not it self have access.
>> That seems reasonable though.
>>
>> In fact the fact that XEN_DOMCTL_iomem_permission does not make this
>> check could be a security issue -- a domain with permission to build
>> domains could construct a sock puppet domain which it could give access
>> to ports which it cannot see. Or maybe this is deliberate and isolates
>> the builder domain from needing h/w permissions, in which case is
>> XEN_DOMCTL_memory_mapping wrong? Daniel?
>
> I think XEN_DOMCTL_memory_mapping is correct (and therefore
> XEN_DOMCTL_iomem_permission wrong). It makes sense with the
> builder domain patch series from Daniel:
> see http://lists.xen.org/archives/html/xen-devel/2014-03/msg03553.html

Currently, XEN_DOMCTL_memory_mapping is allowed to device model domains
whereas XEN_DOMCTL_iomem_permission is restricted to dom0 only.  This is
probably the reason why an iomem_access_permitted check is not present
in XEN_DOMCTL_iomem_permission.

If FLASK is enabled, both domctls do the same permission checking based
on the security label of the memory range: that the current domain has
the RESOURCE__{ADD,REMOVE}_IOMEM permission, and the target domain has
the RESOURCE__USE permission.  This prevents the sock-puppet method from
being used to permit arbitrary accesses to created domains, but requires
that these restrictions be done at the granularity of the security
labels, which may not be as flexible as preferred in some setups.

While the current design does allow for a domain builder to manage
resources that it cannot directly use on its own, I don't think this was
ever really a design decision.  There are few (if any) security gains
from being able to block a domain builder from accessing resources if it
can create domains that access these resources, since it can just create
sock-puppet domains or corrupt the domain with access.

I think changing XEN_DOMCTL_iomem_permission to require the current
domain to pass an iomem_access_permitted check before permitting access
is reasonable.  It will require some adjustments to my domain builder
series which currently relies on the old behavior, but those should be
fairly simple (cloning the rangesets instead of swapping).  If this
change is made, I think similar changes to the other rangeset domctls
(irq, ioport) should be done at the same time.

-- 
Daniel De Graaf
National Security Agency
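The distinction the thread turns on, a rangeset-based permission domctl that does or does not consult the caller's own I/O-memory rights, is shown below as an added, self-contained model. This is illustration code written for this page, not Xen source: real Xen keeps a per-domain rangeset (d->iomem_caps) and the domctl handlers call iomem_permit_access()/iomem_deny_access() on the target, with iomem_access_permitted() being the check Ian and Daniel discuss. The rangeset implementation, the domain_t struct, the function names iomem_permission_unchecked/iomem_permission_checked, and the frame numbers used in the scenarios are all assumptions made for the example; the "sock puppet" scenario is the one described in Ian's reply.

```c
/* Added illustration (not Xen source): a minimal model of the rangeset-based
 * I/O-memory permission check discussed in the thread.  Only
 * iomem_access_permitted() is a name taken from Xen; everything else is an
 * assumption made for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_RANGES 16

typedef struct { uint64_t s, e; } range_t;      /* inclusive frame range */

typedef struct {
    range_t r[MAX_RANGES];
    int n;
} rangeset_t;

typedef struct {
    const char *name;
    rangeset_t iomem_caps;   /* frames this domain may map, cf. d->iomem_caps */
} domain_t;

/* True iff every frame in [s,e] lies inside one range of rs. */
static bool rangeset_contains(const rangeset_t *rs, uint64_t s, uint64_t e)
{
    for (int i = 0; i < rs->n; i++)
        if (s >= rs->r[i].s && e <= rs->r[i].e)
            return true;
    return false;
}

/* Insert [s,e]; ranges are kept disjoint by merging overlapping or
 * adjacent entries, so contains() works on ranges built up piecewise. */
static int rangeset_add(rangeset_t *rs, uint64_t s, uint64_t e)
{
    for (int i = 0; i < rs->n; i++) {
        range_t *cur = &rs->r[i];
        if (e + 1 >= cur->s && s <= cur->e + 1) {   /* overlaps or adjoins */
            range_t merged = { s < cur->s ? s : cur->s, e > cur->e ? e : cur->e };
            /* Drop the old entry and re-insert the union so it can absorb
             * any further entries it now touches; n shrinks each time. */
            memmove(cur, cur + 1, (size_t)(rs->n - i - 1) * sizeof(range_t));
            rs->n--;
            return rangeset_add(rs, merged.s, merged.e);
        }
    }
    if (rs->n == MAX_RANGES)
        return -ENOMEM;
    rs->r[rs->n++] = (range_t){ s, e };
    return 0;
}

/* iomem_access_permitted(d, s, e): may domain d itself touch frames [s,e]? */
static bool iomem_access_permitted(const domain_t *d, uint64_t s, uint64_t e)
{
    return rangeset_contains(&d->iomem_caps, s, e);
}

/* Model of the XEN_DOMCTL_iomem_permission behaviour described in the
 * thread: the caller's own rights are never consulted, so a domain that may
 * build domains can hand out frames it cannot access itself. */
static int iomem_permission_unchecked(domain_t *caller, domain_t *target,
                                      uint64_t s, uint64_t e)
{
    (void)caller;
    return rangeset_add(&target->iomem_caps, s, e);
}

/* Model of the proposed behaviour (and of what XEN_DOMCTL_memory_mapping is
 * said to do already): the caller must pass iomem_access_permitted() first. */
static int iomem_permission_checked(domain_t *caller, domain_t *target,
                                    uint64_t s, uint64_t e)
{
    if (!iomem_access_permitted(caller, s, e))
        return -EPERM;
    return rangeset_add(&target->iomem_caps, s, e);
}

/* Scenario from the thread: a builder domain with no access to a device's
 * frames creates a "sock puppet" domain and tries to grant it those frames.
 * Returns 1 if the puppet ended up with access, 0 otherwise.  Frame numbers
 * are constructed sample values. */
int sock_puppet_attack(bool use_checked_domctl)
{
    domain_t builder = { .name = "builder" };
    domain_t puppet  = { .name = "puppet" };
    rangeset_add(&builder.iomem_caps, 0x1000, 0x1fff);   /* builder's own caps */

    /* Device frames 0x9000..0x900f are not in the builder's rangeset. */
    int rc = use_checked_domctl
        ? iomem_permission_checked(&builder, &puppet, 0x9000, 0x900f)
        : iomem_permission_unchecked(&builder, &puppet, 0x9000, 0x900f);

    return rc == 0 && iomem_access_permitted(&puppet, 0x9000, 0x900f);
}

/* Legitimate delegation must still work under the checked variant: the
 * builder grants a sub-range of frames it does hold. */
int legitimate_delegation(void)
{
    domain_t builder = { .name = "builder" };
    domain_t guest   = { .name = "guest" };
    rangeset_add(&builder.iomem_caps, 0x1000, 0x1fff);
    int rc = iomem_permission_checked(&builder, &guest, 0x1800, 0x18ff);
    return rc == 0 && iomem_access_permitted(&guest, 0x1800, 0x18ff);
}

/* Sanity check on the merging rangeset: three overlapping/adjacent adds
 * collapse to one range covering 5..30. */
int rangeset_merge_check(void)
{
    rangeset_t rs = { .n = 0 };
    rangeset_add(&rs, 10, 20);
    rangeset_add(&rs, 21, 30);
    rangeset_add(&rs, 5, 12);
    return rs.n == 1 && rangeset_contains(&rs, 5, 30) && !rangeset_contains(&rs, 4, 30);
}
```

The model also shows why Daniel's note about FLASK matters: with the checked variant the decision is made per frame range against the caller's own rangeset, whereas FLASK's RESOURCE__{ADD,REMOVE}_IOMEM / RESOURCE__USE checks operate on the security label of the range, which is coarser. Both close the sock-puppet path; only the rangeset check does so without label-granularity policy.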

Thread overview: 50+ messages
2014-03-25  2:02 [PATCH v4 0/7] Implement the XEN_DOMCTL_memory_mapping hypercall for ARM Arianna Avanzini
2014-03-25  2:02 ` [PATCH v4 1/7] arch, arm: domain build: let dom0 access I/O memory of mapped devices Arianna Avanzini
2014-03-25 12:37   ` Julien Grall
2014-03-25  2:02 ` [PATCH v4 2/7] arch, arm: add consistency checks to REMOVE p2m changes Arianna Avanzini
2014-03-25 12:18   ` Stefano Stabellini
2014-03-25 12:51   ` Julien Grall
2014-03-25 13:10     ` Julien Grall
2014-03-25 17:41   ` Ian Campbell
2014-03-25  2:02 ` [PATCH v4 3/7] arch, arm: let map_mmio_regions() take pfn as parameters Arianna Avanzini
2014-03-25 12:22   ` Stefano Stabellini
2014-03-25 12:54     ` Julien Grall
2014-03-28 12:51       ` Arianna Avanzini
2014-03-28 13:31         ` Julien Grall
2014-03-25 13:00   ` Julien Grall
2014-03-25  2:02 ` [PATCH v4 4/7] xen, common: add the XEN_DOMCTL_memory_mapping hypercall Arianna Avanzini
2014-03-25  9:33   ` Jan Beulich
2014-03-28 13:24     ` Arianna Avanzini
2014-03-28 13:30       ` Jan Beulich
2014-03-25 12:35   ` Stefano Stabellini
2014-03-25 14:10     ` Jan Beulich
2014-03-25 15:10       ` Stefano Stabellini
2014-03-25 15:36         ` Jan Beulich
2014-03-25 15:42           ` Stefano Stabellini
2014-04-01 15:01             ` Ian Campbell
2014-04-01 15:18               ` Jan Beulich
2014-04-01 15:37                 ` Ian Campbell
2014-03-25 13:17   ` Julien Grall
2014-04-01 14:52     ` Ian Campbell
2014-04-01 15:16       ` Julien Grall
2014-04-01 15:39         ` Ian Campbell
2014-04-01 16:00           ` Julien Grall
2014-04-02  9:43             ` Ian Campbell
2014-04-02 10:06               ` Jan Beulich
2014-04-02 10:19                 ` Ian Campbell
2014-04-02 10:53                   ` Jan Beulich
2014-04-05 12:08                     ` Arianna Avanzini
2014-04-06 16:23                       ` Stefano Stabellini
2014-04-07  7:01                       ` Jan Beulich
2014-03-25  2:02 ` [PATCH v4 5/7] tools, libxl: parse optional start gfn from the iomem config option Arianna Avanzini
2014-03-25 15:39   ` Julien Grall
2014-03-25 15:45     ` Julien Grall
2014-03-25 16:27     ` Ian Campbell
2014-03-25  2:02 ` [PATCH v4 6/7] tools, libxl: add helpers to establish if guest is auto-translated Arianna Avanzini
2014-03-25  2:02 ` [PATCH v4 7/7] tools, libxl: handle the iomem parameter with the memory_mapping hcall Arianna Avanzini
2014-04-01 15:13   ` Ian Campbell
2014-04-01 15:26     ` Julien Grall
2014-04-01 15:34       ` Ian Campbell
2014-04-01 20:52       ` Daniel De Graaf [this message]
2014-04-02  9:45         ` Ian Campbell
2014-04-02 14:14           ` Daniel De Graaf
