From: Julien Grall <julien.grall@citrix.com>
To: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
Julien Grall <julien.grall@citrix.com>
Cc: stefano.stabellini@citrix.com,
Ian Campbell <ian.campbell@citrix.com>,
xen-devel@lists.xen.org
Subject: Re: xen/arm: On chip memory mappings
Date: Wed, 20 May 2015 15:12:24 +0100 [thread overview]
Message-ID: <555C9648.2000403@citrix.com> (raw)
In-Reply-To: <20150520134012.GD13061@toto>
On 20/05/15 14:40, Edgar E. Iglesias wrote:
> Thanks for the pointers,
>
> I agree that fundamental differences like these beteween v7 and v8 wouldn't
> be good.
I didn't find any fundamental differences for device memory behavior in
the spec.
> Possible unpredictable behaviour is worrysome...
> I'm not aware of anything in the ARM architecture specs that would
> cause it in this respect, but I may be missing something.
AFAICT there is nothing in the spec which describe the behavior of a
region access with wrong memory attribute (i.e normal, device, strong).
I guess this would be described in the memory bus or processor spec.
> There might also very well be device/slave specific unpredictability.
> E.g unpredictable behaviour on specific AXI access patterns
> (bursts, sizes etc) to specific devices...
> On the other hand, I suppose giving direct device access to a guest
> carries some kind of trust to behave nicely with the device.
The trust to the device is very limited. We got several Xen Security
Advisory ([1] [2] ...) related to PCI passthrough.
I agree that the guest may act badly with the device, although we don't
want to give him the opportunity to act more badly with a device and the
possibility to access another guest memory.
> I'm not sure I understand Christoffers arguments though.
It's not clear what is the behavior of a device memory mapped with
normal attribute. Many issue can appear.
Unless the behavior is clearly written in the spec, we should take the
worst case and not the best.
> A well behaved guest will map it's devices as DEVICE and there
> won't be any difference at all wether S2 maps them as dev or mem.
Agree.
> A malicious guest could map things as cached memory and try to cause
> cached accesses from other guests to flush out. But these cached accesses
> would only contain data for other guests mapped as cacheable memory. AFAICT,
> to really hurt another guest, the guest under attack has to participate
> in the plot (by incorrectly mapping it's own devs as mem).
Why not RAM?
> Anyway, at the moment it seems like doing a device-tree compatiblity prop
> match for mmio-sram would be the path with least resistance...
I think this is a good solution until we figure out the behavior of
device memory mapped with wrong attribute.
Regards,
[1] http://xenbits.xen.org/xsa/advisory-124.html
[2] http://xenbits.xen.org/xsa/advisory-126.html
--
Julien Grall
next prev parent reply other threads:[~2015-05-20 14:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 5:16 xen/arm: On chip memory mappings Edgar E. Iglesias
2015-05-19 9:09 ` Ian Campbell
2015-05-19 9:23 ` Julien Grall
2015-05-20 13:40 ` Edgar E. Iglesias
2015-05-20 14:12 ` Julien Grall [this message]
2015-05-21 3:48 ` Edgar E. Iglesias
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555C9648.2000403@citrix.com \
--to=julien.grall@citrix.com \
--cc=edgar.iglesias@gmail.com \
--cc=ian.campbell@citrix.com \
--cc=stefano.stabellini@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).