[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] Update documentation to describe new PCI front/back drivers.



# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 90ebc45e1bd80150f1ab75eee9d0c74ea882bec5
# Parent  7c720ccec00a26a287eb2e9353e4aa2dd7b5f66b
Update documentation to describe new PCI front/back drivers.

Update the documentation to include the syntax of "hiding" a PCI
device from domain 0 and for specifying the assignment of a PCI device
to a driver domain. It also includes a brief section exploring some of
the security concerns that driver domains address and mentioning some
of those that remain.

Signed-off-by: Ryan Wilson <hap9@xxxxxxxxxxxxxx>

diff -r 7c720ccec00a -r 90ebc45e1bd8 docs/src/user.tex
--- a/docs/src/user.tex Thu Feb 16 22:46:51 2006
+++ b/docs/src/user.tex Thu Feb 16 22:47:58 2006
@@ -1191,6 +1191,65 @@
 integrate with existing bridges) these scripts may be replaced with
 customized variants for your site's preferred configuration.
 
+\section{Driver Domain Configuration}
+\label{s:ddconf}
+
+\subsection{PCI}
+\label{ss:pcidd}
+
+Individual PCI devices can be assigned to a given domain to allow that
+domain direct access to the PCI hardware. To use this functionality, ensure
+that the PCI Backend is compiled in to a privileged domain (e.g. domain 0)
+and that the domains which will be assigned PCI devices have the PCI Frontend
+compiled in. In XenLinux, the PCI Backend is available under the Xen
+configuration section while the PCI Frontend is under the
+architecture-specific "Bus Options" section. You may compile both the backend
+and the frontend into the same kernel; they will not affect each other.
+
+The PCI devices you wish to assign to unprivileged domains must be "hidden"
+from your backend domain (usually domain 0) so that it does not load a driver
+for them. Use the \path{pciback.hide} kernel parameter which is specified on
+the kernel command-line and is configurable through GRUB (see
+Section~\ref{s:configure}). Note that devices are not really hidden from the
+backend domain. The PCI Backend ensures that no other device driver loads
+for those devices. PCI devices are identified by hexadecimal
+slot/funciton numbers (on Linux, use \path{lspci} to determine slot/funciton
+numbers of your devices) and can be specified with or without the PCI domain: 
\\
+\centerline{  {\tt ({\em bus}:{\em slot}.{\em func})} example {\tt (02:1d.3)}} 
\\
+\centerline{  {\tt ({\em domain}:{\em bus}:{\em slot}.{\em func})} example 
{\tt (0000:02:1d.3)}} \\
+
+An example kernel command-line which hides two PCI devices might be: \\
+\centerline{ {\tt root=/dev/sda4 ro console=tty0 
pciback.hide=(02:01.f)(0000:04:1d.0) } } \\
+
+To configure a domU to receive a PCI device:
+
+\begin{description}
+\item[Command-line:]
+  Use the {\em pci} command-line flag. For multiple devices, use the option
+  multiple times. \\
+\centerline{  {\tt xm create netcard-dd pci=01:00.0 pci=02:03.0 }} \\
+
+\item[Flat Format configuration file:]
+  Specify all of your PCI devices in a python list named {\em pci}. \\
+\centerline{  {\tt pci=['01:00.0','02:03.0'] }} \\
+
+\item[SXP Format configuration file:]
+  Use a single PCI device section for all of your devices (specify the numbers
+  in hexadecimal with the preceding '0x'). Note that {\em domain} here refers
+  to the PCI domain, not a virtual machine within Xen.
+{\small
+\begin{verbatim}
+(device (pci
+    (dev (domain 0x0)(bus 0x3)(slot 0x1a)(func 0x1)
+    (dev (domain 0x0)(bus 0x1)(slot 0x5)(func 0x0)
+)
+\end{verbatim}
+}
+\end{description}
+
+There are a number of security concerns associated with PCI Driver Domains
+that you can read about in Section~\ref{s:ddsecurity}.
+
 %% There are two possible types of privileges: IO privileges and
 %% administration privileges.
 
@@ -1595,6 +1654,63 @@
   users to access Domain-0 (even as unprivileged users) you run the risk
   of a kernel exploit making all of your domains vulnerable.
 \end{enumerate}
+
+\section{Driver Domain Security Considerations}
+\label{s:ddsecurity}
+
+Driver domains address a range of security problems that exist regarding
+the use of device drivers and hardware. On many operating systems in common
+use today, device drivers run within the kernel with the same privileges as
+the kernel. Few or no mechanisms exist to protect the integrity of the kernel
+from a misbehaving (read "buggy") or malicious device driver. Driver
+domains exist to aid in isolating a device driver within its own virtual
+machine where it cannot affect the stability and integrity of other
+domains. If a driver crashes, the driver domain can be restarted rather than
+have the entire machine crash (and restart) with it. Drivers written by
+unknown or untrusted third-parties can be confined to an isolated space.
+Driver domains thus address a number of security and stability issues with
+device drivers.
+
+However, due to limitations in current hardware, a number of security
+concerns remain that need to be considered when setting up driver domains (it
+should be noted that the following list is not intended to be exhaustive).
+
+\begin{enumerate}
+\item \textbf{Without an IOMMU, a hardware device can DMA to memory regions
+  outside of its controlling domain.} Architectures which do not have an
+  IOMMU (e.g. most x86-based platforms) to restrict DMA usage by hardware
+  are vulnerable. A hardware device which can perform arbitrary memory reads
+  and writes can read/write outside of the memory of its controlling domain.
+  A malicious or misbehaving domain could use a hardware device it controls
+  to send data overwriting memory in another domain or to read arbitrary
+  regions of memory in another domain.
+\item \textbf{Shared buses are vulnerable to sniffing.} Devices that share
+  a data bus can sniff (and possible spoof) each others' data. Device A that
+  is assigned to Domain A could eavesdrop on data being transmitted by
+  Domain B to Device B and then relay that data back to Domain A.
+\item \textbf{Devices which share interrupt lines can either prevent the
+  reception of that interrupt by the driver domain or can trigger the
+  interrupt service routine of that guest needlessly.} A devices which shares
+  a level-triggered interrupt (e.g. PCI devices) with another device can
+  raise an interrupt and never clear it. This effectively blocks other devices
+  which share that interrupt line from notifying their controlling driver
+  domains that they need to be serviced. A device which shares an
+  any type of interrupt line can trigger its interrupt continually which
+  forces execution time to be spent (in multiple guests) in the interrupt
+  service routine (potentially denying time to other processes within that
+  guest). System architectures which allow each device to have its own
+  interrupt line (e.g. PCI's Message Signaled Interrupts) are less
+  vulnerable to this denial-of-service problem.
+\item \textbf{Devices may share the use of I/O memory address space.} Xen can
+  only restrict access to a device's physical I/O resources at a certain
+  granularity. For interrupt lines and I/O port address space, that
+  granularity is very fine (per interrupt line and per I/O port). However,
+  Xen can only restrict access to I/O memory address space on a page size
+  basis. If more than one device shares use of a page in I/O memory address
+  space, the domains to which those devices are assigned will be able to
+  access the I/O memory address space of each other's devices.
+\end{enumerate}
+
 
 \section{Security Scenarios}
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.