
[xen staging] tools/libxl: report trusted backend status to frontends



commit 54d8f27d0477937e1f99a414fc1ffd93d184b38a
Author:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Fri Apr 8 10:21:11 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jul 5 14:16:26 2022 +0200

    tools/libxl: report trusted backend status to frontends
    
    Allow administrators to notify a frontend driver that its backend
    counterpart is not to be trusted, so the frontend can deploy whatever
    mitigations are required in order to secure itself.
    
    Allow such option for disk and network frontends only, as those are
    the only hardened ones currently supported.
    
    This is part of XSA-403
    
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---
 docs/man/xl-disk-configuration.5.pod.in    | 29 +++++++++++++++++++++++++++++
 docs/man/xl-network-configuration.5.pod.in |  9 +++++++++
 tools/include/libxl.h                      |  8 ++++++++
 tools/libs/light/libxl_disk.c              |  3 +++
 tools/libs/light/libxl_nic.c               |  5 +++++
 tools/libs/light/libxl_types.idl           |  6 ++++--
 tools/libs/util/libxlu_disk_l.l            |  3 +++
 tools/xl/check-xl-disk-parse               | 26 ++++++++++++++++++++++++++
 tools/xl/check-xl-vif-parse                | 18 ++++++++++++++++++
 tools/xl/xl_parse.c                        |  4 ++++
 xen/include/public/io/blkif.h              |  8 ++++++++
 xen/include/public/io/netif.h              |  6 ++++++
 12 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/docs/man/xl-disk-configuration.5.pod.in 
b/docs/man/xl-disk-configuration.5.pod.in
index 71d0e86e3d..95d039655a 100644
--- a/docs/man/xl-disk-configuration.5.pod.in
+++ b/docs/man/xl-disk-configuration.5.pod.in
@@ -344,6 +344,35 @@ can be used to disable "hole punching" for file based 
backends which
 were intentionally created non-sparse to avoid fragmentation of the
 file.
 
+=item B<trusted> / B<untrusted>
+
+=over 4
+
+=item Description
+
+Reports whether the backend should be trusted by the frontend
+
+=item Supported values
+
+trusted, untrusted
+
+=item Mandatory
+
+No
+
+=item Default value
+
+trusted
+
+=back
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted.  The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
+
 =back
 
 
diff --git a/docs/man/xl-network-configuration.5.pod.in 
b/docs/man/xl-network-configuration.5.pod.in
index cf92d7960c..f3e379bcf8 100644
--- a/docs/man/xl-network-configuration.5.pod.in
+++ b/docs/man/xl-network-configuration.5.pod.in
@@ -258,3 +258,12 @@ NOTE: This should not be set unless you have a reason to.
 Specifies the MTU (i.e. the maximum size of an IP payload, exclusing headers). 
The
 default value is 1500 but, if the VIF is attached to a bridge, it will be set 
to match
 unless overridden by this parameter.
+
+=head2 trusted / untrusted
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted.  The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
diff --git a/tools/include/libxl.h b/tools/include/libxl.h
index 7ce978e83c..835dfabc50 100644
--- a/tools/include/libxl.h
+++ b/tools/include/libxl.h
@@ -527,6 +527,14 @@
  */
 #define LIBXL_HAVE_MAX_GRANT_VERSION 1
 
+/*
+ * LIBXL_HAVE_{DISK,NIC}_TRUSTED indicates that the libxl_device_disk and
+ * libxl_device_nic structs have a field to signal whether the backend of the
+ * device is to be trusted.  Such information is propagated to the frontend.
+ */
+#define LIBXL_HAVE_DISK_TRUSTED 1
+#define LIBXL_HAVE_NIC_TRUSTED 1
+
 /*
  * libxl ABI compatibility
  *
diff --git a/tools/libs/light/libxl_disk.c b/tools/libs/light/libxl_disk.c
index a5ca77850f..9da2b2ed27 100644
--- a/tools/libs/light/libxl_disk.c
+++ b/tools/libs/light/libxl_disk.c
@@ -159,6 +159,7 @@ static int libxl__device_disk_setdefault(libxl__gc *gc, 
uint32_t domid,
     libxl_defbool_setdefault(&disk->discard_enable, !!disk->readwrite);
     libxl_defbool_setdefault(&disk->colo_enable, false);
     libxl_defbool_setdefault(&disk->colo_restore_enable, false);
+    libxl_defbool_setdefault(&disk->trusted, true);
 
     rc = libxl__resolve_domid(gc, disk->backend_domname, &disk->backend_domid);
     if (rc < 0) return rc;
@@ -395,6 +396,8 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
         flexarray_append(front, GCSPRINTF("%d", device->devid));
         flexarray_append(front, "device-type");
         flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+        flexarray_append(front, "trusted");
+        flexarray_append(front, libxl_defbool_val(disk->trusted) ? "1" : "0");
 
         /*
          * Old PV kernel disk frontends before 2.6.26 rely on tool stack to
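Review bot: The xenstore node name `"trusted"` and its `"1"`/`"0"` encoding are written as bare literals here and again, verbatim, in the libxl_nic.c hunk in libxl__set_xenstore_nic, and both copies must stay in step with the protocol text added to blkif.h and netif.h. A single definition in a libxl-internal header (a constructed name such as `XENSTORE_NODE_TRUSTED` for the key) would keep the disk and NIC paths from silently diverging if the node is ever renamed or re-encoded. Writing the node into the `front` array is the right choice, since that is the directory the toolstack rather than the backend owns; it would be worth a one-line comment saying so, e.g. `/* Frontend path: the backend must not be able to assert its own trust. */`. device_disk_add's body starts and continues outside this hunk.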
diff --git a/tools/libs/light/libxl_nic.c b/tools/libs/light/libxl_nic.c
index 0b9e70c9d1..d6bf06fc34 100644
--- a/tools/libs/light/libxl_nic.c
+++ b/tools/libs/light/libxl_nic.c
@@ -116,6 +116,8 @@ static int libxl__device_nic_setdefault(libxl__gc *gc, 
uint32_t domid,
         abort();
     }
 
+    libxl_defbool_setdefault(&nic->trusted, true);
+
     return rc;
 }
 
@@ -255,6 +257,9 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t 
domid,
     flexarray_append(back, "hotplug-status");
     flexarray_append(back, "");
 
+    flexarray_append(front, "trusted");
+    flexarray_append(front, libxl_defbool_val(nic->trusted) ? "1" : "0");
+
     return 0;
 }
 
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index 2a42da2f7d..89962218b4 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -712,7 +712,8 @@ libxl_device_disk = Struct("device_disk", [
     ("colo_port", integer),
     ("colo_export", string),
     ("active_disk", string),
-    ("hidden_disk", string)
+    ("hidden_disk", string),
+    ("trusted", libxl_defbool),
     ])
 
 libxl_device_nic = Struct("device_nic", [
@@ -780,7 +781,8 @@ libxl_device_nic = Struct("device_nic", [
     ("colo_filter_sec_redirector1_outdev", string),
     ("colo_filter_sec_rewriter0_queue", string),
     ("colo_checkpoint_host", string),
-    ("colo_checkpoint_port", string)
+    ("colo_checkpoint_port", string),
+    ("trusted", libxl_defbool),
     ])
 
 libxl_device_pci = Struct("device_pci", [
diff --git a/tools/libs/util/libxlu_disk_l.l b/tools/libs/util/libxlu_disk_l.l
index 3bd639aab0..e115460d99 100644
--- a/tools/libs/util/libxlu_disk_l.l
+++ b/tools/libs/util/libxlu_disk_l.l
@@ -208,6 +208,9 @@ colo-export=[^,]*,? { STRIP(','); SAVESTRING("colo-export", 
colo_export, FROMEQU
 active-disk=[^,]*,?    { STRIP(','); SAVESTRING("active-disk", active_disk, 
FROMEQUALS); }
 hidden-disk=[^,]*,?    { STRIP(','); SAVESTRING("hidden-disk", hidden_disk, 
FROMEQUALS); }
 
+trusted,?              { libxl_defbool_set(&DPC->disk->trusted, true); }
+untrusted,?            { libxl_defbool_set(&DPC->disk->trusted, false); }
+
  /* the target magic parameter, eats the rest of the string */
 
 target=.*      { STRIP(','); SAVESTRING("target", pdev_path, FROMEQUALS); }
diff --git a/tools/xl/check-xl-disk-parse b/tools/xl/check-xl-disk-parse
index 643f4f4ecb..18fb66940a 100755
--- a/tools/xl/check-xl-disk-parse
+++ b/tools/xl/check-xl-disk-parse
@@ -178,4 +178,30 @@ disk: {
 END
 one 0  cdrom no-discard vdev=hda target=/some/disk/image.iso
 
+# test setting trusted
+expected <<END
+disk: {
+    "pdev_path": "/some/disk/image.raw",
+    "vdev": "hda",
+    "format": "raw",
+    "readwrite": 1,
+    "trusted": "True"
+}
+
+END
+one 0  trusted vdev=hda target=/some/disk/image.raw
+
+# test setting untrusted
+expected <<END
+disk: {
+    "pdev_path": "/some/disk/image.raw",
+    "vdev": "hda",
+    "format": "raw",
+    "readwrite": 1,
+    "trusted": "False"
+}
+
+END
+one 0  untrusted vdev=hda target=/some/disk/image.raw
+
 complete
diff --git a/tools/xl/check-xl-vif-parse b/tools/xl/check-xl-vif-parse
index 04bd9463d8..d666408d4d 100755
--- a/tools/xl/check-xl-vif-parse
+++ b/tools/xl/check-xl-vif-parse
@@ -160,4 +160,22 @@ one $e rate=4296MB/s@4294s
 expected </dev/null
 one $e rate=@
 
+# test trusted setting
+expected <<END
+vif: {
+    "trusted": "True"
+}
+
+END
+one 0 trusted
+
+# test untrusted setting
+expected <<END
+vif: {
+    "trusted": "False"
+}
+
+END
+one 0 untrusted
+
 complete
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index b98c0de378..644ab8f8fd 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -565,6 +565,10 @@ int parse_nic_config(libxl_device_nic *nic, XLU_Config 
**config, char *token)
         nic->devid = parse_ulong(oparg);
     } else if (MATCH_OPTION("mtu", token, oparg)) {
         nic->mtu = parse_ulong(oparg);
+    } else if (!strcmp("trusted", token)) {
+        libxl_defbool_set(&nic->trusted, true);
+    } else if (!strcmp("untrusted", token)) {
+        libxl_defbool_set(&nic->trusted, false);
     } else {
         fprintf(stderr, "unrecognized argument `%s'\n", token);
         return 1;
diff --git a/xen/include/public/io/blkif.h b/xen/include/public/io/blkif.h
index 4cdba79aba..ab863f175a 100644
--- a/xen/include/public/io/blkif.h
+++ b/xen/include/public/io/blkif.h
@@ -363,6 +363,14 @@
  *      that the frontend requires that the logical block size is 512 as it
  *      is hardcoded (which is the case in some frontend implementations).
  *
+ * trusted
+ *      Values:         0/1 (boolean)
+ *      Default value:  1
+ *
+ *      A value of "0" indicates that the frontend should not trust the
+ *      backend, and should deploy whatever measures available to protect from
+ *      a malicious backend on the other end.
+ *
  *------------------------- Virtual Device Properties -------------------------
  *
  * device-type
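Review bot: The new `trusted` entry does not say where the node lives or who writes it; the netif.h comment in this commit says "in the frontend path", and libxl_disk.c appends it to the frontend flexarray, so the entry should state it, e.g. `*      Written by the toolstack into the frontend directory; frontends` / `*      must not take the value from a backend-writable node.` — a frontend that read the flag from somewhere the backend can write would have no protection at all. It would also help to note explicitly that an absent node (toolstacks predating this change) is to be treated as the documented default of 1.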
diff --git a/xen/include/public/io/netif.h b/xen/include/public/io/netif.h
index 00dd258712..3509b096f8 100644
--- a/xen/include/public/io/netif.h
+++ b/xen/include/public/io/netif.h
@@ -160,6 +160,12 @@
  * be applied if it is set.
  */
 
+/*
+ * The setting of "trusted" node to "0" in the frontend path signals that the
+ * frontend should not trust the backend, and should deploy whatever measures
+ * available to protect from a malicious backend on the other end.
+ */
+
 /*
  * Control ring
  * ============
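Review bot: Unlike the blkif.h entry in this commit, this comment gives neither the node's value set nor its default when the node is absent, which frontends paired with toolstacks predating this change need in order to behave consistently; libxl_nic.c sets the default to true. Suggest mirroring the blkif.h layout with two extra lines, ` * Values: 0/1 (boolean).` and ` * Default: 1 (trusted) when the node is absent.`, so both protocol headers describe the same contract.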
--
generated by git-patchbot for /home/xen/git/xen.git#staging



 

