[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC PATCH 2/3] arch, arm32: add the XEN_DOMCTL_memory_mapping hypercall



> -----Original Message-----
> From: Julien Grall [mailto:julien.grall@xxxxxxxxxx]
> Sent: Monday, March 03, 2014 10:21 AM
> To: Dario Faggioli
> Cc: Arianna Avanzini; xen-devel@xxxxxxxxxxxxx; paolo.valente@xxxxxxxxxx;
> stefano.stabellini@xxxxxxxxxxxxx; julien.grall@xxxxxxxxxx; Eric Trudeau;
> viktor.kleinik@xxxxxxxxxxxxxxx; Ian Campbell; Tim Deegan
> Subject: Re: [Xen-devel] [RFC PATCH 2/3] arch, arm32: add the
> XEN_DOMCTL_memory_mapping hypercall
> 
> 
> 
> On 03/03/14 19:56, Dario Faggioli wrote:
> > On dom, 2014-03-02 at 17:56 +0800, Julien Grall wrote:
> >> On 02/03/14 08:49, Arianna Avanzini wrote:
> >
> >>> +
> >>> +        ret = -EPERM;
> >>> + /*
> >>> +  * NOTE: dom0 seems to have empty iomem_caps but to be however
> able to
> >>> +  *       access I/O memory ranges. The following check takes for granted
> >>> +  *       that any iomem range can be mapped to a domU if the current
> >>> +  *       domain is dom0.
> >>> +  */
> >>> +        if ( current->domain->domain_id != 0 &&
> >>> +             !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns 
> >>> -
> 1) )
> >>> +            return ret;
> >>
> >> This check can be removed by adding in construct_dom0
> >> (arch/arm/domain_build.c) something like that:
> >>     /* DOM0 is permitted full I/O capabilities */
> >>     rc = iomem_permit_access(d, 0UL, ~OUL);
> >>
> > Right. FTR, xen/arch/x86/domain_build.c, has this (also in
> > construct_dom0):
> >
> >      /* DOM0 is permitted full I/O capabilities. */
> >      rc |= ioports_permit_access(dom0, 0, 0xFFFF);
> >      rc |= iomem_permit_access(dom0, 0UL, ~0UL);
> >      rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
> >
> > Do you want a patch to that/similar effect?
> 
> Yes. Maybe a bit more smarter than permitting full I/0 caps for dom0.
> 

Our implementation does not require Dom0 access permission in order
for it to grant access permission to a DomU.  I suppose it wouldn't hurt
for iomem_permit_access because we allow iomem regions to be mapped
into multiple domains; however, I think the irqs_permit_access call keeps
multiple domains from "owning" the same IRQ.  I might be wrong about that.

> >> I'm wondering if we can even restrict dom0 I/0 access by only permit
> >> access on devices passthrough to it. Because dom0 should not be allowed
> >> to map I/O ranges which belong to device used by Xen e.g : GIC, RAM,...
> >>
> > So, this is probably me messing up with the terminology, but what
> > 'devices passthrough to it [dom0]' would mean, for example in cases
> > where we don't have an IOMMU (like cubie* boards), and hence where
> > proper passtrhogh will never be, I think, supported? Or do we plan to
> > have it working there too?
> 
> My term seems to be wrong for dom0 :).
> 
> On ARM, some device is used by Xen and therefore not exposed to dom0. By
> passthrough to dom0 I meant every device that are given to dom0, no
> matter if the platform has an IOMMU.
> 
> I think DOM0 should only be able to map theses devices to a guest. It
> seems stupid to allow dom0 mapping RAM or the UART used by Xen.
> 
> --
> Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.