[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory

To: Jan Beulich <JBeulich@xxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxxxxx>
Date: Mon, 26 May 2014 15:26:53 +0100
Cc: Ian.Campbell@xxxxxxxxxxxxx, paolo.valente@xxxxxxxxxx, keir@xxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, dario.faggioli@xxxxxxxxxx, Ian.Jackson@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, julien.grall@xxxxxxxxxx, etrudeau@xxxxxxxxxxxx, tim@xxxxxxx, Arianna Avanzini <avanzini.arianna@xxxxxxxxx>, viktor.kleinik@xxxxxxxxxxxxxxx
Delivery-date: Mon, 26 May 2014 14:27:14 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>



On 26/05/14 14:22, Jan Beulich wrote:

On 26.05.14 at 14:15, <julien.grall@xxxxxxxxxx> wrote:


On 26/05/14 12:51, Jan Beulich wrote:

On 26.05.14 at 13:42, <julien.grall@xxxxxxxxxx> wrote:


On 26/05/14 12:37, Jan Beulich wrote:

On 26.05.14 at 13:24, <julien.grall@xxxxxxxxxx> wrote:

On 26/05/14 12:14, Jan Beulich wrote:

On 26.05.14 at 12:53, <julien.grall@xxxxxxxxxx> wrote:

On 26/05/14 11:14, Jan Beulich wrote:


Or maybe I wasn't wrong - the patch context doesn't really make
clear whether it's the granting or mapping operation that gets
adjusted here (since an earlier patch moved the mapping one into
this function).


              ret = -EPERM;
-        if ( !iomem_access_permitted(current->domain, mfn, mfn_end) )
+        if ( !iomem_access_permitted(d, mfn, mfn_end) )
                  break;

              ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add);

There is an xsm_iomem_mapping just after, so the change has been done in
XEN_DOMCTL_memory_mapping.


In which case I indeed stick to my original comment - it's perhaps
best to check _both_.


Why? We may want to map the region in the guest P2M without giving the
permission to the guest (I'm thinking about ARM passthrough case).


How can you put a mapping of memory into a guest's P2M for which
that guest has no access permission? To me this reads like you're
intending to create a security issue here.


iomem_access_permitted is used to check if we allow the current guest to
map a region in another guest P2M.

Once the mapping is done, at least on ARM, we don't use anymore the
permission check. This is because there is no trap involved afterwards.


I don't see how absence or presence of traps is involved here. The
problem I see is that by putting in such a P2M entrry you allow a
guest access to memory that it wasn't granted access to.


In the case of an HVM guest (or ARM guest), the permission seems to be
used only during DOMCTL_memory_mapping hypercall. So I understand the
permission as "I'm allowed to map/unmap this MMIO range from a guest P2M".


Ah, I start seeing where you're coming from: Taking current uses of
a certain construct to imply a meaning of that construct is kind of
backwards. You should start with the meaning, and all of
{iomem,ioports,pirq}_access_permitted() are inquiries to find out
whether the specified domain is permitted to access the specified
resource.

And the fact that for HVM/ARM there's currently only that one use
in the domctl handling isn't indicative of anything. Just take the use
in xen/common/grant_table.c - if the paging_mode_external()
check got dropped (assuming the backing functions can handle this)
you'd all of the sudden have another use. And the check here, from
all I know, isn't there because such an operation makes sense only
for PV guests, but because the same operation just can't be handled
for HVM/PVH/ARM ones. The moment someone finds a legitimate use
of e.g. granting pages from a passed-through frame buffer (to e.g.
snapshot its contents directly to storage) this would need to be
fixed.


I got your point now. Many thanks for your explanation.

I'm still not convince, it's perfectly valid to:
        1) call iomem_permission to set the permission
        2) call memory_mapping
        3) call iomem_permission to remove the permission

In this case the memory mapping will be there without any granting.Hence, we won't be able to remove those mappings.

IHMO, this make the requirement of the permission useless and add morecode in the toolstack to map an MMIO region for peanuts.

If we request the guest to have the permission on this range, we also
allow the guest to map in its P2M (assuming XSM is not there) theses MMIOs.

I don't think, at least on ARM, we want to let the guest doing what it
wants with the mapping MMIO region.


And I didn't say that.


I didn't intend to blame you with this sentence.

Regards,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH v7 00/10] Implement the XEN_DOMCTL_memory_mapping hypercall for ARM
  - From: Arianna Avanzini
- [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Arianna Avanzini
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v4 06/16] xen/arm: segregate and split GIC low level functionality
Next by Date: Re: [Xen-devel] [PATCH v4 07/16] arm/xen: move GIC context data structure to gic driver
Previous by thread: Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
Next by thread: Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.