[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v12 11/14] flask/policy: allow domU to use previously-mapped I/O-memory

To: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
From: Arianna Avanzini <avanzini.arianna@xxxxxxxxx>
Date: Sat, 6 Sep 2014 01:25:58 +0200
Cc: julien.grall@xxxxxxxxxx, paolo.valente@xxxxxxxxxx, keir@xxxxxxx, stefano.stabellini@xxxxxxxxxxxxx, Ian.Jackson@xxxxxxxxxxxxx, dario.faggioli@xxxxxxxxxx, tim@xxxxxxx, xen-devel@xxxxxxxxxxxxx, Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>, etrudeau@xxxxxxxxxxxx, JBeulich@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, viktor.kleinik@xxxxxxxxxxxxxxx, andrii.tseglytskyi@xxxxxxxxxxxxxxx
Delivery-date: Fri, 05 Sep 2014 23:26:25 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hello,

thank you for your thorough explanation.

On Wed, Sep 03, 2014 at 10:45:18AM -0400, Daniel De Graaf wrote:
> On 09/03/2014 07:21 AM, Ian Campbell wrote:
> >On Sat, 2014-08-30 at 18:29 +0200, Arianna Avanzini wrote:
> >>From: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>
> >>
> >>This commit allows the domU to access previously-mapped I/O-memory
> >>even if XSM is enabled and FLASK is enforced.
> >
> >CCing Daniel (XSM maintainer).
> >
> >I think this is probably OK, but I'm no XSM expert.
> >
> >(If I were writing the ocmmit message I would have said something like
> >"Update the example XSM policy to allow...")
> 
> The message Ian suggests is a bit clearer as to the effect of the patch.
> 

Thanks to both of you; as I took the liberty of writing the commit message for
Andrii's patch I will certainly fix my mistakes according to your suggestions.

> Regarding the patch: at minimum, a domU should only need the permissions
> defined by "use_device(domU_t, iomem_t)" to access mapped memory.  However,
> it is preferred to label the IO memory being used instead of allowing access
> to the default/fallback iomem_t.
> 
> The intention for handing pass-through devices with FLASK is to label the
> device (either using the tool flask-label-pci or manually in the policy;
> example lines for the latter are present and commented out).  The example
> policy defines the type nic_dev_t as a device that is usable by domU_t, and
> docs/misc/xsm-flask.txt has an example of flask-label-pci's use.
> 
> If you are actually only passing IO memory and not a PCI device, labeling
> the IO memory range would be the preferred solution.  If you cannot label
> it statically, a tool similar to flask-label-pci for memory will be needed -
> something like "flask-label-resource <type> <start>-<end> <label>".  This
> may be more common on ARM than on x86; I am not familiar with pass-through
> on ARM, and the only non-PCI device on x86 that I have used pass-through on
> is the TPM, which has a well-defined IO memory range.
> 

When using the iomem option to make an I/O-memory range available to a domU
the mapping to be performed is explicitly defined by domain configuration,
so labeling it should be possible, if I understood things correctly.



> -- 
> Daniel De Graaf
> National Security Agency

-- 
/*
 * Arianna Avanzini
 * avanzini.arianna@xxxxxxxxx
 * 73628@xxxxxxxxxxxxxxxxxxx
 */

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- Re: [Xen-devel] [PATCH v12 11/14] flask/policy: allow domU to use previously-mapped I/O-memory
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH v12 11/14] flask/policy: allow domU to use previously-mapped I/O-memory
  - From: Daniel De Graaf

Prev by Date: Re: [Xen-devel] [PATCH RFC v2 1/4] x86/mm: Shadow and p2m changes for PV mem_access
Next by Date: Re: [Xen-devel] [PATCH v2 7/9] xen: arm: handle variable p2m levels in apply_p2m_changes
Previous by thread: Re: [Xen-devel] [PATCH v12 11/14] flask/policy: allow domU to use previously-mapped I/O-memory
Next by thread: Re: [Xen-devel] [PATCH v12 10/14] xsm/flask: avoid spurious error messages when mapping I/O-memory
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.