[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] get_page_from_gfn() for foreign pages



>>> On 01.03.18 at 15:17, <Paul.Durrant@xxxxxxxxxx> wrote:
>>  -----Original Message-----
>> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
>> Sent: 01 March 2018 14:00
>> To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>
>> Cc: xen-devel (xen-devel@xxxxxxxxxxxxxxxxxxxx) <xen-
>> devel@xxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: [Xen-devel] get_page_from_gfn() for foreign pages
>> 
>> >>> On 01.03.18 at 12:39, <Paul.Durrant@xxxxxxxxxx> wrote:
>> > Whilst debugging my PV-IOMMU code I ran into an issue with
>> > get_page_from_gfn(): It is failing when the gfn in question is actually a
>> > grant map from another domain, and the reason for this is that
>> get_page(page,
>> > domain) explicitly fails if the page owner is not the domain specified to 
> the
>> > call. However, I find that ARM implementation of get_page_from_gfn() has
>> a
>> > test for foreign p2m entries and completes successfully (by avoiding a call
>> > to get_page() and instead calling page_get_owner_and_reference()
>> directly).
>> >
>> > I can't think of any particular reason why, on x86, get_page_from_gfn()
>> > should not work for foreign mapped or grant mapped pages. Does anyone
>> know
>> > why the restriction is there?
>> 
>> What part of {,p2m_}get_page_from_gfn() are you referring to?
>> p2m_get_page_from_gfn()'s fast path does what you want; it looks
>> like the slow path was wrongly ignored in 50fe6e7370 ("pvh dom0:
>> add and remove foreign pages"). Or are you thinking about this for
>> a PV domain (and hence you look at the second half of
>> get_page_from_gfn())?
> 
> Yes, it's the PV case I'm hitting, i.e:
> 
> page = __mfn_to_page(gfn);
> return mfn_valid(_mfn(gfn)) && get_page(page, d) ? page : NULL;
> 
> In my particular case I have an mfn but it represents a page that dom0 has 
> grant mapped. When I come to look it up as a GFN with DOMID_SELF I get the 
> error.

Sure, and the problem is that for PV there's no P2M type associated
with a page, so we can't know whether the page is legitimately
foreign to the given domain, or a random page belonging to a
domain the requesting one has no privilege over.

>> For grant mapped pages the situation may be a little less clear:
>> How would you deal with a grant being revoked when you have
>> random uses of the page in another domain?
>> 
> 
> I suppose it comes down to whether we want to be able to have domA (which 
> has priv mapping rights over domB) to be able to take a ref on a page from 
> domC that was granted to domB. If, for example, you have a stubdom with a PV 
> backend for a framebuffer which is then exported via a VNC server running in 
> dom0 then that's exactly what you'd probably want to set up. So I don't see 
> why it should be disallowed. In my case domA == domB and it certainly seems 
> reasonable to me that a domain be able to page references on GFNs in its own 
> P2M regardless of the actual page owner.

There may be special cases where it is okay to be allowed, but in
the general case it has to be refused. The grant table interface
allows a guest to specify _exactly_ which domain(s) get(s) granted
access to a given page. Part of me is actually thinking that even
transitive grants already violate the trust put in the backend by a
frontend.

And then you didn't really answer my question.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.