
Re: [Xen-devel] Should PV frontend drivers trust the backends?

  • To: 'Juergen Gross' <jgross@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Paul Durrant <Paul.Durrant@xxxxxxxxxx>
  • Date: Wed, 25 Apr 2018 13:47:09 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Wed, 25 Apr 2018 13:47:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHT3JMUNelLBKu/xEO++KCtlgXwiqQRfQ5A
  • Thread-topic: [Xen-devel] Should PV frontend drivers trust the backends?

> -----Original Message-----
> From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf
> Of Juergen Gross
> Sent: 25 April 2018 13:43
> To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Subject: [Xen-devel] Should PV frontend drivers trust the backends?
> 
> This is a follow-up of a discussion on IRC:
> 
> The main question of the discussion was: "Should frontend drivers
> trust their backends not to do malicious actions?"
> 
> This IMO includes:
> 
> 1. The data put by the backend on the ring page(s) is sane and
>    consistent, meaning that e.g. the response producer index is always
>    ahead of the consumer index.
> 2. Response data won't be modified by the backend after the producer
>    index has been incremented signaling the response is valid.
> 3. Response data is sane, e.g. an I/O data length is not larger than
>    the buffer originally was.
> 4. When a response has been sent all grants belonging to the request
>    have been unmapped again by the backend, meaning that the frontend
>    can assume the grants can be removed without conflict.
> 
> Today most frontend drivers (at least in the Linux kernel) seem to
> assume all of the above is true (there are some exceptions, but never
> for all items):
> 
> - they don't check sanity of ring index values
> - they don't copy response data into local memory before looking at it
> - they don't verify returned data length (or do so via BUG_ON())
> - they BUG() in case of a conflict when trying to remove a grant
> 
> So the basic question is: should all Linux frontend drivers be modified
> in order to be able to tolerate buggy or malicious backends? Or is the
> list of trust above fine?
> 
> IMO even in case the frontends do trust the backends to behave sanely this
> doesn't mean driver domains don't make sense. Driver domains still make
> a Xen host more robust as they e.g. protect the host against driver
> failures normally leading to a crash of dom0.

I see the general question as being analogous to 'should a Linux device driver 
trust its hardware' and I think the answer for a general purpose OS like Linux 
is 'yes'.

Now, having worked on fault tolerant systems in a past life, there are 
definitely cases where you want your OS not to implicitly trust its peripheral 
hardware and hence special device drivers are used. I think the same would 
apply for virtual machines in situations where a driver domain is not wholly 
controlled by a host administrator or is not trusted to the same extent as dom0 
for other reasons; i.e. they should have specialist frontends.


> Juergen
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxxx
> https://lists.xenproject.org/mailman/listinfo/xen-devel
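The four trust items listed in the quoted mail, and the four ways Linux frontends currently fall short of them, can be made concrete with a toy model of a ring consumer that does not trust its backend. The following is an added example written for this page; it is not code from Xen, the Linux kernel, or either of the participants. The structures (`toy_ring`, `toy_rsp`, `toy_front`) and the `RING_SIZE`/`MAX_REQ` constants are hypothetical simplifications of the Xen `RING_*` macros and request tracking, and `front_end_grant()` is a stand-in for the grant-table call that can fail when the backend still holds a mapping. The "backend" scenarios at the bottom are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 4                 /* power of two, like real Xen rings (toy value) */
#define RING_MASK (RING_SIZE - 1)
#define MAX_REQ   8                 /* hypothetical: max outstanding requests */

/* Response layout as the backend writes it into the shared page. */
struct toy_rsp { uint16_t id; uint32_t len; int16_t status; };

/* Shared ring: rsp_prod and rsp[] are writable by the backend at any time. */
struct toy_ring { volatile uint32_t rsp_prod; struct toy_rsp rsp[RING_SIZE]; };

/* Frontend-private state, never on the shared page. */
struct toy_front {
    uint32_t rsp_cons;             /* frontend-owned consumer index */
    uint32_t buf_len[MAX_REQ];     /* size of the buffer granted for each id */
    bool     in_flight[MAX_REQ];
    bool     deferred[MAX_REQ];    /* grants we could not end access on yet */
};

enum { TOY_OK = 0, TOY_EMPTY = 1, TOY_BAD_INDEX = -1, TOY_BAD_ID = -2, TOY_BAD_LEN = -3 };

/* Item 1: prod may run ahead of cons by at most RING_SIZE; unsigned wrap is intended. */
static bool ring_index_sane(uint32_t prod, uint32_t cons)
{
    return (uint32_t)(prod - cons) <= RING_SIZE;
}

/* Consume one response without trusting the backend:
 * item 2 - snapshot the slot into private memory before validating, because the
 *          backend may rewrite it after bumping rsp_prod;
 * item 3 - the claimed length must fit the buffer originally granted. */
static int front_consume(struct toy_front *f, struct toy_ring *ring, struct toy_rsp *out)
{
    uint32_t prod = ring->rsp_prod;            /* read the shared index exactly once */
    struct toy_rsp local;

    if (!ring_index_sane(prod, f->rsp_cons))
        return TOY_BAD_INDEX;                  /* tear down the connection, don't BUG() */
    if (prod == f->rsp_cons)
        return TOY_EMPTY;

    memcpy(&local, &ring->rsp[f->rsp_cons & RING_MASK], sizeof local);
    f->rsp_cons++;

    if (local.id >= MAX_REQ || !f->in_flight[local.id])
        return TOY_BAD_ID;                     /* id is used as an index: bound it first */
    if (local.len > f->buf_len[local.id])
        return TOY_BAD_LEN;                    /* never use len for a copy before this check */

    f->in_flight[local.id] = false;
    *out = local;
    return TOY_OK;
}

/* Item 4: stand-in for ending foreign access on a grant that the backend still
 * maps. The frontend parks the page instead of BUG()ing; the page is lost to the
 * frontend but the host keeps running. */
static bool front_end_grant(struct toy_front *f, uint16_t id, bool still_mapped_by_backend)
{
    if (still_mapped_by_backend) {
        f->deferred[id] = true;                /* must never be reused while mapped */
        return false;
    }
    return true;
}

/* --- constructed scenarios: one well-behaved and several misbehaving backends --- */
static void setup(struct toy_front *f, struct toy_ring *r)
{
    memset(f, 0, sizeof *f); memset(r, 0, sizeof *r);
    f->buf_len[3] = 512; f->in_flight[3] = true;   /* one request, id 3, 512-byte buffer */
}

static void backend_respond(struct toy_ring *r, uint16_t id, uint32_t len)
{
    r->rsp[r->rsp_prod & RING_MASK] = (struct toy_rsp){ id, len, 0 };
    r->rsp_prod++;                                 /* publish the response */
}

int scenario_benign(void)         /* honest backend: 100 bytes into a 512-byte buffer */
{
    struct toy_front f; struct toy_ring r; struct toy_rsp out;
    setup(&f, &r); backend_respond(&r, 3, 100);
    return front_consume(&f, &r, &out);
}

int scenario_bad_prod(void)       /* backend jumps rsp_prod far ahead of rsp_cons */
{
    struct toy_front f; struct toy_ring r; struct toy_rsp out;
    setup(&f, &r); r.rsp_prod = 1000;
    return front_consume(&f, &r, &out);
}

int scenario_bad_len(void)        /* backend claims 4096 bytes into a 512-byte buffer */
{
    struct toy_front f; struct toy_ring r; struct toy_rsp out;
    setup(&f, &r); backend_respond(&r, 3, 4096);
    return front_consume(&f, &r, &out);
}

int scenario_grant_conflict(void) /* backend kept the grant mapped after responding */
{
    struct toy_front f; struct toy_ring r;
    setup(&f, &r);
    return front_end_grant(&f, 3, true) ? 0 : (f.deferred[3] ? 1 : 2);
}

int main(void)
{
    printf("benign=%d bad_prod=%d bad_len=%d grant_deferred=%d\n", scenario_benign(),
           scenario_bad_prod(), scenario_bad_len(), scenario_grant_conflict());
    return 0;
}
```

The point of the model is the order of operations: read the producer index once, bound it against the consumer index, copy the slot out, and only then use the copied `id` and `len` for anything that indexes or sizes frontend memory. Each failure path returns an error the driver can turn into a disconnect rather than a `BUG()`, which is what separates "tolerate a malicious backend" from "trust the backend" in the quoted list.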