[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Should PV frontend drivers trust the backends?

To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>, 'Juergen Gross' <jgross@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Oleksandr Andrushchenko <andr2000@xxxxxxxxx>
Date: Thu, 26 Apr 2018 08:59:42 +0300
Delivery-date: Thu, 26 Apr 2018 06:00:04 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 04/25/2018 04:47 PM, Paul Durrant wrote:

-----Original Message-----
From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf
Of Juergen Gross
Sent: 25 April 2018 13:43
To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Should PV frontend drivers trust the backends?

This is a followup of a discussion on IRC:

The main question of the discussion was: "Should frontend drivers
trust their backends not doing malicious actions?"

This IMO includes:

1. The data put by the backend on the ring page(s) is sane and
    consistent, meaning that e.g. the response producer index is always
    ahead of the consumer index.

2. Response data won't be modified by the backend after the producer
    index has been incremented signaling the response is valid.

3. Response data is sane, e.g. an I/O data length is not larger than
    the buffer originally was.

4. When a response has been sent all grants belonging to the request
    have been unmapped again by the backend, meaning that the frontend
    can assume the grants can be removed without conflict.

Today most frontend drivers (at least in the Linux kernel) seem to
assume all of the above is true (there are some exceptions, but never
for all items):

- they don't check sanity of ring index values
- they don't copy response data into local memory before looking at it
- they don't verify returned data length (or do so via BUG_ON())
- they BUG() in case of a conflict when trying to remove a grant

So the basic question is: should all Linux frontend drivers be modified
in order to be able to tolerate buggy or malicious backends? Or is the
list of trust above fine?

IMO even in case the frontends do trust the backends to behave sane this
doesn't mean driver domains don't make sense. Driver domains still make
a Xen host more robust as they e.g. protect the host against driver
failures normally leading to a crash of dom0.

I see the general question as being analogous to 'should a Linux device driver 
trust its hardware' and I think the answer for a general purpose OS like linux 
is 'yes'.

Now, having worked on fault tolerant systems in a past life, there are 
definitely cases where you want your OS not to implicitly trust its peripheral 
hardware and hence special device drivers are used.

So what do you do if counters provided by the untrusted HW are ok
and the payload is not?

I think the same would apply for virtual machines in situations where a driver 
domain is not wholly controlled by a host administrator or is not trusted to 
the same extent as dom0 for other reasons; i.e. they should have specialist 
frontends.

I believe we might be able to express some common strategy for thefrontends.I do understand though that it all needs to be decided on case by casebasis,but common things could still be there, e.g. if prod/cons counters arenot in sync

what a frontend needs to do:

- should it keep trying to get in sync - might be a bad idea as thereq/resp data may already become inconsistent (net can probably survive, but notblock) - should it tear down the connection with the backend - this mayrender in the whole

   system instability, e.g. imagine you tear down a "/" block device
 - should it BUG_ON and die
To me the second option (tear down the connection) seems to be

more reasonable, although it can still render the guest unusable, but atleast it

gives a chance for the guest to recover in a proper way

And, if my assumption is correct, we still do trust the contents of therequestsand responses, e.g. the payload is still trusted. This also questionsthe approach,e.g. if we don't trust backend's counters, then why do we trust thepayload it sends?

And there is no obvious way to check the payload integrity.

So, either we trust the backend and accept the risks or we need todevelop some

complex approach to address the above.

Thank you,
Oleksandr

   Paul

Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] Should PV frontend drivers trust the backends?
  - From: Paul Durrant

References:
- [Xen-devel] Should PV frontend drivers trust the backends?
  - From: Juergen Gross
- Re: [Xen-devel] Should PV frontend drivers trust the backends?
  - From: Paul Durrant

Prev by Date: [Xen-devel] [ovmf test] 122396: all pass - PUSHED
Next by Date: Re: [Xen-devel] [RFC PATCH 1/3] xen: Introduce vcpu_sleep_nosync_locked()
Previous by thread: Re: [Xen-devel] Should PV frontend drivers trust the backends?
Next by thread: Re: [Xen-devel] Should PV frontend drivers trust the backends?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.