Re: [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support


  • To: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Thu, 23 Aug 2018 13:53:24 -0400
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
  • Delivery-date: Thu, 23 Aug 2018 17:53:50 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08/23/2018 09:32 AM, Volodymyr Babchuk wrote:
> Hello Daniel,
>
> On 23.08.18 01:44, DeGraaf, Daniel G wrote:
>> From: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
>> Sent: Wednesday, August 22, 2018 10:12 AM
>>
>>> As we don't want any guest to access limited resources of TEE, we need a way to
>>> control who can work with it.
>>>
>>> Thus, new access vector class "tee" is added with only one operation "call" so
>>> far. tee framework uses this to check if guest has a right
>>> to work with TEE.
>>>
>>> Also, example security context domU_with_tee_t was added.
>>
>> Are you planning to add more access vectors to this class in the future?
>> Otherwise, it probably doesn't need its own class - since you use xen_t as the
>> target, placing it in class xen/xen2 is preferred (like tmem and others are
>> now).
>
> At the moment I can't imagine any other vectors. Reason I created a new class
> is that it seemed wrong to me to use generic xen/xen2 class, because, strictly
> speaking, this vector has nothing to do with xen core.
>
> But, if you think that it is appropriate to have vector "tee_call" in xen2
> class, then I can move it there.

Actually, upon further thought it may better fit in the resource class:
there are already "resource use" and "resource setup" permissions there
that deal with some platform-wide objects.  If there will only ever be
one TEE device, a tee_call permission with target xen_t will cover it,
but this allows for a more natural extension to multiple TEEs (or a TEE
with some hypervisor-inspected function-level access control) that are
themselves labeled like we do for PCI devices.  That's probably not
relevant to this design until someone makes such an interface, however,
so I'd continue using xen_t until then.
