[Xen-devel] [PATCH 2/2] xen/xsm: Add new SILO mode for XSM
When SILO is enabled, there would be no page-sharing or event notifications between unprivileged VMs (no grant tables or event channels). Signed-off-by: Xin Li <xin.li@xxxxxxxxxx> --- CC: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> CC: Tim Deegan <tim@xxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> CC: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CC: Ming Lu <ming.lu@xxxxxxxxxx> v3: make copies of dummy functions to avoid indirect call. --- docs/misc/xen-command-line.markdown | 5 +- xen/common/Kconfig | 12 +++ xen/include/xsm/xsm.h | 6 ++ xen/xsm/Makefile | 1 + xen/xsm/silo.c | 123 ++++++++++++++++++++++++++++ xen/xsm/xsm_core.c | 9 ++ 6 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 xen/xsm/silo.c diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 6a3c0e71c7..e0a9b4d268 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -900,7 +900,7 @@ Note that specifying zero as domU value means zero, while for dom0 it means to use the default. ### xsm -> `= default | flask` +> `= default | flask | silo` > Default: `default` @@ -911,6 +911,9 @@ the hypervisor was compiled with XSM support. (the dummy module) will be applied. it's also used when XSM is compiled out. * `flask`: this is the policy based access control. To choose this, the separated option in kconfig must also be enabled. +* `silo`: this will deny any unmediated communication channels between + unprivileged VMs. To choose this, the separated option in kconfig must also + be enabled. ### flask > `= permissive | enforcing | late | disabled` diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 1a6d6281c1..2fe668ba5a 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig 
@@ -154,6 +154,18 @@ config XSM_FLASK_POLICY If unsure, say Y. +config XSM_SILO + def_bool y + prompt "SILO support" + depends on XSM + ---help--- + Enables SILO as the access control mechanism used by the XSM framework. + This is not the default module, add boot parameter xsm=silo to choose + it. This will deny any unmediated communication channels (grant tables + and event channels) between unprivileged VMs. + + If unsure, say Y. + config LATE_HWDOM bool "Dedicated hardware domain" default n diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3d67962493..3b192b5c31 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -733,6 +733,12 @@ extern const unsigned char xsm_flask_init_policy[]; extern const unsigned int xsm_flask_init_policy_size; #endif +#ifdef CONFIG_XSM_SILO +extern void silo_init(void); +#else +static inline void silo_init(void) {} +#endif + #else /* CONFIG_XSM */ #include <xsm/dummy.h> diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile index 8bb4a24f09..e4d581e065 100644 --- a/xen/xsm/Makefile +++ b/xen/xsm/Makefile @@ -1,5 +1,6 @@ obj-y += xsm_core.o obj-$(CONFIG_XSM) += xsm_policy.o obj-$(CONFIG_XSM) += dummy.o +obj-$(CONFIG_XSM_SILO) += silo.o subdir-$(CONFIG_XSM_FLASK) += flask diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c new file mode 100644 index 0000000000..020b0c8e94 --- /dev/null +++ b/xen/xsm/silo.c 
@@ -0,0 +1,123 @@
+/******************************************************************************
+ * xsm/silo.c
+ *
+ * SILO module for XSM(Xen Security Modules)
+ *
+ * Copyright (c) 2018 Citrix Systems Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <xen/sched.h>
+#include <xsm/xsm.h>
+
+struct xsm_operations silo_xsm_ops;
+
+static int (*dummy_evtchn_unbound) (struct domain *, struct evtchn *, domid_t);
+static int (*dummy_evtchn_interdomain) (struct domain *, struct evtchn *,
+ struct domain *, struct evtchn *);
+static int (*dummy_grant_mapref) (struct domain *, struct domain *, uint32_t);
+static int (*dummy_grant_transfer) (struct domain *, struct domain *);
+static int (*dummy_grant_copy) (struct domain *, struct domain *);
+
+/*
+ * Check if inter-domain communication is allowed.
+ * Return true when pass check.
+ */
+static bool silo_mode_dom_check(const struct domain *ldom,
+ const struct domain *rdom)
+{
+ const struct domain *cur_dom = current->domain;
+
+ return (is_control_domain(cur_dom) || is_control_domain(ldom) ||
+ is_control_domain(rdom) || ldom == rdom);
+}
+
+static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
+ domid_t id2)
+{
+ int rc = -EPERM;
+ struct domain *d2 = rcu_lock_domain_by_any_id(id2);
+
+ if ( d2 == NULL )
+ rc = -ESRCH;
+ else
+ {
+ if ( silo_mode_dom_check(d1, d2) )
+ rc = dummy_evtchn_unbound(d1, chn, id2);
+ rcu_unlock_domain(d2);
+ }
+
+ return rc;
+}
+
+static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
+ struct domain *d2, struct evtchn *chan2)
+{
+ if ( silo_mode_dom_check(d1, d2) )
+ return dummy_evtchn_interdomain(d1, chan1, d2, chan2);
+ return -EPERM;
+}
+
+static int silo_grant_mapref(struct domain *d1, struct domain *d2,
+ uint32_t flags)
+{
+ if ( silo_mode_dom_check(d1, d2) )
+ return dummy_grant_mapref(d1, d2, flags);
+ return -EPERM;
+}
+
+static int silo_grant_transfer(struct domain *d1, struct domain *d2)
+{
+ if ( silo_mode_dom_check(d1, d2) )
+ return dummy_grant_transfer(d1, d2);
+ return -EPERM;
+}
+
+static int silo_grant_copy(struct domain *d1, struct domain *d2)
+{
+ if ( silo_mode_dom_check(d1, d2) )
+ return dummy_grant_copy(d1, d2);
+ return -EPERM;
+}
+
+void __init silo_init(void)
+{
+ printk("Initialising XSM SILO mode\n");
+
+ dummy_evtchn_unbound = dummy_xsm_ops.evtchn_unbound;
+ dummy_evtchn_interdomain = dummy_xsm_ops.evtchn_interdomain;
+ dummy_grant_mapref = dummy_xsm_ops.grant_mapref;
+ dummy_grant_transfer = dummy_xsm_ops.grant_transfer;
+ dummy_grant_copy = dummy_xsm_ops.grant_copy;
+
+ silo_xsm_ops = dummy_xsm_ops;
+
+ silo_xsm_ops.evtchn_unbound = silo_evtchn_unbound;
+ silo_xsm_ops.evtchn_interdomain = silo_evtchn_interdomain;
+ silo_xsm_ops.grant_mapref = silo_grant_mapref;
+ silo_xsm_ops.grant_transfer = silo_grant_transfer;
+ silo_xsm_ops.grant_copy = 
silo_grant_copy; + + xsm_ops = &silo_xsm_ops; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 658af40c6e..58409eb0c7 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -34,6 +34,7 @@ struct xsm_operations *xsm_ops; enum xsm_bootparam { XSM_BOOTPARAM_DUMMY, XSM_BOOTPARAM_FLASK, + XSM_BOOTPARAM_SILO, }; static enum xsm_bootparam __initdata xsm_bootparam = XSM_BOOTPARAM_DUMMY; @@ -47,6 +48,10 @@ static int __init parse_xsm_param(const char *s) #ifdef CONFIG_XSM_FLASK else if ( !strcmp(s, "flask") ) xsm_bootparam = XSM_BOOTPARAM_FLASK; +#endif +#ifdef CONFIG_XSM_SILO + else if ( !strcmp(s, "silo") ) + xsm_bootparam = XSM_BOOTPARAM_SILO; #endif else { printk("XSM: can't parse boot parameter xsm=%s\n", s); @@ -93,6 +98,10 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size) flask_init(policy_buffer, policy_size); break; + case XSM_BOOTPARAM_SILO: + silo_init(); + break; + default: printk("XSM: Invalid value for xsm= boot parameter\n"); break; -- 2.18.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
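Review bot: The five hooks in xen/xsm/silo.c still reach the dummy checks through the writable `dummy_*` function pointers, so the indirect calls the v3 changelog says were avoided are still present, and `silo_xsm_ops` is a non-static table that stays writable after boot. Declaring it `static struct xsm_operations silo_xsm_ops;` and having each hook call the dummy check directly would remove those pointers from writable data. `silo_init()` also copies from `dummy_xsm_ops` on the assumption that its entries are already filled in; that ordering is set up outside this hunk, so a short comment stating the requirement would help. `silo_mode_dom_check()` exempts only control domains, which presumably also cuts off non-control driver or stub domains, and a comment such as `/* Only control domains are exempt; any other backend domain is treated as a guest. */` would make that explicit.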
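Review bot: In the `parse_xsm_param` hunk of xen/xsm/xsm_core.c, `xsm=silo` on a build without CONFIG_XSM_SILO falls into the existing `else` branch, which only prints "can't parse boot parameter" while `xsm_bootparam` keeps its `XSM_BOOTPARAM_DUMMY` initialiser. If boot then continues (the rest of the function is outside the hunk), a host configured for isolation runs under the default policy with a single, easily missed log line. An explicit message for the compiled-out case, for example `printk(XENLOG_ERR "XSM: SILO not built in, using dummy module\n");`, would make the fallback visible. The same concern applies to the `silo_init()` stub added in xsm.h, which is a silent no-op and returns nothing that `xsm_core_init` could check.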