[Xen-devel] [PATCH 00/25] Argo: hypervisor-mediated interdomain communication
This patch series implements the Argo hypervisor-mediated interdomain communication mechanism as an experimental feature for incorporation into the Xen hypervisor.

Relevant to the ARM deadline for inclusion in the Xen 4.12 release, there are very few and only minor ARM-specific changes in this series.

This is derived from the v4v work of XenClient, retained in the OpenXT Project and developed further by Bromium in uxen. It has benefitted from and been improved by previous rounds of review in this Xen community, and is the combined work of a series of Xen engineers that have preceded the efforts of the current submission.

The motivation for this feature continues to be that a non-networking, non-shared memory, hypervisor-mediated communication mechanism between domains concurrently executing on the same hypervisor has attractive properties for use cases that value strong mechanisms for policy enforcement and isolation.

In this series, Argo is made optional for inclusion via Kconfig. When included, it defaults to disabled and requires a Xen boot parameter to enable it. It has XSM integration for access control over domain-to-domain communication, and a second boot parameter governs the level of permissiveness over shared communication rings when using the non-XSM/Flask default.

Design documentation can be found on the Xen wiki, at:
https://wiki.xenproject.org/wiki/Argo:_Hypervisor-Mediated_Exchange_(HMX)_for_Xen
and it will be updated to correspond to the submission here in the coming days.

Argo has recently been discussed on the Xen x86 Community Call, minutes:
https://docs.google.com/document/d/1VUPdWwd1raDOPhjReVVkmb6YoQB3X5oU12E4ExjO1n0/edit#heading=h.mz1wjb9vekjn

In (very) short, Argo is implemented by a new hypercall with five operations:

* register ring
* unregister ring
* sendv
* notify
* get config

Ring registration is performed by a domain to provide a region of memory for receiving messages from one or many other domains.
A domain can issue a send operation to send messages to another domain's ring. The data is transferred synchronously by the hypervisor. There is no shared memory between domains, allowing for increased confidence by the domain that the memory accesses in the registered ring conform to the expected protocol. The hypervisor is able to enforce access control policy over the communication.

== Naming

v4v lives on in the Bromium uxen codebase. It is not the same implementation as this, it doesn't have quite the same properties and I don't expect the two to converge (though I do hope continued cross-pollination will happen). Given that, this feature needs to be describable with a different name. It's also a complex enough system, with design details that matter and affect important properties of it, that a generic term (e.g. "message rings") is not sufficient.

Xen's name originates from Xenia, the ancient Greek concept of hospitality. Argo is the ship from Greek mythology that provided secure transport for the mission to obtain the Golden Fleece. This feature aims to provide secure transport.

With this series, I'm proposing that this work shall use the name: argo.

(short, pronounceable, unique within Xen's context so acceptable in code, and material artefacts will be discoverable with a search engine.)

Valued feedback was given in review prior to this posting about whether naming aspects of the implementation 'argo' was ok. I took this seriously, and spent significant time looking at how to reduce the level of argo-ness in this implementation. This version does incorporate changes from that effort but in general, my view is that use of the name in the code assists the clarity of it, so much of it has been retained.

The term "Hypervisor-Mediated data eXchange (HMX)" was introduced in a presentation at the Platform Security Summit 2018, to describe the general, hypervisor-agnostic, capability of data transfer between domains performed by the hypervisor.
It is viewable at:
https://www.platformsecuritysummit.com/2018/speaker/clark/

Argo conforms to HMX as described, as does Hyper-V's message-sending primitive.

== Future items

The Linux device driver used to test this software is derived from the OpenXT v4v Linux device driver, available at:
https://github.com/OpenXT/v4v

The Argo implementation is not yet ready to publish (focus has been on the hypervisor code to this point). A Linux device driver suitable for inclusion in Xen will be submitted for a future Xen release and incorporation into OpenXT.

This submission does not include a firewall for constraining domain-to-domain communication. The XSM hooks added currently provide granularity of control at domain-to-domain level. We intend to extend this to provide finer-grained access control in a future submission, but the current implementation should be sufficient to provide sufficient isolation for some use cases.

Communication between VMs at different levels of nesting in a multi-hypervisor system is of strong interest and will inform near-term enhancements.

Optimization of notification delivery to VMs is a known area for improvement.

* uxen's v4v uses an edge-triggered interrupt to reduce VMEXIT load.
* delivering extended notification data via a dedicated registered ring will allow a guest to avoid a search to identify notification causes.

Additional items will be noted on the Xen wiki.

== Credits

Contributors to the design and implementation of this software include:
James McKenzie, Jean Guyader, Ross Philipson, Christopher Clark
with the support of the OpenXT Project.

Thanks are due for the helpful reviews of earlier revisions by Tim Deegan, Jan Beulich, Ian Campbell and Eric Chanudet.
Christopher Clark (25):
  xen/evtchn: expose evtchn_bind_ipi_vcpu0_domain for use within Xen
  argo: Introduce the Kconfig option to govern inclusion of Argo
  argo: introduce the argo_message_op hypercall boilerplate
  argo: define argo_dprintk for subsystem debugging
  argo: Add initial argo_init and argo_destroy
  argo: Xen command line parameter 'argo': bool to enable/disable
  xen: add errno-returning functions for copy to and from guest
  xen: define XEN_GUEST_HANDLE_NULL as null XEN_GUEST_HANDLE
  errno: add POSIX error codes EMSGSIZE, ECONNREFUSED to the ABI
  arm: introduce guest_handle_for_field()
  xsm, argo: XSM control for argo register operation, argo_mac bootparam
  xsm, argo: XSM control for argo message send operation
  argo: implement the register op
  argo: implement the unregister op
  argo: implement the sendv op
  argo: implement the notify op
  xsm, argo: XSM control for any access to argo by a domain
  argo: limit the max number of rings that a domain may register.
  argo: limit the max number of notify requests in a single operation.
  argo, xsm: notify: don't describe rings that cannot be sent to
  argo: add array_index_nospec to guard the result of the hash func
  xen/evtchn: expose send_guest_global_virq for use within Xen
  argo: signal x86 HVM and ARM via VIRQ
  argo: unmap rings on suspend and send signal to ring-owners on resume
  argo: implement the get_config op to query notification config

 xen/arch/x86/guest/hypercall_page.S   |    2 +-
 xen/arch/x86/hvm/hypercall.c          |    3 +
 xen/arch/x86/hypercall.c              |    3 +
 xen/arch/x86/pv/hypercall.c           |    3 +
 xen/common/Kconfig                    |   20 +
 xen/common/Makefile                   |    1 +
 xen/common/argo.c                     | 1960 +++++++++++++++++++++++++++++++++
 xen/common/domain.c                   |   24 +
 xen/common/event_channel.c            |   37 +-
 xen/include/asm-arm/guest_access.h    |   30 +
 xen/include/asm-x86/guest_access.h    |   31 +
 xen/include/public/argo.h             |  280 +++++
 xen/include/public/errno.h            |    2 +
 xen/include/public/xen.h              |    6 +-
 xen/include/xen/argo.h                |   32 +
 xen/include/xen/event.h               |   10 +
 xen/include/xen/guest_access.h        |    3 +
 xen/include/xen/hypercall.h           |    9 +
 xen/include/xen/sched.h               |    7 +
 xen/include/xsm/dummy.h               |   25 +
 xen/include/xsm/xsm.h                 |   29 +
 xen/xsm/dummy.c                       |    6 +
 xen/xsm/flask/hooks.c                 |   33 +
 xen/xsm/flask/policy/access_vectors   |   16 +
 xen/xsm/flask/policy/security_classes |    1 +
 25 files changed, 2563 insertions(+), 10 deletions(-)
 create mode 100644 xen/common/argo.c
 create mode 100644 xen/include/public/argo.h
 create mode 100644 xen/include/xen/argo.h

-- 
2.1.4
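As an added illustration of the mediated-copy model this cover letter describes (not code from the series and not Xen's public argo.h ABI), the small C model below has the receiver's registered ring written only by the "hypervisor": the access-control decision (an explicit peer list, or a permissive any-sender mode standing in for the permissiveness boot parameter) is taken before any byte is copied, and an oversize sendv is rejected whole. The ring layout, the iov shape and every name here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Illustrative model, not Xen's argo.h ABI: the receiver registers a ring,
 * a sender issues sendv, and only the "hypervisor" copies the bytes. */
#define RING_SIZE 64
enum { ARGO_OK = 0, ARGO_EPERM = -1, ARGO_EMSGSIZE = -2 };
struct ring {
    uint8_t  buf[RING_SIZE]; /* receiver-owned memory, never mapped by sender */
    unsigned tx;             /* bytes written so far by the hypervisor */
    bool     any_sender;     /* permissive mode: accept from any domain */
    int      allowed[4];     /* restrictive mode: explicit peer list */
    int      nallowed;
};
struct iov { const uint8_t *base; unsigned len; };
static bool policy_permits(const struct ring *r, int src)
{
    for (int i = 0; i < r->nallowed; i++)
        if (r->allowed[i] == src) return true;
    return r->any_sender;
}

/* Mediated copy: policy is checked before any byte moves, and an oversize
 * message is rejected whole rather than partially written into the ring. */
int hv_sendv(struct ring *dst, int src, const struct iov *iov, int n)
{
    unsigned total = 0;
    if (!policy_permits(dst, src)) return ARGO_EPERM;
    for (int i = 0; i < n; i++) total += iov[i].len;
    if (total > RING_SIZE - dst->tx) return ARGO_EMSGSIZE;
    for (int i = 0; i < n; i++) {
        memcpy(dst->buf + dst->tx, iov[i].base, iov[i].len);
        dst->tx += iov[i].len;
    }
    return ARGO_OK;
}

/* Scenario: domain 1's ring admits only domain 2. Returns how many of the
 * three outcomes match the model (3 when all behave as described). */
int argo_model_demo(void)
{
    struct ring r = { .allowed = { 2 }, .nallowed = 1 };
    const uint8_t a[] = "hello ", b[] = "argo", big[RING_SIZE] = { 0 };
    struct iov v[2] = { { a, 6 }, { b, 4 } }, w = { big, RING_SIZE };
    int ok = 0;
    ok += hv_sendv(&r, 2, v, 2) == ARGO_OK && memcmp(r.buf, "hello argo", 10) == 0;
    ok += hv_sendv(&r, 3, v, 2) == ARGO_EPERM && r.tx == 10;    /* denied */
    ok += hv_sendv(&r, 2, &w, 1) == ARGO_EMSGSIZE && r.tx == 10; /* no partial */
    return ok;
}
```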