Xen project Mailing List

Re: [Xen-devel] [PATCH] vpci: don't allow access to devices not assigned to the domain

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Mon, 2 Sep 2019 16:23:25 +0200

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=roger.pau@xxxxxxxxxx; spf=Pass smtp.mailfrom=roger.pau@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, TimDeegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 02 Sep 2019 14:23:40 +0000

Ironport-sdr: +IrF6fJwe8Uhres2O+LN3f1qySQ1hil/Eqwnf8ff28ZCnU/y2RPQN95eD9ldK2s2gJIcPSM+T/ Y+I617xBdfni/lDcbCyaHklHucJnqZbtrTxr6kgSDax73wpFnVB736QMjKQcTx5w+OwIiWJgj3 Zfqf+oZhzNp2quismSxD/qXjBFG65BpvuOrQRMu3rqAlH9StoB6SL/rbHE/fLVhHADEeB0k+sO 5UmznzjQ/Iej5JWIGEN2DG4AEnm0lot7fthrq9pOxNBukCmj8aqB0G49HoN70ZjqSxrbgqqoW9 F7o=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Sep 02, 2019 at 04:15:02PM +0200, Jan Beulich wrote: > On 02.09.2019 15:58, Roger Pau Monné wrote: > > On Mon, Sep 02, 2019 at 01:58:07PM +0200, Jan Beulich wrote: > >> On 02.09.2019 13:30, Roger Pau Monne wrote: > >>> Don't allow the hardware domain to access the PCI config space of > >>> devices not assigned to it. Ie: the config space of iommu devices > >>> in use by Xen should not be accessible to the hardware domain. > >> > >> Well, I agree with what you say above, but the code change disallows > >> much more than this. In particular Dom0 (and maybe stub domains too) > >> need to be able to access the config space of devices assigned to > >> guests, e.g. for qemu to control MSI and/or MSI-X. > > > > Right, I was overlooking the fact that a domain using vPCI itself > > should be able to handle passthrough backends for other domains. > > > > I think the condition should instead check if the device is assigned > > to dom_xen, and don't allow domains access to devices assigned to > > dom_xen. > > Even that goes too far imo: We deliberately allow read access to > r/o devices, in order to avoid anomalies in bus enumeration in > Dom0. And I'd very much hope write attempts already honor the > pseg->ro_map bit for a device. Hm, no, AFAICT vPCI was just bypassing the ro_map ATM. So the problem I found, and that I was trying to address with this patch is that a PVH dom0 on AMD hardware finds the iommus by scanning the PCI bus, and a Linux dom0 seems to immediately turn off the MSI enable control bit on any devices it finds, thus leaving the iommu without being able to generate interrupts. I can implement the RO stuff, but it seems weird to me. AFAICT the only devices owned by Xen should be the serial console, the iommu and the HPET maybe. How can hiding those cause anomalies in bus enumeration? Thanks, Roger. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.