[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v4] xen-pciback: optionally allow interrupt enable flag writes



On Wed, Jan 15, 2020 at 05:32:32PM -0500, Boris Ostrovsky wrote:
> 
> 
> On 1/15/20 11:48 AM, Roger Pau Monné wrote:
> > On Wed, Jan 15, 2020 at 02:46:29AM +0100, Marek Marczykowski-Górecki wrote:
> > > QEMU running in a stubdom needs to be able to set INTX_DISABLE, and the
> > > MSI(-X) enable flags in the PCI config space. This adds an attribute
> > > 'allow_interrupt_control' which when set for a PCI device allows writes
> > > to this flag(s). The toolstack will need to set this for stubdoms.
> > > When enabled, guest (stubdomain) will be allowed to set relevant enable
> > > flags, but only one at a time - i.e. it refuses to enable more than one
> > > of INTx, MSI, MSI-X at a time.
> > > 
> > > This functionality is needed only for config space access done by device
> > > model (stubdomain) serving a HVM with the actual PCI device. It is not
> > > necessary and unsafe to enable direct access to those bits for PV domain
> > > with the device attached. For PV domains, there are separate protocol
> > > messages (XEN_PCI_OP_{enable,disable}_{msi,msix}) for this purpose.
> > > Those ops in addition to setting enable bits, also configure MSI(-X) in
> > > dom0 kernel - which is undesirable for PCI passthrough to HVM guests.
> > > 
> > > This should not introduce any new security issues since a malicious
> > > guest (or stubdom) can already generate MSIs through other ways, see
> > > [1] page 8. Additionally, when qemu runs in dom0, it already have direct
> > > access to those bits.
> > > 
> > > This is the second iteration of this feature. First was proposed as a
> > > direct Xen interface through a new hypercall, but ultimately it was
> > > rejected by the maintainer, because of mixing pciback and hypercalls for
> > > PCI config space access isn't a good design. Full discussion at [2].
> > > 
> > > [1]: 
> > > https://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
> > > [2]: https://xen.markmail.org/thread/smpgpws4umdzizze
> > > 
> > > [part of the commit message and sysfs handling]
> > > Signed-off-by: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>
> > > [the rest]
> > > Signed-off-by: Marek Marczykowski-Górecki 
> > > <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> > Some minor nits below, but LGTM:
> > 
> > Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > 
> > > 
> > > diff --git a/Documentation/ABI/testing/sysfs-driver-pciback 
> > > b/Documentation/ABI/testing/sysfs-driver-pciback
> > > index 6a733bfa37e6..566a11f2c12f 100644
> > > --- a/Documentation/ABI/testing/sysfs-driver-pciback
> > > +++ b/Documentation/ABI/testing/sysfs-driver-pciback
> > > @@ -11,3 +11,16 @@ Description:
> > >                   #echo 00:19.0-E0:2:FF > 
> > > /sys/bus/pci/drivers/pciback/quirks
> > >                   will allow the guest to read and write to the 
> > > configuration
> > >                   register 0x0E.
> > > +
> > > +What:           /sys/bus/pci/drivers/pciback/allow_interrupt_control
> > > +Date:           Jan 2020
> > > +KernelVersion:  5.5
> 
> 5.6
> 
> I can fix this and the things that Roger mentioned while committing if Marek
> is OK with that.

Yes, thanks!

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.