Xen project Mailing List

Re: XSM and the idle domain

From: Jason Andryuk <jandryuk@xxxxxxxxx>

Date: Wed, 21 Oct 2020 12:21:58 -0400

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Wed, 21 Oct 2020 16:22:22 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Oct 21, 2020 at 10:35 AM Hongyan Xia <hx242@xxxxxxx> wrote: > > Hi, Hi, Hongyan. I'm familiar with Flask but not particularly familiar with other XSMs or CONFIG_XSM=n. > A while ago there was a quick chat on IRC about how XSM interacts with > the idle domain. The conversation did not reach any clear conclusions > so it might be a good idea to summarise the questions in an email. > > Basically there were two questions in that conversation: > > 1. In its current state, are security modules able to limit what the > idle domain can do? > 2. Should security modules be able to restrict the idle domain? > > The first question came up during ongoing work in LiveUpdate. After an > LU, the next Xen needs to restore all domains. To do that, some > hypercalls need to be issued from the idle domain context and > apparently XSM does not like it. We need to introduce hacks in the > dummy module to leave the idle domain alone. Is this modifying xsm_default_action() to add an is_idle_domain() check which always succeeds? >Our work is not compiled > with CONFIG_XSM at all, but with CONFIG_XSM, are we able to enforce > security policies against the idle domain? It's not clear to me if you want to use CONFIG_XSM, or just don't want to break it. > Of course, without any LU > work this does not make any difference because the idle domain does not > do any useful work to be restricted anyway. I think this last sentence is the main point. It's always been labeled xen_t, but since it doesn't go through any of the hook points, it hasn't needed any restrictions. Actually, reviewing the Flask policy there is: # Domain destruction can result in some access checks for actions performed by # the hypervisor. These should always be allowed. allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; > Also, should idle domain be restricted? IMO the idle domain is Xen > itself which mostly bootstraps the system and performs limited work > when switched to, and is not something a user (either dom0 or domU) > directly interacts with. I doubt XSM was designed to include the idle > domain (although there is an ID allocated for it in the code), so I > would say just exclude idle in all security policy checks. I think it makes sense to label xen_t, even if it doesn't do anything. As you say, it is a distinct entity from dom0 and domU. Yes, it can circumvent the policy, but it's not actively hurting anything. And it can be good to catch when it does start doing something, as you found. Might it make sense to create a LU domain instead of using the idle domain for Live Update? Another approach could be to run the idle_domain as "dom0" during Live Update, and then transition to the regular idle_domain when it completes? You are re-creating dom0, but you could flip is_privileged on during live update and then remove it once complete. Regards, Jason

Follow-Ups:

Re: XSM and the idle domain
- From: Hongyan Xia

References:

XSM and the idle domain
- From: Hongyan Xia

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.