[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 9/9] x86/P2M: relax permissions of PVH Dom0's MMIO entries
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Thu, 23 Sep 2021 17:32:41 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GNggsnDnIbmEeToVRGIezV+HEFw+Kkt3ctCENGZ+mME=; b=asW/NMPOKpzYvvcVqCjtcUhyY5ouvMipwpqK/MZZ9wy7GJ3WtUD1J9rytyC4i350bPgI8MvesQ/LMXI+wBd8yP+SIEWGi1XhZrB8WbQZmNLUWouyJ4MSW4AI0nAs8IdDQaeLg/raC7HKY/nDCl8lwDinjv2dGU5sBa7L5NB0J5vGJjOY/MaozcU1NB+iS+0DO5ei3hOMHWsl8MZJ+f4j2ldFGyxnSNBeoS9ckr8chxsHU4lEzKAYjMfZhSJctaxkQX/xWTk87GqW4yVQWsYjvkZFzmjeQv8bAjW00Lb2ySFmBMhHPGV6dWYhsa+6GgoGmcD8N55lcSBIshrS0ZC+rg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=O0GzuGB+4YLxoZRtukIlmPVu1ArzaH2pIAPm0kneKxwvAZ4JL4gnB1P5938JCy6X0pvSZZ6u92xamCgC4Z+scSNnuS0ZfwK9x9xL6MOS+5l9Tl8nozlQ+DyXx97t22kBXFZj1KfB04eLUWV7TAo8vVt2tS3MnLpo+tRABCr7WYoWAwF0uW8gbFvjYq1EHltWce3zMSx3L3EVp5dH8xlAT7qDY3ItHH7arpfI3AxMN/Bmr53Np4KW95Q2LXllK4waDjZe2OH/2Y8QSJNLfsjXBgvdfDA25nHZwCdLcdSXqWG2G99cMAXM/vFHsDgtUGknlnx0FdiFv3jyTMgD9AdHrw==
- Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
- Delivery-date: Thu, 23 Sep 2021 15:32:52 +0000
- Ironport-data: A9a23:KqBYBq3TlRf24cPxrfbD5Q12kn2cJEfYwER7XKvMYLTBsI5bpz0Hz GVODT3QO/qLYzD1copzOd638E5QvMKBn9dhTAY6pC1hF35El5HIVI+TRqvS04J+DSFhoGZPt Zh2hgzodZhsJpPkS5PE3oHJ9RGQ74nRLlbHILOCan0ZqTNMEn970EoywbVh2+aEvPDia++zk YKqyyHgEAfNNw5cagr4PIra9XuDFNyr0N8plgRWicJj5TcypFFMZH4rHomjLmOQf2VhNrXSq 9Avbl2O1jixEx8FUrtJm1tgG6EAaua60QOm0hK6V0U+6/TrS+NbPqsTbZIhhUlrZzqhz/dI1 fQdjMWKWAoFG7OdmuEhbxZ5DHQrVUFG0OevzXmXtMWSywvNcmf2wuUoB0YzVWEa0r8pWycUr 6VecW1TKEDY7w616OvTpu1EnMMsIdOtJIoCknph0SvYHbAtRpWrr6DiuIQEgGdg15gm8fD2Z uA4azlsagn6PTp+HwZMN801jPr2vyyqG9FfgA3M/vdmi4TJ9yRu1JD9PdyTfcaFLe1Fk0Ddq m/Y8mDRBhABKMfZ2TeD6mirhOLEgWX8Qo16PL+y++NugVaT7ncOExBQXly+ycRVkWbnBYgZc RZNvHNz8+5iryRHU+URQTXoh0eZn04lAuBBHsEf9lCPz5bo7CeGUz1soiF6VPQqs8o/RDoP3 1CPns/0CTEHjIB5WU5x5Z/P8mjvY3Z9wXsqIHZeFFpYv4CLTJQb00qXJuuPBpJZmTEc9dvY+ DmMsCF2rLEal8djO06TrA2f3mrESnQkSGcICuTrsoCNslgRiG2NPdXABb3nARBodt3xor6p5 iRspiRmxLpSZaxhbQTUKAn3IJmn5uyeLBrXikN1Ep8q+lyFoiD4J9sLuGkleh04Y67onAMFh meJ4mu9A7cJYBOXgVJfOdrtW6zGM4C6fTgaahwkRoUXOcUgHON21CpveVSRzwjQfLsEy8kC1 WOgWZ/0Vx4yUP0/pBLvHrt1+eJ7l0gWmDKILbimnkvP7FZrTCPMIVvzGADVNb5RAWLtiFi9z uuzwOPQkEgADL2iPHOHmWPRRHhTRUUG6VnNg5U/XsaIIxZ8GXFnDPnUwLg7fJdikbgTneDNl kxRkGcDoLYmrXGYewiMdF55b7bjAcR2oX4hZHR+Nle0wXkzJ42o6f5HJZcweLAm8s1lzOJ1E KZZK5nRXKwXR2SV4SkZYLn8sJdmKEahizWRMnf3ezM4ZZNhGVDEo4e2Ygv1+SASJSOrrs9i8 aa43wbWTMNbFQRvBcrbcty1yFa1sSRPke5+RRKQcNJSZF/t4M5hLCmo1q07JMQFKBPiwDqG1 lnJXUdE9LeV+4JsqYvHn6GJqYutAtBSJEsCEjmJ96uyOAnb4nGnnd1KXtGXcG2PT2jz4qijO 7lYlqmuLP0dkV9WmINgCLI3n7km7t7iqrIGnARpGHLHMwaiBr96eyTU2MBOsutGx6NDuBvwU UWKo4EINbKMMcLjMVgQOAt6MbjTiaBKwmHfvaYvPUH3xC5r577WA0xdMi6FhDFZMLYoYpgux v0suZJO5gGy4vbw3g1qUsyAG7ywE0E9
- Ironport-hdrordr: A9a23:/Wh1gK87Pv5+oL65Xgxuk+HIdr1zdoMgy1knxilNoENuHfBwxv rDoB1E73LJYW4qKQodcdDpAtjkfZquz+8O3WBxB8bsYOCCggWVxe5ZnPLfKlHbak7DH41mpO ldmspFeaXN5DFB5K6QimjZLz9K+qjizEncv5a5854bd3AMV0gP1XYaNi+rVmlNACVWD5swE5 SRouBdoSC7RHgRZsOnQlEYQunqvbTw5dLbSC9DIyRixBiFjDuu5rK/OQOfxA0iXzRGxqpn2X TZkjb++r6ov5iAu1zhPi7ontZrcenau59+7f+3+48ow/LX+0CVjbFaKvi/VfYO0biSARgR4Y HxSlwbTrlOAjvqDx2ISF3Wqkjd+Qdr0mTlz1CAh3vlvIjWeBIWYvAx3r5xQ1/h8Ewns8h70K VXm0Sjl7QSIy/hsU3GloL1vzcDrDvpnZPnq59Ps5UXa/puVFdcwLZvg399CosPEi7h9YwrJu FyEcnX5fJbdk6tdXzCpGlox+qtUx0Ib2m7a1lHtcqP3zdMmndli0Me2cwEh38FsIkwUp9e+o 3/Q+5VfZx1P4crhJhGdaw8qAqMexjwaAOJNHjXLUXsFakBNX6Io5nr4K8t7OXvfJAT1pM9lJ nITVsd7AcJCg7TINzL2IcO/gHGQW27UziowsZC54Jhsrm5QLbwKyWMRF0njsPlqfQCBc/QXe q1JfttcrLeBHqrHZwM0xz1WpFUJ3VbWMoJuswjU1bLuc7PIp2CjJ2TTB8SHsuaLd8AYBKLPp IuZkmBGCxw1DHdZpajummgZ5rEQD2Mwa5N
- Ironport-sdr: 6wUaDRBw9jS01BN8Po48pkde8pPtEGawwOJK7nIdLKya1KfWtZ3LFY/qTAsESwDGwo63G8PYAj yIVhQlCzyykIQmJI0W0UBf/nNeijQYwQ5QJzaXfvh7olR+TCVYrGZfl1ZFAt0/oDpMnp06JKhv xw/AKTjOJZYWWCnndwPl6zC4ZAx/jsg5ciRrAf7lM7QN850DIfXogHDszWrXDY3O51hq60WfTS lP3myj6Kq1DwNZXmsHolHkfCr7pelHzMWgeh/T+9rZeggMLdVUxhCQLvqplB8LOle+FZeiZOyr n7+W9p1RC6kTWkf8Jg3+kR4a
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Sep 23, 2021 at 05:22:08PM +0200, Jan Beulich wrote:
> On 23.09.2021 17:15, Roger Pau Monné wrote:
> > On Thu, Sep 23, 2021 at 02:15:25PM +0200, Jan Beulich wrote:
> >> On 23.09.2021 13:54, Roger Pau Monné wrote:
> >>> On Thu, Sep 23, 2021 at 01:32:52PM +0200, Jan Beulich wrote:
> >>>> On 23.09.2021 13:10, Roger Pau Monné wrote:
> >>>>> On Tue, Sep 21, 2021 at 09:21:11AM +0200, Jan Beulich wrote:
> >>>>>> --- a/xen/arch/x86/mm/p2m.c
> >>>>>> +++ b/xen/arch/x86/mm/p2m.c
> >>>>>> @@ -1319,6 +1319,18 @@ static int set_typed_p2m_entry(struct do
> >>>>>> return -EPERM;
> >>>>>> }
> >>>>>>
> >>>>>> + /*
> >>>>>> + * Gross bodge, to go away again rather sooner than later:
> >>>>>> + *
> >>>>>> + * For MMIO allow access permissions to accumulate, but only
> >>>>>> for Dom0.
> >>>>>> + * Since set_identity_p2m_entry() and set_mmio_p2m_entry()
> >>>>>> differ in
> >>>>>> + * the way they specify "access", this will allow the
> >>>>>> ultimate result
> >>>>>> + * to be independent of the sequence of operations.
> >>>>>
> >>>>> Wouldn't it be better to 'fix' those operations so that they can work
> >>>>> together?
> >>>>
> >>>> Yes, but then we should do this properly by removing all abuse of
> >>>> p2m_access_t.
> >>>
> >>> I'm not sure I follow what that abuse is.
> >>
> >> As was clarified, p2m_access_t should be solely used by e.g.
> >> introspection agents, who are then the entity responsible for
> >> resolving the resulting faults. Any other uses (to e.g. merely
> >> restrict permissions for other reasons) are really abuses.
> >
> > But some p2m types don't really have a fixed access tied to them, for
> > example MMIO regions just inherit whatever is the default access for
> > the domain, which makes all this look slightly weird. If the access
> > should solely be used by introspection, then each type should have a
> > fixed access tied to it?
>
> I think so, yes. Hence e.g. p2m_ram_ro and p2m_grant_map_r{w,o}.
>
> >> That
> >> is, if e.g. a r/o direct-MMIO mapping is needed, this should not
> >> be expressed as (p2m_mmio_direct, p2m_access_r) tuple, but would
> >> require a distinct p2m_mmio_direct_ro type.
> >
> > I guess we would then require a p2m_mmio_direct_ro,
> > p2m_mmio_direct_rwx and a p2m_mmio_direct_n at least, and ideally we
> > would need to differentiate the mandatory regions as present in ACPI
> > tables using yet different types.
>
> What would we need p2m_mmio_direct_n for?
AMD can specify no access at all for certain regions on the ACPI
tables from what I've read on the manual (IW = IR = 0 in IVMD Flags).
AFAICT amd_iommu_reserve_domain_unity_map can already call
iommu_identity_mapping with access p2m_access_n and that would get
propagated into set_identity_p2m_entry.
> And what's the (present,
> not future) reason for the x in p2m_mmio_direct_rwx?
Mapped ROM BARs, but I'm also unsure we shouldn't just map MMIO with
execute permissions by default unless stated otherwise.
Thanks, Roger.
|
