Xen project Mailing List

Re: [PATCH] xen/arm: fix SBDF calculation for vPCI MMIO handlers

To: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 2 Nov 2021 09:48:22 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PQfaRdk0WQYaBpJN3Gi0z2LuijTg4/LxYun6RXSlJ8k=; b=g4IW1LzxyYcNkchXzmVmynyCwFyCXtFnO33xSHjuUKWbU6K223w5Ou2U7SoPSA4Ob3DKbd8FOYZm5dSaaC5QxNxVqOidnk74VcwLhUAwIOGaDuzrWZIFgpW7U5hd4oqIZUgQgj0ANWN/P8/Vje50jn/oZtmhRJ1sWSEIQ/FQ1/jQJx/iLdhyIDV3Pl1Tvroeg0CPFaAS+6+ZFQMMhLSHaqvC+c/br9ZjOqaUNVh1rWQXkhcvOr37xBCgwkRqYe3WJwacFPQeFhXPWizcPi93EQBjJ3Yh43FrCuY3vBgvvWbIQA48ttaPD6t71c3lP61QdKOVcm4KlMRzc4ftYYRdJg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SlLVKL82c1DDO85hNz1fMZkqYkfRYfJDJ5xvfeKFULyewNkCxaPyM67I29mafIAjkzj1h7Lvw1oWRbt+n9nCpfHB4XZzvSKEoJFOFTaMmRtbo4PmkxykGI4RhFbLU5Bv+fLoxcBO8HuBm1XT0hqBqM2xeumVHakpVcnRG8ESYgQc+DUJW7oVkjrA1yUnlp7YJPtcOdJfmjtmVxnpM6hNo23yrmwToBHJzWDHLnkSeqUNyoeN65agykpET5qaJhhC/B356atYUyaqHdxIkRlw4wbq89u6E08Km6T2rNChE4OyrCeT5bfQXCStllzeX2GVT4hFdJf3C2b28se7jtwlJA==

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 02 Nov 2021 08:48:44 +0000

Ironport-data: A9a23:D4Y84qCxd3eZzBVW/5jkw5YqxClBgxIJ4kV8jS/XYbTApDIl0mQGn 2ZOXjyEb/eCYGSnctp1boq+8RwD7ZfXmNYxQQY4rX1jcSlH+JHPbTi7wuYcHM8wwunrFh8PA xA2M4GYRCwMo/u1Si6FatANl1ElvU2zbue6WLGs1hxZH1c+EX540Ug7wobVv6Yz6TSHK1LV0 T/Ni5W31G+Ng1aY5UpNtspvADs21BjDkGtwUm4WPJinj3eH/5UhN7oNJLnZEpfNatI88thW5 Qr05OrREmvxp3/BAz4++1rxWhVirrX6ZWBihpfKMkQLb9crSiEai84G2PQghUh/pguJxNB18 fZ3lI2zGDwyHamSuMlHekwNe81+FfUuFL7vJHG+tYqYzlHccmuqyPJrZK00FdRGoKAtWzgIr KFGbmBWBvyAr7veLLaTUO5ji95lNMD2FIgepmth3XfSCvNOrZXrHvWVtIYChmtYasZmD9LyW OQYbGFVdRH/XERpIH4NAs0ug7L97pX4W2IB8w/EzUYt2EDI1xB42rXpNNvTe/SJSN9Tk0Leo XjJl0zjCxEHMJqEyDyK8lqlnOqJliT+MKoCGbv9+vN0jVm7wm0IFAZQRVa9ueO+iEO1R5RYM UN80g0qoKsp/UqnVO7UWRGivWWEtR4RXdlXO+Ai4QTLwa3Riy6bG2wFQzhpeNEg8sgsSlQC3 FKTg8ngAzAptbSPUG+c7Z+dtzb0Mi8QRVLufgddE1FDuYO65thu0FSfFb6PDZJZkPXYJzGrw zSzjxIflrZCttUo0/ub0Aru1mfESofyciY54QDeX2SA5wx/ZZK4a4HA1WU3/cqsP67CEADf4 SFsd9y2qblXUMrTzHDlrPAlRenxv5643CvgbUmD9nXL3xCk4DadcI9Z+1mSz285Y59fKVcFj KI+0D69BaO/3lP2PcebgKrrUqzGKJQM8/y/D5g4ifIVOvBMmPevpn0GWKJp9zmFfLIQua8+I 4yHVs2nEGwXD69qpBLvGbxAju5xnn9knzqPLXwe8/hB+eDHDJJyYexdWGZik8hjtP/UyOkr2 48HXyd19/mveLKnOXSGmWLiBVsLMWI6FfjLRz9/LYa+zv5dMDh5UZf5mOp5E6Q8xvg9vrqYr xmVBx4DoHKi1CKvFOl/Qi06AF8Zdc0k9ixT0O1FFQvA5kXPlq72t/pCLMRrJeFPGS4K5accc sTpsv6oW5xnYj/G5y4cfd/6qoljfw6sngWAI2yuZz1XQnKqb1WhFgbMclS9+S8QIDCwsMdi8 bSs2hmCGcgIRhh4DdaQY/WqlgvjsX8YkeN0fk3JPtgMJxm8rNk0c3T83q0tPsUBCRTf3T/Gh QyYNggV+LvWqIgv/diX2a3d99W1E/FzF1ZxFnXA6erkLjHT+2eumNcSUOuBcT3Hennz/aGuO bdcw/3maaVVl1dWqYtsVb1syPtmtdfoorZbyCViHWnKMAv3Wu8xfCHe0JAW5KNXx7JftQ+nY W61+4FXaeeTJcfoMF8NPw55PO6N4u4Zx2vJ5vMvLUSkuCIupOibUV9fNgWngTBGKOcnK5ssx OostZJE6wG7jRZ2YN+KgjoNqjaJJ30EFa4mqosbEMngjQ9ykgNOZpnVCynX5pCTaooTbhl2c 2HM3KeS1a5BwkficmYoESmf1OVQsp0CpRRWwQJQPF+OgNfE2qc60RA5He7bleiJIsGrC95OB 1U=

Ironport-hdrordr: A9a23:JR57YaHP7nFGc3zVpLqEEseALOsnbusQ8zAXPiBKJCC9vPb5qy nOpoV+6faQslwssR4b9uxoVJPvfZq+z+8R3WByB8bAYOCOggLBQL2KhbGI/9SKIVydygcy78 Zdm6gVMqyMMbB55/yKnDVRxbwbsaa6GKPDv5ah8590JzsaDJ2Jd21Ce32m+ksdfnghObMJUK Cyy+BgvDSadXEefq2AdwM4t7iqnayzqHr+CyR2fyIa1A==

Ironport-sdr: 0MFhZP2WmPEWDRFKb4CUXUoj8/INKiWBPFOINljpJ9sU47O/Ep42IlPcSA92B2M+cgK0jiCBoG upo/Sq0OK9hvabS61k3/Ke+HGpfS4eZoQkf2IpEu+Ro73J1btuJvIdxl6MkftDGYmZp5EIqOAr 1ppas9TCK9vycM/py89uUaXab2BZ+KGxkG9f6PoApLGNK65nEZBPY+72zjIY0WrvKEI1pYXaYo MClva39pDmkQ0ambeiKlfMYIkEJ/0dVUebpRRYloEG8kIAPhWM73RmCAxUR65SyGc64funAxE+ PdNRNVs29iEUoQ8VcMLvIIAN

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Nov 01, 2021 at 06:14:40AM +0000, Oleksandr Andrushchenko wrote: > > > On 29.10.21 10:33, Roger Pau Monné wrote: > > On Thu, Oct 28, 2021 at 05:55:25PM +0000, Oleksandr Andrushchenko wrote: > >> > >> On 28.10.21 19:03, Roger Pau Monné wrote: > >>> On Thu, Oct 28, 2021 at 02:23:34PM +0000, Oleksandr Andrushchenko wrote: > >>>> On 28.10.21 16:36, Roger Pau Monné wrote: > >>>>> And for domUs you really need to fix vpci_{read,write} to not > >>>>> passthrough accesses not explicitly handled. > >>>> Do you mean that we need to validate SBDFs there? > >>>> This can be tricky if we have a use-case when a PCI device being > >>>> passed through if not put at 0000:00:0.0, but requested to be, for > >>>> example, 0000:0d:0.0. So, we need to go over the list of virtual > >>>> devices and see if SBDF the guest is trying to access is a valid SBDF. > >>>> Is this what you mean? > >>> No, you need to prevent accesses to registers not explicitly handled > >>> by vpci. Ie: do not forward unhandled accesses to > >>> vpci_{read,wrie}_hw). > >> I see, so those which have no handlers are not passed to the hardware. > >> I need to see how to do that > > Indeed. Without fixing that passthrough to domUs is completely unsafe, > > as you allow domUs full access to registers not explicitly handled by > > current vPCI code. > Well, my understanding is: we can let the guest access whatever > registers it wants with the following exceptions: > - "special" registers we already trap in vPCI, e.g. command, BARs > - we must not let the guest go out of the configuration space of a > specific PCI device, e.g. prevent it from accessing configuration > spaces of other devices. > The rest accesses seem to be ok to me as we do not really want: > - have handlers and emulate all possible registers > - we do not want the guest to fail if it accesses a valid register which > we do not emulate. IMO that's not good from a security PoV. Xen needs to be sure that every registers a guest accesses is not going to cause the system to malfunction, so Xen needs to keep a list of the registers it's safe for a guest to access. For example we should only expose the PCI capabilities that we know are safe for a guest to use, ie: MSI and MSI-X initially. The rest of the capabilities should be blocked from guest access, unless we audit them and declare safe for a guest to access. As a reference you might want to look at the approach currently used by QEMU in order to do PCI passthrough. A very limited set of PCI capabilities known to be safe for untrusted access are exposed to the guest, and registers need to be explicitly handled or else access is rejected. We need a fairly similar model in vPCI or else none of this will be safe for unprivileged access. Regards, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.