
Re: [PATCH] xen/arm: fix SBDF calculation for vPCI MMIO handlers


  • To: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 2 Nov 2021 10:32:03 +0100
  • Cc: Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 02 Nov 2021 09:32:23 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Nov 02, 2021 at 09:07:56AM +0000, Oleksandr Andrushchenko wrote:
> 
> 
> On 02.11.21 10:48, Roger Pau Monné wrote:
> > On Mon, Nov 01, 2021 at 06:14:40AM +0000, Oleksandr Andrushchenko wrote:
> >>
> >> On 29.10.21 10:33, Roger Pau Monné wrote:
> >>> On Thu, Oct 28, 2021 at 05:55:25PM +0000, Oleksandr Andrushchenko wrote:
> >>>> On 28.10.21 19:03, Roger Pau Monné wrote:
> >>>>> On Thu, Oct 28, 2021 at 02:23:34PM +0000, Oleksandr Andrushchenko wrote:
> >>>>>> On 28.10.21 16:36, Roger Pau Monné wrote:
> >>>>>>> And for domUs you really need to fix vpci_{read,write} to not
> >>>>>>> passthrough accesses not explicitly handled.
> >>>>>> Do you mean that we need to validate SBDFs there?
> >>>>>> This can be tricky if we have a use-case when a PCI device being
> >>>>>> passed through is not put at 0000:00:0.0, but requested to be, for
> >>>>>> example, 0000:0d:0.0. So, we need to go over the list of virtual
> >>>>>> devices and see if SBDF the guest is trying to access is a valid SBDF.
> >>>>>> Is this what you mean?
> >>>>> No, you need to prevent accesses to registers not explicitly handled
> >>>>> by vpci. Ie: do not forward unhandled accesses to
> >>>>> vpci_{read,write}_hw.
> >>>> I see, so those which have no handlers are not passed to the hardware.
> >>>> I need to see how to do that
> >>> Indeed. Without fixing that passthrough to domUs is completely unsafe,
> >>> as you allow domUs full access to registers not explicitly handled by
> >>> current vPCI code.
> >> Well, my understanding is: we can let the guest access whatever
> >> registers it wants with the following exceptions:
> >> - "special" registers we already trap in vPCI, e.g. command, BARs
> >> - we must not let the guest go out of the configuration space of a
> >> specific PCI device, e.g. prevent it from accessing configuration
> >> spaces of other devices.
> >> The rest of the accesses seem to be ok to me as we do not really want:
> >> - have handlers and emulate all possible registers
> >> - we do not want the guest to fail if it accesses a valid register which
> >> we do not emulate.
> > IMO that's not good from a security PoV. Xen needs to be sure that
> > every register a guest accesses is not going to cause the system to
> > malfunction, so Xen needs to keep a list of the registers it's safe
> > for a guest to access.
> >
> > For example we should only expose the PCI capabilities that we know
> > are safe for a guest to use, ie: MSI and MSI-X initially. The rest of
> > the capabilities should be blocked from guest access, unless we audit
> > them and declare them safe for a guest to access.
> >
> > As a reference you might want to look at the approach currently used
> > by QEMU in order to do PCI passthrough. A very limited set of PCI
> > capabilities known to be safe for untrusted access are exposed to the
> > guest, and registers need to be explicitly handled or else access is
> > rejected. We need a fairly similar model in vPCI or else none of this
> > will be safe for unprivileged access.
> I do agree with this. But at the moment we only emulate some of them,
> so in the future we will need revisiting the emulation and put many
> more registers under Xen's control

Indeed. That's my main point - there's still a lot of work to do
internally in vPCI in order to be safe for unprivileged guests to
use.

Thanks, Roger.
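
The two models debated in this thread, side by side, as an added illustration that is not code from the patch or from Xen's vPCI. All names, the allowlisted register ranges, and the choice to answer rejected reads with all-ones and drop rejected writes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not Xen's vPCI code. */
#define CFG_SIZE 256u

struct reg_range { unsigned int off, len; };  /* registers with an explicit handler */

/* Constructed allowlist: command register, BAR0-BAR5, one capability at 0x50. */
static const struct reg_range handled[] = { { 0x04, 2 }, { 0x10, 24 }, { 0x50, 8 } };

enum policy { PASS_UNHANDLED, DENY_UNHANDLED };

static uint32_t all_ones(unsigned int size)
{
    return size < 4 ? (1u << (8 * size)) - 1 : 0xffffffffu;
}

/* 1, 2 or 4 bytes, naturally aligned, inside this device's own config space. */
static bool is_valid(unsigned int reg, unsigned int size)
{
    return (size == 1 || size == 2 || size == 4) &&
           !(reg & (size - 1)) && reg < CFG_SIZE && size <= CFG_SIZE - reg;
}

/* Handled only if the whole access lies inside one allowlisted range. */
static bool is_handled(unsigned int reg, unsigned int size)
{
    for (size_t i = 0; i < sizeof(handled) / sizeof(handled[0]); i++)
        if (reg >= handled[i].off && reg + size <= handled[i].off + handled[i].len)
            return true;
    return false;
}

uint32_t cfg_read(enum policy p, const uint8_t *hw, unsigned int reg, unsigned int size)
{
    uint32_t val = 0;

    if (!is_valid(reg, size) || (p == DENY_UNHANDLED && !is_handled(reg, size)))
        return all_ones(size);             /* rejected: hardware is never read */
    for (unsigned int i = 0; i < size; i++)  /* stands in for the hardware access */
        val |= (uint32_t)hw[reg + i] << (8 * i);
    return val;
}

bool cfg_write(enum policy p, uint8_t *hw, unsigned int reg, unsigned int size, uint32_t val)
{
    if (!is_valid(reg, size) || (p == DENY_UNHANDLED && !is_handled(reg, size)))
        return false;                      /* rejected: hardware is left untouched */
    for (unsigned int i = 0; i < size; i++)
        hw[reg + i] = (uint8_t)(val >> (8 * i));
    return true;
}
```

With `PASS_UNHANDLED` any in-range register reaches the device; with `DENY_UNHANDLED` only the allowlisted ranges do, so exposing a new capability to a guest is an explicit change to `handled`.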
