
Re: [PATCH v2 1/2] xsm: create idle domain privileged and demote after setup


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 21 Apr 2022 11:53:36 +0200
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Thu, 21 Apr 2022 09:53:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Apr 20, 2022 at 06:28:33PM -0400, Daniel P. Smith wrote:
> There are now instances where internal hypervisor logic needs to make resource
> allocation calls that are protected by XSM checks. The internal hypervisor logic
> is represented by a number of system domains which by design are represented by
> non-privileged struct domain instances. To enable these logic blocks to
> function correctly but in a controlled manner, this commit changes the idle
> domain to be created as a privileged domain under the default policy, which is
> inherited by the SILO policy, and demoted before transitioning to running. A
> new XSM hook, xsm_transition_running, is introduced to allow each XSM policy
> type to demote the idle domain appropriately for that policy type.
> 
> For flask a stub is added to ensure that the flask policy system will function
> correctly with this patch until flask is extended with support for starting the
> idle domain privileged and properly demoting it on the call to
> xsm_transition_running.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> ---
>  xen/arch/arm/setup.c    |  6 ++++++
>  xen/arch/x86/setup.c    |  6 ++++++
>  xen/common/sched/core.c |  7 ++++++-
>  xen/include/xsm/dummy.h | 12 ++++++++++++
>  xen/include/xsm/xsm.h   |  6 ++++++
>  xen/xsm/dummy.c         |  1 +
>  xen/xsm/flask/hooks.c   | 15 +++++++++++++++
>  7 files changed, 52 insertions(+), 1 deletion(-)
> 
> diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
> index d5d0792ed4..763835aeb5 100644
> --- a/xen/arch/arm/setup.c
> +++ b/xen/arch/arm/setup.c
> @@ -1048,6 +1048,12 @@ void __init start_xen(unsigned long boot_phys_offset,
>      /* Hide UART from DOM0 if we're using it */
>      serial_endboot();
>  
> +    xsm_transition_running();

Could we put depriv or deprivilege somewhere here? 'transition' seems too
ambiguous IMO (but I'm not a native speaker).

xsm_{depriv,demote}_current();

> +
> +    /* Ensure idle domain was not left privileged */
> +    if ( current->domain->is_privileged )
> +        panic("idle domain did not properly transition from setup 
> privilege\n");
> +
>      system_state = SYS_STATE_active;
>  
>      for_each_domain( d )
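Review bot: the call to xsm_transition_running() followed by the `if ( current->domain->is_privileged ) panic(...)` check is duplicated verbatim between this hunk and the x86 init_done() hunk; fold both into one common helper (in xen/common, or inside the hook wrapper itself) so the "not left privileged" guarantee is enforced in a single place rather than re-typed per architecture. Note also that the demotion lands before `system_state = SYS_STATE_active;`, so anything still executed between here and the end of start_xen() that relies on the idle domain's setup privilege would now fail its XSM check; worth a sentence in the commit message confirming nothing does.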
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 6f20e17892..72695dcb07 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -621,6 +621,12 @@ static void noreturn init_done(void)
>      void *va;
>      unsigned long start, end;
>  
> +    xsm_transition_running();
> +
> +    /* Ensure idle domain was not left privileged */
> +    if ( current->domain->is_privileged )
> +        panic("idle domain did not properly transition from setup 
> privilege\n");
> +
>      system_state = SYS_STATE_active;
>  
>      domain_unpause_by_systemcontroller(dom0);
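Review bot: the ordering here is the important property, namely that the idle domain is demoted (and the panic check has passed) before `domain_unpause_by_systemcontroller(dom0);`, so no guest ever runs while the idle domain still carries setup privilege; the comment "Ensure idle domain was not left privileged" should state that ordering requirement explicitly, otherwise a later reshuffle of init_done() could move the hook after the dom0 unpause without anything flagging it. The check itself is the same three lines as in the arm hunk and belongs in a shared helper.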
> diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c
> index 19ab678181..22a619e260 100644
> --- a/xen/common/sched/core.c
> +++ b/xen/common/sched/core.c
> @@ -3021,7 +3021,12 @@ void __init scheduler_init(void)
>          sched_ratelimit_us = SCHED_DEFAULT_RATELIMIT_US;
>      }
>  
> -    idle_domain = domain_create(DOMID_IDLE, NULL, 0);
> +    /*
> +     * idle dom is created privileged to ensure unrestricted access during
> +     * setup and will be demoted by xsm_transition_running when setup is
> +     * complete
> +     */
> +    idle_domain = domain_create(DOMID_IDLE, NULL, CDF_privileged);
>      BUG_ON(IS_ERR(idle_domain));
>      BUG_ON(nr_cpu_ids > ARRAY_SIZE(idle_vcpu));
>      idle_domain->vcpu = idle_vcpu;
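Review bot: `domain_create(DOMID_IDLE, NULL, CDF_privileged)` sets the idle domain privileged unconditionally, regardless of which XSM policy is built in, so the commit message's "created as a privileged domain under the default policy, which is inherited by the SILO policy" is misleading; only the demotion is policy-specific, and the comment above this line should say so. Since the commit message describes the flask hook as a stub, please confirm that stub still clears is_privileged; if it does not, the "Ensure idle domain was not left privileged" panic added in both setup.c files will fire on every flask build.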
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 58afc1d589..b33f0ec672 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -101,6 +101,18 @@ static always_inline int xsm_default_action(
>      }
>  }
>  
> +static XSM_INLINE void cf_check xsm_transition_running(void)
> +{
> +    struct domain *d = current->domain;
> +
> +    if ( d->domain_id != DOMID_IDLE )
> +        panic("xsm_transition_running should only be called by idle 
> domain\n");

Could you also add a check that d->is_privileged == true?

Thanks, Roger.
