
Re: [PATCH] xen/grants: repurpose command line max options


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 14 Mar 2023 10:22:16 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 14 Mar 2023 09:22:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Mar 13, 2023 at 05:55:09PM +0100, Jan Beulich wrote:
> On 13.03.2023 13:16, Roger Pau Monne wrote:
> > --- a/docs/misc/xen-command-line.pandoc
> > +++ b/docs/misc/xen-command-line.pandoc
> > @@ -1232,9 +1232,8 @@ The usage of gnttab v2 is not security supported on 
> > ARM platforms.
> >  
> >  > Can be modified at runtime
> >  
> > -Specify the maximum number of frames which any domain may use as part
> > -of its grant table. This value is an upper boundary of the per-domain
> > -value settable via Xen tools.
> > +Specify the default maximum number of frames which any domain may use as 
> > part
> > +of its grant table unless a different value is specified at domain 
> > creation.
> >  
> >  Dom0 is using this value for sizing its grant table.
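Review bot: the retained line "Dom0 is using this value for sizing its grant table." now contradicts the paragraph just rewritten above it, which says the value is the default for any domain created without an explicit value; left as is, it reads as though dom0 were the only consumer. Suggest merging it into the new paragraph, e.g. "Dom0, and any domain created without an explicit value, is sized using this value." The removed "This value is an upper boundary of the per-domain value settable via Xen tools." was also the only statement of the cap semantics, so the new text should say explicitly that the option no longer bounds per-domain values rather than leaving that change implicit.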
> 
> dom0less DomU-s do as well, at the very least, also ...
> 
> > @@ -1245,9 +1244,10 @@ Dom0 is using this value for sizing its grant table.
> >  
> >  > Can be modified at runtime
> >  
> > -Specify the maximum number of frames to use as part of a domains
> > -maptrack array. This value is an upper boundary of the per-domain
> > -value settable via Xen tools.
> > +Specify the default maximum number of frames to use as part of a domains
> > +maptrack array unless a different value is specified at domain creation.
> > +
> > +Dom0 is using this value for sizing its maptrack array.
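Review bot: the added line "Specify the default maximum number of frames to use as part of a domains" carries the pre-existing typo forward; since the line is being rewritten anyway, make it "a domain's maptrack array". The new sentence "Dom0 is using this value for sizing its maptrack array." has the same problem as the grant-table paragraph: every domain without a value at creation uses it, so either drop the dom0-specific sentence or phrase it as "Dom0, and any domain created without an explicit value, is sized using this value." ("Dom0 uses" also reads better than "Dom0 is using".)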
> 
> ... here. And even ordinary DomU-s appear to default to that in the
> absence of a specific value in the guest config. IOW at the very least
> the info you add should not be misleading. Better would be if the pre-
> existing info was adjusted at the same time.

Aren't domUs already clearly covered by the sentence:

"Specify the default maximum number of frames to use as part of a domains..."

IMO dom0 needs to be explicitly mentioned because in that case the
value provided is not the one used by default, but rather the one that
gets used.

> I also wonder about the specific wording down here: While the max grant
> table size can indeed be queried, this isn't the case for the maptrack
> array. A domain also doesn't need to know its size, so maybe "This value
> is used to size all domains' maptrack arrays, unless overridden by their
> guest config"?

I think the wording I've added already conveys this meaning:

"Specify the default maximum number of frames to use as part of a domains
maptrack array unless a different value is specified at domain creation."

> > --- a/xen/common/grant_table.c
> > +++ b/xen/common/grant_table.c
> > @@ -1956,18 +1956,15 @@ int grant_table_init(struct domain *d, int 
> > max_grant_frames,
> >          return -EINVAL;
> >      }
> >  
> > -    /* Default to maximum value if no value was specified */
> > +    /* Apply defaults if no value was specified */
> >      if ( max_grant_frames < 0 )
> >          max_grant_frames = opt_max_grant_frames;
> >      if ( max_maptrack_frames < 0 )
> >          max_maptrack_frames = opt_max_maptrack_frames;
> >  
> > -    if ( max_grant_frames < INITIAL_NR_GRANT_FRAMES ||
> > -         max_grant_frames > opt_max_grant_frames ||
> > -         max_maptrack_frames > opt_max_maptrack_frames )
> > +    if ( max_grant_frames < INITIAL_NR_GRANT_FRAMES )
> >      {
> > -        dprintk(XENLOG_INFO, "Bad grant table sizes: grant %u, maptrack 
> > %u\n",
> > -                max_grant_frames, max_maptrack_frames);
> > +        dprintk(XENLOG_INFO, "Bad grant table size %u\n", 
> > max_grant_frames);
> >          return -EINVAL;
> >      }
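Review bot: after this hunk max_maptrack_frames receives no validation at all in grant_table_init(): the only remaining check is "if ( max_grant_frames < INITIAL_NR_GRANT_FRAMES )", and the dropped "max_maptrack_frames > opt_max_maptrack_frames" was the only bound on it. The commit description should state that toolstack-supplied values are now trusted as-is (domain creation being restricted to privileged entities) and where, if anywhere, an upper limit on the maptrack size is still enforced; otherwise a reader of the diff cannot tell whether the missing check is intentional. Minor: the shortened dprintk "Bad grant table size %u\n" is consistent with the single remaining condition, so no further change is needed there.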
> 
> I think I agree with the relaxation done here, but I also think this not
> introducing security concerns wants spelling out in the description: My
> understanding is that even in disaggregated environments we assume only
> fully privileged entities can create domains.

Yes, that's my understanding, as domain creation can only be done by
privileged domains.  Of course when using a custom XSM policy
the permissions can be changed, but it's then the job of the user to
assess the security implications in that case, and there are existing
paths to cause resource exhaustion when having access to the domain
create hypercall. I can add:

"The relaxation in the logic for the maximum size of the grant and
maptrack table sizes doesn't change the fact that the domain creation
hypercall can cause resource exhaustion, so disaggregated setups
should take it into account."

But domain creation for example also allows creating a domain that has
MSR relaxed, at which point it could also be vulnerable to other
issues.

Thanks, Roger.
