Xen project Mailing List

Re: [PATCH] vpci: add permission checks to map_range()

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Wed, 26 Jul 2023 15:37:11 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Ej03+lMAaLOLBjlUuvv0T0UXsgOo/q90Ko3UE49jVZ8=; b=fRz77yjB2JwKjhPm0qFrwdb/gbPadBm7KE2D+01P2TfJ6hrtRddjk1mRA9R6DjNLZ/+GikyS5gEXB4Qp9j/iOW0nas+neEk9Zz0GGy+KCnKDj3kZzONoaV7Pkh2eoTEcNyXFeZmZM1TcrUmfYmt0D5Uur4TMw+43ZUvjgZq6ukR7g0BPdxpejaR3nJR1EkKamRGX9VDxteD4neS3VQ+rcPGV48/JjqLR52fAiIE76fRbv34M3iE99zNSGMJ6s3xeEq8TrzssUXtGlJIhtWg1i20HwvsGc3bLCb2gZTWTnw69T66blSFoHmaAQDoLhKpi5UwuU8TVIYGmq3DqPuEnBw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KEgZPc3iUetaGkRwje5bqbms9oo1Mr0OHqEEnv4EHwCPyB7Sy3hxhBWX8Y+u2XCwrPUCUYpwl+AdeWHZWUCjwrYUoeJhaTIREiugxRvtqHp76UU1XLaW2VoptUFb3avbsz8hu8sR3bDZM0vLf0NSDfWbEXoSA0ruOPK7tEwyGoMbYLP8zANvwj5STHcSKArUEpkbtOyb9Oif7Wx4pUQqtfo8wmC9ycoS58w8xEtUq6qxnhE126vptaHyM6Zuh9TZ7JErCFf8lh3cxXILLT151nvAkE+nsCs0goPj5lVcBhrlykbFlrAKo+KvM2dPehIl48vC1YtaK9DGK8llbn2NkQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Wed, 26 Jul 2023 13:37:42 +0000

Ironport-data: A9a23:9RB8fa5ePRGCJjgktAx6NgxRtP3GchMFZxGqfqrLsTDasY5as4F+v mcXWm2PPf2JNDTze4gjb4rg/BsH7JTSx4VlTlZq+3hhHi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvynTraCYnsrLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9lU35ZwehBtC5gZlPa8R4geH/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m+ tgnCwEJYEG5g+O4mpaGEqpNm+88FZy+VG8fkikIITDxK98DGcyGb4CUoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6Ml0otiNABM/KMEjCObd9SkUuC4 HrP4kzyAw0ANczZwj2Amp6prraWw3yqCdtPStVU8NZyvQGU52M5CyEbelmE+fmW1nXgBMp2f hl8Fi0G6PJaGFaQZtv3UgC8oXWElgUBQNcWGOo/gCmSzoLE7gDfAXILJhZNcMcjtdM2bTUy2 0WVgsjyAjhyrLyST2nb/bCRxRuiNC5QIWIcaCssSQoe/8KlsIw1lgjITNtoDOiylNKdJN3r6 zWDrSx7i7BNi8cOj/m/5Qqf32rqoYXVRAko4AmRRnii8g5yeI+iYcqv9ETf6vFDao2eSzFto UQ5piRX18hWZbnlqcBHaL5l8G2BjxpdDADhvA==

Ironport-hdrordr: A9a23:pTt4mKFWajbgmyHLpLqE18eALOsnbusQ8zAXPo5KOGVom62j5r iTdZEgvyMc5wxhPU3I9erwWpVoBEmslqKdgrNxAV7BZniDhILAFugLhrcKgQeBJ8SUzJ876U 4PSdkZNDQyNzRHZATBjTVQ3+xO/DBPys6Vuds=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Jul 26, 2023 at 02:36:17PM +0200, Jan Beulich wrote: > On 24.07.2023 17:37, Roger Pau Monne wrote: > > @@ -1184,6 +1177,20 @@ int __init dom0_construct_pvh(struct domain *d, > > const module_t *image, > > > > printk(XENLOG_INFO "*** Building a PVH Dom%d ***\n", d->domain_id); > > > > + if ( is_hardware_domain(d) ) > > + { > > + /* > > + * Setup permissions early so that calls to add MMIO regions to the > > + * p2m as part of vPCI setup don't fail due to permission checks. > > + */ > > + rc = dom0_setup_permissions(d); > > + if ( rc ) > > + { > > + printk("%pd unable to setup permissions: %d\n", d, rc); > > The switch from panic() to printk() may want mentioning in the description > as deliberate. (The usefulness of %pd here is debatable, as it can't be > other than Dom0. But I don't mind.) The printk just above uses Dom%d, so I assumed it was best to not hardcode 0 here either. > > @@ -43,6 +46,21 @@ static int cf_check map_range( > > { > > unsigned long size = e - s + 1; > > > > + if ( !iomem_access_permitted(map->d, s, e) ) > > + { > > + gprintk(XENLOG_WARNING, > > + "%pd denied access to MMIO range [%#lx, %#lx]\n", s, > > e); > > This doesn't look like it would compile. Also gprintk() logs current, > which I'm not sure is generally applicable here. IOW I think it wants > to be > > printk(XENLOG_G_WARNING, > "%pd denied access to MMIO range [%#lx, %#lx]\n", > map->d, s, e); > > Same for the other log message then. Oh great. I changed the format of those before sending and didn't rebuild properly. > Another Dom0 related concern can probably be put off until we actually > get a report of this failing (which may be more likely because of the > XSM check below): The function being used as a callback passed to > rangeset_consume_ranges(), failure may affect just a single BAR, while > the incoming range may cover multiple of them in one go. Depending on > what functionality such a BAR covers, the device may remain usable (a > typical example of what I'm thinking of is a multi-function device > having serial and/or parallel port on it, which are fine to be driven > via I/O ports even if driving via MMIO is possible [and would likely > be more efficient]). Of course, to allow some MMIO bars to be used > while prohibiting use of some others, further trickery may be needed. > But not exposing the device to Dom0 at all doesn't seem very nice in > such a case. Hm, I see. For dom0 we might want to consider ignoring mapping failures, the problem is that we would need to narrow down the pages not allowed to be mapped, as part of the range passed to map_range() might be allowed. We would need to resort to checking permissions on a page by page basis, which is not overly nice. I think it's more likely for such BARs to be marked as read-only (instead of denying access), in which case the checking here would still be OK. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.