
Re: [PATCH for-4.18 v2] tools/light: Revoke permissions when a PCI detach for HVM domain


  • To: Julien Grall <julien@xxxxxxx>
  • From: Henry Wang <Henry.Wang@xxxxxxx>
  • Date: Sat, 16 Sep 2023 00:11:04 +0000
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julien Grall <jgrall@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>
  • Delivery-date: Sat, 16 Sep 2023 00:11:37 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH for-4.18 v2] tools/light: Revoke permissions when a PCI detach for HVM domain

Hi Julien,

> On Sep 15, 2023, at 20:52, Julien Grall <julien@xxxxxxx> wrote:
> 
> From: Julien Grall <jgrall@xxxxxxxxxx>
> 
> Currently, libxl will grant IOMEM, I/O port and IRQ permissions when
> a PCI is attached (see pci_add_dm_done()) for all domain types. However,
> the permissions are only revoked for non-HVM domain (see do_pci_remove()).
> 
> This means that HVM domains will be left with extra permissions. While
> this looks bad on paper, the IRQ permissions should be revoked
> when the Device Model calls xc_physdev_unmap_pirq(), and such domains
> cannot directly map I/O port and IOMEM regions. Instead, this has to
> be done by a Device Model.
> 
> The Device Model can only run in dom0 or PV stubdomain (upstream libxl
> doesn't have support for HVM/PVH stubdomain).
> 
> For PV/PVH stubdomain, the permissions are properly revoked, so there is
> no security concern.
> 
> This leaves dom0. There are two cases:
>  1) Privileged: Anyone gaining access to the Device Model would already
>     have large control on the host.
>  2) Deprivileged: PCI passthrough requires PHYSDEV operations which
>     are not accessible when the Device Model is restricted.
> 
> So overall, it is believed that the extra permissions cannot be exploited.
> 
> Rework the code so the permissions are all removed for HVM domains.
> This needs to happen after QEMU has detached the device. So
> the revocation is now moved to pci_remove_detached().
> 
> Also add a comment on top of the error message when the PIRQ cannot
> be unbound to explain that this could be a spurious error, as QEMU may have
> already done it.
> 
> Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>

As discussed in v1, it is agreed that this patch should be included in
4.18. Although technically my release-ack tag should be effective after
the code freeze, I am still providing the tag to avoid possible confusion:

Release-acked-by: Henry Wang <Henry.Wang@xxxxxxx>

Kind regards,
Henry




 

