Xen project Mailing List

Re: [PATCH for-4.18 v2] tools/light: Revoke permissions when a PCI detach for HVM domain

From: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Date: Mon, 18 Sep 2023 11:24:28 +0100

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Henry.Wang@xxxxxxx, Julien Grall <jgrall@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Juergen Gross <jgross@xxxxxxxx>

Delivery-date: Mon, 18 Sep 2023 10:24:42 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Sep 15, 2023 at 01:52:04PM +0100, Julien Grall wrote: > From: Julien Grall <jgrall@xxxxxxxxxx> > > Currently, libxl will grant IOMEM, I/O port and IRQ permissions when > a PCI is attached (see pci_add_dm_done()) for all domain types. However, > the permissions are only revoked for non-HVM domain (see do_pci_remove()). > > This means that HVM domains will be left with extra permissions. While > this look bad on the paper, the IRQ permissions should be revoked > when the Device Model call xc_physdev_unmap_pirq() and such domain > cannot directly mapped I/O port and IOMEM regions. Instead, this has to > be done by a Device Model. > > The Device Model can only run in dom0 or PV stubdomain (upstream libxl > doesn't have support for HVM/PVH stubdomain). > > For PV/PVH stubdomain, the permission are properly revoked, so there is > no security concern. > > This leaves dom0. There are two cases: > 1) Privileged: Anyone gaining access to the Device Model would already > have large control on the host. > 2) Deprivileged: PCI passthrough require PHYSDEV operations which > are not accessible when the Device Model is restricted. > > So overall, it is believed that the extra permissions cannot be exploited. > > Rework the code so the permissions are all removed for HVM domains. > This needs to happen after the QEMU has detached the device. So > the revocation is now moved to pci_remove_detached(). > > Also add a comment on top of the error message when the PIRQ cannot > be unbind to explain this could be a spurious error as QEMU may have > already done it. > > Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> > > --- > > Changes since v1: > * Move the code to revoke in pci_remove_detached() > * Add a comment on top of the PIRQ unbind error path > * Use goto to deal with errors. Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> Thanks, -- Anthony PERARD

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.