Xen project Mailing List

Re: [PATCH 7/7] x86: don't allow Dom0 access to ELCR ports

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 26 Oct 2023 14:51:56 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PXAMHMuCJERcxtt0Dm7d2ZZhd1RzhcRCfpNzWo3MrWE=; b=jZjym7LyMvRwLYt6LSpLwvK9rUDYbvS2joMUkO8zuKcdTTvHZsSaNqc0dmg0kycAyNtIthY2McbgR2vtSALrfe8apH3loLfZXnzPgbryQoaRdS3IQcGRqYtxLHn1IhxW3Yc+Qvoy74hR0ZkWfPIZvNYG4hQDPuZ9+xkJbrB20nq3P/F9AWVRpnpZ5HbpR7Rqpl6rtOUVjn9d0BjZa/F+0mCop2NZCyuBCQWP/pqURDSf5EvQhhu3xuY9q/hnu36fPLQex6ZsKChQlOZy+Cx4FKWZNzse6Mryrm9GNkGjBxAhnmIyMg7U2+fLA8c9s+aPTB26Rmoy0nX0vncWIEfTTQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WsHO9iCJrmD8wfNiMPv4cD/vriqu9ZHWnxKEbcM1X6RCaVP5phJJlPd+vu7UdVjJ6SAtEpAhTvCLZpfQgVnIPPJx9ap3Zrq6HwWJXrdRQjR9j0LYlvBOAuPoKiXdXUPwW1oxzQRxgvk0nedRCIiUKvtJFU5eKmk5uY1fTJuJU9+gdhgF3LDStf03bRP5R5rrFm0TktxbGkRK8uHGStK0vFK2AAh/yxGt7mRrtXOZT0F+rfEH4NG/Kl8Kqg3wRU5Ju6ji7oZfs/QhrGvMlURnTRfvLLWghjvhv7sOljL7tYquGTufAw9/VQdhjtNkVCj6ow9ngufa1Q4f2x6hUXnmew==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Thu, 26 Oct 2023 12:52:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.10.2023 13:02, Roger Pau Monné wrote: > On Thu, May 11, 2023 at 02:08:09PM +0200, Jan Beulich wrote: >> Much like the other PIC ports, Dom0 has no business touching these. Even >> our own uses are somewhat questionable, as the corresponding IO-APIC >> code in Linux is enclosed in a CONFIG_EISA conditional; I don't think >> there are any x86-64 EISA systems. >> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > > Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Thanks. >> --- >> RFC: For Linux'es (matching our) construct_default_ioirq_mptable() we >> may need to permit read access at least for PVH, if such default >> table construction is assumed to be sensible there in the first >> place (we assume ACPI and no PIC for PVH Dom0, after all). > > Unless I'm confused, thise ports only control the triggering mode of > the PICs, and hence a PVH dom0 should have no business with them, as > not having a PIC in the first place. It should have no business, but the code I'm referring to still reads these ports. >> RFC: Linux further has ACPI boot code accessing ELCR >> (acpi_pic_sci_set_trigger() and acpi_register_gsi_pic()), which we >> have no equivalent of. > > If access to the port is denied, ~0 will be returned, and hence all > IRQs will be assumed to be level. Some bits reserved and must be 0 > will also be returned as 1. As with any reserved bits, the party reading them would better ignore their values (like we do). >> Taken together, perhaps the hiding needs to be limited to PVH Dom0? > > I very much doubt Xen will ever use the PIC unless forced on the > command line, and we should likely remove such option and just > mandate a working IO-APIC in order to run Xen. > > My only doubt is whether some Linux code will get confused by poking > at ELCR{1,2} and malfunction as a result of not being able to fetch a > sane mask. Over many years this code hasn't changed much, if at all. So simply from it being okay right now this would hopefully be only a theoretical concern. > As a last resort, we could make the register RO? If and when needed, perhaps. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.