[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN v4 1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option

  • To: Julien Grall <julien@xxxxxxx>, Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Wed, 7 Feb 2024 12:52:36 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=xen.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HR5jjJqAJ2mvwGBUKuh+NtUs3U0/RVL3mMDNnR++9p8=; b=gSrp4j+uZQHUCKbCXpBGLjD7ed/OgM2fN0eeW3Omuhe3hs9x2xyGYkXMrW9NtDbl0YGUzMZVREdU6PzsLWZHFRKyOSK92trejwYNQdLbp6iaqgiJdhKnb5b3izUq3EDeMYu7t6m16lWItkEnutFzn7HZ8HmSftvZvLDzFREzgIXkAqT7BwHun5SaXteZu4eVmgcStCTkbQquWMqW03vzmKX8rxP3y20yHyO2/DLu1SGzTcUBI4wImeVPHCi0nSklyinQTOqJL8xWGbmKTkrhd2T8vMznwz9FGDKFqqhCAeJKsJ1iPg2IGDM9ZxMsDByoIk7Nryi5HhYfuW9zCKe2JA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SAZzAqUh+Tg76QtgGyCbHDGAO3okMNFfH7vaLPdUhYBba8rA2lQcZdpFzqMlHwoLjJwMddKuDV7Z1fnM1h0639Tf10TlZr/KXxqvkuPSJDq2XRW+YVXXNFth3vq755wuFs2rUSQ45w/DTQt0FcFqCcDYmjyfJ7HmfCd9QZ07DQjUAvwTZAduYzKJwZwBr7/LuXWn9FTzBNCiCMMS2QsKxNoNnAd6YusEVrh1nGl6lgqjKWaQjOvXeE14Gd5UvRZZo7oXq223hS5bxAab+x+1ElyAuZ5aTSb3pCjcaQOe9655FVVfJLWJ0Eg/IugmJQv/WqFoN7G/ic5nqOBX70kK6w==
  • Cc: <sstabellini@xxxxxxxxxx>, <stefano.stabellini@xxxxxxx>, <Volodymyr_Babchuk@xxxxxxxx>, <bertrand.marquis@xxxxxxx>, <luca.fancellu@xxxxxxx>
  • Delivery-date: Wed, 07 Feb 2024 11:52:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07/02/2024 11:06, Julien Grall wrote:
> 
> 
> Hi Michal,
> 
> On 07/02/2024 07:45, Michal Orzel wrote:
>> On 06/02/2024 19:49, Julien Grall wrote:
>>> On 31/01/2024 12:10, Ayan Kumar Halder wrote:
>>>> There can be situations when the registers cannot be emulated to their full
>>>> functionality. This can be due to the complexity involved. In such cases, 
>>>> one
>>>> can emulate those registers as RAZ/WI for example. We call them as partial
>>>> emulation.
>>>>
>>>> Some registers are non-optional and as such there is nothing preventing an 
>>>> OS
>>>> from accessing them.
>>>> Instead of injecting undefined exception (thus crashing a guest), one may 
>>>> want
>>>> to prefer a partial emulation to let the guest running (in some cases 
>>>> accepting
>>>> the fact that it might result in unwanted behavior).
>>>>
>>>> A suitable example of this (as seen in subsequent patches) is emulation of
>>>> DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
>>>> registers can be emulated as RAZ/WI and they can be enclosed within
>>>> CONFIG_PARTIAL_EMULATION.
>>>>
>>>> Further, "partial-emulation" command line option allows us to
>>>> enable/disable partial emulation at run time. While 
>>>> CONFIG_PARTIAL_EMULATION
>>>> enables support for partial emulation at compile time (i.e. adds code for
>>>> partial emulation), this option may be enabled or disabled by Yocto or 
>>>> other
>>>> build systems. However if the build system turns this option on, users
>>>> can use scripts like Imagebuilder to generate uboot-script which will 
>>>> append
>>>> "partial-emulation=false" to xen command line to turn off the partial
>>>> emulation. Thus, it helps to avoid rebuilding xen.
>>>>
>>>> By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
>>>> This is done so that Xen supports partial emulation. However, customers are
>>>> fully aware when they enable partial emulation. It's important to note that
>>>> enabling such support might result in unwanted/non-spec compliant behavior.
>>>
>>> Can you remind me why this is built by default? In particular...
>> This is the result of RFC discussion we had, where both Bertrand and Stefano 
>> agreed on having
>> the Kconfig enabled by default to improve user experience:
>> Bertrand:
>> https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@xxxxxxx/
>> Stefano:
>> https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/
> 
> Thanks for the pointer. I thought a bit more and per-se the default of
> the Kconfig doesn't really matter too much. So I am fine to keep it on
> by default.
> 
> That said, I think we need to detail the security support for the
> command line in SUPPORT.md. I think we want to consider to not security
> support any issue that would allow the userland to attack the guest OS
> due to a bug in the partial emulation.
> 
> I would be fine with security supporting any issue that would
> DoS/compromise Xen.
Sounds good to me. Something like:
### ARM/Partial emulation

Enable partial emulation of registers, otherwise considered unimplemented,
that would normally trigger a fault injection.

    Status: Supported, with caveats

Bugs allowing the userspace to attack the guest OS will not be considered
security vulnerabilities.

Bugs that could compromise Xen will be considered security vulnerabilities.

~Michal

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.