Re: [XEN v4 1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option

[Julien Grall <julien@xxxxxxx>]

Hi Michal,

On 07/02/2024 11:52, Michal Orzel wrote:
> On 07/02/2024 11:06, Julien Grall wrote:
> > Hi Michal,
> >
> > On 07/02/2024 07:45, Michal Orzel wrote:
> > > On 06/02/2024 19:49, Julien Grall wrote:
> > > > On 31/01/2024 12:10, Ayan Kumar Halder wrote:
> > > > > There can be situations when the registers cannot be emulated to their full
> > > > > functionality. This can be due to the complexity involved. In such cases, one
> > > > > can emulate those registers as RAZ/WI for example. We call them as partial
> > > > > emulation.
> > > > >
> > > > > Some registers are non-optional and as such there is nothing preventing an OS
> > > > > from accessing them.
> > > > > Instead of injecting undefined exception (thus crashing a guest), one may want
> > > > > to prefer a partial emulation to let the guest running (in some cases accepting
> > > > > the fact that it might result in unwanted behavior).
> > > > >
> > > > > A suitable example of this (as seen in subsequent patches) is emulation of
> > > > > DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional
> > > > > registers can be emulated as RAZ/WI and they can be enclosed within
> > > > > CONFIG_PARTIAL_EMULATION.
> > > > >
> > > > > Further, "partial-emulation" command line option allows us to
> > > > > enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
> > > > > enables support for partial emulation at compile time (i.e. adds code for
> > > > > partial emulation), this option may be enabled or disabled by Yocto or other
> > > > > build systems. However if the build system turns this option on, users
> > > > > can use scripts like Imagebuilder to generate uboot-script which will append
> > > > > "partial-emulation=false" to xen command line to turn off the partial
> > > > > emulation. Thus, it helps to avoid rebuilding xen.
> > > > >
> > > > > By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
> > > > > This is done so that Xen supports partial emulation. However, customers are
> > > > > fully aware when they enable partial emulation. It's important to note that
> > > > > enabling such support might result in unwanted/non-spec compliant behavior.
> > > > Can you remind me why this is built by default? In particular...
> > > This is the result of RFC discussion we had, where both Bertrand and Stefano 
> > > agreed on having
> > > the Kconfig enabled by default to improve user experience:
> > > Bertrand:
> > > https://lore.kernel.org/xen-devel/C0ADC33B-1966-4D3E-B081-A3AA0C3AE76D@xxxxxxx/
> > > Stefano:
> > > https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2312081514450.1703076@ubuntu-linux-20-04-desktop/
> > Thanks for the pointer. I thought a bit more and per-se the default of
> > the Kconfig doesn't really matter too much. So I am fine to keep it on
> > by default.
> >
> > That said, I think we need to detail the security support for the
> > command line in SUPPORT.md. I think we want to consider to not security
> > support any issue that would allow the userland to attack the guest OS
> > due to a bug in the partial emulation.
> >
> > I would be fine with security supporting any issue that would
> > DoS/compromise Xen.
> Sounds good to me. Something like:
> ### ARM/Partial emulation
>
> Enable partial emulation of registers, otherwise considered unimplemented,
> that would normally trigger a fault injection.
>
>      Status: Supported, with caveats
>
> Bugs allowing the userspace to attack the guest OS will not be considered
> security vulnerabilities.
>
> Bugs that could compromise Xen will be considered security vulnerabilities.
LGTM.

Cheers,

--
Julien Grall