[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Revert "evtchn: refuse EVTCHNOP_status for Xen-bound event channels"

  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 21 May 2024 08:17:07 +0200
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 21 May 2024 06:17:11 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 17.05.2024 22:28, Stefano Stabellini wrote:
> On Fri, 17 May 2024, Jan Beulich wrote:
>> On 17.05.2024 03:21, Stefano Stabellini wrote:
>>> On Thu, 16 May 2024, Jan Beulich wrote:
>>>> 1) In the discussion George claimed that exposing status information in
>>>> an uncontrolled manner is okay. I'm afraid I have to disagree, seeing
>>>> how a similar assumption by CPU designers has led to a flood of
>>>> vulnerabilities over the last 6+ years. Information exposure imo is never
>>>> okay, unless it can be _proven_ that absolutely nothing "useful" can be
>>>> inferred from it. (I'm having difficulty seeing how such a proof might
>>>> look like.)
>>>
>>> Many would agree that it is better not to expose status information in
>>> an uncontrolled manner. Anyway, let's focus on the actionable.
>>>
>>>
>>>> 2) Me pointing out that the XSM hook might similarly get in the way of
>>>> debugging, Andrew suggested that this is not an issue because any sensible
>>>> XSM policy used in such an environment would grant sufficient privilege to
>>>> Dom0. Yet that then still doesn't cover why DomU-s also can obtain status
>>>> for Xen-internal event channels. The debugging argument then becomes weak,
>>>> as in that case the XSM hook is possibly going to get in the way.
>>>>
>>>> 3) In the discussion Andrew further gave the impression that evtchn_send()
>>>> had no XSM check. Yet it has; the difference to evtchn_status() is that
>>>> the latter uses XSM_TARGET while the former uses XSM_HOOK. (Much like
>>>> evtchn_status() may indeed be useful for debugging, evtchn_send() may be
>>>> similarly useful to allow getting a stuck channel unstuck.)
>>>>
>>>> In summary I continue to think that an outright revert was inappropriate.
>>>> DomU-s should continue to be denied status information on Xen-internal
>>>> event channels, unconditionally and independent of whether dummy, silo, or
>>>> Flask is in use.
>>>
>>> I think DomU-s should continue to be denied status information on
>>> Xen-internal event channels *based on the default dummy, silo, or Flask
>>> policy*. It is not up to us to decide the security policy, only to
>>> enforce it and provide sensible defaults.
>>>
>>> In any case, the XSM_TARGET check in evtchn_status seems to do what we
>>> want?
>>
>> No. XSM_TARGET permits the "owning" (not really, but it's its table) domain
>> access. See xsm_default_action() in xsm/dummy.h.
> 
> Sorry I still don't understand. Why is that a problem? It looks like the
> wanted default behavior?

For ordinary event channels - yes. But not for Xen-internal ones, at least
from my pov.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.