[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
Date: Thu, 1 Aug 2024 14:41:14 +0200
Cc: "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <gwd@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony@xxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stewart Hildebrand <Stewart.Hildebrand@xxxxxxx>, Huang Rui <ray.huang@xxxxxxx>, Jiqian Chen <Jiqian.Chen@xxxxxxx>
Delivery-date: Thu, 01 Aug 2024 12:41:35 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Aug 01, 2024 at 01:36:16PM +0200, Jan Beulich wrote:
> On 01.08.2024 13:06, Roger Pau Monné wrote:
> > On Mon, Jul 08, 2024 at 07:41:21PM +0800, Jiqian Chen wrote:
> >> Remaining comment @Daniel P . Smith:
> >> +        ret = -EPERM;
> >> +        if ( !irq_access_permitted(currd, irq) ||
> >> +             xsm_irq_permission(XSM_HOOK, d, irq, access_flag) )
> >> +            goto gsi_permission_out;
> >> Is it okay to issue the XSM check using the translated value, 
> >> not the one that was originally passed into the hypercall?
> > 
> > FWIW, I don't see the GSI -> IRQ translation much different from the
> > pIRQ -> IRQ translation done by pirq_access_permitted(), which is also
> > ahead of the xsm check.
> 
> The question (which I raised originally) isn't an ordering one, but an
> auditing one: Is it okay to pass the XSM hook a value that isn't what
> was passed into the hypercall?

But that's also the case with the current XEN_DOMCTL_irq_permission
implementation?  As the hypercall parameter is a pIRQ, and the XSM
check is done against the translated IRQ obtained from the pIRQ
parameter.

Not saying you question is not relevant, but we already have at least
one very similar instance of doing the XSM check against a value
derived from an hypercall parameter.

Thanks, Roger.

Follow-Ups:
- Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Jan Beulich

References:
- Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Roger Pau Monné
- Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Jan Beulich

Prev by Date: Re: [PATCH v3 8/9] xen/riscv: page table handling
Next by Date: [PATCH] 9pfsd: fix release build with old gcc
Previous by thread: Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
Next by thread: Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.