
[PATCH 2/4] xsm/silo: Support hwdom/control domains


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Tue, 10 Jun 2025 18:57:35 -0400
  • Cc: Jason Andryuk <jason.andryuk@xxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 11 Jun 2025 00:00:46 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

In a disaggregated environment, dom0 is split into Control, Hardware,
and Xenstore domains, along with domUs.  The is_control_domain() check
is not sufficient to handle all these cases.  Add is_priv_domain() to
support allowing for the various domains.

The purpose of SILO mode is to prevent domUs from interacting with each
other.  But dom0 was allowed to communicate with domUs to provide
services.  As the disaggregation of dom0, Control, Hardware and Xenstore
are all service domains that need to communicate with other domains.

To provide xenstore connections, the Xenstore domain must be allowed to
connect via grants and event channels.  Xenstore domain must also be
allowed to connect to Control and Hardware to provide xenstore to them.

Hardware domain will provide PV devices to domains, so it must be
allowed to connect to domains.

That leaves Control.  Xenstore and Hardware would already allow access
to Control, so it can obtain services that way.  Control should be
"privileged", which would mean it can make the connections.  But with
Xenstore and Hardware providing their services to domUs, there may not
be a reason to allow Control to use grants or event channels with domUs.
Still, Control is privileged, so it should be allowed to do something if
it chooses.  Establishing a grant, or event channel requires action on
both sides, so allow for the possibility.  This does open up an argo
wildcard ring from domUs, FWIW.

This silo check is for grants, event channels and argo.  The dummy
policy handles other calls, so Hardware is prevented from foreign
mapping Control's memory with that.

Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
---
v2:
Add xenstore domain
Expand commit message
Remove always_inline
---
 xen/xsm/silo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index b89b364287..db48705674 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -20,6 +20,12 @@
 #define XSM_NO_WRAPPERS
 #include <xsm/dummy.h>
 
+static bool is_priv_domain(const struct domain *d)
+{
+    return is_xenstore_domain(d) || is_hardware_domain(d) ||
+           is_control_domain(d);
+}
+
 /*
  * Check if inter-domain communication is allowed.
  * Return true when pass check.
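Review bot: is_priv_domain() has no comment, and its name reads as a general privilege test while the body defines the set of domains exempt from SILO isolation (Xenstore, Hardware, Control). Add a short comment stating that this is the silo exemption set, or use a name such as is_service_domain() to match the "service domains" wording in the commit message, since a Xenstore domain is not privileged in the is_control_domain() sense.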
@@ -29,8 +35,8 @@ static bool silo_mode_dom_check(const struct domain *ldom,
 {
     const struct domain *currd = current->domain;
 
-    return (is_control_domain(currd) || is_control_domain(ldom) ||
-            is_control_domain(rdom) || ldom == rdom);
+    return (is_priv_domain(currd) || is_priv_domain(ldom) ||
+            is_priv_domain(rdom) || ldom == rdom);
 }
 
 static int cf_check silo_evtchn_unbound(
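Review bot: in silo_mode_dom_check() the is_priv_domain(currd) term passes the check for any ldom/rdom pair whenever the calling domain is Hardware or Xenstore, including two distinct domUs. The commit message argues for these domains as endpoints of a connection; if the caller-only exemption is meant for Control alone, keep is_control_domain(currd) for that term, otherwise state the wider rule in the comment above the function, which still only says "Check if inter-domain communication is allowed".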
-- 
2.49.0
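
A stand-alone model of the check before and after this patch, added here as an illustration; it is not part of the patch or of Xen. `struct dom`, the role enum, the `model_*` helpers and the five sample domains are hypothetical stand-ins, and the model assumes each domain has exactly one role and takes currd as a parameter instead of reading current->domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not Xen code: each domain has exactly one role. */
enum role { ROLE_DOMU, ROLE_CONTROL, ROLE_HARDWARE, ROLE_XENSTORE };
struct dom { const char *name; enum role role; };

/* Constructed sample system: three service domains and two guests. */
static const struct dom doms[] = {
    { "control", ROLE_CONTROL }, { "hardware", ROLE_HARDWARE },
    { "xenstore", ROLE_XENSTORE }, { "domU1", ROLE_DOMU }, { "domU2", ROLE_DOMU },
};
#define NDOMS (sizeof(doms) / sizeof(doms[0]))

static bool model_is_control(const struct dom *d) { return d->role == ROLE_CONTROL; }

/* Mirrors the patch's is_priv_domain(): Xenstore, Hardware or Control. */
static bool model_is_priv(const struct dom *d)
{
    return d->role == ROLE_XENSTORE || d->role == ROLE_HARDWARE ||
           d->role == ROLE_CONTROL;
}

/* Check as in the removed lines. */
static bool silo_check_old(const struct dom *c, const struct dom *l, const struct dom *r)
{
    return model_is_control(c) || model_is_control(l) || model_is_control(r) || l == r;
}

/* Check as in the added lines. */
static bool silo_check_new(const struct dom *c, const struct dom *l, const struct dom *r)
{
    return model_is_priv(c) || model_is_priv(l) || model_is_priv(r) || l == r;
}

/* Count (currd, ldom, rdom) triples that pass only after the patch. */
static int newly_allowed(bool print)
{
    int count = 0;
    for (size_t c = 0; c < NDOMS; c++)
        for (size_t l = 0; l < NDOMS; l++)
            for (size_t r = 0; r < NDOMS; r++)
                if (silo_check_new(&doms[c], &doms[l], &doms[r]) &&
                    !silo_check_old(&doms[c], &doms[l], &doms[r])) {
                    count++;
                    if (print)
                        printf("currd=%s: %s <-> %s\n", doms[c].name,
                               doms[l].name, doms[r].name);
                }
    return count;
}

int main(void) { printf("newly allowed: %d\n", newly_allowed(true)); return 0; }
```

The printed list includes rows such as currd=hardware with domU1 and domU2 as the two endpoints, which pass on the currd term alone.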




 

