Xen project Mailing List

Re: [PATCH 4/4] xsm/dummy: Allow hwdom SYSCTL_readconsole/physinfo

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Mon, 7 Jul 2025 14:52:21 -0700 (PDT)

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 07 Jul 2025 21:52:37 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, 20 Jun 2025, Jan Beulich wrote: > On 19.06.2025 02:36, Stefano Stabellini wrote: > > On Tue, 17 Jun 2025, Jan Beulich wrote: > >> On 17.06.2025 02:10, Stefano Stabellini wrote: > >>> On Mon, 16 Jun 2025, Jan Beulich wrote: > >>>> On 14.06.2025 00:51, Stefano Stabellini wrote: > >>>>> On Wed, 11 Jun 2025, Jason Andryuk wrote: > >>>>>> On 2025-06-11 09:27, Jan Beulich wrote: > >>>>>>> On 11.06.2025 00:57, Jason Andryuk wrote: > >>>>>>>> Allow the hwdom to access the console, and to access physical > >>>>>>>> information about the system. > >>>>>>>> > >>>>>>>> xenconsoled can read Xen's dmesg. If it's in hwdom, then that > >>>>>>>> permission would be required. > >>>>>>> > >>>>>>> Why would xenconsoled run in the hardware domain? It's purely a > >>>>>>> software > >>>>>>> construct, isn't it? As a daemon, putting it in the control domain may > >>>>>>> make sense. Otherwise it probably ought to go in a service domain. > >>>>>> > >>>>>> My approach has been to transform dom0 into the hardware domain and > >>>>>> add a new > >>>>>> control domain. xenconsoled was left running in the hardware domain. > >>>>> > >>>>> I think we should keep xenconsoled in the hardware domain because the > >>>>> control domain should be just optional. (However, one could say that > >>>>> with > >>>>> Denis' recent changes xenconsoled is also optional because one can use > >>>>> console hypercalls or emulators (PL011, NS16550) for all DomUs.) > >>>>> > >>>>> > >>>>> > >>>>>> I suppose it could move. Maybe that would be fine? I haven't tried. > >>>>>> The > >>>>>> Hyperlaunch code populates the console grants to point at the hardware > >>>>>> domain, > >>>>>> and I just followed that. > >>>>>> > >>>>>> One aspect of why I left most things running in the Hardware domain > >>>>>> was to not > >>>>>> run things in the Control domain. If Control is the highest privileged > >>>>>> entity, we'd rather run software in lower privileged places. Especially > >>>>>> something like xenconsoled which is receiving data from the domUs. > >>>>> > >>>>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the > >>>>> Control Domain because the Control Domain is meant to be safe from > >>>>> interference. We want to keep the number of potential vehicles for > >>>>> interference down to a minimum and shared memory between Control Domain > >>>>> and DomUs is certainly a vehicle for interference. > >>>> > >>>> As much as it is when xenconsoled runs in the hardware domain? Especially > >>>> if the hardware domain is also running e.g. PV backends or qemu > >>>> instances? > >>> > >>> It looks like you are thinking of the possible > >>> interference from the Hardware Domain to the Control Domain via > >>> xenconsoled, correct? > >> > >> More like interference with the system as a whole, which simply includes > >> Control. > >> > >>> If that is the case, good thinking. I can see that you have really > >>> understood the essence of the problem we are trying to solve. > >>> > >>> That is not an issue because the Control Domain shouldn't use PV > >>> console. Instead, it should use the console hypercall, or the > >>> PL011/NS16550 emulators in Xen. > >> > >> Well. I think the underlying concept of Control Domain being highly > >> privileged needs more general discussion. As indicated elsewhere, I > >> didn't think disaggregation (whichever way done) would leave any > >> domain with effectively full privilege. I wonder what others think. > > > > Keep in mind that the threat model here is different from the > > datacenter. > > > > But the Control Domain is optional. If the user doesn't want it, the > > user can avoid it. > > > > Even on a fully static system (no VM creation), it is convenient to have > > a domain that can monitor the others and trigger domain reset (we are > > reimplementing domain reboot to be more like a soft reset so that the VM > > doesn't need to be destroyed and recreated). > > Suggesting that in such an environment Control should have no permission > to create domains. This would avoid various threats, including e.g. > massive amounts of dynamic memory allocation. +1 > > As an example, the Control > > Domain could be used to monitor a non-safe domain such as Android, > > detect an Android crash, and trigger an Android reboot. > > Yet at the same time it would have to be prevented from interfering with > any of the critical domains. > > Altogether this doesn't sound like "highest privilege" to me then. You are right. We should be more precise with our wording.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.