[xen master] tools/libxl: report trusted backend status to frontends
commit 54d8f27d0477937e1f99a414fc1ffd93d184b38a
Author: Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Fri Apr 8 10:21:11 2022 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jul 5 14:16:26 2022 +0200

tools/libxl: report trusted backend status to frontends

Allow administrators to notify a frontend driver that it's backend counterpart is not to be trusted, so the frontend can deploy whatever mitigations required in order to secure itself. Allow such option for disk and network frontends only, as those are the only hardened ones currently supported. This is part of XSA-403

Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---
 docs/man/xl-disk-configuration.5.pod.in | 29 +++++++++++++++++++++++++++++
 docs/man/xl-network-configuration.5.pod.in | 9 +++++++++
 tools/include/libxl.h | 8 ++++++++
 tools/libs/light/libxl_disk.c | 3 +++
 tools/libs/light/libxl_nic.c | 5 +++++
 tools/libs/light/libxl_types.idl | 6 ++++--
 tools/libs/util/libxlu_disk_l.l | 3 +++
 tools/xl/check-xl-disk-parse | 26 ++++++++++++++++++++++++++
 tools/xl/check-xl-vif-parse | 18 ++++++++++++++++++
 tools/xl/xl_parse.c | 4 ++++
 xen/include/public/io/blkif.h | 8 ++++++++
 xen/include/public/io/netif.h | 6 ++++++
 12 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/docs/man/xl-disk-configuration.5.pod.in b/docs/man/xl-disk-configuration.5.pod.in
index 71d0e86e3d..95d039655a 100644
--- a/docs/man/xl-disk-configuration.5.pod.in
+++ b/docs/man/xl-disk-configuration.5.pod.in
@@ -344,6 +344,35 @@ can be used to disable "hole punching" for file based backends which were intentionally created non-sparse to avoid fragmentation of the file. +=item B<trusted> / B<untrusted> + +=over 4 + +=item Description + +Reports whether the backend should be trusted by the frontend + +=item Supported values + +trusted, untrusted + +=item Mandatory + +No + +=item Default value + +trusted + +=back + +An advisory setting for the frontend driver on whether the backend should be +trusted. The frontend should deploy whatever protections it has available to +prevent an untrusted backend from accessing guest data not related to the I/O +processing or causing malfunction to the frontend or the whole domain. + +Note frontends can ignore such recommendation. + =back diff --git a/docs/man/xl-network-configuration.5.pod.in b/docs/man/xl-network-configuration.5.pod.in index cf92d7960c..f3e379bcf8 100644 --- a/docs/man/xl-network-configuration.5.pod.in +++ b/docs/man/xl-network-configuration.5.pod.in @@ -258,3 +258,12 @@ NOTE: This should not be set unless you have a reason to. Specifies the MTU (i.e. the maximum size of an IP payload, exclusing headers). The default value is 1500 but, if the VIF is attached to a bridge, it will be set to match unless overridden by this parameter. + +=head2 trusted / untrusted + +An advisory setting for the frontend driver on whether the backend should be +trusted. The frontend should deploy whatever protections it has available to +prevent an untrusted backend from accessing guest data not related to the I/O +processing or causing malfunction to the frontend or the whole domain. + +Note frontends can ignore such recommendation. diff --git a/tools/include/libxl.h b/tools/include/libxl.h index 7ce978e83c..835dfabc50 100644 --- a/tools/include/libxl.h +++ b/tools/include/libxl.h 
@@ -527,6 +527,14 @@
 */
 #define LIBXL_HAVE_MAX_GRANT_VERSION 1
 
+/*
+ * LIBXL_HAVE_{DISK,NIC}_TRUSTED indicates that the libxl_device_disk and
+ * libxl_device_nic structs have a field to signal whether the backend of the
+ * device is to be trusted. Such information is propagated to the frontend.
+ */
+#define LIBXL_HAVE_DISK_TRUSTED 1
+#define LIBXL_HAVE_NIC_TRUSTED 1
+
 /*
 * libxl ABI compatibility
 *
diff --git a/tools/libs/light/libxl_disk.c b/tools/libs/light/libxl_disk.c
index a5ca77850f..9da2b2ed27 100644
--- a/tools/libs/light/libxl_disk.c
+++ b/tools/libs/light/libxl_disk.c
@@ -159,6 +159,7 @@ static int libxl__device_disk_setdefault(libxl__gc *gc, uint32_t domid,
 libxl_defbool_setdefault(&disk->discard_enable, !!disk->readwrite);
 libxl_defbool_setdefault(&disk->colo_enable, false);
 libxl_defbool_setdefault(&disk->colo_restore_enable, false);
+ libxl_defbool_setdefault(&disk->trusted, true);
 
 rc = libxl__resolve_domid(gc, disk->backend_domname, &disk->backend_domid);
 if (rc < 0) return rc;
@@ -395,6 +396,8 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
 flexarray_append(front, GCSPRINTF("%d", device->devid));
 flexarray_append(front, "device-type");
 flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(disk->trusted) ? "1" : "0");
 
 /*
 * Old PV kernel disk frontends before 2.6.26 rely on tool stack to
diff --git a/tools/libs/light/libxl_nic.c b/tools/libs/light/libxl_nic.c
index 0b9e70c9d1..d6bf06fc34 100644
--- a/tools/libs/light/libxl_nic.c
+++ b/tools/libs/light/libxl_nic.c
@@ -116,6 +116,8 @@ static int libxl__device_nic_setdefault(libxl__gc *gc, uint32_t domid,
 abort();
 }
 
+ libxl_defbool_setdefault(&nic->trusted, true);
+
 return rc;
 }
 
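Review bot: The new `flexarray_append(front, "trusted")` pair in device_disk_add deserves a comment saying why the node goes into the frontend directory rather than next to the backend nodes, because that placement is what makes the flag worth anything: as far as I can tell from libxl's usual permission setup the frontend path is owned by the guest and only readable by the backend domain, so a compromised backend cannot rewrite the value to "1" — please confirm against the permissions device_disk_add applies further down. Something like `/* Frontend-owned node: the backend must only be able to read it, or an untrusted backend could mark itself trusted. */` above the two appends would keep a later cleanup from moving them into `back`; the parallel lines in libxl_nic.c would benefit from the same note. device_disk_add starts and ends outside the hunk.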
@@ -255,6 +257,9 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
 flexarray_append(back, "hotplug-status");
 flexarray_append(back, "");
 
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(nic->trusted) ? "1" : "0");
+
 return 0;
 }
 
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index 2a42da2f7d..89962218b4 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -712,7 +712,8 @@ libxl_device_disk = Struct("device_disk", [
 ("colo_port", integer),
 ("colo_export", string),
 ("active_disk", string),
- ("hidden_disk", string)
+ ("hidden_disk", string),
+ ("trusted", libxl_defbool),
 ])
 
 libxl_device_nic = Struct("device_nic", [
@@ -780,7 +781,8 @@ libxl_device_nic = Struct("device_nic", [
 ("colo_filter_sec_redirector1_outdev", string),
 ("colo_filter_sec_rewriter0_queue", string),
 ("colo_checkpoint_host", string),
- ("colo_checkpoint_port", string)
+ ("colo_checkpoint_port", string),
+ ("trusted", libxl_defbool),
 ])
 
 libxl_device_pci = Struct("device_pci", [
diff --git a/tools/libs/util/libxlu_disk_l.l b/tools/libs/util/libxlu_disk_l.l
index 3bd639aab0..e115460d99 100644
--- a/tools/libs/util/libxlu_disk_l.l
+++ b/tools/libs/util/libxlu_disk_l.l
@@ -208,6 +208,9 @@ colo-export=[^,]*,? { STRIP(','); SAVESTRING("colo-export", colo_export, FROMEQU
 active-disk=[^,]*,? { STRIP(','); SAVESTRING("active-disk", active_disk, FROMEQUALS); }
 hidden-disk=[^,]*,? { STRIP(','); SAVESTRING("hidden-disk", hidden_disk, FROMEQUALS); }
 
+trusted,? { libxl_defbool_set(&DPC->disk->trusted, true); }
+untrusted,? { libxl_defbool_set(&DPC->disk->trusted, false); }
+
 /* the target magic parameter, eats the rest of the string */
 target=.* { STRIP(','); SAVESTRING("target", pdev_path, FROMEQUALS); }
 
diff --git a/tools/xl/check-xl-disk-parse b/tools/xl/check-xl-disk-parse
index 643f4f4ecb..18fb66940a 100755
--- a/tools/xl/check-xl-disk-parse
+++ b/tools/xl/check-xl-disk-parse
@@ -178,4 +178,30 @@ disk: {
 END
 one 0 cdrom no-discard vdev=hda target=/some/disk/image.iso
 
+# test setting trusted
+expected <<END
+disk: {
+ "pdev_path": "/some/disk/image.raw",
+ "vdev": "hda",
+ "format": "raw",
+ "readwrite": 1,
+ "trusted": "True"
+}
+
+END
+one 0 trusted vdev=hda target=/some/disk/image.raw
+
+# test setting untrusted
+expected <<END
+disk: {
+ "pdev_path": "/some/disk/image.raw",
+ "vdev": "hda",
+ "format": "raw",
+ "readwrite": 1,
+ "trusted": "False"
+}
+
+END
+one 0 untrusted vdev=hda target=/some/disk/image.raw
+
 complete
diff --git a/tools/xl/check-xl-vif-parse b/tools/xl/check-xl-vif-parse
index 04bd9463d8..d666408d4d 100755
--- a/tools/xl/check-xl-vif-parse
+++ b/tools/xl/check-xl-vif-parse
@@ -160,4 +160,22 @@ one $e rate=4296MB/s@4294s
 expected </dev/null
 one $e rate=@
 
+# test trusted setting
+expected <<END
+vif: {
+ "trusted": "True"
+}
+
+END
+one 0 trusted
+
+# test untrusted setting
+expected <<END
+vif: {
+ "trusted": "False"
+}
+
+END
+one 0 untrusted
+
 complete
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index b98c0de378..644ab8f8fd 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -565,6 +565,10 @@ int parse_nic_config(libxl_device_nic *nic, XLU_Config **config, char *token)
 nic->devid = parse_ulong(oparg);
 } else if (MATCH_OPTION("mtu", token, oparg)) {
 nic->mtu = parse_ulong(oparg);
+ } else if (!strcmp("trusted", token)) {
+ libxl_defbool_set(&nic->trusted, true);
+ } else if (!strcmp("untrusted", token)) {
+ libxl_defbool_set(&nic->trusted, false);
 } else {
 fprintf(stderr, "unrecognized argument `%s'\n", token);
 return 1;
diff --git a/xen/include/public/io/blkif.h b/xen/include/public/io/blkif.h
index 4cdba79aba..ab863f175a 100644
--- a/xen/include/public/io/blkif.h
+++ b/xen/include/public/io/blkif.h
@@ -363,6 +363,14 @@ * that the frontend requires that the logical block size is 512 as it * is hardcoded (which is the case in some frontend implementations). * + * trusted + * Values: 0/1 (boolean) + * Default value: 1 + * + * A value of "0" indicates that the frontend should not trust the + * backend, and should deploy whatever measures available to protect from + * a malicious backend on the other end. + * *------------------------- Virtual Device Properties ------------------------- * * device-type diff --git a/xen/include/public/io/netif.h b/xen/include/public/io/netif.h index 00dd258712..3509b096f8 100644 --- a/xen/include/public/io/netif.h +++ b/xen/include/public/io/netif.h @@ -160,6 +160,12 @@ * be applied if it is set. */ +/* + * The setting of "trusted" node to "0" in the frontend path signals that the + * frontend should not trust the backend, and should deploy whatever measures + * available to protect from a malicious backend on the other end. + */ + /* * Control ring * ============ -- generated by git-patchbot for /home/xen/git/xen.git#master
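Review bot: The blkif.h entry for `trusted` does not say which xenstore directory the node lives in or who writes it, whereas the netif.h hunk on the same line states "in the frontend path"; since the flag is only meaningful if the backend cannot write it, the blkif.h text should say the same. It should also spell out what an absent node means for a frontend running under an older toolstack — "Default value: 1" implies absent equals trusted, but saying so explicitly stops a frontend from treating absence as untrusted or, worse, as a parse error. Suggested addition to the description lines: ` *      Written by the toolstack in the frontend directory; the backend has no write access to it. A missing node is to be treated as "1".` I am inferring the directory from the libxl side of this commit (the node is appended to the frontend array) and from the netif.h wording, so confirm it before committing the sentence.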