Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

  • To: christopher.w.clark@xxxxxxxxx, xen-devel@xxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 18 Aug 2017 17:55:30 -0400
  • Delivery-date: Fri, 18 Aug 2017 21:55:59 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 08/18/2017 05:02 PM, christopher.w.clark@xxxxxxxxx wrote:
From: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>

Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not

More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.

This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.

Using an XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.

For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.

The device use hooks now check whether an IOMMU is:
  * Active and securely isolating:
     -- current criteria for this is that interrupt remapping is ok
  * Active but interrupt remapping is not available
  * Not active

This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.

Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>

Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

One additional note: if this type of permission expansion needs to be
applied to more permissions based on hypervisor settings, it may be
useful to look at other solutions (such as policy booleans) to implement
this logic.  However, most of those solutions are more complicated than
necessary for a single distinction like this, and the simpler ones do
not provide the same ease of verification that this version has.
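
The three-state check listed in the commit message, modelled as an added example (not code from the patch or from this thread): the hook picks one permission from the hypervisor's IOMMU state and the policy either grants it or not. The permission names, policy constants and `struct iommu_state` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical permission bits, one per IOMMU state listed in the
 * commit message. The names are illustrative, not taken from the patch. */
#define PERM_USE_IOMMU            (1u << 0) /* active, interrupt remapping ok */
#define PERM_USE_IOMMU_NOINTREMAP (1u << 1) /* active, no interrupt remapping */
#define PERM_USE_NOIOMMU          (1u << 2) /* not active */

/* Constructed sample policies: what a domain type is granted. */
#define POLICY_STRICT     (PERM_USE_IOMMU)
#define POLICY_PERMISSIVE (PERM_USE_IOMMU | PERM_USE_IOMMU_NOINTREMAP | \
                           PERM_USE_NOIOMMU)

/* Hypervisor state the hook consults (assumed inputs). */
struct iommu_state { bool enabled; bool intremap; };

/* Select the single permission that the current state requires. */
static uint32_t required_perm(struct iommu_state s)
{
    if (!s.enabled)
        return PERM_USE_NOIOMMU; /* intremap is meaningless without an IOMMU */
    return s.intremap ? PERM_USE_IOMMU : PERM_USE_IOMMU_NOINTREMAP;
}

/* Device-use hook model: 0 = allow, -1 = deny. The host keeps running
 * either way; only the device access is refused. */
static int device_use_check(uint32_t policy, struct iommu_state s)
{
    return (policy & required_perm(s)) ? 0 : -1;
}

int main(void)
{
    const struct iommu_state states[] = {
        { true, true }, { true, false }, { false, false }
    };
    for (size_t i = 0; i < sizeof states / sizeof states[0]; i++)
        printf("enabled=%d intremap=%d strict=%s permissive=%s\n",
               states[i].enabled, states[i].intremap,
               device_use_check(POLICY_STRICT, states[i]) ? "deny" : "allow",
               device_use_check(POLICY_PERMISSIVE, states[i]) ? "deny" : "allow");
    return 0;
}
```

Because the state space is three permissions, a policy can be audited by listing which of them each domain type is granted.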
