[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] hvm/altp2m: Clarify the proper way to extend the altp2m interface
Forgot to CC BitDefender On 07/10/2018 10:33 AM, George Dunlap wrote: > The altp2m functionality was originally envisioned to be used in > several different configurations, one of which was a single in-guest > agent that had full operational control of altp2m. This required the > single hypercall to be an HVMOP, which is the only type of hypercall > an HVM guest is allowed to make. > > Exposing the altp2m functionality to the guest was controversial at > the time, but was ultimately accepted. The fact that altp2m is an > HVMOP rather than a DOMCTL has caused some problems, however, for > those moving forward trying to extend the interface: Extending the > interface even for the 'external' use case now means extending an > HVMOP, which implicitly extends the surface of attack for the > 'internal' use case as well. The result has been that every addition > to this interface has also been controversial. > > Settle the controversy once and for all by documenting 1) the purpose > of the altp2m interface, and 2) how to extend it. In particular: > > * Specify that the fully in-guest agent is a target use case > > * Specify that all extensions to altp2m functionality should be subops > of the HVMOP hypercall > > * Specify that new subops should be disabled in ALTP2M_mixed mode by > default, unless specifically evaluated as being useful for the > 'internal' use case. > > Hopefully this will allow the altp2m interface to be developed further > without unnecessary controversy. > > Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> > --- > CC: Ian Jackson <ian.jackson@xxxxxxxxxx> > CC: Wei Liu <wei.liu2@xxxxxxxxxx> > CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > CC: Jan Beulich <jbeulich@xxxxxxxx> > CC: Tim Deegan <tim@xxxxxxx> > CC: Konrad Wilk <konrad.wilk@xxxxxxxxxx> > CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> > CC: Julien Grall <julien.grall@xxxxxxx> > CC: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx> > CC: Lars Kurth <lars.kurth@xxxxxxxxxx> > > As far as I can tell there are three possible solutions to this > controversy: > > A. Remove the 'internal' functionality as a target by converting the > current HVMOP into a DOMCTL. > > B. Have two hypercalls -- an HVMOP which contains functionality > expected to be used by the 'internal' agent, and a DOMCTL for > functionality which is expected to be used only be the 'internal' > agent. > > C. Agree to add all new subops to the current hypercall (HVMOP), even > if we're not sure if they should be exposed to the guest. > > I think A is a terrible idea. Having a single in-guest agent is a > reasonable design choice, and apparently it was even implemented at > some point; we should make it straightforward for someone in the > future to pick up the work if they want to. > > I think B is also a terrible idea. The people extending it at the > moment are primarily concerned with the 'external' use case. There is > nobody around to represent whether new functionality should end up in > the HVMOP or the DOMCTL, which means that by default it will end up in > the DOMCTL. If it is discovered, afterwards, that the new operations > *would* be safe and useful for the 'internal' use case, then we will > have to duplicate them inside the HVMOP. > > It just makes more sense to have all the altp2m operations in a single > place, and a simple way to control whether they're available to the > 'internal' use case or not. As such, I am proposing 'C'. I know Jan > considers this "badness", and objects to the continual "extension" of > the "badness", but I disagree, and I strongly object to the other two > options. > > Disabling new subops for the 'internal' use case by default means that > we can add new subops without worrying about making the 'internal' use > case less secure; but if in the future someone makes the case that > they are safe and necessary, we can enable them without having code > duplication. > > In any case need to come to an agreement once and for all so that > Tamas and Razvan can do their work without continual arguments over a > mode they're not using. > --- > xen/arch/x86/hvm/hvm.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c > index e022f5ab0e..90a4be5e86 100644 > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -4460,6 +4460,34 @@ static int hvmop_get_param( > return rc; > } > > +/* > + * altp2m operations are envisioned as being used in several different > + * modes: > + * > + * - external: All control and decisions are made by an external agent > + * running domain 0. > + * > + * - internal: altp2m operations are used exclusively by an in-guest agent > + * to protect itself from the guest kernel and in-guest attackers. > + * > + * - coordinated: An in-guest agent handles #VE and VMFUNCs locally, > + * but makes requests of an external entity for bigger changes (such > + * as modifying altp2m entires). > + * > + * This corresponds to the three values for HVM_PARAM_ALTP2M > + * (external, mixed, limited). All three models have advantages and > + * disadvantages. > + * > + * Normally hypercalls made by a program in domain 0 in order to > + * control a guest would be DOMCTLs rather than HVMOPs. But in order > + * to properly enable the 'internal' use case, as well as to avoid > + * fragmentation, all altp2m subops should come under this single > + * HVMOP. > + * > + * New subops which may not be suitable for the 'internal' use case > + * should be disabled in the "XEN_ALTP2M_mixed" case in > + * xsm_hvm_altp2mhvm_op(). > + */ > static int do_altp2m_op( > XEN_GUEST_HANDLE_PARAM(void) arg) > { > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |