 Re: [PATCH] xen/arm: fix SBDF calculation for vPCI MMIO handlers
 
To: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>
From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
Date: Tue, 2 Nov 2021 10:32:03 +0100
Cc: Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 02 Nov 2021 09:32:23 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
 On Tue, Nov 02, 2021 at 09:07:56AM +0000, Oleksandr Andrushchenko wrote:
> 
> 
> On 02.11.21 10:48, Roger Pau Monné wrote:
> > On Mon, Nov 01, 2021 at 06:14:40AM +0000, Oleksandr Andrushchenko wrote:
> >>
> >> On 29.10.21 10:33, Roger Pau Monné wrote:
> >>> On Thu, Oct 28, 2021 at 05:55:25PM +0000, Oleksandr Andrushchenko wrote:
> >>>> On 28.10.21 19:03, Roger Pau Monné wrote:
> >>>>> On Thu, Oct 28, 2021 at 02:23:34PM +0000, Oleksandr Andrushchenko wrote:
> >>>>>> On 28.10.21 16:36, Roger Pau Monné wrote:
> >>>>>>> And for domUs you really need to fix vpci_{read,write} to not
> >>>>>>> passthrough accesses not explicitly handled.
> >>>>>> Do you mean that we need to validate SBDFs there?
> >>>>>> This can be tricky if we have a use-case when a PCI device being
> >>>>>> passed through is not put at 0000:00:0.0, but requested to be, for
> >>>>>> example, 0000:0d:0.0. So, we need to go over the list of virtual
> >>>>>> devices and see if SBDF the guest is trying to access is a valid SBDF.
> >>>>>> Is this what you mean?
> >>>>> No, you need to prevent accesses to registers not explicitly handled
> >>>>> by vpci. Ie: do not forward unhandled accesses to
> >>>>> vpci_{read,write}_hw.
> >>>> I see, so those which have no handlers are not passed to the hardware.
> >>>> I need to see how to do that
> >>> Indeed. Without fixing that passthrough to domUs is completely unsafe,
> >>> as you allow domUs full access to registers not explicitly handled by
> >>> current vPCI code.
> >> Well, my understanding is: we can let the guest access whatever
> >> registers it wants with the following exceptions:
> >> - "special" registers we already trap in vPCI, e.g. command, BARs
> >> - we must not let the guest go out of the configuration space of a
> >> specific PCI device, e.g. prevent it from accessing configuration
> >> spaces of other devices.
> >> The rest accesses seem to be ok to me as we do not really want:
> >> - have handlers and emulate all possible registers
> >> - we do not want the guest to fail if it accesses a valid register which
> >> we do not emulate.
> > IMO that's not good from a security PoV. Xen needs to be sure that
> > every register a guest accesses is not going to cause the system to
> > malfunction, so Xen needs to keep a list of the registers it's safe
> > for a guest to access.
> >
> > For example we should only expose the PCI capabilities that we know
> > are safe for a guest to use, ie: MSI and MSI-X initially. The rest of
> > the capabilities should be blocked from guest access, unless we audit
> > them and declare them safe for a guest to access.
> >
> > As a reference you might want to look at the approach currently used
> > by QEMU in order to do PCI passthrough. A very limited set of PCI
> > capabilities known to be safe for untrusted access are exposed to the
> > guest, and registers need to be explicitly handled or else access is
> > rejected. We need a fairly similar model in vPCI or else none of this
> > will be safe for unprivileged access.
> I do agree with this. But at the moment we only emulate some of them,
> so in the future we will need revisiting the emulation and put many
> more registers under Xen's control
Indeed. That's my main point - there's still a lot of work to do
internally in vPCI in order to be safe for unprivileged guests to
use.
Thanks, Roger.
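
The default-deny model discussed in this thread (registers need an explicit handler, and only the MSI and MSI-X capabilities are exposed), shown as an added example that is not part of the thread and is not Xen or QEMU code. The function names, the header allowlist and the sample config space are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_CAPABILITY_LIST 0x34   /* pointer to the first capability */
#define PCI_CAP_ID_MSI      0x05
#define PCI_CAP_ID_MSIX     0x11
#define DENIED              0xff   /* unhandled reads see all-ones, never hardware */
/* Constructed sample device: PM(0x01) -> MSI -> vendor-specific(0x09) -> MSI-X. */
static const uint8_t sample_hw[256] = {
    [0x04] = 0x06, [0x06] = 0x10, [PCI_CAPABILITY_LIST] = 0x40,
    [0x40] = 0x01, [0x41] = 0x50, [0x50] = PCI_CAP_ID_MSI,  [0x51] = 0x60,
    [0x60] = 0x09, [0x61] = 0x70, [0x70] = PCI_CAP_ID_MSIX, [0x71] = 0x00,
};

/* Capabilities audited as safe for a guest; everything else stays hidden. */
static bool cap_allowed(uint8_t id) { return id == PCI_CAP_ID_MSI || id == PCI_CAP_ID_MSIX; }

/* Follow the hardware chain from ptr to the first allowlisted capability (0 = end). */
static uint8_t next_allowed_cap(const uint8_t *hw, uint8_t ptr)
{
    int ttl = 48;                          /* bound the walk on looping chains */
    for (ptr &= 0xfc; ptr >= 0x40 && ttl-- > 0; ptr = hw[ptr + 1] & 0xfc)
        if (cap_allowed(hw[ptr]))
            return ptr;
    return 0;
}

/* Guest-visible byte read. Assumed header allowlist: IDs/command/status and BARs. */
static uint8_t guest_cfg_read8(const uint8_t *hw, uint8_t reg)
{
    uint8_t next, cap = next_allowed_cap(hw, hw[PCI_CAPABILITY_LIST]);
    if (reg < 0x08 || (reg >= 0x10 && reg < 0x28))
        return hw[reg];                    /* a real handler would emulate these */
    if (reg == PCI_CAPABILITY_LIST)
        return cap;                        /* chain head skips hidden capabilities */
    for (; cap; cap = next) {
        next = next_allowed_cap(hw, hw[cap + 1]);
        if (reg == cap || reg == cap + 1)  /* ID byte, or relinked next pointer */
            return reg == cap ? hw[cap] : next;
    }
    return DENIED;                         /* default deny: no handler, no access */
}

int main(void)
{
    for (unsigned reg = 0x34; reg < 0x72; reg++)
        printf("0x%02x -> 0x%02x\n", reg, guest_cfg_read8(sample_hw, (uint8_t)reg));
    return 0;
}
```

Only the ID and next-pointer bytes of each exposed capability are handled here; the capability bodies (for example MSI message control) would need their own handlers and are denied until they have one.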