[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)
- To: Dario Faggioli <dfaggioli@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Mon, 14 Feb 2022 15:25:31 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3YvUr/pK2pqfjGebFFqZNorqgBjA0uiDIOid7t8n1/w=; b=PbGs19KGKqGH6YM/nypFA6DV+o2dwt3qxO5dk5yDdJWF9F6e3YvvOyWgF4gwHQYcVz8AXwXzd5qP5+lGW0gOgKryaEYlGF9OJcB7LJhhXWB++7LKuhybmE0ZGORYUY5+SEO6hEEBah8gtUyle3WZHeNGSoNCQ/5VJZFrhh7DGkDKUQO17QWV/q0VvvI9fiT9Q8FhGXzLzNrEsaREs8hMuzhkKhcFwkfxeFQA2lpQby2AV7+/9yH+ZzUB4Te08hcHT0AewmEfcLWc2Ze8WXkTIYSGxDv/JriVqKNzP2uM+KoMCoRcsjeU50+J/GXUDzFGknms6k4to9PtDi7yQrvKXw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WKWXxLLkMbIxb+SboNm4dqJ+Gdu0ltLaGbwgMqXLbSPT6dIAYyPawNpAfx137q4btuZk7BWu9wplstOilV7Pea8lIZ8mcxxi28q4rlibf0Esec38jAgK4QCf5+2Fd4EkjIu8T5OfN6djOFfzbzd08u01iq6e2N5kgizbdweYIoLi4fIpfsLSh5UyT2EHIo29nMcJdCiYmA1/5HqYwsjYc6SrQ86XcbP/Akd16x42Xm8SVUvnzp+Bm8IgvdMNsuuCciaACgk1oPtOPF2wkcpB5Eicj8wRVwDtJLkah7+Ad/uYHgNlAj4baOSir6QTZZCtBO5QCPhQzO8JhocLLmee1g==
- Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, "marmarek@xxxxxxxxxxxxxxxxxxxxxx" <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, "qemu-devel@xxxxxxxxxx" <qemu-devel@xxxxxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>
- Delivery-date: Mon, 14 Feb 2022 15:25:47 +0000
- Ironport-data: A9a23:uAa4RqjQHGJ6wG8QJWboDVZHX1618xcKZh0ujC45NGQN5FlHY01je htvWmzTPa7ZajSjeN51aoy//UhVvZPVxt9gG1c4/i43RXwb9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oAMKRCQ7InQLlbGILes1htZGEk0GE/NtTo5w7Rj2tQx3YDja++wk YiaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/DaptVBoaHq 9Prl9lVyI97EyAFUbtJmp6jGqEDryW70QKm0hK6UID66vROS7BbPg/W+5PwZG8O4whlkeydx /1BpMCCYj0KH5aXgcYUYyUBGiNFGPZZreqvzXiX6aR/zmXDenrohf5vEFs3LcsT/eMf7WNmr KJCbmpXN1ba2rzwkOnTpupE36zPKOHCOo8Ft24m5jbeFfs8GrjIQrnQ5M8e1zA17ixLNaiFO ZJHNmM2BPjGSx4VCkkoM5x5peKHnlrcKhBU9UyFurVitgA/yyQuieOwYbI5YOeiQMxPm0+Cq 2Hu/mLnAwobPtiS1TqE9H23gubF2yj8Xeo6DbC967tmjUOewkQVDxsZU0b9puO24malQM5WI UEQ/isorIAx+VatQ927WAe3yFaIsBcTVNtXF+wS8xyWx+zf5APxLngJSHtNZcIrsOcyRCc2z RmZktXxHzttvbaJD3WH+d+pQSiaYHZPazVYPGldEFVDs4KLTJwPYgznQsc/IoWPrfzOQijSy gC29SE8vJBIkptev0mkxmzvjzWpr5nPawc64ATLQ26ohj9EiJ6Zi5+AsgaCs6sZRGqNZhzY5 SVfxZDChAwbJczVzESwrPMx8KZFDhpvGBnVmhZREpYo7FxBEFbzLNkLsFmSyKqEW/vomAMFg meO42u9B7cJZRNGiJObhKrrVawXIVDIT4iNaxwtRoMmjmJNXAGG5jpyQkWbwnrglkMh+YlmZ 8vHLpb8UCtCUP89pNZTewv6+eV1rh3SOEuJHcyrp/hZ+eb2iIGppUctbwLVM7FRAFKsqwTJ6 ddPX/ZmOD0EONASlhL/qNZJRXhTdCBTLcmv96R/K77SSiI7STpJI6KAntscl3lNwv09ehHgp SrmBCe1CTPX2BX6FOl9Qi4/Oe2/Bc4l9RrW/0UEZD6V5pTqWq72hI83fJorZ7g3sutlyP9/V f4efMucRP9IT1z6F/41NPERdaRuK0amgxygJS2gbGRtdpJsXVWRqNTlYhHu5G8FCS/u7Zkyp Lip1wX6R5sfRls9UJaKOaz3l17h72IAnO9SXlfTJoUBckvb74U3eTf6ieU6Ip9QJEyblCeaz QufHTwRufLJ/90u6NDMiK3d99WpHuJyE1B0BW7e6brqZyDW8nD6md1LUfqSfCCbX2Txof3wa eJQxvD6EfsGgFcV7NYsT+c1lfozvoK9qaVbwwJoGGTwQ26qUr4wcGOb2cRvt7FWwuMLswWBR U/SqMJRPq+EOZ25HQdJdhYldOmKydodhiLWsaYuOEz/6SJ6oOiHXEFVM0XegSBRNuIoYoYsw ONns88K8Q2vzBEtN4/e3CxT8m2NKF0GUrkm6c5GUNO61FJzxwEQe4HYBw/3/IqLOodFPUQdK zOJgLbP2uZHzU3YfntvTXXA0IKxX3jVVMymGLPaG2m0pw==
- Ironport-hdrordr: A9a23:O+ZyDa0xpz3A67sGfKv5owqjBRZyeYIsimQD101hICG9Lfb2qy n+ppgmPEHP5Qr5AEtQ5OxpOMG7MBbhHQYc2/heAV7QZnibhILOFvAi0WKC+UyuJ8SazIBgPM hbAtFD4bHLfDtHZIPBkXOF+rUbsZm6GcKT9J/jJh5WJGkAAcAB0+46MHfhLqQffngdOXNTLu v52iMznUvHRZ1hVLXdOpBqZZmgm/T70LbdJTIWDR8u7weDyRmy7qThLhSe1hACFxtS3LYL6w H+4k/Ez5Tml8v+5g7X1mfV4ZgTssDm0MF/CMuFjdVQAinwizyveJ9qV9S5zXIISaCUmRMXee v30lAd1vdImjXsl6aO0ELQMjzboXITArnZuAelaDXY0JfErXkBerV8bMpiA2XkAgwbzYxBOe twrhKkX9A8N2KwoA3to9fPTB1kjUyyvD4rlvMSlWVWVc8EZKZWtpF3xjIeLH4sJlOz1GkcKp gkMCgc3ocjTXqKK3TC+mV/yt2lWXo+Wh+AX0gZo8SQlzxbhmpwwUcUzNEW2i5ozuNwd7BUo+ Dfdqh4nrBHScEbKap7GecaWMOyTmjAWwjFPm6eKUnuUKsHJ3XOoZjq56hd3pDmRLUYiJ8p3J jRWlJRsmA/P0roFM2VxZVOtgvARW2sNA6dg/22J6IJzIEUaICbQxFreWpe5PdI+c9vcfEzc8 zDTa5rPw==
- Ironport-sdr: O0K8izYdrO6/lyShJr2nIIkNcH2LDnw1lheTYhGd6dzlY6rPC1Q9joWmCmVGKa/tcuEbVWqArl 4IOcQBoO6aNmRCDmu9S/ghdl/dvw1ik4EMPRcPvfQ1JsRAUXzsSZ7FoFo4fnWubYYmALb6iP5n NBFokdxPD/3+ITocTyfc5iUdYWqH970UU6iN80JmtI1+S6r5Nrpt2iAXZ06VhToBQ9lG2AQMr+ Hm4sHPHr2ei8DOst3xE+r+KCXNYnQPqfuWTU/AGjCFPGM4lA/iaRiaRCZUtcTlDrQ8n45Sf7c/ at1ijfwYqktxY7YW2gBC8YOR
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYIbPxFY5Kj3bRXE6t4z/dbeVrR6yTKssA
- Thread-topic: SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)
On 14/02/2022 15:02, Dario Faggioli wrote:
> Hello,
>
> We have run into an issue when trying to use PCI passthrough for a Xen
> VM running on an host where dom0 kernel is 5.14.21 (but we think it
> could be any kernel > 5.4) and SecureBoot is enabled.
Back up a bit...
Xen doesn't support SecureBoot and there's a massive pile of work to
make it function, let alone work in a way that MSFT aren't liable to
revoke your cert on 0 notice.
>
> The error we get, when (for instance) trying to attach a device to an
> (HVM) VM, on such system is:
>
> # xl pci-attach 2-fv-sles15sp4beta2 0000:58:03.0
> libxl: error: libxl_qmp.c:1838:qmp_ev_parse_error_messages: Domain 12:Failed
> to initialize 12/15, type = 0x1, rc: -1
> libxl: error: libxl_pci.c:1777:device_pci_add_done: Domain
> 12:libxl__device_pci_add failed for PCI device 0:58:3.0 (rc -28)
> libxl: error: libxl_device.c:1420:device_addrm_aocomplete: unable to add
> device
>
> QEMU, is telling us the following:
>
> [00:04.0] xen_pt_msix_init: Error: Can't open /dev/mem: Operation not
> permitted
> [00:04.0] xen_pt_msix_size_init: Error: Internal error: Invalid
> xen_pt_msix_init.
>
> And the kernel reports this:
>
> Jan 27 16:20:53 narvi-sr860v2-bps-sles15sp4b2 kernel: Lockdown:
> qemu-system-i38: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
>
> So, it's related to lockdown. Which AFAIUI it's consistent with the
> fact that the problem only shows up when SecureBoot is enabled, as
> that's implies lockdown. It's also consistent with the fact that we
> don't seem to have any problems doing the same with a 5.3.x dom0
> kernel... As there's no lockdown there!
>
> Some digging revealed that QEMU tries to open /dev/mem in
> xen_pt_msix_init():
>
> fd = open("/dev/mem", O_RDWR);
> ...
> msix->phys_iomem_base =
> mmap(NULL,
> total_entries * PCI_MSIX_ENTRY_SIZE +
> msix->table_offset_adjust,
> PROT_READ,
> MAP_SHARED | MAP_LOCKED,
> fd,
> msix->table_base + table_off - msix->table_offset_adjust);
> close(fd);
Yes. Use of /dev/mem is not permitted in lockdown mode. This wants
reworking into something which is lockdown compatible.
The real elephant in the room is that privcmd is not remotely safe to
use in a SecureBoot environment, because it lets any root userspace
trivially escalate privilege into the dom0 kernel, bypassing the
specific protection that SecureBoot is trying to achieve.
~Andrew
|