[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v3 2/5] xen: make evtchn_alloc_unbound public
Hi Daniel, On 25/03/2022 15:45, Daniel P. Smith wrote: The existing XSM check in evtchn_alloc_unbound cannot work and should not work: it is based on the current domain having enough privileges to create the event channel. In this case, we have no current domain at all. The current domain is Xen itself.And DOM_XEN cannot be given the appropriate permission, perhaps explicitly when using a real policy and by default in dummy and SILO modes?The issue is that the check is based on "current", not one of the domains passed as an argument to evtchn_alloc_unbound. Otherwise, passing DOMID_XEN would be straightforward. We would need to use a hack (like Daniel wrote in the other email) to set the idle_domain temporarily as a privileged domain only for the sake of passing an irrelevant (irrelevant as in "not relevant to this case") XSM check. That cannot be an improvement. Also, setting current to a "fake" domain is not great either.My suggestion was not to intended to be simply a hack but looking at the larger issue instead of simply doing a targeted fix for this one instnace. While I cannot give an example right off hand, the reality is, at least for hyperlaunch, that we cannot say for certain there will not be further resource allocations that is protected by the security framework and will require preliminary handling by the construction logic in the hypervisor. The low-complexity approach is to address each one in a case-by-case fashion using direct calls that go around the security framework. A more security conscience, and higher complexity, approach would be to consider a least-privilege approach and look at introducing the ability to do controlled switching of contexts, i.e. moving `current` from DOMID_IDLE to DOMID_CONSTRUCT, to one that is granted only the necessary privileges to do the resource allocations in which it is limited. This is also not the first time this issue has come up, I don't recall the exact thread but several months ago someone ran into the issue they need to make a call to a resource function and was blocked by XSM because DOMID_IDLE has no privileges. This was in the context of Live-Updating Xen. We are trying to re-use as much as possible the code used by the hypercalls. Those functions may contain xsm check that would fail because current would be an idle vCPU. For the full context: https://lore.kernel.org/xen-devel/bfd645cf42ef7786183be15c222ad04beed362c0.camel@xxxxxxx/ The reality is that the idea of monolithic high-privileged entities is being dropped in favor of least-privilege, and where possible hardware enforced, constraint. This can be seen with Intel de-privileging SMM and running SMI handlers in constrained ring 3. Arm is gaining capability pointers, CHERI, that will enable the possibility for constrained, least-privileged kernel subsystems. Would it not be advantageous for Xen to start moving in such a direction that would enable it to provide a new level of safety and security for consumers of Xen? Coming back to the short-term, I would advocate for introducing the concept and abstraction of constrained context switching through a set of function calls, which would likely be under XSM to allow policy enforcement. Likely the introductory implementation would just mask the fact that it is just setting `is_privileged` for DOMID_IDLE. Future evolution of the capability could see the introduction of new "contexts", whether they are represented by a domain could be determined then, and the ability to do controlled switching based on policy. +1 with this idea. Cheers, -- Julien Grall
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |