[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 4 Apr 2022 17:17:52 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8Fjw+RuvsKwN1Lk+kT7VLLfY7fyuKPfG8qTanS8TrOM=; b=enZzrNUyyR8tChQ+HOGJ9Y0jsAlcPKSJ0/vly+cp6ZGJ2kGEVKRGlpG9cj/h89o4c//EhFnqT3pYDdDSV6pRgkv/XuR1WQRf+dfBlrEUIfMPCl9EAiiWZg3i8CW0578wzpsAKIreV7lZJrlUqtDYIF0E4wdsJitf3Oi+AKeI8nrLrQtQkJcDVa/XSFyyI5dI1ygiOunCSgVs3GLjiWPcOpwp6pfTju7bUQYzvv7Hk+zJX0906tUgETV1Mnl7ADMXNhvh+fkXvxO6tbKdRAyEQz1Lx3vOkwhKSLtotZFvIKCZOC64IQi8gLqPCwtYmFysjIThzi4/dWBm/Z4j98w82A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YTha2m2IHaDFTrHORvKMZ57EHrnAFAxUopKGfCKJZUCQkCquIgUUcu8xNUQgTu3j2HY9uI1xmdHC7ca88G+Kan63yS47HM7z9BTwq72LTWCAYOhBiZuwbITWpoKoI9+C3yT++Pgqr6vXGIFZlSMU5x0VrW9nIya6QeGozyvcz1ZY3IKfIBqcr/XC+L6zTwzxxGa74tk/2zbdYzso7DIFMhvh8+rn6bUj85Gg2hbxELPhIjD6tG2tcHvQtby+PB6Nm/FBkvAlzdQuS8g/5/Rt1mtc/tEBSqhyjn96qgbWXb5hizFtOpeYTX7VvMDN1y+ii6pJ6W2lraQMIIxn26tuaA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Delivery-date: Mon, 04 Apr 2022 15:18:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 04.04.2022 17:12, Roger Pau Monné wrote:
> On Mon, Apr 04, 2022 at 10:21:18AM -0400, Daniel P. Smith wrote:
>> On 3/31/22 08:36, Roger Pau Monné wrote:
>>> On Wed, Mar 30, 2022 at 07:05:48PM -0400, Daniel P. Smith wrote:
>>>> There are now instances where internal hypervisor logic needs to make 
>>>> resource
>>>> allocation calls that are protected by XSM checks. The internal hypervisor 
>>>> logic
>>>> is represented a number of system domains which by designed are 
>>>> represented by
>>>> non-privileged struct domain instances. To enable these logic blocks to
>>>> function correctly but in a controlled manner, this commit introduces a 
>>>> pair
>>>> of privilege escalation and demotion functions that will make a system 
>>>> domain
>>>> privileged and then remove that privilege.
>>>>
>>>> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
>>>> ---
>>>>  xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++
>>>
>>> I'm not sure this needs to be in xsm code, AFAICT it could live in a
>>> more generic file.
>>
>> From my perspective this is access control logic, thus why I advocate
>> for it to be under XSM. A personal goal is to try to get all security,
>> i.e. access control, centralized to the extent that it doing so does not
>> make the code base unnecessarily complicated.
> 
> Maybe others have a different opinion, but IMO setting is_privileged
> is not XSM specific. It happens to solve an XSM issue, but that's no
> reason to place it in the xsm code base.

To be honest I can see justification for either placement.

>>>>  1 file changed, 22 insertions(+)
>>>>
>>>> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
>>>> index e22d6160b5..157e57151e 100644
>>>> --- a/xen/include/xsm/xsm.h
>>>> +++ b/xen/include/xsm/xsm.h
>>>> @@ -189,6 +189,28 @@ struct xsm_operations {
>>>>  #endif
>>>>  };
>>>>  
>>>> +static always_inline int xsm_elevate_priv(struct domain *d)
>>>
>>> I don't think it needs to be always_inline, using just inline would be
>>> fine IMO.
>>>
>>> Also this needs to be __init.
>>
>> AIUI always_inline is likely the best way to preserve the speculation
>> safety brought in by the call to is_system_domain().
> 
> There's nothing related to speculation safety in is_system_domain()
> AFAICT. It's just a plain check against d->domain_id. It's my
> understanding there's no need for any speculation barrier there
> because d->domain_id is not an external input.

Whether is_system_domain() wants hardening really depends on where
it's used. It doesn't matter as much what specific check an is_...()
function performs, but what code paths it sits on where taking the
wrong branch of a conditional could reveal data which shouldn't be
visible.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.