[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 08/23] xen/arm: dom0less seed xenstore grant table entry

To: Julien Grall <julien@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jason Andryuk <jason.andryuk@xxxxxxx>
Date: Mon, 10 Mar 2025 10:12:27 -0400
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=xen.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=M1Mf68D1nxUB0NHlNKf0e3ivA18nJLQbFdwBqlgWvSs=; b=JFqRzKsIVgMCpNxHqbarqX9PFlF/sMEgULDLR6UHmzAuhT3uqWl3e0pbe5yIB0o4O6fgFgferA893/DC20dnHRX6hsf7e+wqyJcRinKW6s0SWJZC4QrpbVoSoqik/ajZx2yMe+p0edrvzkgj7l4Mcn8N+LufykmpRJg657eUgQqFY5aftukQgEGAwSOuPNtaRb9FCA0VmzRJLtZvgtCDUNAKq3Lydm1WxYEh9sH1dixksWdR1oco/xqqk8KizVEpGqB7OjquWZcfLwOgyDU/VohGtk7LVT6AeOGFmCpEWUWDsgoCsAK/JUdQPaVQYNh6kAxWS/1hn/H2me+wh4QpHw==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=wQ+cYJ7Yo4yTqKP/6HnAy/a2kq7zw2uJD7O1BmTVGzUr90RUoeIewBdrRpqKuDo3tv7rtbLCRMbFCE3jQkjLQNrP6DDQxNoJ7j1ZNdrXXKSmyPBfze1vnzVmp0z9iJxZSY+tk6EhZdvjFw+JoLxOzfn0h56E0n3i9SUA34kwEiSJKtOtVsuJXbf029Z3gUlyd++xFijwGT623ZhQGfG6mfjIlboRAr7Us3gTLh55xb+i/dWBnqk5BnGtedcz/Hc3cTWrf3oJ4ymhTN6ZbPtf224tPJR1nu6pdc2Anf89cEZSNgx9YDIdb2CaVUa+EX1cYIqrYEsmicrX9DjpDU+yoQ==
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, "Volodymyr Babchuk" <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Mon, 10 Mar 2025 14:12:40 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-03-10 05:32, Julien Grall wrote:

Hi Jason,

On 06/03/2025 22:03, Jason Andryuk wrote:

With a split hardware and control domain, the control domain may still
want and xenstore access.  Currently this relies on init-dom0less to
seed the grants.  This is problematic since we don't want hardware
domain to be able to map the control domain's resources.  Instead have
the hypervisor see the grant table entry.  The grant is then accessible
as normal.

This is also useful with a xenstore stubdom to setup the xenbus page
much earlier.

This works with C xenstored.  OCaml xenstored does not use grants and
would fail to foreign map the page.

Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
---
  xen/arch/arm/dom0less-build.c |  9 +++++++++
  xen/common/grant_table.c      | 10 ++++++++++
  xen/include/xen/grant_table.h |  8 ++++++++
  3 files changed, 27 insertions(+)

diff --git a/xen/arch/arm/dom0less-build.c b/xen/arch/arm/dom0less-build.c

index 068bf99294..f1d5bbb097 100644
--- a/xen/arch/arm/dom0less-build.c
+++ b/xen/arch/arm/dom0less-build.c
@@ -21,6 +21,8 @@
  #include <asm/static-memory.h>
  #include <asm/static-shmem.h>
+static domid_t __initdata xs_domid = DOMID_INVALID;
+
  bool __init is_dom0less_mode(void)
  {
      struct bootmodules *mods = &bootinfo.modules;

@@ -753,6 +755,10 @@ static int __init alloc_xenstore_page(structdomain *d)

      interface->connection = XENSTORE_RECONNECT;
      unmap_domain_page(interface);
+    if ( xs_domid != DOMID_INVALID )

Looking at this patch again, is this guarantee that the xenstore domainwill be created first? If not, then I think your series needs to be re-ordered so patch #10 is before this patch.


Yes, you are right.

+        gnttab_seed_entry(d, GNTTAB_RESERVED_XENSTORE, xs_domid,
+                          gfn_x(gfn), GTF_permit_access);
+
      return 0;
  }
@@ -1173,6 +1179,9 @@ void __init create_domUs(void)
          if ( rc )
              panic("Could not set up domain %s (rc = %d)\n",
                    dt_node_name(node), rc);
+
+        if ( d_cfg.flags & XEN_DOMCTL_CDF_xs_domain )
+            xs_domid = d->domain_id;

What if there is multiple domain with XEN_DOMCTL_CDF_xs_domain? Shouldwe throw an error?

Before this series, there was no restriction on its use, but onlyinit-xenstore-domain used it. The XEN_DOMCTL_CDF_xs_domain flag allowsthe domain XSM_XS_PRIV, which grants a few more operations to anotherwise unprivileged domU

With the use of xs_domid (only during construction), maybe it should belimited to just 1 to avoid surprises. Otherwise the last built xenstoredomain would be configured as the backend. Nothing would break - itwould just be surprising. I'll restrict to just 1.


Thanks,
Jason

References:
- [PATCH 00/23] ARM split hardware and control domains
  - From: Jason Andryuk
- [PATCH 08/23] xen/arm: dom0less seed xenstore grant table entry
  - From: Jason Andryuk
- Re: [PATCH 08/23] xen/arm: dom0less seed xenstore grant table entry
  - From: Julien Grall

Prev by Date: Re: [PATCH 06/23] xen/domctl: Expose privileged and hardware capabilities
Next by Date: Re: [PATCH 08/23] xen/arm: dom0less seed xenstore grant table entry
Previous by thread: Re: [PATCH 08/23] xen/arm: dom0less seed xenstore grant table entry
Next by thread: [PATCH 09/23] tools/init-dom0less: Only seed legacy xenstore grants
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.