[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Jason Andryuk <jason.andryuk@xxxxxxx>
Date: Wed, 11 Jun 2025 00:20:27 -0400
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NNAsJZS8YQmk9IWUY3R/H/m7OaIgYl3mYOwfCK6EU4Y=; b=EOpNFjYACjWSM8WvMr0ALyHfDfgrAZQ4WqTSOLL0A1mVlO7cOEMjTA7FkpSQWQX5rzHh1ssDo5lzmzPNwc6POxkBqkmkIo5uIFcV+R4jIChuB/Kb257uexEHF/ojWs3oa3EMAjDpcIQldHGNeix83Mc64rBECqiH/uLdQ1HaHioD8071O+vmhE8MA2s5JAySx+GG+3AapMYpf89UvP2ZdeMJVBbNgcptChovoF2feWxnQ/oZeuSNN7g5bFtvFlTYez0wAGUpODBwcynvLgQJPNOcWnyokclyvhbb7IFYHdf7wHBe3XKuPv7frmNWoI7eny4Y2R3n6bPdB8++S59P2g==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=bAet4mpyhMv8ZvNaToqj2QQtkgHDPf/5bahJ5TEA/mz4DA7+oYeHmV7ecbomaBnKq8cqCsukWTN/T5tliN0qD4EkqylY78gNMQmCkEXkNgcI3otFEeHO61HEonxDzT6CcWMLIcHj5U5iQeF2I5ec7dFtilSLLmI7Xi1NYW0tfaMwlKvoBKKLVTLEI5PWTcuenaEQsMRhShawEA9/erqgPWhwyTxZuxiD+LU3AN0VhWG9ZhbWckauBsDd+kUsdrmzFstEqH3b5WGAxZ4sptpYeze4wOWEzBtcPXy823No5yAmFJBxAVKKSh6l4R06bdtUvRBXrmWrNfn8bU3s+Hk5VQ==
Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 11 Jun 2025 16:59:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-06-11 09:17, Jan Beulich wrote:

On 11.06.2025 00:57, Jason Andryuk wrote:

In a disaggregated environment, dom0 is split into Control, Hardware,
and Xenstore domains, along with domUs.  The is_control_domain() check
is not sufficient to handle all these cases.  Add is_priv_domain() to
support allowing for the various domains.

The purpose of SILO mode is to prevent domUs from interacting with each
other.  But dom0 was allowed to communicate with domUs to provide
services.  As the disaggregation of dom0, Control, Hardware and Xenstore
are all service domains that need to communicate with other domains.

To provide xenstore connections, the Xenstore domain must be allowed to
connect via grants and event channels.  Xenstore domain must also be
allowed to connect to Control and Hardware to provide xenstore to them.


Are you suggesting that SILO at present is incompatible with a Xenstore
domain? silo_mode_dom_check() in its original form has no special
precautions, after all.

Yes, it is incompatible with the current silo_mode_dom_check(). OnlyControl domain is allowed to use grants and event channels with a domU.A Xenstore domain would be denied.

Xenstore stubdom only exists for x86 today. My limited attempts to runxenstored in an dedicated Xenstore ARM Linux domain have failed.

Hardware domain will provide PV devices to domains, so it must be
allowed to connect to domains.


As a built-in policy, isn't this already going too far? There could
conceivably be configurations with only pass-through devices in use, in
which case neither grants nor the event channels operations intercepted
by SILO would be required.

Such a domain wouldn't have any PV devices configured? I don't thinkthis changes anything compared to today.

Both sides need to be configured and opt-in. Hardware is a systemdomain, so it should be possible to allow grants and event channels.But they won't be used unless configured.

That leaves Control.  Xenstore and Hardware would already allow access
to Control, so it can obtain services that way.  Control should be
"privileged", which would mean it can make the connections.  But with
Xenstore and Hardware providing their services to domUs, there may not
be a reason to allow Control to use grants or event channels with domUs.
Still, Control is privileged, so it should be allowed to do something if
it chooses.  Establishing a grant, or event channel requires action on
both sides, so allow for the possibility.  This does open up an argo
wildcard ring from domUs, FWIW.


Along the lines of my reply to patch 1, I think Hardware and Control
need to have a pretty strong boundary between them. It's hard to see,
for example, whether grant map/copy/transfer would indeed make sense
between the two.


The Hardware domain might provide a PV device to Control?

I've tested removing control:
static bool is_priv_domain(const struct domain *d)
{
    return is_xenstore_domain(d) || is_hardware_domain(d);
}

And that works in my limited ARM dom0less testing. The toolstack isn'treally exercised in that case. It seems strange that the privilegedcontrol domain is *not* allowed though.

Similarly I'm not convinced a strong boundary isn't also needed
between Xenstore and Hardware.

If hardware is providing PV devices to domains, it will need access toXenstore. I don't see how you can get around it.

I tried to explain this in the first paragraph. SILO's purpose was toisolate domUs from each other, but allow it to access dom0. dom0embodies the control, hardware, and xenstore capabilities. So as afirst approximation, each of Control, Hardware, and Xenstore should beallowed to communicate with domUs.


domUs needs to communicate with Xenstore and Hardware for PV devices.

Xenstore provides Xenstore access to Hardware.

Control would want Xenstore access.

I don't know if this helps, but here's a table:

    | CTL | HW  | XS  | domU
----------------------------
CTL |     |  ?  |  y  |  ?
HW  |  ?  |     |  y  |  y
XS  |  y  |  y  |     |  y
domU|  ?  |  y  |  y  |  x

Control and Hardware would be y if we allow PV devices

Control and domUs - I don't have an immediate rational for them. Exceptthat Control is privileged. I've been running xenconsoled in Hardware.If xenconsoled is in Control, then access would be required.

--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -20,6 +20,12 @@
  #define XSM_NO_WRAPPERS
  #include <xsm/dummy.h>

+static bool is_priv_domain(const struct domain *d)

+{
+    return is_xenstore_domain(d) || is_hardware_domain(d) ||
+           is_control_domain(d);
+}


This construct expands to two evaluate_nospec(), which likely isn't
wanted. Some open-coding may be pretty much unavoidable here.


Thanks, yes, good point.

(I'm
surprised it's not three, i.e. I find it odd that is_xenstore_domain()
doesn't also use that guard.)

It looks okay to me. There were only 2 uses until I added a 3rd in thedom0less code. The XSM check has evaluate_nospec() and the other 2 usesaren't security critical - Setting a domain info flag, and __init codefor dom0less. Maybe moving the evaluate_nospec() would be safer in caseuse grows in the future, but it looks okay to me today.


Regards,
Jason

Follow-Ups:
- Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains
  - From: Jan Beulich

References:
- [PATCH 0/4] XSM changes for split hardware / control domain
  - From: Jason Andryuk
- [PATCH 2/4] xsm/silo: Support hwdom/control domains
  - From: Jason Andryuk
- Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains
  - From: Jan Beulich

Prev by Date: Re: [PATCH v5 04/18] xen/cpufreq: introduce new sub-hypercall to propagate CPPC data
Next by Date: Re: [PATCH 3/4] xen: Add DOMAIN_CAPS_DEVICE_MODEL & XEN_DOMCTL_CDF_device_model
Previous by thread: Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains
Next by thread: Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.