From: Anthony PERARD <anthony.perard@citrix.com>
To: Julien Grall <julien@xen.org>
Cc: xen-devel@lists.xenproject.org, Henry.Wang@arm.com,
Julien Grall <jgrall@amazon.com>, Wei Liu <wl@xen.org>,
Juergen Gross <jgross@suse.com>
Subject: Re: [PATCH for-4.18 v2] tools/light: Revoke permissions when a PCI detach for HVM domain
Date: Mon, 18 Sep 2023 11:24:28 +0100 [thread overview]
Message-ID: <846234c5-c82a-4828-96ab-b41fcc308840@perard> (raw)
In-Reply-To: <20230915125204.22719-1-julien@xen.org>
On Fri, Sep 15, 2023 at 01:52:04PM +0100, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
>
> Currently, libxl will grant IOMEM, I/O port and IRQ permissions when
> a PCI is attached (see pci_add_dm_done()) for all domain types. However,
> the permissions are only revoked for non-HVM domain (see do_pci_remove()).
>
> This means that HVM domains will be left with extra permissions. While
> this look bad on the paper, the IRQ permissions should be revoked
> when the Device Model call xc_physdev_unmap_pirq() and such domain
> cannot directly mapped I/O port and IOMEM regions. Instead, this has to
> be done by a Device Model.
>
> The Device Model can only run in dom0 or PV stubdomain (upstream libxl
> doesn't have support for HVM/PVH stubdomain).
>
> For PV/PVH stubdomain, the permission are properly revoked, so there is
> no security concern.
>
> This leaves dom0. There are two cases:
> 1) Privileged: Anyone gaining access to the Device Model would already
> have large control on the host.
> 2) Deprivileged: PCI passthrough require PHYSDEV operations which
> are not accessible when the Device Model is restricted.
>
> So overall, it is believed that the extra permissions cannot be exploited.
>
> Rework the code so the permissions are all removed for HVM domains.
> This needs to happen after the QEMU has detached the device. So
> the revocation is now moved to pci_remove_detached().
>
> Also add a comment on top of the error message when the PIRQ cannot
> be unbind to explain this could be a spurious error as QEMU may have
> already done it.
>
> Signed-off-by: Julien Grall <jgrall@amazon.com>
>
> ---
>
> Changes since v1:
> * Move the code to revoke in pci_remove_detached()
> * Add a comment on top of the PIRQ unbind error path
> * Use goto to deal with errors.
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Thanks,
--
Anthony PERARD
prev parent reply other threads:[~2023-09-18 10:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-15 12:52 [PATCH for-4.18 v2] tools/light: Revoke permissions when a PCI detach for HVM domain Julien Grall
2023-09-16 0:11 ` Henry Wang
2023-09-21 10:03 ` Julien Grall
2023-09-18 10:24 ` Anthony PERARD [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=846234c5-c82a-4828-96ab-b41fcc308840@perard \
--to=anthony.perard@citrix.com \
--cc=Henry.Wang@arm.com \
--cc=jgrall@amazon.com \
--cc=jgross@suse.com \
--cc=julien@xen.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.