From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA0C2C43603 for ; Wed, 11 Dec 2019 15:49:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8E82C2073D for ; Wed, 11 Dec 2019 15:49:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388637AbfLKPtS (ORCPT ); Wed, 11 Dec 2019 10:49:18 -0500 Received: from mx2.suse.de ([195.135.220.15]:51652 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2388678AbfLKPtO (ORCPT ); Wed, 11 Dec 2019 10:49:14 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 3E48CAFA9; Wed, 11 Dec 2019 15:49:12 +0000 (UTC) Subject: Re: [PATCH v1] xen-pciback: optionally allow interrupt enable flag writes To: =?UTF-8?Q?Marek_Marczykowski-G=c3=b3recki?= Cc: xen-devel@lists.xenproject.org, Ross Lagerwall , YueHaibing , Simon Gaiser , Stefano Stabellini , Boris Ostrovsky , Juergen Gross , open list References: <20191203054222.7966-1-marmarek@invisiblethingslab.com> From: Jan Beulich Message-ID: <17bf38dc-a606-bb92-50a8-9bd8f269acc2@suse.com> Date: Wed, 11 Dec 2019 16:49:29 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 MIME-Version: 1.0 In-Reply-To: <20191203054222.7966-1-marmarek@invisiblethingslab.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03.12.2019 06:41, Marek Marczykowski-Górecki wrote: > QEMU running in a stubdom needs to be able to set INTX_DISABLE, and the > MSI(-X) enable flags in the PCI config space. This adds an attribute > 'allow_interrupt_control' which when set for a PCI device allows writes > to this flag(s). The toolstack will need to set this for stubdoms. > When enabled, guest (stubdomain) will be allowed to set relevant enable > flags, but only one at a time - i.e. it refuses to enable more than one > of INTx, MSI, MSI-X at a time. > > This functionality is needed only for config space access done by device > model (stubdomain) serving a HVM with the actual PCI device. It is not > necessary and unsafe to enable direct access to those bits for PV domain > with the device attached. For PV domains, there are separate protocol > messages (XEN_PCI_OP_{enable,disable}_{msi,msix}) for this purpose. > Those ops in addition to setting enable bits, also configure MSI(-X) in > dom0 kernel - which is undesirable for PCI passthrough to HVM guests. > > This should not introduce any new security issues since a malicious > guest (or stubdom) can already generate MSIs through other ways, see > [1] page 8. True, albeit this doesn't cover INTX_DISABLE. > Additionally, when qemu runs in dom0, it already have direct > access to those bits. True again, but any bug here (as in: too wide exposure) is a qemu bug (possibly security issue). The statement also isn't really correct for de-privileged qemu, I think (but I also think PCI pass-through doesn't work in that mode at all yet). On the whole this looks to be an acceptable approach to me. But I'm not the maintainer, so my opinion may not count much. Some issues with the implementation itself were already pointed out. Jan From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DFDCC43603 for ; Wed, 11 Dec 2019 15:49:55 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 19E49208C3 for ; Wed, 11 Dec 2019 15:49:55 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 19E49208C3 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1if4Eu-0003oq-S6; Wed, 11 Dec 2019 15:49:24 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1if4Es-0003ol-Sd for xen-devel@lists.xenproject.org; Wed, 11 Dec 2019 15:49:22 +0000 X-Inumbo-ID: c711aa1a-1c2d-11ea-b6f1-bc764e2007e4 Received: from mx1.suse.de (unknown [195.135.220.15]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id c711aa1a-1c2d-11ea-b6f1-bc764e2007e4; Wed, 11 Dec 2019 15:49:13 +0000 (UTC) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 3E48CAFA9; Wed, 11 Dec 2019 15:49:12 +0000 (UTC) To: =?UTF-8?Q?Marek_Marczykowski-G=c3=b3recki?= References: <20191203054222.7966-1-marmarek@invisiblethingslab.com> From: Jan Beulich Message-ID: <17bf38dc-a606-bb92-50a8-9bd8f269acc2@suse.com> Date: Wed, 11 Dec 2019 16:49:29 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 MIME-Version: 1.0 In-Reply-To: <20191203054222.7966-1-marmarek@invisiblethingslab.com> Content-Language: en-US Subject: Re: [Xen-devel] [PATCH v1] xen-pciback: optionally allow interrupt enable flag writes X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Stefano Stabellini , YueHaibing , open list , Simon Gaiser , Ross Lagerwall , xen-devel@lists.xenproject.org, Boris Ostrovsky Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" T24gMDMuMTIuMjAxOSAwNjo0MSwgTWFyZWsgTWFyY3p5a293c2tpLUfDs3JlY2tpICB3cm90ZToK PiBRRU1VIHJ1bm5pbmcgaW4gYSBzdHViZG9tIG5lZWRzIHRvIGJlIGFibGUgdG8gc2V0IElOVFhf RElTQUJMRSwgYW5kIHRoZQo+IE1TSSgtWCkgZW5hYmxlIGZsYWdzIGluIHRoZSBQQ0kgY29uZmln IHNwYWNlLiBUaGlzIGFkZHMgYW4gYXR0cmlidXRlCj4gJ2FsbG93X2ludGVycnVwdF9jb250cm9s JyB3aGljaCB3aGVuIHNldCBmb3IgYSBQQ0kgZGV2aWNlIGFsbG93cyB3cml0ZXMKPiB0byB0aGlz IGZsYWcocykuIFRoZSB0b29sc3RhY2sgd2lsbCBuZWVkIHRvIHNldCB0aGlzIGZvciBzdHViZG9t cy4KPiBXaGVuIGVuYWJsZWQsIGd1ZXN0IChzdHViZG9tYWluKSB3aWxsIGJlIGFsbG93ZWQgdG8g c2V0IHJlbGV2YW50IGVuYWJsZQo+IGZsYWdzLCBidXQgb25seSBvbmUgYXQgYSB0aW1lIC0gaS5l LiBpdCByZWZ1c2VzIHRvIGVuYWJsZSBtb3JlIHRoYW4gb25lCj4gb2YgSU5UeCwgTVNJLCBNU0kt WCBhdCBhIHRpbWUuCj4gCj4gVGhpcyBmdW5jdGlvbmFsaXR5IGlzIG5lZWRlZCBvbmx5IGZvciBj b25maWcgc3BhY2UgYWNjZXNzIGRvbmUgYnkgZGV2aWNlCj4gbW9kZWwgKHN0dWJkb21haW4pIHNl cnZpbmcgYSBIVk0gd2l0aCB0aGUgYWN0dWFsIFBDSSBkZXZpY2UuIEl0IGlzIG5vdAo+IG5lY2Vz c2FyeSBhbmQgdW5zYWZlIHRvIGVuYWJsZSBkaXJlY3QgYWNjZXNzIHRvIHRob3NlIGJpdHMgZm9y IFBWIGRvbWFpbgo+IHdpdGggdGhlIGRldmljZSBhdHRhY2hlZC4gRm9yIFBWIGRvbWFpbnMsIHRo ZXJlIGFyZSBzZXBhcmF0ZSBwcm90b2NvbAo+IG1lc3NhZ2VzIChYRU5fUENJX09QX3tlbmFibGUs ZGlzYWJsZX1fe21zaSxtc2l4fSkgZm9yIHRoaXMgcHVycG9zZS4KPiBUaG9zZSBvcHMgaW4gYWRk aXRpb24gdG8gc2V0dGluZyBlbmFibGUgYml0cywgYWxzbyBjb25maWd1cmUgTVNJKC1YKSBpbgo+ IGRvbTAga2VybmVsIC0gd2hpY2ggaXMgdW5kZXNpcmFibGUgZm9yIFBDSSBwYXNzdGhyb3VnaCB0 byBIVk0gZ3Vlc3RzLgo+IAo+IFRoaXMgc2hvdWxkIG5vdCBpbnRyb2R1Y2UgYW55IG5ldyBzZWN1 cml0eSBpc3N1ZXMgc2luY2UgYSBtYWxpY2lvdXMKPiBndWVzdCAob3Igc3R1YmRvbSkgY2FuIGFs cmVhZHkgZ2VuZXJhdGUgTVNJcyB0aHJvdWdoIG90aGVyIHdheXMsIHNlZQo+IFsxXSBwYWdlIDgu CgpUcnVlLCBhbGJlaXQgdGhpcyBkb2Vzbid0IGNvdmVyIElOVFhfRElTQUJMRS4KCj4gQWRkaXRp b25hbGx5LCB3aGVuIHFlbXUgcnVucyBpbiBkb20wLCBpdCBhbHJlYWR5IGhhdmUgZGlyZWN0Cj4g YWNjZXNzIHRvIHRob3NlIGJpdHMuCgpUcnVlIGFnYWluLCBidXQgYW55IGJ1ZyBoZXJlIChhcyBp bjogdG9vIHdpZGUgZXhwb3N1cmUpIGlzIGEgcWVtdQpidWcgKHBvc3NpYmx5IHNlY3VyaXR5IGlz c3VlKS4gVGhlIHN0YXRlbWVudCBhbHNvIGlzbid0IHJlYWxseQpjb3JyZWN0IGZvciBkZS1wcml2 aWxlZ2VkIHFlbXUsIEkgdGhpbmsgKGJ1dCBJIGFsc28gdGhpbmsgUENJCnBhc3MtdGhyb3VnaCBk b2Vzbid0IHdvcmsgaW4gdGhhdCBtb2RlIGF0IGFsbCB5ZXQpLgoKT24gdGhlIHdob2xlIHRoaXMg bG9va3MgdG8gYmUgYW4gYWNjZXB0YWJsZSBhcHByb2FjaCB0byBtZS4gQnV0CkknbSBub3QgdGhl IG1haW50YWluZXIsIHNvIG15IG9waW5pb24gbWF5IG5vdCBjb3VudCBtdWNoLiBTb21lCmlzc3Vl cyB3aXRoIHRoZSBpbXBsZW1lbnRhdGlvbiBpdHNlbGYgd2VyZSBhbHJlYWR5IHBvaW50ZWQgb3V0 LgoKSmFuCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpY ZW4tZGV2ZWwgbWFpbGluZyBsaXN0Clhlbi1kZXZlbEBsaXN0cy54ZW5wcm9qZWN0Lm9yZwpodHRw czovL2xpc3RzLnhlbnByb2plY3Qub3JnL21haWxtYW4vbGlzdGluZm8veGVuLWRldmVs