Re: [PATCH v3 10/10] x86/MSI-X: provide hypercall interface for mask-all control

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Wei Liu <wei.liu2@citrix.com>,
	Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Ian Campbell <Ian.Campbell@eu.citrix.com>,
	xen-devel <xen-devel@lists.xenproject.org>,
	dgdegra@tycho.nsa.gov, Keir Fraser <keir@xen.org>,
	Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [PATCH v3 10/10] x86/MSI-X: provide hypercall interface for mask-all control
Date: Fri, 12 Jun 2015 09:21:40 -0400	[thread overview]
Message-ID: <20150612132140.GA15651@l.oracle.com> (raw)
In-Reply-To: <557964870200007800083706@mail.emea.novell.com>

On Thu, Jun 11, 2015 at 09:35:51AM +0100, Jan Beulich wrote:
> >>> On 05.06.15 at 13:28, <JBeulich@suse.com> wrote:
> > Qemu shouldn't be fiddling with this bit directly, as the hypervisor
> > may (and now does) use it for its own purposes. Provide it with a
> > replacement interface, allowing the hypervisor to track host and guest
> > masking intentions independently (clearing the bit only when both want
> > it clear).
> 
> Originally I merely meant to ping the tools side changes here
> (considering that the original issue has been pending for months,
> delayed by various security issues as well as slow turnaround on
> understanding the nature and validity of that original issue, I'd
> _really_ like to see this go in now), but thinking about it once
> again over night I realized that what we do here to allow qemu
> to be fixed would then also be made use of by the kernels
> running pciback: While Dom0 fiddling with the MSI-X mask-all bit
> for its own purposes is at least not a security problem, it doing
> so on behalf of (and directed by) a guest would be as soon as
> the hypervisor side patches making use of that bit went in.

It is hard to comment on this since I don't know exactly what
those patches would do.  But the 'pci_msi_ignore_mask'
from 38737d82f9f0168955f9944c3f8bd3bb262c7e88, "PCI/MSI: Add
pci_msi_ignore_mask to prevent writes to MSI/MSI-X Mask Bits""
should have prevented that. That said said patches could change
the pci_msi_ignore_mask of course.

> 
> While I continue to be of the opinion that all direct writes to
> interrupt masking bits (MSI-X mask-all, MSI-X per-entry mask,
> MSI per entry mask) outside of the hypervisor are wrong and
> should be eliminated, the scope of the problem now clearly
> going beyond qemu made me reconsider whether we shouldn't,
> as advocated by Stefano, follow the trap-and-emulate route
> instead. This would not only mean adding code to x86's existing
> port CF8/CFC intercepts, but also write-protecting the MMCFG
> pages for all PCI devices being MSI or MSI-X capable, emulating
> writes with inspection / modification of writes to any of the mask
> bits located in PCI config space. (A subsequent optimization to
> this may then be a hypercall to do config space writes,
> eliminating the emulation overhead, accompanied by a bitmap
> indicating which devices' CFG space can be written directly.)
> 
> For a (from now on) timely resolution of the original problem I'd
> really appreciate opinions (or alternative suggestions).

Weeding out the direct writes is nice, but the process of eliminating
those is going to take time.

I like your idea as it provides a nice mechanism to track which
component is at fault writting to those areas and can help in
fixing that. But on the flip side - it also might delay patches
for the offending code as we would have already an 'firewall'
in place.

> 
> Jan
> 