[PATCH 2/2] xen/xsm: Add new SILO mode for XSM

[Xin Li <talons.lee@gmail.com>]

When SILO is enabled, there would be no page-sharing between
unprivileged VMs (no grant tables or event channels).

Signed-off-by: Xin Li <xin.li@citrix.com>

---
CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Tim Deegan <tim@xen.org>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Sergey Dyasli <sergey.dyasli@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ming Lu <ming.lu@citrix.com>
---
 docs/misc/xen-command-line.markdown |   3 +
 xen/common/Kconfig                  |  11 +++
 xen/include/xsm/xsm.h               |   6 ++
 xen/xsm/Makefile                    |   1 +
 xen/xsm/silo.c                      | 106 ++++++++++++++++++++++++++++
 xen/xsm/xsm_core.c                  |   9 +++
 6 files changed, 136 insertions(+)
 create mode 100644 xen/xsm/silo.c

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 7c689b8225..454de11c3d 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -877,6 +877,9 @@ the hypervisor was compiled with XSM support.
   it's also used when XSM is compiled out.
 * `flask`: this is the policy based access control.  To choose this, the
   separated option in kconfig must also be enabled.
+* `silo`: this will deny any unmediated communication channels between
+  unprivileged VMs.  To choose this, the separated option in kconfig must also
+  be enabled.
 
 ### flask
 > `= permissive | enforcing | late | disabled`
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 068c3206a1..f3f8e5afbc 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -143,6 +143,17 @@ config XSM_FLASK_POLICY
 
 	  If unsure, say Y.
 
+config XSM_SILO
+	def_bool y
+	prompt "SILO support"
+	depends on XSM
+	---help---
+	  Enables SILO as the access control mechanism used by the XSM framework.
+	  This will deny any unmediated communication channels between unprivileged
+	  VMs.
+
+	  If unsure, say Y.
+
 config LATE_HWDOM
 	bool "Dedicated hardware domain"
 	default n
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 70e7a6849f..11518e5bd6 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -733,6 +733,12 @@ extern const unsigned char xsm_init_flask_policy[];
 extern const unsigned int xsm_init_flask_policy_size;
 #endif
 
+#ifdef CONFIG_XSM_SILO
+extern void silo_init(void);
+#else
+static inline void silo_init(void) {}
+#endif
+
 #else /* CONFIG_XSM */
 
 #include <xsm/dummy.h>
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index 8bb4a24f09..e4d581e065 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,5 +1,6 @@
 obj-y += xsm_core.o
 obj-$(CONFIG_XSM) += xsm_policy.o
 obj-$(CONFIG_XSM) += dummy.o
+obj-$(CONFIG_XSM_SILO) += silo.o
 
 subdir-$(CONFIG_XSM_FLASK) += flask
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
new file mode 100644
index 0000000000..cac22432da
--- /dev/null
+++ b/xen/xsm/silo.c
@@ -0,0 +1,106 @@
+/******************************************************************************
+ * xsm/silo.c
+ *
+ * SILO module for XSM(Xen Security Modules)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright (c) 2018 Citrix Systems Ltd.
+ */
+
+#include <xen/sched.h>
+#include <xsm/xsm.h>
+
+struct xsm_operations silo_xsm_ops;
+
+/*
+ * check if inter-domain communication is allowed
+ * return true when pass check
+ */
+static bool silo_mode_dom_check(domid_t ldom, domid_t rdom)
+{
+    domid_t hd_dom = hardware_domain->domain_id;
+    domid_t cur_dom = current->domain->domain_id;
+
+    if ( ldom == DOMID_SELF )
+        ldom = cur_dom;
+    if ( rdom == DOMID_SELF )
+        rdom = cur_dom;
+
+    return (hd_dom == cur_dom || hd_dom == ldom || hd_dom == rdom ||
+            ldom == rdom);
+}
+
+static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
+                               domid_t id2)
+{
+    if ( silo_mode_dom_check(d1->domain_id, id2) )
+        return dummy_xsm_ops.evtchn_unbound(d1, chn, id2);
+    return -EPERM;
+}
+
+static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
+                                   struct domain *d2, struct evtchn *chan2)
+{
+    if ( silo_mode_dom_check(d1->domain_id, d2->domain_id) )
+        return dummy_xsm_ops.evtchn_interdomain(d1, chan1, d2, chan2);
+    return -EPERM;
+}
+
+static int silo_grant_mapref(struct domain *d1, struct domain *d2,
+                             uint32_t flags)
+{
+    if ( silo_mode_dom_check(d1->domain_id, d2->domain_id) )
+        return dummy_xsm_ops.grant_mapref(d1, d2, flags);
+    return -EPERM;
+}
+
+static int silo_grant_transfer(struct domain *d1, struct domain *d2)
+{
+    if ( silo_mode_dom_check(d1->domain_id, d2->domain_id) )
+        return dummy_xsm_ops.grant_transfer(d1, d2);
+    return -EPERM;
+}
+
+static int silo_grant_copy(struct domain *d1, struct domain *d2)
+{
+    if ( silo_mode_dom_check(d1->domain_id, d2->domain_id) )
+        return dummy_xsm_ops.grant_copy(d1, d2);
+    return -EPERM;
+}
+
+void __init silo_init(void)
+{
+    printk("Initialising XSM SILO mode");
+
+    silo_xsm_ops = dummy_xsm_ops;
+
+    silo_xsm_ops.evtchn_unbound = silo_evtchn_unbound;
+    silo_xsm_ops.evtchn_interdomain = silo_evtchn_interdomain;
+    silo_xsm_ops.grant_mapref = silo_grant_mapref;
+    silo_xsm_ops.grant_transfer = silo_grant_transfer;
+    silo_xsm_ops.grant_copy = silo_grant_copy;
+
+    xsm_ops = &silo_xsm_ops;
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index e002200578..7842f6dd44 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -34,6 +34,7 @@ struct xsm_operations *xsm_ops;
 enum xsm_bootparam {
     XSM_BOOTPARAM_DUMMY,
     XSM_BOOTPARAM_FLASK,
+    XSM_BOOTPARAM_SILO,
     XSM_BOOTPARAM_INVALID,
 };
 
@@ -46,6 +47,10 @@ static int __init parse_xsm_param(const char *s)
 #ifdef CONFIG_XSM_FLASK
     else if ( !strcmp(s, "flask") )
         xsm_bootparam = XSM_BOOTPARAM_FLASK;
+#endif
+#ifdef CONFIG_XSM_SILO
+    else if ( !strcmp(s, "silo") )
+        xsm_bootparam = XSM_BOOTPARAM_SILO;
 #endif
     else
         xsm_bootparam = XSM_BOOTPARAM_INVALID;
@@ -92,6 +97,10 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
         flask_init(policy_buffer, policy_size);
         break;
 
+    case XSM_BOOTPARAM_SILO:
+        silo_init();
+        break;
+
     default:
         printk("XSM: Invalid value for xsm= boot parameter.\n");
     }
-- 
2.18.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel