All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org, scott.davis@starlab.io,
	jandryuk@gmail.com, Daniel De Graaf <dgdegra@tycho.nsa.gov>,
	Andrew Cooper <Andrew.Cooper3@citrix.com>
Subject: Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged
Date: Mon, 4 Apr 2022 10:21:18 -0400	[thread overview]
Message-ID: <25c10763-36fa-34d4-05b6-655c08fdfee7@apertussolutions.com> (raw)
In-Reply-To: <YkWgXhFVq/fD72CB@Air-de-Roger>

On 3/31/22 08:36, Roger Pau Monné wrote:
> On Wed, Mar 30, 2022 at 07:05:48PM -0400, Daniel P. Smith wrote:
>> There are now instances where internal hypervisor logic needs to make resource
>> allocation calls that are protected by XSM checks. The internal hypervisor logic
>> is represented a number of system domains which by designed are represented by
>> non-privileged struct domain instances. To enable these logic blocks to
>> function correctly but in a controlled manner, this commit introduces a pair
>> of privilege escalation and demotion functions that will make a system domain
>> privileged and then remove that privilege.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>> ---
>>  xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++
> 
> I'm not sure this needs to be in xsm code, AFAICT it could live in a
> more generic file.

From my perspective this is access control logic, thus why I advocate
for it to be under XSM. A personal goal is to try to get all security,
i.e. access control, centralized to the extent that it doing so does not
make the code base unnecessarily complicated.

>>  1 file changed, 22 insertions(+)
>>
>> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
>> index e22d6160b5..157e57151e 100644
>> --- a/xen/include/xsm/xsm.h
>> +++ b/xen/include/xsm/xsm.h
>> @@ -189,6 +189,28 @@ struct xsm_operations {
>>  #endif
>>  };
>>  
>> +static always_inline int xsm_elevate_priv(struct domain *d)
> 
> I don't think it needs to be always_inline, using just inline would be
> fine IMO.
> 
> Also this needs to be __init.

AIUI always_inline is likely the best way to preserve the speculation
safety brought in by the call to is_system_domain().

>> +{
>> +    if ( is_system_domain(d) )
>> +    {
>> +        d->is_privileged = true;
>> +        return 0;
>> +    }
>> +
> 
> I would add an ASSERT_UNREACHABLE(); here, I don't think we have any
> use case for trying to elevate the privileges of a non-system domain.

Ack.

v/r
dps


  parent reply	other threads:[~2022-04-04 14:22 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-30 23:05 [PATCH 0/2] Introduce XSM ability for domain privilege escalation Daniel P. Smith
2022-03-30 23:05 ` [PATCH 1/2] xsm: add ability to elevate a domain to privileged Daniel P. Smith
2022-03-31 12:36   ` Roger Pau Monné
2022-04-01 17:52     ` Julien Grall
2022-04-04  8:08       ` Roger Pau Monné
2022-04-04 12:24         ` Jan Beulich
2022-04-04 14:21     ` Daniel P. Smith [this message]
2022-04-04 15:12       ` Roger Pau Monné
2022-04-04 15:17         ` Jan Beulich
2022-04-04 16:08         ` Daniel P. Smith
2022-04-05  7:42           ` Roger Pau Monné
2022-04-05 12:06             ` Daniel P. Smith
2022-04-05 15:01               ` Roger Pau Monné
2022-03-31 13:16   ` Jason Andryuk
2022-04-04 15:33     ` Daniel P. Smith
2022-04-05 17:17       ` Jason Andryuk
2022-04-05 19:05         ` Daniel P. Smith
2022-04-06  7:06         ` Jan Beulich
2022-04-06  8:46           ` Roger Pau Monné
2022-04-06  8:48             ` Jan Beulich
2022-04-06  9:09               ` Roger Pau Monné
2022-04-06  9:16                 ` Jan Beulich
2022-04-06  9:40                   ` Roger Pau Monné
2022-04-06 12:31           ` Jason Andryuk
2022-04-01 17:53   ` Julien Grall
2022-03-30 23:05 ` [PATCH 2/2] arch: ensure idle domain is not left privileged Daniel P. Smith
2022-03-31 12:46   ` Roger Pau Monné
2022-03-31 12:54     ` Julien Grall
2022-03-31 20:30       ` Stefano Stabellini
2022-04-04 14:56     ` Daniel P. Smith
2022-04-05  8:26   ` Jan Beulich
2022-04-05 12:24     ` Daniel P. Smith

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=25c10763-36fa-34d4-05b6-655c08fdfee7@apertussolutions.com \
    --to=dpsmith@apertussolutions.com \
    --cc=Andrew.Cooper3@citrix.com \
    --cc=dgdegra@tycho.nsa.gov \
    --cc=jandryuk@gmail.com \
    --cc=roger.pau@citrix.com \
    --cc=scott.davis@starlab.io \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.