From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH v12 11/14] flask/policy: allow domU to use
 previously-mapped I/O-memory
Date: Wed, 03 Sep 2014 10:45:18 -0400
Message-ID: <5407297E.2080202@tycho.nsa.gov>
References: <1409416189-16564-1-git-send-email-avanzini.arianna@gmail.com>	
	<1409416189-16564-12-git-send-email-avanzini.arianna@gmail.com>
	<1409743296.22712.10.camel@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1409743296.22712.10.camel@eu.citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Arianna Avanzini <avanzini.arianna@gmail.com>
Cc: julien.grall@citrix.com, paolo.valente@unimore.it, keir@xen.org, stefano.stabellini@eu.citrix.com, Ian.Jackson@eu.citrix.com, dario.faggioli@citrix.com, tim@xen.org, xen-devel@lists.xen.org, Ian Campbell <Ian.Campbell@eu.citrix.com>, etrudeau@broadcom.com, JBeulich@suse.com, andrew.cooper3@citrix.com, viktor.kleinik@globallogic.com, andrii.tseglytskyi@globallogic.com
List-Id: xen-devel@lists.xenproject.org

On 09/03/2014 07:21 AM, Ian Campbell wrote:
> On Sat, 2014-08-30 at 18:29 +0200, Arianna Avanzini wrote:
>> From: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>
>>
>> This commit allows the domU to access previously-mapped I/O-memory
>> even if XSM is enabled and FLASK is enforced.
>
> CCing Daniel (XSM maintainer).
>
> I think this is probably OK, but I'm no XSM expert.
>
> (If I were writing the ocmmit message I would have said something like
> "Update the example XSM policy to allow...")

The message Ian suggests is a bit clearer as to the effect of the patch.

Regarding the patch: at minimum, a domU should only need the permissions
defined by "use_device(domU_t, iomem_t)" to access mapped memory.  However,
it is preferred to label the IO memory being used instead of allowing access
to the default/fallback iomem_t.

The intention for handing pass-through devices with FLASK is to label the
device (either using the tool flask-label-pci or manually in the policy;
example lines for the latter are present and commented out).  The example
policy defines the type nic_dev_t as a device that is usable by domU_t, and
docs/misc/xsm-flask.txt has an example of flask-label-pci's use.

If you are actually only passing IO memory and not a PCI device, labeling
the IO memory range would be the preferred solution.  If you cannot label
it statically, a tool similar to flask-label-pci for memory will be needed -
something like "flask-label-resource <type> <start>-<end> <label>".  This
may be more common on ARM than on x86; I am not familiar with pass-through
on ARM, and the only non-PCI device on x86 that I have used pass-through on
is the TPM, which has a well-defined IO memory range.

-- 
Daniel De Graaf
National Security Agency