From mboxrd@z Thu Jan 1 00:00:00 1970
From: Julien Grall
Subject: Re: [PATCH v3 21/24] tools/(lib)xl: Add partial device tree support for ARM
Date: Mon, 23 Feb 2015 18:43:47 +0000
Message-ID: <54EB74E3.2020806@linaro.org>
References: <1421159133-31526-1-git-send-email-julien.grall@linaro.org> <1421159133-31526-22-git-send-email-julien.grall@linaro.org> <21739.5877.96434.483449@mariner.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) id 1YPxzN-00073e-04 for xen-devel@lists.xenproject.org; Mon, 23 Feb 2015 18:44:17 +0000
Received: by wghl2 with SMTP id l2so591517wgh.9; Mon, 23 Feb 2015 10:44:15 -0800 (PST)
In-Reply-To: <21739.5877.96434.483449@mariner.uk.xensource.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Jackson
Cc: xen-devel@lists.xenproject.org, tim@xen.org, ian.campbell@citrix.com, stefano.stabellini@citrix.com, Wei Liu
List-Id: xen-devel@lists.xenproject.org

Hi Ian,

On 23/02/15 12:03, Ian Jackson wrote:
> Julien Grall writes ("[PATCH v3 21/24] tools/(lib)xl: Add partial device tree support for ARM"):
>> Let the user pass additional nodes to the guest device tree. For this
>> purpose, everything in the node /passthrough from the partial device tree will
>> be copied into the guest device tree.
>
> Please wrap your commit messages to 70, not 80.

I thought commit messages had to be wrapped to 80. I will change it.

>
>> +=item B
>> +
>> +Specify a partial device tree (compiled via the Device Tree Compiler).
>> +Everything under the node "/passthrough" will be copied into the guest
>> +device tree. For convenience, the node "/aliases" is also copied to allow
>> +the user to defined aliases which can be used by the guest kernel.
>
> This is rather odd.
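Review bot: the quoted `+=item` documentation lines state what is copied ("/passthrough" and "/aliases") but not who is trusted to supply the file; since the toolstack parses the blob itself, the option text should say that the partial device tree must come from a trusted source, which is the outcome the thread below converges on when the option is to be marked "unsafe". Also, "the user to defined aliases" should read "the user to define aliases".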
> The config option is `device_tree' but apparently it is only relevant for
> passthrough and nothing else can be set with it.

I had to choose a name for the node, and "/passthrough" was the best one
that won't collide with the device tree generated by the toolstack. That
said, you can put pretty much everything in the "/passthrough" node.

>> +static int check_partial_fdt(libxl__gc *gc, void *fdt, size_t size)
>> +{
> ...
>> +    /* Check if the *size and off* fields doesn't overrun the totalsize
>> +     * of the partial FDT.
>> +     */
>> +    if (fdt_totalsize(fdt) > size) {
>> +        LOG(ERROR, "Partial FDT totalsize is too big");
>> +        return ERROR_FAIL;
>> +    }
>
> There's lots and lots of this very fragile binary parsing code.
>
> Is this facility supposed to take untrusted or partially-trusted
> partial device trees ?

It may take an untrusted device tree. I reviewed the libfdt code and tried
to fix all possible security issues in the toolstack.

> If so then I suspect we need a different approach. It might be easier
> to rewrite this whole functionality in a programming language which is
> less fragile in the face of programming errors, than to try to make
> this whole thing secure (and review it).
>
> I'm definitely having XSA-55 flashbacks.

It's not my plan to have an XSA-55-like issue :). As discussed IRL, we can
mark this option "unsafe", so any device tree passed to libxl should be
trusted. I will add an item to the description.

Regards,

-- 
Julien Grall
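Review bot: in the quoted check_partial_fdt() excerpt, fdt_totalsize(fdt) dereferences a header field before the function has established that `size` covers the header at all; unless the elided lines above already reject a `size` smaller than the FDT header, that read can run past an undersized buffer. The comment on those lines also promises a check of both "size and off" fields, but the only check visible here is `fdt_totalsize(fdt) > size`; when the off_dt_struct/off_dt_strings checks are added, prefer the overflow-safe form `off <= totalsize && len <= totalsize - off` over `off + len <= totalsize`, since both fields are attacker-controlled 32-bit values and their sum can wrap.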
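The thread's point of contention is how an untrusted flattened device tree (FDT) blob should be bounds-checked before any of its fields are trusted. The example below is added here for illustration and is not libxl's check_partial_fdt() nor libfdt's own fdt_check_header(); the field layout follows the public FDT header format (ten big-endian 32-bit words), while the function names check_fdt_header(), region_fits() and build_demo_header() and the numeric error codes are this example's own choices. It shows the order of checks that makes each later read safe: header length first, then magic, then totalsize against the buffer, then every (offset, length) pair against totalsize using subtraction so a wrapped sum cannot pass.

```c
/* Added example: header validation for an untrusted FDT blob.
 * Not libxl or libfdt code; names and error codes are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FDT_MAGIC      0xd00dfeedU
#define FDT_HEADER_LEN 40U   /* ten big-endian u32 fields */

/* Read a big-endian u32 at byte offset off; caller guarantees off + 4 <= len. */
static uint32_t be32_at(const uint8_t *buf, size_t off)
{
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

static void put_be32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off] = (uint8_t)(v >> 24); buf[off + 1] = (uint8_t)(v >> 16);
    buf[off + 2] = (uint8_t)(v >> 8); buf[off + 3] = (uint8_t)v;
}

/* 1 if [off, off+len) lies inside a blob of total bytes, else 0.
 * Written as subtraction so that off + len cannot wrap around. */
int region_fits(uint32_t off, uint32_t len, uint32_t total)
{
    return off <= total && len <= total - off;
}

/* Validate the FDT header at the start of buf (size bytes).
 * Returns 0 on success, or a negative code naming the first failed check. */
int check_fdt_header(const uint8_t *buf, size_t size)
{
    if (size < FDT_HEADER_LEN)
        return -1;                  /* the header itself would overrun buf */
    if (be32_at(buf, 0) != FDT_MAGIC)
        return -2;                  /* not an FDT at all */
    uint32_t totalsize = be32_at(buf, 4);
    if (totalsize < FDT_HEADER_LEN || totalsize > size)
        return -3;                  /* totalsize must cover the header and fit buf */
    uint32_t off_struct   = be32_at(buf, 8);
    uint32_t off_strings  = be32_at(buf, 12);
    uint32_t off_memrsv   = be32_at(buf, 16);
    uint32_t size_strings = be32_at(buf, 32);
    uint32_t size_struct  = be32_at(buf, 36);
    if (!region_fits(off_struct, size_struct, totalsize))
        return -4;                  /* structure block outside the blob */
    if (!region_fits(off_strings, size_strings, totalsize))
        return -5;                  /* strings block outside the blob */
    if (off_memrsv > totalsize || (off_memrsv & 7))
        return -6;                  /* memreserve block must be inside and 8-aligned */
    if (off_struct & 3)
        return -7;                  /* structure block must be 4-aligned */
    return 0;
}

/* Build a constructed (not captured) header into buf for demonstration;
 * the memreserve block is placed right after the header. */
void build_demo_header(uint8_t *buf, size_t bufsize, uint32_t totalsize,
                       uint32_t off_struct, uint32_t size_struct,
                       uint32_t off_strings, uint32_t size_strings)
{
    if (bufsize < FDT_HEADER_LEN)
        return;
    memset(buf, 0, bufsize);
    put_be32(buf, 0, FDT_MAGIC);
    put_be32(buf, 4, totalsize);
    put_be32(buf, 8, off_struct);
    put_be32(buf, 12, off_strings);
    put_be32(buf, 16, FDT_HEADER_LEN);  /* off_mem_rsvmap */
    put_be32(buf, 20, 17);              /* version */
    put_be32(buf, 24, 16);              /* last_comp_version */
    put_be32(buf, 32, size_strings);
    put_be32(buf, 36, size_struct);
}

int main(void)
{
    uint8_t buf[64];
    build_demo_header(buf, sizeof buf, 64, 48, 8, 56, 8);
    printf("well-formed header: %d\n", check_fdt_header(buf, sizeof buf));
    build_demo_header(buf, sizeof buf, 200, 48, 8, 56, 8);
    printf("totalsize larger than buffer: %d\n", check_fdt_header(buf, sizeof buf));
    build_demo_header(buf, sizeof buf, 64, 0xfffffff0u, 0x20, 56, 8);
    printf("wrapping struct offset: %d\n", check_fdt_header(buf, sizeof buf));
    return 0;
}
```

The wrapping case is the one a naive `off + len <= totalsize` would accept: 0xfffffff0 + 0x20 overflows to 0x10 in 32-bit arithmetic and passes, whereas the subtraction form rejects it immediately.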