From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH v3 20/24] xen/passthrough: Extend
 XEN_DOMCTL_assign_device to support DT device
Date: Tue, 10 Mar 2015 18:45:21 -0400
Message-ID: <54FF7401.6070900@tycho.nsa.gov>
References: <1421159133-31526-1-git-send-email-julien.grall@linaro.org>	
	<1421159133-31526-21-git-send-email-julien.grall@linaro.org>
	<1424452643.30924.368.camel@citrix.com>
	<54EB5475.3060900@tycho.nsa.gov> <54FF214C.10508@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <dgdegra@tycho.nsa.gov>) id 1YVSug-0008GR-MA
	for xen-devel@lists.xenproject.org; Tue, 10 Mar 2015 22:46:11 +0000
In-Reply-To: <54FF214C.10508@linaro.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Julien Grall <julien.grall@linaro.org>, Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>, Ian Jackson <ian.jackson@eu.citrix.com>, tim@xen.org, stefano.stabellini@citrix.com, Jan Beulich <jbeulich@suse.com>, Machon Gregory <mbgrego@tycho.ncsc.mil>, xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On 03/10/2015 12:52 PM, Julien Grall wrote:
> Hi Daniel,
>
> On 23/02/15 16:25, Daniel De Graaf wrote:
>> On 02/20/2015 12:17 PM, Ian Campbell wrote:
>>> On Tue, 2015-01-13 at 14:25 +0000, Julien Grall wrote:
>>>> TODO: Update the commit message
>>>>
>>>> A device node is described by a path. It will be used to retrieved the
>>>> node in the device tree and assign the related device to the domain.
>>>>
>>>> Only device protected by an IOMMU can be assigned to a guest.
>>>>
>>>> Signed-off-by: Julien Grall <julien.grall@linaro.org>
>>>> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
>>>> Cc: Wei Liu <wei.liu2@citrix.com>
>>>> Cc: Jan Beulich <jbeulich@suse.com>
>>>>
>>>> ---
>>>>       Changes in v2:
>>>>           - Use a different number for XEN_DOMCTL_assign_dt_device
>>>> ---
>>>>    tools/libxc/include/xenctrl.h         | 10 ++++
>>>>    tools/libxc/xc_domain.c               | 95
>>>> ++++++++++++++++++++++++++++++++--
>>>
>>> These bits all look fine.
>>>
>>>> +int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d,
>>>> +                       XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
>>>> +{
>>>> +    int ret;
>>>> +    struct dt_device_node *dev;
>>>> +
>>>> +    /* TODO: How to deal with XSM? */
>>>
>>> Adding Daniel.
>>>
>>> It seems the PCI ones are protected by
>>>           xsm_test_assign_device(XSM_HOOK,
>>> domctl->u.assign_device.machine_sbdf);
>>>
>>> So it seem that either this needs to become "test_assign_pci_device" and
>>> a similar "test_assign_dt_device" needs to be added and plumbed through
>>> or it needs to grow a type parameter and take the union for the
>>> identifier.
>>
>> Either would work, but a distinct hook seems simpler to me, especially as
>> the call sites are distinct and the hook would process them differently.
>
> Sounds good.
>
>>> The code to apply an XSM context to a DT node would need consideration
>>> too I suppose?
>>
>> This may require a bit more thought.  At first glance, the dt_phandle
>> field seems to be an identifier that could be used by FLASK to identify a
>> device using an ocontext lookup.  Labeling would then be done in the same
>> way as PCI devices and x86 legacy I/O ports.
>
> We don't always have a dt_phandle in hand. They are mostly used for
> referencing a node within another (such as IOMMU, interrupt
> controller...). Also, the value is controlled by the compiler.
>
> AFAICT, the only unique value we have in hand is the path of the device.

OK. I was hoping that there would be a unique numeric identifier.  If
there is not, it may be necessary to either create one or to add a new
field to device nodes (like the one for event channels) so that they
can be labeled.

> BTW, do you have any pointer on how to write a policy for device/IRQ
> passthrough?

There is a bit of documentation in xsm-flask.txt about device labeling,
which is the hard part of making passthrough work.  Labels can be set
either statically in the security policy (as documented in the section
"Device Labeling") or dynamically using a tool like flask-label-pci
as documented in "Resource Policy".  Once that is done, then rules to
allow the passthrough operation can be added, similar to the example
resource nic_dev_t in xen.te.

In order to do static labeling for device passthrough, the nodes in a
device tree need a 32-bit numeric identifier.  IO memory uses the MFN,
PCI devices use SBDF, and IRQs and x86 legacy IOs just use the number.

If device tree nodes can be labeled in this way, they could be added
as another resource type in the policy.  If not, then the label of a
device node will need to be set at boot using the XSM hypercalls;
this label would be stored in a security field added to device tree
nodes.

-- 
Daniel De Graaf
National Security Agency