From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Jan Beulich" <JBeulich@suse.com>
Subject: Re: Domctl and physdevop for passthrough (Was: Re:
 Stabilising some tools only HVMOPs?)
Date: Tue, 23 Feb 2016 08:46:14 -0700
Message-ID: <56CC8CD602000078000D54A5@prv-mh.provo.novell.com>
References: <20160217172808.GB3723@citrix.com>
	<20160219160539.GV3723@citrix.com>
	<56CAFEE302000078000D4A74@prv-mh.provo.novell.com>
	<20160223143130.GE3723@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <JBeulich@suse.com>) id 1aYFAK-0007XM-Cq
	for xen-devel@lists.xenproject.org; Tue, 23 Feb 2016 15:46:20 +0000
In-Reply-To: <20160223143130.GE3723@citrix.com>
Content-Disposition: inline
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Ian Jackson <Ian.Jackson@eu.citrix.com>, PaulDurrant <Paul.Durrant@citrix.com>, Anthony PERARD <anthony.perard@citrix.com>, Xen-devel <xen-devel@lists.xenproject.org>
List-Id: xen-devel@lists.xenproject.org

>>> On 23.02.16 at 15:31, <wei.liu2@citrix.com> wrote:
> On Mon, Feb 22, 2016 at 04:28:19AM -0700, Jan Beulich wrote:
>> >>> On 19.02.16 at 17:05, <wei.liu2@citrix.com> wrote:
>> > On Wed, Feb 17, 2016 at 05:28:08PM +0000, Wei Liu wrote:
>> >> Hi all
>> >> 
>> >> Tools people are in the process of splitting libxenctrl into a set of
>> >> stable libraries. One of the proposed libraries is libxendevicemodel
>> >> which has a collection of APIs that can be used by device model.
>> >> 
>> >> Currently we use QEMU as reference to extract symbols and go through
>> >> them one by one. Along the way we discover QEMU is using some tools
>> >> only HVMOPs.
>> >> 
>> >> The list of tools only HVMOPs used by QEMU are:
>> >> 
>> >>   #define HVMOP_track_dirty_vram    6
>> >>   #define HVMOP_modified_memory    7
>> >>   #define HVMOP_set_mem_type    8
>> >>   #define HVMOP_inject_msi         16
>> >>   #define HVMOP_create_ioreq_server 17
>> >>   #define HVMOP_get_ioreq_server_info 18
>> >>   #define HVMOP_map_io_range_to_ioreq_server 19
>> >>   #define HVMOP_unmap_io_range_from_ioreq_server 20
>> >>   #define HVMOP_destroy_ioreq_server 21
>> >>   #define HVMOP_set_ioreq_server_state 22
>> >> 
>> > 
>> > In the process of ploughing through QEMU symbols, there are some domctls
>> > and physdevops used to do  passthrough. To make passthrough APIs in
>> > libxendevicemodel we need to stabilise them as well. Can I use the same
>> > trick __XEN_TOOLS_STABLE__ here? If not, what would be the preferred way
>> > of doing this?
>> > 
>> > PASSTHRU
>> > `xc_domain_bind_pt_pci_irq`     `XEN_DOMCTL_bind_pt_irq`    
>> > `xc_domain_ioport_mapping`      `XEN_DOMCTL_ioport_mapping` 
>> > `xc_domain_memory_mapping`      `XEN_DOMCTL_memory_mapping` 
>> > `xc_domain_unbind_msi_irq`      `XEN_DOMCTL_unbind_pt_irq`  
>> > `xc_domain_unbind_pt_irq`       `XEN_DOMCTL_unbind_pt_irq`  
>> > `xc_domain_update_msi_irq`      `XEN_DOMCTL_bind_pt_irq`    
>> > `xc_physdev_map_pirq`           `PHYSDEVOP_map_pirq`        
>> > `xc_physdev_map_pirq_msi`       `PHYSDEVOP_map_pirq`        
>> > `xc_physdev_unmap_pirq`         `PHYSDEVOP_unmap_pirq`      
>> 
>> Mechanically I would say yes, but anything here which is also on
>> the XSA-77 waiver list would first need removing there (with
>> proper auditing and, if necessary, fixing).
>> 
> 
> I admit I failed to parse xsm-flask.txt and XSA-77 and its implication,
> so let's take a concrete example instead.
> 
> Say, now I need to stabilise XEN_DOMCTL_pin_mem_cacheattr, which is on
> the list of domctls listed in xsm-flask.txt (presumably that's the
> waiver list you talked about).
> 
> You said "needs removing there", and xsm-flask.txt says "suops not
> listed here are considered safe for disaggregation", so the implication
> is that we need to make XEN_DOMCTL_pin_mem_cacheattr safe for
> disaggregation in order to move it off the list. Is this correct?

Yes.

> And in order to make it safe for disaggregation, I need to add adequate
> XSM checks for it. Is this correct?

Well, that depends on what accessibility scope you mean to give
it: If domains other than the hardware and control domain are
meant to be permitted to access this with the dummy policy, then
it'll take more than XSM checks. In particular, it would then need
auditing to ensure that its use cannot compromise the system in
any way. For the particular example you gave, together with
XSA-154, I consider this close to impossible without perhaps
extensive code changes.

Jan