All of lore.kernel.org
 help / color / mirror / Atom feed
* Re: [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
@ 2018-06-14 16:18 DeGraaf, Daniel G
  2018-06-14 21:01 ` Stefano Stabellini
  0 siblings, 1 reply; 4+ messages in thread
From: DeGraaf, Daniel G @ 2018-06-14 16:18 UTC (permalink / raw)
  To: 'Julien Grall', Stefano Stabellini
  Cc: artem_mygaiev, Stefano Stabellini, andrii_anisov, George.Dunlap,
	andrew.cooper3, ian.jackson, xen-devel, tim, jbeulich, wei.liu2,
	dgdegra

-----Original Message-----
> On 13/06/18 23:15, Stefano Stabellini wrote:
> > This is very useful when starting multiple domains from Xen without
> > xenstore access. It will allow them to print out to the Xen console.
> >
> > Signed-off-by: Stefano Stabellini <stefanos@xilinx.com>
> > CC: andrew.cooper3@citrix.com
> > CC: George.Dunlap@eu.citrix.com
> > CC: ian.jackson@eu.citrix.com
> > CC: jbeulich@suse.com
> > CC: konrad.wilk@oracle.com
> > CC: tim@xen.org
> > CC: wei.liu2@citrix.com
> > CC: dgdegra@tycho.nsa.gov
> > ---
> > If there is a better way to do this with XSM, please advise.
> 
> We definitely need to keep the XSM around to avoid opening a hole. We also don't want all the domain to access the console.
> 
> Looking at the implementation, any domain with is_privileged will be able to access the console. IHMO, I don't think we should set
> that for DomU created by Xen.
> 
> So I would suggest to introduce a new variable is_console and to tell whether a domain can access the console. xsm_console_io(...)
> would then need to be updated accordingly.

There is an existing CONFIG_VERBOSE_DEBUG option which, among other things, allows console output from any domain.  The console output part of that (which is just the #ifdef in include/xsm/dummy.h) could be moved to another CONFIG or ORed with an ARM flag. This would apply to all domains; if that's not what you want, you'll need to add a flag (like Julien suggested) or use XSM.

If XSM is enabled, guest hypervisor console output is controlled by the guest_writeconsole boolean in the default policy (tools/flask/policy/modules/guest_features.te) which defaults to allowing it.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
  2018-06-14 16:18 [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM DeGraaf, Daniel G
@ 2018-06-14 21:01 ` Stefano Stabellini
  0 siblings, 0 replies; 4+ messages in thread
From: Stefano Stabellini @ 2018-06-14 21:01 UTC (permalink / raw)
  To: dgdegra
  Cc: artem_mygaiev, Stefano Stabellini, Stefano Stabellini,
	andrii_anisov, George.Dunlap, andrew.cooper3, ian.jackson,
	xen-devel, 'Julien Grall',
	tim, jbeulich, wei.liu2

On Thu, 14 Jun 2018, DeGraaf, Daniel G wrote:
> -----Original Message-----
> > On 13/06/18 23:15, Stefano Stabellini wrote:
> > > This is very useful when starting multiple domains from Xen without
> > > xenstore access. It will allow them to print out to the Xen console.
> > >
> > > Signed-off-by: Stefano Stabellini <stefanos@xilinx.com>
> > > CC: andrew.cooper3@citrix.com
> > > CC: George.Dunlap@eu.citrix.com
> > > CC: ian.jackson@eu.citrix.com
> > > CC: jbeulich@suse.com
> > > CC: konrad.wilk@oracle.com
> > > CC: tim@xen.org
> > > CC: wei.liu2@citrix.com
> > > CC: dgdegra@tycho.nsa.gov
> > > ---
> > > If there is a better way to do this with XSM, please advise.
> > 
> > We definitely need to keep the XSM around to avoid opening a hole. We also don't want all the domain to access the console.
> > 
> > Looking at the implementation, any domain with is_privileged will be able to access the console. IHMO, I don't think we should set
> > that for DomU created by Xen.
> > 
> > So I would suggest to introduce a new variable is_console and to tell whether a domain can access the console. xsm_console_io(...)
> > would then need to be updated accordingly.
> 
> There is an existing CONFIG_VERBOSE_DEBUG option which, among other things, allows console output from any domain.  The console output part of that (which is just the #ifdef in include/xsm/dummy.h) could be moved to another CONFIG or ORed with an ARM flag. This would apply to all domains; if that's not what you want, you'll need to add a flag (like Julien suggested) or use XSM.
> 
> If XSM is enabled, guest hypervisor console output is controlled by the guest_writeconsole boolean in the default policy (tools/flask/policy/modules/guest_features.te) which defaults to allowing it.

I think the best user experience would be:
- do not to require XSM to be enabled
- do not to allow all domains to use the Xen console, only the ones started
  from Xen
- domUs started from Xen should not be is_privileged

Indeed, the best approach would be be to add a new is_console option.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
  2018-06-13 22:15 ` [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM Stefano Stabellini
@ 2018-06-14 15:33   ` Julien Grall
  0 siblings, 0 replies; 4+ messages in thread
From: Julien Grall @ 2018-06-14 15:33 UTC (permalink / raw)
  To: Stefano Stabellini
  Cc: artem_mygaiev, Stefano Stabellini, andrii_anisov, George.Dunlap,
	andrew.cooper3, ian.jackson, xen-devel, tim, jbeulich, wei.liu2,
	dgdegra

Hi Stefano,

On 13/06/18 23:15, Stefano Stabellini wrote:
> This is very useful when starting multiple domains from Xen without
> xenstore access. It will allow them to print out to the Xen console.
> 
> Signed-off-by: Stefano Stabellini <stefanos@xilinx.com>
> CC: andrew.cooper3@citrix.com
> CC: George.Dunlap@eu.citrix.com
> CC: ian.jackson@eu.citrix.com
> CC: jbeulich@suse.com
> CC: konrad.wilk@oracle.com
> CC: tim@xen.org
> CC: wei.liu2@citrix.com
> CC: dgdegra@tycho.nsa.gov
> ---
> If there is a better way to do this with XSM, please advise.

We definitely need to keep the XSM around to avoid opening a hole. We 
also don't want all the domain to access the console.

Looking at the implementation, any domain with is_privileged will be 
able to access the console. IHMO, I don't think we should set that for 
DomU created by Xen.

So I would suggest to introduce a new variable is_console and to tell 
whether a domain can access the console. xsm_console_io(...) would then 
need to be updated accordingly.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM
  2018-06-13 22:15 [PATCH RFC 00/15] dom0less step1: boot multiple domains from device tree Stefano Stabellini
@ 2018-06-13 22:15 ` Stefano Stabellini
  2018-06-14 15:33   ` Julien Grall
  0 siblings, 1 reply; 4+ messages in thread
From: Stefano Stabellini @ 2018-06-13 22:15 UTC (permalink / raw)
  To: julien.grall
  Cc: artem_mygaiev, Stefano Stabellini, sstabellini, andrii_anisov,
	George.Dunlap, andrew.cooper3, ian.jackson, xen-devel, tim,
	jbeulich, wei.liu2, dgdegra

This is very useful when starting multiple domains from Xen without
xenstore access. It will allow them to print out to the Xen console.

Signed-off-by: Stefano Stabellini <stefanos@xilinx.com>
CC: andrew.cooper3@citrix.com
CC: George.Dunlap@eu.citrix.com
CC: ian.jackson@eu.citrix.com
CC: jbeulich@suse.com
CC: konrad.wilk@oracle.com
CC: tim@xen.org
CC: wei.liu2@citrix.com
CC: dgdegra@tycho.nsa.gov
---
If there is a better way to do this with XSM, please advise.

---
 xen/drivers/char/console.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index 0f05369..dc9e0bb 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -555,9 +555,11 @@ long do_console_io(int cmd, int count, XEN_GUEST_HANDLE_PARAM(char) buffer)
     long rc;
     unsigned int idx, len;
 
+#ifndef CONFIG_ARM
     rc = xsm_console_io(XSM_OTHER, current->domain, cmd);
     if ( rc )
         return rc;
+#endif
 
     switch ( cmd )
     {
-- 
1.9.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-06-14 21:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-14 16:18 [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM DeGraaf, Daniel G
2018-06-14 21:01 ` Stefano Stabellini
  -- strict thread matches above, loose matches on Subject: below --
2018-06-13 22:15 [PATCH RFC 00/15] dom0less step1: boot multiple domains from device tree Stefano Stabellini
2018-06-13 22:15 ` [PATCH RFC 01/15] xen: allow console_io hypercalls from DomUs on ARM Stefano Stabellini
2018-06-14 15:33   ` Julien Grall

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.