From mboxrd@z Thu Jan 1 00:00:00 1970 From: Haitao Shan Subject: Re: [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management Date: Tue, 12 Jul 2011 21:32:01 +0800 Message-ID: References: <4E1C0E4A020000780004D118@nat28.tlf.novell.com> <4E1C3499020000780004D1AD@nat28.tlf.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Return-path: In-Reply-To: <4E1C3499020000780004D1AD@nat28.tlf.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Jan Beulich Cc: George Dunlap , Keir Fraser , xen-devel@lists.xensource.com, Ian Jackson , Tim Deegan List-Id: xen-devel@lists.xenproject.org 2011/7/12 Jan Beulich : >>>> On 12.07.11 at 11:30, Haitao Shan wrote: >> I am not aware of any context of larger scope of MSI-X cleaning ups if >> you are planning to do so. As a result, I might be missing some >> important points. So please just go ahead and submit your patches. > > No, I didn't have any plans besides the dealing with the proper > determination of virtual functions' MSI-X table and PBA addresses. > >> 2011/7/12 Jan Beulich : >>>>>> On 12.07.11 at 07:24, Haitao Shan wrote: >>>> Hi, >>>> >>>> As reported by Jan, current Qemu does not handle MSIX table mapping >>>> properly. >>>> >>>> Details: >>>> >>>> MSI-X table resides in one of the physical BARs. When Qemu handles >>>> guest's changes to BAR register (within which, MSI-X table resides), >>>> Qemu first allows access of the whole BAR MMIO ranges and then removes >>>> those of MSI-X. There is a small window here. It is possible that on a >>>> SMP guests one vcpu could have access to the physical MSI-X >>>> configurations when another vcpu is writing BAR registers. >>>> >>>> The patch fixes this issue by first producing the valid MMIO ranges by >>>> removing MSI-X table's range from the whole BAR mmio range and later >>>> passing these ranges to Xen. >>> >>> That's only half of it - something similar would need to be done for the >>> pending bit array. >> Please justify why this read-only PBA should also be removed from >> guest access. > > Because it being stated to be read-only accessible only doesn't mean > that all devices implement only read accesses (and discard writes). I will agree the statement itself above. The spec does say writes will have undefined behavior. But unless there is proven case that this undefined behavior harms the system, I don't see the need for Xen to defend more on that. For example, MMIOs are assigned to guests with IOMMU. Typically there would be reserved space in MMIOs. Writes to these reserved space also has undefined behavior. I don't believe this is the area that Xen can defend. > >> Note that we actually mask physical MSI via MSI-X table >> when guests mask it via virtualized MSI-X table. > > As long as this happens from Xen, that's fine, but see below. > >>> Further I'm having the impression that while you avoid assigning the >>> questionable MMIO range to the guest (which isn't a security concern >>> as long as the BAR determination for the device in the hypervisor is >>> correct), your patch doesn't prevent qemu actually mapping these >>> ranges writably and allow pci_msix_writel() to access it (which is the >>> actual open security problem). >> I totally disagree. I think Dom0 together with its management SW >> entities such as Qemu and libxc/libxl are to be trusted. It can be >> arguable to what extent Xen can trust them. > > It's not a matter of trust, but one of correctness. > >> Mapping that to Qemu is mainly for writing MASK bit to physical MSI-X >> table directly. Handling guests' masking MSI is already too long a >> code path. > > Qemu getting this wrong (e.g. doing an unmask when the guest > requests so, but Xen wants that interrupt to be masked) can > confuse Xen significantly, up to the point where the other > interrupts (and hence the whole system) can be affected. Doing or not doing a mask/unmask on guests' requests is a policy. To me, either one is not perfect. Not allowing Qemu to do the mask/unmask also has made things complex. If guests' settings only affect virtual masking, Qemu has to pass down the virtual masking information to Xen, as Qemu does not have a chance to be part of interrupt delivery (and hence applying its virtual mask decision). What's more, only masking MSI-X virtually cannot prevent physical interrupt storms. I would like to keep current policy in Qemu, unless anyone can move the whole MSI/MSI-X logics to Xen. > >> If Qemu is not trusted, I would say perhaps you can move MSI >> virtualization part from Qemu to Xen itself. >> >>> >>> Further, I don't think it's correct to remove guest access to either of >>> the two ranges altogether - either qemu needs to emulate access to >>> these, or the guest ought to be able to access the ranges directly, >>> but read-only. >> PBA is exposed to guests, unless it happens to be located on the same >> page of MSI-X table (in this case, it have to be removed), per my >> understanding. > > Besides above described reason for not exposing the PBA writably, > having to handle two cases (PBA exposed and PBA invisible) would > just needlessly complicate the code. So making it consistent with > the MSI-X table is going to be both more secure and simpler to > implement. > >> MSI-X table cannot be exposed to guests even read-only. > > Why not? The guest (or qemu on its behalf) reading the table > doesn't do any harm. And with there being 31 currently > undefined bits in each entry, future extensions could be severely > restricted from using in guests if we're too restrictive here. Why can guests see host MSI-X table, including vectors information contained? If this is OK, why not simply expose all CPU features via CPUID but just block its usage of unwanted features. For example, as long as guests cannot set XSAVE support via CR4 (if Xen implements this), do you agree it is safe to expose XSAVE via CPUID to guests. > > Jan > >