lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200115224530.GU1314@mail-itl>
Date:   Wed, 15 Jan 2020 23:45:30 +0100
From:   Marek Marczykowski-Górecki 
        <marmarek@...isiblethingslab.com>
To:     Boris Ostrovsky <boris.ostrovsky@...cle.com>
Cc:     Roger Pau Monné <roger.pau@...rix.com>,
        xen-devel@...ts.xenproject.org, Juergen Gross <jgross@...e.com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        YueHaibing <yuehaibing@...wei.com>,
        open list <linux-kernel@...r.kernel.org>,
        Simon Gaiser <simon@...isiblethingslab.com>,
        Jan Beulich <jbeulich@...e.com>
Subject: Re: [Xen-devel] [PATCH v4] xen-pciback: optionally allow interrupt
 enable flag writes

On Wed, Jan 15, 2020 at 05:32:32PM -0500, Boris Ostrovsky wrote:
> 
> 
> On 1/15/20 11:48 AM, Roger Pau Monné wrote:
> > On Wed, Jan 15, 2020 at 02:46:29AM +0100, Marek Marczykowski-Górecki wrote:
> > > QEMU running in a stubdom needs to be able to set INTX_DISABLE, and the
> > > MSI(-X) enable flags in the PCI config space. This adds an attribute
> > > 'allow_interrupt_control' which when set for a PCI device allows writes
> > > to this flag(s). The toolstack will need to set this for stubdoms.
> > > When enabled, guest (stubdomain) will be allowed to set relevant enable
> > > flags, but only one at a time - i.e. it refuses to enable more than one
> > > of INTx, MSI, MSI-X at a time.
> > > 
> > > This functionality is needed only for config space access done by device
> > > model (stubdomain) serving a HVM with the actual PCI device. It is not
> > > necessary and unsafe to enable direct access to those bits for PV domain
> > > with the device attached. For PV domains, there are separate protocol
> > > messages (XEN_PCI_OP_{enable,disable}_{msi,msix}) for this purpose.
> > > Those ops in addition to setting enable bits, also configure MSI(-X) in
> > > dom0 kernel - which is undesirable for PCI passthrough to HVM guests.
> > > 
> > > This should not introduce any new security issues since a malicious
> > > guest (or stubdom) can already generate MSIs through other ways, see
> > > [1] page 8. Additionally, when qemu runs in dom0, it already have direct
> > > access to those bits.
> > > 
> > > This is the second iteration of this feature. First was proposed as a
> > > direct Xen interface through a new hypercall, but ultimately it was
> > > rejected by the maintainer, because of mixing pciback and hypercalls for
> > > PCI config space access isn't a good design. Full discussion at [2].
> > > 
> > > [1]: https://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
> > > [2]: https://xen.markmail.org/thread/smpgpws4umdzizze
> > > 
> > > [part of the commit message and sysfs handling]
> > > Signed-off-by: Simon Gaiser <simon@...isiblethingslab.com>
> > > [the rest]
> > > Signed-off-by: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
> > Some minor nits below, but LGTM:
> > 
> > Reviewed-by: Roger Pau Monné <roger.pau@...rix.com>
> > 
> > > 
> > > diff --git a/Documentation/ABI/testing/sysfs-driver-pciback b/Documentation/ABI/testing/sysfs-driver-pciback
> > > index 6a733bfa37e6..566a11f2c12f 100644
> > > --- a/Documentation/ABI/testing/sysfs-driver-pciback
> > > +++ b/Documentation/ABI/testing/sysfs-driver-pciback
> > > @@ -11,3 +11,16 @@ Description:
> > >                   #echo 00:19.0-E0:2:FF > /sys/bus/pci/drivers/pciback/quirks
> > >                   will allow the guest to read and write to the configuration
> > >                   register 0x0E.
> > > +
> > > +What:           /sys/bus/pci/drivers/pciback/allow_interrupt_control
> > > +Date:           Jan 2020
> > > +KernelVersion:  5.5
> 
> 5.6
> 
> I can fix this and the things that Roger mentioned while committing if Marek
> is OK with that.

Yes, thanks!

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ