| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jun 2022 15:41:13 +0300
From: Oleksandr <olekstysh@...il.com>
To: Viresh Kumar <viresh.kumar@...aro.org>
Cc: xen-devel@...ts.xenproject.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
virtualization@...ts.linux-foundation.org, x86@...nel.org,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
Christoph Hellwig <hch@...radead.org>,
Stefano Stabellini <sstabellini@...nel.org>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>, Julien Grall <julien@....org>,
Bertrand Marquis <bertrand.marquis@....com>,
Wei Chen <Wei.Chen@....com>, Henry Wang <Henry.Wang@....com>,
Kaly Xin <Kaly.Xin@....com>, Jiamei Xie <Jiamei.Xie@....com>,
Alex Bennée <alex.bennee@...aro.org>,
Vincent Guittot <vincent.guittot@...aro.org>,
Mathieu Poirier <mathieu.poirier@...aro.org>
Subject: Re: [PATCH V4 0/8] virtio: Solution to restrict memory access under
Xen using xen-grant DMA-mapping layer
On 15.06.22 09:23, Viresh Kumar wrote:
> Hi Oleksandr,
Hello Viresh
>
> On Mon, Jun 6, 2022 at 10:16 AM Oleksandr Tyshchenko
> <olekstysh@...il.com> wrote:
>> The high level idea is to create new Xen’s grant table based DMA-mapping layer for the guest Linux whose main
>> purpose is to provide a special 64-bit DMA address which is formed by using the grant reference (for a page
>> to be shared with the backend) with offset and setting the highest address bit (this is for the backend to
>> be able to distinguish grant ref based DMA address from normal GPA). For this to work we need the ability
>> to allocate contiguous (consecutive) grant references for multi-page allocations. And the backend then needs
>> to offer VIRTIO_F_ACCESS_PLATFORM and VIRTIO_F_VERSION_1 feature bits (it must support virtio-mmio modern
>> transport for 64-bit addresses in the virtqueue).
> I was trying your series, from Linus's tree now and started seeing
> boot failures,
> failed to mount rootfs. And the reason probably is these messages:
>
> [ 1.222498] virtio_scsi virtio1: device must provide VIRTIO_F_ACCESS_PLATFORM
> [ 1.316334] virtio_net virtio0: device must provide VIRTIO_F_ACCESS_PLATFORM
>
> I understand from your email that the backends need to offer
> VIRTIO_F_ACCESS_PLATFORM flag now, but should this requirement be a
> bit soft ? I mean shouldn't we allow both types of backends to run with the same
> kernel, ones that offer this feature and others that don't ? The ones that don't
> offer the feature, should continue to work like they used to, i.e.
> without the restricted
> memory access feature.
> I am testing Xen currently with help of Qemu over my x86 desktop and
> these backends
> (scsi and net) are part of QEMU itself I think, and I don't really
> want to go and make the
> change there.
Thank you for testing on x86.
I assume your guest type in HVM. Within current series the
PLATFORM_VIRTIO_RESTRICTED_MEM_ACCESS is set for *all* type of Xen
guests if CONFIG_XEN_VIRTIO is enabled.
I have to admit that from the very beginning it could be possible to
configure for PV and HVM guests separately [1] because the usage of
grant mappings for virtio is mandatory for paravirtualized guest, but
not strictly necessary for the fully virtualized guests (if the backends
are in Dom0). But it was decided to drop these extra options (including
XEN_HVM_VIRTIO_GRANT) and leave only single one CONFIG_XEN_VIRTIO.
I see that Juergen has already pushed a fix.
Sorry for the inconvenience.
[1]
https://lore.kernel.org/xen-devel/1649963973-22879-3-git-send-email-olekstysh@gmail.com/
>
> Thanks.
>
> --
> Viresh
--
Regards,
Oleksandr Tyshchenko
Powered by blists - more mailing lists