File 53563ea4-x86-MSI-drop-workaround-for-insecure-D... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch of Package xen.10697

# Commit 061eebe0e99ad45c9c3b1a778b06140de4a91f25
# Date 2014-04-22 12:04:20 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/MSI: drop workaround for insecure Dom0 kernels

Considering that
- the workaround is expensive (iterating through the entire P2M space
  of a domain),
- the planned elimination of the expensiveness (by propagating the type
  change step by step to the individual P2M leaves) wouldn't address
  the IOMMU side of things (as for it to obey to the changed
  permissions the adjustments must be pushed down immediately through
  the entire tree)
- the proper solution (PHYSDEVOP_msix_prepare) should by now be
  implemented by all security conscious Dom0 kernels
remove the workaround, killing eventual guests that would be known to
become a security risk instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>

Index: xen-4.4.4-testing/xen/arch/x86/mm/p2m-ept.c
===================================================================
--- xen-4.4.4-testing.orig/xen/arch/x86/mm/p2m-ept.c
+++ xen-4.4.4-testing/xen/arch/x86/mm/p2m-ept.c
@@ -680,7 +680,7 @@ static void ept_change_entry_type_global
         return;
 
     BUG_ON(p2m_is_grant(ot) || p2m_is_grant(nt));
-    BUG_ON(ot != nt && (ot == p2m_mmio_direct || nt == p2m_mmio_direct));
+    BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt));
 
     ept_change_entry_type_page(_mfn(ept_get_asr(ept)),
                                ept_get_wl(ept), ot, nt);
Index: xen-4.4.4-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.4.4-testing.orig/xen/arch/x86/msi.c
+++ xen-4.4.4-testing/xen/arch/x86/msi.c
@@ -834,32 +834,22 @@ static int msix_capability_init(struct p
                                 msix->pba.last) )
             WARN();
 
-        if ( dev->domain )
-            p2m_change_entry_type_global(dev->domain,
-                                         p2m_mmio_direct, p2m_mmio_direct);
-        if ( desc && (!dev->domain || !paging_mode_translate(dev->domain)) )
+        if ( desc )
         {
-            struct domain *d = dev->domain;
+            struct domain *currd = current->domain;
+            struct domain *d = dev->domain ?: currd;
 
-            if ( !d )
-                for_each_domain(d)
-                    if ( !paging_mode_translate(d) &&
-                         (iomem_access_permitted(d, msix->table.first,
-                                                 msix->table.last) ||
-                          iomem_access_permitted(d, msix->pba.first,
-                                                 msix->pba.last)) )
-                        break;
-            if ( d )
-            {
-                if ( !is_hardware_domain(d) && msix->warned != d->domain_id )
-                {
-                    msix->warned = d->domain_id;
-                    printk(XENLOG_ERR
-                           "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
-                           seg, bus, slot, func, d->domain_id);
-                }
-                /* XXX How to deal with existing mappings? */
-            }
+            if ( !is_hardware_domain(currd) || d != currd )
+                printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
+                       is_hardware_domain(currd)
+                       ? XENLOG_WARNING "Potentially insecure"
+                       : XENLOG_ERR "Insecure",
+                       seg, bus, slot, func, d->domain_id);
+            if ( !is_hardware_domain(d) &&
+                 /* Assume a domain without memory has no mappings yet. */
+                 (!is_hardware_domain(currd) || d->tot_pages) )
+                domain_crash(d);
+            /* XXX How to deal with existing mappings? */
         }
     }
     WARN_ON(msix->nr_entries != nr_entries);

Places

File 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch of Package xen.10697

Places