[v3,56/62] arm/acpi: Deny MMIO access of UART

Message ID 1447753261-7552-57-git-send-email-shannon.zhao@linaro.org (mailing list archive)
State New, archived

Commit Message

Shannon Zhao Nov. 17, 2015, 9:40 a.m. UTC
From: Shannon Zhao <shannon.zhao@linaro.org>

Firstly it permits full MMIO capabilities for Dom0. Then deny MMIO
access of UART device.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
---
 xen/arch/arm/domain_build.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

Comments

Julien Grall Nov. 17, 2015, 12:04 p.m. UTC | #1
On 17/11/15 09:40, shannon.zhao@linaro.org wrote:
> From: Shannon Zhao <shannon.zhao@linaro.org>
> 
> Firstly it permits full MMIO capabilities for Dom0. Then deny MMIO
> access of UART device.

I'm nearly sure we want to deny other MMIO such as the GIC regions and SMMU.

Regards,

Shannon Zhao Nov. 17, 2015, 1:10 p.m. UTC | #2
On 2015/11/17 20:04, Julien Grall wrote:
> On 17/11/15 09:40, shannon.zhao@linaro.org wrote:
>> From: Shannon Zhao <shannon.zhao@linaro.org>
>>
>> Firstly it permits full MMIO capabilities for Dom0. Then deny MMIO
>> access of UART device.
> 
> I'm nearly sure we want to deny other MMIO such as the GIC regions and SMMU.
> 
But Dom0 will not know the real GIC hardware MMIO space, how would it
map these regions? In case of wrong use?
Regarding SMMU, since it isn't supported now, I didn't add it, but it
could be added later.

Stefano Stabellini Nov. 27, 2015, 2:50 p.m. UTC | #3
On Tue, 17 Nov 2015, Shannon Zhao wrote:
> On 2015/11/17 20:04, Julien Grall wrote:
> > On 17/11/15 09:40, shannon.zhao@linaro.org wrote:
> >> From: Shannon Zhao <shannon.zhao@linaro.org>
> >>
> >> Firstly it permits full MMIO capabilities for Dom0. Then deny MMIO
> >> access of UART device.
> > 
> > I'm nearly sure we want to deny other MMIO such as the GIC regions and SMMU.
> > 
> But Dom0 will not know the real GIC hardware MMIO space, how would it
> map these regions? In case of wrong use?

It could try regions at random or by mistake.
I know that Dom0 is "trusted", but the less we trust it, the better.


> Regarding SMMU, since it isn't supported now, I didn't add it, but it
> could be added later.

Julien Grall Nov. 30, 2015, 3:30 p.m. UTC | #4
Hi Shannon,

On 17/11/15 13:10, Shannon Zhao wrote:
> Regarding SMMU, since it isn't supported now, I didn't add it, but it
> could be added later.

Then please add a TODO, otherwise it's a call to forget it.

Regards,

Patch

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 6945f89..9532807 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -1360,6 +1360,32 @@  static int prepare_dtb(struct domain *d, struct kernel_info *kinfo)
 #define XEN_HYPERVISOR_ID 0x000058656E564D4D  /* "XenVMM" */
 #define ACPI_DOM0_FDT_MIN_SIZE 4096
 
+static int acpi_iomem_deny_access(struct domain *d)
+{
+    acpi_status status;
+    struct acpi_table_spcr *spcr=NULL;
+    unsigned long gfn;
+    int rc;
+
+    /* Firstly permit full MMIO capabilities. */
+    rc = iomem_permit_access(d, 0UL, ~0UL);
+    if (rc)
+        return rc;
+
+    status = acpi_get_table(ACPI_SIG_SPCR, 0,
+                            (struct acpi_table_header **)&spcr);
+
+    if ( ACPI_FAILURE(status) )
+    {
+        printk("Failed to get SPCR table\n");
+        return -EINVAL;
+    }
+
+    gfn = spcr->serial_port.address >> PAGE_SHIFT;
+    /* Deny MMIO access for UART */
+    return iomem_deny_access(d, gfn, gfn + 1);
+}
+
 static int acpi_route_spi(struct domain *d)
 {
     int i, res;
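
Review bot: the range passed to the final `iomem_deny_access(d, gfn, gfn + 1)` in acpi_iomem_deny_access() looks off by one. The permit call just above uses `0UL, ~0UL` to cover the whole space, which implies the end argument is inclusive; if so, `gfn + 1` revokes two frames where the comment suggests one, and nothing here ties the size of the denied range to the size of the UART register block. Please state the intended extent explicitly and derive the end frame from it. Also, `spcr->serial_port.address` is used without any validation: a zero address, or a serial port that is not memory-mapped, would silently revoke an unrelated frame while leaving the real console device accessible to Dom0. Since the function starts from a permit-everything baseline, the UART ends up as the only exclusion; as raised in the thread, the GIC regions should be denied here as well, and the SMMU needs at least a TODO comment in this function so it is not forgotten. Minor: the variable holds a machine frame number, so `gfn` is misleading, and `spcr=NULL` and `if (rc)` do not follow the spacing used by `if ( ACPI_FAILURE(status) )` a few lines below.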
@@ -1930,6 +1956,10 @@  static int prepare_acpi(struct domain *d, struct kernel_info *kinfo)
     if ( rc != 0 )
         return rc;
 
+    rc = acpi_iomem_deny_access(d);
+    if ( rc != 0 )
+        return rc;
+
     return 0;
 }
 #else
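
Review bot: the new call in prepare_acpi() makes the SPCR table mandatory for building Dom0, because acpi_iomem_deny_access() returns -EINVAL when the table lookup fails and that value is propagated here via `return rc`. On a platform without an SPCR there is no UART to hide, so the lookup failure should probably be treated as "nothing to deny" and return 0 rather than abort domain construction; if failing is intended, the commit message should say so. Note also that on that error path the full-range permit has already been applied and is not rolled back, so the ordering matters if a caller ever continues after the error. Style: since this is the last step, the `rc` check followed by `return 0;` can collapse to a single `return acpi_iomem_deny_access(d);`.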