From: Andrew Cooper
To: Xen-devel
Cc: Stefano Stabellini, Wei Liu, George Dunlap, Andrew Cooper, Tim Deegan, Jan Beulich
Date: Thu, 24 Aug 2017 15:50:26 +0100
Message-ID: <1503586226-12510-1-git-send-email-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH] common/gnttab: Introduce command line feature controls

This patch was originally a workaround for XSA-226. Since then, transitive grants are believed to be functioning properly, and the defaults have changed appropriately.

However, for those people who chose to use the workaround (especially from an attack surface mitigation point of view), retain the ability for the host administrator to choose.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: George Dunlap
CC: Konrad Rzeszutek Wilk
CC: Stefano Stabellini
CC: Tim Deegan
CC: Wei Liu
---
 docs/misc/xen-command-line.markdown | 13 +++++++++++
 xen/common/grant_table.c | 44 +++++++++++++++++++++++++++++++++++--
 2 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 4002eab..78c7b51 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown 
@@ -868,6 +868,19 @@ Controls EPT related features. Specify which console gdbstub should use. See **console**. +### gnttab +> `= List of [ max_ver:, transitive ]` + +> Default: `gnttab=max_ver:2,transitive` + +Control various aspects of the grant table behaviour available to guests. + +* `max_ver` Select the maximum grant table version to offer to guests. Valid +version are 1 and 2. +* `transitive` Permit or disallow the use of transitive grants. Note that the +use of grant table v2 without transitive grants is an ABI breakage from the +guests point of view. + ### gnttab\_max\_frames > `= ` diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 36895aa..f9c313d 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -50,6 +50,42 @@ integer_param("gnttab_max_nr_frames", max_nr_grant_frames); unsigned int __read_mostly max_grant_frames; integer_param("gnttab_max_frames", max_grant_frames); +static unsigned int __read_mostly opt_gnttab_max_version = 2; +static bool __read_mostly opt_transitive_grants = true; + +static void __init parse_gnttab(char *s) +{ + char *ss; + + do { + ss = strchr(s, ','); + if ( ss ) + *ss = '\0'; + + if ( !strncmp(s, "max_ver:", 8) ) + { + long ver = simple_strtol(s + 8, NULL, 10); + + if ( ver >= 1 && ver <= 2 ) + opt_gnttab_max_version = ver; + } + else + { + bool val = !!strncmp(s, "no-", 3); + + if ( !val ) + s += 3; + + if ( !strcmp(s, "transitive") ) + opt_transitive_grants = val; + } + + s = ss + 1; + } while ( ss ); +} + +custom_param("gnttab", parse_gnttab); + /* The maximum number of grant mappings is defined as a multiplier of the * maximum number of grant table entries. This defines the multiplier used. * Pretty arbitrary. [POLICY] 
@@ -2505,7 +2541,8 @@ static int gnttab_copy_claim_buf(const struct gnttab_copy *op, current->domain->domain_id, buf->read_only, &buf->frame, &buf->page, - &buf->ptr.offset, &buf->len, true); + &buf->ptr.offset, &buf->len, + opt_transitive_grants); if ( rc != GNTST_okay ) goto out; buf->ptr.u.ref = ptr->u.ref; @@ -3237,7 +3274,10 @@ do_grant_table_op( break; case GNTTABOP_set_version: - rc = gnttab_set_version(guest_handle_cast(uop, gnttab_set_version_t)); + if ( opt_gnttab_max_version == 1 ) + rc = -ENOSYS; /* Behave as before set_version was introduced. */ + else + rc = gnttab_set_version(guest_handle_cast(uop, gnttab_set_version_t)); break; case GNTTABOP_get_status_frames:
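Review bot: In the new "### gnttab" section of docs/misc/xen-command-line.markdown, the `transitive` bullet says the option can "permit or disallow" transitive grants but never shows how to disallow them. parse_gnttab() accepts a `no-` prefix, so the text should name `no-transitive` explicitly, and the syntax line should show what value follows `max_ver:`. It would also help to state here that `max_ver:1` makes GNTTABOP_set_version fail with -ENOSYS, since that is the guest-visible effect. Minor wording: "Valid version are" should be "Valid versions are", and "guests point of view" needs an apostrophe.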
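Review bot: parse_gnttab() in xen/common/grant_table.c fails open without telling anyone: an out-of-range `max_ver:` value or an unrecognised token (for example a misspelt `no-transitive`) is dropped silently, leaving the defaults of version 2 with transitive grants enabled. For an option whose stated purpose is attack surface reduction, an administrator who mistypes it should get at least a warning at boot, so please log rejected values and unknown sub-options. Two smaller points in the same function: `simple_strtol(s + 8, NULL, 10)` ignores the end pointer, so `max_ver:1x` is accepted as 1, and `s = ss + 1;` is evaluated even when `ss` is NULL on the final iteration; the result is never dereferenced, but restructuring the loop so the increment only happens when a comma was found would avoid the arithmetic on a null pointer.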
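Review bot: In the gnttab_copy_claim_buf() hunk, the last argument changes from a literal `true` to `opt_transitive_grants` with nothing at the call site saying what the flag controls or what status a guest receives when it is false. This is also the only place in the patch where `opt_transitive_grants` is consumed, so the commit message or a comment should state that the copy path is the only route by which a transitive grant is followed; otherwise a reader cannot tell from the patch whether `no-transitive` fully disables the feature.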
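Review bot: In the GNTTABOP_set_version case of do_grant_table_op(), the limit is enforced by testing `opt_gnttab_max_version == 1` rather than by comparing the requested version against `opt_gnttab_max_version`. That works only while 1 and 2 are the sole versions, and it ties the option's meaning to this one comparison. Consider letting gnttab_set_version() reject any requested version above `opt_gnttab_max_version`, or add a comment here noting that the check must be revisited if the valid range in parse_gnttab() is ever widened. Note also that with `max_ver:1` a guest explicitly asking for version 1 gets -ENOSYS as well; the inline comment suggests this is intended, and it deserves a mention in the documentation.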