From patchwork Wed Mar 30 23:05:48 2022
X-Patchwork-Submitter: "Daniel P. Smith"
X-Patchwork-Id: 12796275
From: "Daniel P. Smith"
To: xen-devel@lists.xenproject.org
Cc: "Daniel P. Smith", scott.davis@starlab.io, jandryuk@gmail.com, Daniel De Graaf
Subject: [PATCH 1/2] xsm: add ability to elevate a domain to privileged
Date: Wed, 30 Mar 2022 19:05:48 -0400
Message-Id: <20220330230549.26074-2-dpsmith@apertussolutions.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20220330230549.26074-1-dpsmith@apertussolutions.com>
References: <20220330230549.26074-1-dpsmith@apertussolutions.com>
MIME-Version: 1.0
X-ZohoMailClient: External

There are now instances where internal hypervisor logic needs to make
resource allocation calls that are protected by XSM checks. The internal
hypervisor logic is represented by a number of system domains which by
design are represented by non-privileged struct domain instances. To
enable these logic blocks to function correctly but in a controlled
manner, this commit introduces a pair of privilege escalation and
demotion functions that will make a system domain privileged and then
remove that privilege.

Signed-off-by: Daniel P. Smith
---
 xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index e22d6160b5..157e57151e 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -189,6 +189,28 @@ struct xsm_operations { #endif }; +static always_inline int xsm_elevate_priv(struct domain *d) +{ + if ( is_system_domain(d) ) + { + d->is_privileged = true; + return 0; + } + + return -EPERM; +} + +static always_inline int xsm_demote_priv(struct domain *d) +{ + if ( is_system_domain(d) ) + { + d->is_privileged = false; + return 0; + } + + return -EPERM; +} + #ifdef CONFIG_XSM extern struct xsm_operations *xsm_ops;
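Review bot: xsm_elevate_priv()/xsm_demote_priv() in this hunk flip d->is_privileged with no accounting and no documented pairing contract, so an elevate on one path without a matching demote (or two elevates followed by a single demote) silently leaves a system domain privileged, and the only safety net in this series is the idle-domain assert in 2/2, which does not cover the other system domains that is_system_domain() accepts. Suggest a comment block above both helpers stating that every successful elevate must be paired with a demote on all exit paths (including error paths), that the pair is not nestable, and that callers must check the -EPERM return rather than ignore it. Also worth stating in the commit message that both helpers sit outside the #ifdef CONFIG_XSM block, so they are available and modify struct domain whether or not XSM is built.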
From patchwork Wed Mar 30 23:05:49 2022
X-Patchwork-Submitter: "Daniel P. Smith"
X-Patchwork-Id: 12796277
From: "Daniel P. Smith"
To: Volodymyr Babchuk, Wei Liu, Roger Pau Monné, xen-devel@lists.xenproject.org
Cc: "Daniel P. Smith", scott.davis@starlab.io, jandryuk@gmail.com, Stefano Stabellini, Julien Grall, Jan Beulich, Andrew Cooper
Subject: [PATCH 2/2] arch: ensure idle domain is not left privileged
Date: Wed, 30 Mar 2022 19:05:49 -0400
Message-Id: <20220330230549.26074-3-dpsmith@apertussolutions.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20220330230549.26074-1-dpsmith@apertussolutions.com>
References: <20220330230549.26074-1-dpsmith@apertussolutions.com>
MIME-Version: 1.0
X-ZohoMailClient: External

It is now possible to promote the idle domain to privileged during setup.
It is not desirable for the idle domain to still be privileged when moving
into a running state. If the idle domain was elevated and not properly
demoted, it is desirable to fail at this point. This commit adds an assert
for both x86 and Arm just before transitioning to a running state that
ensures the idle is not privileged.

Signed-off-by: Daniel P. Smith
---
 xen/arch/arm/setup.c | 3 +++
 xen/arch/x86/setup.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 7968cee47d..3de394e946 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -973,6 +973,9 @@ void __init start_xen(unsigned long boot_phys_offset, /* Hide UART from DOM0 if we're using it */ serial_endboot(); + /* Ensure idle domain was not left privileged */ + ASSERT(current->domain->is_privileged == false) ; + system_state = SYS_STATE_active; create_domUs();
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 885919d5c3..b868463f83 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -589,6 +589,9 @@ static void noinline init_done(void) void *va; unsigned long start, end; + /* Ensure idle domain was not left privileged */ + ASSERT(current->domain->is_privileged == false) ; + system_state = SYS_STATE_active; domain_unpause_by_systemcontroller(dom0);
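Review bot: in both the Arm and x86 hunks, ASSERT(current->domain->is_privileged == false) ; has a stray space before the semicolon and Xen style would be ASSERT(!current->domain->is_privileged);. More importantly, the commit message says it is desirable to fail at this point, but ASSERT() is compiled out in non-debug builds, so a release hypervisor that reaches system_state = SYS_STATE_active with an elevated idle domain would carry on running with the stale privilege; if failure is really required in all builds, use a check that is always active, otherwise state in the commit message that this is a debug-only safety net. The check also relies on current->domain being the idle domain at this point in start_xen() and init_done(), which a short comment on the line could make explicit.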