Re: [RFC PATCH V1 04/12] xen/arm: Introduce arch specific bits for IOREQ/DM features

Sat, 15 Aug 2020 10:58:57 -0700 

Hi,

On 04/08/2020 15:01, Julien Grall wrote:

On 04/08/2020 08:49, Paul Durrant wrote:

diff --git a/tools/libxc/xc_dom_arm.c b/tools/libxc/xc_dom_arm.c
index 931404c..b5fc066 100644
--- a/tools/libxc/xc_dom_arm.c
+++ b/tools/libxc/xc_dom_arm.c
@@ -26,11 +26,19 @@
  #include "xg_private.h"
  #include "xc_dom.h"

-#define NR_MAGIC_PAGES 4
+
  #define CONSOLE_PFN_OFFSET 0
  #define XENSTORE_PFN_OFFSET 1
  #define MEMACCESS_PFN_OFFSET 2
  #define VUART_PFN_OFFSET 3
+#define IOREQ_SERVER_PFN_OFFSET 4
+
+#define NR_IOREQ_SERVER_PAGES 8
+#define NR_MAGIC_PAGES (4 + NR_IOREQ_SERVER_PAGES)
+
+#define GUEST_MAGIC_BASE_PFN (GUEST_MAGIC_BASE >> XC_PAGE_SHIFT)
+
+#define special_pfn(x)  (GUEST_MAGIC_BASE_PFN + (x))
Why introduce 'magic pages' for Arm? It's quite a horrible hack that we have begun to do away with by adding resource mapping.
This would require us to mandate at least Linux 4.17 in a domain that will run an IOREQ server. If we don't mandate this, the minimum version would be 4.10 where DM OP was introduced.
Because of XSA-300, we could technically not safely run an IOREQ server with existing Linux. So it is probably OK to enforce the use of the acquire interface.
One more thing. We are using atomic operations on the IOREQ pages. As our implementation is based on LL/SC instructions so far, we have mitigation in place to prevent a domain DoS Xen. However, this relies on the page to be mapped in a single domain at the time.
AFAICT, with the legacy interface, the pages will be mapped in both the target and the emulator. So this would defeat the mitigation we have in place.
Because the legacy interface is relying on foreign mapping, the page has to be mapped in the target P2M. It might be possible to restrict the access for the target by setting the p2m bits r, w to 0. This would still allow the foreign mapping to work as we only check the p2m type during mapping.
Anyway, I think we agreed that we want to avoid to introduce the legacy interface. But I wanted to answer just for completeness and keep a record of potential pitfalls with the legacy interface on Arm.
Note that I haven't yet looked at the rest of the series. So I am not sure if there is more work necessary to enable it. 

Cheers,



--
Julien Grall

Reply via email to