xen/53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch

# Commit 061eebe0e99ad45c9c3b1a778b06140de4a91f25
# Date 2014-04-22 12:04:20 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/MSI: drop workaround for insecure Dom0 kernels

Considering that
- the workaround is expensive (iterating through the entire P2M space
  of a domain),
- the planned elimination of the expensiveness (by propagating the type
  change step by step to the individual P2M leaves) wouldn't address
  the IOMMU side of things (as for it to obey to the changed
  permissions the adjustments must be pushed down immediately through
  the entire tree)
- the proper solution (PHYSDEVOP_msix_prepare) should by now be
  implemented by all security conscious Dom0 kernels
remove the workaround, killing eventual guests that would be known to
become a security risk instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>

--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -679,7 +679,7 @@ static void ept_change_entry_type_global
         return;
 
     BUG_ON(p2m_is_grant(ot) || p2m_is_grant(nt));
-    BUG_ON(ot != nt && (ot == p2m_mmio_direct || nt == p2m_mmio_direct));
+    BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt));
 
     ept_change_entry_type_page(_mfn(ept_get_asr(ept)),
                                ept_get_wl(ept), ot, nt);
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -825,32 +825,22 @@ static int msix_capability_init(struct p
                                 msix->pba.last) )
             WARN();
 
-        if ( dev->domain )
-            p2m_change_entry_type_global(dev->domain,
-                                         p2m_mmio_direct, p2m_mmio_direct);
-        if ( desc && (!dev->domain || !paging_mode_translate(dev->domain)) )
+        if ( desc )
         {
-            struct domain *d = dev->domain;
+            struct domain *currd = current->domain;
+            struct domain *d = dev->domain ?: currd;
 
-            if ( !d )
-                for_each_domain(d)
-                    if ( !paging_mode_translate(d) &&
-                         (iomem_access_permitted(d, msix->table.first,
-                                                 msix->table.last) ||
-                          iomem_access_permitted(d, msix->pba.first,
-                                                 msix->pba.last)) )
-                        break;
-            if ( d )
-            {
-                if ( !is_hardware_domain(d) && msix->warned != d->domain_id )
-                {
-                    msix->warned = d->domain_id;
-                    printk(XENLOG_ERR
-                           "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
-                           seg, bus, slot, func, d->domain_id);
-                }
-                /* XXX How to deal with existing mappings? */
-            }
+            if ( !is_hardware_domain(currd) || d != currd )
+                printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",
+                       is_hardware_domain(currd)
+                       ? XENLOG_WARNING "Potentially insecure"
+                       : XENLOG_ERR "Insecure",
+                       seg, bus, slot, func, d->domain_id);
+            if ( !is_hardware_domain(d) &&
+                 /* Assume a domain without memory has no mappings yet. */
+                 (!is_hardware_domain(currd) || d->tot_pages) )
+                domain_crash(d);
+            /* XXX How to deal with existing mappings? */
         }
     }
     WARN_ON(msix->nr_entries != nr_entries);
- When the xl command is used, check to see if the domain being modified is managed by libvirt and print warning if it is. xl-check-for-libvirt-managed-domain.patch - Upstream patches from Jan 53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch 5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch 5357baff-x86-add-missing-break-in-dom0_pit_access.patch - XSA-92 xsa92.patch - Add # needssslcertforbuild to use the project's certificate when building in a home project. (bnc#872354) OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=312 2014-05-01 03:35:21 +00:00			`# Commit 061eebe0e99ad45c9c3b1a778b06140de4a91f25`
			`# Date 2014-04-22 12:04:20 +0200`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/MSI: drop workaround for insecure Dom0 kernels`

			`Considering that`
			`- the workaround is expensive (iterating through the entire P2M space`
			`of a domain),`
			`- the planned elimination of the expensiveness (by propagating the type`
			`change step by step to the individual P2M leaves) wouldn't address`
			`the IOMMU side of things (as for it to obey to the changed`
			`permissions the adjustments must be pushed down immediately through`
			`the entire tree)`
			`- the proper solution (PHYSDEVOP_msix_prepare) should by now be`
			`implemented by all security conscious Dom0 kernels`
			`remove the workaround, killing eventual guests that would be known to`
			`become a security risk instead.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Kevin Tian <kevin.tian@intel.com>`

			`--- a/xen/arch/x86/mm/p2m-ept.c`
			`+++ b/xen/arch/x86/mm/p2m-ept.c`
			`@@ -679,7 +679,7 @@ static void ept_change_entry_type_global`
			`return;`

			`BUG_ON(p2m_is_grant(ot) \|\| p2m_is_grant(nt));`
			`- BUG_ON(ot != nt && (ot == p2m_mmio_direct \|\| nt == p2m_mmio_direct));`
			`+ BUG_ON(p2m_is_mmio(ot) \|\| p2m_is_mmio(nt));`

			`ept_change_entry_type_page(_mfn(ept_get_asr(ept)),`
			`ept_get_wl(ept), ot, nt);`
			`--- a/xen/arch/x86/msi.c`
			`+++ b/xen/arch/x86/msi.c`
			`@@ -825,32 +825,22 @@ static int msix_capability_init(struct p`
			`msix->pba.last) )`
			`WARN();`

			`- if ( dev->domain )`
			`- p2m_change_entry_type_global(dev->domain,`
			`- p2m_mmio_direct, p2m_mmio_direct);`
			`- if ( desc && (!dev->domain \|\| !paging_mode_translate(dev->domain)) )`
			`+ if ( desc )`
			`{`
			`- struct domain *d = dev->domain;`
			`+ struct domain *currd = current->domain;`
			`+ struct domain *d = dev->domain ?: currd;`

			`- if ( !d )`
			`- for_each_domain(d)`
			`- if ( !paging_mode_translate(d) &&`
			`- (iomem_access_permitted(d, msix->table.first,`
			`- msix->table.last) \|\|`
			`- iomem_access_permitted(d, msix->pba.first,`
			`- msix->pba.last)) )`
			`- break;`
			`- if ( d )`
			`- {`
			`- if ( !is_hardware_domain(d) && msix->warned != d->domain_id )`
			`- {`
			`- msix->warned = d->domain_id;`
			`- printk(XENLOG_ERR`
			`- "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",`
			`- seg, bus, slot, func, d->domain_id);`
			`- }`
			`- /* XXX How to deal with existing mappings? */`
			`- }`
			`+ if ( !is_hardware_domain(currd) \|\| d != currd )`
			`+ printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n",`
			`+ is_hardware_domain(currd)`
			`+ ? XENLOG_WARNING "Potentially insecure"`
			`+ : XENLOG_ERR "Insecure",`
			`+ seg, bus, slot, func, d->domain_id);`
			`+ if ( !is_hardware_domain(d) &&`
			`+ /* Assume a domain without memory has no mappings yet. */`
			`+ (!is_hardware_domain(currd) \|\| d->tot_pages) )`
			`+ domain_crash(d);`
			`+ /* XXX How to deal with existing mappings? */`
			`}`
			`}`
			`WARN_ON(msix->nr_entries != nr_entries);`