[PATCH V4 0/8] virtio: Solution to restrict memory access under Xen using xen-grant DMA-mapping layer
Juergen Gross
jgross at suse.com
Tue Jun 7 22:36:37 PDT 2022
On 02.06.22 21:23, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <oleksandr_tyshchenko at epam.com>
>
> Hello all.
>
> The purpose of this patch series is to add support for restricting memory access under Xen using specific
> grant table [1] based DMA-mapping layer. Patch series is based on Juergen Gross’ initial work [2] which implies
> using grant references instead of raw guest physical addresses (GPA) for the virtio communications (some
> kind of the software IOMMU).
>
> You can find RFC-V3 patch series (and previous discussions) at [3].
>
> !!! Please note, the only diff between V3 and V4 is in commit #5, also I have collected the acks (commits ##4-7).
>
> The high level idea is to create new Xen’s grant table based DMA-mapping layer for the guest Linux whose main
> purpose is to provide a special 64-bit DMA address which is formed by using the grant reference (for a page
> to be shared with the backend) with offset and setting the highest address bit (this is for the backend to
> be able to distinguish grant ref based DMA address from normal GPA). For this to work we need the ability
> to allocate contiguous (consecutive) grant references for multi-page allocations. And the backend then needs
> to offer VIRTIO_F_ACCESS_PLATFORM and VIRTIO_F_VERSION_1 feature bits (it must support virtio-mmio modern
> transport for 64-bit addresses in the virtqueue).
>
> Xen's grant mapping mechanism is the secure and safe solution to share pages between domains which proven
> to work and works for years (in the context of traditional Xen PV drivers for example). So far, the foreign
> mapping is used for the virtio backend to map and access guest memory. With the foreign mapping, the backend
> is able to map arbitrary pages from the guest memory (or even from Dom0 memory). And as the result, the malicious
> backend which runs in a non-trusted domain can take advantage of this. Instead, with the grant mapping
> the backend is only allowed to map pages which were explicitly granted by the guest before and nothing else.
> According to the discussions in various mainline threads this solution would likely be welcome because it
> perfectly fits in the security model Xen provides.
>
> What is more, the grant table based solution requires zero changes to the Xen hypervisor itself at least
> with virtio-mmio and DT (in comparison, for example, with "foreign mapping + virtio-iommu" solution which would
> require the whole new complex emulator in hypervisor in addition to new functionality/hypercall to pass IOVA
> from the virtio backend running elsewhere to the hypervisor and translate it to the GPA before mapping into
> P2M or denying the foreign mapping request if no corresponding IOVA-GPA mapping present in the IOMMU page table
> for that particular device). We only need to update toolstack to insert "xen,grant-dma" IOMMU node (to be referred
> by the virtio-mmio device using "iommus" property) when creating a guest device-tree (this is an indicator for
> the guest to use Xen grant mappings scheme for that device with the endpoint ID being used as ID of Xen domain
> where the corresponding backend is running, the backend domid is used as an argument to the grant mapping APIs).
> It worth mentioning that toolstack patch is based on non upstreamed yet “Virtio support for toolstack on Arm”
> series which is on review now [4].
>
> Please note the following:
> - Patch series only covers Arm and virtio-mmio (device-tree) for now. To enable the restricted memory access
> feature on Arm the following option should be set:
> CONFIG_XEN_VIRTIO=y
> - Patch series is based on "kernel: add new infrastructure for platform_has() support" patch series which
> is on review now [5]
> - Xen should be built with the following options:
> CONFIG_IOREQ_SERVER=y
> CONFIG_EXPERT=y
>
> Patch series is rebased on "for-linus-5.19" branch [1] with "platform_has()" series applied and tested on Renesas
> Salvator-X board + H3 ES3.0 SoC (Arm64) with standalone userspace (non-Qemu) virtio-mmio based virtio-disk backend
> running in Driver domain and Linux guest running on existing virtio-blk driver (frontend). No issues were observed.
> Guest domain 'reboot/destroy' use-cases work properly.
> I have also tested other use-cases such as assigning several virtio block devices or a mix of virtio and Xen PV block
> devices to the guest. Patch series was build-tested on Arm32 and x86.
>
> 1. Xen changes located at (last patch):
> https://github.com/otyshchenko1/xen/commits/libxl_virtio_next2_1
> 2. Linux changes located at (last 8 patches):
> https://github.com/otyshchenko1/linux/commits/virtio_grant9
> 3. virtio-disk changes located at:
> https://github.com/otyshchenko1/virtio-disk/commits/virtio_grant
>
> Any feedback/help would be highly appreciated.
>
> [1] https://xenbits.xenproject.org/docs/4.16-testing/misc/grant-tables.txt
> [2] https://www.youtube.com/watch?v=IrlEdaIUDPk
> [3] https://lore.kernel.org/xen-devel/1649963973-22879-1-git-send-email-olekstysh@gmail.com/
> https://lore.kernel.org/xen-devel/1650646263-22047-1-git-send-email-olekstysh@gmail.com/
> https://lore.kernel.org/xen-devel/1651947548-4055-1-git-send-email-olekstysh@gmail.com/
> https://lore.kernel.org/xen-devel/1653944417-17168-1-git-send-email-olekstysh@gmail.com/
> [4] https://lore.kernel.org/xen-devel/1654106261-28044-1-git-send-email-olekstysh@gmail.com/
> https://lore.kernel.org/xen-devel/1653944813-17970-1-git-send-email-olekstysh@gmail.com/
> [5] https://lore.kernel.org/xen-devel/20220504155703.13336-1-jgross@suse.com/
> [6] https://git.kernel.org/pub/scm/linux/kernel/git/xen/tip.git/log/?h=for-linus-5.19
>
> Juergen Gross (3):
> xen/grants: support allocating consecutive grants
> xen/grant-dma-ops: Add option to restrict memory access under Xen
> xen/virtio: Enable restricted memory access using Xen grant mappings
>
> Oleksandr Tyshchenko (5):
> arm/xen: Introduce xen_setup_dma_ops()
> dt-bindings: Add xen,grant-dma IOMMU description for xen-grant DMA ops
> xen/grant-dma-iommu: Introduce stub IOMMU driver
> xen/grant-dma-ops: Retrieve the ID of backend's domain for DT devices
> arm/xen: Assign xen-grant DMA ops for xen-grant DMA devices
>
> .../devicetree/bindings/iommu/xen,grant-dma.yaml | 39 +++
> arch/arm/include/asm/xen/xen-ops.h | 2 +
> arch/arm/mm/dma-mapping.c | 7 +-
> arch/arm/xen/enlighten.c | 2 +
> arch/arm64/include/asm/xen/xen-ops.h | 2 +
> arch/arm64/mm/dma-mapping.c | 7 +-
> arch/x86/xen/enlighten_hvm.c | 2 +
> arch/x86/xen/enlighten_pv.c | 2 +
> drivers/xen/Kconfig | 20 ++
> drivers/xen/Makefile | 2 +
> drivers/xen/grant-dma-iommu.c | 78 +++++
> drivers/xen/grant-dma-ops.c | 345 +++++++++++++++++++++
> drivers/xen/grant-table.c | 251 ++++++++++++---
> include/xen/arm/xen-ops.h | 18 ++
> include/xen/grant_table.h | 4 +
> include/xen/xen-ops.h | 13 +
> include/xen/xen.h | 8 +
> 17 files changed, 756 insertions(+), 46 deletions(-)
> create mode 100644 Documentation/devicetree/bindings/iommu/xen,grant-dma.yaml
> create mode 100644 arch/arm/include/asm/xen/xen-ops.h
> create mode 100644 arch/arm64/include/asm/xen/xen-ops.h
> create mode 100644 drivers/xen/grant-dma-iommu.c
> create mode 100644 drivers/xen/grant-dma-ops.c
> create mode 100644 include/xen/arm/xen-ops.h
>
Series pushed to xen/tip.git for-linus-5.19a
Juergen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB0DE9DD628BF132F.asc
Type: application/pgp-keys
Size: 3098 bytes
Desc: OpenPGP public key
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20220608/142f8250/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20220608/142f8250/attachment-0001.sig>
More information about the linux-arm-kernel
mailing list