Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
>>> On 23.08.17 at 17:56, wrote:
> On 08/22/2017 04:18 AM, Jan Beulich wrote:
>>>>> On 18.08.17 at 23:55, wrote:
>>> On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
>>>> From: Christopher Clark
>>>>
>>>> Isolation of devices passed through to domains usually requires an
>>>> active IOMMU. The existing method of requiring an IOMMU is via a Xen
>>>> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
>>>> available.
>>>>
>>>> More graceful degradation of behaviour when an IOMMU is absent can be
>>>> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>>>>
>>>> This patch enables an enforceable XSM policy to specify that an IOMMU is
>>>> required for particular domains to access devices and how capable that
>>>> IOMMU must be. This allows a Xen system to boot whilst still
>>>> ensuring that an IOMMU is active before permitting device use.
>>>>
>>>> Using a XSM policy ensures that the isolation properties remain enforced
>>>> even when the large, complex toolstack software changes.
>>>>
>>>> For some hardware platforms interrupt remapping is a strict requirement
>>>> for secure isolation. Not all IOMMUs provide interrupt remapping.
>>>> The XSM policy can now optionally require interrupt remapping.
>>>>
>>>> The device use hooks now check whether an IOMMU is:
>>>> * Active and securely isolating:
>>>>   -- current criteria for this is that interrupt remapping is ok
>>>> * Active but interrupt remapping is not available
>>>> * Not active
>>>>
>>>> This patch also updates the reference XSM policy to use the new
>>>> primitives, with policy entries that do not require an active IOMMU.
>>>>
>>>> Signed-off-by: Christopher Clark
>>>
>>> Acked-by: Daniel De Graaf
>>
>> To be honest, for this kind of a change I would have hoped for
>> a Reviewed-by (by you or someone else), not just an Acked-by.
>> Hence I'm hesitant to put the patch in right away.
>
> I'll keep that in mind for the future. I have looked at this patch
> in depth, so you can change that to
>
> Reviewed-by: Daniel De Graaf

Thanks, a few minutes too late though - I've just committed it the way
it was (with Ross' R-b).
Jan

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
On 08/22/2017 04:18 AM, Jan Beulich wrote:
>>>> On 18.08.17 at 23:55, wrote:
>> On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
>>> From: Christopher Clark
>>>
>>> Isolation of devices passed through to domains usually requires an
>>> active IOMMU. The existing method of requiring an IOMMU is via a Xen
>>> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
>>> available.
>>>
>>> More graceful degradation of behaviour when an IOMMU is absent can be
>>> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>>>
>>> This patch enables an enforceable XSM policy to specify that an IOMMU is
>>> required for particular domains to access devices and how capable that
>>> IOMMU must be. This allows a Xen system to boot whilst still
>>> ensuring that an IOMMU is active before permitting device use.
>>>
>>> Using a XSM policy ensures that the isolation properties remain enforced
>>> even when the large, complex toolstack software changes.
>>>
>>> For some hardware platforms interrupt remapping is a strict requirement
>>> for secure isolation. Not all IOMMUs provide interrupt remapping.
>>> The XSM policy can now optionally require interrupt remapping.
>>>
>>> The device use hooks now check whether an IOMMU is:
>>> * Active and securely isolating:
>>>   -- current criteria for this is that interrupt remapping is ok
>>> * Active but interrupt remapping is not available
>>> * Not active
>>>
>>> This patch also updates the reference XSM policy to use the new
>>> primitives, with policy entries that do not require an active IOMMU.
>>>
>>> Signed-off-by: Christopher Clark
>>
>> Acked-by: Daniel De Graaf
>
> To be honest, for this kind of a change I would have hoped for
> a Reviewed-by (by you or someone else), not just an Acked-by.
> Hence I'm hesitant to put the patch in right away.
>
> Jan

I'll keep that in mind for the future. I have looked at this patch
in depth, so you can change that to

Reviewed-by: Daniel De Graaf
Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
I did test and review this submission back when I worked on the OpenXT
project with Christopher so I can add a reviewed by.

Reviewed-by: Ross Philipson

On Tue, Aug 22, 2017 at 4:18 AM, Jan Beulich wrote:
> >>> On 18.08.17 at 23:55, wrote:
> > On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
> >> From: Christopher Clark
> >>
> >> Isolation of devices passed through to domains usually requires an
> >> active IOMMU. The existing method of requiring an IOMMU is via a Xen
> >> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
> >> available.
> >>
> >> More graceful degradation of behaviour when an IOMMU is absent can be
> >> achieved by enabling XSM to perform enforcement of IOMMU requirement.
> >>
> >> This patch enables an enforceable XSM policy to specify that an IOMMU is
> >> required for particular domains to access devices and how capable that
> >> IOMMU must be. This allows a Xen system to boot whilst still
> >> ensuring that an IOMMU is active before permitting device use.
> >>
> >> Using a XSM policy ensures that the isolation properties remain enforced
> >> even when the large, complex toolstack software changes.
> >>
> >> For some hardware platforms interrupt remapping is a strict requirement
> >> for secure isolation. Not all IOMMUs provide interrupt remapping.
> >> The XSM policy can now optionally require interrupt remapping.
> >>
> >> The device use hooks now check whether an IOMMU is:
> >> * Active and securely isolating:
> >>   -- current criteria for this is that interrupt remapping is ok
> >> * Active but interrupt remapping is not available
> >> * Not active
> >>
> >> This patch also updates the reference XSM policy to use the new
> >> primitives, with policy entries that do not require an active IOMMU.
> >>
> >> Signed-off-by: Christopher Clark
> >
> > Acked-by: Daniel De Graaf
>
> To be honest, for this kind of a change I would have hoped for
> a Reviewed-by (by you or someone else), not just an Acked-by.
> Hence I'm hesitant to put the patch in right away.
>
> Jan
>

--
Ross Philipson
Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
>>> On 18.08.17 at 23:55, wrote:
> On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
>> From: Christopher Clark
>>
>> Isolation of devices passed through to domains usually requires an
>> active IOMMU. The existing method of requiring an IOMMU is via a Xen
>> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
>> available.
>>
>> More graceful degradation of behaviour when an IOMMU is absent can be
>> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>>
>> This patch enables an enforceable XSM policy to specify that an IOMMU is
>> required for particular domains to access devices and how capable that
>> IOMMU must be. This allows a Xen system to boot whilst still
>> ensuring that an IOMMU is active before permitting device use.
>>
>> Using a XSM policy ensures that the isolation properties remain enforced
>> even when the large, complex toolstack software changes.
>>
>> For some hardware platforms interrupt remapping is a strict requirement
>> for secure isolation. Not all IOMMUs provide interrupt remapping.
>> The XSM policy can now optionally require interrupt remapping.
>>
>> The device use hooks now check whether an IOMMU is:
>> * Active and securely isolating:
>>   -- current criteria for this is that interrupt remapping is ok
>> * Active but interrupt remapping is not available
>> * Not active
>>
>> This patch also updates the reference XSM policy to use the new
>> primitives, with policy entries that do not require an active IOMMU.
>>
>> Signed-off-by: Christopher Clark
>
> Acked-by: Daniel De Graaf

To be honest, for this kind of a change I would have hoped for
a Reviewed-by (by you or someone else), not just an Acked-by.
Hence I'm hesitant to put the patch in right away.

Jan
Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
> From: Christopher Clark
>
> Isolation of devices passed through to domains usually requires an
> active IOMMU. The existing method of requiring an IOMMU is via a Xen
> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
> available.
>
> More graceful degradation of behaviour when an IOMMU is absent can be
> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>
> This patch enables an enforceable XSM policy to specify that an IOMMU is
> required for particular domains to access devices and how capable that
> IOMMU must be. This allows a Xen system to boot whilst still
> ensuring that an IOMMU is active before permitting device use.
>
> Using a XSM policy ensures that the isolation properties remain enforced
> even when the large, complex toolstack software changes.
>
> For some hardware platforms interrupt remapping is a strict requirement
> for secure isolation. Not all IOMMUs provide interrupt remapping.
> The XSM policy can now optionally require interrupt remapping.
>
> The device use hooks now check whether an IOMMU is:
> * Active and securely isolating:
>   -- current criteria for this is that interrupt remapping is ok
> * Active but interrupt remapping is not available
> * Not active
>
> This patch also updates the reference XSM policy to use the new
> primitives, with policy entries that do not require an active IOMMU.
>
> Signed-off-by: Christopher Clark

Acked-by: Daniel De Graaf

One additional note: if this type of permission expansion needs to be
applied to more permissions based on hypervisor settings, it may be
useful to look at other solutions (such as policy booleans) to implement
this logic. However, most of those solutions are more complicated than
necessary for a single distinction like this, and the simpler ones do
not provide the same ease of verification that this version has.
[Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
From: Christopher Clark

Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not
available.

More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.

This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.

Using a XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.

For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.

The device use hooks now check whether an IOMMU is:
* Active and securely isolating:
  -- current criteria for this is that interrupt remapping is ok
* Active but interrupt remapping is not available
* Not active

This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.

Signed-off-by: Christopher Clark
---
Patch author: Christopher Clark
Copyright belongs to BAE Systems.
Written for OpenXT. [OXT-826]

The author is grateful to Daniel De Graaf, Stephen Smalley, Daniel Smith
and Ross Philipson for feedback on earlier revisions of this patch.

This patch was developed for OpenXT for the 2017 stable-7 release to
ensure that a network interface card cannot be passed through to the
network driver domain unless the IOMMU is active. Earlier versions of
OpenXT had ensured this via logic in the toolstack, but this behaviour
was discovered to have been lost after porting the upper level of the
toolstack to use libxl. This motivated introduction of a robust way of
ensuring that this important system policy would be preserved across
any future toolstack changes.

The XSM hook code in this patch is the same as in OpenXT; the reference
policy is not. The hooks have been validated as behaving correctly on
several generations of Dell and HP Intel-based hardware, with this patch
applied to Xen 4.6, with and without interrupt remapping capability; and
further testing with Xen 4.9 on a subset of that hardware. The reference
policy in this patch has been compile-tested only.

An OpenXT system will still boot even with the IOMMU disabled -- which
is different behaviour than would be the case if the IOMMU was required
via the Xen command line. The system retains its isolation from the
network by preventing passthrough of the NIC(s) to the domain containing
the device drivers, whilst still allowing user access to VMs stored
locally on the system.

Since OpenXT supports older hardware with less capable IOMMUs, its
default configuration is to allow use without interrupt remapping, but
derivative projects of OpenXT with different hardware support
requirements are able to change their policy to the stronger setting
that insists on interrupt remapping availability.

Device isolation can be:
  Useful, e.g. for resiliency against occasionally buggy devices
or
  Necessary, e.g. strictly required for system security
and sometimes both are true:

The hooks in this patch enable a single XSM policy to be created for a
common software build that is usable across diverse hardware to express:
* that allowing GPU passthrough to a particular class of VMs does
  require an IOMMU, but it can proceed without interrupt remapping,
* whereas the network interface card is not allowed to be used by the
  network driver domain unless an IOMMU is active and it has interrupt
  remapping capability.

 tools/flask/policy/modules/nic_dev.te |  2 +-
 tools/flask/policy/modules/xen.if     | 29 +++
 tools/flask/policy/modules/xen.te     |  3 ++-
 xen/xsm/flask/hooks.c                 | 44 +--
 xen/xsm/flask/policy/access_vectors   | 20 ++--
 5 files changed, 83 insertions(+), 15 deletions(-)

diff --git a/tools/flask/policy/modules/nic_dev.te b/tools/flask/policy/modules/nic_dev.te index e0484af..5206f1e 100644 --- a/tools/flask/policy/modules/nic_dev.te +++ b/tools/flask/policy/modules/nic_dev.te @@ -11,4 +11,4 @@ type nic_dev_t, resource_type; admin_device(dom0_t, nic_dev_t) -use_device(domU_t, nic_dev_t) +use_device_noiommu(domU_t, nic_dev_t) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index ed0df4f..9126400 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -167,11 +167,32 @@ define(`make_device_model', ` #
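Review bot: the nic_dev.te hunk replaces `use_device(domU_t, nic_dev_t)` with `use_device_noiommu(domU_t, nic_dev_t)`, which keeps the reference policy at the weakest of the new levels (consistent with the commit message's "policy entries that do not require an active IOMMU"), but the file gets no comment saying that this is a deliberate choice rather than the recommended one. Since the accompanying notes describe OpenXT restricting the NIC to an IOMMU with interrupt remapping, a one-line comment above the new rule pointing policy authors at the stricter macros defined in xen.if would make the intended hardening path discoverable from the policy module itself. The xen.if hunk is cut off after its header here, so its macro bodies could not be checked against that comment.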
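To make the three-way check in the commit message concrete, here is an added C model of the decision (not the patch's hooks.c, whose hunk is not visible above, and not Xen code). It assumes permission names `PERM_USE_NOIOMMU`, `PERM_USE_IOMMU_NOINTREMAP` and `PERM_USE_IOMMU`, a `struct iommu_state` standing in for the hypervisor's IOMMU flags, and three policy levels matching the `use_device_noiommu` macro seen in the nic_dev.te hunk plus two stricter siblings; it also assumes that each policy macro grants its own permission together with every stronger one, so a lenient rule still passes on more capable hardware. The example goes beyond the page's two scenarios (GPU and NIC) by tabulating all policy level and hardware state combinations.

```c
/*
 * Added model of the IOMMU-requirement check described in the commit
 * message. Every identifier below is assumed for illustration; only
 * use_device_noiommu appears on the page, and this is not Xen's code.
 */
#include <stdbool.h>
#include <stdio.h>

/* Permission bits a policy can grant on a device resource (assumed names). */
enum resource_perm {
    PERM_USE_NOIOMMU          = 1u << 0, /* device usable even with no IOMMU */
    PERM_USE_IOMMU_NOINTREMAP = 1u << 1, /* IOMMU active, interrupt remapping absent */
    PERM_USE_IOMMU            = 1u << 2, /* IOMMU active with interrupt remapping */
};

/* What a policy author writes for a (domain, device) pair; each level is
 * one use_device_* macro (expansions assumed, see granted_perms). */
enum policy_level {
    POLICY_REQUIRE_IOMMU_INTREMAP, /* strongest: IOMMU plus interrupt remapping */
    POLICY_REQUIRE_IOMMU,          /* IOMMU required, remapping optional */
    POLICY_ALLOW_NOIOMMU,          /* weakest: use_device_noiommu */
};

/* Hypervisor-side facts the hook consults at assignment time
 * (assumed stand-in for Xen's IOMMU state flags). */
struct iommu_state {
    bool enabled;  /* an IOMMU is active for DMA isolation */
    bool intremap; /* and it provides interrupt remapping */
};

/* Step 1: derive the single permission the current hardware state
 * requires. Weaker hardware demands a more permissive grant. */
unsigned required_perm(struct iommu_state s)
{
    if (!s.enabled)
        return PERM_USE_NOIOMMU;
    return s.intremap ? PERM_USE_IOMMU : PERM_USE_IOMMU_NOINTREMAP;
}

/* Step 2 (assumed macro semantics): a level grants its own permission and
 * every stronger one, so "allow without IOMMU" still works when an IOMMU
 * with interrupt remapping happens to be present. */
unsigned granted_perms(enum policy_level level)
{
    switch (level) {
    case POLICY_REQUIRE_IOMMU_INTREMAP:
        return PERM_USE_IOMMU;
    case POLICY_REQUIRE_IOMMU:
        return PERM_USE_IOMMU | PERM_USE_IOMMU_NOINTREMAP;
    case POLICY_ALLOW_NOIOMMU:
        return PERM_USE_IOMMU | PERM_USE_IOMMU_NOINTREMAP | PERM_USE_NOIOMMU;
    }
    return 0; /* unknown level: grant nothing */
}

/* The access decision an assign-device hook would make. */
bool device_use_allowed(enum policy_level level, struct iommu_state s)
{
    return (granted_perms(level) & required_perm(s)) != 0;
}

int main(void)
{
    /* Constructed hardware states: no IOMMU, IOMMU without remapping,
     * IOMMU with remapping. */
    const struct iommu_state states[] = {
        { false, false }, { true, false }, { true, true }
    };
    const char *state_names[] = { "no-iommu", "iommu-nointremap", "iommu-intremap" };
    const char *level_names[] = { "require-intremap (NIC)", "require-iommu (GPU)", "allow-noiommu" };

    for (int l = 0; l < 3; l++) {
        printf("%-24s", level_names[l]);
        for (int i = 0; i < 3; i++)
            printf(" %s=%s", state_names[i],
                   device_use_allowed((enum policy_level)l, states[i]) ? "allow" : "deny");
        printf("\n");
    }
    return 0;
}
```

The table printed by `main` shows the property the reviewers valued: the hook never consults the policy level directly, it only asks "is the permission the hardware state requires among those granted?", so the hardware-to-permission mapping and the macro expansions can each be audited in isolation.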