Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[Jan Beulich]

>>> On 23.08.17 at 17:56,  wrote:
> On 08/22/2017 04:18 AM, Jan Beulich wrote:
> On 18.08.17 at 23:55,  wrote:
>>> On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
 From: Christopher Clark 

 Isolation of devices passed through to domains usually requires an
 active IOMMU. The existing method of requiring an IOMMU is via a Xen
 boot parameter ("iommu=force") which will abort boot if an IOMMU is not
 available.

 More graceful degradation of behaviour when an IOMMU is absent can be
 achieved by enabling XSM to perform enforcement of IOMMU requirement.

 This patch enables an enforceable XSM policy to specify that an IOMMU is
 required for particular domains to access devices and how capable that
 IOMMU must be. This allows a Xen system to boot whilst still
 ensuring that an IOMMU is active before permitting device use.

 Using a XSM policy ensures that the isolation properties remain enforced
 even when the large, complex toolstack software changes.

 For some hardware platforms interrupt remapping is a strict requirement
 for secure isolation. Not all IOMMUs provide interrupt remapping.
 The XSM policy can now optionally require interrupt remapping.

 The device use hooks now check whether an IOMMU is:
* Active and securely isolating:
   -- current criteria for this is that interrupt remapping is ok
* Active but interrupt remapping is not available
* Not active

 This patch also updates the reference XSM policy to use the new
 primitives, with policy entries that do not require an active IOMMU.

 Signed-off-by: Christopher Clark 
>>>
>>> Acked-by: Daniel De Graaf 
>> 
>> To be honest, for this kind of a change I would have hoped for
>> a Reviewed-by (by you or someone else), not just an Acked-by.
>> Hence I'm hesitant to put the patch in right away.
> 
> I'll keep that in mind for the future.  I have looked at this patch
> in depth, so you can change that to
> 
> Reviewed-by: Daniel De Graaf 

Thanks, a few minutes too late though - I've just committed it the
way it was (with Ross' R-b).

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[Daniel De Graaf]

On 08/22/2017 04:18 AM, Jan Beulich wrote:

On 18.08.17 at 23:55,  wrote:

On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:

From: Christopher Clark 

Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not
available.

More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.

This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.

Using a XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.

For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.

The device use hooks now check whether an IOMMU is:
   * Active and securely isolating:
  -- current criteria for this is that interrupt remapping is ok
   * Active but interrupt remapping is not available
   * Not active

This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.

Signed-off-by: Christopher Clark 


Acked-by: Daniel De Graaf 


To be honest, for this kind of a change I would have hoped for
a Reviewed-by (by you or someone else), not just an Acked-by.
Hence I'm hesitant to put the patch in right away.

Jan


I'll keep that in mind for the future.  I have looked at this patch
in depth, so you can change that to

Reviewed-by: Daniel De Graaf 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[Ross Philipson]

I did test and review this submission back when I worked on the OpenXT
project with Christopher so I can add a reviewed by.

Reviewed-by: Ross Philipson 

On Tue, Aug 22, 2017 at 4:18 AM, Jan Beulich  wrote:

> >>> On 18.08.17 at 23:55,  wrote:
> > On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
> >> From: Christopher Clark 
> >>
> >> Isolation of devices passed through to domains usually requires an
> >> active IOMMU. The existing method of requiring an IOMMU is via a Xen
> >> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
> >> available.
> >>
> >> More graceful degradation of behaviour when an IOMMU is absent can be
> >> achieved by enabling XSM to perform enforcement of IOMMU requirement.
> >>
> >> This patch enables an enforceable XSM policy to specify that an IOMMU is
> >> required for particular domains to access devices and how capable that
> >> IOMMU must be. This allows a Xen system to boot whilst still
> >> ensuring that an IOMMU is active before permitting device use.
> >>
> >> Using a XSM policy ensures that the isolation properties remain enforced
> >> even when the large, complex toolstack software changes.
> >>
> >> For some hardware platforms interrupt remapping is a strict requirement
> >> for secure isolation. Not all IOMMUs provide interrupt remapping.
> >> The XSM policy can now optionally require interrupt remapping.
> >>
> >> The device use hooks now check whether an IOMMU is:
> >>   * Active and securely isolating:
> >>  -- current criteria for this is that interrupt remapping is ok
> >>   * Active but interrupt remapping is not available
> >>   * Not active
> >>
> >> This patch also updates the reference XSM policy to use the new
> >> primitives, with policy entries that do not require an active IOMMU.
> >>
> >> Signed-off-by: Christopher Clark 
> >
> > Acked-by: Daniel De Graaf 
>
> To be honest, for this kind of a change I would have hoped for
> a Reviewed-by (by you or someone else), not just an Acked-by.
> Hence I'm hesitant to put the patch in right away.
>
> Jan
>
>
> ___
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel
>



-- 
Ross Philipson
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[Jan Beulich]

>>> On 18.08.17 at 23:55,  wrote:
> On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:
>> From: Christopher Clark 
>> 
>> Isolation of devices passed through to domains usually requires an
>> active IOMMU. The existing method of requiring an IOMMU is via a Xen
>> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
>> available.
>> 
>> More graceful degradation of behaviour when an IOMMU is absent can be
>> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>> 
>> This patch enables an enforceable XSM policy to specify that an IOMMU is
>> required for particular domains to access devices and how capable that
>> IOMMU must be. This allows a Xen system to boot whilst still
>> ensuring that an IOMMU is active before permitting device use.
>> 
>> Using a XSM policy ensures that the isolation properties remain enforced
>> even when the large, complex toolstack software changes.
>> 
>> For some hardware platforms interrupt remapping is a strict requirement
>> for secure isolation. Not all IOMMUs provide interrupt remapping.
>> The XSM policy can now optionally require interrupt remapping.
>> 
>> The device use hooks now check whether an IOMMU is:
>>   * Active and securely isolating:
>>  -- current criteria for this is that interrupt remapping is ok
>>   * Active but interrupt remapping is not available
>>   * Not active
>> 
>> This patch also updates the reference XSM policy to use the new
>> primitives, with policy entries that do not require an active IOMMU.
>> 
>> Signed-off-by: Christopher Clark 
> 
> Acked-by: Daniel De Graaf 

To be honest, for this kind of a change I would have hoped for
a Reviewed-by (by you or someone else), not just an Acked-by.
Hence I'm hesitant to put the patch in right away.

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[Daniel De Graaf]

On 08/18/2017 05:02 PM, christopher.w.cl...@gmail.com wrote:

From: Christopher Clark 

Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not
available.

More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.

This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.

Using a XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.

For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.

The device use hooks now check whether an IOMMU is:
  * Active and securely isolating:
 -- current criteria for this is that interrupt remapping is ok
  * Active but interrupt remapping is not available
  * Not active

This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.

Signed-off-by: Christopher Clark 


Acked-by: Daniel De Graaf 

One additional note: if this type of permission expansion needs to be
applied to more permissions based on hypervisor settings, it may be
useful to look at other solutions (such as policy booleans) to implement
this logic.  However, most of those solutions are more complicated than
necessary for a single distinction like this, and the simpler ones do
not provide the same ease of verification that this version has.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

[christopher . w . clark]

From: Christopher Clark 

Isolation of devices passed through to domains usually requires an
active IOMMU. The existing method of requiring an IOMMU is via a Xen
boot parameter ("iommu=force") which will abort boot if an IOMMU is not
available.

More graceful degradation of behaviour when an IOMMU is absent can be
achieved by enabling XSM to perform enforcement of IOMMU requirement.

This patch enables an enforceable XSM policy to specify that an IOMMU is
required for particular domains to access devices and how capable that
IOMMU must be. This allows a Xen system to boot whilst still
ensuring that an IOMMU is active before permitting device use.

Using a XSM policy ensures that the isolation properties remain enforced
even when the large, complex toolstack software changes.

For some hardware platforms interrupt remapping is a strict requirement
for secure isolation. Not all IOMMUs provide interrupt remapping.
The XSM policy can now optionally require interrupt remapping.

The device use hooks now check whether an IOMMU is:
 * Active and securely isolating:
-- current criteria for this is that interrupt remapping is ok
 * Active but interrupt remapping is not available
 * Not active

This patch also updates the reference XSM policy to use the new
primitives, with policy entries that do not require an active IOMMU.

Signed-off-by: Christopher Clark 
---
Patch author: Christopher Clark
Copyright belongs to BAE Systems. Written for OpenXT. [OXT-826]
The author is grateful to Daniel De Graaf, Stephen Smalley,
Daniel Smith and Ross Philipson for feedback on earlier revisions
of this patch.

This patch was developed for OpenXT for the 2017 stable-7 release
to ensure that a network interface card cannot be passed through
to the network driver domain unless the IOMMU is active.

Earlier versions of OpenXT had ensured this via logic in the toolstack,
but this behaviour was discovered to have been lost after porting the
upper level of the toolstack to use libxl. This motivated introduction
of a robust way of ensuring that this important system policy would
be preserved across any future toolstack changes.

The XSM hook code in this patch is the same as in OpenXT; the reference
policy is not. The hooks have been validated as behaving correctly on
several generations of Dell and HP Intel-based hardware, with this patch
applied to Xen 4.6, with and without interrupt remapping capability;
and further testing with Xen 4.9 on a subset of that hardware.
The reference policy in this patch has been compile-tested only.

An OpenXT system will still boot even with the IOMMU disabled -- which
is different behaviour than would be the case if the IOMMU was required
via the Xen command line. The system retains its isolation from the
network by preventing passthrough of the NIC(s) to the domain containing
the device drivers, whilst still allowing user access to VMs stored
locally on the system.

Since OpenXT supports older hardware with less capable IOMMUs, its
default configuration is to allow use without interrupt remapping,
but derivative projects of OpenXT with different hardware support
requirements are able to change their policy to the stronger setting
that insists on interrupt remapping availability.

Device isolation can be:
  Useful, eg. for resiliency against occasionally buggy devices
or
  Necessary, eg. strictly required for system security

and sometimes both are true:

The hooks in this patch enable a single XSM policy to be created
for a common software build that is usable across diverse hardware
to express:

  * that allowing GPU passthrough to a particular class of VMs does
require an IOMMU, but it can proceed without interrupt remapping,

  * whereas the network interface card is not allowed to be used
by the network driver domain unless an IOMMU is active and
it has interrupt remapping capability.

 tools/flask/policy/modules/nic_dev.te |  2 +-
 tools/flask/policy/modules/xen.if | 29 +++
 tools/flask/policy/modules/xen.te |  3 ++-
 xen/xsm/flask/hooks.c | 44 +--
 xen/xsm/flask/policy/access_vectors   | 20 ++--
 5 files changed, 83 insertions(+), 15 deletions(-)

diff --git a/tools/flask/policy/modules/nic_dev.te 
b/tools/flask/policy/modules/nic_dev.te
index e0484af..5206f1e 100644
--- a/tools/flask/policy/modules/nic_dev.te
+++ b/tools/flask/policy/modules/nic_dev.te
@@ -11,4 +11,4 @@
 type nic_dev_t, resource_type;
 
 admin_device(dom0_t, nic_dev_t)
-use_device(domU_t, nic_dev_t)
+use_device_noiommu(domU_t, nic_dev_t)
diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index ed0df4f..9126400 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -167,11 +167,32 @@ define(`make_device_model', `
 #