Commits on Nov 19, 2012
  1. xen/xsm: include default hook action in name

    dgdegraaf committed Nov 19, 2012
    Include the default XSM hook action in the name of the hook in order to
    allow quick understanding of how the call site is expected to be used
    (dom0-only, arbitrary guest, or target-only).
    
    Abbreviation explanation:
     xsm_dm_*      Usable only by device model (IS_PRIV_FOR)
     xsm_hook_*    No access check in dummy module. The calling code is
                   either guest-accessible or covered by another check
     xsm_priv_*    Privileged command (IS_PRIV)
     xsm_target_*  Usable by guest or its device model targeted to the guest
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  2. xen: platform_hypercall XSM hook removal

    dgdegraaf committed Nov 19, 2012
    A number of the platform_hypercall XSM hooks have no parameters or only
    pass the operation ID, making them redundant with the xsm_sysctl hook.
    Remove these redundant hooks.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  3. xen: sysctl XSM hook removal

    dgdegraaf committed Nov 19, 2012
    A number of the sysctl XSM hooks have no parameters or only pass the
    operation ID, making them redundant with the xsm_sysctl hook. Remove
    these redundant hooks.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  4. xen: domctl XSM hook removal

    dgdegraaf committed Nov 19, 2012
    A number of the domctl XSM hooks do nothing except pass the domain and
    operation ID, making them redundant with the xsm_domctl hook. Remove
    these redundant hooks.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  5. Remove XSM_DEFAULT macro

    dgdegraaf committed Nov 19, 2012
    This fixes ctags so that it can find the default XSM hooks.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  6. flask: move policy headers into hypervisor

    dgdegraaf committed Oct 9, 2012
    Rather than keeping around headers that are autogenerated in order to
    avoid adding build dependencies from xen/ to files in tools/, move the
    relevant parts of the FLASK policy into the hypervisor tree and generate
    the headers as part of the hypervisor's build.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  7. xen/arch/*: add struct domain parameter to arch_do_domctl

    dgdegraaf committed Sep 13, 2012
    Since the arch-independent do_domctl function now RCU locks the domain
    specified by op->domain, pass the struct domain to the arch-specific
    domctl function and remove the duplicate per-subfunction locking.
    
    This also removes two get_domain/put_domain call pairs (in
    XEN_DOMCTL_assign_device and XEN_DOMCTL_deassign_device), replacing them
    with RCU locking.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Cc: Ian Campbell <ian.campbell@citrix.com>
    Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
    Cc: Tim Deegan <tim@xen.org>
    Acked-by: Jan Beulich <jbeulich@suse.com>
  8. tmem: add XSM hooks

    dgdegraaf committed Aug 1, 2012
    This adds a pair of XSM hooks for tmem operations: xsm_tmem_op which
    controls any use of tmem, and xsm_tmem_control which allows use of the
    TMEM_CONTROL operations. By default, all domains can use tmem while only
    IS_PRIV domains can use control operations.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
  9. xen: Add XSM hook for XENMEM_exchange

    dgdegraaf committed Aug 2, 2012
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Cc: Keir Fraser <keir@xen.org>
  10. arch/x86: use XSM hooks for get_pg_owner access checks

    dgdegraaf committed Aug 2, 2012
    There are three callers of get_pg_owner:
     * do_mmuext_op, which does not have XSM hooks on all subfunctions
     * do_mmu_update, which has hooks that are inefficient
     * do_update_va_mapping_otherdomain, which has a simple XSM hook
    
    In order to preserve return values for the do_mmuext_op hypercall, an
    additional XSM hook is required to check the operation even for those
    subfunctions that do not use the pg_owner field. This also covers the
    MMUEXT_UNPIN_TABLE operation which did previously have an XSM hook.
    
    The XSM hooks in do_mmu_update were capable of replacing the checks in
    get_pg_owner; however, the hooks are buried in the inner loop of the
    function - not very good for performance when XSM is enabled and these
    turn into indirect function calls. This patch removes the PTE from the
    hooks and replaces it with a bitfield describing what accesses are being
    requested. The XSM hook can then be called only when additional bits are
    set instead of once per iteration of the loop.
    
    This patch results in a change in the FLASK permissions used for mapping
    an MMIO page: the target for the permission check on the memory mapping
    is no longer resolved to the device-specific type, and is instead either
    the domain's own type or domio_t (depending on if the domain uses
    DOMID_SELF or DOMID_IO in the map command). Device-specific access is
    still controlled via the "resource use" permission checked at domain
    creation (or device hotplug).
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Tim Deegan <tim@xen.org>
    Cc: Keir Fraser <keir@xen.org>
  11. arch/x86: Add missing mem_sharing XSM hooks

    dgdegraaf committed Aug 1, 2012
    This patch splits up the mem_sharing and mem_event XSM hooks to
    better cover what the code is doing. It also changes the utility
    function get_mem_event_op_target to rcu_lock_live_remote_domain_by_id
    because there is no mm-specific logic in there.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Tim Deegan <tim@xen.org>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  12. xsm/flask: add distinct SIDs for self/target access

    dgdegraaf committed Aug 1, 2012
    Because the FLASK XSM module no longer checks IS_PRIV for remote domain
    accesses covered by XSM permissions, domains now have the ability to
    perform memory management and other functions on all domains that have
    the same type. While it is possible to prevent this by only creating one
    domain per type, this solution significantly limits the flexibility of
    the type system.
    
    This patch introduces a domain type transition to represent a domain
    that is operating on itself. In the example policy, this is demonstrated
    by creating a type with _self appended when declaring a domain type
    which will be used for reflexive operations. AVCs for a domain of type
    domU_t will look like the following:
    
    scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
    
    This change also allows policy to distinguish between event channels a
    domain creates to itself and event channels created between domains of
    the same type.
    
    The IS_PRIV_FOR check used for device model domains is also no longer
    checked by FLASK; a similar transition is performed when the target is
    set and used when the device model accesses its target domain.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  13. xsm/flask: add missing hooks

    dgdegraaf committed Sep 12, 2012
    The FLASK module was missing implementations of some hooks and did not
    have access vectors defined for 10 domctls; define these now.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  14. xen: convert do_sysctl to use XSM

    dgdegraaf committed Sep 11, 2012
    The xsm_sysctl hook now covers every sysctl, in addition to the more
    fine-grained XSM hooks in most sub-functions.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  15. xen: convert do_domctl to use XSM

    dgdegraaf committed Sep 11, 2012
    The xsm_domctl hook now covers every domctl, in addition to the more
    fine-grained XSM hooks in most sub-functions. This also removes the need
    to special-case XEN_DOMCTL_getdomaininfo.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  16. xen: lock target domain in do_domctl common code

    dgdegraaf committed Sep 11, 2012
    Because almost all domctls need to lock the target domain, do this by
    default instead of repeating it in each domctl. This is not currently
    extended to the arch-specific domctls, but RCU locks are safe to take
    recursively so this only causes duplicate but correct locking.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  17. arch/x86: convert platform_hypercall to use XSM

    dgdegraaf committed Jul 31, 2012
    The newly introduced xsm_platform_op hook addresses new sub-ops, while
    most ops already have their own XSM hooks.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  18. xen: avoid calling rcu_lock_*target_domain when an XSM hook exists

    dgdegraaf committed Aug 10, 2012
    The rcu_lock_{,remote_}target_domain_by_id functions are wrappers around
    an IS_PRIV_FOR check for the current domain. This is now redundant with
    XSM hooks, so replace these calls with rcu_lock_domain_by_any_id or
    rcu_lock_remote_domain_by_id to remove the duplicate permission checks.
    
    When XSM_ENABLE is not defined or when the dummy XSM module is used,
    this patch should not change any functionality. Because the locations of
    privilege checks have sometimes moved below argument validation, error
    returns of some functions may change from EPERM to EINVAL when called
    with invalid arguments and from a domain without permission to perform
    the operation.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  19. xen: use XSM instead of IS_PRIV where duplicated

    dgdegraaf committed Aug 10, 2012
    The Xen hypervisor has two basic access control function calls: IS_PRIV
    and the xsm_* functions. Most privileged operations currently require
    that both checks succeed, and many times the checks are at different
    locations in the code. This patch eliminates the explicit and implicit
    IS_PRIV checks that are duplicated in XSM hooks.
    
    When XSM_ENABLE is not defined or when the dummy XSM module is used,
    this patch should not change any functionality. Because the locations of
    privilege checks have sometimes moved below argument validation, error
    returns of some functions may change from EPERM to EINVAL or ESRCH if
    called with invalid arguments and from a domain without permission to
    perform the operation.
    
    Some checks are removed due to non-obvious duplicates in their callers:
    
     * acpi_enter_sleep is checked in XENPF_enter_acpi_sleep
     * map_domain_pirq has IS_PRIV_FOR checked in its callers:
       * physdev_map_pirq checks when acquiring the RCU lock
       * ioapic_guest_write is checked in PHYSDEVOP_apic_write
     * PHYSDEVOP_{manage_pci_add,manage_pci_add_ext,pci_device_add} are
       checked by xsm_resource_plug_pci in pci_add_device
     * PHYSDEVOP_manage_pci_remove is checked by xsm_resource_unplug_pci
       in pci_remove_device
     * PHYSDEVOP_{restore_msi,restore_msi_ext} are checked by
       xsm_resource_setup_pci in pci_restore_msi_state
     * do_console_io has changed to IS_PRIV from an explicit domid==0
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  20. xsm: Use the dummy XSM module if XSM is disabled

    dgdegraaf committed Aug 2, 2012
    This patch moves the implementation of the dummy XSM module to a header
    file that provides inline functions when XSM_ENABLE is not defined. This
    reduces duplication between the dummy module and callers when the
    implementation of the dummy return is not just "return 0", and also
    provides better compile-time checking for completeness of the XSM
    implementations in the dummy module.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  21. xsm/flask: Add checks on the domain performing the set_target operation

    dgdegraaf committed Aug 1, 2012
    The existing domain__set_target check only verifies that the source and
    target domains can be associated. We also need to check that the
    privileged domain making this association is allowed to do so.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  22. arch/x86: add distinct XSM hooks for map/unmap

    dgdegraaf committed Jul 31, 2012
    The xsm_iomem_permission and xsm_ioport_permission hooks are intended to
    be called by the domain builder, while the calls in arch/x86/domctl.c
    which control mapping are also performed by the device model. Because of
    this, they should not use the same XSM hooks.
    
    This also adds a missing XSM hook in the unbind IRQ domctl.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Cc: Keir Fraser <keir@xen.org>
  23. flask/policy: Add domain relabel example

    dgdegraaf committed Jul 5, 2012
    This adds the nomigrate_t type to the example FLASK policy which allows
    domains to be created that dom0 cannot access after building.
    
    Example domain configuration snippet:
      seclabel='customer_1:vm_r:nomigrate_t'
      init_seclabel='customer_1:vm_r:nomigrate_t_building'
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  24. libxl: introduce XSM relabel on build

    dgdegraaf committed Jul 5, 2012
    Allow a domain to be built under one security label and run using a
    different label. This can be used to prevent the domain builder or
    control domain from having the ability to access a guest domain's memory
    via map_foreign_range except during the build process where this is
    required.
    
    Note: this does not provide complete protection from a malicious dom0;
    mappings created during the build process may persist after the relabel,
    and could be used to indirectly access the guest's memory.
    
    Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
    Cc: Ian Jackson <ian.jackson@eu.citrix.com>
    Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Cc: Ian Campbell <ian.campbell@citrix.com>
  25. xen: fix build failure due to extra closing comment

    Ian Campbell committed Nov 19, 2012
    Added by 26173:26facad2f1a1
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  26. docs: Include prototype for HYPERVISOR_multicall

    Ian Campbell committed Nov 19, 2012
    Mark-up for inclusion of generated docs.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  27. docs: Document HYPERVISOR_update_descriptor

    Ian Campbell committed Nov 19, 2012
    Mark-up for inclusion of generated docs.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  28. docs: Add ToC entry for start of day memory layout.

    Ian Campbell committed Nov 19, 2012
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  29. docs: Document HYPERVISOR_mmuext_op

    Ian Campbell committed Nov 19, 2012
    Mark-up for inclusion of generated docs.
    
    Remove some trailing whitespace.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  30. docs: document HYPERVISOR_update_va_mapping(_other_domain)

    Ian Campbell committed Nov 19, 2012
    Mark-up for inclusion of generated docs.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  31. docs: document/mark-up SCHEDOP_*

    Ian Campbell committed Nov 19, 2012
    The biggest subtlety here is the additional argument when op ==
    SCHEDOP_shutdown and reason == SHUTDOWN_suspend and its interpretation by
    xc_domain_{save,restore}. Add some clarifying comments to libxc as well.
    
    This patch moves some structs around but there is no functional change
    other than improved documentation.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  32. AMD IOMMU: fix type of "bdf" parameter of update_intremap_entry_from_msi_msg()

    jbeulich committed Nov 19, 2012
    
    Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
  33. Remove tools/vtpm* from MAINTAINERS file

    Matthew Fioravante committed Nov 19, 2012
    Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  34. tools: Remove old vtpm stuff from tools/libxen

    Matthew Fioravante committed Nov 19, 2012
    Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>
  35. Remove VTPM_TOOLS from config/Tools.mk.in

    Matthew Fioravante committed Nov 19, 2012
    Signed-off-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Campbell <ian.campbell@citrix.com>