On 25.11.2021 12:02, Oleksandr Andrushchenko wrote:
> From: Oleksandr Andrushchenko <[email protected]>
>
> For unprivileged guests vpci_{read|write} need to be re-worked
> to not passthrough accesses to the registers not explicitly handled
> by the corresponding vPCI handlers: without fixing that passthrough
> to guests is completely unsafe as Xen allows them full access to
> the registers.
>
> Xen needs to be sure that every register a guest accesses is not
> going to cause the system to malfunction, so Xen needs to keep a
> list of the registers it is safe for a guest to access.
>
> For example, we should only expose the PCI capabilities that we know
> are safe for a guest to use, i.e.: MSI and MSI-X initially.
> The rest of the capabilities should be blocked from guest access,
> unless we audit them and declare safe for a guest to access.
>
> As a reference we might want to look at the approach currently used
> by QEMU in order to do PCI passthrough. A very limited set of PCI
> capabilities known to be safe for untrusted access are exposed to the
> guest and registers need to be explicitly handled or else access is
> rejected. Xen needs a fairly similar model in vPCI or else none of
> this will be safe for unprivileged access.
>
> Add the corresponding TODO comment to highlight there is a problem that
> needs to be fixed.
>
> Suggested-by: Roger Pau Monné <[email protected]>
> Suggested-by: Jan Beulich <[email protected]>
> Signed-off-by: Oleksandr Andrushchenko <[email protected]>
Looks okay to me in principle, but imo needs to come earlier in the series, before things actually get exposed to DomU-s.

Jan
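As an added illustration of the model the quoted commit message asks for (this is not code from the patch series or from Xen's vPCI; function names, the device contents and the register at 0x40 are constructed for the example), a toy config-space emulation in C: a register is served only if it has an explicit handler in a table, the privileged hardware domain keeps raw passthrough for everything else, and an unprivileged guest's accesses to anything without a handler read as all-ones and have their writes dropped. Returning all-ones for unhandled reads is this example's choice (it looks like absent config space to the guest), not something the patch specifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CFG_SIZE 256
static uint8_t hw_cfg[CFG_SIZE];   /* constructed stand-in for a device's config space */

enum { VENDOR_ID = 0x00, COMMAND = 0x04, VENDOR_SPECIFIC = 0x40 };

static uint32_t size_mask(uint8_t size)
{
    return size >= 4 ? 0xffffffffu : (1u << (8 * size)) - 1;
}

/* Raw hardware access; bytes assembled little-endian so results do not depend on host endianness. */
static uint32_t hw_read(uint16_t off, uint8_t size)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint32_t)hw_cfg[off + i] << (8 * i);
    return v;
}

static void hw_write(uint16_t off, uint8_t size, uint32_t val)
{
    for (unsigned i = 0; i < size; i++)
        hw_cfg[off + i] = (uint8_t)(val >> (8 * i));
}

/* One entry per register that has been audited and given an explicit handler. */
struct reg_handler {
    uint16_t offset;
    uint8_t size;
    uint32_t (*read)(uint16_t off, uint8_t size);
    void (*write)(uint16_t off, uint8_t size, uint32_t val);
};

/* COMMAND: the guest may toggle only I/O, memory and bus-master enable (bits 0-2). */
static void command_write(uint16_t off, uint8_t size, uint32_t val)
{
    const uint32_t guest_bits = 0x0007;
    uint32_t cur = hw_read(off, size);
    hw_write(off, size, (cur & ~guest_bits) | (val & guest_bits));
}

static const struct reg_handler handlers[] = {
    { VENDOR_ID, 4, hw_read, NULL },          /* IDs: readable, writes rejected */
    { COMMAND,   2, hw_read, command_write }, /* COMMAND: masked writes */
};

static const struct reg_handler *find_handler(uint16_t off, uint8_t size)
{
    for (size_t i = 0; i < sizeof(handlers) / sizeof(handlers[0]); i++)
        if (handlers[i].offset == off && handlers[i].size == size)
            return &handlers[i];
    return NULL;
}

static bool in_range(uint16_t off, uint8_t size)
{
    return size > 0 && size <= 4 && (size_t)off + size <= CFG_SIZE;
}

uint32_t guest_cfg_read(bool privileged, uint16_t off, uint8_t size)
{
    const struct reg_handler *h;
    if (!in_range(off, size))
        return size_mask(size);
    h = find_handler(off, size);
    if (h && h->read)
        return h->read(off, size);
    if (privileged)                 /* hardware domain: passthrough as before */
        return hw_read(off, size);
    return size_mask(size);         /* unprivileged and unhandled: all-ones, nothing leaks */
}

bool guest_cfg_write(bool privileged, uint16_t off, uint8_t size, uint32_t val)
{
    const struct reg_handler *h;
    if (!in_range(off, size))
        return false;
    h = find_handler(off, size);
    if (h) {
        if (!h->write)
            return false;           /* handled but read-only */
        h->write(off, size, val);
        return true;
    }
    if (privileged) {
        hw_write(off, size, val);
        return true;
    }
    return false;                   /* unprivileged and unhandled: write dropped */
}

/* Constructed device contents: vendor/device IDs, cleared COMMAND, one unhandled register. */
void init_hw_cfg(void)
{
    hw_cfg[0] = 0xcd; hw_cfg[1] = 0xab; hw_cfg[2] = 0x34; hw_cfg[3] = 0x12;
    hw_cfg[COMMAND] = 0x00; hw_cfg[COMMAND + 1] = 0x00;
    hw_cfg[VENDOR_SPECIFIC] = 0x5a;
}

int main(void)
{
    init_hw_cfg();
    printf("domU reads 0x40: 0x%02x\n", guest_cfg_read(false, VENDOR_SPECIFIC, 1));
    printf("dom0 reads 0x40: 0x%02x\n", guest_cfg_read(true, VENDOR_SPECIFIC, 1));
    guest_cfg_write(false, COMMAND, 2, 0xffff);
    printf("COMMAND after domU write of 0xffff: 0x%04x\n", guest_cfg_read(false, COMMAND, 2));
    return 0;
}
```

The handler table here matches an access only on an exact (offset, size) pair; real config-space emulation also has to split partial and overlapping accesses across handlers, which is left out to keep the safe-default logic visible. The point the example makes is the one in the message: the privileged path is unchanged, while an unprivileged guest can only ever reach a register somebody has deliberately put in the table.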
