were intentionally created non-sparse to avoid fragmentation of the
file.
+=item B<trusted> / B<untrusted>
+
+=over 4
+
+=item Description
+
+Reports whether the backend should be trusted by the frontend
+
+=item Supported values
+
+trusted, untrusted
+
+=item Mandatory
+
+No
+
+=item Default value
+
+trusted
+
+=back
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted. The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
+
=back
Specifies the MTU (i.e. the maximum size of an IP payload, exclusing headers). The
default value is 1500 but, if the VIF is attached to a bridge, it will be set to match
unless overridden by this parameter.
+
+=head2 trusted / untrusted
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted. The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
*/
#define LIBXL_HAVE_MAX_GRANT_VERSION 1
+/*
+ * LIBXL_HAVE_{DISK,NIC}_TRUSTED indicates that the libxl_device_disk and
+ * libxl_device_nic structs have a field to signal whether the backend of the
+ * device is to be trusted. Such information is propagated to the frontend.
+ */
+#define LIBXL_HAVE_DISK_TRUSTED 1
+#define LIBXL_HAVE_NIC_TRUSTED 1
+
/*
* libxl ABI compatibility
*
libxl_defbool_setdefault(&disk->discard_enable, !!disk->readwrite);
libxl_defbool_setdefault(&disk->colo_enable, false);
libxl_defbool_setdefault(&disk->colo_restore_enable, false);
+ libxl_defbool_setdefault(&disk->trusted, true);
rc = libxl__resolve_domid(gc, disk->backend_domname, &disk->backend_domid);
if (rc < 0) return rc;
flexarray_append(front, GCSPRINTF("%d", device->devid));
flexarray_append(front, "device-type");
flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(disk->trusted) ? "1" : "0");
/*
* Old PV kernel disk frontends before 2.6.26 rely on tool stack to
abort();
}
+ libxl_defbool_setdefault(&nic->trusted, true);
+
return rc;
}
flexarray_append(back, "hotplug-status");
flexarray_append(back, "");
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(nic->trusted) ? "1" : "0");
+
return 0;
}
("colo_port", integer),
("colo_export", string),
("active_disk", string),
- ("hidden_disk", string)
+ ("hidden_disk", string),
+ ("trusted", libxl_defbool),
])
libxl_device_nic = Struct("device_nic", [
("colo_filter_sec_redirector1_outdev", string),
("colo_filter_sec_rewriter0_queue", string),
("colo_checkpoint_host", string),
- ("colo_checkpoint_port", string)
+ ("colo_checkpoint_port", string),
+ ("trusted", libxl_defbool),
])
libxl_device_pci = Struct("device_pci", [
active-disk=[^,]*,? { STRIP(','); SAVESTRING("active-disk", active_disk, FROMEQUALS); }
hidden-disk=[^,]*,? { STRIP(','); SAVESTRING("hidden-disk", hidden_disk, FROMEQUALS); }
+trusted,? { libxl_defbool_set(&DPC->disk->trusted, true); }
+untrusted,? { libxl_defbool_set(&DPC->disk->trusted, false); }
+
/* the target magic parameter, eats the rest of the string */
target=.* { STRIP(','); SAVESTRING("target", pdev_path, FROMEQUALS); }
END
one 0 cdrom no-discard vdev=hda target=/some/disk/image.iso
+# test setting trusted
+expected <<END
+disk: {
+ "pdev_path": "/some/disk/image.raw",
+ "vdev": "hda",
+ "format": "raw",
+ "readwrite": 1,
+ "trusted": "True"
+}
+
+END
+one 0 trusted vdev=hda target=/some/disk/image.raw
+
+# test setting untrusted
+expected <<END
+disk: {
+ "pdev_path": "/some/disk/image.raw",
+ "vdev": "hda",
+ "format": "raw",
+ "readwrite": 1,
+ "trusted": "False"
+}
+
+END
+one 0 untrusted vdev=hda target=/some/disk/image.raw
+
complete
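Review bot: Both new disk cases set the flag explicitly, so the default the patch documents elsewhere (trusted / "1") is never exercised by the parser tests; a third case such as `one 0 vdev=hda target=/some/disk/image.raw` with its expected output showing whatever the printer emits for an unset defbool (omitted or a default marker — I can't tell from here) would pin it and would catch a later change that flips the default silently. The same gap exists in the vif cases that end at the `complete` line of the next hunk, where only `trusted` and `untrusted` are tested. Whether these data files already contain a no-flag case further up is outside the hunk.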
expected </dev/null
one $e rate=@
+# test trusted setting
+expected <<END
+vif: {
+ "trusted": "True"
+}
+
+END
+one 0 trusted
+
+# test untrusted setting
+expected <<END
+vif: {
+ "trusted": "False"
+}
+
+END
+one 0 untrusted
+
complete
nic->devid = parse_ulong(oparg);
} else if (MATCH_OPTION("mtu", token, oparg)) {
nic->mtu = parse_ulong(oparg);
+ } else if (!strcmp("trusted", token)) {
+ libxl_defbool_set(&nic->trusted, true);
+ } else if (!strcmp("untrusted", token)) {
+ libxl_defbool_set(&nic->trusted, false);
} else {
fprintf(stderr, "unrecognized argument `%s'\n", token);
return 1;
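Review bot: Unlike the surrounding `MATCH_OPTION` branches, the new `trusted`/`untrusted` arms compare the whole token with `strcmp`, so a key=value spelling such as `trusted=0` falls through to the `unrecognized argument` error. That mirrors the bare-token rules added to the libxlu disk lexer (`trusted,?` / `untrusted,?`), so it looks intentional, but placed next to the key=value options it reads as an oversight; a one-line comment above the first new arm, `/* bare flags, no "=value" form: keep in sync with the libxlu disk parser */`, would make the contract explicit. The enclosing parse function starts and ends outside the hunk.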
* that the frontend requires that the logical block size is 512 as it
* is hardcoded (which is the case in some frontend implementations).
*
+ * trusted
+ * Values: 0/1 (boolean)
+ * Default value: 1
+ *
+ * A value of "0" indicates that the frontend should not trust the
+ * backend, and should deploy whatever measures available to protect from
+ * a malicious backend on the other end.
+ *
*------------------------- Virtual Device Properties -------------------------
*
* device-type
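Review bot: The new `trusted` entry states what the frontend should do but not which xenstore path the node lives in or who writes it, so a reader of this section may take it for a frontend-advertised `feature-*` style node like its neighbours. The netif.h comment in this patch names the frontend path, and the libxl disk hunk appends the key to the frontend array, so presumably the toolstack writes it there; if that is the case, a line such as `*      Set by the toolstack in the frontend path; the frontend only reads it.` next to the default would remove the ambiguity. The header's section layout continues outside the hunk.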
* be applied if it is set.
*/
+/*
+ * The setting of "trusted" node to "0" in the frontend path signals that the
+ * frontend should not trust the backend, and should deploy whatever measures
+ * available to protect from a malicious backend on the other end.
+ */
+
/*
* Control ring
* ============
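Review bot: The netif.h note gives no accepted values and no default, whereas the blkif.h entry in this patch lists `Values: 0/1 (boolean)` and `Default value: 1`, and the libxl nic hunk writes `"1"`/`"0"` with a default of true. Adding the same two lines here, e.g. `* Values: 0/1 (boolean)` and `* Default value: 1 (an absent node is to be treated as trusted)`, keeps the two ABI headers consistent and tells a frontend author what to parse and what to assume when the node is missing; the "absent node" wording is my inference from the default and should be confirmed. The comment also sits as a free-standing block between sections rather than in a node list, which is a style difference from blkif.h worth reconciling.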