From 54d8f27d0477937e1f99a414fc1ffd93d184b38a Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Fri, 8 Apr 2022 10:21:11 +0200 Subject: [PATCH] tools/libxl: report trusted backend status to frontends MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Allow administrators to notify a frontend driver that its backend counterpart is not to be trusted, so the frontend can deploy whatever mitigations required in order to secure itself. Allow such option for disk and network frontends only, as those are the only hardened ones currently supported. This is part of XSA-403 Signed-off-by: Roger Pau Monné Reviewed-by: Anthony PERARD --- docs/man/xl-disk-configuration.5.pod.in | 29 ++++++++++++++++++++++ docs/man/xl-network-configuration.5.pod.in | 9 +++++++ tools/include/libxl.h | 8 ++++++ tools/libs/light/libxl_disk.c | 3 +++ tools/libs/light/libxl_nic.c | 5 ++++ tools/libs/light/libxl_types.idl | 6 +++-- tools/libs/util/libxlu_disk_l.l | 3 +++ tools/xl/check-xl-disk-parse | 26 +++++++++++++++++++ tools/xl/check-xl-vif-parse | 18 ++++++++++++++ tools/xl/xl_parse.c | 4 +++ xen/include/public/io/blkif.h | 8 ++++++ xen/include/public/io/netif.h | 6 +++++ 12 files changed, 123 insertions(+), 2 deletions(-) diff --git a/docs/man/xl-disk-configuration.5.pod.in b/docs/man/xl-disk-configuration.5.pod.in index 71d0e86e3d..95d039655a 100644 --- a/docs/man/xl-disk-configuration.5.pod.in +++ b/docs/man/xl-disk-configuration.5.pod.in
@@ -344,6 +344,35 @@ can be used to disable "hole punching" for file based backends which were intentionally created non-sparse to avoid fragmentation of the file.
+=item B / B
+
+=over 4
+
+=item Description
+
+Reports whether the backend should be trusted by the frontend
+
+=item Supported values
+
+trusted, untrusted
+
+=item Mandatory
+
+No
+
+=item Default value
+
+trusted
+
+=back
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted. The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
+
 =back
diff --git a/docs/man/xl-network-configuration.5.pod.in b/docs/man/xl-network-configuration.5.pod.in
index cf92d7960c..f3e379bcf8 100644
--- a/docs/man/xl-network-configuration.5.pod.in
+++ b/docs/man/xl-network-configuration.5.pod.in
@@ -258,3 +258,12 @@ NOTE: This should not be set unless you have a reason to. Specifies the MTU (i.e. the maximum size of an IP payload, exclusing headers). The default value is 1500 but, if the VIF is attached to a bridge, it will be set to match unless overridden by this parameter.
+
+=head2 trusted / untrusted
+
+An advisory setting for the frontend driver on whether the backend should be
+trusted. The frontend should deploy whatever protections it has available to
+prevent an untrusted backend from accessing guest data not related to the I/O
+processing or causing malfunction to the frontend or the whole domain.
+
+Note frontends can ignore such recommendation.
diff --git a/tools/include/libxl.h b/tools/include/libxl.h
index 7ce978e83c..835dfabc50 100644
--- a/tools/include/libxl.h
+++ b/tools/include/libxl.h
@@ -527,6 +527,14 @@
 */
 #define LIBXL_HAVE_MAX_GRANT_VERSION 1
+/*
+ * LIBXL_HAVE_{DISK,NIC}_TRUSTED indicates that the libxl_device_disk and
+ * libxl_device_nic structs have a field to signal whether the backend of the
+ * device is to be trusted. Such information is propagated to the frontend.
+ */
+#define LIBXL_HAVE_DISK_TRUSTED 1
+#define LIBXL_HAVE_NIC_TRUSTED 1
+
 /*
 * libxl ABI compatibility
 *
diff --git a/tools/libs/light/libxl_disk.c b/tools/libs/light/libxl_disk.c
index a5ca77850f..9da2b2ed27 100644
--- a/tools/libs/light/libxl_disk.c
+++ b/tools/libs/light/libxl_disk.c
@@ -159,6 +159,7 @@ static int libxl__device_disk_setdefault(libxl__gc *gc, uint32_t domid,
 libxl_defbool_setdefault(&disk->discard_enable, !!disk->readwrite);
 libxl_defbool_setdefault(&disk->colo_enable, false);
 libxl_defbool_setdefault(&disk->colo_restore_enable, false);
+ libxl_defbool_setdefault(&disk->trusted, true);
 rc = libxl__resolve_domid(gc, disk->backend_domname, &disk->backend_domid);
 if (rc < 0) return rc;
@@ -395,6 +396,8 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
 flexarray_append(front, GCSPRINTF("%d", device->devid));
 flexarray_append(front, "device-type");
 flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(disk->trusted) ? "1" : "0");
 /*
 * Old PV kernel disk frontends before 2.6.26 rely on tool stack to
diff --git a/tools/libs/light/libxl_nic.c b/tools/libs/light/libxl_nic.c
index 0b9e70c9d1..d6bf06fc34 100644
--- a/tools/libs/light/libxl_nic.c
+++ b/tools/libs/light/libxl_nic.c
@@ -116,6 +116,8 @@ static int libxl__device_nic_setdefault(libxl__gc *gc, uint32_t domid,
 abort();
 }
+ libxl_defbool_setdefault(&nic->trusted, true);
+
 return rc;
 }
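Review bot: In the libxl__device_disk_setdefault hunk the new field is defaulted with `libxl_defbool_setdefault(&disk->trusted, true);` unconditionally, one line before `libxl__resolve_domid()` turns backend_domname into backend_domid, so a disk whose backend lives in a domain other than the toolstack domain is still announced to the guest as trusted unless the admin spells out `untrusted` in the disk spec; the libxl__device_nic_setdefault hunk further down carries the same unconditional default. If that is the intended contract (the man-page text in this patch calls the setting advisory and defaults it to trusted), a one-line comment at the setdefault call would stop the next reader from assuming the value tracks the backend domain, e.g. `/* Advisory flag reported to the frontend; not derived from backend_domid, so backends outside the toolstack domain must be marked untrusted explicitly. */`. Otherwise the setdefault would have to move after the resolve call and be seeded from backend_domid, which changes the default seen by existing configurations and deserves a note in the commit message. Both functions begin and end outside these hunks.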
@@ -255,6 +257,9 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
 flexarray_append(back, "hotplug-status");
 flexarray_append(back, "");
+ flexarray_append(front, "trusted");
+ flexarray_append(front, libxl_defbool_val(nic->trusted) ? "1" : "0");
+
 return 0;
 }
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index 2a42da2f7d..89962218b4 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -712,7 +712,8 @@ libxl_device_disk = Struct("device_disk", [
 ("colo_port", integer),
 ("colo_export", string),
 ("active_disk", string),
- ("hidden_disk", string)
+ ("hidden_disk", string),
+ ("trusted", libxl_defbool),
 ])
 libxl_device_nic = Struct("device_nic", [
@@ -780,7 +781,8 @@ libxl_device_nic = Struct("device_nic", [
 ("colo_filter_sec_redirector1_outdev", string),
 ("colo_filter_sec_rewriter0_queue", string),
 ("colo_checkpoint_host", string),
- ("colo_checkpoint_port", string)
+ ("colo_checkpoint_port", string),
+ ("trusted", libxl_defbool),
 ])
 libxl_device_pci = Struct("device_pci", [
diff --git a/tools/libs/util/libxlu_disk_l.l b/tools/libs/util/libxlu_disk_l.l
index 3bd639aab0..e115460d99 100644
--- a/tools/libs/util/libxlu_disk_l.l
+++ b/tools/libs/util/libxlu_disk_l.l
@@ -208,6 +208,9 @@ colo-export=[^,]*,? { STRIP(','); SAVESTRING("colo-export", colo_export, FROMEQU
 active-disk=[^,]*,? { STRIP(','); SAVESTRING("active-disk", active_disk, FROMEQUALS); }
 hidden-disk=[^,]*,? { STRIP(','); SAVESTRING("hidden-disk", hidden_disk, FROMEQUALS); }
+trusted,? { libxl_defbool_set(&DPC->disk->trusted, true); }
+untrusted,? { libxl_defbool_set(&DPC->disk->trusted, false); }
+
 /* the target magic parameter, eats the rest of the string */
 target=.* { STRIP(','); SAVESTRING("target", pdev_path, FROMEQUALS); }
diff --git a/tools/xl/check-xl-disk-parse b/tools/xl/check-xl-disk-parse
index 643f4f4ecb..18fb66940a 100755
--- a/tools/xl/check-xl-disk-parse
+++ b/tools/xl/check-xl-disk-parse
@@ -178,4 +178,30 @@ disk: { END one 0 cdrom no-discard vdev=hda target=/some/disk/image.iso
+# test setting trusted
+expected <devid = parse_ulong(oparg);
 } else if (MATCH_OPTION("mtu", token, oparg)) {
 nic->mtu = parse_ulong(oparg);
+ } else if (!strcmp("trusted", token)) {
+ libxl_defbool_set(&nic->trusted, true);
+ } else if (!strcmp("untrusted", token)) {
+ libxl_defbool_set(&nic->trusted, false);
 } else {
 fprintf(stderr, "unrecognized argument `%s'\n", token);
 return 1;
diff --git a/xen/include/public/io/blkif.h b/xen/include/public/io/blkif.h
index 4cdba79aba..ab863f175a 100644
--- a/xen/include/public/io/blkif.h
+++ b/xen/include/public/io/blkif.h
@@ -363,6 +363,14 @@
 * that the frontend requires that the logical block size is 512 as it
 * is hardcoded (which is the case in some frontend implementations).
+ * trusted
+ * Values: 0/1 (boolean)
+ * Default value: 1
+ *
+ * A value of "0" indicates that the frontend should not trust the
+ * backend, and should deploy whatever measures available to protect from
+ * a malicious backend on the other end.
+ *
 *------------------------- Virtual Device Properties -------------------------
 *
 * device-type
diff --git a/xen/include/public/io/netif.h b/xen/include/public/io/netif.h
index 00dd258712..3509b096f8 100644
--- a/xen/include/public/io/netif.h
+++ b/xen/include/public/io/netif.h
@@ -160,6 +160,12 @@
 * be applied if it is set.
 */
+/*
+ * The setting of "trusted" node to "0" in the frontend path signals that the
+ * frontend should not trust the backend, and should deploy whatever measures
+ * available to protect from a malicious backend on the other end.
+ */
+
 /*
 * Control ring
 * ============
-- 2.39.5
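Review bot: The new netif.h comment documents the `trusted` node only in prose, while the blkif.h hunk in this same range gives it structured `Values: 0/1 (boolean)` and `Default value: 1` lines; a netfront author reading netif.h alone is not told what an absent node means, which is exactly what every toolstack predating this patch produces. I would reshape the netif.h comment into the blkif.h form: the node name, `Values: 0/1 (boolean)`, `Default value: 1`, then the sentence that "0" means the frontend should not trust the backend. The blkif.h entry could in turn borrow netif.h's wording that the node lives in the frontend path, which matches the `flexarray_append(front, "trusted")` calls in the libxl hunks, so frontend authors do not look for it under the backend directory. The comment blocks surrounding both insertions continue outside the hunks.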