RE: [PATCH v8 5/9] hisi_acc_vfio_pci: Restrict access to VF dev BAR2 migration region

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Kevin,

> -----Original Message-----
> From: Tian, Kevin [mailto:kevin.tian@xxxxxxxxx]
> Sent: 08 March 2022 06:23
> To: Shameerali Kolothum Thodi <shameerali.kolothum.thodi@xxxxxxxxxx>;
> kvm@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> linux-crypto@xxxxxxxxxxxxxxx
> Cc: linux-pci@xxxxxxxxxxxxxxx; alex.williamson@xxxxxxxxxx; jgg@xxxxxxxxxx;
> cohuck@xxxxxxxxxx; mgurtovoy@xxxxxxxxxx; yishaih@xxxxxxxxxx; Linuxarm
> <linuxarm@xxxxxxxxxx>; liulongfang <liulongfang@xxxxxxxxxx>; Zengtao (B)
> <prime.zeng@xxxxxxxxxxxxx>; Jonathan Cameron
> <jonathan.cameron@xxxxxxxxxx>; Wangzhou (B) <wangzhou1@xxxxxxxxxxxxx>
> Subject: RE: [PATCH v8 5/9] hisi_acc_vfio_pci: Restrict access to VF dev BAR2
> migration region
> 
> Hi, Shameer,
> 
> > From: Shameer Kolothum <shameerali.kolothum.thodi@xxxxxxxxxx>
> > Sent: Friday, March 4, 2022 7:01 AM
> >
> > HiSilicon ACC VF device BAR2 region consists of both functional
> > register space and migration control register space. From a
> > security point of view, it's not advisable to export the migration
> > control region to Guest.
> >
> > Hence, introduce a separate struct vfio_device_ops for migration
> > support which will override the ioctl/read/write/mmap methods to
> > hide the migration region and limit the access only to the
> > functional register space.
> >
> > This will be used in subsequent patches when we add migration
> > support to the driver.
> 
> As a security concern the migration control region should be always
> disabled regardless of whether migration support is added to the
> driver for such device... It sounds like we should first fix this security
> hole for acc device assignment and then add the migration support
> atop (at least organize the series in this way).

By exposing the migration BAR region, there is a possibility that a malicious
Guest can prevent migration from happening by manipulating the migration
BAR region. I don't think there are any other security concerns now especially
since we only support the STOP_COPY state.  And the approach has been that
we only restrict this if migration support is enabled. I think I can change the
above "security concern" description to "malicious Guest can prevent migration"
to make it more clear.

Hope this is fine.

Thanks,
Shameer



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux