Xen devel - Aug 2008 - [PATCH] [VTD] Add ''force_iommu'' option

For security reasons, add ''force_iommu'' option to ensure that
it should
not be possible under any conditions to boot Xen w/o VT-d being enabled.
This would only be specified by users that really want the added
security.

Signed-off-by: Weidong Han <weidong.han@intel.com>


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

ACKed-by:  Joseph Cihula <joseph.cihula@intel.com>

This patch is needed to maintain trust in Xen when it is launched using
Intel(R) Trusted Execution Technology, as it will be launched with DMA
protection and needs to fail securely if that protection cannot be
maintained.

Joe

-----Original Message-----
From: xen-devel-bounces@lists.xensource.com
[mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Han, Weidong
Sent: Tuesday, August 05, 2008 8:33 PM
To: xen-devel@lists.xensource.com
Subject: [Xen-devel] [PATCH] [VTD] Add ''force_iommu'' option

For security reasons, add ''force_iommu'' option to ensure that
it should
not be possible under any conditions to boot Xen w/o VT-d being enabled.
This would only be specified by users that really want the added
security.

Signed-off-by: Weidong Han <weidong.han@intel.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

[Weidong Han]
> For security reasons, add ''force_iommu'' option to ensure
that it should
> not be possible under any conditions to boot Xen w/o VT-d being enabled.
> This would only be specified by users that really want the added
> security.
Here''s a followup which collects all the iommu parameters into a
single parameter.  Makes things more intuitive from a users
perspective.

	eSk


---
iommu: Make the iommu boot parameters more generic and flexible

Make the ''iommu'' boot parameter take a comma separated value
indicating
wheter iommu is required to boot and whether to enable iommu for pv
domains.

Signed-off-by: Espen Skoglund <espen.skoglund@netronome.com>


diff -r 152ba12fc55c xen/drivers/passthrough/iommu.c
--- a/xen/drivers/passthrough/iommu.c	Wed Aug 06 13:07:34 2008 +0100
+++ b/xen/drivers/passthrough/iommu.c	Wed Aug 06 13:55:46 2008 +0100
@@ -20,18 +20,48 @@
 
 extern struct iommu_ops intel_iommu_ops;
 extern struct iommu_ops amd_iommu_ops;
+static void parse_iommu_param(char *s);
 static int iommu_populate_page_table(struct domain *d);
 int intel_vtd_setup(void);
 int amd_iov_detect(void);
 
+/*
+ * The ''iommu'' parameter enables the IOMMU.  Optional comma
separated
+ * value may contain:
+ *
+ *   off|no|false|disable       Disable IOMMU (default)
+ *   pv                         Enable IOMMU for PV domains
+ *   no-pv                      Disable IOMMU for PV domains (default)
+ *   force|required             Don''t boot unless IOMMU is enabled
+ */
+custom_param("iommu", parse_iommu_param);
 int iommu_enabled = 0;
-boolean_param("iommu", iommu_enabled);
+int iommu_pv_enabled = 0;
+int force_iommu = 0;
 
-int iommu_pv_enabled = 0;
-boolean_param("iommu_pv", iommu_pv_enabled);
+static void __init parse_iommu_param(char *s)
+{
+    char *ss;
+    iommu_enabled = 1;
 
-int force_iommu = 0;
-boolean_param("force_iommu", force_iommu);
+    do {
+        ss = strchr(s, '','');
+        if ( ss )
+            *ss = ''\0'';
+
+        if ( !strcmp(s, "off") || !strcmp(s, "no") ||
!strcmp(s, "false") ||
+             !strcmp(s, "0") || !strcmp(s, "disable") )
+            iommu_enabled = 0;
+        else if ( !strcmp(s, "pv") )
+            iommu_pv_enabled = 1;
+        else if ( !strcmp(s, "no-pv") )
+            iommu_pv_enabled = 0;
+        else if ( !strcmp(s, "force") || !strcmp(s,
"required") )
+            force_iommu = 1;
+
+        s = ss + 1;
+    } while ( ss );
+}
 
 int iommu_domain_init(struct domain *domain)
 {

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

I''d like to petition this patch to be included in 3.3, so that the
official releases continue to fully support the TXT/tboot trust model.

Joe

-----Original Message-----
From: xen-devel-bounces@lists.xensource.com
[mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Espen
Skoglund
Sent: Wednesday, August 06, 2008 6:02 AM
To: Han, Weidong
Cc: xen-devel@lists.xensource.com
Subject: Re: [Xen-devel] [PATCH] [VTD] Add ''force_iommu''
option

[Weidong Han]
> For security reasons, add ''force_iommu'' option to ensure
that it
should
> not be possible under any conditions to boot Xen w/o VT-d being
enabled.
> This would only be specified by users that really want the added
> security.
Here''s a followup which collects all the iommu parameters into a
single parameter.  Makes things more intuitive from a users
perspective.

	eSk


---
iommu: Make the iommu boot parameters more generic and flexible

Make the ''iommu'' boot parameter take a comma separated value
indicating
wheter iommu is required to boot and whether to enable iommu for pv
domains.

Signed-off-by: Espen Skoglund <espen.skoglund@netronome.com>


diff -r 152ba12fc55c xen/drivers/passthrough/iommu.c
--- a/xen/drivers/passthrough/iommu.c	Wed Aug 06 13:07:34 2008 +0100
+++ b/xen/drivers/passthrough/iommu.c	Wed Aug 06 13:55:46 2008 +0100
@@ -20,18 +20,48 @@
 
 extern struct iommu_ops intel_iommu_ops;
 extern struct iommu_ops amd_iommu_ops;
+static void parse_iommu_param(char *s);
 static int iommu_populate_page_table(struct domain *d);
 int intel_vtd_setup(void);
 int amd_iov_detect(void);
 
+/*
+ * The ''iommu'' parameter enables the IOMMU.  Optional comma
separated
+ * value may contain:
+ *
+ *   off|no|false|disable       Disable IOMMU (default)
+ *   pv                         Enable IOMMU for PV domains
+ *   no-pv                      Disable IOMMU for PV domains (default)
+ *   force|required             Don''t boot unless IOMMU is enabled
+ */
+custom_param("iommu", parse_iommu_param);
 int iommu_enabled = 0;
-boolean_param("iommu", iommu_enabled);
+int iommu_pv_enabled = 0;
+int force_iommu = 0;
 
-int iommu_pv_enabled = 0;
-boolean_param("iommu_pv", iommu_pv_enabled);
+static void __init parse_iommu_param(char *s)
+{
+    char *ss;
+    iommu_enabled = 1;
 
-int force_iommu = 0;
-boolean_param("force_iommu", force_iommu);
+    do {
+        ss = strchr(s, '','');
+        if ( ss )
+            *ss = ''\0'';
+
+        if ( !strcmp(s, "off") || !strcmp(s, "no") ||
!strcmp(s,
"false") ||
+             !strcmp(s, "0") || !strcmp(s, "disable") )
+            iommu_enabled = 0;
+        else if ( !strcmp(s, "pv") )
+            iommu_pv_enabled = 1;
+        else if ( !strcmp(s, "no-pv") )
+            iommu_pv_enabled = 0;
+        else if ( !strcmp(s, "force") || !strcmp(s,
"required") )
+            force_iommu = 1;
+
+        s = ss + 1;
+    } while ( ss );
+}
 
 int iommu_domain_init(struct domain *domain)
 {

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel