xen/arm: Turn on SILO mode by default on Arm

On Arm, exclusive load-store atomics should only be used between trusted
thread. As not all the guests are trusted, it may be possible to DoS Xen
when updating shared memory with guest atomically.

Recent patches introduced new helpers to update shared memory with guest
atomically. Those helpers relies on a memory region to be be shared with
Xen and a single guest.

At the moment, nothing prevent a guest sharing a page with Xen and as
well with another guest (e.g via grant table).

For the scope of the XSA, the quickest way is to deny communications
between unprivileged guest. So this patch is enabling and using SILO
mode by default on Arm.

Users wanted finer graine policy could wrote their own Flask policy.

This is part of XSA-295.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 1d6f6bf37efa833c06c4963494e54168eb4b52c2..ff949f545abcd3bc5ac0452dde1c99ec37de4a3c 100644 (file)
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -37,6 +37,7 @@
 #include <xen/vmap.h>
 #include <xen/libfdt/libfdt.h>
 #include <xen/acpi.h>
+#include <xen/warning.h>
 #include <asm/alternative.h>
 #include <asm/page.h>
 #include <asm/current.h>
@@ -787,8 +788,11 @@ void __init start_xen(unsigned long boot_phys_offset,
 
     tasklet_subsys_init();
 
-
-    xsm_dt_init();
+    if ( xsm_dt_init() != 1 )
+        warning_add("WARNING: SILO mode is not enabled.\n"
+                    "It has implications on the security of the system,\n"
+                    "unless the communications have been forbidden between\n"
+                    "untrusted domains.\n");
 
     init_maintenance_interrupt();
     init_timer_interrupt();

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 512f6446a3e91b425e1aef1a3b7b4ce823362a5b..e4af3f13ebea02509614d9373257ebbdedb91a96 100644 (file)
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -93,7 +93,7 @@ config XENOPROF
 
 config XSM
        bool "Xen Security Modules support"
-       default n
+       default ARM
        ---help---
          Enables the security framework known as Xen Security Modules which
          allows administrators fine-grained control over a Xen domain and
@@ -158,6 +158,7 @@ config XSM_SILO
 choice
        prompt "Default XSM implementation"
        depends on XSM
+       default XSM_SILO_DEFAULT if XSM_SILO && ARM
        default XSM_FLASK_DEFAULT if XSM_FLASK
        default XSM_SILO_DEFAULT if XSM_SILO
        default XSM_DUMMY_DEFAULT

diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index b16a1b5b1865a956f2945bb6cca88e9521458b79..0c803531eb7860c3be9fd7fff955bae9dbcda76b 100644 (file)
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -710,6 +710,11 @@ extern int xsm_multiboot_policy_init(unsigned long *module_map,
 #endif
 
 #ifdef CONFIG_HAS_DEVICE_TREE
+/*
+ * Initialize XSM
+ *
+ * On success, return 1 if using SILO mode else 0.
+ */
 extern int xsm_dt_init(void);
 extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
 extern bool has_xsm_magic(paddr_t);

diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 7b862ea79d93690e7add5b15cb4b93d19568f937..1179cdf6103130cc2a4209111156d5434e81d26e 100644 (file)
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -167,7 +167,7 @@ int __init xsm_dt_init(void)
 
     xfree(policy_buffer);
 
-    return ret;
+    return ret ?: (xsm_bootparam == XSM_BOOTPARAM_SILO);
 }
 
 /**