Allow the hwdom to access the console, and to access physical
information about the system.

xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
permission would be required.

SYSCTL_physinfo is mainly to silence xl messages:

$ xl list
libxl: error: libxl_utils.c:818:libxl_cpu_bitmap_alloc: failed to retrieve the maximum number of cpus

Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
---
This is not strictly needed.
---
 xen/common/sysctl.c     |  2 +-
 xen/include/xsm/dummy.h | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c
index c2d99ae12e..89d5176f4d 100644
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -42,7 +42,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
     if ( op->interface_version != XEN_SYSCTL_INTERFACE_VERSION )
         return -EACCES;
 
-    ret = xsm_sysctl(XSM_PRIV, op->cmd);
+    ret = xsm_sysctl(XSM_OTHER, op->cmd);
     if ( ret )
         return ret;
 
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 477fadaefd..5e806dc241 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -188,8 +188,18 @@ static XSM_INLINE int cf_check xsm_domctl(
 
 static XSM_INLINE int cf_check xsm_sysctl(XSM_DEFAULT_ARG int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    XSM_ASSERT_ACTION(XSM_OTHER);
+    switch ( cmd )
+    {
+    case XEN_SYSCTL_readconsole:
+        return xsm_default_action(XSM_HW_PRIV, current->domain, NULL);
+    case XEN_SYSCTL_physinfo:
+        if ( is_hardware_domain(current->domain) )
+            return xsm_default_action(XSM_HW_PRIV, current->domain, NULL);
+        fallthrough;
+    default:
+        return xsm_default_action(XSM_PRIV, current->domain, NULL);
+    }
 }
 
 static XSM_INLINE int cf_check xsm_readconsole(XSM_DEFAULT_ARG uint32_t clear)
-- 
2.49.0

On 11.06.2025 00:57, Jason Andryuk wrote:
> Allow the hwdom to access the console, and to access physical
> information about the system.
> 
> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
> permission would be required.

Why would xenconsoled run in the hardware domain? It's purely a software
construct, isn't it? As a daemon, putting it in the control domain may
make sense. Otherwise it probably ought to go in a service domain.

Jan

On 2025-06-11 09:27, Jan Beulich wrote:
> On 11.06.2025 00:57, Jason Andryuk wrote:
>> Allow the hwdom to access the console, and to access physical
>> information about the system.
>>
>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
>> permission would be required.
> 
> Why would xenconsoled run in the hardware domain? It's purely a software
> construct, isn't it? As a daemon, putting it in the control domain may
> make sense. Otherwise it probably ought to go in a service domain.

My approach has been to transform dom0 into the hardware domain and add 
a new control domain.  xenconsoled was left running in the hardware domain.

I suppose it could move.  Maybe that would be fine?  I haven't tried. 
The Hyperlaunch code populates the console grants to point at the 
hardware domain, and I just followed that.

One aspect of why I left most things running in the Hardware domain was 
to not run things in the Control domain.  If Control is the highest 
privileged entity, we'd rather run software in lower privileged places. 
Especially something like xenconsoled which is receiving data from the 
domUs.

Running in a service domain is a good suggestion, but we haven't made it 
that far.

Regards,
Jason

On Wed, 11 Jun 2025, Jason Andryuk wrote:
> On 2025-06-11 09:27, Jan Beulich wrote:
> > On 11.06.2025 00:57, Jason Andryuk wrote:
> > > Allow the hwdom to access the console, and to access physical
> > > information about the system.
> > > 
> > > xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
> > > permission would be required.
> > 
> > Why would xenconsoled run in the hardware domain? It's purely a software
> > construct, isn't it? As a daemon, putting it in the control domain may
> > make sense. Otherwise it probably ought to go in a service domain.
> 
> My approach has been to transform dom0 into the hardware domain and add a new
> control domain.  xenconsoled was left running in the hardware domain.

I think we should keep xenconsoled in the hardware domain because the
control domain should be just optional. (However, one could say that with
Denis' recent changes xenconsoled is also optional because one can use
console hypercalls or emulators (PL011, NS16550) for all DomUs.)



> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
> Hyperlaunch code populates the console grants to point at the hardware domain,
> and I just followed that.
> 
> One aspect of why I left most things running in the Hardware domain was to not
> run things in the Control domain.  If Control is the highest privileged
> entity, we'd rather run software in lower privileged places. Especially
> something like xenconsoled which is receiving data from the domUs.

Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
Control Domain because the Control Domain is meant to be safe from
interference. We want to keep the number of potential vehicles for
interference down to a minimum and shared memory between Control Domain
and DomUs is certainly a vehicle for interference.

On 14.06.2025 00:51, Stefano Stabellini wrote:
> On Wed, 11 Jun 2025, Jason Andryuk wrote:
>> On 2025-06-11 09:27, Jan Beulich wrote:
>>> On 11.06.2025 00:57, Jason Andryuk wrote:
>>>> Allow the hwdom to access the console, and to access physical
>>>> information about the system.
>>>>
>>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
>>>> permission would be required.
>>>
>>> Why would xenconsoled run in the hardware domain? It's purely a software
>>> construct, isn't it? As a daemon, putting it in the control domain may
>>> make sense. Otherwise it probably ought to go in a service domain.
>>
>> My approach has been to transform dom0 into the hardware domain and add a new
>> control domain.  xenconsoled was left running in the hardware domain.
> 
> I think we should keep xenconsoled in the hardware domain because the
> control domain should be just optional. (However, one could say that with
> Denis' recent changes xenconsoled is also optional because one can use
> console hypercalls or emulators (PL011, NS16550) for all DomUs.)
> 
> 
> 
>> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
>> Hyperlaunch code populates the console grants to point at the hardware domain,
>> and I just followed that.
>>
>> One aspect of why I left most things running in the Hardware domain was to not
>> run things in the Control domain.  If Control is the highest privileged
>> entity, we'd rather run software in lower privileged places. Especially
>> something like xenconsoled which is receiving data from the domUs.
> 
> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
> Control Domain because the Control Domain is meant to be safe from
> interference. We want to keep the number of potential vehicles for
> interference down to a minimum and shared memory between Control Domain
> and DomUs is certainly a vehicle for interference.

As much as it is when xenconsoled runs in the hardware domain? Especially
if the hardware domain is also running e.g. PV backends or qemu instances?

Jan

On Mon, 16 Jun 2025, Jan Beulich wrote:
> On 14.06.2025 00:51, Stefano Stabellini wrote:
> > On Wed, 11 Jun 2025, Jason Andryuk wrote:
> >> On 2025-06-11 09:27, Jan Beulich wrote:
> >>> On 11.06.2025 00:57, Jason Andryuk wrote:
> >>>> Allow the hwdom to access the console, and to access physical
> >>>> information about the system.
> >>>>
> >>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
> >>>> permission would be required.
> >>>
> >>> Why would xenconsoled run in the hardware domain? It's purely a software
> >>> construct, isn't it? As a daemon, putting it in the control domain may
> >>> make sense. Otherwise it probably ought to go in a service domain.
> >>
> >> My approach has been to transform dom0 into the hardware domain and add a new
> >> control domain.  xenconsoled was left running in the hardware domain.
> > 
> > I think we should keep xenconsoled in the hardware domain because the
> > control domain should be just optional. (However, one could say that with
> > Denis' recent changes xenconsoled is also optional because one can use
> > console hypercalls or emulators (PL011, NS16550) for all DomUs.)
> > 
> > 
> > 
> >> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
> >> Hyperlaunch code populates the console grants to point at the hardware domain,
> >> and I just followed that.
> >>
> >> One aspect of why I left most things running in the Hardware domain was to not
> >> run things in the Control domain.  If Control is the highest privileged
> >> entity, we'd rather run software in lower privileged places. Especially
> >> something like xenconsoled which is receiving data from the domUs.
> > 
> > Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
> > Control Domain because the Control Domain is meant to be safe from
> > interference. We want to keep the number of potential vehicles for
> > interference down to a minimum and shared memory between Control Domain
> > and DomUs is certainly a vehicle for interference.
> 
> As much as it is when xenconsoled runs in the hardware domain? Especially
> if the hardware domain is also running e.g. PV backends or qemu instances?

It looks like you are thinking of the possible
interference from the Hardware Domain to the Control Domain via
xenconsoled, correct?

If that is the case, good thinking. I can see that you have really
understood the essence of the problem we are trying to solve.

That is not an issue because the Control Domain shouldn't use PV
console. Instead, it should use the console hypercall, or the
PL011/NS16550 emulators in Xen.

On 17.06.2025 02:10, Stefano Stabellini wrote:
> On Mon, 16 Jun 2025, Jan Beulich wrote:
>> On 14.06.2025 00:51, Stefano Stabellini wrote:
>>> On Wed, 11 Jun 2025, Jason Andryuk wrote:
>>>> On 2025-06-11 09:27, Jan Beulich wrote:
>>>>> On 11.06.2025 00:57, Jason Andryuk wrote:
>>>>>> Allow the hwdom to access the console, and to access physical
>>>>>> information about the system.
>>>>>>
>>>>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
>>>>>> permission would be required.
>>>>>
>>>>> Why would xenconsoled run in the hardware domain? It's purely a software
>>>>> construct, isn't it? As a daemon, putting it in the control domain may
>>>>> make sense. Otherwise it probably ought to go in a service domain.
>>>>
>>>> My approach has been to transform dom0 into the hardware domain and add a new
>>>> control domain.  xenconsoled was left running in the hardware domain.
>>>
>>> I think we should keep xenconsoled in the hardware domain because the
>>> control domain should be just optional. (However, one could say that with
>>> Denis' recent changes xenconsoled is also optional because one can use
>>> console hypercalls or emulators (PL011, NS16550) for all DomUs.)
>>>
>>>
>>>
>>>> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
>>>> Hyperlaunch code populates the console grants to point at the hardware domain,
>>>> and I just followed that.
>>>>
>>>> One aspect of why I left most things running in the Hardware domain was to not
>>>> run things in the Control domain.  If Control is the highest privileged
>>>> entity, we'd rather run software in lower privileged places. Especially
>>>> something like xenconsoled which is receiving data from the domUs.
>>>
>>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
>>> Control Domain because the Control Domain is meant to be safe from
>>> interference. We want to keep the number of potential vehicles for
>>> interference down to a minimum and shared memory between Control Domain
>>> and DomUs is certainly a vehicle for interference.
>>
>> As much as it is when xenconsoled runs in the hardware domain? Especially
>> if the hardware domain is also running e.g. PV backends or qemu instances?
> 
> It looks like you are thinking of the possible
> interference from the Hardware Domain to the Control Domain via
> xenconsoled, correct?

More like interference with the system as a whole, which simply includes
Control.

> If that is the case, good thinking. I can see that you have really
> understood the essence of the problem we are trying to solve.
> 
> That is not an issue because the Control Domain shouldn't use PV
> console. Instead, it should use the console hypercall, or the
> PL011/NS16550 emulators in Xen.

Well. I think the underlying concept of Control Domain being highly
privileged needs more general discussion. As indicated elsewhere, I
didn't think disaggregation (whichever way done) would leave any
domain with effectively full privilege. I wonder what others think.

Jan

On Tue, 17 Jun 2025, Jan Beulich wrote:
> On 17.06.2025 02:10, Stefano Stabellini wrote:
> > On Mon, 16 Jun 2025, Jan Beulich wrote:
> >> On 14.06.2025 00:51, Stefano Stabellini wrote:
> >>> On Wed, 11 Jun 2025, Jason Andryuk wrote:
> >>>> On 2025-06-11 09:27, Jan Beulich wrote:
> >>>>> On 11.06.2025 00:57, Jason Andryuk wrote:
> >>>>>> Allow the hwdom to access the console, and to access physical
> >>>>>> information about the system.
> >>>>>>
> >>>>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
> >>>>>> permission would be required.
> >>>>>
> >>>>> Why would xenconsoled run in the hardware domain? It's purely a software
> >>>>> construct, isn't it? As a daemon, putting it in the control domain may
> >>>>> make sense. Otherwise it probably ought to go in a service domain.
> >>>>
> >>>> My approach has been to transform dom0 into the hardware domain and add a new
> >>>> control domain.  xenconsoled was left running in the hardware domain.
> >>>
> >>> I think we should keep xenconsoled in the hardware domain because the
> >>> control domain should be just optional. (However, one could say that with
> >>> Denis' recent changes xenconsoled is also optional because one can use
> >>> console hypercalls or emulators (PL011, NS16550) for all DomUs.)
> >>>
> >>>
> >>>
> >>>> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
> >>>> Hyperlaunch code populates the console grants to point at the hardware domain,
> >>>> and I just followed that.
> >>>>
> >>>> One aspect of why I left most things running in the Hardware domain was to not
> >>>> run things in the Control domain.  If Control is the highest privileged
> >>>> entity, we'd rather run software in lower privileged places. Especially
> >>>> something like xenconsoled which is receiving data from the domUs.
> >>>
> >>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
> >>> Control Domain because the Control Domain is meant to be safe from
> >>> interference. We want to keep the number of potential vehicles for
> >>> interference down to a minimum and shared memory between Control Domain
> >>> and DomUs is certainly a vehicle for interference.
> >>
> >> As much as it is when xenconsoled runs in the hardware domain? Especially
> >> if the hardware domain is also running e.g. PV backends or qemu instances?
> > 
> > It looks like you are thinking of the possible
> > interference from the Hardware Domain to the Control Domain via
> > xenconsoled, correct?
> 
> More like interference with the system as a whole, which simply includes
> Control.
> 
> > If that is the case, good thinking. I can see that you have really
> > understood the essence of the problem we are trying to solve.
> > 
> > That is not an issue because the Control Domain shouldn't use PV
> > console. Instead, it should use the console hypercall, or the
> > PL011/NS16550 emulators in Xen.
> 
> Well. I think the underlying concept of Control Domain being highly
> privileged needs more general discussion. As indicated elsewhere, I
> didn't think disaggregation (whichever way done) would leave any
> domain with effectively full privilege. I wonder what others think.

Keep in mind that the threat model here is different from the
datacenter. 

But the Control Domain is optional. If the user doesn't want it, the
user can avoid it.

Even on a fully static system (no VM creation), it is convenient to have
a domain that can monitor the others and trigger domain reset (we are
reimplementing domain reboot to be more like a soft reset so that the VM
doesn't need to be destroyed and recreated). As an example, the Control
Domain could be used to monitor a non-safe domain such as Android,
detect an Android crash, and trigger an Android reboot.

On 19.06.2025 02:36, Stefano Stabellini wrote:
> On Tue, 17 Jun 2025, Jan Beulich wrote:
>> On 17.06.2025 02:10, Stefano Stabellini wrote:
>>> On Mon, 16 Jun 2025, Jan Beulich wrote:
>>>> On 14.06.2025 00:51, Stefano Stabellini wrote:
>>>>> On Wed, 11 Jun 2025, Jason Andryuk wrote:
>>>>>> On 2025-06-11 09:27, Jan Beulich wrote:
>>>>>>> On 11.06.2025 00:57, Jason Andryuk wrote:
>>>>>>>> Allow the hwdom to access the console, and to access physical
>>>>>>>> information about the system.
>>>>>>>>
>>>>>>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
>>>>>>>> permission would be required.
>>>>>>>
>>>>>>> Why would xenconsoled run in the hardware domain? It's purely a software
>>>>>>> construct, isn't it? As a daemon, putting it in the control domain may
>>>>>>> make sense. Otherwise it probably ought to go in a service domain.
>>>>>>
>>>>>> My approach has been to transform dom0 into the hardware domain and add a new
>>>>>> control domain.  xenconsoled was left running in the hardware domain.
>>>>>
>>>>> I think we should keep xenconsoled in the hardware domain because the
>>>>> control domain should be just optional. (However, one could say that with
>>>>> Denis' recent changes xenconsoled is also optional because one can use
>>>>> console hypercalls or emulators (PL011, NS16550) for all DomUs.)
>>>>>
>>>>>
>>>>>
>>>>>> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
>>>>>> Hyperlaunch code populates the console grants to point at the hardware domain,
>>>>>> and I just followed that.
>>>>>>
>>>>>> One aspect of why I left most things running in the Hardware domain was to not
>>>>>> run things in the Control domain.  If Control is the highest privileged
>>>>>> entity, we'd rather run software in lower privileged places. Especially
>>>>>> something like xenconsoled which is receiving data from the domUs.
>>>>>
>>>>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
>>>>> Control Domain because the Control Domain is meant to be safe from
>>>>> interference. We want to keep the number of potential vehicles for
>>>>> interference down to a minimum and shared memory between Control Domain
>>>>> and DomUs is certainly a vehicle for interference.
>>>>
>>>> As much as it is when xenconsoled runs in the hardware domain? Especially
>>>> if the hardware domain is also running e.g. PV backends or qemu instances?
>>>
>>> It looks like you are thinking of the possible
>>> interference from the Hardware Domain to the Control Domain via
>>> xenconsoled, correct?
>>
>> More like interference with the system as a whole, which simply includes
>> Control.
>>
>>> If that is the case, good thinking. I can see that you have really
>>> understood the essence of the problem we are trying to solve.
>>>
>>> That is not an issue because the Control Domain shouldn't use PV
>>> console. Instead, it should use the console hypercall, or the
>>> PL011/NS16550 emulators in Xen.
>>
>> Well. I think the underlying concept of Control Domain being highly
>> privileged needs more general discussion. As indicated elsewhere, I
>> didn't think disaggregation (whichever way done) would leave any
>> domain with effectively full privilege. I wonder what others think.
> 
> Keep in mind that the threat model here is different from the
> datacenter. 
> 
> But the Control Domain is optional. If the user doesn't want it, the
> user can avoid it.
> 
> Even on a fully static system (no VM creation), it is convenient to have
> a domain that can monitor the others and trigger domain reset (we are
> reimplementing domain reboot to be more like a soft reset so that the VM
> doesn't need to be destroyed and recreated).

Suggesting that in such an environment Control should have no permission
to create domains. This would avoid various threats, including e.g.
massive amounts of dynamic memory allocation.

> As an example, the Control
> Domain could be used to monitor a non-safe domain such as Android,
> detect an Android crash, and trigger an Android reboot.

Yet at the same time it would have to be prevented from interfering with
any of the critical domains.

Altogether this doesn't sound like "highest privilege" to me then.

Jan

On Fri, 20 Jun 2025, Jan Beulich wrote:
> On 19.06.2025 02:36, Stefano Stabellini wrote:
> > On Tue, 17 Jun 2025, Jan Beulich wrote:
> >> On 17.06.2025 02:10, Stefano Stabellini wrote:
> >>> On Mon, 16 Jun 2025, Jan Beulich wrote:
> >>>> On 14.06.2025 00:51, Stefano Stabellini wrote:
> >>>>> On Wed, 11 Jun 2025, Jason Andryuk wrote:
> >>>>>> On 2025-06-11 09:27, Jan Beulich wrote:
> >>>>>>> On 11.06.2025 00:57, Jason Andryuk wrote:
> >>>>>>>> Allow the hwdom to access the console, and to access physical
> >>>>>>>> information about the system.
> >>>>>>>>
> >>>>>>>> xenconsoled can read Xen's dmesg.  If it's in hwdom, then that
> >>>>>>>> permission would be required.
> >>>>>>>
> >>>>>>> Why would xenconsoled run in the hardware domain? It's purely a software
> >>>>>>> construct, isn't it? As a daemon, putting it in the control domain may
> >>>>>>> make sense. Otherwise it probably ought to go in a service domain.
> >>>>>>
> >>>>>> My approach has been to transform dom0 into the hardware domain and add a new
> >>>>>> control domain.  xenconsoled was left running in the hardware domain.
> >>>>>
> >>>>> I think we should keep xenconsoled in the hardware domain because the
> >>>>> control domain should be just optional. (However, one could say that with
> >>>>> Denis' recent changes xenconsoled is also optional because one can use
> >>>>> console hypercalls or emulators (PL011, NS16550) for all DomUs.)
> >>>>>
> >>>>>
> >>>>>
> >>>>>> I suppose it could move.  Maybe that would be fine?  I haven't tried. The
> >>>>>> Hyperlaunch code populates the console grants to point at the hardware domain,
> >>>>>> and I just followed that.
> >>>>>>
> >>>>>> One aspect of why I left most things running in the Hardware domain was to not
> >>>>>> run things in the Control domain.  If Control is the highest privileged
> >>>>>> entity, we'd rather run software in lower privileged places. Especially
> >>>>>> something like xenconsoled which is receiving data from the domUs.
> >>>>>
> >>>>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the
> >>>>> Control Domain because the Control Domain is meant to be safe from
> >>>>> interference. We want to keep the number of potential vehicles for
> >>>>> interference down to a minimum and shared memory between Control Domain
> >>>>> and DomUs is certainly a vehicle for interference.
> >>>>
> >>>> As much as it is when xenconsoled runs in the hardware domain? Especially
> >>>> if the hardware domain is also running e.g. PV backends or qemu instances?
> >>>
> >>> It looks like you are thinking of the possible
> >>> interference from the Hardware Domain to the Control Domain via
> >>> xenconsoled, correct?
> >>
> >> More like interference with the system as a whole, which simply includes
> >> Control.
> >>
> >>> If that is the case, good thinking. I can see that you have really
> >>> understood the essence of the problem we are trying to solve.
> >>>
> >>> That is not an issue because the Control Domain shouldn't use PV
> >>> console. Instead, it should use the console hypercall, or the
> >>> PL011/NS16550 emulators in Xen.
> >>
> >> Well. I think the underlying concept of Control Domain being highly
> >> privileged needs more general discussion. As indicated elsewhere, I
> >> didn't think disaggregation (whichever way done) would leave any
> >> domain with effectively full privilege. I wonder what others think.
> > 
> > Keep in mind that the threat model here is different from the
> > datacenter. 
> > 
> > But the Control Domain is optional. If the user doesn't want it, the
> > user can avoid it.
> > 
> > Even on a fully static system (no VM creation), it is convenient to have
> > a domain that can monitor the others and trigger domain reset (we are
> > reimplementing domain reboot to be more like a soft reset so that the VM
> > doesn't need to be destroyed and recreated).
> 
> Suggesting that in such an environment Control should have no permission
> to create domains. This would avoid various threats, including e.g.
> massive amounts of dynamic memory allocation.

+1


> > As an example, the Control
> > Domain could be used to monitor a non-safe domain such as Android,
> > detect an Android crash, and trigger an Android reboot.
> 
> Yet at the same time it would have to be prevented from interfering with
> any of the critical domains.
> 
> Altogether this doesn't sound like "highest privilege" to me then.

You are right. We should be more precise with our wording.