Hi Ralf,
On 15.10.19 18:22, Ralf Ramsauer wrote:
From: Andrej Utz <andrej....@st.oth-regensburg.de>
This replaces the former static port list with actual port regions as listed in
/proc/ioports.
A whitelist selectively allows access to known ports (if present). PCI devices
above 0xcff are permitted as well.
However, not all ports that are in use are listed in ioports, so the generated
list may still need further tuning.
Signed-off-by: Andrej Utz <andrej....@st.oth-regensburg.de>
[ralf: s/permitted/whitelist/, autodetect VGA, whitelist serial,
whitelist PCI devices, amend commit message, improve __str__ methods,
ensure pep8 conformity]
Signed-off-by: Ralf Ramsauer <ralf.ramsa...@oth-regensburg.de>
---
pyjailhouse/sysfs_parser.py | 89 +++++++++++++++++++++++++++++++++++
tools/jailhouse-config-create | 15 +-----
tools/root-cell-config.c.tmpl | 12 ++---
3 files changed, 96 insertions(+), 20 deletions(-)
diff --git a/pyjailhouse/sysfs_parser.py b/pyjailhouse/sysfs_parser.py
index 1d00f364..3cefc2c7 100644
--- a/pyjailhouse/sysfs_parser.py
+++ b/pyjailhouse/sysfs_parser.py
@@ -18,6 +18,7 @@
# to change the generated C-code.
+import re
import struct
import os
import fnmatch
@@ -25,6 +26,7 @@ import fnmatch
from .pci_defs import PCI_CAP_ID, PCI_EXT_CAP_ID
root_dir = "/"
+bdf_regex = re.compile(r'\w{4}:\w{2}:\w{2}\.\w')
def set_root_dir(dir):
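Review bot: `bdf_regex` uses `\w` for the domain/bus/device/function fields, which also accepts underscores and non-hex letters; since this pattern is what classifies a /proc/ioports entry as a PCI device (and thereby permits it to the root cell above 0xd00 in `parse_ioports`), a stricter `r'[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]'` documents the intent and cannot be satisfied by an unrelated name that merely has this shape. `re.match` anchors at the start only, so a name with a trailing suffix still matches; that is presumably intended, but a one-line comment such as `# matches a PCI BDF like 0000:00:1f.3 at the start of an ioports entry name` would make it explicit.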
@@ -147,6 +149,65 @@ def parse_iomem(pcidevices):
return ret, dmar_regions
+def ioports_search_pci_devices(tree):
+ ret = []
+
+ if tree.region and bdf_regex.match(tree.region.typestr):
+ ret.append(tree.region)
+ else:
+ for subtree in tree:
+ ret += ioports_search_pci_devices(subtree)
+
+ return ret
+
+
+def parse_ioports():
+ tree = IORegionTree.parse_io_file('/proc/ioports', PortRegion)
+
+ pm_timer_base = tree.find_regions_by_name('ACPI PM_TMR')
+ if len(pm_timer_base) != 1:
+ raise RuntimeError('Found %u entries for ACPI PM_TMR (expected 1)' %
+ len(pm_timer_base))
+ pm_timer_base = pm_timer_base[0].start
+
+ leaves = tree.get_leaves()
+
+ # Never expose PCI config space ports to the user
+ leaves = list(filter(lambda p: p.start != 0xcf8, leaves))
+
+ # Drop everything above 0xd00
+ leaves = list(filter(lambda p: p.start < 0xd00, leaves))
+
+ whitelist = [
+ 0x40, # PIT
+ 0x60, # keyboard
+ 0x61, # HACK: NMI status/control
+ 0x64, # I8042
+ 0x70, # RTC
+ 0x2f8, # serial
+ 0x3f8, # serial
I see you added the onboard UARTs to the whitelist. Shouldn't we
disallow them if they collide with Jailhouse' own debug port?
Thanks,
Andrej Utz
+ ]
+
+ pci_devices = ioports_search_pci_devices(tree)
+
+ # Drop devices below 0xd00 as leaves already contains them. Access should
+ # not be permitted by default.
+ pci_devices = list(filter(lambda p: p.start >= 0xd00, pci_devices))
+ for pci_device in pci_devices:
+ pci_device.permit = True
+
+ for r in leaves:
+ typestr = r.typestr.lower()
+ if r.start in whitelist or \
+ True in [vga in typestr for vga in ['vesa', 'vga']]:
+ r.permit = True
+
+ leaves += pci_devices
+ leaves.sort(key=lambda r: r.start)
+
+ return leaves, pm_timer_base
+
+
def parse_pcidevices():
int_src_cnt = 0
devices = []
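Review bot: The `leaves = list(filter(lambda p: p.start != 0xcf8, leaves))` line drops only a leaf whose start is exactly 0xcf8, so any leaf that overlaps the 0xcf8-0xcff config-space window without starting there (a separate 0xcfc data-port entry, or a region beginning below 0xcf8 and running into it) survives and is permitted if its start happens to be whitelisted; whether a real /proc/ioports produces such an entry I cannot tell from here, but the comment says "never", so filtering by overlap is the safe form: `leaves = [p for p in leaves if p.stop < 0xcf8 or p.start > 0xcff]`. The whitelist loop has the same start-only weakness: a region starting at 0x70 but extending well past the RTC pair is permitted as a whole, so consider also bounding `r.stop` against the expected span of each whitelisted port group. The VGA test `True in [vga in typestr for vga in ['vesa', 'vga']]` is more idiomatic and clearer as `any(v in typestr for v in ('vesa', 'vga'))`. `parse_ioports` also deserves a docstring stating that it returns `(regions sorted by start, pm_timer_base)` and raises `RuntimeError` unless exactly one `ACPI PM_TMR` entry is found.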
@@ -831,6 +892,19 @@ class MemRegion(IORegion):
return 'JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE'
+class PortRegion(IORegion):
+ def __init__(self, start, stop, typestr, permit=False, comments=None):
+ super(PortRegion, self).__init__(start, stop, typestr, comments)
+ self.permit = permit
+
+ def __str__(self):
+ return 'Port I/O: %04x-%04x : %s' % \
+ (self.start, self.stop, super(PortRegion, self).__str__())
+
+ def size(self):
+ return super(PortRegion, self).size() + 1
+
+
class IOAPIC:
def __init__(self, id, address, gsi_base, iommu=0, bdf=0):
self.id = id
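Review bot: `PortRegion.__init__` inserts `permit` ahead of `comments`, so its positional signature no longer lines up with `IORegion(start, stop, typestr, comments)`; if `IORegionTree.parse_io_file` (outside this hunk) constructs the region class positionally with a comments argument, that value silently lands in `permit` and is truthy. Keeping the base order and appending the new field avoids that: `def __init__(self, start, stop, typestr, comments=None, permit=False):`. The class also lacks a docstring; I would add `"""I/O-port region parsed from /proc/ioports; permit marks it for a PIO_RANGE in the generated root-cell config."""`, and a comment on `size()` noting that the +1 is there because stop is presumably the last port of the range, so `stop - start` alone under-counts by one.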
@@ -854,6 +928,21 @@ class IORegionTree:
self.parent = None
self.children = []
+ def __iter__(self):
+ for child in self.children:
+ yield child
+
+ def get_leaves(self):
+ leaves = []
+
+ if len(self.children):
+ for child in self.children:
+ leaves.extend(child.get_leaves())
+ elif self.region is not None:
+ leaves.append(self.region)
+
+ return leaves
+
# find specific regions in tree
def find_regions_by_name(self, name):
regions = []
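Review bot: `get_leaves` tests `if len(self.children):` where the idiomatic form is `if self.children:`, and `__iter__` can simply be `return iter(self.children)`. Neither method has a docstring; I would add `"""Return the regions of all leaf nodes, depth-first."""` on `get_leaves` and note in it that a childless node whose `region` is `None` (presumably the root of an empty tree) contributes nothing, since that is the only case that yields an empty list.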
diff --git a/tools/jailhouse-config-create b/tools/jailhouse-config-create
index c3226dde..250785af 100755
--- a/tools/jailhouse-config-create
+++ b/tools/jailhouse-config-create
@@ -162,18 +162,6 @@ def count_cpus():
count += 1
return count
-
-def parse_ioports():
- pm_timer_base = None
- f = sysfs_parser.input_open('/proc/ioports')
- for line in f:
- if line.endswith('ACPI PM_TMR\n'):
- pm_timer_base = int(line.split('-')[0], 16)
- break
- f.close()
- return pm_timer_base
-
-
class MMConfig:
def __init__(self, base, end_bus):
self.base = base
@@ -302,7 +290,7 @@ mem_regions.append(inmatereg)
cpucount = count_cpus()
-pm_timer_base = parse_ioports()
+port_regions, pm_timer_base = sysfs_parser.parse_ioports()
debug_console = DebugConsole(options.console)
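Review bot: `sysfs_parser.parse_ioports()` raises `RuntimeError` unless `ACPI PM_TMR` appears exactly once, whereas the local `parse_ioports` removed above returned `None` and let generation continue; this call site does not catch it, so on such hosts `jailhouse-config-create` now aborts with a traceback. That is arguably the safer outcome (a config with a missing PM timer base would be worse), but the commit message should say so, and turning it into a one-line error here, e.g. `except RuntimeError as e: sys.exit(str(e))`, would be friendlier than a traceback.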
@@ -312,6 +300,7 @@ tmpl = Template(filename=os.path.join(options.template_dir,
'root-cell-config.c.tmpl'))
kwargs = {
'mem_regions': mem_regions,
+ 'port_regions': port_regions,
'ourmem': ourmem,
'argstr': ' '.join(sys.argv),
'hvmem': hvmem,
diff --git a/tools/root-cell-config.c.tmpl b/tools/root-cell-config.c.tmpl
index d884089a..8f654fa7 100644
--- a/tools/root-cell-config.c.tmpl
+++ b/tools/root-cell-config.c.tmpl
@@ -47,7 +47,7 @@ struct {
__u64 cpus[${int((cpucount + 63) / 64)}];
struct jailhouse_memory mem_regions[${len(mem_regions)}];
struct jailhouse_irqchip irqchips[${len(irqchips)}];
- struct jailhouse_pio pio_regions[6];
+ struct jailhouse_pio pio_regions[${len([1 for r in port_regions if
r.permit])}];
struct jailhouse_pci_device pci_devices[${len(pcidevices)}];
struct jailhouse_pci_capability pci_caps[${len(pcicaps)}];
} __attribute__((packed)) config = {
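Review bot: `pio_regions[${len([1 for r in port_regions if r.permit])}]` sizes the array from the permitted count, so a host where nothing is permitted yields `pio_regions[0]`, a zero-length array that is a GNU extension and pairs with an empty `.pio_regions = { ... }` initializer further down. Whether the Jailhouse config loader accepts a zero-entry PIO table I cannot tell from here; if it does not, the generator should fail loudly rather than emit it. The count reads more naturally as `${sum(1 for r in port_regions if r.permit)}`.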
@@ -154,12 +154,10 @@ struct {
},
.pio_regions = {
- PIO_RANGE(0x40, 4), /* PIT */
- PIO_RANGE(0x60, 2), /* HACK: NMI status/control */
- PIO_RANGE(0x64, 1), /* I8042 */
- PIO_RANGE(0x70, 2), /* RTC */
- PIO_RANGE(0x3b0, 0x30), /* VGA */
- PIO_RANGE(0xd00, 0xf300), /* HACK: PCI bus */
+ % for r in port_regions:
+ /* ${str(r)} */
+ ${'' if r.permit else '/* '}PIO_RANGE(${r.start_str()},
${r.size_str()}),${'' if r.permit else ' */'}
+ % endfor
},
.pci_devices = {
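Review bot: The `/* ${str(r)} */` line embeds the region name from /proc/ioports verbatim inside a C block comment, so a typestr containing `*/` would terminate the comment early and break the generated file. The names come from the kernel rather than from an untrusted user, so this is a robustness rather than a trust issue, but sanitizing at the template boundary is cheap: `/* ${str(r).replace('*/', '* /')} */`. A non-permitted entry emits `/* PIO_RANGE(...), */` on a separate line, which is fine, but a short lead-in comment in the generated block saying that commented-out ranges were found in /proc/ioports and deliberately not granted would help whoever hand-tunes the config later, as the commit message anticipates.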
--