4 releases (breaking)

0.4.0 Sep 23, 2021
0.3.0 May 26, 2021
0.2.0 Mar 22, 2021
0.1.1 Oct 14, 2020
0.1.0 Sep 9, 2020

#1 in #emulation

Download history 1273/week @ 2021-07-03 874/week @ 2021-07-10 633/week @ 2021-07-17 1015/week @ 2021-07-24 1243/week @ 2021-07-31 889/week @ 2021-08-07 631/week @ 2021-08-14 892/week @ 2021-08-21 502/week @ 2021-08-28 1145/week @ 2021-09-04 900/week @ 2021-09-11 1077/week @ 2021-09-18 1066/week @ 2021-09-25 736/week @ 2021-10-02 1228/week @ 2021-10-09 1010/week @ 2021-10-16

3,738 downloads per month

Apache-2.0 OR BSD-3-Clause

81KB
981 lines

vm-superio

The vm-superio crate provides emulation for legacy devices. For now, it offers this support only for the Linux serial console, a minimal i8042 PS/2 Controller and an ARM PL031 Real Time Clock.

Serial Console

Design

The console emulation is done by emulating a simple UART 16550A serial port with a 64-byte FIFO. This UART is an improvement of the original UART 8250 serial port, mostly because of the FIFO buffers that allow storing more than one byte at a time, which, in virtualized environments, is essential.

For a VMM to be able to use this device, besides the emulation part which is covered in this crate, the VMM needs to do the following operations:

  • add the serial port to the Bus (either PIO or MMIO)
  • define the serial backend
  • event handling (optional)

The following UART registers are emulated via the Serial structure: DLL, IER, DLH, IIR, LCR, LSR, MCR, MSR and SR (a brief, but nice presentation about these, here). The Fifo Control Register (FCR) is not emulated; there is no support yet for directly controlling the FIFOs (which, in this implementation, are always enabled). The serial console implements only the RX FIFO (and its corresponding RBR register). The RX buffer helps in testing the UART when running in loopback mode and for sending more bytes to the guest in one shot. The TX FIFO is trivially implemented by immediately writing a byte coming from the driver to an io::Write object (out), which can be, for example, io::Stdout or io::Sink. This object has to be provided when initializing the serial console. A Trigger object is the currently used mechanism for notifying the driver about in/out events that need to be handled.

Threat model

Trusted actors:

  • host kernel

Untrusted actors:

  • guest kernel
  • guest drivers

The untrusted actors can change the state of the device through reads and writes on the Bus at the address where the device resides.

#NR Threat Mitigation
1 A malicious guest generates large memory allocations by flooding the serial console input. CVE-2020-27173 The serial console limits the number of elements in the FIFO corresponding to the serial console input to FIFO_SIZE (=64), returning a FIFO Full error when the limit is reached. This error MUST be handled by the crate customer. When the serial console input is connected to an event loop, the customer MUST ensure that the loop is not flooded with events coming from untrusted sources when no space is available in the FIFO.
2 A malicious guest can fill up the host disk by generating a high amount of data to be written to the serial output. Mitigation is not possible at the emulation layer because we are not controlling the output (Writer). This needs to be mitigated at the VMM level by adding a rate limiting mechanism. We recommend using as output a resource that has a fixed size (e.g. ring buffer or a named pipe).

Usage

The interaction between the serial console and its driver, at the emulation level, is done by the two read and write specific methods, which handle one byte accesses. For sending more input, enqueue_raw_bytes can be used.

i8042 PS/2 Controller

The i8042 PS/2 controller emulates, at this point, only the CPU reset command which is needed for announcing the VMM about the guest's shutdown.

ARM PL031 Real Time Clock

This module emulates the ARM PrimeCell Real Time Clock (RTC) PL031. The PL031 provides a long time base counter with a 1HZ counter signal and a configurable offset.

This implementation emulates all control, peripheral ID, and PrimeCell ID registers; however, the interrupt based on the value of the Match Register (RTCMR) is not currently implemented (i.e., setting the Match Register has no effect).

For a VMM to be able to use this device, the VMM needs to do the following:

  • add the RTC to the Bus (either PIO or MMIO)
  • provide a structure that implements RTCEvents to track the occurrence of significant events (optional)

Note that because the Match Register is the only possible source of an event, and the Match Register is not currently implemented, no event handling is required.

Threat model

Trusted actors:

  • host kernel

Untrusted actors:

  • guest kernel
  • guest drivers

The untrusted actors can change the state of the device through reads and writes on the Bus at the address where the device resides.

#NR Threat Mitigation
1 A malicious guest writes invalid values in the Load Register to cause overflows on subsequent reads of the Data Register. The arithmetic operations in the RTC are checked for overflows. When such a situation occurs, the state of the device is reset.
2 A malicious guest performs reads and writes from invalid offsets (that do not correspond to the RTC registers) to cause crashes or to get access to data. Reads and writes of invalid offsets are denied by the emulation, and an invalid_read/write event is called. These events can be implemented by VMMs, and extend them to generate alarms (and for example stop the execution of the malicious guest).

License

This project is licensed under either of

No runtime deps