[Xen-changelog] [xen-unstable] xend: passthrough: add an option pci-passthrough-strict-check
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1252327968 -3600 # Node ID f3076870465ff9953697aa2c9c1440e8058bc4e2 # Parent 7c8a33ed6decd74ef7de1e9e7941ac353e51aa0b xend: passthrough: add an option pci-passthrough-strict-check Currently when assigning device to HVM guest, we use the strict check for HVM guest by default.(For PV guest we use loose check automatically if necessary.) When we assign device to HVM guest, if we meet with the co-assignment issues or the ACS issue (see changeset 20081: 4a517458406f), we could try changing the option to 'no' -- however, we have to realize this may incur security issue and we can't make sure the device assignment could really work properly even after we do this. The option is located in /etc/xen/xend-config.sxp: (pci-passthrough-strict-check yes) Signed-off-by: Dexuan Cui <dexuan.cui@xxxxxxxxx> --- tools/examples/xend-config.sxp | 7 +++++++ tools/python/xen/util/pci.py | 6 +++++- tools/python/xen/xend/XendDomainInfo.py | 5 ++++- tools/python/xen/xend/XendOptions.py | 7 +++++++ tools/python/xen/xend/server/pciif.py | 14 ++++++++++++-- 5 files changed, 35 insertions(+), 4 deletions(-)
diff -r 7c8a33ed6dec -r f3076870465f tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp Mon Sep 07 13:52:17 2009 +0100
+++ b/tools/examples/xend-config.sxp Mon Sep 07 13:52:48 2009 +0100
@@ -260,3 +260,10 @@
 #(device-create-timeout 100)
 #(device-destroy-timeout 100)
+# When assigning device to HVM guest, we use the strict check for HVM guest by
+# default. (For PV guest, we use loose check automatically if necessary.)
+# When we assign device to HVM guest, if we meet with the co-assignment
+# issues or the ACS issue, we could try changing the option to 'no' -- however,
+# we have to realize this may incur security issue and we can't make sure the
+# device assignment could really work properly even after we do this.
+#(pci-passthrough-strict-check yes)
diff -r 7c8a33ed6dec -r f3076870465f tools/python/xen/util/pci.py
--- a/tools/python/xen/util/pci.py Mon Sep 07 13:52:17 2009 +0100
+++ b/tools/python/xen/util/pci.py Mon Sep 07 13:52:48 2009 +0100
@@ -1065,7 +1065,7 @@ class PciDevice:
 ', but it is not owned by pciback or pci-stub.'
 raise PciDeviceAssignmentError(err_msg % (pci_dev, self.name))
- def do_FLR(self, is_hvm):
+ def do_FLR(self, is_hvm, strict_check):
 """ Perform FLR (Functional Level Reset) for the device. """
 if self.dev_type == DEV_TYPE_PCIe_ENDPOINT:
@@ -1084,6 +1084,8 @@ class PciDevice:
 funcs = self.find_all_the_multi_functions()
 if not is_hvm and (len(funcs) > 1):
+ return
+ if is_hvm and not strict_check:
 return
 self.devs_check_driver(funcs)
@@ -1112,6 +1114,8 @@ class PciDevice:
 del devs[0]
 if not is_hvm and (len(devs) > 1):
+ return
+ if is_hvm and not strict_check:
 return
 self.devs_check_driver(devs)
diff -r 7c8a33ed6dec -r f3076870465f tools/python/xen/xend/XendDomainInfo.py
--- a/tools/python/xen/xend/XendDomainInfo.py Mon Sep 07 13:52:17 2009 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py Mon Sep 07 13:52:48 2009 +0100
@@ -311,7 +311,7 @@ def do_FLR(domid, is_hvm):
 except Exception, e:
 raise VmError("pci: failed to locate device and "+
 "parse it's resources - "+str(e))
- dev.do_FLR(is_hvm)
+ dev.do_FLR(is_hvm, xoptions.get_pci_dev_assign_strict_check())
 class XendDomainInfo:
 """An object represents a domain.
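Review bot: The comment block added for `pci-passthrough-strict-check` says that `no` "may incur security issue" but never says which checks are switched off. Going by the pciif.py hunks of this changeset, `no` lets an HVM guest receive a device behind a PCIe switch that lacks ACS and skips the co-assignment checks, so the admin-facing text should state that. I would add a line such as `# 'no' skips the ACS check and the co-assignment checks for HVM guests.` above the option.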
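Review bot: The new `if is_hvm and not strict_check: return` in hunk -1084 leaves do_FLR for every HVM device that reaches this branch, including one where `len(funcs)` is 1 and there is nothing to co-assign, whereas the PV test just above returns only when `len(funcs) > 1`. The return sits before `self.devs_check_driver(funcs)`, and whatever reset follows that call outside the hunk is presumably skipped as well; that matters because the deassign path in pciif.py (hunk -466) relies on this call to terminate DMA before the device is released. Keeping the loose path limited to the multi-function case would read `if (not is_hvm or not strict_check) and len(funcs) > 1: return`, and the same applies to the `devs` test in hunk -1112. do_FLR begins in hunk -1065 and continues past these hunks.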
@@ -709,6 +709,9 @@ class XendDomainInfo:
 # PV guest has less checkings.
 if not self.info.is_hvm():
+ return
+
+ if not xoptions.get_pci_dev_assign_strict_check():
 return
 # Check if there is intermediate PCIe switch bewteen the device and
diff -r 7c8a33ed6dec -r f3076870465f tools/python/xen/xend/XendOptions.py
--- a/tools/python/xen/xend/XendOptions.py Mon Sep 07 13:52:17 2009 +0100
+++ b/tools/python/xen/xend/XendOptions.py Mon Sep 07 13:52:48 2009 +0100
@@ -148,6 +148,10 @@ class XendOptions:
 """Default timeout for device destruction."""
 device_destroy_timeout_default = 100
+ """By default, we use the strict check for HVM guest. (For PV guest, we
+ use loose check automatically if necessary."""
+ pci_dev_assign_strict_check_default = True
+
 def __init__(self):
 self.configure()
@@ -413,6 +417,9 @@ class XendOptions:
 return self.get_config_int("device-destroy-timeout",
 self.device_destroy_timeout_default)
+ def get_pci_dev_assign_strict_check(self):
+ return self.get_config_bool("pci-passthrough-strict-check",
+ self.pci_dev_assign_strict_check_default)
 class XendOptionsFile(XendOptions):
diff -r 7c8a33ed6dec -r f3076870465f tools/python/xen/xend/server/pciif.py
--- a/tools/python/xen/xend/server/pciif.py Mon Sep 07 13:52:17 2009 +0100
+++ b/tools/python/xen/xend/server/pciif.py Mon Sep 07 13:52:48 2009 +0100
@@ -21,6 +21,9 @@ import time
 import time
 from xen.xend import sxp
+from xen.xend import XendOptions
+xoptions = XendOptions.instance()
+
 from xen.xend import arch
 from xen.xend.XendError import VmError
 from xen.xend.XendLogging import log
@@ -356,6 +359,7 @@ class PciController(DevController):
 if len(pci_str_list) != len(set(pci_str_list)):
 raise VmError('pci: duplicate devices specified in guest config?')
+ strict_check = xoptions.get_pci_dev_assign_strict_check()
 for pci_dev in pci_dev_list:
 try:
 dev = PciDevice(pci_dev)
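Review bot: Returning early when `xoptions.get_pci_dev_assign_strict_check()` is false skips the PCIe-switch check that follows without leaving any trace, so nothing in the xend log shows that an HVM guest was given a device with the strict checks relaxed. A one-line warning before the `return` would make that auditable, for example `log.warn('pci: pci-passthrough-strict-check is off; skipping strict passthrough checks')`, assuming the module's `log` is in scope here as it is in pciif.py. The same silent skip occurs at the `and strict_check` condition and the two `if not strict_check: continue` lines in pciif.py (hunks -365, -381 and -405), where `dev.name` is available for the message. The enclosing method starts and ends outside this hunk.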
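Review bot: The string that documents `pci_dev_assign_strict_check_default` in hunk -148 opens a parenthesis at `(For PV guest` and never closes it, and the new `get_pci_dev_assign_strict_check` in hunk -413 has no docstring at all. I would end the first string with `automatically if necessary.)"""` and give the getter a docstring such as `"""Return True if the strict PCI passthrough checks apply to HVM guests (config key pci-passthrough-strict-check)."""`. That docstring is also the place to record that the config key says `passthrough` while the Python names say `dev_assign`, since a reader grepping for one will not find the other.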
@@ -365,7 +369,8 @@ class PciController(DevController):
 # Check if there is intermediate PCIe switch bewteen the device and
 # Root Complex.
- if self.vm.info.is_hvm() and dev.is_behind_switch_lacking_acs():
+ if self.vm.info.is_hvm() and dev.is_behind_switch_lacking_acs() \
+ and strict_check:
 err_msg = 'pci: to avoid potential security issue, %s is not'+\
 ' allowed to be assigned to guest since it is behind'+\
 ' PCIe switch that does not support or enable ACS.'
@@ -381,6 +386,8 @@ class PciController(DevController):
 log.warn(err_msg % dev.name)
 else:
 if not self.vm.info.is_hvm():
+ continue
+ if not strict_check:
 continue
 funcs = dev.find_all_the_multi_functions()
@@ -405,6 +412,8 @@ class PciController(DevController):
 else:
 if not self.vm.info.is_hvm():
 continue
+ if not strict_check:
+ continue
 # All devices behind the uppermost PCI/PCI-X bridge must be\
 # co-assigned to the same guest.
@@ -466,7 +475,8 @@ class PciController(DevController):
 # Need to do FLR here before deassign device in order to terminate
 # DMA transaction, etc
- dev.do_FLR(self.vm.info.is_hvm())
+ dev.do_FLR(self.vm.info.is_hvm(),
+ xoptions.get_pci_dev_assign_strict_check())
 bdf = xc.deassign_device(fe_domid, pci_dict_to_xc_str(pci_dev))
 pci_str = pci_dict_to_bdf_str(pci_dev)
_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog