[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI

To: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Ian Pratt <Ian.Pratt@xxxxxxxxxxxxx>
From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date: Tue, 24 May 2011 12:35:16 -0700
Accept-language: en-US
Acceptlanguage: en-US
Cc: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>, Tim, Deegan <Tim.Deegan@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>
Delivery-date: Tue, 24 May 2011 12:35:58 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
Thread-index: AcwaNglNf8NdxHwYTJu1npm/ttLCxQAEiIFQ
Thread-topic: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI

> From: Ian Jackson [mailto:Ian.Jackson@xxxxxxxxxxxxx]
> Sent: Tuesday, May 24, 2011 10:14 AM
> 
> Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d 
> (PCI passthrough)
> MSI"):
> > My inclination would be such that iommu=force is allowed on non IR
> > systems, but where IR is expected to be present e.g. sandybridge
> > generation we insist that it is enabled (i.e. that the BIOS supports
> > it).
> 
> I don't think that's a conceptually coherent point of view, unless the 
> purpose is to avoid
> marketing embarrassment.
> 
> Either IR is required for a secure system with passthrough, in which case 
> iommu=force should
> require IR, or it is not required for a secure system with passthrough, in 
> which case iommu=force
> should not insist on it.

None of the proposed patches check for whether passthrough is being used.  Nor 
can they check whether it is being used safely (it may be used for performance 
by domains that are trusted).

Whether IR is required for a secure system with passthrough depends on the 
usage model (as I indicated in an earlier email).  The user/distributor should 
decide whether their usage model requires it or not.  If it does, then all they 
need to do is run on HW that supports IR (and if they're worried about the 
pre-OS attack then use TXT, which would be necessary anyway).

> Whether it is required for security doesn't depend on whether it is actually 
> available.  That
> there are some motherboards which cannot do passthrough securely does not 
> mean that we should
> allow users of those boards to be led up the garden path.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Ian Jackson
- Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Keir Fraser
- RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Ian Pratt
- RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Ian Jackson

Prev by Date: Re: xl/xm save -c fails - set_vcpucontext EOPNOTSUPP (was Re: [Xen-devel] xl save -c issues with Windows 7 Ultimate)
Next by Date: Re: [Xen-devel] New 4.0.2 and 4.1.1 release candidates
Previous by thread: RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Next by thread: [Xen-devel] [PATCH] x86: further adjustments to arch_set_info_guest() after c/s 23142:f5e8d152a565
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.