[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 0/2] AMD IOMMU: XSA-36 follow ups

To: "Jan Beulich" <JBeulich@xxxxxxxx>
From: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
Date: Fri, 8 Feb 2013 18:10:19 +0100
Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, sherry.hurwitz@xxxxxxx, suravee.suthikulpanit@xxxxxxx, xiantao.zhang@xxxxxxxxx, xen-devel@xxxxxxxxxxxxx
Delivery-date: Fri, 08 Feb 2013 17:10:37 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Friday, February 8, 2013, 5:48:41 PM, you wrote:

>>>> On 08.02.13 at 15:29, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> wrote:

>> ----- JBeulich@xxxxxxxx wrote:
>> 
>>> >>> On 06.02.13 at 14:04, "Jan Beulich" <JBeulich@xxxxxxxx> wrote:
>>> > A regression was reported on a class of broken firmware that c/s
>>> > 26517:601139e2b0db didn't consider, leading to a boot time crash.
>>> 
>>> After some more thought on this and the comments we got
>>> regarding disabling the IOMMU in this situation altogether making
>>> things worse instead of better, I came to the conclusion that we
>>> can actually restrict the action in affected cases to just disabling
>>> interrupt remapping. That doesn't make the situation worse than
>>> prior to the XSA-36 fixes (where interrupt remapping didn't really
>>> protect domains from one another), but allows at least DMA
>>> isolation to still be utilized. Patch 3/2 below/attached.
>> 
>> But now users who don't examine log messages may not realize 
>> that interupt remapping is disabled and therefore the system can be
>> affected by XSA-36.

> Yes. We need to balance these against one another - I see pros
> and cons in both (and I don't mind dropping this additional patch
> if we collectively come to the conclusion that the way it is now -
> with the one earlier fix - is the better state). So I'm really
> interested in others' opinions.

One argument pro could be that linux seems to do the same (only disable 
interrupt remapping)

>> With current code (boot option to use global remapping table) users
>> are explicitly agreeing to allow for possibility of cross-domain interrupt
>> attack.
>> 
>> Also, I think it may not be a bad idea to have AMD folks test you earlier
>> patch on multi-IOMMU system (and simulate bad IVRS) to see how it behaves 
>> there.

And getting mainbord / bios manufactures actually support stuff .. instead of 
giving some nice disinformation.
Fresh from MSI techsupport:

Posted:         2013-02-09 00:11:38 (GMT+8),MSI
Content:        CPU virtualization (SVM) should be possible on the 890FXA-GD70. 
I/O virtualization (IOMMU) is support on the MSI's AMD 900-series. IOMMU will 
not be possible on MSI's AMD 800 series.

In short .. buy a new mainboard and pray .. pray hard .. that it works out of 
the box

> That would indeed be very desirable.

> Jan





_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- Re: [Xen-devel] [PATCH 0/2] AMD IOMMU: XSA-36 follow ups
  - From: Boris Ostrovsky
- Re: [Xen-devel] [PATCH 0/2] AMD IOMMU: XSA-36 follow ups
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH 04/13] xen: sync public headers
Next by Date: [Xen-devel] [PATCH 0 of 3] blktap3/libxl: add support for blktap3 in libxl
Previous by thread: Re: [Xen-devel] [PATCH 0/2] AMD IOMMU: XSA-36 follow ups
Next by thread: Re: [Xen-devel] [PATCH 0/2] AMD IOMMU: XSA-36 follow ups
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.