Xen project Mailing List

Re: [Xen-devel] [TESTDAY] PV / HVM pass-through works when IOMMU present; weird failures when not

From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

Date: Mon, 1 Jul 2013 15:15:28 +0100

Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Mon, 01 Jul 2013 14:15:55 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Mon, 1 Jul 2013, Jan Beulich wrote: > >>> On 01.07.13 at 14:15, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote: > > On Mon, Jul 1, 2013 at 11:53 AM, George Dunlap > > <george.dunlap@xxxxxxxxxxxxx> wrote: > >> On 28/06/13 17:00, Jan Beulich wrote: > >>>>>> > >>>>>> On 28.06.13 at 17:37, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> > >>>>>> wrote: > >>>> > >>>> - For HVM guests, the only user-visible indication tha the IOMMU has > >>>> been disabled is the following error message on the command-line: > >>>> > >>>> # xl pci-attach h0 07:00.0 > >>>> libxl: error: libxl_pci.c:949:do_pci_add: xc_assign_device failed > >>>> > >>>> However, the device itself ends up passed-through to the guest anyway; > >>>> the guest seems to be able to see it and interact with it normally. > >>>> This is particularly scary, as in theory this should not be possible > >>>> without a working IOMMU. > >>>> > >>>> I don't think this is a blocker for 4.3, but we should definitely > >>>> release note it, and for 4.4 add a check to see if there is a > >>>> functioning IOMMU and only add a device if there's an override set. > >>> > >>> To me this very much looks like a security problem (which I > >>> think we should fix asap). > >> > >> > >> Is it worth delaying the release (yet) another week for? > >> > >> Probably the simplest solution at the moment, if there's an easy way for > >> the > >> toolstack to figure out whether there is a working IOMMU or not, is to > >> simply not allow pass-through without an IOMMU unless there is an override > >> option. > > > > On further reflection, I think there isn't actually a security bug > > here: The promised behavior as of now is that if you really need to > > have an iommu, then you should specify "iommu=force". If I specify > > iommu=force, then of course Xen doesn't boot, and I can't trigger this > > problem. > > I disagree, not the least because the behavior was different with > xend: When there's no IOMMU, pass-through to HVM must not > happen (or we'd have to suppress bus mastering on any such > passed through device). > Pass-through to PV may happen, but is > insecure (as would be pass-through to HVM with disabled bus > mastering). I don't have an opinion on the release, but this is certainly true. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.