Re: [Xen-devel] [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode
> > Need to have separate warning/error level for relax/strict.
> >
> > However I don't think this patch is a right fix. So far relax/strict policy
> > is per-domain. What about one VM specifies relax while another VM
> > specifies strict when each is assigned with a device sharing rmrr
> > with the other? In that case it becomes a system-wide security hole.
>
> The one specifying "strict" won't get its device assigned (due to
> the code above, taking the path that was there already without
> the patch), so I don't see the security issue.

Agreed. A VM can't get such device assigned in the first place, so the hypothetical scenario doesn't exist.

Sorry it's a bad example. My actual concern is that we can't count on this per-VM relax/strict policy to prevent group devices assigned to different VM. In that case it's definitely a security hole since one VM may clobber shared RMRR to impact another VM. So right example for that scenario is both VMs specified with 'relax'.

What if one of group devices is still owned by Dom0?

Thanks
Tiejun
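The concern raised in this thread, as an added example that is not Xen code and not part of the original message: a simplified model contrasting the per-domain relax/strict check with a check on who owns the other devices sharing the same RMRR. All names are hypothetical, and refusing when a sibling device is still owned by Dom0 is an assumption, since the thread leaves that question open.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; every name here is hypothetical. */
enum rmrr_policy { POLICY_STRICT, POLICY_RELAXED };
#define DOM0 0

struct device {
    int rmrr_group; /* devices with the same id share one RMRR; -1 = no RMRR */
    int owner;      /* domain id that currently owns the device */
};

static bool shares_rmrr(const struct device *d, size_t n, size_t idx)
{
    if (d[idx].rmrr_group < 0)
        return false;
    for (size_t i = 0; i < n; i++)
        if (i != idx && d[i].rmrr_group == d[idx].rmrr_group)
            return true;
    return false;
}

/* Per-domain policy only: strict refuses a device that shares an RMRR,
 * relaxed accepts it without looking at who owns the sibling devices. */
bool policy_only_allows(const struct device *d, size_t n, size_t idx,
                        enum rmrr_policy p)
{
    return p == POLICY_RELAXED || !shares_rmrr(d, n, idx);
}

/* Group-aware check (assumed rule): every other device sharing the RMRR
 * must already belong to the target domain, so Dom0 ownership also refuses. */
bool group_check_allows(const struct device *d, size_t n, size_t idx, int target)
{
    if (d[idx].rmrr_group < 0)
        return true;
    for (size_t i = 0; i < n; i++)
        if (i != idx && d[i].rmrr_group == d[idx].rmrr_group &&
            d[i].owner != target)
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample: dev0 and dev1 share an RMRR; dev0 already went to
     * domain 1 under 'relax'. Domain 2, also 'relax', now asks for dev1. */
    struct device devs[] = { {1, 1}, {1, DOM0}, {-1, DOM0} };
    printf("policy only: %d\n", policy_only_allows(devs, 3, 1, POLICY_RELAXED));
    printf("group check: %d\n", group_check_allows(devs, 3, 1, 2));
    return 0;
}
```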