Re: [Xen-devel] [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode



>>> On 11.09.15 at 01:22, <kevin.tian@xxxxxxxxx> wrote:
> Sorry, it's a bad example. My actual concern is that we can't count
> on this per-VM relax/strict policy to prevent group devices from being
> assigned to different VMs. In that case it's definitely a security hole since
> one VM may clobber shared RMRR to impact another VM. So the right
> example for that scenario is both VMs specified with 'relax'.

Sorry, no, the idea of "relax" is to allow the admin to state "I have
no security concerns". Hence we'd have a security issue only if the
default was "relax" (which iiuc it isn't, or if it were _that's_ what
would need to be alongside the presented change). Whether that
statement of the admin is because of
- knowing that the RMRR won't be used post-boot
- group-assigning the devices manually
- simply not caring (i.e. trusting the guests)
is not our business.

IOW, provided there's no way for "relax" to become the default
(Tiejun - please confirm), the patch as is should be fine.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

