Re: [Xen-devel] Community call: PCI Emulation - Future Direction (Wed, May 2nd, UTC 16:00-17:00 / BST 17:00-18:00)



On Apr 24, 2018, at 05:19, Lars Kurth <lars.kurth@xxxxxxxxxx> wrote:

Hi all,
as agreed please find attached the meeting invite
Regards
Lars

## Agenda (provisional)
I copied what was discussed on this thread so far https://docs.google.com/document/d/1RWylmNmBXOrgGLARj6_ynK50P7SZPl4LpnmhGaPglJw/edit?usp=sharing, which I will use as pad to write down minutes. Feel free to make agenda suggestions and copy relevant information into the doc, prior to the meeting.

I would like to add an agenda item to discuss the level of security support that will be asserted in SUPPORT.md for driver domains which contain untrusted PCI devices.  Will Xen security support be different for SR-IOV devices?  GPUs vs. NICs?

There have been past discussions on this topic and a proposed PCI-iommu-bugs.txt file to help Xen users and developers understand the risks [2][3][4] that may arise from a hostile device and potentially buggy firmware.  If we can document specific risks, we can ask firmware developers to make specific improvements to improve the security of PCI emulation.

There is an active effort [4] underway to improve firmware security in servers (and eventually desktops), including a reduction of attack surface due to SMM.  There is also work underway [5][6] to perform secure boot between individual PCI devices and server motherboards.  Some of these concepts may already be deployed in Azure.

Several stakeholders will be attending or presenting at the PSEC [6] conference.

Rich

[1] Performance Isolation Exposure in Virtualized Platforms with PCI Passthrough I/O Sharing, https://mediatum.ub.tum.de/doc/1187609/972322.pdf


[3] Denial-of-Service Attacks on PCI Passthrough Devices, http://publications.andre-richter.com/richter2015denial.pdf

[4] Open Compute Open System Firmware, http://www.opencompute.org/wiki/Open_System_Firmware

[5] Open Compute Security, http://www.opencompute.org/wiki/Security

