
Re: [Xen-devel] [PATCH for-4.13] docs/xl: Document pci-assignable state



> -----Original Message-----
> From: Ian Jackson <Ian.Jackson@xxxxxxxxxx>
> Sent: 26 November 2019 14:22
> To: George Dunlap <George.Dunlap@xxxxxxxxxx>
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx; Wei Liu <wl@xxxxxxx>; Jan Beulich
> <jbeulich@xxxxxxxx>; Paul Durrant <paul.durrant@xxxxxxxxxx>; Juergen Gross
> <jgross@xxxxxxxx>
> Subject: Re: [PATCH for-4.13] docs/xl: Document pci-assignable state
> 
> [resending to just Paul to fix email address problem]
> 
> George Dunlap writes ("[PATCH for-4.13] docs/xl: Document pci-assignable
> state"):
> >  =item B<pci-assignable-remove> [I<-r>] I<BDF>
> ...
> > +Make the device at PCI Bus/Device/Function BDF not assignable to
> > +guests.  This will at least unbind the device from pciback, and
> > +re-assign it from the "quarantine domain" back to domain 0.  If the -r
> > +option is specified, it will also attempt to re-bind the device to its
> > +original driver, making it usable by Domain 0 again.  If the device is
> > +not bound to pciback, it will return success.
> > +
> > +Note that this functionality will work even for devices which were not
> > +made assignable by B<pci-assignable-add>.  This can be used to allow
> > +dom0 to access devices which were automatically quarantined by Xen
> > +after domain destruction as a result of Xen's B<iommu=quarantine>
> > +command-line default.
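
Review bot: The closing sentence of the first added paragraph, "If the device is not bound to pciback, it will return success", does not say whether the re-assignment from the "quarantine domain" back to domain 0 is still performed in that case. Since the paragraph opens with "This will at least unbind the device from pciback, and re-assign it", suggest stating explicitly which of the two steps run when the device is not bound to pciback. The note about devices quarantined under B<iommu=quarantine> would also benefit from one sentence on what state the device is expected to be in before dom0 is given access to it again, as the text currently describes the mechanism without any caveat.
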
> 
> What are the security implications of doing this if the device might
> still be doing DMA or something ?
> 
> (For that matter, presumably there are security implications of
> assigning the same device in sequence to different guests?)
> 

Assigning any device carries a risk and can never be considered to be secure in
any general way. E.g. a device that exposes its config space in a writable
fashion via an internal i2c bus that can be accessed via one of its BARs.
Quarantining helps to the extent that, if a device is continuing to DMA then at
least that doesn't hit dom0 whilst the FLR/SBR is attempted, but if even that's
not effective then the device should probably remain in quarantine until it is
power-cycled.

  Paul

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

