Xen project Mailing List

Re: [Xen-devel] [PATCH for-4.13] docs/xl: Document pci-assignable state

To: Ian Jackson <Ian.Jackson@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>

From: "Durrant, Paul" <pdurrant@xxxxxxxxxx>

Date: Tue, 26 Nov 2019 15:17:23 +0000

Accept-language: en-GB, en-US

Cc: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Paul Durrant <paul.durrant@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Tue, 26 Nov 2019 15:17:31 +0000

Ironport-sdr: uCBVU03O7h9tFqB3A/JWuFpFmFyaTIs+FcRInYhyVavuocBDo/M6CCDMy+mOhopYNTYzWPeH3S WG81LjH10z+Q==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHVpGT4qCvWO7fUTEaoXMLhP52Fm6edjuVg

Thread-topic: [PATCH for-4.13] docs/xl: Document pci-assignable state

> -----Original Message----- > From: Ian Jackson <Ian.Jackson@xxxxxxxxxx> > Sent: 26 November 2019 14:22 > To: George Dunlap <George.Dunlap@xxxxxxxxxx> > Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx; Wei Liu <wl@xxxxxxx>; Jan Beulich > <jbeulich@xxxxxxxx>; Paul Durrant <paul.durrant@xxxxxxxxxx>; Juergen Gross > <jgross@xxxxxxxx> > Subject: Re: [PATCH for-4.13] docs/xl: Document pci-assignable state > > [resending to just Paul to fix email address problem] > > George Dunlap writes ("[PATCH for-4.13] docs/xl: Document pci-assignable > state"): > > =item B<pci-assignable-remove> [I<-r>] I<BDF> > ... > > +Make the device at PCI Bus/Device/Function BDF not assignable to > > +guests. This will at least unbind the device from pciback, and > > +re-assign it from the "quarantine domain" back to domain 0. If the -r > > +option is specified, it will also attempt to re-bind the device to its > > +original driver, making it usable by Domain 0 again. If the device is > > +not bound to pciback, it will return success. > > + > > +Note that this functionality will work even for devices which were not > > +made assignable by B<pci-assignable-add>. This can be used to allow > > +dom0 to access devices which were automatically quarantined by Xen > > +after domain destruction as a result of Xen's B<iommu=quarantine> > > +command-line default. > > What are the security implications of doing this if the device might > still be doing DMA or something ? > > (For that matter, presumably there are security implications of > assigning the same device in sequence to different guests?) > Assigning any device carries a risk and can never considered to be secure in any general way. E.g. a device that exposes its config space in a writable fashion via an internal i2c bus that can be accessed via one of its BARs. Quarantining helps to the extent that, if a device is continuing to DMA than at least that doesn't hit dom0 whilst the FLR/SBR is attempted, but if even that's not effective then the device should probably remain in quarantine until it is power-cycled. Paul _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.