Re: [Xen-devel] bug suspcion and proposed modification when xen-pciback failed to map an irq (-19) to a domU
Ok, I have trusted software to locally configure the ethernet device assignment. I will probably add a "pre-cooked way" to share the configuration to the hypervisor and allow the MSI configuration from a device only with only one granted domain.

Thank you very much for the help

-----Original Message-----
From: Jan Beulich <jbeulich@xxxxxxxx>
Sent: Friday, November 29, 2019 2:32 PM
To: DOZ, MARC (ext) <marc.doz.external@xxxxxxxx>
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] bug suspcion and proposed modification when xen-pciback failed to map an irq (-19) to a domU

On 29.11.2019 13:34, DOZ, MARC (ext) wrote:
>
>> Except that this is not a "fix", but the introduction of a security
>> vulnerability (permitting interrupt setup on un-owned devices). See XSA-237,
>> which actually changed it in the opposite direction of what you're proposing.
>
> Ok, I found it:
> https://xenbits.xen.org/xsa/xsa237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
>
> "MSI setup should be permitted only for existing devices owned by the
> respective guest"
>
> But how to change the owner of my device or update the
> pdev->domain->domain_id?

With the code as is and without an IOMMU there's no pre-cooked way to, I'm afraid. You could try granting the guest access to MMIO and IRQ "manually" (there are guest config file options for this), but I take it you'll be in trouble if (as iirc you've said) the device / driver want to use MSI.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel