
Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional



On 13.12.2019 15:29, Jürgen Groß wrote:
> On 13.12.19 15:23, Jan Beulich wrote:
>> On 13.12.2019 14:53, Durrant, Paul wrote:
>>> Since *not* having the 'sink' page allows a guest to pull off a host DoS
>>> in the presence of such h/w, security is surely increased by having it?
>>
>> host            device     result w/o sink      result w/ sink
>> good            good       good                 good
>> good            babbling   good                 good
>> wedge on fault  good       DoS (runtime)        DoS (runtime)
> 
> I guess the DoS cases here are due to malicious guest actions?

Yes.

>> wedge on fault  babbling   DoS (runtime/late)   DoS (runtime only, silent)
> 
> And why is the sink page resulting in a silent DoS here?

Sorry, space restrictions may have led to this being ambiguous:
There's still the runtime DoS; the would-be-DoS after deassignment
will go entirely silent (i.e. without making the admin aware of
the situation, not allowing them to take precautions against the
runtime aspects of this).

Jan
