Re: [PATCH v4] IOMMU: make DMA containment of quarantined devices optional
On 30.11.2020 09:05, Tian, Kevin wrote:
>> From: Jan Beulich <jbeulich@xxxxxxxx>
>> Sent: Monday, November 30, 2020 3:35 PM
>>
>> On 30.11.2020 07:13, Tian, Kevin wrote:
>>>> From: Jan Beulich <jbeulich@xxxxxxxx>
>>>> Sent: Saturday, November 28, 2020 12:46 AM
>>>> >>>> @@ -1316,11 +1316,32 @@ boolean (e.g. `iommu=no`) can override t >>>> will prevent Xen from booting if IOMMUs aren't discovered and >> enabled >>>> successfully. >>>> >>>> -* The `quarantine` boolean can be used to control Xen's behavior when >>>> - de-assigning devices from guests. If enabled (the default), Xen >>>> always >>>> +* The `quarantine` option can be used to control Xen's behavior when >>>> + de-assigning devices from guests. >>>> + >>>> + When a PCI device is assigned to an untrusted domain, it is possible >>>> + for that domain to program the device to DMA to an arbitrary address. >>>> + The IOMMU is used to protect the host from malicious DMA by making >>>> + sure that the device addresses can only target memory assigned to the >>>> + guest. However, when the guest domain is torn down, assigning the >>>> + device back to the hardware domain would allow any in-flight DMA to >>>> + potentially target critical host data. To avoid this, quarantining >>>> + should be enabled. Quarantining can be done in two ways: In its basic >>>> + form, all in-flight DMA will simply be forced to encounter IOMMU >>>> + faults. Since there are systems where doing so can cause host lockup, >>>> + an alternative form is available where writes to memory will be made >>>> + fault, but reads will be directed to a dummy page. The implication >>>> + here is that such reads will go unnoticed, i.e. an admin may not >>>> + become aware of the underlying problem. >>>> + >>>> + Therefore, if this option is set to true (the default), Xen always >>>> quarantines such devices; they must be explicitly assigned back to >> Dom0 >>>> - before they can be used there again. If disabled, Xen will only >>>> - quarantine devices the toolstack hass arranged for getting >>>> quarantined. >>>> + before they can be used there again. If set to "scratch-page", still >>>> + active DMA reads will additionally be directed to a "scratch" page. 
>>>> If >>>> + set to false, Xen will only quarantine devices the toolstack has >> arranged >>>> + for getting quarantined.
>>>
>>> Here let's be clear about the quarantine policy when the quarantine
>>> devices are arranged by toolstack. Based on this patch it is the 'basic'
>>> form i.e. always getting IOMMU faults for such devices.
>>
>> Well, the policy is always as chosen via command line. Therefore do
>> you perhaps merely mean the default mode to be spelled out? This is
>> already the case at the beginning of the 2nd paragraph.
>
> When I read above paragraphs, it's clear about the enabled case where
> two quarantine forms are available (basic vs. scratch-page) and how to
> choose them, but it's not crystal clear about the disabled case which
> form is assumed for toolstack-managed devices, from a user p.o.v.

Oh, now I think I got what you mean. I've added '..., and only in the
"basic" form' to that last sentence.

Jan
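
Review bot: The added "scratch-page" value description ("still active DMA reads will additionally be directed to a "scratch" page") does not restate that writes keep faulting; that detail appears only in the background paragraph above it, so a reader skimming for the option values could assume the scratch page absorbs writes as well. Suggest spelling it out in that sentence, for example "writes still fault, while still active DMA reads are directed to a scratch page". Separately, "writes to memory will be made fault" in the background paragraph reads as if a word is missing ("made to fault").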