
Re: [RFC 5/7] x86/iommu: the code addressing CVE-2011-1898 is VT-d specific


  • To: Xenia Ragiadakou <burzalodowa@xxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 12 Jan 2023 12:53:04 +0100
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 12 Jan 2023 11:53:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 21.12.2022 16:22, Xenia Ragiadakou wrote:
> 
> On 12/20/22 13:09, Andrew Cooper wrote:
>> On 19/12/2022 6:34 am, Xenia Ragiadakou wrote:
>>> The variable untrusted_msi indicates whether the system is vulnerable to
>>> CVE-2011-1898. This vulnerability is VT-d specific.
>>> Place the code that addresses the issue under CONFIG_INTEL_VTD.
>>>
>>> No functional change intended.
>>>
>>> Signed-off-by: Xenia Ragiadakou <burzalodowa@xxxxxxxxx>
>>
>> Actually, this variable is pretty bogus.  I think I'd like to delete it
>> entirely.

The important difference between Intel and AMD was that Intel initially
supplied DMA-remap-only IOMMUs, while AMD had intremap from the beginning.
Hence Intel hardware could be unsafe by default, whereas on AMD an admin
would need to come and turn off intremap. Deleting the variable would be
okay only if we declared Xen security-unsupported on intremap-less Intel
hardware. Extending coverage to AMD wouldn't seem unreasonable to me, if
we knew that there were people turning off intremap _and_ caring about
this particular class of attack. With no-one having complained in over
10 years, perhaps there's no-one of this kind ...

> Nevertheless, I don't think that it would be appropriate to be done as 
> part of this series.

I agree, but I'll want to comment on v2 nevertheless, rather than simply
ack-ing it.

Jan
