Xen project Mailing List

[PATCH v4 2/5] x86/iommu: make code addressing CVE-2011-1898 no VT-d specific

From: Xenia Ragiadakou <burzalodowa@xxxxxxxxx>

Date: Tue, 24 Jan 2023 14:41:39 +0200

Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Tue, 24 Jan 2023 12:42:06 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The variable untrusted_msi indicates whether the system is vulnerable to CVE-2011-1898 due to the absence of interrupt remapping support. Although AMD iommus with interrupt remapping disabled are also affected, this case is not handled yet. Given that the issue is not VT-d specific, and to accommodate future use of the flag for covering also the AMD iommu case, move the definition of the flag out of the VT-d specific code to the common x86 iommu code. Also, since the current implementation assumes that only PV guests are prone to this attack, take the opportunity to define untrusted_msi only when PV is enabled. No functional change intended. Signed-off-by: Xenia Ragiadakou <burzalodowa@xxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> --- Changes in v4: - in vtd code, guard with CONFIG_PV the use of untrusted_msi - mention in commit log that CVE-2011-1898 currently is not addressed for AMD iommus with disabled intremap - add Jan's Reviewed-by tag xen/drivers/passthrough/vtd/iommu.c | 5 ++--- xen/drivers/passthrough/x86/iommu.c | 5 +++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c index 62e143125d..e97b1fe8cd 100644 --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -54,9 +54,6 @@ ? dom_iommu(d)->arch.vtd.pgd_maddr \ : (pdev)->arch.vtd.pgd_maddr) -/* Possible unfiltered LAPIC/MSI messages from untrusted sources? */ -bool __read_mostly untrusted_msi; - bool __read_mostly iommu_igfx = true; bool __read_mostly iommu_qinval = true; #ifndef iommu_snoop @@ -2770,6 +2767,7 @@ static int cf_check reassign_device_ownership( if ( !has_arch_pdevs(target) ) vmx_pi_hooks_assign(target); +#ifdef CONFIG_PV /* * Devices assigned to untrusted domains (here assumed to be any domU) * can attempt to send arbitrary LAPIC/MSI messages. We are unprotected @@ -2778,6 +2776,7 @@ static int cf_check reassign_device_ownership( if ( !iommu_intremap && !is_hardware_domain(target) && !is_system_domain(target) ) untrusted_msi = true; +#endif ret = domain_context_mapping(target, devfn, pdev); diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c index f671b0f2bb..c5021ea023 100644 --- a/xen/drivers/passthrough/x86/iommu.c +++ b/xen/drivers/passthrough/x86/iommu.c @@ -36,6 +36,11 @@ bool __initdata iommu_superpages = true; enum iommu_intremap __read_mostly iommu_intremap = iommu_intremap_full; +#ifdef CONFIG_PV +/* Possible unfiltered LAPIC/MSI messages from untrusted sources? */ +bool __read_mostly untrusted_msi; +#endif + #ifndef iommu_intpost /* * In the current implementation of VT-d posted interrupts, in some extreme -- 2.37.2

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.