
Re: [Xen-users] Simple Query on PCI passthrough I/O

> Thanks a lot for all your responses - Chris, Mark and Joseph. They really
> help me.
> A few followup questions from your responses.
> > * ... unless you are using VT-d, in which case you can pass the PCI device
> > to an HVM guest without that guest being able to stomp all over memory.
> > Patches to support this for PV guests are in development but not done yet.
> I'm running a PV. Does this mean I won't be able to do pass through I/O?

Under PV you can pass through IO.  It just means that the guest with the 
passed-through card is as trusted as dom0.  i.e. the guest with the PCI card 
can potentially read and write all memory in the machine, take control of 
anything, etc, if controlled by a sufficiently determined attacker.

Dom0 already has this much power.  Giving a domU a PCI device does not give it 
*permission* to do these things, so it's technically more limited than dom0.  
However, it can (in principle) abuse the PCI device to break the system and 
thereby get these powers.  This is not a problem as long as you trust the 
administrator in the domU and it does not get hacked.  Otherwise, it could 
try to escalate its privileges.

Patches to limit PV guests using VT-d hardware where available have been 
reposted to the mailing list today, so that capability may be in the next Xen 
release.  Not helpful to people without that hardware, sadly.

> > * Don't try to xm pause, save or suspend the guest with the PCI card! 
> > Bad things may well happen ;-)

You shouldn't pause a guest with a PCI card (or save or suspend it) because 
you might interrupt it whilst it's doing something important with the 
hardware.  Potentially this can break your system.  Migrating has the same 
problem but also the guest would be confused to arrive on another machine 
without the PCI device it was using, so it wouldn't be a good idea anyhow.

Occasionally people have accidentally suspended a domU (the Xendomains init 
script does this on dom0 shutdown on some systems, for instance - it's worth 
making sure this won't happen!) that had a PCI device attached.  This caused 
problems - most recently, a guy had dom0 lose access to the hard disk.  The 
reason was that the guest was leaving an interrupt line masked when it 
shut down - that interrupt line was shared with dom0's hard drive controller.

Best to just assume that any domain with hardware access needs to either be 
running or shut down cleanly.  xm destroy-ing one is possible but probably 
not recommended unless necessary, because similar problems could occur.  This 
was never a problem on my own test machine but your mileage may vary on 
different hardware.

> >
> > * You need to be running a dom0 kernel in the guest with the PCI card.
> Whoa! I did not know this either. Again what are the reasons? Kindly let me
> know.

Regarding the kernel version.  You don't necessarily need to be running the 
same kernel as dom0.  But you do need to be running a dom0-capable kernel 
because domU-only kernels lack hardware support.

Finally, I'll note that you can't run a really old kernel in a domU with PCI 
passthrough because the dom0 (aka privileged) interfaces were stabilised 
later on than the domU interfaces, so if your kernel is too old it may not 

Sorry if that all sounds horribly dire.  Plenty of people have been using PCI 
passthrough on all sorts of systems for years now, quite happily.  It's not 
like it's a highly dangerous activity.  But it's one of the more technical 
aspects of Xen to set up and it's worth you knowing the various issues 
associated with deploying it.


Push Me Pull You - Distributed SCM tool (http://www.cl.cam.ac.uk/~maw48/pmpu/)
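
The check suggested above (make sure the xendomains init script will not save or migrate a guest that holds a PCI device when dom0 shuts down), as an added example that is not part of the original post. It assumes the usual XENDOMAINS_SAVE and XENDOMAINS_MIGRATE settings and xm-style guest configs with a `pci = [ '...' ]` line; the function names and the paths in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed locations on a real host:
# settings in /etc/sysconfig/xendomains, autostarted guest configs in /etc/xen/auto.

# setting FILE NAME: print the last NAME=value in FILE without executing FILE.
setting() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d "\"' \t"
}

# pci_guests DIR: names of guest configs in DIR that contain an uncommented,
# non-empty "pci = [ '...' ]" assignment.
pci_guests() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*pci[[:space:]]*=[[:space:]]*\[[[:space:]]*['\"]" "$f"; then
            basename "$f"
        fi
    done
    return 0
}

# audit SETTINGS DIR: report guests that hold a PCI device while dom0 shutdown
# is configured to save or migrate them. Returns 1 if any are found.
audit() {
    action=
    [ -n "$(setting "$1" XENDOMAINS_SAVE)" ] && action=save
    [ -n "$(setting "$1" XENDOMAINS_MIGRATE)" ] && action=migrate
    [ -n "$action" ] || return 0      # neither is set: no save or migrate on stop
    guests=$(pci_guests "$2")
    [ -n "$guests" ] || return 0
    for g in $guests; do
        echo "AT RISK: $g has a PCI device; xendomains would $action it"
    done
    return 1
}

# make_sample DIR: write constructed sample files for a dry run.
make_sample() {
    mkdir -p "$1/auto"
    echo 'XENDOMAINS_SAVE=/var/lib/xen/save' > "$1/xendomains"
    printf "name = 'nic'\npci = [ '01:00.0' ]\n" > "$1/auto/nic"
    printf "name = 'web'\n# pci = [ '02:00.0' ]\n" > "$1/auto/web"
}

# Real use: sh audit.sh /etc/sysconfig/xendomains /etc/xen/auto
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```
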
