[Xen-devel] granting access to MSI-X table and pending bit array

To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] granting access to MSI-X table and pending bit array
From: "Jan Beulich" <JBeulich@xxxxxxxxxx>
Date: Wed, 07 Jul 2010 11:14:04 +0100
The original implementation (c/s 17536) disallowed access to these
after granting access to all BAR specified resources (i.e. this was
almost correct, except for a small time window during which the
memory was accessible to the guest and except for hiding the
pending bit array from the guest), but this got reverted with c/s
20171.

Afaics this is a security problem, as CPU accesses to the granted
memory don't go through any IOMMU and hence there's no place
these could be filtered out even in a supposedly secure environment
(not that I think device accesses would be filtered at present, but
for those this would at least be possible), and such accesses could
inadvertently or maliciously unmask masked vectors or modify the
message address/data fields.

Imo the pending bit array must be granted read-only access to the
guest (instead of either granting full access or no access at all),
with the potential side effect of also granting read-only access to
the table. And I would even think that this shouldn't be done in the
tools, but rather in Xen itself (since it knows of all the PCI devices
and their respective eventual MSI-X address ranges), thus at once
eliminating any timing windows.

Jan
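
An added example, not part of the original mail and not Xen's own code: it decodes the three MSI-X capability registers (PCI-defined layout) into the BAR pages holding the table and the pending bit array, then classifies each BAR page. The names, the 4 KiB page size, the constructed register values and the policy (PBA pages read-only, table-only pages unmapped) are assumptions made for illustration, following the mail's proposal.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT      12   /* assumed 4 KiB pages */
#define MSIX_ENTRY_SIZE 16u  /* bytes per MSI-X table entry */

enum access { ACC_RW, ACC_RO, ACC_NONE };

struct msix_layout {
    unsigned table_bir, pba_bir;        /* BAR index holding each structure */
    uint64_t table_first, table_last;   /* inclusive page offsets in the BAR */
    uint64_t pba_first, pba_last;
};

/* Decode Message Control, Table Offset/BIR and PBA Offset/BIR registers. */
struct msix_layout msix_decode(uint16_t msg_ctrl, uint32_t table_reg,
                               uint32_t pba_reg)
{
    struct msix_layout l;
    uint64_t nr = (msg_ctrl & 0x7ffu) + 1;          /* field holds N - 1 */
    uint64_t toff = table_reg & ~7u, poff = pba_reg & ~7u;
    uint64_t pba_bytes = ((nr + 63) / 64) * 8;      /* one bit per vector, in qwords */

    l.table_bir = table_reg & 7u;
    l.pba_bir = pba_reg & 7u;
    l.table_first = toff >> PAGE_SHIFT;
    l.table_last = (toff + nr * MSIX_ENTRY_SIZE - 1) >> PAGE_SHIFT;
    l.pba_first = poff >> PAGE_SHIFT;
    l.pba_last = (poff + pba_bytes - 1) >> PAGE_SHIFT;
    return l;
}

/* Assumed policy: PBA pages read-only (a table sharing the page becomes
 * read-only with it), table-only pages unmapped, everything else read/write. */
enum access page_access(const struct msix_layout *l, unsigned bar, uint64_t page)
{
    if (bar == l->pba_bir && page >= l->pba_first && page <= l->pba_last)
        return ACC_RO;
    if (bar == l->table_bir && page >= l->table_first && page <= l->table_last)
        return ACC_NONE;
    return ACC_RW;
}

int main(void)
{
    /* Constructed device: 8 vectors, table at BAR 3 + 0x2000, PBA at BAR 3 + 0x2800. */
    struct msix_layout l = msix_decode(0x0007, 0x2003, 0x2803);
    for (uint64_t p = 0; p < 4; p++)
        printf("BAR3 page %llu: %d\n", (unsigned long long)p, page_access(&l, 3, p));
    return 0;
}
```

In the constructed device the table and the PBA share page 2 of BAR 3, so that page comes out read-only, which is the side effect the mail mentions.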

