At 22:35 +0100 on 23 May (1306190138), Cihula, Joseph wrote:
> > This is exactly the behaviour we already have if you don't have an iommu at
> > all. The installer
> > already needs to figure out whether there's an IOMMU, or make it optional.
> > If you really want to rely on TXT and Xen to mutuallly secure each other,
> > then as far as I can see
> > you _need_ an interrupt remapper in all your supported hardware. That
> > being the case, iommu=force
> Let me take one more shot at this, since no one has yet refuted my
> original points.
> Why do you *need* IR to have a secure Xen w/ TXT? Certainly a DoS is
> very undesirable, but that is not really a security issue. Tell me
> what security exploits are still possible with the current patches.
The Invisible Things paper lists a selection of possible attack vectors.
That they only developed and disclosed one actual exploit is, AIUI, as
much a question of manpower as anything else. I haven't seen any
analysis from Intel to suggest otherwise.
I think Ian's latest patch is the right thing to do. But since I'm not
a maintainer of that piece of code, and since in practice the decision
will be made for most people by product and distro engineers anyway, I'm
not going to chase this thread around any more.
Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
Xen-devel mailing list