WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthro

Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d 
(PCI passthrough) MSI"):
> My inclination would be such that iommu=force is allowed on non IR
> systems, but where IR is expected to be present e.g. sandybridge
> generation we insist that it is enabled (i.e. that the BIOS supports
> it).

I don't think that's a conceptually coherent point of view, unless the
purpose is to avoid marketing embarrassment.

Either IR is required for a secure system with passthrough, in which
case iommu=force should require IR, or it is not required for a secure
system with passthrough, in which case iommu=force should not insist
on it.

Whether it is required for security doesn't depend on whether it is
actually available.  That there are some motherboards which cannot do
passthrough securely does not mean that we should allow users of those
boards to be led up the garden path.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel