
Re: [Xen-devel] [PATCH 0/5] VT-d support for PV guests



[Keir Fraser]
> On 19/5/08 21:27, "Espen Skoglund" <espen.skoglund@xxxxxxxxxxxxx> wrote:
>> I've added some preliminary support for VT-d for paravirtualized
>> guests.  This must be enabled using an 'iommu_pv' boot parameter
>> (disabled by default).
>> 
>> I've added some python bindings to allow xend to assign PCI devices to
>> IOMMU for PV guests.  For HVM guests this is handled in ioemu.  Not
>> sure if it makes sense to handle both cases in one place.
>> 
>> The changes currently hook into get_page_type() in xen/arch/x86/mm.c
>> to map/unmap IOMMU pages when the page types change.  This might
>> not be the appropriate place to hook these calls.

> What functionality does this patchset enable, Espen? Is this a
> security enhancement (isolation/containment) for PV guests with
> direct hardware access? For example: can access all its own memory
> except that which has pagetable/GDT type, and only foreign memory
> which is granted to it?

> Is there a good reason to hide this behind a boot option?

The patchset does, as you guessed, enable isolation for PV guests with
direct hardware access.  If you assign a PCI device to a guest you are
guaranteed that the assigned device can't access the memory of other
guests or Xen itself.  The patchset allows the device to access all
its own memory which it has write access to, and memory which is
granted to it.

The only reason for making it a boot option was to allow for the old
behaviour (i.e., complete access) to be the default behaviour until
people get more confident with the patches.

        eSk
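The access policy described in this exchange, modelled as an added example (not code from the Xen patchset): a device assigned to a domain may reach the domain's own ordinary writable memory, never pages of pagetable/GDT type, and foreign memory only where a grant exists. The Page, Grant and IommuContext names, the hypothetical on_page_type_change() hook and the treatment of every grant as a mapping-eligible grant are assumptions for illustration; the sample pages and grants are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class PageType(Enum):
    NONE = "writable"        # ordinary guest memory
    L1_PAGETABLE = "l1"
    L2_PAGETABLE = "l2"
    GDT = "gdt"


# Page types that the hypervisor must keep out of reach of guest DMA.
PRIVILEGED_TYPES = {PageType.L1_PAGETABLE, PageType.L2_PAGETABLE, PageType.GDT}


@dataclass
class Page:
    mfn: int
    owner: int
    type: PageType = PageType.NONE


@dataclass
class Grant:               # constructed grant-table entry (assumed shape)
    from_dom: int
    to_dom: int
    mfn: int


@dataclass
class IommuContext:        # per-domain IOMMU context: set of DMA-able MFNs
    domid: int
    mapped: set = field(default_factory=set)


def may_map(domid, page, grants):
    """Policy from the thread: own writable memory, or granted foreign memory."""
    if page.owner == domid:
        return page.type not in PRIVILEGED_TYPES
    return any(g.to_dom == domid and g.mfn == page.mfn for g in grants)


def build_context(domid, pages, grants):
    ctx = IommuContext(domid)
    ctx.mapped = {p.mfn for p in pages if may_map(domid, p, grants)}
    return ctx


def on_page_type_change(ctx, page, new_type, grants):
    """Hypothetical stand-in for the get_page_type() hook: re-evaluate the mapping."""
    page.type = new_type
    if may_map(ctx.domid, page, grants):
        ctx.mapped.add(page.mfn)
    else:
        ctx.mapped.discard(page.mfn)
    return page.mfn in ctx.mapped   # True if the device may still DMA to it
```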


