[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IGD passthrough security (was Re: [Xen-devel] feature suggestion: DMAR table emulation for Xen)

On 05/15/2010 06:54 PM, Ian Pratt wrote:
>> Well, we don't do graphics passthrough in Qubes, mostly for two reasons:
>> 1) We believe users prefer seamless integration of all apps onto one
>> desktop (and that requires only one domain, e.g. Dom0, to have access to
>> the graphics card),
> Not necessarily. If dom0 retains control of the display side of the
> GPU you can use video overlays to merge in windows from a couple of
> other domains. [Though ideally the GPU would use different PCI
> requestor IDs for displaying the framebuffer or fetching overlay data
> vs rendering]
>> 2) Giving a potentially untrusted domain full access to the graphics
>> device creates a potential security risk. In fact, you cannot make such an
>> architecture secure without using TXT (yes, TXT in addition to VT-d).

> I agree you can't give an untrusted domain full access, but there's
> an interesting design point where you emulate some parts of the GPU
> (e.g. anything controlling what is displayed) and pass-through
> others. GPU designs that enable you to do this without babysitting
> the command rings are obviously preferable...

I've been actually more concerned about the *rich* interface to the GPU
that you still must expose to DomU. While semantically it might not be
insecure (from what you wrote it might be perhaps possible to prevent
DomU from reading the screen buffer, etc), I bet it will contain
exploitable implementation flaws. And DomU would be able to exploit
them, similarly like one can exploit many modern NIC cards today (see [1]).



Attachment: signature.asc
Description: OpenPGP digital signature

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.