
Re: [Xen-devel] [TESTDAY] PV / HVM pass-through works when IOMMU present; weird failures when not



>>> On 01.07.13 at 14:15, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote:
> On Mon, Jul 1, 2013 at 11:53 AM, George Dunlap
> <george.dunlap@xxxxxxxxxxxxx> wrote:
>> On 28/06/13 17:00, Jan Beulich wrote:
>>>>>>
>>>>>> On 28.06.13 at 17:37, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
>>>>>> wrote:
>>>>
>>>> - For HVM guests, the only user-visible indication that the IOMMU has
>>>> been disabled is the following error message on the command-line:
>>>>
>>>> # xl pci-attach h0 07:00.0
>>>> libxl: error: libxl_pci.c:949:do_pci_add: xc_assign_device failed
>>>>
>>>> However, the device itself ends up passed-through to the guest anyway;
>>>> the guest seems to be able to see it and interact with it normally.
>>>> This is particularly scary, as in theory this should not be possible
>>>> without a working IOMMU.
>>>>
>>>> I don't think this is a blocker for 4.3, but we should definitely
>>>> release note it, and for 4.4 add a check to see if there is a
>>>> functioning IOMMU and only add a device if there's an override set.
>>>
>>> To me this very much looks like a security problem (which I
>>> think we should fix asap).
>>
>>
>> Is it worth delaying the release (yet) another week for?
>>
>> Probably the simplest solution at the moment, if there's an easy way for the
>> toolstack to figure out whether there is a working IOMMU or not, is to
>> simply not allow pass-through without an IOMMU unless there is an override
>> option.
> 
> On further reflection, I think there isn't actually a security bug
> here: The promised behavior as of now is that if you really need to
> have an iommu, then you should specify "iommu=force".  If I specify
> iommu=force, then of course Xen doesn't boot, and I can't trigger this
> problem.

I disagree, not the least because the behavior was different with
xend: When there's no IOMMU, pass-through to HVM must not
happen (or we'd have to suppress bus mastering on any such
passed through device). Pass-through to PV may happen, but is
insecure (as would be pass-through to HVM with disabled bus
mastering). So to anyone migrating from xend, if we don't change
things, this will at least be perceived as a security bug.

> This is actually a pretty awful interface, and should change, but
> that's a 4.4 thing, not a 4.3 thing.  Since we haven't had any other
> issues reported, I think we should go ahead with the scheduled release
> tomorrow.

As per the above and the earlier reply I sent, I don't think we
should release without this fixed. Let me see whether the minimal
fix I sketched out earlier works...

Jan
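
The check discussed in this thread, as an added example that is not part of the original message or of Xen's toolstack: refuse pass-through to HVM guests when the host reports no active IOMMU, and permit PV pass-through only with an explicit override. It assumes the `hvm_directio` flag on the `virt_caps` line of `xl info` marks an active IOMMU; the function names and the override argument are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: decide whether a PCI pass-through request may proceed,
# based on the IOMMU capability reported by `xl info`.

# iommu_active < xl-info-output
# Succeeds only if the virt_caps line carries the exact token hvm_directio
# (assumption: this flag is how the host reports an active IOMMU).
iommu_active() {
    awk -F: '
        /^virt_caps[ \t]*:/ {
            n = split($2, caps, " ")
            for (i = 1; i <= n; i++)
                if (caps[i] == "hvm_directio") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# passthrough_decision GUEST_TYPE ALLOW_INSECURE < xl-info-output
# Prints allow, allow-insecure or deny; returns non-zero on deny.
# ALLOW_INSECURE is a hypothetical override ("1" enables it). It applies
# to PV guests only: without an IOMMU, HVM pass-through is always denied.
passthrough_decision() {
    guest_type=$1
    allow_insecure=${2:-0}
    if iommu_active; then
        echo allow
        return 0
    fi
    if [ "$guest_type" = pv ] && [ "$allow_insecure" = 1 ]; then
        echo allow-insecure
        return 0
    fi
    echo deny
    return 1
}

# Constructed samples of the relevant `xl info` line.
SAMPLE_IOMMU='virt_caps              : hvm hvm_directio'
SAMPLE_NO_IOMMU='virt_caps              : hvm'

# On a real host the gate would wrap the attach, for example:
#   xl info | passthrough_decision hvm 0 && xl pci-attach h0 07:00.0
```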

