[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional

To: Jürgen Groß <jgross@xxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 13 Dec 2019 15:11:45 +0100
Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Fri, 13 Dec 2019 14:11:47 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 13.12.2019 14:46, Jürgen Groß wrote:
> On 13.12.19 14:38, Jan Beulich wrote:
>> On 13.12.2019 14:31, Jürgen Groß wrote:
>>> Maybe I have misunderstood the current state, but I thought that it
>>> would just silently hide quirky devices without imposing a security
>>> risk. We would not learn which devices are quirky, but OTOH I doubt
>>> we'd get many reports about those in case your patch goes in.
>>
>> We don't want or need such reports, that's not the point. The
>> security risk comes from the quirkiness of the devices - admins
>> may wrongly think all is well and expose quirky devices to not
>> sufficiently trusted guests. (I say this fully realizing that
>> exposing devices to untrusted guests is almost always a certain
>> level of risk.)
> 
> Do we _know_ those devices are problematic from security standpoint?
> Normally the IOMMU should do the isolation just fine. If it doesn't
> then its not the quirky device which is problematic, but the IOMMU.
> 
> I thought the problem was that the quirky devices would not stop all
> (read) DMA even when being unassigned from the guest resulting in
> fatal IOMMU faults. The dummy page should stop those faults to happen
> resulting in a more stable system.

IOMMU faults by themselves are not impacting stability (they will
add processing overhead, yes). The problem, according to Paul's
description, is that the occurrence of at least some forms of IOMMU
faults (not present ones as it seems, as opposed to permission
violation ones) is fatal to certain systems. Irrespective of the
sink page used after de-assignment a guest can arrange for IOMMU
faults to occur even while it still has the device assigned. Hence
it is important for the admin to know that their system (not the
the particular device) behaves in this undesirable way.

> So what are the security problems which are added by this behavior?

There are no problems added; there are problems hidden from admins.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jürgen Groß

References:
- [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jürgen Groß
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jürgen Groß
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
  - From: Jürgen Groß

Prev by Date: Re: [Xen-devel] [PATCH 2/4] x86/mm: Implement common put_data_pages for put_page_from_l[23]e
Next by Date: Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
Previous by thread: Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
Next by thread: Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.