[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2] IOMMU: make DMA containment of quarantined devices optional
On 13.12.19 15:11, Jan Beulich wrote: On 13.12.2019 14:46, Jürgen Groß wrote:On 13.12.19 14:38, Jan Beulich wrote:On 13.12.2019 14:31, Jürgen Groß wrote:Maybe I have misunderstood the current state, but I thought that it would just silently hide quirky devices without imposing a security risk. We would not learn which devices are quirky, but OTOH I doubt we'd get many reports about those in case your patch goes in.We don't want or need such reports, that's not the point. The security risk comes from the quirkiness of the devices - admins may wrongly think all is well and expose quirky devices to not sufficiently trusted guests. (I say this fully realizing that exposing devices to untrusted guests is almost always a certain level of risk.)Do we _know_ those devices are problematic from security standpoint? Normally the IOMMU should do the isolation just fine. If it doesn't then its not the quirky device which is problematic, but the IOMMU. I thought the problem was that the quirky devices would not stop all (read) DMA even when being unassigned from the guest resulting in fatal IOMMU faults. The dummy page should stop those faults to happen resulting in a more stable system.IOMMU faults by themselves are not impacting stability (they will add processing overhead, yes). The problem, according to Paul's description, is that the occurrence of at least some forms of IOMMU faults (not present ones as it seems, as opposed to permission violation ones) is fatal to certain systems. Irrespective of the sink page used after de-assignment a guest can arrange for IOMMU faults to occur even while it still has the device assigned. Hence it is important for the admin to know that their system (not the the particular device) behaves in this undesirable way. So how does the admin learn this? Its not as if your patch would result in a system crash or hang all the time, right? This would be the case only if there either is a malicious (on purpose or due to a bug) guest which gets the device assigned, or if there happens to be a pending DMA operation when the device gets unassigned. The malicious guest case would be caught without your patch as well. And most cases of device unassignment would be fine, too, as a normal guest shutdown/reboot includes stopping I/O activity. So what are the security problems which are added by this behavior?There are no problems added; there are problems hidden from admins. In my understanding in some corner cases, yes. Juergen _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |