From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tim Deegan
Subject: Re: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Sun, 22 May 2011 19:15:55 +0100
Message-ID: <20110522181555.GB4990@whitby.uk.xensource.com>
References: <4DD235010200007800070074@vpn.id2.novell.com> <4F65016F6CB04E49BFFA15D4F7B798D901B773E6D1@orsmsx506.amr.corp.intel.com> <1305708848.20907.109.camel@zakaz.uk.xensource.com> <4F65016F6CB04E49BFFA15D4F7B798D901B77B4CAF@orsmsx506.amr.corp.intel.com> <20110520101715.GB27118@whitby.uk.xensource.com> <19926.41612.443828.728199@mariner.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <19926.41612.443828.728199@mariner.uk.xensource.com>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Ian Jackson
Cc: Ian Campbell, "Cihula, Joseph", "xen-devel@lists.xensource.com"
List-Id: xen-devel@lists.xenproject.org

At 18:19 +0100 on 20 May (1305915548), Ian Jackson wrote:
> Tim Deegan writes ("Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI"):
> > At 21:48 +0100 on 19 May (1305841716), Cihula, Joseph wrote:
> > > So how would the user (or installation SW) specify to use the best
> > > (IOMMU) security available on the platform?
> >
> > iommu=on. That pretty much lines up with the current meaning.
> >
> > Only iommu=force requires a fully secure IOMMU, and you can
> > override that with iommu=force,nointremap.
>
> I think this is the best behaviour. Do we have a patch that
> implements it? If I'm not confused, the patch further upthread
> crashes on lack of intremap even with iommu=on.

AIUI Ian Campbell's most recent patch does exactly this. Ian?

Tim.

--
Tim Deegan
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)