From: "Jan Beulich"
Subject: Re: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Fri, 13 May 2011 13:34:34 +0100
Message-ID: <4DCD417A020000780004145C@vpn.id2.novell.com>
In-Reply-To: <4DCD140D.9000108@invisiblethingslab.com>
References: <19915.58644.191837.671729@mariner.uk.xensource.com> <4DCD030902000078000412C8@vpn.id2.novell.com> <4DCD1120.5020606@invisiblethingslab.com> <1305285108.31488.105.camel@zakaz.uk.xensource.com> <4DCD140D.9000108@invisiblethingslab.com>
To: Ian Campbell, Joanna Rutkowska
Cc: Keir Fraser, xen-devel@lists.xensource.com, Ian Jackson
List-Id: xen-devel@lists.xenproject.org

>>> On 13.05.11 at 13:20, Joanna Rutkowska wrote:
> On 05/13/11 13:11, Ian Campbell wrote:
>> On Fri, 2011-05-13 at 12:08 +0100, Joanna Rutkowska wrote:
>>> On 05/13/11 10:08, Jan Beulich wrote:
>>
>>>> Finally, wouldn't killing all guests that potentially could have caused
>>>> the problem be a better measure than bringing down the host?
>>>>
>>>
>>> Killing the guest might no longer be enough, because the guest might
>>> have already programmed the device to keep sending malicious MSIs.
>>
>> Is it even possible to know which guest triggered the MSI, or is the
>> best you can do the set of all guests with an MSI capable device passed
>> through?
>>
>
> Ah, probably you're right -- if we have more than one driver domain,
> then I think LAPIC would not tell us which device generated the MSI.

That's why I wrote "killing all guests that potentially could have ...".

> In fact it's not really correct to assume that it must have been a guest
> with an "MSI capable device" -- note that we don't trigger the MSI via
> the official MSI triggering mechanism.

You lost me here. Neither am I clear about what "non-official" triggering
mechanism we use, nor can I see how a guest without any MSI-capable device
would be able to trigger the problem.

And even if things are as you say, it would still seem better to kill all
guests with *any* passed through device, than bring down the entire host
(there could e.g. be dozens of innocent pv guests and only a single hvm
one that has a problematic device assigned).

Jan
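The attribution problem raised above (whether the LAPIC can tell which device, and so which guest, generated a rogue MSI) follows from the shape of the MSI message itself. The following decoder is an added example, not code from this thread or from Xen: it unpacks an x86 MSI address/data pair using the field layout documented in the Intel SDM (vol. 3, "Message Signalled Interrupts") and shows that the message names a destination APIC and a vector but carries no identifier of the originating PCI function. The `msi_is_benign` policy is a hypothetical illustration of the kind of check a hypervisor could apply to a message from an assigned device; it is not Xen's logic. The sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86 MSI message layout (Intel SDM vol. 3, "Message Signalled Interrupts").
 * The address register selects the target LAPIC(s); the data register carries
 * the vector and delivery details. No field names the PCI function that
 * wrote the message, so the receiving side cannot attribute it to a device.
 */
#define MSI_ADDR_WINDOW      0xFEE00000u   /* bits 31:20 must be 0xFEE */
#define MSI_ADDR_WINDOW_MASK 0xFFF00000u
#define MSI_ADDR_DEST_SHIFT  12            /* bits 19:12: destination ID */
#define MSI_ADDR_DEST_MASK   0xFFu
#define MSI_ADDR_RH          (1u << 3)     /* redirection hint */
#define MSI_ADDR_DM          (1u << 2)     /* destination mode: 1 = logical */

#define MSI_DATA_VECTOR_MASK 0xFFu         /* bits 7:0: vector */
#define MSI_DATA_DELIV_SHIFT 8             /* bits 10:8: delivery mode */
#define MSI_DATA_DELIV_MASK  0x7u
#define MSI_DATA_LEVEL       (1u << 14)    /* level: 1 = assert */
#define MSI_DATA_TRIGGER     (1u << 15)    /* trigger mode: 1 = level */

enum msi_delivery {
    MSI_DELIV_FIXED  = 0,
    MSI_DELIV_LOWPRI = 1,
    MSI_DELIV_SMI    = 2,
    MSI_DELIV_NMI    = 4,
    MSI_DELIV_INIT   = 5,
    MSI_DELIV_EXTINT = 7
};

/* Everything the receiver learns from a message. Note: no source field. */
struct msi_msg {
    uint8_t dest_id;
    int     logical_dest;
    int     redirection_hint;
    uint8_t vector;
    uint8_t delivery_mode;
    int     level_triggered;
    int     level_assert;
};

/* Decode an address/data pair. Returns 0 on success, -1 if the address lies
 * outside the LAPIC MSI window (then it is not an MSI at all). */
int msi_decode(uint32_t addr, uint32_t data, struct msi_msg *out)
{
    if ((addr & MSI_ADDR_WINDOW_MASK) != MSI_ADDR_WINDOW)
        return -1;
    out->dest_id          = (addr >> MSI_ADDR_DEST_SHIFT) & MSI_ADDR_DEST_MASK;
    out->logical_dest     = !!(addr & MSI_ADDR_DM);
    out->redirection_hint = !!(addr & MSI_ADDR_RH);
    out->vector           = data & MSI_DATA_VECTOR_MASK;
    out->delivery_mode    = (data >> MSI_DATA_DELIV_SHIFT) & MSI_DATA_DELIV_MASK;
    out->level_triggered  = !!(data & MSI_DATA_TRIGGER);
    out->level_assert     = !!(data & MSI_DATA_LEVEL);
    return 0;
}

/* Hypothetical acceptance policy for a message from an assigned device
 * (illustration only, not Xen's code): an ordinary device interrupt is
 * fixed or lowest-priority, edge-triggered, and uses a vector above the
 * architectural exception range 0x00-0x1F. Anything else is suspicious. */
int msi_is_benign(const struct msi_msg *m)
{
    if (m->delivery_mode != MSI_DELIV_FIXED &&
        m->delivery_mode != MSI_DELIV_LOWPRI)
        return 0;
    if (m->level_triggered)
        return 0;
    if (m->vector < 0x20)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples: a normal device interrupt, an NMI-mode message,
     * and a logical-destination level-triggered message. */
    const uint32_t samples[][2] = {
        { 0xFEE03000u, 0x00000041u },  /* dest 3, fixed, vector 0x41 */
        { 0xFEE03000u, 0x00000402u },  /* dest 3, NMI delivery mode */
        { 0xFEE0100Cu, 0x00008031u },  /* dest 1, logical+RH, level */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct msi_msg m;
        if (msi_decode(samples[i][0], samples[i][1], &m) != 0) {
            printf("not an MSI\n");
            continue;
        }
        printf("dest=%u vector=0x%02x delivery=%u trigger=%s -> %s\n",
               m.dest_id, m.vector, m.delivery_mode,
               m.level_triggered ? "level" : "edge",
               msi_is_benign(&m) ? "benign" : "suspicious");
    }
    return 0;
}
```

Because the decoded structure has nothing to carry a source, any policy like `msi_is_benign` can only say that a message is malformed for a device interrupt; it cannot say which of several passed-through devices, or which driver domain, produced it. Attribution has to come from elsewhere (for example, from interrupt remapping state keyed by requester ID), not from the message the LAPIC receives.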