From: "Jan Beulich" <jbeulich@novell.com>
To: Ian.Campbell@citrix.com, joseph.cihula@intel.com
Cc: xen-devel@lists.xensource.com
Subject: RE: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Tue, 17 May 2011 08:42:40 +0100 [thread overview]
Message-ID: <4DD235010200007800070074@vpn.id2.novell.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 1866 bytes --]
>>> "Cihula, Joseph" 05/16/11 11:34 PM >>>
>IOMMU adds security capabilities. IR adds additional security capabilities. IOMMU allows for fully isolating the hypervisor
>from domains even if the domains control DMA devices. It helps to protect against buggy drivers or device FW by limiting
>the areas such bugs can affect to just the DMA data buffers. IOMMU, in conjunction with Intel(R) Trusted Execution
>Technology (TXT), provides DMA protection through the entire launch process and into runtime. This is all true regardless
>of the presence of IR. IR adds the ability to prevent DoS attacks by untrusted domains with assigned DMA devices,
>malicious device FW, etc. This is incremental--not all or nothing.
I think this is the problem - you're saying things like "fully isolating" and "regardless of the presence of IR", while the paper they made accessible meanwhile makes clear that neither is true. Thus the mere presence of DMA protection creates false expectation of customers - without IR (and with MSI supported by the system, not necessarily the device passed through) there's no way for isolation to become complete (actually, with non-MSI-capable devices or by disallowing MSI altogether on capable ones, depending of whether MSI writes bypass the IOMMU or simply get 1:1 translated, it could be possible to make this secure).
>The 00-block-msis-on-trap-vectors patch (esp. in conjunction with TXT) prevents all known security exploits of MSI misuse.
All? Not really, just a very small subset, and only partially. The SIPI one is perhaps the worst case (not prevented by this patch), but being able to send SMI or NMI perhaps isn't much better (as long as we're considering DoS attacks to also be a problem, which at least I do, and in which case said patch only converts from one [worse] to another ["better"] evil).
Jan
[-- Attachment #1.2: HTML --]
[-- Type: text/html, Size: 2186 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next reply other threads:[~2011-05-17 7:42 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-17 7:42 Jan Beulich [this message]
2011-05-17 22:52 ` Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Cihula, Joseph
2011-05-18 8:54 ` Ian Campbell
2011-05-19 20:48 ` Cihula, Joseph
2011-05-20 10:17 ` Tim Deegan
2011-05-20 16:02 ` Cihula, Joseph
2011-05-22 18:14 ` Tim Deegan
2011-05-23 21:35 ` Cihula, Joseph
2011-05-24 9:03 ` Tim Deegan
2011-05-24 16:56 ` Ian Jackson
2011-05-24 19:23 ` Cihula, Joseph
2011-05-25 10:13 ` Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI [and 2 more messages] Ian Jackson
2011-06-01 18:06 ` Cihula, Joseph
2011-05-25 10:46 ` Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Alan Cox
2011-05-20 17:19 ` Ian Jackson
2011-05-22 18:15 ` Tim Deegan
2011-05-23 9:02 ` Ian Campbell
2011-05-24 15:15 ` Ian Jackson
2011-05-24 15:57 ` Keir Fraser
2011-05-24 16:16 ` Ian Pratt
2011-05-24 17:14 ` Ian Jackson
2011-05-24 19:35 ` Cihula, Joseph
-- strict thread matches above, loose matches on Subject: below --
2011-05-12 13:48 Ian Jackson
2011-05-12 13:49 ` Ian Jackson
2011-05-13 8:08 ` Jan Beulich
2011-05-13 11:08 ` Joanna Rutkowska
2011-05-13 11:11 ` Ian Campbell
2011-05-13 11:20 ` Joanna Rutkowska
2011-05-13 12:34 ` Jan Beulich
2011-05-13 12:29 ` Jan Beulich
2011-05-13 12:50 ` Tim Deegan
2011-05-13 10:25 ` Ian Campbell
2011-05-16 21:34 ` Cihula, Joseph
2011-05-18 8:53 ` Ian Campbell
2011-05-18 10:03 ` Keir Fraser
2011-05-18 10:06 ` Ian Campbell
2011-05-13 17:32 ` Joanna Rutkowska
2011-05-13 17:35 ` Joanna Rutkowska
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DD235010200007800070074@vpn.id2.novell.com \
--to=jbeulich@novell.com \
--cc=Ian.Campbell@citrix.com \
--cc=joseph.cihula@intel.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.