All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Cihula, Joseph" <joseph.cihula@intel.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Ian Pratt <Ian.Pratt@eu.citrix.com>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>,
	Tim, Deegan <Tim.Deegan@eu.citrix.com>,
	"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
	Keir Fraser <keir@xen.org>
Subject: RE: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Tue, 24 May 2011 12:35:16 -0700	[thread overview]
Message-ID: <4F65016F6CB04E49BFFA15D4F7B798D901B792DA43@orsmsx506.amr.corp.intel.com> (raw)
In-Reply-To: <19931.59237.816706.497141@mariner.uk.xensource.com>

> From: Ian Jackson [mailto:Ian.Jackson@eu.citrix.com]
> Sent: Tuesday, May 24, 2011 10:14 AM
> 
> Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough)
> MSI"):
> > My inclination would be such that iommu=force is allowed on non IR
> > systems, but where IR is expected to be present e.g. sandybridge
> > generation we insist that it is enabled (i.e. that the BIOS supports
> > it).
> 
> I don't think that's a conceptually coherent point of view, unless the purpose is to avoid
> marketing embarrassment.
> 
> Either IR is required for a secure system with passthrough, in which case iommu=force should
> require IR, or it is not required for a secure system with passthrough, in which case iommu=force
> should not insist on it.

None of the proposed patches check for whether passthrough is being used.  Nor can they check whether it is being used safely (it may be used for performance by domains that are trusted).

Whether IR is required for a secure system with passthrough depends on the usage model (as I indicated in an earlier email).  The user/distributor should decide whether their usage model requires it or not.  If it does, then all they need to do is run on HW that supports IR (and if they're worried about the pre-OS attack then use TXT, which would be necessary anyway).

> Whether it is required for security doesn't depend on whether it is actually available.  That
> there are some motherboards which cannot do passthrough securely does not mean that we should
> allow users of those boards to be led up the garden path.

  reply	other threads:[~2011-05-24 19:35 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-05-17  7:42 Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Jan Beulich
2011-05-17 22:52 ` Cihula, Joseph
2011-05-18  8:54   ` Ian Campbell
2011-05-19 20:48     ` Cihula, Joseph
2011-05-20 10:17       ` Tim Deegan
2011-05-20 16:02         ` Cihula, Joseph
2011-05-22 18:14           ` Tim Deegan
2011-05-23 21:35             ` Cihula, Joseph
2011-05-24  9:03               ` Tim Deegan
2011-05-24 16:56               ` Ian Jackson
2011-05-24 19:23                 ` Cihula, Joseph
2011-05-25 10:13                   ` Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI [and 2 more messages] Ian Jackson
2011-06-01 18:06                     ` Cihula, Joseph
2011-05-25 10:46                   ` Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Alan Cox
2011-05-20 17:19         ` Ian Jackson
2011-05-22 18:15           ` Tim Deegan
2011-05-23  9:02             ` Ian Campbell
2011-05-24 15:15               ` Ian Jackson
2011-05-24 15:57                 ` Keir Fraser
2011-05-24 16:16                   ` Ian Pratt
2011-05-24 17:14                     ` Ian Jackson
2011-05-24 19:35                       ` Cihula, Joseph [this message]
  -- strict thread matches above, loose matches on Subject: below --
2011-05-12 13:48 Ian Jackson
2011-05-12 13:49 ` Ian Jackson
2011-05-13  8:08 ` Jan Beulich
2011-05-13 11:08   ` Joanna Rutkowska
2011-05-13 11:11     ` Ian Campbell
2011-05-13 11:20       ` Joanna Rutkowska
2011-05-13 12:34         ` Jan Beulich
2011-05-13 12:29     ` Jan Beulich
2011-05-13 12:50       ` Tim Deegan
2011-05-13 10:25 ` Ian Campbell
2011-05-16 21:34   ` Cihula, Joseph
2011-05-18  8:53     ` Ian Campbell
2011-05-18 10:03       ` Keir Fraser
2011-05-18 10:06         ` Ian Campbell
2011-05-13 17:32 ` Joanna Rutkowska
2011-05-13 17:35   ` Joanna Rutkowska

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4F65016F6CB04E49BFFA15D4F7B798D901B792DA43@orsmsx506.amr.corp.intel.com \
    --to=joseph.cihula@intel.com \
    --cc=Ian.Campbell@eu.citrix.com \
    --cc=Ian.Jackson@eu.citrix.com \
    --cc=Ian.Pratt@eu.citrix.com \
    --cc=Tim.Deegan@eu.citrix.com \
    --cc=keir@xen.org \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.