From: "Cihula, Joseph"
Subject: RE: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Tue, 24 May 2011 12:35:16 -0700
Message-ID: <4F65016F6CB04E49BFFA15D4F7B798D901B792DA43@orsmsx506.amr.corp.intel.com>
References: <19931.52091.713851.292632@mariner.uk.xensource.com> <4FA716B1526C7C4DB0375C6DADBC4EA3B2C2ABD055@LONPMAILBOX01.citrite.net> <19931.59237.816706.497141@mariner.uk.xensource.com>
In-Reply-To: <19931.59237.816706.497141@mariner.uk.xensource.com>
To: Ian Jackson, Ian Pratt
Cc: Ian Campbell, Tim Deegan, xen-devel@lists.xensource.com, Keir Fraser
List-Id: xen-devel@lists.xenproject.org

> From: Ian Jackson [mailto:Ian.Jackson@eu.citrix.com]
> Sent: Tuesday, May 24, 2011 10:14 AM
>
> Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI"):
> > My inclination would be such that iommu=force is allowed on non IR
> > systems, but where IR is expected to be present e.g. sandybridge
> > generation we insist that it is enabled (i.e. that the BIOS supports
> > it).
>
> I don't think that's a conceptually coherent point of view, unless the purpose is to avoid marketing embarrassment.
>
> Either IR is required for a secure system with passthrough, in which case iommu=force should require IR, or it is not required for a secure system with passthrough, in which case iommu=force should not insist on it.

None of the proposed patches check for whether passthrough is being used. Nor can they check whether it is being used safely (it may be used for performance by domains that are trusted).

Whether IR is required for a secure system with passthrough depends on the usage model (as I indicated in an earlier email). The user/distributor should decide whether their usage model requires it or not. If it does, then all they need to do is run on HW that supports IR (and if they're worried about the pre-OS attack then use TXT, which would be necessary anyway).

> Whether it is required for security doesn't depend on whether it is actually available. That there are some motherboards which cannot do passthrough securely does not mean that we should allow users of those boards to be led up the garden path.