From: "Jan Beulich"
Subject: Re: [TESTDAY] PV / HVM pass-through works when IOMMU present; weird failures when not
Date: Mon, 01 Jul 2013 13:31:54 +0100
Message-ID: <51D192DA02000078000E1F38@nat28.tlf.novell.com>
References: <51CDCF5302000078000E1A47@nat28.tlf.novell.com> <51D15F9E.4020309@eu.citrix.com>
To: George Dunlap
Cc: Ian Jackson, Ian Campbell, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

>>> On 01.07.13 at 14:15, George Dunlap wrote:
> On Mon, Jul 1, 2013 at 11:53 AM, George Dunlap
> wrote:
>> On 28/06/13 17:00, Jan Beulich wrote:
>>>>>>
>>>>>> On 28.06.13 at 17:37, George Dunlap
>>>>>> wrote:
>>>>
>>>> - For HVM guests, the only user-visible indication that the IOMMU has
>>>> been disabled is the following error message on the command-line:
>>>>
>>>> # xl pci-attach h0 07:00.0
>>>> libxl: error: libxl_pci.c:949:do_pci_add: xc_assign_device failed
>>>>
>>>> However, the device itself ends up passed-through to the guest anyway;
>>>> the guest seems to be able to see it and interact with it normally.
>>>> This is particularly scary, as in theory this should not be possible
>>>> without a working IOMMU.
>>>>
>>>> I don't think this is a blocker for 4.3, but we should definitely
>>>> release note it, and for 4.4 add a check to see if there is a
>>>> functioning IOMMU and only add a device if there's an override set.
>>>
>>> To me this very much looks like a security problem (which I
>>> think we should fix asap).
>>
>>
>> Is it worth delaying the release (yet) another week for?
>>
>> Probably the simplest solution at the moment, if there's an easy way for the
>> toolstack to figure out whether there is a working IOMMU or not, is to
>> simply not allow pass-through without an IOMMU unless there is an override
>> option.
>
> On further reflection, I think there isn't actually a security bug
> here: The promised behavior as of now is that if you really need to
> have an iommu, then you should specify "iommu=force". If I specify
> iommu=force, then of course Xen doesn't boot, and I can't trigger this
> problem.

I disagree, not the least because the behavior was different with
xend: When there's no IOMMU, pass-through to HVM must not
happen (or we'd have to suppress bus mastering on any such
passed through device). Pass-through to PV may happen, but is
insecure (as would be pass-through to HVM with disabled bus
mastering).

So to anyone migrating from xend, if we don't change things, this
will at least be perceived as a security bug.

> This is actually a pretty awful interface, and should change, but
> that's a 4.4 thing, not a 4.3 thing. Since we haven't had any other
> issues reported, I think we should go ahead with the scheduled release
> tomorrow.

As per the above and the earlier reply I sent, I don't think we
should release without this fixed. Let me see whether the minimal
fix I sketched out earlier works...

Jan
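
The toolstack-side check discussed in this thread can be sketched as a pre-flight gate run in dom0 before `xl pci-attach`. This is an added example, not part of the original message and not Xen project code. It assumes `xl info` reports the `hvm_directio` token in `virt_caps` when the IOMMU is usable; the `OVERRIDE` argument and function names are hypothetical, and the policy (HVM never without an IOMMU, PV only with an explicit override) follows the positions stated above.

```shell
#!/bin/sh
# Added example (not from the thread): refuse PCI pass-through when the
# host has no working IOMMU, instead of relying on xc_assign_device failing.

# Constructed `xl info` excerpt for a host whose IOMMU is disabled.
SAMPLE_NO_IOMMU='host                   : testbox
xen_major              : 4
xen_minor              : 3
virt_caps              : hvm
total_memory           : 8191'

# Constructed `xl info` excerpt for a host with a working IOMMU.
SAMPLE_IOMMU='host                   : testbox
virt_caps              : hvm hvm_directio
total_memory           : 8191'

# has_iommu: reads `xl info` text on stdin; succeeds only if the
# virt_caps line carries the exact token "hvm_directio".
has_iommu() {
    awk -F: '$1 ~ /^virt_caps[ \t]*$/ {
                 n = split($2, caps, " ")
                 for (i = 1; i <= n; i++)
                     if (caps[i] == "hvm_directio") found = 1
             }
             END { exit found ? 0 : 1 }'
}

# passthrough_decision GUEST_TYPE OVERRIDE   (xl info text on stdin)
#   GUEST_TYPE: hvm | pv
#   OVERRIDE:   1 if the admin explicitly accepted the risk (hypothetical knob)
# Prints "allow" or "deny".
passthrough_decision() {
    if has_iommu; then
        echo allow
        return 0
    fi
    case "$1:$2" in
        pv:1) echo allow ;;  # PV without IOMMU: insecure, explicit opt-in only
        *)    echo deny ;;   # HVM without IOMMU: never; PV without override: no
    esac
}

# Typical use in dom0 (not executed here):
#   [ "$(xl info | passthrough_decision hvm 0)" = allow ] && xl pci-attach h0 07:00.0
```
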