[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
> From: Ian Jackson [mailto:Ian.Jackson@xxxxxxxxxxxxx]
> Sent: Tuesday, May 24, 2011 10:14 AM
> Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d
> (PCI passthrough)
> > My inclination would be such that iommu=force is allowed on non IR
> > systems, but where IR is expected to be present e.g. sandybridge
> > generation we insist that it is enabled (i.e. that the BIOS supports
> > it).
> I don't think that's a conceptually coherent point of view, unless the
> purpose is to avoid
> marketing embarrassment.
> Either IR is required for a secure system with passthrough, in which case
> iommu=force should
> require IR, or it is not required for a secure system with passthrough, in
> which case iommu=force
> should not insist on it.
None of the proposed patches check for whether passthrough is being used. Nor
can they check whether it is being used safely (it may be used for performance
by domains that are trusted).
Whether IR is required for a secure system with passthrough depends on the
usage model (as I indicated in an earlier email). The user/distributor should
decide whether their usage model requires it or not. If it does, then all they
need to do is run on HW that supports IR (and if they're worried about the
pre-OS attack then use TXT, which would be necessary anyway).
> Whether it is required for security doesn't depend on whether it is actually
> available. That
> there are some motherboards which cannot do passthrough securely does not
> mean that we should
> allow users of those boards to be led up the garden path.
Xen-devel mailing list