[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.16] x86/pass-through: documents as security-unsupported when sharing resources



commit 638f21616a7a9e94ebae134573ca42d977a65063
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Aug 13 16:52:44 2024 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Aug 13 16:52:44 2024 +0200

    x86/pass-through: documents as security-unsupported when sharing resources
    
    When multiple devices share resources and one of them is to be passed
    through to a guest, security of the entire system and of respective
    guests individually cannot really be guaranteed without knowing
    internals of any of the involved guests.  Therefore such a configuration
    cannot really be security-supported, yet making that explicit was so far
    missing.
    
    This is XSA-461 / CVE-2024-31146.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
    master commit: 9c94eda1e3790820699a6de3f6a7c959ecf30600
    master date: 2024-08-13 16:37:25 +0200
---
 SUPPORT.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index 15fbad84a7..fbbb267bf1 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -704,6 +704,11 @@ This feature is not security supported: see 
https://xenbits.xen.org/xsa/advisory
 
 Only systems using IOMMUs are supported.
 
+Passing through of devices sharing resources with another device is not
+security supported.  Such sharing could e.g. be the same line interrupt being
+used by multiple devices, one of which is to be passed through, or two such
+devices having memory BARs within the same 4k page.
+
 Not compatible with migration, populate-on-demand, altp2m,
 introspection, memory sharing, or memory paging.
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.16



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.