[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support

To: "Keir Fraser" <Keir.Fraser@xxxxxxxxxxxx>
From: "Wei Wang2" <wei.wang2@xxxxxxx>
Date: Thu, 10 Jan 2008 18:31:54 +0100
Cc: muli@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx, Michael.Hohmuth@xxxxxxx, thomas.woller@xxxxxxx, iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx, Uwe.Dannowski@xxxxxxx
Delivery-date: Thu, 10 Jan 2008 09:34:19 -0800
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

If a halfway work can trigger any de-initialization routines, perhaps
device driver will deallocate dma pages which are in use and iommu
unmapping can be triggered?

-Wei

On Thu, 2008-01-10 at 16:58 +0000, Keir Fraser wrote:
> Grant mappings will only be triggered for I/O to/from foreign domains. I'm
> not really convinced that protecting a driver domain's own memory against
> errant DMAs is that important anyway. Firstly, there are many other ways
> that a buggy driver can screw its domain, other than errant DMA. Secondly,
> any driver that haflway works will request a DMA mapping from the OS before
> it initiates any DMA (otherwise the driver would *never* work) and that
> would probably be the point at which the OS would set up the iommu mapping.
> That's the problem -- the OS will be trusting the driver to tell it when a
> mapping should be set up, and that request will usually be co-located in the
> driver code with the actual DMA initiation. So if the driver is issuing
> errant DMAs, the OS is rather likely to let them happen!
> 
>  -- Keir
> 
> 
> On 10/1/08 16:52, "Wei Wang2" <wei.wang2@xxxxxxx> wrote:
> 
> > On Thu, 2008-01-10 at 15:54 +0000, Keir Fraser wrote:
> >> Grant table mappings/unmappings are an obvious place where we already trap
> >> to the hypervisor and could make correspodning changes to iommu mappings?
> > Can grant mapping cover the situation in which a device only be accessed
> > by a driver domain other than be shared with any remote domain? In other
> > word, when a device is only access by a driver domain, does grant table
> > mapping still happen? If yes, it is the best way to go.
> > 
> >> It depends if we want the iommu to do any more than prevent arbitrary DMA
> >> access to foreign pages. What's the threat model you are wanting to use the
> >> iommu to protect against?
> > I think IOMMU can help to prevent buggy driver from destroying memory 
> > content
> > of both 
> > driver domain itself and foreign domain. Proper IO address which is
> > requested by device driver should only be provided by some pre-defined
> > interfaces/hypercalls.  Arbitrary dma addresses written to a device by a
> > buggy driver will not trigger address translations.
> 
> 
> 
> 




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- [Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support
  - From: Keir Fraser

Prev by Date: Re: [Xen-devel] [PATCH] respin of mprotect performance patch
Next by Date: Re: [Xen-devel] [PATCH] respin of mprotect performance patch
Previous by thread: [Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support
Next by thread: [Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.