RE: [Xen-devel] [PATCH][RFC] Support more Capability Structures and Device Specific
Alan Cox wrote:
>> I think it is fine to have a passthrough option which
>> doesn't properly protect the host from the guest - this
>> is a useful setup in many situations. But it should not
>> be enabled by default, surely ?
>
> Agreed entirely. Note also that some implementations of
> an IOMMU will not save you as they don't fence between
> individual PCI devices (PCIE is obviously a bit easier).

The IOMMU, at least Intel's IOMMU, doesn't support pure PCI devices; only PCIe devices can be DMA protected.

> Not fencing between devices allows you for example to use
> a fairly flexible SCSI controller to reprogram another
> device.

Again, at least for the Intel IOMMU, devices under a root endpoint can never escape IOMMU DMA protection. Right now we don't support assignment of PCIe devices under a switch, but once ATS or ACS is implemented we can assign devices under a switch, where either the switch disables peer-to-peer transactions or always passes "untranslated" traffic up to upstream. So your concern is not real IMO, no? Or do you mean the AMD IOMMU may have a different implementation?

> In the general case there are also some really nasty
> dirty attacks you can't stop with an IOMMU one of which
> is to reflash the BIOS of the graphics card to which you
> were given unrestricted access so that you compromise the
> entire system next boot. These attacks appear well
> understood except by IOMMU marketing people ;)

Same as above: this is already protected by the IOMMU; peer-to-peer DMA is not supported right now.

> IOMMU is great for system correctness and flexibility,
> using it for safely providing hardware direct access is a
> very very hairy business with a complex device.

Agree, that is why we are here :)

Thx, eddie

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
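The ACS condition the reply relies on (the switch either blocks peer-to-peer transactions or forwards them upstream so the IOMMU sees them) is something a practitioner can check per device. The following is an added example, not code from this thread, from Xen or from Intel: it walks a PCIe extended capability list, locates the ACS capability, and reports whether the Source Validation, Request Redirect, Completion Redirect and Upstream Forwarding bits are both advertised and enabled. The config-space images it inspects are constructed inline for the example (an AER capability at 0x100 chained to an ACS capability at 0x140), not captured from hardware; the register layout and bit positions follow the PCIe ACS extended capability.

```c
/* Added example (not Xen/Intel code): does this port's ACS configuration
 * force peer-to-peer traffic upstream, where the IOMMU can translate it? */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCIE_CFG_SIZE       4096
#define PCIE_EXT_CAP_START  0x100
#define PCI_EXT_CAP_ID_AER  0x0001
#define PCI_EXT_CAP_ID_ACS  0x000D

/* ACS Capability / Control register bits (same layout in both). */
#define ACS_SV 0x01   /* Source Validation       */
#define ACS_TB 0x02   /* Translation Blocking    */
#define ACS_RR 0x04   /* P2P Request Redirect    */
#define ACS_CR 0x08   /* P2P Completion Redirect */
#define ACS_UF 0x10   /* Upstream Forwarding     */

/* Bits a downstream port must both advertise and enable so that P2P
 * requests and completions go upstream instead of directly to a peer. */
#define ACS_P2P_ISOLATION (ACS_SV | ACS_RR | ACS_CR | ACS_UF)

static uint32_t rd32(const uint8_t *c, unsigned o)
{
    return (uint32_t)c[o] | (uint32_t)c[o + 1] << 8 |
           (uint32_t)c[o + 2] << 16 | (uint32_t)c[o + 3] << 24;
}
static uint16_t rd16(const uint8_t *c, unsigned o)
{
    return (uint16_t)(c[o] | c[o + 1] << 8);
}
static void wr32(uint8_t *c, unsigned o, uint32_t v)
{
    c[o] = (uint8_t)v; c[o + 1] = (uint8_t)(v >> 8);
    c[o + 2] = (uint8_t)(v >> 16); c[o + 3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *c, unsigned o, uint16_t v)
{
    c[o] = (uint8_t)v; c[o + 1] = (uint8_t)(v >> 8);
}

/* Walk the extended capability list (header: ID[15:0], version[19:16],
 * next[31:20]); return the offset of capability `id`, or 0 if absent.
 * The hop limit guards against a malformed or looping list. */
unsigned find_ext_cap(const uint8_t *cfg, uint16_t id)
{
    unsigned off = PCIE_EXT_CAP_START;
    for (int hops = 0; hops < 64; hops++) {
        if (off < PCIE_EXT_CAP_START || off + 8 > PCIE_CFG_SIZE)
            return 0;
        uint32_t hdr = rd32(cfg, off);
        if (hdr == 0 || hdr == 0xffffffffu)   /* empty list / absent device */
            return 0;
        if ((hdr & 0xffff) == id)
            return off;
        off = (hdr >> 20) & 0xffc;            /* next pointer, DWORD aligned */
        if (off == 0)
            return 0;
    }
    return 0;
}

/* 0 = no ACS capability, 1 = ACS present but P2P not isolated,
 * 2 = isolation bits advertised and enabled. */
int acs_p2p_isolated(const uint8_t *cfg)
{
    unsigned off = find_ext_cap(cfg, PCI_EXT_CAP_ID_ACS);
    if (off == 0)
        return 0;
    uint16_t cap  = rd16(cfg, off + 4);   /* ACS Capability Register */
    uint16_t ctrl = rd16(cfg, off + 6);   /* ACS Control Register    */
    /* A bit only counts if the port advertises it AND software enabled it. */
    return ((cap & ctrl & ACS_P2P_ISOLATION) == ACS_P2P_ISOLATION) ? 2 : 1;
}

/* Constructed sample image: AER at 0x100 chained to ACS at 0x140. */
static uint8_t sample_cfg[PCIE_CFG_SIZE];

const uint8_t *build_sample_cfg(int with_acs, uint16_t acs_cap, uint16_t acs_ctrl)
{
    memset(sample_cfg, 0, sizeof sample_cfg);
    unsigned next = with_acs ? 0x140u : 0u;
    wr32(sample_cfg, 0x100, PCI_EXT_CAP_ID_AER | (1u << 16) | (next << 20));
    if (with_acs) {
        wr32(sample_cfg, 0x140, PCI_EXT_CAP_ID_ACS | (1u << 16)); /* last cap */
        wr16(sample_cfg, 0x144, acs_cap);
        wr16(sample_cfg, 0x146, acs_ctrl);
    }
    return sample_cfg;
}

int acs_verdict(int with_acs, uint16_t acs_cap, uint16_t acs_ctrl)
{
    return acs_p2p_isolated(build_sample_cfg(with_acs, acs_cap, acs_ctrl));
}

int main(void)
{
    static const char *txt[] = { "no ACS", "ACS present, P2P not isolated",
                                 "P2P redirected upstream" };
    printf("cap 0x7f ctl 0x1d: %s\n", txt[acs_verdict(1, 0x7f, 0x1d)]);
    printf("cap 0x7f ctl 0x00: %s\n", txt[acs_verdict(1, 0x7f, 0x00)]);
    printf("cap 0x0d ctl 0x1d: %s\n", txt[acs_verdict(1, 0x0d, 0x1d)]);
    printf("no ACS capability: %s\n", txt[acs_verdict(0, 0, 0)]);
    return 0;
}
```

On real hardware the same two registers are what `lspci -vvv` prints as the ACSCap and ACSCtl lines of the Access Control Services capability; the point of checking the capability register as well as the control register is that a port can have the redirect bits set in software while not actually advertising them, in which case the writes are ignored and peer-to-peer traffic is still routed directly.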