RE: [Xen-devel] [PATCH][RFC] Support more Capability Structures andDevice Specific

["Dong, Eddie" <eddie.dong@xxxxxxxxx>]

Alan Cox wrote:
>> I think it is fine to have a passthrough option which
>> doesn't properly protect the host from the guest - this
>> is a useful setup in many situations.  But it should not
>> be enabled by default, surely ? 
> 
> Agreed entirely. Note also that some implementations of
> an IOMMU will not save you as they don't fence between
> individual PCI devices (PCIE is obviously a bit easier).

IOMMU, at least Intel's IOMMU, doesn't support pure PCI device, only
PCIe devices can be DMA protected.

> Not fencing between devices allows you for example to use
> a fairly flexible SCSI controller to reprogram another
> device. 

Again, at least for Intel IOMMU, devices under root endpoint can never
escape from IOMMU DMA protection, right now we don't support PCIe
devices under a switch to do assignement, but with future ATS or ACS is
implemented, we can assign devices under a switch, where ether the
switch disable peer to peer transaction or always pass up "untranslated"
traffic to upstream.

So your concern is a not real IMO, not? Or do u mean AMD IOMMU may have
different implementation? 

> 
> In the general case there are also some really nasty
> dirty attacks you can't stop with an IOMMU one of which
> is to reflash the BIOS of the graphics card to which you
> were given unrestricted access so that you compromise the
> entire system next boot. These attacks appear well
> understood except by IOMMU marketing people ;) 

Same with above, this is already protected by IOMMU, peer to peer DMA is
not supported right now.

> 
> IOMMU is great for system correctness and flexibility,
> using it for safely providing hardware direct access is a
> very very hairy business with a complex device.
> 
Agree, that is why we are here :)

Thx, eddie


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel