Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
On 24/05/2011 16:15, "Ian Jackson" <Ian.Jackson@xxxxxxxxxxxxx> wrote:

> Ian Campbell writes ("Re: [Xen-devel] Xen security advisory CVE-2011-1898 -
> VT-d (PCI passthrough) MSI"):
>> IOMMU: Fail if intremap is not available and iommu=required/force.
>>
>> Rather than sprinkling panic()s throughout the setup code hoist the check up
>> into common code.
>>
>> Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
>
> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>
> Keir, do you think we should apply this then?

<sigh> take your pick really. Majority opinion is on the side of this revised patch, however Intel are the primary maintainers of this code and they clearly do not like it.

If I have a casting vote here, I would be inclined to plump in favour of the revised patch -- we already have iommu=on as a best-effort option, and I believe iommu=force could be stronger than it is. However Joseph's claim that the non-DoS vulns may all now be handled is not as unconvincing as some seem to believe (and I was in that camp for a while) -- I can't really see how the attack vector can be successfully exploited now my mitigation patch is in the tree.

So I'm not strongly inclined one way or the other really.

 -- Keir

> Ian.
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel