[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI

To: Keir Fraser <keir@xxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxxx>
Date: Tue, 24 May 2011 17:16:42 +0100
Accept-language: en-US
Acceptlanguage: en-US
Cc: Tim Deegan <Tim.Deegan@xxxxxxxxxxxxx>, Ian Pratt <Ian.Pratt@xxxxxxxxxxxxx>, "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 24 May 2011 09:23:47 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
Thread-index: AcwaK0dbB1td/JIyDE+h2p2VVYx4ZgAAkVMQ
Thread-topic: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI

> <sigh> take your pick really. Majority opinion is on the side of this
> revised patch, however Intel are the primary maintainers of this code and
> they clearly do not like it. If I have a casting vote here, I would be
> inclined to plump in favour of the revised patch -- we already have
> iommu=on
> as a best-effort option, and I believe iommu=force could be stronger than it
> is. However Joseph's claim that the non-DoS vulns may all now be handled is
> not as unconvincing as some seem to believe (and I was in that camp for a
> while) -- I can't really see how the attack vector can be successfully
> exploited now my mitigation patch is in the tree. So I'm not strongly
> inclined one way or the other really.

My inclination would be such that iommu=force is allowed on non IR systems, but 
where IR is expected to be present e.g. sandybridge generation we insist that 
it is enabled (i.e. that the BIOS supports it).

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Ian Jackson

References:
- Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Ian Jackson
- Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
  - From: Keir Fraser

Prev by Date: Re: [Xen-devel] [PATCH] [PATCH v2] build: Don't fetch tools/ioemu-dir unless needed
Next by Date: Re: [Xen-devel] [PATCH] libxc: use correct macro when unmapping memory after save operation
Previous by thread: Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Next by thread: RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.