
Re: [Xen-devel] [PATCH 2 of 2] xl, libxl: Add per-device and global permissive config options for pci passthrough

On 02/04/12 16:51, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] [PATCH 2 of 2] xl, libxl: Add per-device and global permissive config options for pci passthrough"):
>> I'm not sure how we can make it more definite.  What's possible (i.e.,
>> the security implications) entirely depends on the card; and what's
>> likely (i.e., the stability implications) entirely depends on the card
>> and the driver.  Short of giving a short discourse on the vices of
>> various cards' PCI config space (which is entirely inappropriate for a
>> man page, IMHO), I'm not sure what more we can say.
> Is it generally or usually the case that this option will more
> completely expose the host?
So, worst-case, the guest driver can make the card do anything a card can actually do. Most of the things a card can do can be mitigated by the IOMMU. But there may be some things which are not; and there are some people still running older hardware that either doesn't have an IOMMU, or whose IOMMU cannot handle important cases (e.g., Intel boxes with VTD but no interrupt remapping, if you recall the security issue related to this last year).

One of the examples Stefano gave of config stuff that can cause problems is the power management features: if the guest driver powers down the card, then when libxl tries to reset the card, it generates a PCI error interrupt. This used to crash Xen. (It's now been fixed.)

But on the other hand, how many cards even have these kinds of dangerous capabilities in their PCI registers? Most of them are probably just fine. And in the case of driver domains, most people will be running trusted software anyway; the driver will be the same in the domU as the dom0.

Still, we can't very well just turn things on by default and hope for the best; people need to know that they're doing something potentially dangerous. But we can't really tell people how dangerous this thing might be, because we don't actually know how many cards might actually be dangerous, and we don't know what kind of software they're allowing access to the card. And again, we can't just not give the option, because many cards need it to run, and most of the time it's just fine.

This is probably worth doing some more investigation and writing up in a doc and/or a wiki page somewhere; but I'm not sure we can do more in a man page than give a necessarily unspecific warning.

>> I thought it was unnecessary to duplicate, but I can do so if you prefer.
> I guess that depends on how strong a statement it is.
>
> I think you should consider breaking out the sysfs writing function
> and refactoring with the very similar code in libxl__device_pci_reset,
> rather than introducing yet another clone.
>> I shall consider it. :-)
> Thanks :-).
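The thread asks how many cards actually expose capabilities (such as power management) through config space that a permissive guest could poke at. An added example, not code from the patch or from anyone in this thread, that takes that inventory: it walks the standard PCI capability list of a raw config-space image (the format Linux exposes as /sys/bus/pci/devices/<BDF>/config) and reports the current power state from PMCSR; the 256-byte image below is constructed, not captured from a real device.

```python
import struct
# Capability IDs from the PCI / PCIe base specs (subset).
CAP_NAMES = {
    0x01: "Power Management",  # the PM capability discussed in the thread
    0x05: "MSI",
    0x10: "PCI Express",
    0x11: "MSI-X",
}

def walk_capabilities(cfg):
    """Return [(offset, cap_id), ...] by following the capability linked list.

    Status register (offset 0x06) bit 4 says a list exists; the head pointer
    lives at 0x34 and each entry is (cap_id, next_ptr). Pointers are masked
    to dword alignment and a visited set stops loops in a malformed image.
    """
    if len(cfg) < 0x40:
        raise ValueError("config space image too short")
    status = struct.unpack_from("<H", cfg, 0x06)[0]
    if not status & 0x10:
        return []
    caps, seen, ptr = [], set(), cfg[0x34] & 0xFC
    while ptr and ptr not in seen and ptr + 2 <= len(cfg):
        seen.add(ptr)
        caps.append((ptr, cfg[ptr]))
        ptr = cfg[ptr + 1] & 0xFC
    return caps

def pm_state(cfg):
    """Current D-state (0-3) from PMCSR, or None if there is no PM capability."""
    for off, cap_id in walk_capabilities(cfg):
        if cap_id == 0x01:
            return struct.unpack_from("<H", cfg, off + 4)[0] & 0x3
    return None

# Constructed 256-byte image (not a real device): list at 0x40 (PM, in D3hot)
# -> 0x50 (MSI) -> 0x60 (PCIe) -> end.
SAMPLE = bytearray(256)
struct.pack_into("<H", SAMPLE, 0x06, 0x0010)  # status: capability list present
SAMPLE[0x34] = 0x40
SAMPLE[0x40:0x42] = bytes([0x01, 0x50])
struct.pack_into("<H", SAMPLE, 0x44, 0x0003)  # PMCSR PowerState = D3hot
SAMPLE[0x50:0x52] = bytes([0x05, 0x60])
SAMPLE[0x60:0x62] = bytes([0x10, 0x00])

if __name__ == "__main__":
    for off, cap_id in walk_capabilities(SAMPLE):
        print(f"0x{off:02x}: {CAP_NAMES.get(cap_id, f'id 0x{cap_id:02x}')}")
    print("PM state: D%s" % pm_state(SAMPLE))
```

On a real host, replace SAMPLE with `open("/sys/bus/pci/devices/0000:01:00.0/config", "rb").read()` (device address is a placeholder); a card found in D3hot here is exactly the case the thread describes, where a later reset raises a PCI error.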

