Re: [Xen-devel] [PATCH] VT-d: fix RMRR handling

["Zhang, Xiantao" <xiantao.zhang@xxxxxxxxx>]

Ok, make sense, thanks, Jan! 
Acked-by: Xiantao Zhang <xiantao.zhang@xxxxxxxxx>

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Tuesday, March 4, 2014 4:05 PM
> To: Zhang, Xiantao
> Cc: xen-devel
> Subject: RE: [PATCH] VT-d: fix RMRR handling
> 
> >>> On 01.03.14 at 08:03, "Zhang, Xiantao" <xiantao.zhang@xxxxxxxxx> wrote:
> > Jan, my comments embedded, thanks!
> >
> >> Removing mapped RMRR tracking structures in dma_pte_clear_one() is
> >> wrong for two reasons: First, these regions may cover more than a
> >> single page. And second, multiple devices (and hence multiple devices
> >> assigned to any particular guest) may share a single RMRR (whether
> >> assigning such devices to distinct guests is a safe thing to do is another
> question).
> >
> > Agree, this is a real issue as you described
> >
> >> Therefore move the removal of the tracking structures into the
> >> counterpart function to the one doing the insertion -
> >> intel_iommu_remove_device(), and add a reference count to the tracking
> structure.
> >
> > Adding a reference count is a good idea, but from the logic, seems you
> > are adding a global counter for each rmrr?
> 
> I don't think so: mapped_rmrrs is rooted in struct hvm_iommu, which is a
> per-domain thing.
> 
> > In theory, one rmrr may be mapped for multiple devices in multiple
> > domains, global counter for once rmrr is not enough.
> > Maybe we need to per-domain counter there ?
> 
> And even if it was, I wouldn't think so, for security reasons: Sharing an RMRR
> across domains is insecure afaict, so if anything we ought to suppress 
> assigning
> devices sharing an RMRR to different guests (e.g. via intel_iommu_group_id() 
> or
> a second, similar mechanism), at least in "iommu=force" mode.
> 
> Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel