Re: [Xen-devel] [PATCH v3 5/5] x86/MSI: drop workaround for insecure Dom0 kernels
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Thursday, April 10, 2014 6:26 PM
>
> >>> On 10.04.14 at 11:02, <kevin.tian@xxxxxxxxx> wrote:
> >> From: Jan Beulich
> >> Sent: Monday, April 07, 2014 6:12 PM
> >>
> >> Considering that
> >> - the workaround is expensive (iterating through the entire P2M space
> >>   of a domain),
> >> - the planned elimination of the expensiveness (by propagating the type
> >>   change step by step to the individual P2M leaves) wouldn't address
> >>   the IOMMU side of things (as for it to obey to the changed
> >>   permissions the adjustments must be pushed down immediately through
> >>   the entire tree)
> >> - the proper solution (PHYSDEVOP_msix_prepare) should by now be
> >>   implemented by all security conscious Dom0 kernels
> >> remove the workaround, killing eventual guests that would be known to
> >> become a security risk instead.
> >>
> >
> > above looks reasonable to me... but I'm not familiar with original security
> > issue on MSI. Could you give me a link to previous conversation?
>
> That'll be hard to locate, because it had been taking ages until we
> settled on a reasonable strategy and implemented all the pieces
> here and there. Hence perhaps it's best if you just looked at the
> respective commits:
>
> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=b5aadd4248d64249ed6d1f98659a3b35ca9e91bd
> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=4245d331e0e75de8d1bddbbb518f3a8ce6d0bb7e
>
> Jan

Acked-by: Kevin Tian <kevin.tian@xxxxxxxxx>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel