[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] VT-d: apply quirks at device setup time rather than only at boot



>>> On 28.04.14 at 11:30, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 28/04/14 09:01, Jan Beulich wrote:
>> Accessing extended config space may not be possible at boot time, e.g.
>> when the memory space used by MMCFG is reserved only via ACPI tables,
>> but not in the E820/UEFI memory maps (which we need Dom0 to tell us
>> about). Consequently the change here still leaves the issue unaddressed
>> for systems where the extended config space remains inaccessible (due
>> to firmware bugs, i.e. not properly reserving the address space of
>> those regions).
>>
>> With the respective messages now potentially getting logged more than
>> once, we ought to consider whether we should issue them only if we in
>> fact were required to do any masking (i.e. if the relevant mask bits
>> weren't already set).
>>
>> This is CVE-2013-3495 / XSA-59.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> I would agree that log messages should only be presented if Xen had to
> change system state.

I'll wait for eventual other opinions, but might create a 3rd patch on
top of these then. Just for the record, the downside I see to this is
that then there's no trace left that a system is secure. An intermediate
option might be to downgrade the messages to XENLOG_DEBUG when
we didn't really need to do anything.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.