[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] VT-d: apply quirks at device setup time rather than only at boot



On 28/04/14 10:55, Jan Beulich wrote:
>>>> On 28.04.14 at 11:30, <andrew.cooper3@xxxxxxxxxx> wrote:
>> On 28/04/14 09:01, Jan Beulich wrote:
>>> Accessing extended config space may not be possible at boot time, e.g.
>>> when the memory space used by MMCFG is reserved only via ACPI tables,
>>> but not in the E820/UEFI memory maps (which we need Dom0 to tell us
>>> about). Consequently the change here still leaves the issue unaddressed
>>> for systems where the extended config space remains inaccessible (due
>>> to firmware bugs, i.e. not properly reserving the address space of
>>> those regions).
>>>
>>> With the respective messages now potentially getting logged more than
>>> once, we ought to consider whether we should issue them only if we in
>>> fact were required to do any masking (i.e. if the relevant mask bits
>>> weren't already set).
>>>
>>> This is CVE-2013-3495 / XSA-59.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> I would agree that log messages should only be presented if Xen had to
>> change system state.
> I'll wait for eventual other opinions, but might create a 3rd patch on
> top of these then. Just for the record, the downside I see to this is
> that then there's no trace left that a system is secure. An intermediate
> option might be to downgrade the messages to XENLOG_DEBUG when
> we didn't really need to do anything.
>
> Jan
>

Hmm yes - that is a point.  It probably is best to leave some hint for
people really trying to find it.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.