[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v3 10/10] x86/MSI-X: provide hypercall interface for mask-all control
>>> On 12.06.15 at 15:21, <konrad.wilk@xxxxxxxxxx> wrote: > On Thu, Jun 11, 2015 at 09:35:51AM +0100, Jan Beulich wrote: >> >>> On 05.06.15 at 13:28, <JBeulich@xxxxxxxx> wrote: >> > Qemu shouldn't be fiddling with this bit directly, as the hypervisor >> > may (and now does) use it for its own purposes. Provide it with a >> > replacement interface, allowing the hypervisor to track host and guest >> > masking intentions independently (clearing the bit only when both want >> > it clear). >> >> Originally I merely meant to ping the tools side changes here >> (considering that the original issue has been pending for months, >> delayed by various security issues as well as slow turnaround on >> understanding the nature and validity of that original issue, I'd >> _really_ like to see this go in now), but thinking about it once >> again over night I realized that what we do here to allow qemu >> to be fixed would then also be made use of by the kernels >> running pciback: While Dom0 fiddling with the MSI-X mask-all bit >> for its own purposes is at least not a security problem, it doing >> so on behalf of (and directed by) a guest would be as soon as >> the hypervisor side patches making use of that bit went in. > > It is hard to comment on this since I don't know exactly what > those patches would do. Did you take a look? > But the 'pci_msi_ignore_mask' > from 38737d82f9f0168955f9944c3f8bd3bb262c7e88, "PCI/MSI: Add > pci_msi_ignore_mask to prevent writes to MSI/MSI-X Mask Bits"" > should have prevented that. That said said patches could change > the pci_msi_ignore_mask of course. For one, this doesn't deal with the MSI-X mask-all bit. And then it only suppresses functionality that the guest really ought to be allowed to use, just not by directly manipulating hardware. Plus of course any older Linux as well as other OSes would still be a problem. Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |