
Re: [Xen-devel] [PATCH v3 10/10] x86/MSI-X: provide hypercall interface for mask-all control



>>> On 12.06.15 at 15:21, <konrad.wilk@xxxxxxxxxx> wrote:
> On Thu, Jun 11, 2015 at 09:35:51AM +0100, Jan Beulich wrote:
>> >>> On 05.06.15 at 13:28, <JBeulich@xxxxxxxx> wrote:
>> > Qemu shouldn't be fiddling with this bit directly, as the hypervisor
>> > may (and now does) use it for its own purposes. Provide it with a
>> > replacement interface, allowing the hypervisor to track host and guest
>> > masking intentions independently (clearing the bit only when both want
>> > it clear).
>> 
>> Originally I merely meant to ping the tools side changes here
>> (considering that the original issue has been pending for months,
>> delayed by various security issues as well as slow turnaround on
>> understanding the nature and validity of that original issue, I'd
>> _really_ like to see this go in now), but thinking about it once
>> again over night I realized that what we do here to allow qemu
>> to be fixed would then also be made use of by the kernels
>> running pciback: While Dom0 fiddling with the MSI-X mask-all bit
>> for its own purposes is at least not a security problem, it doing
>> so on behalf of (and directed by) a guest would be as soon as
>> the hypervisor side patches making use of that bit went in.
> 
> It is hard to comment on this since I don't know exactly what
> those patches would do.

Did you take a look?

>  But the 'pci_msi_ignore_mask'
> from 38737d82f9f0168955f9944c3f8bd3bb262c7e88, "PCI/MSI: Add
> pci_msi_ignore_mask to prevent writes to MSI/MSI-X Mask Bits"
> should have prevented that. That said, said patches could change
> the pci_msi_ignore_mask of course.

For one, this doesn't deal with the MSI-X mask-all bit. And then it
only suppresses functionality that the guest really ought to be
allowed to use, just not by directly manipulating hardware. Plus
of course any older Linux as well as other OSes would still be a
problem.

Jan
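As an added illustration of the masking model described in the quoted patch description (this is not code from the patch or from Xen), the following C model tracks host and guest mask-all intents separately and derives the hardware bit from both, clearing it only when neither side wants it set. The bit positions come from the PCI MSI-X Message Control register layout; the macro names, the struct and the direct-write function are assumptions made for this demonstration.

```c
#include <stdbool.h>
#include <stdint.h>

/* MSI-X Message Control register bits (PCI spec); the names are assumed, not Xen's. */
#define MSIX_CTRL_ENABLE   0x8000u  /* bit 15: MSI-X Enable */
#define MSIX_CTRL_MASKALL  0x4000u  /* bit 14: Function Mask ("mask-all") */

/* Constructed device model: the config-space control word the hardware
 * holds, plus the intents the hypervisor tracks for itself and the guest. */
struct msix_dev {
    uint16_t ctrl;       /* current hardware value of Message Control */
    bool host_maskall;   /* hypervisor wants mask-all set for its own purposes */
    bool guest_maskall;  /* guest (via the hypercall interface) wants it set */
};

/* Derive the hardware bit: cleared only when host AND guest want it clear. */
static void msix_sync_maskall(struct msix_dev *d)
{
    if (d->host_maskall || d->guest_maskall)
        d->ctrl |= MSIX_CTRL_MASKALL;
    else
        d->ctrl &= (uint16_t)~MSIX_CTRL_MASKALL;
}

/* Hypervisor-side intent (e.g. masking while it reconfigures the device). */
void msix_host_maskall(struct msix_dev *d, bool mask)
{
    d->host_maskall = mask;
    msix_sync_maskall(d);
}

/* The replacement interface: guest intent is recorded, never applied raw. */
void msix_guest_maskall(struct msix_dev *d, bool mask)
{
    d->guest_maskall = mask;
    msix_sync_maskall(d);
}

/* What the patch rules out: qemu or pciback writing the control word directly
 * on the guest's behalf, which silently discards the hypervisor's intent. */
void msix_guest_direct_write(struct msix_dev *d, uint16_t value)
{
    d->ctrl = value;
}

bool msix_maskall_set(const struct msix_dev *d)
{
    return (d->ctrl & MSIX_CTRL_MASKALL) != 0;
}
```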


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
