
Re: [Xen-devel] [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode



> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Wednesday, September 09, 2015 2:55 PM
> 
> >>> On 09.09.15 at 03:59, <tiejun.chen@xxxxxxxxx> wrote:
> > @@ -2310,12 +2312,16 @@ static int intel_iommu_assign_device(
> >               PCI_DEVFN2(bdf) == devfn &&
> >               rmrr->scope.devices_cnt > 1 )
> >          {
> > -            printk(XENLOG_G_ERR VTDPREFIX
> > -                   " cannot assign %04x:%02x:%02x.%u"
> > +            bool_t relaxed = !!(flag & XEN_DOMCTL_DEV_RDM_RELAXED);
> > +
> > +            printk(XENLOG_G_WARNING VTDPREFIX
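
Review bot: The replacement `printk` uses `XENLOG_G_WARNING` unconditionally even though `relaxed` is computed just above it, so as far as the quoted lines show, a strict-mode refusal for a device in a shared RMRR (`rmrr->scope.devices_cnt > 1`) is no longer logged at `XENLOG_G_ERR`. Select the log level from `relaxed` (warning when set, error otherwise). Also, `relaxed` is derived only from this call's `flag`; nothing in the visible lines accounts for the policy of a domain that holds another device in the same RMRR scope.
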
> 
> Well, I can live with this always being a warning, but it's not what I
> had asked for. The VT-d maintainers will have to judge.
> 

Need to have separate warning/error levels for relax/strict.

However, I don't think this patch is the right fix. So far the relax/strict policy
is per-domain. What about one VM specifying relax while another VM
specifies strict, when each is assigned a device sharing an rmrr
with the other? In that case it becomes a system-wide security hole.

Once we add code to track group relationships across domains, it'd be
close to the final fix to support group assignment, which was originally targeted
for 4.7. It might be risky to add that in 4.6.

So my suggestion is to live with the current limitation.

Thanks
Kevin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

