Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping
>>> On 23.08.17 at 17:56, <dgdegra@xxxxxxxxxxxxx> wrote:
> On 08/22/2017 04:18 AM, Jan Beulich wrote:
>>>>> On 18.08.17 at 23:55, <dgdegra@xxxxxxxxxxxxx> wrote:
>>> On 08/18/2017 05:02 PM, christopher.w.clark@xxxxxxxxx wrote:
>>>> From: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>
>>>>
>>>> Isolation of devices passed through to domains usually requires an
>>>> active IOMMU. The existing method of requiring an IOMMU is via a Xen
>>>> boot parameter ("iommu=force") which will abort boot if an IOMMU is not
>>>> available.
>>>>
>>>> More graceful degradation of behaviour when an IOMMU is absent can be
>>>> achieved by enabling XSM to perform enforcement of IOMMU requirement.
>>>>
>>>> This patch enables an enforceable XSM policy to specify that an IOMMU is
>>>> required for particular domains to access devices and how capable that
>>>> IOMMU must be. This allows a Xen system to boot whilst still
>>>> ensuring that an IOMMU is active before permitting device use.
>>>>
>>>> Using an XSM policy ensures that the isolation properties remain enforced
>>>> even when the large, complex toolstack software changes.
>>>>
>>>> For some hardware platforms interrupt remapping is a strict requirement
>>>> for secure isolation. Not all IOMMUs provide interrupt remapping.
>>>> The XSM policy can now optionally require interrupt remapping.
>>>>
>>>> The device use hooks now check whether an IOMMU is:
>>>> * Active and securely isolating:
>>>> -- current criteria for this is that interrupt remapping is ok
>>>> * Active but interrupt remapping is not available
>>>> * Not active
>>>>
>>>> This patch also updates the reference XSM policy to use the new
>>>> primitives, with policy entries that do not require an active IOMMU.
>>>>
>>>> Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>
>>>
>>> Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>>
>> To be honest, for this kind of a change I would have hoped for
>> a Reviewed-by (by you or someone else), not just an Acked-by.
>> Hence I'm hesitant to put the patch in right away.
>
> I'll keep that in mind for the future. I have looked at this patch
> in depth, so you can change that to
>
> Reviewed-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Thanks, a few minutes too late though - I've just committed it the way it
was (with Ross' R-b).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
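The three-way IOMMU classification and the per-domain policy check that the commit message describes, written out as an added stand-alone model. This is editor-supplied example code, not the Xen patch or the FLASK hook it adds; the type and function names, the bit-flag encoding of the permission levels, and the three sample policies are assumptions chosen for illustration, and the platform states are constructed inputs.

```c
/*
 * Added example (not Xen's own code): a stand-alone model of the
 * device-use check described in the commit message. Names, the
 * permission encoding and the sample policies are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>

/* What the hypervisor knows about the platform after IOMMU setup. */
struct iommu_state {
    bool enabled;   /* an IOMMU is active and isolating device DMA  */
    bool intremap;  /* that IOMMU also provides interrupt remapping */
};

/*
 * Permission a device-use request needs, one per case in the message:
 *   USE_IOMMU            - active and securely isolating (remapping ok)
 *   USE_IOMMU_NOINTREMAP - active, but no interrupt remapping
 *   USE_NOIOMMU          - no active IOMMU at all
 * Bit flags, so a policy entry can grant more than one level.
 */
enum use_perm {
    USE_NOIOMMU          = 1u << 0,
    USE_IOMMU_NOINTREMAP = 1u << 1,
    USE_IOMMU            = 1u << 2,
};

/* Classify the platform into the single permission required right now. */
enum use_perm required_use_perm(const struct iommu_state *s)
{
    if (!s->enabled)
        return USE_NOIOMMU;
    return s->intremap ? USE_IOMMU : USE_IOMMU_NOINTREMAP;
}

/* Per-domain policy entry: the set of use_perm levels it is granted. */
struct domain_policy {
    const char *name;
    unsigned int granted;   /* OR of use_perm flags */
};

/*
 * The device-use hook: permit only if the policy grants the level the
 * platform currently provides. A domain granted only USE_IOMMU is
 * refused on hardware without interrupt remapping, while the hypervisor
 * itself still boots (contrast the all-or-nothing iommu=force).
 */
bool device_use_allowed(const struct domain_policy *p,
                        const struct iommu_state *s)
{
    return (p->granted & required_use_perm(s)) != 0;
}

/* Constructed policies, from strict down to the reference policy's
 * stance of not requiring an active IOMMU at all. */
static const struct domain_policy strict  = { "strict",  USE_IOMMU };
static const struct domain_policy relaxed = { "relaxed",
    USE_IOMMU | USE_IOMMU_NOINTREMAP };
static const struct domain_policy legacy  = { "legacy",
    USE_IOMMU | USE_IOMMU_NOINTREMAP | USE_NOIOMMU };

int main(void)
{
    /* Constructed platform states covering the three classifications. */
    const struct iommu_state platforms[] = {
        { true,  true  },   /* IOMMU with interrupt remapping    */
        { true,  false },   /* IOMMU without interrupt remapping */
        { false, false },   /* no IOMMU                          */
    };
    const struct domain_policy *policies[] = { &strict, &relaxed, &legacy };

    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            printf("iommu=%d intremap=%d policy=%-7s -> %s\n",
                   platforms[i].enabled, platforms[i].intremap,
                   policies[j]->name,
                   device_use_allowed(policies[j], &platforms[i])
                       ? "allow" : "deny");
    return 0;
}
```

The point of encoding the levels as separate grantable flags is the graceful degradation the message asks for: a policy author chooses per domain whether device use may proceed on a platform that turns out to lack interrupt remapping, or an IOMMU entirely, and that decision is enforced by the hypervisor regardless of what the toolstack does.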