
Re: [Xen-devel] [PATCH] vpci: don't allow access to devices not assigned to the domain



On Mon, Sep 02, 2019 at 01:58:07PM +0200, Jan Beulich wrote:
> On 02.09.2019 13:30, Roger Pau Monne wrote:
> > Don't allow the hardware domain to access the PCI config space of
> > devices not assigned to it. I.e.: the config space of iommu devices
> > in use by Xen should not be accessible to the hardware domain.
> 
> Well, I agree with what you say above, but the code change disallows
> much more than this. In particular Dom0 (and maybe stub domains too)
> need to be able to access the config space of devices assigned to
> guests, e.g. for qemu to control MSI and/or MSI-X.

Right, I was overlooking the fact that a domain using vPCI itself
should be able to handle passthrough backends for other domains.

I think the condition should instead check if the device is assigned
to dom_xen, and not allow domains access to devices assigned to
dom_xen.

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
