Xen project Mailing List

Re: [Xen-devel] [PATCH for-4.13] docs/xl: Document pci-assignable state

To: Jan Beulich <jbeulich@xxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>

From: "Durrant, Paul" <pdurrant@xxxxxxxxxx>

Date: Tue, 26 Nov 2019 15:26:43 +0000

Accept-language: en-GB, en-US

Cc: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Paul Durrant <paul.durrant@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Tue, 26 Nov 2019 15:26:54 +0000

Ironport-sdr: 4EYUUC7VAKA+a01GKrDFXTlzw1oyAEhK3UoLjcdMw+fJ3CE6okoSGaST+WtXEJuuKJC+rphCoP 3qyIO20CtFgw==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHVpGO9i8ZtI5j/j0uhqwrBCqQB3KedftkAgAADmACAABBgQA==

Thread-topic: [Xen-devel] [PATCH for-4.13] docs/xl: Document pci-assignable state

> -----Original Message----- > From: Xen-devel <xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx> On Behalf Of Jan > Beulich > Sent: 26 November 2019 14:27 > To: Ian Jackson <ian.jackson@xxxxxxxxxx> > Cc: Juergen Gross <jgross@xxxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx; Paul > Durrant <paul.durrant@xxxxxxxxxx>; George Dunlap > <george.dunlap@xxxxxxxxxx>; Wei Liu <wl@xxxxxxx> > Subject: Re: [Xen-devel] [PATCH for-4.13] docs/xl: Document pci-assignable > state > > On 26.11.2019 15:14, Ian Jackson wrote: > > George Dunlap writes ("[PATCH for-4.13] docs/xl: Document pci-assignable > state"): > >> =item B<pci-assignable-remove> [I<-r>] I<BDF> > > ... > >> +Make the device at PCI Bus/Device/Function BDF not assignable to > >> +guests. This will at least unbind the device from pciback, and > >> +re-assign it from the "quarantine domain" back to domain 0. If the -r > >> +option is specified, it will also attempt to re-bind the device to its > >> +original driver, making it usable by Domain 0 again. If the device is > >> +not bound to pciback, it will return success. > >> + > >> +Note that this functionality will work even for devices which were not > >> +made assignable by B<pci-assignable-add>. This can be used to allow > >> +dom0 to access devices which were automatically quarantined by Xen > >> +after domain destruction as a result of Xen's B<iommu=quarantine> > >> +command-line default. > > > > What are the security implications of doing this if the device might > > still be doing DMA or something ? > > Devices get reset in between, so well behaving ones should not > still be doing DMA at that point. Misbehaving ones would better > not be assigned (back and forth) anyway. But a recent patch of > Paul's suggests that people still wish to do so, on the > assumption that such DMA will drain sufficiently quickly. Yes. I will hopefully find time to post the next version of that patch this week. Paul > > > (For that matter, presumably there are security implications of > > assigning the same device in sequence to different guests?) > > Right. > > Jan > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxxxxxxxxx > https://lists.xenproject.org/mailman/listinfo/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.