Alan Cox wrote:
>> I think it is fine to have a passthrough option which
>> doesn't properly protect the host from the guest - this
>> is a useful setup in many situations. But it should not
>> be enabled by default, surely ?
>
> Agreed entirely. Note also that some implementations of
> an IOMMU will not save you as they don't fence between
> individual PCI devices (PCIE is obviously a bit easier).
IOMMU, at least Intel's IOMMU, doesn't support pure PCI devices; only
PCIe devices can be DMA protected.
> Not fencing between devices allows you for example to use
> a fairly flexible SCSI controller to reprogram another
> device.
Again, at least for Intel IOMMU, devices under root endpoint can never
escape from IOMMU DMA protection. Right now we don't support assigning
PCIe devices under a switch, but once future ATS or ACS is
implemented, we can assign devices under a switch, where either the
switch disables peer to peer transactions or always passes "untranslated"
traffic upstream.
So your concern is not a real one IMO, no? Or do you mean the AMD IOMMU
may have a different implementation?
>
> In the general case there are also some really nasty
> dirty attacks you can't stop with an IOMMU one of which
> is to reflash the BIOS of the graphics card to which you
> were given unrestricted access so that you compromise the
> entire system next boot. These attacks appear well
> understood except by IOMMU marketing people ;)
Same as above: this is already protected by the IOMMU; peer to peer DMA is
not supported right now.
>
> IOMMU is great for system correctness and flexibility,
> using it for safely providing hardware direct access is a
> very very hairy business with a complex device.
>
Agree, that is why we are here :)
Thx, eddie
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
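
An added example, not part of the original message or of Xen's code: the reply above makes assignment of devices under a switch depend on ACS, and this Python code reads a port's PCIe configuration space to report whether the ACS bits that force peer-to-peer traffic upstream are both supported and enabled. Register offsets and bit values follow the PCIe ACS extended capability layout; the function names and the sample configuration spaces are constructed for the example.

```python
import struct

ACS_CAP_ID = 0x000D  # PCIe extended capability ID for Access Control Services
# ACS Capability (cap+4) and ACS Control (cap+6) share these bit positions.
ACS_BITS = {"SV": 0x01, "TB": 0x02, "RR": 0x04, "CR": 0x08, "UF": 0x10}
# P2P Request Redirect + Completion Redirect + Upstream Forwarding together
# keep peer-to-peer traffic from bypassing the upstream IOMMU.
ISOLATION_MASK = ACS_BITS["RR"] | ACS_BITS["CR"] | ACS_BITS["UF"]

def find_ext_cap(cfg, cap_id):
    """Walk the extended capability list (starts at 0x100); offset or None."""
    off, seen = 0x100, set()
    while off >= 0x100 and off + 4 <= len(cfg) and off not in seen:
        seen.add(off)  # guard against a looping next pointer
        (hdr,) = struct.unpack_from("<I", cfg, off)
        if hdr in (0, 0xFFFFFFFF):  # empty list or unreadable config space
            return None
        if hdr & 0xFFFF == cap_id:
            return off
        off = (hdr >> 20) & 0xFFC  # bits 31:20 hold the next offset
    return None

def acs_status(cfg):
    """Report the ACS state of one port from its raw config space bytes."""
    off = find_ext_cap(cfg, ACS_CAP_ID)
    if off is None or off + 8 > len(cfg):
        return {"present": False, "enabled": [], "isolates": False}
    cap, ctrl = struct.unpack_from("<HH", cfg, off + 4)
    eff = cap & ctrl  # a bit counts only if supported and enabled
    enabled = sorted(n for n, b in ACS_BITS.items() if eff & b)
    return {"present": True, "enabled": enabled,
            "isolates": (eff & ISOLATION_MASK) == ISOLATION_MASK}

def make_cfg(caps):
    """Constructed sample: 4 KiB config space with chained extended caps."""
    cfg = bytearray(4096)
    for i, (cap_id, body) in enumerate(caps):
        off = 0x100 + 0x10 * i
        nxt = off + 0x10 if i + 1 < len(caps) else 0
        struct.pack_into("<I", cfg, off, cap_id | (1 << 16) | (nxt << 20))
        cfg[off + 4:off + 4 + len(body)] = body
    return bytes(cfg)

# Constructed inputs: 0x0001 (AER) is there only to exercise the list walk.
SWITCH_OK = make_cfg([(0x0001, b""), (ACS_CAP_ID, struct.pack("<HH", 0x1F, 0x1C))])
SWITCH_OFF = make_cfg([(0x0001, b""), (ACS_CAP_ID, struct.pack("<HH", 0x1F, 0x00))])
NO_ACS = make_cfg([(0x0001, b"")])
```

A port that reports `isolates: False`, or has no ACS capability at all, leaves peer-to-peer transactions between devices below it outside the IOMMU's view.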