WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthro

from [Ian Jackson] [Permanent Link][Original]
To: Ian Pratt <Ian.Pratt@xxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Tue, 24 May 2011 18:14:13 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Deegan <Tim.Deegan@xxxxxxxxxxxxx>, "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>, Tim
Delivery-date: Tue, 24 May 2011 10:14:49 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4FA716B1526C7C4DB0375C6DADBC4EA3B2C2ABD055@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Newsgroups: chiark.mail.xen.devel
References: <19931.52091.713851.292632@xxxxxxxxxxxxxxxxxxxxxxxx> <CA0193F7.2DA3B%keir@xxxxxxx> <4FA716B1526C7C4DB0375C6DADBC4EA3B2C2ABD055@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
Ian Pratt writes ("RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d 
(PCI passthrough) MSI"):
> My inclination would be such that iommu=force is allowed on non IR
> systems, but where IR is expected to be present e.g. sandybridge
> generation we insist that it is enabled (i.e. that the BIOS supports
> it).

I don't think that's a conceptually coherent point of view, unless the
purpose is to avoid marketing embarrassment.

Either IR is required for a secure system with passthrough, in which
case iommu=force should require IR, or it is not required for a secure
system with passthrough, in which case iommu=force should not insist
on it.

Whether it is required for security doesn't depend on whether it is
actually available.  That there are some motherboards which cannot do
passthrough securely does not mean that we should allow users of those
boards to be led up the garden path.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [RESEND] [PATCH] XFS support for pygrub patch, Ian Jackson
Next by Date:  Re: [Xen-devel] Re: VGA passthrough on unstable, Gennady Marchenko
Previous by Thread:  RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI, Ian Pratt
Next by Thread:  RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI, Cihula, Joseph
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy