WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

[Xen-users] Hardware passthrough without MSI-X

To: <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Hardware passthrough without MSI-X
From: "Robert Dunkley" <Robert@xxxxxxxxx>
Date: Fri, 29 Oct 2010 09:23:03 +0100
Cc:
Delivery-date: Wed, 10 Nov 2010 10:25:36 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Act3QoG7NavsvkxARwuRmG8NuX/N3Q==
Thread-topic: Hardware passthrough without MSI-X
Hi Everyone,


A recent email to the kernel mailing list by Konrad Wilk caught my
interest; here's the relevant extract:
"First of Xen PCI frontend driver can be used by PV guests on hardware
that with or without hardware IOMMU. Without an hardware IOMMU you have a
potential security hole wherein a guest domain can use the hardware to map
pages outside its memory range and slurp pages up. As such, this is more
restricted to a Privileged PV domain, aka - device driver domain
(similar to Qubes but a poor-man mechanism [1])."

Am I right in thinking that this means hardware passthrough to a PV
guest is possible on a system without IOMMU? (E.g. Nvidia chipset
Opteron). How dangerous is the "Potential Security Hole" for VMs
controlled by the system admin?


Thanks,

Rob

The SAQ Group

Registered Office: 18 Chapel Street, Petersfield, Hampshire GU32 3DZ
SAQ is the trading name of SEMTEC Limited. Registered in England & Wales
Company Number: 06481952

http://www.saqnet.co.uk AS29219



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
