[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI

> <sigh> take your pick really. Majority opinion is on the side of this
> revised patch, however Intel are the primary maintainers of this code and
> they clearly do not like it. If I have a casting vote here, I would be
> inclined to plump in favour of the revised patch -- we already have
> iommu=on
> as a best-effort option, and I believe iommu=force could be stronger than it
> is. However Joseph's claim that the non-DoS vulns may all now be handled is
> not as unconvincing as some seem to believe (and I was in that camp for a
> while) -- I can't really see how the attack vector can be successfully
> exploited now my mitigation patch is in the tree. So I'm not strongly
> inclined one way or the other really.

My inclination would be such that iommu=force is allowed on non IR systems, but 
where IR is expected to be present e.g. sandybridge generation we insist that 
it is enabled (i.e. that the BIOS supports it).


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.