Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On Nov 22, 2017, at 13:58, George Dunlapwrote: > >> On 11/16/2017 03:43 PM, Julien Grall wrote: >> Hi George, >> >>> On 13/11/17 15:41, George Dunlap wrote: >>> Signed-off-by: George Dunlap >>> --- >>> CC: Ian Jackson >>> CC: Wei Liu >>> CC: Andrew Cooper >>> CC: Jan Beulich >>> CC: Stefano Stabellini >>> CC: Konrad Wilk >>> CC: Tim Deegan >>> CC: Rich Persaud >>> CC: Marek Marczykowski-Górecki >>> CC: Christopher Clark >>> CC: James McKenzie >>> --- >>> SUPPORT.md | 33 - >>> 1 file changed, 32 insertions(+), 1 deletion(-) >>> >>> diff --git a/SUPPORT.md b/SUPPORT.md >>> index 3e352198ce..a8388f3dc5 100644 >>> --- a/SUPPORT.md >>> +++ b/SUPPORT.md >>> @@ -454,9 +454,23 @@ there is currently no xl support. >>> ## Security >>> +### Driver Domains >>> + >>> +Status: Supported, with caveats >>> + >>> +"Driver domains" means allowing non-Domain 0 domains >>> +with access to physical devices to act as back-ends. >>> + >>> +See the appropriate "Device Passthrough" section >>> +for more information about security support. >>> + >>> ### Device Model Stub Domains >>> -Status: Supported >>> +Status: Supported, with caveats >>> + >>> +Vulnerabilities of a device model stub domain >>> +to a hostile driver domain (either compromised or untrusted) >>> +are excluded from security support. >>> ### KCONFIG Expert >>> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >>> Disabled by default (enable with hypervisor command line option). >>> This feature is not security supported: see >>> http://xenbits.xen.org/xsa/advisory-163.html >>> +### x86/PCI Device Passthrough >>> + >>> +Status: Supported, with caveats >>> + >>> +Only systems using IOMMUs will be supported. >>> + >>> +Not compatible with migration, altp2m, introspection, memory sharing, >>> or memory paging. >>> + >>> +Because of hardware limitations >>> +(affecting any operating system or hypervisor), >>> +it is generally not safe to use this feature >>> +to expose a physical device to completely untrusted guests. >>> +However, this feature can still confer significant security benefit >>> +when used to remove drivers and backends from domain 0 >>> +(i.e., Driver Domains). >>> +See docs/PCI-IOMMU-bugs.txt for more information. >> >> Where can I find this file? Is it in staging? > > No, I took this from a recommendation made to me, without checking. > > Rich, are you going to send a patch adding this file, or did you mean to > point to a different file? Yes, I’ll send a patch to add this file. Rich ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On 11/16/2017 03:43 PM, Julien Grall wrote: > Hi George, > > On 13/11/17 15:41, George Dunlap wrote: >> Signed-off-by: George Dunlap>> --- >> CC: Ian Jackson >> CC: Wei Liu >> CC: Andrew Cooper >> CC: Jan Beulich >> CC: Stefano Stabellini >> CC: Konrad Wilk >> CC: Tim Deegan >> CC: Rich Persaud >> CC: Marek Marczykowski-Górecki >> CC: Christopher Clark >> CC: James McKenzie >> --- >> SUPPORT.md | 33 - >> 1 file changed, 32 insertions(+), 1 deletion(-) >> >> diff --git a/SUPPORT.md b/SUPPORT.md >> index 3e352198ce..a8388f3dc5 100644 >> --- a/SUPPORT.md >> +++ b/SUPPORT.md >> @@ -454,9 +454,23 @@ there is currently no xl support. >> ## Security >> +### Driver Domains >> + >> + Status: Supported, with caveats >> + >> +"Driver domains" means allowing non-Domain 0 domains >> +with access to physical devices to act as back-ends. >> + >> +See the appropriate "Device Passthrough" section >> +for more information about security support. >> + >> ### Device Model Stub Domains >> - Status: Supported >> + Status: Supported, with caveats >> + >> +Vulnerabilities of a device model stub domain >> +to a hostile driver domain (either compromised or untrusted) >> +are excluded from security support. >> ### KCONFIG Expert >> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >> Disabled by default (enable with hypervisor command line option). >> This feature is not security supported: see >> http://xenbits.xen.org/xsa/advisory-163.html >> +### x86/PCI Device Passthrough >> + >> + Status: Supported, with caveats >> + >> +Only systems using IOMMUs will be supported. >> + >> +Not compatible with migration, altp2m, introspection, memory sharing, >> or memory paging. >> + >> +Because of hardware limitations >> +(affecting any operating system or hypervisor), >> +it is generally not safe to use this feature >> +to expose a physical device to completely untrusted guests. >> +However, this feature can still confer significant security benefit >> +when used to remove drivers and backends from domain 0 >> +(i.e., Driver Domains). >> +See docs/PCI-IOMMU-bugs.txt for more information. > > Where can I find this file? Is it in staging? No, I took this from a recommendation made to me, without checking. Rich, are you going to send a patch adding this file, or did you mean to point to a different file? -George ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On 11/21/2017 08:59 AM, Jan Beulich wrote: On 13.11.17 at 16:41,wrote: >> +### x86/PCI Device Passthrough >> + >> +Status: Supported, with caveats > > I think this wants to be > > ### PCI Device Passthrough > > Status, x86 HVM: Supported, with caveats > Status, x86 PV: Supported, with caveats > > to (a) allow later extending for ARM and (b) exclude PVH (assuming > that its absence means non-existing code). Good call. > >> +Only systems using IOMMUs will be supported. >> + >> +Not compatible with migration, altp2m, introspection, memory sharing, or >> memory paging. > > And PoD, iirc. Ack > > With these adjustments (or substantially similar ones) > Acked-by: Jan Beulich Great, thanks. ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On 11/14/2017 01:25 PM, Marek Marczykowski-Górecki wrote: > On Mon, Nov 13, 2017 at 03:41:24PM +, George Dunlap wrote: >> Signed-off-by: George Dunlap>> --- >> CC: Ian Jackson >> CC: Wei Liu >> CC: Andrew Cooper >> CC: Jan Beulich >> CC: Stefano Stabellini >> CC: Konrad Wilk >> CC: Tim Deegan >> CC: Rich Persaud >> CC: Marek Marczykowski-Górecki >> CC: Christopher Clark >> CC: James McKenzie >> --- >> SUPPORT.md | 33 - >> 1 file changed, 32 insertions(+), 1 deletion(-) >> >> diff --git a/SUPPORT.md b/SUPPORT.md >> index 3e352198ce..a8388f3dc5 100644 >> --- a/SUPPORT.md >> +++ b/SUPPORT.md > > (...) > >> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >> Disabled by default (enable with hypervisor command line option). >> This feature is not security supported: see >> http://xenbits.xen.org/xsa/advisory-163.html >> >> +### x86/PCI Device Passthrough >> + >> +Status: Supported, with caveats >> + >> +Only systems using IOMMUs will be supported. > > s/will be/are/ ? Ack -George ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
>>> On 13.11.17 at 16:41,wrote: > +### x86/PCI Device Passthrough > + > +Status: Supported, with caveats I think this wants to be ### PCI Device Passthrough Status, x86 HVM: Supported, with caveats Status, x86 PV: Supported, with caveats to (a) allow later extending for ARM and (b) exclude PVH (assuming that its absence means non-existing code). > +Only systems using IOMMUs will be supported. > + > +Not compatible with migration, altp2m, introspection, memory sharing, or > memory paging. And PoD, iirc. With these adjustments (or substantially similar ones) Acked-by: Jan Beulich Jan ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
Hi George, On 13/11/17 15:41, George Dunlap wrote: Signed-off-by: George Dunlap--- CC: Ian Jackson CC: Wei Liu CC: Andrew Cooper CC: Jan Beulich CC: Stefano Stabellini CC: Konrad Wilk CC: Tim Deegan CC: Rich Persaud CC: Marek Marczykowski-Górecki CC: Christopher Clark CC: James McKenzie --- SUPPORT.md | 33 - 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/SUPPORT.md b/SUPPORT.md index 3e352198ce..a8388f3dc5 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -454,9 +454,23 @@ there is currently no xl support. ## Security +### Driver Domains + +Status: Supported, with caveats + +"Driver domains" means allowing non-Domain 0 domains +with access to physical devices to act as back-ends. + +See the appropriate "Device Passthrough" section +for more information about security support. + ### Device Model Stub Domains -Status: Supported +Status: Supported, with caveats + +Vulnerabilities of a device model stub domain +to a hostile driver domain (either compromised or untrusted) +are excluded from security support. ### KCONFIG Expert @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests Disabled by default (enable with hypervisor command line option). This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html +### x86/PCI Device Passthrough + +Status: Supported, with caveats + +Only systems using IOMMUs will be supported. + +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. + +Because of hardware limitations +(affecting any operating system or hypervisor), +it is generally not safe to use this feature +to expose a physical device to completely untrusted guests. +However, this feature can still confer significant security benefit +when used to remove drivers and backends from domain 0 +(i.e., Driver Domains). +See docs/PCI-IOMMU-bugs.txt for more information. Where can I find this file? Is it in staging? Cheers, -- Julien Grall ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough
On Mon, Nov 13, 2017 at 03:41:24PM +, George Dunlap wrote: > Signed-off-by: George Dunlap> --- > CC: Ian Jackson > CC: Wei Liu > CC: Andrew Cooper > CC: Jan Beulich > CC: Stefano Stabellini > CC: Konrad Wilk > CC: Tim Deegan > CC: Rich Persaud > CC: Marek Marczykowski-Górecki > CC: Christopher Clark > CC: James McKenzie > --- > SUPPORT.md | 33 - > 1 file changed, 32 insertions(+), 1 deletion(-) > > diff --git a/SUPPORT.md b/SUPPORT.md > index 3e352198ce..a8388f3dc5 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md (...) > @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests > Disabled by default (enable with hypervisor command line option). > This feature is not security supported: see > http://xenbits.xen.org/xsa/advisory-163.html > > +### x86/PCI Device Passthrough > + > +Status: Supported, with caveats > + > +Only systems using IOMMUs will be supported. s/will be/are/ ? > + > +Not compatible with migration, altp2m, introspection, memory sharing, or > memory paging. > + > +Because of hardware limitations > +(affecting any operating system or hypervisor), > +it is generally not safe to use this feature > +to expose a physical device to completely untrusted guests. > +However, this feature can still confer significant security benefit > +when used to remove drivers and backends from domain 0 > +(i.e., Driver Domains). > +See docs/PCI-IOMMU-bugs.txt for more information. > + > ### ARM/Non-PCI device passthrough > > Status: Supported -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? signature.asc Description: PGP signature ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel