Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[Rich Persaud]

On Nov 22, 2017, at 13:58, George Dunlap  wrote:
> 
>> On 11/16/2017 03:43 PM, Julien Grall wrote:
>> Hi George,
>> 
>>> On 13/11/17 15:41, George Dunlap wrote:
>>> Signed-off-by: George Dunlap 
>>> ---
>>> CC: Ian Jackson 
>>> CC: Wei Liu 
>>> CC: Andrew Cooper 
>>> CC: Jan Beulich 
>>> CC: Stefano Stabellini 
>>> CC: Konrad Wilk 
>>> CC: Tim Deegan 
>>> CC: Rich Persaud 
>>> CC: Marek Marczykowski-Górecki 
>>> CC: Christopher Clark 
>>> CC: James McKenzie 
>>> ---
>>>   SUPPORT.md | 33 -
>>>   1 file changed, 32 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/SUPPORT.md b/SUPPORT.md
>>> index 3e352198ce..a8388f3dc5 100644
>>> --- a/SUPPORT.md
>>> +++ b/SUPPORT.md
>>> @@ -454,9 +454,23 @@ there is currently no xl support.
>>> ## Security
>>>   +### Driver Domains
>>> +
>>> +Status: Supported, with caveats
>>> +
>>> +"Driver domains" means allowing non-Domain 0 domains
>>> +with access to physical devices to act as back-ends.
>>> +
>>> +See the appropriate "Device Passthrough" section
>>> +for more information about security support.
>>> +
>>>   ### Device Model Stub Domains
>>>   -Status: Supported
>>> +Status: Supported, with caveats
>>> +
>>> +Vulnerabilities of a device model stub domain
>>> +to a hostile driver domain (either compromised or untrusted)
>>> +are excluded from security support.
>>> ### KCONFIG Expert
>>>   @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests
>>>   Disabled by default (enable with hypervisor command line option).
>>>   This feature is not security supported: see
>>> http://xenbits.xen.org/xsa/advisory-163.html
>>>   +### x86/PCI Device Passthrough
>>> +
>>> +Status: Supported, with caveats
>>> +
>>> +Only systems using IOMMUs will be supported.
>>> +
>>> +Not compatible with migration, altp2m, introspection, memory sharing,
>>> or memory paging.
>>> +
>>> +Because of hardware limitations
>>> +(affecting any operating system or hypervisor),
>>> +it is generally not safe to use this feature
>>> +to expose a physical device to completely untrusted guests.
>>> +However, this feature can still confer significant security benefit
>>> +when used to remove drivers and backends from domain 0
>>> +(i.e., Driver Domains).
>>> +See docs/PCI-IOMMU-bugs.txt for more information.
>> 
>> Where can I find this file? Is it in staging?
> 
> No, I took this from a recommendation made to me, without checking.
> 
> Rich, are you going to send a patch adding this file, or did you mean to
> point to a different file?

Yes, I’ll send a patch to add this file.

Rich
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[George Dunlap]

On 11/16/2017 03:43 PM, Julien Grall wrote:
> Hi George,
> 
> On 13/11/17 15:41, George Dunlap wrote:
>> Signed-off-by: George Dunlap 
>> ---
>> CC: Ian Jackson 
>> CC: Wei Liu 
>> CC: Andrew Cooper 
>> CC: Jan Beulich 
>> CC: Stefano Stabellini 
>> CC: Konrad Wilk 
>> CC: Tim Deegan 
>> CC: Rich Persaud 
>> CC: Marek Marczykowski-Górecki 
>> CC: Christopher Clark 
>> CC: James McKenzie 
>> ---
>>   SUPPORT.md | 33 -
>>   1 file changed, 32 insertions(+), 1 deletion(-)
>>
>> diff --git a/SUPPORT.md b/SUPPORT.md
>> index 3e352198ce..a8388f3dc5 100644
>> --- a/SUPPORT.md
>> +++ b/SUPPORT.md
>> @@ -454,9 +454,23 @@ there is currently no xl support.
>>     ## Security
>>   +### Driver Domains
>> +
>> +    Status: Supported, with caveats
>> +
>> +"Driver domains" means allowing non-Domain 0 domains
>> +with access to physical devices to act as back-ends.
>> +
>> +See the appropriate "Device Passthrough" section
>> +for more information about security support.
>> +
>>   ### Device Model Stub Domains
>>   -    Status: Supported
>> +    Status: Supported, with caveats
>> +
>> +Vulnerabilities of a device model stub domain
>> +to a hostile driver domain (either compromised or untrusted)
>> +are excluded from security support.
>>     ### KCONFIG Expert
>>   @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests
>>   Disabled by default (enable with hypervisor command line option).
>>   This feature is not security supported: see
>> http://xenbits.xen.org/xsa/advisory-163.html
>>   +### x86/PCI Device Passthrough
>> +
>> +    Status: Supported, with caveats
>> +
>> +Only systems using IOMMUs will be supported.
>> +
>> +Not compatible with migration, altp2m, introspection, memory sharing,
>> or memory paging.
>> +
>> +Because of hardware limitations
>> +(affecting any operating system or hypervisor),
>> +it is generally not safe to use this feature
>> +to expose a physical device to completely untrusted guests.
>> +However, this feature can still confer significant security benefit
>> +when used to remove drivers and backends from domain 0
>> +(i.e., Driver Domains).
>> +See docs/PCI-IOMMU-bugs.txt for more information.
> 
> Where can I find this file? Is it in staging?

No, I took this from a recommendation made to me, without checking.

Rich, are you going to send a patch adding this file, or did you mean to
point to a different file?

 -George

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[George Dunlap]

On 11/21/2017 08:59 AM, Jan Beulich wrote:
 On 13.11.17 at 16:41,  wrote:
>> +### x86/PCI Device Passthrough
>> +
>> +Status: Supported, with caveats
> 
> I think this wants to be
> 
> ### PCI Device Passthrough
> 
> Status, x86 HVM: Supported, with caveats
> Status, x86 PV: Supported, with caveats
> 
> to (a) allow later extending for ARM and (b) exclude PVH (assuming
> that its absence means non-existing code).

Good call.

> 
>> +Only systems using IOMMUs will be supported.
>> +
>> +Not compatible with migration, altp2m, introspection, memory sharing, or 
>> memory paging.
> 
> And PoD, iirc.

Ack

> 
> With these adjustments (or substantially similar ones)
> Acked-by: Jan Beulich 

Great, thanks.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[George Dunlap]

On 11/14/2017 01:25 PM, Marek Marczykowski-Górecki wrote:
> On Mon, Nov 13, 2017 at 03:41:24PM +, George Dunlap wrote:
>> Signed-off-by: George Dunlap 
>> ---
>> CC: Ian Jackson 
>> CC: Wei Liu 
>> CC: Andrew Cooper 
>> CC: Jan Beulich 
>> CC: Stefano Stabellini 
>> CC: Konrad Wilk 
>> CC: Tim Deegan 
>> CC: Rich Persaud 
>> CC: Marek Marczykowski-Górecki 
>> CC: Christopher Clark 
>> CC: James McKenzie 
>> ---
>>  SUPPORT.md | 33 -
>>  1 file changed, 32 insertions(+), 1 deletion(-)
>>
>> diff --git a/SUPPORT.md b/SUPPORT.md
>> index 3e352198ce..a8388f3dc5 100644
>> --- a/SUPPORT.md
>> +++ b/SUPPORT.md
> 
> (...)
> 
>> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests
>>  Disabled by default (enable with hypervisor command line option).
>>  This feature is not security supported: see 
>> http://xenbits.xen.org/xsa/advisory-163.html
>>  
>> +### x86/PCI Device Passthrough
>> +
>> +Status: Supported, with caveats
>> +
>> +Only systems using IOMMUs will be supported.
> 
> s/will be/are/ ?

Ack

 -George

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[Jan Beulich]

>>> On 13.11.17 at 16:41,  wrote:
> +### x86/PCI Device Passthrough
> +
> +Status: Supported, with caveats

I think this wants to be

### PCI Device Passthrough

Status, x86 HVM: Supported, with caveats
Status, x86 PV: Supported, with caveats

to (a) allow later extending for ARM and (b) exclude PVH (assuming
that its absence means non-existing code).

> +Only systems using IOMMUs will be supported.
> +
> +Not compatible with migration, altp2m, introspection, memory sharing, or 
> memory paging.

And PoD, iirc.

With these adjustments (or substantially similar ones)
Acked-by: Jan Beulich 

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[Julien Grall]

Hi George,

On 13/11/17 15:41, George Dunlap wrote:

Signed-off-by: George Dunlap 
---
CC: Ian Jackson 
CC: Wei Liu 
CC: Andrew Cooper 
CC: Jan Beulich 
CC: Stefano Stabellini 
CC: Konrad Wilk 
CC: Tim Deegan 
CC: Rich Persaud 
CC: Marek Marczykowski-Górecki 
CC: Christopher Clark 
CC: James McKenzie 
---
  SUPPORT.md | 33 -
  1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/SUPPORT.md b/SUPPORT.md
index 3e352198ce..a8388f3dc5 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -454,9 +454,23 @@ there is currently no xl support.
  
  ## Security
  
+### Driver Domains

+
+Status: Supported, with caveats
+
+"Driver domains" means allowing non-Domain 0 domains
+with access to physical devices to act as back-ends.
+
+See the appropriate "Device Passthrough" section
+for more information about security support.
+
  ### Device Model Stub Domains
  
-Status: Supported

+Status: Supported, with caveats
+
+Vulnerabilities of a device model stub domain
+to a hostile driver domain (either compromised or untrusted)
+are excluded from security support.
  
  ### KCONFIG Expert
  
@@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests

  Disabled by default (enable with hypervisor command line option).
  This feature is not security supported: see 
http://xenbits.xen.org/xsa/advisory-163.html
  
+### x86/PCI Device Passthrough

+
+Status: Supported, with caveats
+
+Only systems using IOMMUs will be supported.
+
+Not compatible with migration, altp2m, introspection, memory sharing, or 
memory paging.
+
+Because of hardware limitations
+(affecting any operating system or hypervisor),
+it is generally not safe to use this feature
+to expose a physical device to completely untrusted guests.
+However, this feature can still confer significant security benefit
+when used to remove drivers and backends from domain 0
+(i.e., Driver Domains).
+See docs/PCI-IOMMU-bugs.txt for more information.


Where can I find this file? Is it in staging?

Cheers,

--
Julien Grall

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 14/16] SUPPORT.md: Add statement on PCI passthrough

[Marek Marczykowski-Górecki]

On Mon, Nov 13, 2017 at 03:41:24PM +, George Dunlap wrote:
> Signed-off-by: George Dunlap 
> ---
> CC: Ian Jackson 
> CC: Wei Liu 
> CC: Andrew Cooper 
> CC: Jan Beulich 
> CC: Stefano Stabellini 
> CC: Konrad Wilk 
> CC: Tim Deegan 
> CC: Rich Persaud 
> CC: Marek Marczykowski-Górecki 
> CC: Christopher Clark 
> CC: James McKenzie 
> ---
>  SUPPORT.md | 33 -
>  1 file changed, 32 insertions(+), 1 deletion(-)
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 3e352198ce..a8388f3dc5 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md

(...)

> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests
>  Disabled by default (enable with hypervisor command line option).
>  This feature is not security supported: see 
> http://xenbits.xen.org/xsa/advisory-163.html
>  
> +### x86/PCI Device Passthrough
> +
> +Status: Supported, with caveats
> +
> +Only systems using IOMMUs will be supported.

s/will be/are/ ?

> +
> +Not compatible with migration, altp2m, introspection, memory sharing, or 
> memory paging.
> +
> +Because of hardware limitations
> +(affecting any operating system or hypervisor),
> +it is generally not safe to use this feature 
> +to expose a physical device to completely untrusted guests.
> +However, this feature can still confer significant security benefit 
> +when used to remove drivers and backends from domain 0
> +(i.e., Driver Domains).
> +See docs/PCI-IOMMU-bugs.txt for more information.
> +
>  ### ARM/Non-PCI device passthrough
>  
>  Status: Supported

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


signature.asc
Description: PGP signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel