>>> On 15.09.15 at 03:17, wrote:
>> > But looks its not better, so any idea?
>>
>> Did you at least make an attempt to find other examples of where
>> we dynamically determine the log level to be used for a message?
>> I would assume that if you did, you'd have come to
>>
On Tue, Sep 15, 2015 at 09:17:07AM +0800, Chen, Tiejun wrote:
> >>But looks its not better, so any idea?
> >
> >Did you at least make an attempt to find other examples of where
> >we dynamically determine the log level to be used for a message?
> >I would assume that if you did, you'd have come to
>>> On 14.09.15 at 08:24, wrote:
>> OK, that explanation is fine to me as long as it's made clear no
>> security guarantee once admin uses 'relax' for any domain. Tiejun
>> could you resend patch with right warning/error type?
>>
>
> Sure, but a little bit makes me
But looks its not better, so any idea?
Did you at least make an attempt to find other examples of where
we dynamically determine the log level to be used for a message?
I would assume that if you did, you'd have come to
printk(XENLOG_GUEST "%s" VTDPREFIX
I didn't know this tip
> From: Chen, Tiejun
> Sent: Monday, September 14, 2015 2:25 PM
>
> > OK, that explanation is fine to me as long as it's made clear no
> > security guarantee once admin uses 'relax' for any domain. Tiejun
> > could you resend patch with right warning/error type?
> >
>
> Sure, but a little bit
> From: Chen, Tiejun
> Sent: Wednesday, September 09, 2015 10:00 AM
>
> Currently we don't allow passing through any group devices which are
> sharing same RMRR entry since it would break security among VMs. And
> indeed, we expect we can figure out a better way to handle this kind
> of case
OK, that explanation is fine to me as long as it's made clear no
security guarantee once admin uses 'relax' for any domain. Tiejun
could you resend patch with right warning/error type?
Sure, but a little bit makes me confused when I'm trying to address
this. Actually most messages are same,
On Mon, Sep 14, 2015 at 06:59:56AM +, Tian, Kevin wrote:
> > From: Chen, Tiejun
> > Sent: Wednesday, September 09, 2015 10:00 AM
> >
> > Currently we don't allow passing through any group devices which are
> > sharing same RMRR entry since it would break security among VMs. And
> > indeed, we
>>> On 11.09.15 at 01:22, wrote:
> Sorry it's a bad example. My actual concern is that we can't count
> on this per-VM relax/strict policy to prevent group devices assigned
> to different VM. In that case it's definitely a security hole since
> one VM may clobber shared RMRR
> From: Jan Beulich [mailto:jbeul...@suse.com]
> Sent: Friday, September 11, 2015 4:56 PM
>
> >>> On 11.09.15 at 01:22, wrote:
> > Sorry it's a bad example. My actual concern is that we can't count
> > on this per-VM relax/strict policy to prevent group devices assigned
> >
On Thu, Sep 10, 2015 at 02:09:39AM -0600, Jan Beulich wrote:
> >>> On 10.09.15 at 07:23, wrote:
> >> From: Jan Beulich [mailto:jbeul...@suse.com]
> >> Sent: Wednesday, September 09, 2015 2:55 PM
> >>
> >> >>> On 09.09.15 at 03:59, wrote:
> >> > @@
>>> On 10.09.15 at 07:23, wrote:
>> From: Jan Beulich [mailto:jbeul...@suse.com]
>> Sent: Wednesday, September 09, 2015 2:55 PM
>>
>> >>> On 09.09.15 at 03:59, wrote:
>> > @@ -2310,12 +2312,16 @@ static int intel_iommu_assign_device(
>> >
Den 10. sep. 2015 08:06, skrev Tian, Kevin:
>> From: Chen, Tiejun
>> Sent: Thursday, September 10, 2015 1:47 PM
>>
>> But recently someone was encountering this problem.
>>
>> http://www.gossamer-threads.com/lists/xen/devel/391684?page=last
>>
>> We'd better figure out a simple way to this
Den 10. sep. 2015 13:04, skrev Håkon Alstadheim:
> Den 10. sep. 2015 08:06, skrev Tian, Kevin:
>>> From: Chen, Tiejun
>>> Sent: Thursday, September 10, 2015 1:47 PM
>>>
>>> But recently someone was encountering this problem.
>>>
>>> http://www.gossamer-threads.com/lists/xen/devel/391684?page=last
> From: Chen, Tiejun
> Sent: Friday, September 11, 2015 8:56 AM
>
> >> > > Need to have separate warning/error level for relax/strict.
> >> > >
> >> > > However I don't think this patch is a right fix. So far relax/strict
> >> > > policy
> >> > > is per-domain. what about one VM specifies relax
> > Need to have separate warning/error level for relax/strict.
> >
> > However I don't think this patch is a right fix. So far relax/strict policy
> > is per-domain. what about one VM specifies relax while another VM
> > specifies strict when each is assigned with a device sharing rmrr
> > with
> From: Wei Liu [mailto:wei.l...@citrix.com]
> Sent: Thursday, September 10, 2015 6:37 PM
>
> On Thu, Sep 10, 2015 at 02:09:39AM -0600, Jan Beulich wrote:
> > >>> On 10.09.15 at 07:23, wrote:
> > >> From: Jan Beulich [mailto:jbeul...@suse.com]
> > >> Sent: Wednesday,
> From: Chen, Tiejun
> Sent: Friday, September 11, 2015 10:21 AM
>
> >> >> > > However I don't think this patch is a right fix. So far
> >> >> > > relax/strict policy
> >> >> > > is per-domain. what about one VM specifies relax while another VM
> >> >> > > specifies strict when each is assigned
>> > > However I don't think this patch is a right fix. So far relax/strict
policy
>> > > is per-domain. what about one VM specifies relax while another VM
>> > > specifies strict when each is assigned with a device sharing rmrr
>> > > with the other? In that case it becomes a system-wide
> From: Chen, Tiejun
> Sent: Thursday, September 10, 2015 1:47 PM
>
> > Need to have separate warning/error level for relax/strict.
> >
> > However I don't think this patch is a right fix. So far relax/strict policy
> > is per-domain. what about one VM specifies relax while another VM
> >
>>> On 09.09.15 at 03:59, wrote:
> @@ -2310,12 +2312,16 @@ static int intel_iommu_assign_device(
> PCI_DEVFN2(bdf) == devfn &&
> rmrr->scope.devices_cnt > 1 )
> {
> -printk(XENLOG_G_ERR VTDPREFIX
> - "
On 9/9/2015 2:54 PM, Jan Beulich wrote:
On 09.09.15 at 03:59, wrote:
@@ -2310,12 +2312,16 @@ static int intel_iommu_assign_device(
PCI_DEVFN2(bdf) == devfn &&
rmrr->scope.devices_cnt > 1 )
{
-printk(XENLOG_G_ERR VTDPREFIX
> From: Jan Beulich [mailto:jbeul...@suse.com]
> Sent: Wednesday, September 09, 2015 2:55 PM
>
> >>> On 09.09.15 at 03:59, wrote:
> > @@ -2310,12 +2312,16 @@ static int intel_iommu_assign_device(
> > PCI_DEVFN2(bdf) == devfn &&
> >
Need to have separate warning/error level for relax/strict.
However I don't think this patch is a right fix. So far relax/strict policy
is per-domain. what about one VM specifies relax while another VM
specifies strict when each is assigned with a device sharing rmrr
with the other? In that case
Currently we don't allow passing through any group devices which are
sharing same RMRR entry since it would break security among VMs. And
indeed, we expect we can figure out a better way to handle this kind
of case completely.
But before the group assignment gets implemented, we might make this
25 matches
Mail list logo