> On 7 Jan 2018, at 17:11, Andrew Cooper <andrew.coop...@citrix.com> wrote:
>
>
>>>> Since PVH does not yet support PCI passthrough, are there other
>>>> recommended SP3 mitigations for 64-bit PV driver domains?
>>> Lock them down? Device driver domains, even if not fully trusted, are
>>> going to be part of the system and therefore at least semi-TCB.
>>>
>>> If an attacker can't run code in your driver domain (and be aware of
>>> things like server side processing, JIT of SQL, etc as "running code"
>>> methods), they aren't in a position to mount an SP3 attack.
>> Well, the main reason why driver domains are used in Qubes OS is the
>> assumption that it is not possible to really "lock them down", given
>> the full OS (Linux) running inside and being exposed to the outside world
>> (having network adapters, USB controllers etc). There are so many
>> components running in them that for sure some of them are buggy. Just some
>> examples exploitable in the recent past: DHCP client, Bluetooth stack.
>>
>> If we'd believe that handling those devices exposed to the outside world
>> is "safe", we wouldn't use driver domains at all...
>
> Indeed, but they are in a better position than arbitrary VMs, because
> users can't just log into them and start running code. (I really hope...)
I wanted to point out
https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00497.html
which according to the cover letter is based on HVM and not PVH. I am not
really sure whether this would solve some of the problems around PCI
passthrough.
Regards
Lars
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel