Message ID | 20171113154126.13038-14-george.dunlap@citrix.com (mailing list archive) |
---|---|
State | New, archived |
On Mon, Nov 13, 2017 at 03:41:24PM +0000, George Dunlap wrote: > Signed-off-by: George Dunlap <george.dunlap@citrix.com> > --- > CC: Ian Jackson <ian.jackson@citrix.com> > CC: Wei Liu <wei.liu2@citrix.com> > CC: Andrew Cooper <andrew.cooper3@citrix.com> > CC: Jan Beulich <jbeulich@suse.com> > CC: Stefano Stabellini <sstabellini@kernel.org> > CC: Konrad Wilk <konrad.wilk@oracle.com> > CC: Tim Deegan <tim@xen.org> > CC: Rich Persaud <persaur@gmail.com> > CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> > CC: Christopher Clark <christopher.w.clark@gmail.com> > CC: James McKenzie <james.mckenzie@bromium.com> > --- > SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > > diff --git a/SUPPORT.md b/SUPPORT.md > index 3e352198ce..a8388f3dc5 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md (...) > @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests > Disabled by default (enable with hypervisor command line option). > This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html > > +### x86/PCI Device Passthrough > + > + Status: Supported, with caveats > + > +Only systems using IOMMUs will be supported. s/will be/are/ ? > + > +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. > + > +Because of hardware limitations > +(affecting any operating system or hypervisor), > +it is generally not safe to use this feature > +to expose a physical device to completely untrusted guests. > +However, this feature can still confer significant security benefit > +when used to remove drivers and backends from domain 0 > +(i.e., Driver Domains). > +See docs/PCI-IOMMU-bugs.txt for more information. > + > ### ARM/Non-PCI device passthrough > > Status: Supported
Hi George, On 13/11/17 15:41, George Dunlap wrote: > Signed-off-by: George Dunlap <george.dunlap@citrix.com> > --- > CC: Ian Jackson <ian.jackson@citrix.com> > CC: Wei Liu <wei.liu2@citrix.com> > CC: Andrew Cooper <andrew.cooper3@citrix.com> > CC: Jan Beulich <jbeulich@suse.com> > CC: Stefano Stabellini <sstabellini@kernel.org> > CC: Konrad Wilk <konrad.wilk@oracle.com> > CC: Tim Deegan <tim@xen.org> > CC: Rich Persaud <persaur@gmail.com> > CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> > CC: Christopher Clark <christopher.w.clark@gmail.com> > CC: James McKenzie <james.mckenzie@bromium.com> > --- > SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > > diff --git a/SUPPORT.md b/SUPPORT.md > index 3e352198ce..a8388f3dc5 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -454,9 +454,23 @@ there is currently no xl support. > > ## Security > > +### Driver Domains > + > + Status: Supported, with caveats > + > +"Driver domains" means allowing non-Domain 0 domains > +with access to physical devices to act as back-ends. > + > +See the appropriate "Device Passthrough" section > +for more information about security support. > + > ### Device Model Stub Domains > > - Status: Supported > + Status: Supported, with caveats > + > +Vulnerabilities of a device model stub domain > +to a hostile driver domain (either compromised or untrusted) > +are excluded from security support. > > ### KCONFIG Expert 
> > @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests > Disabled by default (enable with hypervisor command line option). > This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html > > +### x86/PCI Device Passthrough > + > + Status: Supported, with caveats > + > +Only systems using IOMMUs will be supported. > + > +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. > + > +Because of hardware limitations > +(affecting any operating system or hypervisor), > +it is generally not safe to use this feature > +to expose a physical device to completely untrusted guests. > +However, this feature can still confer significant security benefit > +when used to remove drivers and backends from domain 0 > +(i.e., Driver Domains). > +See docs/PCI-IOMMU-bugs.txt for more information. Where can I find this file? Is it in staging? Cheers,
>>> On 13.11.17 at 16:41, <george.dunlap@citrix.com> wrote: > +### x86/PCI Device Passthrough > + > + Status: Supported, with caveats I think this wants to be ### PCI Device Passthrough Status, x86 HVM: Supported, with caveats Status, x86 PV: Supported, with caveats to (a) allow later extending for ARM and (b) exclude PVH (assuming that its absence means non-existing code). > +Only systems using IOMMUs will be supported. > + > +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. And PoD, iirc. With these adjustments (or substantially similar ones) Acked-by: Jan Beulich <jbeulich@suse.com> Jan
On 11/14/2017 01:25 PM, Marek Marczykowski-Górecki wrote: > On Mon, Nov 13, 2017 at 03:41:24PM +0000, George Dunlap wrote: >> Signed-off-by: George Dunlap <george.dunlap@citrix.com> >> --- >> CC: Ian Jackson <ian.jackson@citrix.com> >> CC: Wei Liu <wei.liu2@citrix.com> >> CC: Andrew Cooper <andrew.cooper3@citrix.com> >> CC: Jan Beulich <jbeulich@suse.com> >> CC: Stefano Stabellini <sstabellini@kernel.org> >> CC: Konrad Wilk <konrad.wilk@oracle.com> >> CC: Tim Deegan <tim@xen.org> >> CC: Rich Persaud <persaur@gmail.com> >> CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> >> CC: Christopher Clark <christopher.w.clark@gmail.com> >> CC: James McKenzie <james.mckenzie@bromium.com> >> --- >> SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- >> 1 file changed, 32 insertions(+), 1 deletion(-) >> >> diff --git a/SUPPORT.md b/SUPPORT.md >> index 3e352198ce..a8388f3dc5 100644 >> --- a/SUPPORT.md >> +++ b/SUPPORT.md > > (...) > >> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >> Disabled by default (enable with hypervisor command line option). >> This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html >> >> +### x86/PCI Device Passthrough >> + >> + Status: Supported, with caveats >> + >> +Only systems using IOMMUs will be supported. > > s/will be/are/ ? Ack -George
On 11/21/2017 08:59 AM, Jan Beulich wrote: >>>> On 13.11.17 at 16:41, <george.dunlap@citrix.com> wrote: >> +### x86/PCI Device Passthrough >> + >> + Status: Supported, with caveats > > I think this wants to be > > ### PCI Device Passthrough > > Status, x86 HVM: Supported, with caveats > Status, x86 PV: Supported, with caveats > > to (a) allow later extending for ARM and (b) exclude PVH (assuming > that its absence means non-existing code). Good call. > >> +Only systems using IOMMUs will be supported. >> + >> +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. > > And PoD, iirc. Ack > > With these adjustments (or substantially similar ones) > Acked-by: Jan Beulich <jbeulich@suse.com> Great, thanks.
On 11/16/2017 03:43 PM, Julien Grall wrote: > Hi George, > > On 13/11/17 15:41, George Dunlap wrote: >> Signed-off-by: George Dunlap <george.dunlap@citrix.com> >> --- >> CC: Ian Jackson <ian.jackson@citrix.com> >> CC: Wei Liu <wei.liu2@citrix.com> >> CC: Andrew Cooper <andrew.cooper3@citrix.com> >> CC: Jan Beulich <jbeulich@suse.com> >> CC: Stefano Stabellini <sstabellini@kernel.org> >> CC: Konrad Wilk <konrad.wilk@oracle.com> >> CC: Tim Deegan <tim@xen.org> >> CC: Rich Persaud <persaur@gmail.com> >> CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> >> CC: Christopher Clark <christopher.w.clark@gmail.com> >> CC: James McKenzie <james.mckenzie@bromium.com> >> --- >> SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- >> 1 file changed, 32 insertions(+), 1 deletion(-) >> >> diff --git a/SUPPORT.md b/SUPPORT.md >> index 3e352198ce..a8388f3dc5 100644 >> --- a/SUPPORT.md >> +++ b/SUPPORT.md >> @@ -454,9 +454,23 @@ there is currently no xl support. >> ## Security >> +### Driver Domains >> + >> + Status: Supported, with caveats >> + >> +"Driver domains" means allowing non-Domain 0 domains >> +with access to physical devices to act as back-ends. >> + >> +See the appropriate "Device Passthrough" section >> +for more information about security support. >> + >> ### Device Model Stub Domains >> - Status: Supported >> + Status: Supported, with caveats >> + >> +Vulnerabilities of a device model stub domain >> +to a hostile driver domain (either compromised or untrusted) >> +are excluded from security support. >> ### KCONFIG Expert 
>> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >> Disabled by default (enable with hypervisor command line option). >> This feature is not security supported: see >> http://xenbits.xen.org/xsa/advisory-163.html >> +### x86/PCI Device Passthrough >> + >> + Status: Supported, with caveats >> + >> +Only systems using IOMMUs will be supported. >> + >> +Not compatible with migration, altp2m, introspection, memory sharing, >> or memory paging. >> + >> +Because of hardware limitations >> +(affecting any operating system or hypervisor), >> +it is generally not safe to use this feature >> +to expose a physical device to completely untrusted guests. >> +However, this feature can still confer significant security benefit >> +when used to remove drivers and backends from domain 0 >> +(i.e., Driver Domains). >> +See docs/PCI-IOMMU-bugs.txt for more information. > > Where can I find this file? Is it in staging? No, I took this from a recommendation made to me, without checking. Rich, are you going to send a patch adding this file, or did you mean to point to a different file? -George
On Nov 22, 2017, at 13:58, George Dunlap <george.dunlap@citrix.com> wrote: > >> On 11/16/2017 03:43 PM, Julien Grall wrote: >> Hi George, >> >>> On 13/11/17 15:41, George Dunlap wrote: >>> Signed-off-by: George Dunlap <george.dunlap@citrix.com> >>> --- >>> CC: Ian Jackson <ian.jackson@citrix.com> >>> CC: Wei Liu <wei.liu2@citrix.com> >>> CC: Andrew Cooper <andrew.cooper3@citrix.com> >>> CC: Jan Beulich <jbeulich@suse.com> >>> CC: Stefano Stabellini <sstabellini@kernel.org> >>> CC: Konrad Wilk <konrad.wilk@oracle.com> >>> CC: Tim Deegan <tim@xen.org> >>> CC: Rich Persaud <persaur@gmail.com> >>> CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> >>> CC: Christopher Clark <christopher.w.clark@gmail.com> >>> CC: James McKenzie <james.mckenzie@bromium.com> >>> --- >>> SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- >>> 1 file changed, 32 insertions(+), 1 deletion(-) >>> >>> diff --git a/SUPPORT.md b/SUPPORT.md >>> index 3e352198ce..a8388f3dc5 100644 >>> --- a/SUPPORT.md >>> +++ b/SUPPORT.md >>> @@ -454,9 +454,23 @@ there is currently no xl support. >>> ## Security >>> +### Driver Domains >>> + >>> + Status: Supported, with caveats >>> + >>> +"Driver domains" means allowing non-Domain 0 domains >>> +with access to physical devices to act as back-ends. >>> + >>> +See the appropriate "Device Passthrough" section >>> +for more information about security support. >>> + >>> ### Device Model Stub Domains >>> - Status: Supported >>> + Status: Supported, with caveats >>> + >>> +Vulnerabilities of a device model stub domain >>> +to a hostile driver domain (either compromised or untrusted) >>> +are excluded from security support. >>> ### KCONFIG Expert 
>>> @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests >>> Disabled by default (enable with hypervisor command line option). >>> This feature is not security supported: see >>> http://xenbits.xen.org/xsa/advisory-163.html >>> +### x86/PCI Device Passthrough >>> + >>> + Status: Supported, with caveats >>> + >>> +Only systems using IOMMUs will be supported. >>> + >>> +Not compatible with migration, altp2m, introspection, memory sharing, >>> or memory paging. >>> + >>> +Because of hardware limitations >>> +(affecting any operating system or hypervisor), >>> +it is generally not safe to use this feature >>> +to expose a physical device to completely untrusted guests. >>> +However, this feature can still confer significant security benefit >>> +when used to remove drivers and backends from domain 0 >>> +(i.e., Driver Domains). >>> +See docs/PCI-IOMMU-bugs.txt for more information. >> >> Where can I find this file? Is it in staging? > > No, I took this from a recommendation made to me, without checking. > > Rich, are you going to send a patch adding this file, or did you mean to > point to a different file? Yes, I’ll send a patch to add this file. Rich
diff --git a/SUPPORT.md b/SUPPORT.md index 3e352198ce..a8388f3dc5 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -454,9 +454,23 @@ there is currently no xl support. ## Security +### Driver Domains + + Status: Supported, with caveats + +"Driver domains" means allowing non-Domain 0 domains +with access to physical devices to act as back-ends. + +See the appropriate "Device Passthrough" section +for more information about security support. + ### Device Model Stub Domains - Status: Supported + Status: Supported, with caveats + +Vulnerabilities of a device model stub domain +to a hostile driver domain (either compromised or untrusted) +are excluded from security support. ### KCONFIG Expert @@ -522,6 +536,23 @@ Virtual Performance Management Unit for HVM guests Disabled by default (enable with hypervisor command line option). This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html +### x86/PCI Device Passthrough + + Status: Supported, with caveats + +Only systems using IOMMUs will be supported. + +Not compatible with migration, altp2m, introspection, memory sharing, or memory paging. + +Because of hardware limitations +(affecting any operating system or hypervisor), +it is generally not safe to use this feature +to expose a physical device to completely untrusted guests. +However, this feature can still confer significant security benefit +when used to remove drivers and backends from domain 0 +(i.e., Driver Domains). +See docs/PCI-IOMMU-bugs.txt for more information. + ### ARM/Non-PCI device passthrough Status: Supported
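Review bot: In the first hunk (@@ -454,9 +454,23 @@), the new "Driver Domains" section is marked "Supported, with caveats" but states no caveat itself and points only to "the appropriate "Device Passthrough" section" without naming it. Someone checking whether a deployment is security supported has to guess which section applies; name the sections explicitly (this patch adds "x86/PCI Device Passthrough", and the context shows "ARM/Non-PCI device passthrough") or state the caveat inline. The "Device Model Stub Domains" change in the same hunk does spell out its exclusion ("are excluded from security support"), and the Driver Domains text would benefit from equally explicit wording.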
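Review bot: In the second hunk (@@ -522,6 +536,23 @@), the last added line points to docs/PCI-IOMMU-bugs.txt, but the diffstat lists only SUPPORT.md (1 file changed), so the reference dangles unless another patch adds that file. Either add the file in the same series or drop the pointer until it exists. Separately, the sentence beginning "it is generally not safe to use this feature" does not say whether exposing a device to a completely untrusted guest is excluded from security support; the stub domain section uses "are excluded from security support", and the same phrasing here would make the caveat behind "Supported, with caveats" checkable. "will be supported" also reads as a future promise in a document that describes current status.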
Signed-off-by: George Dunlap <george.dunlap@citrix.com> --- CC: Ian Jackson <ian.jackson@citrix.com> CC: Wei Liu <wei.liu2@citrix.com> CC: Andrew Cooper <andrew.cooper3@citrix.com> CC: Jan Beulich <jbeulich@suse.com> CC: Stefano Stabellini <sstabellini@kernel.org> CC: Konrad Wilk <konrad.wilk@oracle.com> CC: Tim Deegan <tim@xen.org> CC: Rich Persaud <persaur@gmail.com> CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> CC: Christopher Clark <christopher.w.clark@gmail.com> CC: James McKenzie <james.mckenzie@bromium.com> --- SUPPORT.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-)