| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 May 2016 02:36:27 +0000 From: "Tian, Kevin" <kevin.tian@...el.com> To: Alex Williamson <alex.williamson@...hat.com> CC: Yongji Xie <xyjxie@...ux.vnet.ibm.com>, David Laight <David.Laight@...LAB.COM>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>, "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>, "iommu@...ts.linux-foundation.org" <iommu@...ts.linux-foundation.org>, "bhelgaas@...gle.com" <bhelgaas@...gle.com>, "aik@...abs.ru" <aik@...abs.ru>, "benh@...nel.crashing.org" <benh@...nel.crashing.org>, "paulus@...ba.org" <paulus@...ba.org>, "mpe@...erman.id.au" <mpe@...erman.id.au>, "joro@...tes.org" <joro@...tes.org>, "warrier@...ux.vnet.ibm.com" <warrier@...ux.vnet.ibm.com>, "zhong@...ux.vnet.ibm.com" <zhong@...ux.vnet.ibm.com>, "nikunj@...ux.vnet.ibm.com" <nikunj@...ux.vnet.ibm.com>, "eric.auger@...aro.org" <eric.auger@...aro.org>, "will.deacon@....com" <will.deacon@....com>, "gwshan@...ux.vnet.ibm.com" <gwshan@...ux.vnet.ibm.com>, "alistair@...ple.id.au" <alistair@...ple.id.au>, "ruscur@...sell.cc" <ruscur@...sell.cc> Subject: RE: [PATCH 5/5] vfio-pci: Allow to mmap MSI-X table if interrupt remapping is supported > From: Tian, Kevin > Sent: Friday, May 13, 2016 10:33 AM > > > means. The MSI-X vector table of a device is always considered > > untrusted which is why we require user opt-ins to subvert that > > protection. Thanks, > > > > I only partially agree with this statement since there is different > trust level for kernel space driver and user space driver. > > OS may choose to trust kernel space driver then it can enable IRQ > remapping only for load balance purpose w/o source id verfification. > In such case MSI-X vector table is trusted and fully under kernel > control. Allowing to mmap MSI-X table in user space definitely > breaks that boundary. > > Anyway my point is simple. Let's ignore how Linux kernel implements > IRQ remapping on x86 (which may change time to time), and just > focus on architectural possibility. Non-x86 platform may implement > IRQ remapping completely separate from device side, then checking > availability of IRQ remapping is enough to decide whether mmap > MSI-X table is safe. x86 with VT-d can be configured to a mode > requiring host control of both MSI-X entry and IRQ remapping hardware > (without source id check). In such case it's insufficient to make > decision simply based on IRQ remapping availability. We need a way > to query from IRQ remapping module whether it's actually safe to > mmap MSI-X. > Or another way is to have VFIO explicitly request intel-iommu to enforce sid check when IRQ remapping is enabled... Thanks Kevin
Powered by blists - more mailing lists