From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Chen, Tiejun"
Subject: Re: [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode
Date: Thu, 10 Sep 2015 13:46:59 +0800
Message-ID: <55F11953.7040002@intel.com>
References: <1441763998-4937-1-git-send-email-tiejun.chen@intel.com> <55EFF3CE02000078000A1150@prv-mh.provo.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: "Tian, Kevin" , Jan Beulich
Cc: "Zhang, Yang Z" , Wei Liu , "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

> Need to have separate warning/error level for relax/strict.
>
> However I don't think this patch is a right fix. So far relax/strict policy
> is per-domain. what about one VM specifies relax while another VM
> specifies strict when each is assigned with a device sharing rmrr
> with the other? In that case it becomes a system-wide security hole.
>
> Once we add code to track group relationship cross domains, it'd be
> close to the final fix to support group assignment which originally target
> 4.7. It might be risky to add that in 4.6.

Yes.

>
> So my suggestion is to live with current limitation.
>

But recently someone was encountering this problem.

http://www.gossamer-threads.com/lists/xen/devel/391684?page=last

We'd better figure out a simple way to this regression.

Thanks
Tiejun