From mboxrd@z Thu Jan  1 00:00:00 1970
From: Yang Zhang <yang.zhang.wz@gmail.com>
Subject: Re: X58 Virtualization w/ Linux
Date: Mon, 13 Jun 2016 09:46:05 +0800
Message-ID: <2884c8b8-9ad3-cba7-d9ba-b94946775087@gmail.com>
References: <03f27bbf-f8ad-b377-c194-adaefe808077@stevenovakov.com>
 <ce629b1f-d85c-d93d-25a0-9c377cfc1500@gmail.com>
 <ecf1dd3d-e530-f42d-8f13-efb5ab60846c@stevenovakov.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
To: Steve Novakov <steve@stevenovakov.com>, kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-oi0-f47.google.com ([209.85.218.47]:36454 "EHLO
	mail-oi0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933059AbcFMBqL (ORCPT <rfc822;kvm@vger.kernel.org>);
	Sun, 12 Jun 2016 21:46:11 -0400
Received: by mail-oi0-f47.google.com with SMTP id p204so187503563oih.3
        for <kvm@vger.kernel.org>; Sun, 12 Jun 2016 18:46:11 -0700 (PDT)
In-Reply-To: <ecf1dd3d-e530-f42d-8f13-efb5ab60846c@stevenovakov.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 2016/6/12 9:55, Steve Novakov wrote:
> Hello Yang,
>
>> allow_unsafe_interupts actually means the interrupt remapping on Intel
>> IOMMU which is a security feature. Without it, a malicious VM can
>> attack the host, see below document for more details:
>> http://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
>>
>
> Should I take that to mean that "allow_unsafe_interrupts" is actually a
> security feature???  Is this the discussed "interrupt remapping" in the

Interrupt remapping not only a security feature, it also supports more 
than 255 CPUs associate with x2apic. allow_unsafe_interrupts allows you 
to enable IOMMU on the platform even without interrupt remapping because 
first platform supporting IOMMU doesn't have interrupt remapping.

> whitepaper? I am interpreting that paper as saying that this interrupt
> remapping does *not* use the supplied DMAR table. Is that correct?

All the necessary information for IOMMU is located in ACPI tables not 
only DMAR table. OS need to parse it before enabling the IOMMU.

>
>> Also, you can try to upgrade your BIOS to fix it.
>
> I'll take a look but I think I have the latest (which means, from ~2011
> probably) BIOS version.
>
> Could I also ask you outright what entire set of boot options you would
> pass when booting into a kvm system with IOMMU enabled? I would love
> some "default" set of boot options to compare to, as opposed to random
> ones from assorted forums.

Usually, i am using intel_iommu=on and everything works well. But in 
your case, i guess you may also need intremap=off.

>
> Thank you for the prompt reply!
>
> Steve Novakov
> B.A.Sc Engineering Physics
> PhD Student - Physics
> University of Michigan - Ann Arbor
> On 6/11/2016 9:46 PM, Yang Zhang wrote:
>


-- 
best regards
yang