From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jan Kiszka <jan.kiszka@web.de>
Subject: Re: KVM handling external interrupts
Date: Thu, 07 Jun 2012 13:40:57 +0200
Message-ID: <4FD09349.6090305@web.de>
References: <CAB7xdi=b_2jK33bW=cMt_k4+ehwzzf6synHsXf+1gboXtvWVNQ@mail.gmail.com> <OF0A8D80DC.FDEDAC2E-ONC2257A16.002A8BD4-C2257A16.002B31FA@il.ibm.com> <4FD062BC.5090703@web.de> <OFB1DF9654.3F7DAE26-ONC2257A16.0035B4BD-C2257A16.00368575@il.ibm.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigE44E54ADA1799F0005A4780E"
Cc: Alex Landau <LALEX@il.ibm.com>,
	Dan Tsafrir <dan.tsafrir@gmail.com>,
	sheng qiu <herbert1984106@gmail.com>,
	kvm <kvm@vger.kernel.org>,
	Muli Ben-Yehuda <muli@cs.technion.ac.il>,
	Nadav Har'El <NYH@il.ibm.com>,
	Nadav Amit <nadav.amit@gmail.com>
To: Abel Gordon <ABELG@il.ibm.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mout.web.de ([212.227.17.12]:57966 "EHLO mout.web.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752665Ab2FGLlD (ORCPT <rfc822;kvm@vger.kernel.org>);
	Thu, 7 Jun 2012 07:41:03 -0400
In-Reply-To: <OFB1DF9654.3F7DAE26-ONC2257A16.0035B4BD-C2257A16.00368575@il.ibm.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigE44E54ADA1799F0005A4780E
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 2012-06-07 11:55, Abel Gordon wrote:
> Security holes: not if you are OK with the threat model we describe in =
the
> paper

Back to this: I don't get your threat model completely. How should the
guest be able to manipulate the shadow IDT if we a) mark it read-only in
the host's page table that maps the guest physical memory and b) prevent
via the IOMMU that any assigned devices can address this page via DMA?

But even if we consider the IDT unsafe, what does that IDT limiting buy
us? The guest can still mask interrupts above that limit via cli, no?
Also, unless I misunderstood your suggestions, I wouldn't try to run
normal interrupt handlers in NMI context. That's asking for lots of
troubles or lots of code changes.

So the only measures that save us from CPU hogging guests are the
preemption timer and kicking via NMI. Or what am I missing?

Jan


--------------enigE44E54ADA1799F0005A4780E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/Qk0kACgkQitSsb3rl5xSLXgCfYNq8fqc7tSIcKrsuFCYbTtUn
900AmwQkD734JrRZf5GNBpT0fIgiYnK2
=H5DN
-----END PGP SIGNATURE-----

--------------enigE44E54ADA1799F0005A4780E--