Re: [PATCH] intel_iommu: Disable vfio and kvm interrupt assignment when unsafe

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Joerg Roedel <joro@8bytes.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Gleb Natapov <gleb@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	Alex Williamson <alex.williamson@redhat.com>,
	Don Zickus <dzickus@redhat.com>,
	Prarit Bhargava <prarit@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH] intel_iommu: Disable vfio and kvm interrupt assignment when unsafe
Date: Thu, 7 Feb 2013 21:51:53 +0100	[thread overview]
Message-ID: <20130207205152.GA2849@8bytes.org> (raw)
In-Reply-To: <CALCETrWGgpipHVnutSdfqBWw1GoyrdJV7vTMxagtYC8Zzr8HzA@mail.gmail.com>

On Thu, Feb 07, 2013 at 09:53:45AM -0800, Andy Lutomirski wrote:
> On Thu, Feb 7, 2013 at 9:27 AM, Joerg Roedel <joro@8bytes.org> wrote:
> > Hmm, looking into the intel_irq_remapping.c version in the tip tree
> > makes me wonder even more.
> 
> Is this the version I'm based on (intel_irq_remapping: Clean up x2apic
> optout security warning mess), or something else?

The current tip/master branch with your previous patches included. Btw.
commit af8d102f99 (which introduces the CFIS check) is also bogus. It
claims to cleanup warning messages but does more, like explicitly
clearing DMA_GCMD_CFI in the global command register. This should have
been a seperate patch with a seperate commit-msg.

Now to the two warnings. First of:

        if (sts & DMA_GSTS_CFIS)
                WARN(1, KERN_WARNING
                        "Compatibility-format IRQs enabled despite intr remapping;\n"
                        "you are vulnerable to IRQ injection.\n");

This one can be removed completly as it will never trigger. The CFIS bit
you check here (according to the VT-d spec) has the same value as what
you write into GCMD.CFI (which you set to 0 earlier in the function).

The other warning:

        if (x2apic_present)
                WARN(1, KERN_WARNING
                        "Failed to enable irq remapping.  You are vulnerable to irq-injection attacks.\n");

Here you should remove the x2apic_present check as this is the
error-path for xapic and x2apic. The vulnerability exists with xapic
too.

> What's the general rule here?  If this warning hits, then my
> understanding of the Intel VT-d spec is wrong, and I don't think that
> firmware can cause it.  A buggy hypervisor could, I suppose.

A buggy hypervisor can not cause the CFIS-check warning. In my
understanding only broken hardware can cause it, but that would be known
already in the form of a hardware erratum. As I said above, after some
reading in the VT-d spec I think the warning can go away (Even clearing
GCMD.CFI can be removed as the value is never set in the VT-d driver, so
the bit is always written as 0 by Linux).

With this in mind, I also think that the patch this thread is about does
not make much sense. It just adds more code to handle a case that could
never happen.

Regards,

	Joerg

next prev parent reply	other threads:[~2013-02-07 20:52 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-07  3:08 [PATCH] intel_iommu: Disable vfio and kvm interrupt assignment when unsafe Andy Lutomirski
2013-02-07  3:11 ` Andy Lutomirski
2013-02-07 11:33 ` Joerg Roedel
2013-02-07 16:29   ` Andy Lutomirski
2013-02-07 17:27     ` Joerg Roedel
2013-02-07 17:53       ` Andy Lutomirski
2013-02-07 20:51         ` Joerg Roedel [this message]
2013-02-07 21:02       ` David Woodhouse
2013-02-07 21:21         ` Joerg Roedel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130207205152.GA2849@8bytes.org \
    --to=joro@8bytes.org \
    --cc=alex.williamson@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=dzickus@redhat.com \
    --cc=gleb@redhat.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=prarit@redhat.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).