From: Weidong Han <weidong.han@intel.com>
To: Sander Eikelenboom <linux@eikelenboom.it>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
"Kay, Allen M" <allen.m.kay@intel.com>,
"Cihula, Joseph" <joseph.cihula@intel.com>,
Noboru Iwamatsu <n_iwamatsu@jp.fujitsu.com>,
"keir.fraser@eu.citrix.com" <keir.fraser@eu.citrix.com>
Subject: Re: [PATCH] VT-d: improve RMRR validity checking
Date: Mon, 25 Jan 2010 17:11:10 +0800 [thread overview]
Message-ID: <4B5D602E.2020904@intel.com> (raw)
In-Reply-To: <1721112626.20100125100200@eikelenboom.it>
Sander Eikelenboom wrote:
> Hello Weidong,
>
> Is it possible to enable/disable DRHD's and RMRR's after boot ?
>
> For example if one would hotplug a pci device, that wasn't existent on boot ..
> What would happen considering security ?
> Is it possible to enable DRHD for that device although it was non existent at boot ?
>
There is a "INCLUDE_ALL" DRHD, any hot added devices after boot will be
handled by this DRHD. So it is no problem in hotplug case.
Regards,
Weidong
> --
> Sander
>
>
>
> Monday, January 25, 2010, 8:56:24 AM, you wrote:
>
>
>> Noboru Iwamatsu wrote:
>>
>>> Weidong,
>>>
>>> I read the patch and the following thread.
>>>
>>> I understood what you mean, but I think it's better to
>>> limit the scope of "force_iommu".
>>> And I believe RMRR should be checked as same as DRHD.
>>>
>>> What I thought about DRHD is:
>>> If all devices under the scope of the DRHD are non-existent,
>>> this DRHD is invalid but safely ignorable, so ignore it.
>>>
>>>
>> No, we cannot ignore it if iommu=force. The invisible device may be
>> disabled, not really non-existent. it is possibly that it is re-enabled
>> by malfunctional s/w. So when iommu=force, we should not ignore any
>> DRHD. We ignores it just to workaround the BIOS issue you encountered.
>>
>>> If some devices under the scope of the DRHD are non-existent,
>>> this DRHD is invalid, so disable VT-d unless "iommu=force"
>>> option is specified.
>>> When "iommu=force" option is specified, even the invalid DRHD
>>> will be registered, because DRHD that has some existent devices
>>> must not be ignored due to security reasons.
>>>
>>> About the RMRR:
>>> If all devices under the scope of the RMRR are non-existent,
>>> this RMMR is invalid but ignorable, so ignore it.
>>> If some devices under the scope of the RMRR are non-existent,
>>> this RMRR is invalid, so disable VT-d unless "iommu=force"
>>>
>>>
>> RMRR is much different from DRHD, it's just reversed memories for
>> specific devices (now only Intel IGD and USB contollers need RMRR), it's
>> no security issue like described above.
>> if "all" devices under the scope of the RMRR are non-existent, we
>> can ignore the RMRR because no devices will use it.
>> if some" devices under the scope of the RMRR are non-existent, we
>> cannot ignore the RMRR, because there are still some devices want to use
>> it. I think we needn't to disable VT-d because it won't cause any
>> issues. Of course, we also can disable VT-d for this case strictly.
>>
>>> option is specified. When "iommu=force" option is specified,
>>> the invalid RMRR is ignored (it's safe).
>>>
>>>
>>> I attach the patch.
>>>
>>> What do you think?
>>>
>>>
>
>
>> Noboru,
>>
>
>
>> I think it need not to change current code. BTW, your patch is not based
>> on latest Xen.
>>
>
>
>> Regards,
>> Weidong
>>
>
>
>
>>> Regards,
>>> Noboru.
>>>
>>>
>>>
>>>> I implemented a patch and attached.
>>>>
>>>> patch description:
>>>> In order to make Xen more defensive to VT-d related BIOS issue, this
>>>> patch ignores a DRHD if all devices under its scope are not pci
>>>> discoverable, and regards a DRHD as invalid and then disable whole VT-d
>>>> if some devices under its scope are not pci discoverable. But if
>>>> iommu=force is set, it will enable all DRHDs reported by BIOS, to avoid
>>>> any security vulnerability with malicious s/s re-enabling "supposed
>>>> disabled" devices. Pls note that we don't know the devices under the
>>>> "Include_all" DRHD are existent or not, because the scope of
>>>> "Include_all" DRHD won't enumerate common pci device, it only enumerates
>>>> I/OxAPIC and HPET devices.
>>>>
>>>> Signed-off-by: Noboru Iwamatsu <n_iwamatsu@jp.fujitsu.com>
>>>> Signed-off-by: Weidong Han <weidong.han@intel.com>
>>>>
>>>>
>>>> Noboru, pls test the patch on your machine?
>>>>
>>>> Joe, could you review the patch? and pls ACK it if it's fine for you.
>>>>
>>>> Regards,
>>>> Weidong
>>>>
>>>> Noboru Iwamatsu wrote:
>>>>
>>>>
>>>>> Thanks,
>>>>>
>>>>> I understood.
>>>>>
>>>>>
>>>>>
>>>>>> Noboru Iwamatsu wrote:
>>>>>>
>>>>>>
>>>>>>> Hi Weidong,
>>>>>>>
>>>>>>> I'm not sure why the security problem is caused by ignoring
>>>>>>> the DRHD that has only non-existent devices.
>>>>>>>
>>>>>>> Could you explain details or where to read the spec?
>>>>>>>
>>>>>>>
>>>>>> It's requested from security experts. The device that is not pci
>>>>>> discoverable may be re-enabled by malicious software. If its DRHD is not
>>>>>> enabled, the re-enabled device is not protected by VT-d. It will cause
>>>>>> security issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> As you saying, security is the top-priority.
>>>>>>> However, when iommu=force is specified, we should enable vt-d
>>>>>>> if there are some potential issues.
>>>>>>> Because users want to "force" anyway.
>>>>>>>
>>>>>>>
>>>>>> iommu=force was introduced to enable VT-d anyway for security purpose. I
>>>>>> plan to still enable those DRHDs that includes non-existed device when
>>>>>> iommu=force, otherwise ignore them.
>>>>>>
>>>>>> Regards,
>>>>>> Weidong
>>>>>>
>>>>>>
>>>>>>> Regards,
>>>>>>> Noboru.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Keir Fraser wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> If we want to keep iommu=1 as default, then it is unacceptable to
>>>>>>>>> fail to
>>>>>>>>> boot on a fairly wide range of modern systems. We have to
>>>>>>>>> warn-and-disable,
>>>>>>>>> partially or completely, unless iommu=force is specified. Or we
>>>>>>>>> need to
>>>>>>>>> revert to iommu=0 as the default.
>>>>>>>>>
>>>>>>>>> What do you think, Weidong?
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Yes. I agree to warn-and-disable for these BIOS issues, and consider
>>>>>>>> security more when iommu=force. Therefore I will implement a patch
>>>>>>>> based
>>>>>>>> on Nororu's patch.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Weidong
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> -- Keir
>>>>>>>>>
>>>>>>>>> On 21/01/2010 14:17, "Sander Eikelenboom" <linux@eikelenboom.it>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello Weidong,
>>>>>>>>>>
>>>>>>>>>> The problem is most vendor's just don't fix it and ignore the
>>>>>>>>>> problem
>>>>>>>>>> completely.
>>>>>>>>>> Most often hiding them selves behind: come back when it's a problem
>>>>>>>>>> with
>>>>>>>>>> Microsoft Windows, that the only single thing we support (and no
>>>>>>>>>> other
>>>>>>>>>> software, so no vmware, no xen, no linux, perhaps even no
>>>>>>>>>> hypervisor)
>>>>>>>>>> Well I don't know if the virtual pc in windows 7 supports an iommu
>>>>>>>>>> now, but it
>>>>>>>>>> didn't in the past as far as i know, so any complain bounces off,
>>>>>>>>>> and
>>>>>>>>>> there it
>>>>>>>>>> all seems to end for them.
>>>>>>>>>>
>>>>>>>>>> Besides that i don't know if they do know what the problems with
>>>>>>>>>> there
>>>>>>>>>> implementation in BIOS is when someone reports it.
>>>>>>>>>> I think some behind the scenes pressure from Intel to vendors might
>>>>>>>>>> help to
>>>>>>>>>> solve some of them.
>>>>>>>>>> (my Q35 chipset, "Intel V-PRO" marketed motherboard (so much for
>>>>>>>>>> that) also
>>>>>>>>>> suffers RMRR problem when another graphics card is inserted which
>>>>>>>>>> switches off
>>>>>>>>>> the IGD).
>>>>>>>>>>
>>>>>>>>>> Although i think in my case your patch will work around that for me.
>>>>>>>>>> Perhaps a
>>>>>>>>>> third option is needed, which does all the workarounds possible and
>>>>>>>>>> warns
>>>>>>>>>> about potential security problem when requested ?
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Sander
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thursday, January 21, 2010, 1:46:39 PM, you wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Noboru Iwamatsu wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Hi Weidong,
>>>>>>>>>>>>
>>>>>>>>>>>> I re-send the DRHD-fix patch.
>>>>>>>>>>>>
>>>>>>>>>>>> If DRHD does not have existent devices, ignore it.
>>>>>>>>>>>> If DRHD has both existent and non-existent devices, consider it
>>>>>>>>>>>> invalid
>>>>>>>>>>>> and not register.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Although you patch workarounds your buggy BIOS, but we still
>>>>>>>>>>> need to
>>>>>>>>>>> enable it for security purpose as I mentioned in previous mail. We
>>>>>>>>>>> needn't workaround / fix all BIOS issues in software. I think
>>>>>>>>>>> security
>>>>>>>>>>> is more important for this specific BIOS issue. Did you report the
>>>>>>>>>>> BIOS
>>>>>>>>>>> issue to your OEM vendor? maybe it's better to get it fixed in
>>>>>>>>>>> BIOS.
>>>>>>>>>>> Regards,
>>>>>>>>>>> Weidong
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> According to this patch and yours, my machine successfully booted
>>>>>>>>>>>> with vt-d enabled.
>>>>>>>>>>>>
>>>>>>>>>>>> Signed-off-by: Noboru Iwamatsu <n_iwamatsu@jp.fujitsu.com>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Keir Fraser wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 21/01/2010 10:19, "Weidong Han" <weidong.han@intel.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry this is typo.
>>>>>>>>>>>>>>>> I mean:
>>>>>>>>>>>>>>>> So, I think RMRR that has no-existent device is "invalid"
>>>>>>>>>>>>>>>> and whole RMRR should be ignored.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> looks reasonable.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Keir, I Acks Noboru's rmrr patch. Or do you want us to merge
>>>>>>>>>>>>>>> them to one
>>>>>>>>>>>>>>> patch?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Merge them up, re-send with both sign-off and acked-by all in
>>>>>>>>>>>>>> one
>>>>>>>>>>>>>> email.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Keir
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry, I disagree with Noboru after thinking it again. If the
>>>>>>>>>>>>> RMRR
>>>>>>>>>>>>> has
>>>>>>>>>>>>> both no-existent device and also has existent devices in its
>>>>>>>>>>>>> scope, we
>>>>>>>>>>>>> should not ignore it because the existent devices under its scope
>>>>>>>>>>>>> will
>>>>>>>>>>>>> be impacted without the RMRR. so I suggest to print a warning
>>>>>>>>>>>>> instead of
>>>>>>>>>>>>> ignore it. Attached a patch for it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Signed-off-by: Weidong Han <weidong.han@intel.com>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>
>>>>>
>>>
>>>
>
>
>
>
>
next prev parent reply other threads:[~2010-01-25 9:11 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-21 2:46 [PATCH] VT-d: improve RMRR validity checking Han, Weidong
2010-01-21 8:25 ` Noboru Iwamatsu
2010-01-21 8:38 ` Han, Weidong
2010-01-21 10:03 ` Noboru Iwamatsu
2010-01-21 10:08 ` Noboru Iwamatsu
2010-01-21 10:19 ` Weidong Han
2010-01-21 10:27 ` Keir Fraser
2010-01-21 10:49 ` Weidong Han
2010-01-21 12:19 ` Noboru Iwamatsu
2010-01-21 12:46 ` Weidong Han
2010-01-21 14:01 ` Keir Fraser
2010-01-21 14:17 ` Sander Eikelenboom
2010-01-21 14:33 ` Keir Fraser
2010-01-22 2:12 ` Weidong Han
2010-01-22 2:38 ` Noboru Iwamatsu
2010-01-22 2:53 ` Weidong Han
2010-01-22 3:16 ` Noboru Iwamatsu
2010-01-22 8:47 ` Weidong Han
2010-01-22 9:19 ` Sander Eikelenboom
2010-01-22 12:15 ` Weidong Han
2010-01-22 12:32 ` Pasi Kärkkäinen
2010-01-23 12:40 ` Weidong Han
2010-01-23 13:08 ` Pasi Kärkkäinen
2010-01-23 14:33 ` Sander Eikelenboom
2010-01-23 14:54 ` [PATCH] VT-d: improve RMRR validity checking, documenting boot options Pasi Kärkkäinen
2010-01-25 16:40 ` Stephen Spector
2010-01-25 16:58 ` Documentation Xen-hypervisor and Dom0 xen-related boot options (was Re: [PATCH] VT-d: improve RMRR validity checking, documenting boot options) Sander Eikelenboom
2010-01-25 20:56 ` Stephen Spector
2010-01-27 11:33 ` Pasi Kärkkäinen
2010-01-25 7:06 ` [PATCH] VT-d: improve RMRR validity checking Noboru Iwamatsu
2010-01-25 7:56 ` Weidong Han
2010-01-25 9:02 ` Sander Eikelenboom
2010-01-25 9:11 ` Weidong Han [this message]
2010-01-25 9:22 ` Noboru Iwamatsu
2010-01-25 10:08 ` Weidong Han
2010-01-25 10:45 ` Sander Eikelenboom
2010-01-25 13:43 ` Keir Fraser
2010-01-25 13:57 ` Christian Tramnitz
2010-01-25 14:10 ` Weidong Han
2010-01-26 1:16 ` Noboru Iwamatsu
2010-01-26 5:51 ` Weidong Han
2010-01-26 6:38 ` Noboru Iwamatsu
2010-01-26 6:42 ` Weidong Han
2010-01-25 14:12 ` Weidong Han
2010-01-25 14:13 ` Han, Weidong
2010-03-09 21:39 ` Alex Williamson
2010-03-09 21:30 ` Konrad Rzeszutek Wilk
2010-03-09 21:57 ` Alex Williamson
2010-03-09 22:22 ` Konrad Rzeszutek Wilk
2010-03-09 23:05 ` Alex Williamson
2010-03-09 23:25 ` Alex Williamson
2010-03-10 2:13 ` Alex Williamson
2010-03-10 2:40 ` Weidong Han
2010-03-10 3:18 ` Alex Williamson
2010-03-10 3:28 ` Weidong Han
2010-03-10 3:37 ` Alex Williamson
2010-03-10 4:25 ` Weidong Han
2010-03-10 4:47 ` Alex Williamson
2010-03-10 7:03 ` Weidong Han
2010-03-10 13:56 ` Alex Williamson
2010-03-10 18:06 ` Alex Williamson
2010-03-11 2:11 ` Weidong Han
2010-03-11 2:32 ` Alex Williamson
2010-03-11 3:44 ` Weidong Han
2010-03-11 4:52 ` Alex Williamson
2010-03-11 8:30 ` Weidong Han
2010-01-21 15:28 ` Andrew Lyon
2010-01-21 15:04 ` Keir Fraser
2010-01-22 1:35 ` Noboru Iwamatsu
2010-01-21 10:13 ` Weidong Han
2010-01-21 12:09 ` Noboru Iwamatsu
2010-01-21 12:38 ` Weidong Han
2010-01-22 0:23 ` Noboru Iwamatsu
2010-01-21 8:45 ` Andrew Lyon
2010-01-21 10:03 ` Weidong Han
2010-01-21 9:15 ` Keir Fraser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B5D602E.2020904@intel.com \
--to=weidong.han@intel.com \
--cc=allen.m.kay@intel.com \
--cc=joseph.cihula@intel.com \
--cc=keir.fraser@eu.citrix.com \
--cc=linux@eikelenboom.it \
--cc=n_iwamatsu@jp.fujitsu.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).