IGD passthrough security (was Re: feature suggestion: DMAR table emulation for Xen)

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Ian Pratt <Ian.Pratt@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
	"Kay, Allen M" <allen.m.kay@intel.com>,
	"Cihula, Joseph" <joseph.cihula@intel.com>,
	"Han, Weidong" <weidong.han@intel.com>,
	Keir Fraser <Keir.Fraser@eu.citrix.com>
Subject: IGD passthrough security (was Re: feature suggestion: DMAR table emulation for Xen)
Date: Sat, 15 May 2010 19:12:08 +0200	[thread overview]
Message-ID: <4BEED5E8.2000707@invisiblethingslab.com> (raw)
In-Reply-To: <4FA716B1526C7C4DB0375C6DADBC4EA37ACEAA6123@LONPMAILBOX01.citrite.net>


[-- Attachment #1.1: Type: text/plain, Size: 1718 bytes --]

On 05/15/2010 06:54 PM, Ian Pratt wrote:
>> Well, we don't do graphics passthrough in Qubes, mostly for two reasons:
>>
>> 1) We believe users prefer seamless integration of all apps onto one
>> desktop (and that requires only one domain, e.g. Dom0, to have access to
>> the graphics card),
> 
> Not necessarily. If dom0 retains control of the display side of the
> GPU you can use video overlays to merge in windows from a couple of
> other domains. [Though ideally the GPU would use different PCI
> requestor IDs for displaying the framebuffer or fetching overlay data
> vs rendering]
> 
>> 2) Giving a potentially untrusted domain full access to the graphics
>> device creates a potential security risk. In fact, you cannot make such an
>> architecture secure without using TXT (yes, TXT in addition to VT-d).
> 

> I agree you can't give an untrusted domain full access, but there's
> an interesting design point where you emulate some parts of the GPU
> (e.g. anything controlling what is displayed) and pass-through
> others. GPU designs that enable you to do this without babysitting
> the command rings are obviously preferable...
> 

I've been actually more concerned about the *rich* interface to the GPU
that you still must expose to DomU. While semantically it might not be
insecure (from what you wrote it might be perhaps possible to prevent
DomU from reading the screen buffer, etc), I bet it will contain
exploitable implementation flaws. And DomU would be able to exploit
them, similarly like one can exploit many modern NIC cards today (see [1]).

Cheers,
joanna.

[1]
http://theinvisiblethings.blogspot.com/2010/04/remotely-attacking-network-cards-or-why.html


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 226 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

next prev parent reply	other threads:[~2010-05-15 17:12 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-05-13 14:14 feature suggestion: DMAR table emulation for Xen Joanna Rutkowska
2010-05-14  5:41 ` Kay, Allen M
2010-05-14  9:22   ` Joanna Rutkowska
2010-05-14  9:35     ` Keir Fraser
2010-05-14 10:15       ` Joanna Rutkowska
2010-05-14 10:48         ` Keir Fraser
2010-05-14 10:58           ` Joanna Rutkowska
2010-05-14 11:29             ` Keir Fraser
2010-05-14 11:47               ` philosophically about IGD pass-through (was: feature suggestion: DMAR table emulation for Xen) Joanna Rutkowska
2010-05-14 11:58                 ` James Harper
2010-05-14 12:30                 ` Keir Fraser
2010-05-14 15:57                 ` Dan Magenheimer
2010-05-14 16:43                   ` philosophically about IGD pass-through Joanna Rutkowska
2010-05-14 17:54                 ` philosophically about IGD pass-through (was: feature suggestion: DMAR table emulation for Xen) Kay, Allen M
2010-05-15 16:54             ` feature suggestion: DMAR table emulation for Xen Ian Pratt
2010-05-15 17:12               ` Joanna Rutkowska [this message]
2010-05-14  9:41     ` Barde Kaushik 00901718
2010-05-14 10:16       ` Joanna Rutkowska
2010-05-14 14:25         ` Barde Kaushik 00901718

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4BEED5E8.2000707@invisiblethingslab.com \
    --to=joanna@invisiblethingslab.com \
    --cc=Ian.Pratt@eu.citrix.com \
    --cc=Keir.Fraser@eu.citrix.com \
    --cc=allen.m.kay@intel.com \
    --cc=joseph.cihula@intel.com \
    --cc=weidong.han@intel.com \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).