Re: [PATCH 2 of 2] xl, libxl: Add per-device and global permissive config options for pci passthrough

[George Dunlap <george.dunlap@eu.citrix.com>]

On 02/04/12 16:51, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] [PATCH 2 of 2] xl, libxl: Add per-device and global permissive config options for pci passthrough"):
>> I'm not sure how we can make it more definite.  What's possible (i.e.,
>> the security implications) entirely depends on the card; and what's
>> likely (i.e., the stability implications) entirely depends on the card
>> and the driver.  Short of giving a short discourse on the vices of
>> various cards PCI config space (which is entirely inappropriate for a
>> man page, IMHO), I'm not sure what more we can say.
> Is it generally or usually the case that this option will more
> completely expose the host ?
So, worst-case, the guest driver can make the card do anything a card 
can actually do.  Most of the things a card can do can be mitigated by 
the IOMMU.  But there may be some things which are not; and there are 
some people still running older hardware that either doesn't have an 
IOMMU, or whose IOMMU cannot handle important cases (e.g., Intel boxes 
with VTD but no interrupt remapping, if you recall the security issue 
related to this last year).

One of the examples Stefano gave of config stuff that can cause problems 
is the power management features: if the guest driver powers down the 
card, then when libxl tries to reset the card, it generates a PCI error 
interrupt.  This used to crash Xen. (It's now been fixed.)

But on the other hand, how many cards even have these kinds of dangerous 
capabilities in their PCI registers?  Most of them are probably just 
fine.  And in the case of driver domains, most people will be running 
trusted software anyway; the driver will be the same in the domU as the 
dom0.

Still, can't very well just turn things on by default and hope for the 
best; people need to know that they're doing something potentially 
dangerous.  But we can't really tell people how dangerous this thing 
might be, because we don't actually know how many cards might actually 
be dangerous, and we don't know what kind of software they're allowing 
access to the card.  And again, we can't just not give the option, 
because many cards need it to run, and most of the time it's just fine.

This is probably worth doing some more investigation and writing up in a 
doc and/or a wiki page somewhere; but I'm not sure we can do more in a 
man page than give a necessarily unspecific warning.

  -George
>> I thought it was unnecessary to duplicate, but I can do so if you prefer.
> I guess that depends on how strong a statement it is.
>
>>> I think you should consider breakibg out the sysfs writing function
>>> and refactoring with the very similar code in libxl__device_pci_reset,
>>> rather than introducing yet another clone.
>> I shall consider it. :-)
> Thanks :-).
>
> Ian.