From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: keir@xen.org, Ian.Campbell@citrix.com, xen-devel@lists.xen.org,
Joby Poriyath <joby.poriyath@citrix.com>,
malcolm.crossley@citrix.com
Subject: Re: [PATCH v2] interrupts: allow guest to set and clear MSI-X mask bit
Date: Mon, 5 Aug 2013 12:01:28 +0100 [thread overview]
Message-ID: <51FF8608.7070905@citrix.com> (raw)
In-Reply-To: <51FF9E3002000078000E9338@nat28.tlf.novell.com>
On 05/08/13 11:44, Jan Beulich wrote:
>>>> On 23.07.13 at 19:59, Joby Poriyath <joby.poriyath@citrix.com> wrote:
>> On Tue, Jul 23, 2013 at 09:28:42AM -0400, Konrad Rzeszutek Wilk wrote:
>>> On Tue, Jul 23, 2013 at 11:54:41AM +0100, Joby Poriyath wrote:
>>>> Ping...
>>>>
>>>> Could you kindly review this?
>>> I believe Malcom reviewed and sent you an email with his response.
>> Andrew and Malcolm has reviewed the code.
>>
>>> Are you waiting for Andrew to look at it as well? Or Jan? Jan is
>>> out on vacation for a couple of weeks.
>> I was hoping that Jan would also review this, since this patch
>> partly reverts his code.
>>
>> This patch makes an assumption that, for a passed through device,
>> xen needs to mask the MSI-X control bit only when it does vcpu
>> migration. Otherwise xen leaves it in the state guest has set it.
> Exactly. And hence the patch is wrong,
Unfortunately it is not.
The whole problem is that the VF can (and does) request that the PF
resets itself (using an out-of-band mailbox system in the hardware
itself), causing the mask bit to change (i.e. get set) without Xen's
knowledge.
At this point, it is only the guest which can rectify the situation and
clear the mask bit.
I would agree that the solution is not perfect, but SRIOV virtual
functions rely on the ability to clear the mask bit, whether or not it
is a security issue. This means that your patch to disable writing to
the mask bit has caused a functional regression in all SRIOV operations
in Xen.
I would say that the less bad alternative is to reintroduce the ability
to change the mask bit, and fix the regression, then work out how to fix
the security aspect.
~Andrew
> re-introducing a security
> issue. If you need to give the guest control over the _virtual_
> mask bit, you need to add proper emulation / masking of the
> delivery of the virtual interrupt (i.e. the physical mask bit should
> always be under the control of Xen, but interrupts should not be
> delivered to the guest when the virtual mask bit is set).
>
> In any event - if the solution was as simple as what you propose,
> I would have implemented it right away rather than leaving the
> code known broken (which in fact was partly based on the
> observation that KVM/QEMU - at least at that time - got away
> without properly emulating the guest attempts to control this bit
> as well).
>
> Jan
>
next prev parent reply other threads:[~2013-08-05 11:01 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-19 15:07 [PATCH v2] interrupts: allow guest to set and clear MSI-X mask bit Joby Poriyath
2013-07-19 15:23 ` Konrad Rzeszutek Wilk
2013-07-19 16:07 ` Joby Poriyath
2013-07-19 16:38 ` Malcolm Crossley
2013-07-23 10:54 ` Joby Poriyath
2013-07-23 13:21 ` Andrew Cooper
2013-07-23 13:28 ` Konrad Rzeszutek Wilk
2013-07-23 17:59 ` Joby Poriyath
2013-08-05 10:44 ` Jan Beulich
2013-08-05 11:01 ` Andrew Cooper [this message]
2013-08-05 11:49 ` Jan Beulich
2013-08-05 16:03 ` Andrew Cooper
2013-08-06 8:29 ` Jan Beulich
2013-08-06 9:52 ` Andrew Cooper
2013-08-06 10:17 ` Jan Beulich
2013-08-06 10:17 ` Pasi Kärkkäinen
2013-08-06 13:11 ` Pasi Kärkkäinen
2013-08-13 17:37 ` Joby Poriyath
2013-08-14 10:11 ` Jan Beulich
2013-08-13 17:08 ` Joby Poriyath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51FF8608.7070905@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=JBeulich@suse.com \
--cc=joby.poriyath@citrix.com \
--cc=keir@xen.org \
--cc=malcolm.crossley@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).