Cui, Dexuan
2009-Sep-07 10:02 UTC
[Xen-devel] [PATCH] xend: passthrough: add an option pci-passthrough-strict-check
Currently when assigning device to HVM guest, we use the strict check for HVM guest by default. (For PV guest we use loose check automatically if necessary.)

When we assign device to HVM guest, if we meet with the co-assignment issues or the ACS issue (see changeset 20081: 4a517458406f), we could try changing the option to 'no' -- however, we have to realize this may incur security issue and we can't make sure the device assignment could really work properly even after we do this.

The option is located in /etc/xen/xend-config.sxp:
(pci-passthrough-strict-check yes)

Thanks,
-- Dexuan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Simon Horman
2009-Sep-07 23:41 UTC
Re: [Xen-devel] [PATCH] xend: passthrough: add an option pci-passthrough-strict-check
On Mon, Sep 07, 2009 at 06:02:02PM +0800, Cui, Dexuan wrote:
> Currently when assigning device to HVM guest, we use the strict check for HVM
> guest by default. (For PV guest we use loose check automatically if necessary.)
>
> When we assign device to HVM guest, if we meet with the co-assignment issues or
> the ACS issue (see changeset 20081: 4a517458406f), we could try changing the
> option to 'no' -- however, we have to realize this may incur security issue and
> we can't make sure the device assignment could really work properly even after
> we do this.
>
> The option is located in /etc/xen/xend-config.sxp:
> (pci-passthrough-strict-check yes)

This sounds like it opens a can of worms to me.
I take it that you have equipment and a set-up in mind that needs this.
Cui, Dexuan
2009-Sep-08 00:23 UTC
RE: [Xen-devel] [PATCH] xend: passthrough: add an option pci-passthrough-strict-check
By default the option is "yes" so we're safe and since the option is in the global xend config file, only an administrator can change it.

In some cases, if an administrator knows clearly what he's doing, he may want to try to use the device assignment feature at the risk of some potential security issues -- usually some of the potential issues are not very likely to occur. So I guess the option should be useful. :-)

Thanks,
-- Dexuan

-----Original Message-----
From: Simon Horman [mailto:horms@verge.net.au]
Sent: September 8, 2009 7:42
To: Cui, Dexuan
Cc: Keir Fraser; xen-devel@lists.xensource.com
Subject: Re: [Xen-devel] [PATCH] xend: passthrough: add an option pci-passthrough-strict-check

On Mon, Sep 07, 2009 at 06:02:02PM +0800, Cui, Dexuan wrote:
> Currently when assigning device to HVM guest, we use the strict check for HVM
> guest by default. (For PV guest we use loose check automatically if necessary.)
>
> When we assign device to HVM guest, if we meet with the co-assignment issues or
> the ACS issue (see changeset 20081: 4a517458406f), we could try changing the
> option to 'no' -- however, we have to realize this may incur security issue and
> we can't make sure the device assignment could really work properly even after
> we do this.
>
> The option is located in /etc/xen/xend-config.sxp:
> (pci-passthrough-strict-check yes)

This sounds like it opens a can of worms to me.
I take it that you have equipment and a set-up in mind that needs this.
Simon Horman
2009-Sep-08 01:58 UTC
Re: [Xen-devel] [PATCH] xend: passthrough: add an option pci-passthrough-strict-check
On Tue, Sep 08, 2009 at 08:23:38AM +0800, Cui, Dexuan wrote:
> By default the option is "yes" so we're safe and since the option is in the global xend config file, only an administrator can change it.
> In some cases, if an administrator knows clearly what he's doing, he may want to try to use the device assignment feature at the risk of some potential security issues -- usually some of the potential issues are not very likely to occur. So I guess the option should be useful. :-)

Ok, that sounds reasonable.

Acked-by: Simon Horman <horms@verge.net.au>
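An added example, not part of the thread or of the xend source: a small audit script that reports whether a host's xend configuration has relaxed the check discussed above. It assumes one `(name value)` entry per line with `#` comments, treats a missing entry as the default "yes" stated in the thread, and flags any value other than "yes"; the function names and sample configs are constructed for illustration.

```python
import re
import sys

OPTION = "pci-passthrough-strict-check"
# Assumption: one top-level "(name value)" entry per line, '#' starts a comment.
ENTRY = re.compile(r"^\s*\(\s*([A-Za-z0-9_-]+)\s+(.*?)\s*\)\s*$")

def audit_strict_check(config_text):
    """Return (line_no, value, verdict) for every active entry of OPTION."""
    entries = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        active = line.split("#", 1)[0]          # drop trailing comment
        match = ENTRY.match(active)
        if match and match.group(1) == OPTION:
            value = match.group(2).strip("'\"")
            verdict = {"yes": "strict", "no": "loose"}.get(value.lower(),
                                                           "unrecognized")
            entries.append((line_no, value, verdict))
    return entries

def host_is_strict(config_text):
    """True only if no active entry departs from 'yes'.

    An absent option counts as strict (the default given in the thread).
    Duplicate entries are all checked, so the result does not depend on
    which occurrence xend would honour.
    """
    return all(v == "strict" for _, _, v in audit_strict_check(config_text))

# Constructed sample configs, not taken from a real host.
SAMPLE_DEFAULT = """\
(xend-unix-server yes)
#(pci-passthrough-strict-check no)
"""
SAMPLE_LOOSE = """\
(xend-unix-server yes)
(pci-passthrough-strict-check no)   # relaxed for one device
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/xen/xend-config.sxp"
    with open(path) as handle:
        text = handle.read()
    for line_no, value, verdict in audit_strict_check(text):
        print("%s:%d: %s = %s (%s)" % (path, line_no, OPTION, value, verdict))
    if not host_is_strict(text):
        print("FINDING: strict PCI passthrough check is not enforced")
        sys.exit(1)
    print("OK: strict PCI passthrough check in effect")
```

Run it against each host's config file from a compliance job; a non-zero exit marks a host where an administrator has relaxed the check and the assigned devices deserve review.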