Currently when assigning device to HVM guest, we use the strict check
for HVM guest by default.(For PV guest we use loose check
automatically if necessary.)
When we assign device to HVM guest, if we meet with the co-assignment
issues or the ACS issue (see changeset 20081:
4a517458406f), we could
try changing the option to 'no' -- however, we have to realize this
may incur security issue and we can't make sure the device assignment
could really work properly even after we do this.
The option is located in /etc/xen/xend-config.sxp:
(pci-passthrough-strict-check yes)
Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>
#(device-create-timeout 100)
#(device-destroy-timeout 100)
+# When assigning device to HVM guest, we use the strict check for HVM guest by
+# default. (For PV guest, we use loose check automatically if necessary.)
+# When we assign device to HVM guest, if we meet with the co-assignment
+# issues or the ACS issue, we could try changing the option to 'no' -- however,
+# we have to realize this may incur security issue and we can't make sure the
+# device assignment could really work properly even after we do this.
+#(pci-passthrough-strict-check yes)
', but it is not owned by pciback or pci-stub.'
raise PciDeviceAssignmentError(err_msg % (pci_dev, self.name))
- def do_FLR(self, is_hvm):
+ def do_FLR(self, is_hvm, strict_check):
""" Perform FLR (Functional Level Reset) for the device.
"""
if self.dev_type == DEV_TYPE_PCIe_ENDPOINT:
if not is_hvm and (len(funcs) > 1):
return
+ if is_hvm and not strict_check:
+ return
self.devs_check_driver(funcs)
if not is_hvm and (len(devs) > 1):
return
+ if is_hvm and not strict_check:
+ return
self.devs_check_driver(devs)
except Exception, e:
raise VmError("pci: failed to locate device and "+
"parse it's resources - "+str(e))
- dev.do_FLR(is_hvm)
+ dev.do_FLR(is_hvm, xoptions.get_pci_dev_assign_strict_check())
class XendDomainInfo:
"""An object represents a domain.
if not self.info.is_hvm():
return
+ if not xoptions.get_pci_dev_assign_strict_check():
+ return
+
# Check if there is intermediate PCIe switch bewteen the device and
# Root Complex.
if pci_device.is_behind_switch_lacking_acs():
"""Default timeout for device destruction."""
device_destroy_timeout_default = 100
+ """By default, we use the strict check for HVM guest. (For PV guest, we
+ use loose check automatically if necessary."""
+ pci_dev_assign_strict_check_default = True
+
def __init__(self):
self.configure()
return self.get_config_int("device-destroy-timeout",
self.device_destroy_timeout_default)
+ def get_pci_dev_assign_strict_check(self):
+ return self.get_config_bool("pci-passthrough-strict-check",
+ self.pci_dev_assign_strict_check_default)
class XendOptionsFile(XendOptions):
import time
from xen.xend import sxp
+from xen.xend import XendOptions
+xoptions = XendOptions.instance()
+
from xen.xend import arch
from xen.xend.XendError import VmError
from xen.xend.XendLogging import log
if len(pci_str_list) != len(set(pci_str_list)):
raise VmError('pci: duplicate devices specified in guest config?')
+ strict_check = xoptions.get_pci_dev_assign_strict_check()
for pci_dev in pci_dev_list:
try:
dev = PciDevice(pci_dev)
# Check if there is intermediate PCIe switch bewteen the device and
# Root Complex.
- if self.vm.info.is_hvm() and dev.is_behind_switch_lacking_acs():
+ if self.vm.info.is_hvm() and dev.is_behind_switch_lacking_acs() \
+ and strict_check:
err_msg = 'pci: to avoid potential security issue, %s is not'+\
' allowed to be assigned to guest since it is behind'+\
' PCIe switch that does not support or enable ACS.'
else:
if not self.vm.info.is_hvm():
continue
+ if not strict_check:
+ continue
funcs = dev.find_all_the_multi_functions()
dev.devs_check_driver(funcs)
else:
if not self.vm.info.is_hvm():
continue
+ if not strict_check:
+ continue
# All devices behind the uppermost PCI/PCI-X bridge must be\
# co-assigned to the same guest.
# Need to do FLR here before deassign device in order to terminate
# DMA transaction, etc
- dev.do_FLR(self.vm.info.is_hvm())
+ dev.do_FLR(self.vm.info.is_hvm(),
+ xoptions.get_pci_dev_assign_strict_check())
bdf = xc.deassign_device(fe_domid, pci_dict_to_xc_str(pci_dev))
pci_str = pci_dict_to_bdf_str(pci_dev)
projects / xen.git / commitdiff