projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 31b4f4a) | patch
passthrough: quarantine PCI devices
authorPaul Durrant <paul@xen.org>
Fri, 18 Oct 2019 16:41:44 +0000 (17:41 +0100)
committerJan Beulich <jbeulich@suse.com>
Thu, 31 Oct 2019 15:20:05 +0000 (16:20 +0100)
commit319f9a0ba94c7db505cd5dd9cb0b037ab1aa8e12
treef6724d947761ceb8bb022329af11a15ce931c26dtree | snapshot
parent31b4f4ab6634f85163656b470dffc6d974917853commit | diff
passthrough: quarantine PCI devices

When a PCI device is assigned to an untrusted domain, it is possible for
that domain to program the device to DMA to an arbitrary address. The
IOMMU is used to protect the host from malicious DMA by making sure that
the device addresses can only target memory assigned to the guest. However,
when the guest domain is torn down the device is assigned back to dom0,
thus allowing any in-flight DMA to potentially target critical host data.

This patch introduces a 'quarantine' for PCI devices using dom_io. When
the toolstack makes a device assignable (by binding it to pciback), it
will now also assign it to DOMID_IO and the device will only be assigned
back to dom0 when the device is made unassignable again. Whilst device is
assignable it will only ever transfer between dom_io and guest domains.
dom_io is actually only used as a sentinel domain for quarantining purposes;
it is not configured with any IOMMU mappings. Assignment to dom_io simply
means that the device's initiator (requestor) identifier is not present in
the IOMMU's device table and thus any DMA transactions issued will be
terminated with a fault condition.

In addition, a fix to assignment handling is made for VT-d.  Failure
during the assignment step should not lead to a device still being
associated with its prior owner. Hand the device to DomIO temporarily,
until the assignment step has completed successfully.  Remove the PI
hooks from the source domain then earlier as well.

Failure of the recovery reassign_device_ownership() may not go silent:
There e.g. may still be left over RMRR mappings in the domain assignment
to which has failed, and hence we can't allow that domain to continue
executing.

NOTE: This patch also includes one printk() cleanup; the
      "XEN_DOMCTL_assign_device: " tag is dropped in iommu_do_pci_domctl(),
      since similar printk()-s elsewhere also don't log such a tag.

This is XSA-302.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
tools/libxl/libxl_pci.c diff | blob | history
xen/common/domain.c diff | blob | history
xen/common/domctl.c diff | blob | history
xen/drivers/passthrough/amd/pci_amd_iommu.c diff | blob | history
xen/drivers/passthrough/device_tree.c diff | blob | history
xen/drivers/passthrough/iommu.c diff | blob | history
xen/drivers/passthrough/pci.c diff | blob | history
xen/drivers/passthrough/vtd/iommu.c diff | blob | history
xen/include/xen/pci.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.