> From: Chen, Tiejun > Sent: Thursday, September 10, 2015 1:47 PM > > > Need to have separate warning/error level for relax/strict. > > > > However I don't think this patch is a right fix. So far relax/strict policy > > is per-domain. what about one VM specifies relax while another VM > > specifies strict when each is assigned with a device sharing rmrr > > with the other? In that case it becomes a system-wide security hole. > > > > Once we add code to track group relationship cross domains, it'd be > > close to the final fix to support group assignment which originally target > > 4.7. It might be risky to add that in 4.6. > > Yes. > > > > > So my suggestion is to live with current limitation. > > > > But recently someone was encountering this problem. > > http://www.gossamer-threads.com/lists/xen/devel/391684?page=last > > We'd better figure out a simple way to this regression. >
I'm not sure how popular that motherboard is used... To me security is important so having some limitation for this purpose is acceptable. But I'd also like to hear comments from Jan and Wei. If they think regression is more important (anyway we're not causing new security problem, it's there before), I'm OK with this patch (besides you need fix print level) Thanks Kevin _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
