> On Jan 8, 2018, at 16:44, Anthony Liguori <anth...@codemonkey.ws> wrote:
>> On Mon, Jan 8, 2018 at 1:01 PM, Rich Persaud <pers...@gmail.com> wrote:
>> On a similarly pragmatic note: would a variation of Anthony's vixen patch
>> series be suitable for pre-PVH Xen 4.6 - 4.9? These versions are currently
>> documented as security-supported (Oct 2018 - July 2020).
>>
>> There are production environments where upgrading to Xen 4.10 in a timeframe
>> of days or weeks is not practical.
>>
>> Will PCI passthrough for PV guests be supported in any of the solutions that
>> are being considered? If not, it would be helpful to document this in the
>> Spectre/Meltdown XSA and/or FAQ, including timeline or complexity estimates
>> for the return of security support for Xen PV driver domains. SUPPORT.md
>> will also need an update.
>
> It's not particularly hard to plumb through I think

An earlier discussion [1] suggested that it was feasible but not easy. This feature is used for device driver (e.g. NIC or USB) domains in OpenXT and Qubes deployments.

> but if you are using PCI passthrough for PV, then you really shouldn't worry
> about Spectre/Meltdown. That PV guest can already read all of physical
> memory (since no IOMMU is used) and they can also write to all
> physical memory which is far worse than what you can do with
> Spectre/Meltdown.

We may be using different terminology? OpenXT and Qubes typically require IOMMU for PV driver domains. XSM can [2] enforce a policy which requires that an IOMMU be present before a driver domain is started.

Rich

[1] https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00475.html
[2] https://www.mail-archive.com/xen-devel@lists.xen.org/msg118728.html
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel