> On Apr 24, 2018, at 05:19, Lars Kurth <lars.ku...@citrix.com> wrote:
>
> Hi all,
> as agreed please find attached the meeting invite
> Regards
> Lars
>
> ## Agenda (provisional)
> I copied what was discussed on this thread so far
> https://docs.google.com/document/d/1RWylmNmBXOrgGLARj6_ynK50P7SZPl4LpnmhGaPglJw/edit?usp=sharing,
> which I will use as pad to write down minutes. Feel free to make agenda
> suggestions and copy relevant information into the doc, prior to the meeting.

I would like to add an agenda item to discuss the level of security support that will be asserted in SUPPORT.md for driver domains which contain untrusted PCI devices. Will Xen security support be different for SR-IOV devices? GPUs vs. NICs?

There have been past discussions on this topic and a proposed PCI-iommu-bugs.txt file to help Xen users and developers understand the risks [2][3][4] that may arise from a hostile device and potentially buggy firmware. If we can document specific risks, we can ask firmware developers to make specific improvements to improve the security of PCI emulation.

There is an active effort [4] underway to improve firmware security in servers (and eventually desktops), including a reduction of attack surface due to SMM. There is also work underway [5][6] to perform secure boot between individual PCI devices and server motherboards. Some of these concepts may already be deployed in Azure. Several stakeholders will be attending or presenting at the PSEC [6] conference.

Rich

[1] Performance Isolation Exposure in Virtualized Platforms with PCI Passthrough I/O Sharing, https://mediatum.ub.tum.de/doc/1187609/972322.pdf
[2] Securing Self-Virtualizing Ethernet Devices, https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-smolyar.pdf
[3] Denial-of-Service Attacks on PCI Passthrough Devices, http://publications.andre-richter.com/richter2015denial.pdf
[4] Open Compute Open System Firmware, http://www.opencompute.org/wiki/Open_System_Firmware
[5] Open Compute Security, http://www.opencompute.org/wiki/Security
[6] Firmware attestation: https://www.platformsecuritysummit.com/prepare/#attestation

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel