Ok,

I have a trusted software to locally configure the ethernet device assignment. I 
will probably add a "pre-cooked way" to share the configuration to the 
hypervisor and allow the MSI configuration from a device only with only one 
granted domain.

Thank you very much for the help

-----Original Message-----
From: Jan Beulich <jbeul...@suse.com> 
Sent: Friday, November 29, 2019 2:32 PM
To: DOZ, MARC (ext) <marc.doz.exter...@atos.net>
Cc: xen-devel@lists.xenproject.org
Subject: Re: [Xen-devel] bug suspcion and proposed modification when 
xen-pciback failed to map an irq (-19) to a domU

On 29.11.2019 13:34,  DOZ, MARC (ext)  wrote:
> 
>> Except that this is not a "fix", but the introduction of a security 
>> vulnerability (permitting interrupt setup on un-owned devices). See XSA-237, 
>> which actually changed it in the opposite direction of what you're proposing.
> 
> Ok, I found it :
> https://xenbits.xen.org/xsa/xsa237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
> 
> "MSI setup should be permitted only for existing devices owned by the 
> respective guest" 
> 
> But how to change the owner of my device or update the 
> pdev->domain->domain_id ?

With the code as is and without an IOMMU there's no pre-cooked way to, I'm 
afraid. You could try granting the guest access to MMIO and IRQ "manually" 
(there are guest config file options for this), but I take it you'll be in 
trouble if (as iirc you've said) the device / driver want to use MSI.

Jan