On 30.11.2020 09:05, Tian, Kevin wrote:
>> From: Jan Beulich <jbeul...@suse.com>
>> Sent: Monday, November 30, 2020 3:35 PM
>>
>> On 30.11.2020 07:13, Tian, Kevin wrote:
>>>> From: Jan Beulich <jbeul...@suse.com>
>>>> Sent: Saturday, November 28, 2020 12:46 AM
>>>>
>>>> @@ -1316,11 +1316,32 @@ boolean (e.g. `iommu=no`) can override t
>>>>      will prevent Xen from booting if IOMMUs aren't discovered and
>> enabled
>>>>      successfully.
>>>>
>>>> -*   The `quarantine` boolean can be used to control Xen's behavior when
>>>> -    de-assigning devices from guests.  If enabled (the default), Xen 
>>>> always
>>>> +*   The `quarantine` option can be used to control Xen's behavior when
>>>> +    de-assigning devices from guests.
>>>> +
>>>> +    When a PCI device is assigned to an untrusted domain, it is possible
>>>> +    for that domain to program the device to DMA to an arbitrary address.
>>>> +    The IOMMU is used to protect the host from malicious DMA by making
>>>> +    sure that the device addresses can only target memory assigned to the
>>>> +    guest.  However, when the guest domain is torn down, assigning the
>>>> +    device back to the hardware domain would allow any in-flight DMA to
>>>> +    potentially target critical host data.  To avoid this, quarantining
>>>> +    should be enabled.  Quarantining can be done in two ways: In its basic
>>>> +    form, all in-flight DMA will simply be forced to encounter IOMMU
>>>> +    faults.  Since there are systems where doing so can cause host lockup,
>>>> +    an alternative form is available where writes to memory will be made
>>>> +    fault, but reads will be directed to a dummy page.  The implication
>>>> +    here is that such reads will go unnoticed, i.e. an admin may not
>>>> +    become aware of the underlying problem.
>>>> +
>>>> +    Therefore, if this option is set to true (the default), Xen always
>>>>      quarantines such devices; they must be explicitly assigned back to
>> Dom0
>>>> -    before they can be used there again.  If disabled, Xen will only
>>>> -    quarantine devices the toolstack hass arranged for getting 
>>>> quarantined.
>>>> +    before they can be used there again.  If set to "scratch-page", still
>>>> +    active DMA reads will additionally be directed to a "scratch" page.  
>>>> If
>>>> +    set to false, Xen will only quarantine devices the toolstack has
>> arranged
>>>> +    for getting quarantined.
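Review bot: In the added sentence 'If set to "scratch-page", still active DMA reads will additionally be directed to a "scratch" page', the word "additionally" leaves the reader to infer that writes keep faulting as in the basic form. Consider saying so explicitly, for example that writes still fault while reads are directed to the scratch page. In the paragraph above it, "writes to memory will be made fault" looks like it is missing a "to" ("made to fault"). The new value is also written in double quotes, while the surrounding text uses backticks for literals (`iommu=no`, `quarantine`). Writing it as `scratch-page` would be consistent and would make clear that it is the exact string to pass.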
>>>
>>> Here let's be clear about the quarantine policy when the quarantine
>>> devices are arranged by toolstack. Based on this patch it is the 'basic'
>>> form i.e. always getting IOMMU faults for such devices.
>>
>> Well, the policy is always as chosen via command line. Therefore do
>> you perhaps merely mean the default mode to be spelled out? This is
>> already the case at the beginning of the 2nd paragraph.
> 
> When I read above paragraphs, it's clear about the enabled case where
> two quarantine forms are available (basic vs. scratch-page) and how to
> choose them, but it's not crystal clear about the disabled case which 
> form is assumed for toolstack-managed devices, from a user p.o.v.

Oh, now I think I got what you mean. I've added '..., and only in the
"basic" form' to that last sentence.

Jan
