On 2016/6/12 9:55, Steve Novakov wrote:
> Hello Yang,
>
>> allow_unsafe_interrupts actually means the interrupt remapping on Intel
>> IOMMU which is a security feature. Without it, a malicious VM can
>> attack the host, see the document below for more details:
>> http://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
>
> Should I take that to mean that "allow_unsafe_interrupts" is actually a
> security feature??? Is this the discussed "interrupt remapping" in the

Interrupt remapping is not only a security feature, it also supports more
than 255 CPUs associated with x2apic. allow_unsafe_interrupts allows you
to enable IOMMU on the platform even without interrupt remapping because
the first platform supporting IOMMU doesn't have interrupt remapping.

> whitepaper? I am interpreting that paper as saying that this interrupt
> remapping does *not* use the supplied DMAR table. Is that correct?

All the necessary information for IOMMU is located in ACPI tables, not
only the DMAR table. The OS needs to parse it before enabling the IOMMU.

>> Also, you can try to upgrade your BIOS to fix it.
>
> I'll take a look but I think I have the latest (which means, from ~2011
> probably) BIOS version.
>
> Could I also ask you outright what entire set of boot options you would
> pass when booting into a kvm system with IOMMU enabled? I would love
> some "default" set of boot options to compare to, as opposed to random
> ones from assorted forums.

Usually, I am using intel_iommu=on and everything works well. But in
your case, I guess you may also need intremap=off.

> Thank you for the prompt reply!
>
> Steve Novakov
> B.A.Sc Engineering Physics
> PhD Student - Physics
> University of Michigan - Ann Arbor
>
> On 6/11/2016 9:46 PM, Yang Zhang wrote:

--
best regards
yang
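
Added example, not part of the original thread: a shell check that classifies a host's interrupt-remapping posture from the boot options discussed above. The function names, verdict strings and sample inputs are made up for illustration; it assumes the option is the vfio_iommu_type1 module parameter and that the kernel logs "Enabled IRQ remapping" when remapping is active.

```shell
#!/bin/sh
# Added example: classify the interrupt-remapping posture of a VT-d host.
# On a live host the three inputs come from /proc/cmdline,
# /sys/module/vfio_iommu_type1/parameters/allow_unsafe_interrupts and dmesg.

# has_word LIST WORD -> 0 if WORD is one of the space-separated tokens in LIST
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# audit_intremap CMDLINE UNSAFE_PARAM DMESG
# Prints one verdict and returns:
#   0 remapping active          1 IOMMU not requested on the command line
#   2 IOMMU on, no remapping    3 as 2, and unsafe device assignment allowed
# Simplification (assumption): kernels built with the IOMMU on by default
# are not detected; only an explicit intel_iommu=on counts.
audit_intremap() {
    cmdline=$1 unsafe=$2 log=$3
    if ! has_word "$cmdline" "intel_iommu=on"; then
        echo "iommu-not-requested"; return 1
    fi
    remap=yes
    has_word "$cmdline" "intremap=off" && remap=no
    has_word "$cmdline" "nointremap" && remap=no
    # Booting without intremap=off is not enough: firmware may lack support.
    case "$log" in *"Enabled IRQ remapping"*) ;; *) remap=no ;; esac
    if [ "$remap" = yes ]; then
        echo "remapping-active"; return 0
    fi
    if [ "$unsafe" = "Y" ] || [ "$unsafe" = "1" ]; then
        echo "unsafe-assignment-allowed"; return 3
    fi
    echo "remapping-inactive"; return 2
}

# Constructed sample matching the configuration suggested in the thread.
sample_cmdline="ro quiet intel_iommu=on intremap=off"
sample_dmesg="DMAR: IOMMU enabled"
audit_intremap "$sample_cmdline" "Y" "$sample_dmesg" || true
```

A verdict of unsafe-assignment-allowed means devices can be passed to guests without the protection the quoted whitepaper describes, so such a host should only run trusted VMs.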