On 08/15/2017 09:33 AM, Benjamin Herrenschmidt wrote: > On Tue, 2017-08-15 at 09:16 +0800, Jike Song wrote: >>> Taking a step back, though, why does vfio-pci perform this check in the >>> first place? If a malicious guest already has control of a device, any >>> kind of interrupt spoofing it could do by fiddling with the MSI-X >>> message address/data it could simply do with a DMA write anyway, so the >>> security argument doesn't stand up in general (sure, not all PCIe >>> devices may be capable of arbitrary DMA, but that seems like more of a >>> tenuous security-by-obscurity angle to me). > > I tried to make that point for years, thanks for re-iterating it :-) > >> Hi Robin, >> >> DMA writes will be translated (thereby censored) by DMA Remapping hardware, >> while MSI/MSI-X will not. Is this different for non-x86? > > There is no way your DMA remapping HW can differenciate. The only > difference between a DMA write and an MSI is ... the address. So if I > can make my device DMA to the MSI address range, I've defeated your > security. I don't think with IRQ remapping enabled, you can make your device DMA to MSI address, without being treated as an IRQ and remapped. If so, the IRQ remapping hardware is simply broken :) -- Thanks, Jike
