On Tue, 2017-08-15 at 09:47 +0800, Jike Song wrote: > On 08/15/2017 09:33 AM, Benjamin Herrenschmidt wrote: > > On Tue, 2017-08-15 at 09:16 +0800, Jike Song wrote: > > > > Taking a step back, though, why does vfio-pci perform this check in the > > > > first place? If a malicious guest already has control of a device, any > > > > kind of interrupt spoofing it could do by fiddling with the MSI-X > > > > message address/data it could simply do with a DMA write anyway, so the > > > > security argument doesn't stand up in general (sure, not all PCIe > > > > devices may be capable of arbitrary DMA, but that seems like more of a > > > > tenuous security-by-obscurity angle to me). > > > > I tried to make that point for years, thanks for re-iterating it :-) > > > > > Hi Robin, > > > > > > DMA writes will be translated (thereby censored) by DMA Remapping hardware, > > > while MSI/MSI-X will not. Is this different for non-x86? > > > > There is no way your DMA remapping HW can differenciate. The only > > difference between a DMA write and an MSI is ... the address. So if I > > can make my device DMA to the MSI address range, I've defeated your > > security. > > I don't think with IRQ remapping enabled, you can make your device DMA to > MSI address, without being treated as an IRQ and remapped. If so, the IRQ > remapping hardware is simply broken :) You are mixing things here. Robin's point is that there is no security provided by the obfuscating of the MSI-X table by qemu because whatever qemu does to "filter" the MSI-X targer addresses can be worked around by making the device DMA wherever you want. None of what you say invalidates that basic fact. Now, as far as your remapping HW goes, either it filters interrupts or it doesn't. If it does then yes, it can't be spoofed, and thus you don't need the filtering of the table in qemu. If it doesn't, then the guest can spoof any interrupt using DMAs and whatever qemu does to filter the table is not going to fix it. Thus the point remains that the only value in qemu filtering the table is to enable already insecure use cases to work, without actually making them any more secure. Ben.
