[Security] Provide distinction between IOMMU versions/capabilities on compatibility page


Tai...@gmx.com

Oct 26, 2016, 6:03:54 AM
to qubes...@googlegroups.com
Currently there is a simple "VT-d" yes/no column that doesn't
differentiate between systems that feature interrupt remapping and those
that don't (insecure), like the first-gen Intel Core processors (old, yes,
but still in use by many).

There is also no check or distinction for systems that fail to properly
implement the IOMMU, for instance those that lack PCIe ACS.

Zrubi

Oct 26, 2016, 6:32:24 AM
to Tai...@gmx.com, qubes...@googlegroups.com
Can you provide any details how to identify those things you mentioned?


--
Zrubi


Tai...@gmx.com

Oct 26, 2016, 7:19:14 AM
to ma...@zrubi.hu, qubes...@googlegroups.com
For the first, it is a simple check of "xl dmesg": on x86 platforms,
grep for either "AMD-Vi" or "Intel VT-d" to see all the IOMMU capabilities
that Xen detects.

For ACS I do not know how, but it is possible.
Here is more information on ACS in relation to VFIO; Xen doesn't use
groups, but it is informative.
https://vfio.blogspot.com/2014/08/iommu-groups-inside-and-out.html

Radoslaw Szkodzinski

Nov 8, 2016, 12:29:19 PM
to Tai...@gmx.com, qubes...@googlegroups.com, Zrubi

To detect ACS, check if there are IOMMU groups in sysfs (more than one), in /sys/bus/iommu_groups for KVM. Xen should expose it too, but I haven't tested that in a while.

Generally Xen should refuse to redirect devices that do not share an IOMMU group to different VMs in forced IOMMU mode. KVM definitely does, unless you override the check with a kernel boot parameter.

R.
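The two checks proposed in this thread (grep "xl dmesg" for the interrupt-remapping capability line; count and compare IOMMU groups in sysfs) as one scriptable example. This is an added example, not code from the thread or from the Qubes or Xen projects. It assumes the wording of the Xen boot-log lines ("Intel VT-d Interrupt Remapping enabled" / "not enabled"), modelled on Xen's VT-d and AMD-Vi messages, and it reads groups from /sys/kernel/iommu_groups, the directory in which the Linux kernel exposes them (dom0 or a KVM host). The function names and the sample log excerpts and sysfs-like tree are constructed for the example.

```shell
#!/bin/sh
# Added example: scriptable versions of the two checks discussed in the thread.
# Log-line wording is an assumption modelled on Xen's VT-d / AMD-Vi messages;
# /sys/kernel/iommu_groups is where Linux exposes IOMMU groups.

# Sample `xl dmesg` excerpts, constructed for this example.
SAMPLE_NEHALEM='(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping not enabled.'
SAMPLE_MODERN='(XEN) Intel VT-d Snoop Control enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled'
SAMPLE_NO_IOMMU='(XEN) I/O virtualisation disabled'

# Check 1: interrupt remapping. Reads the Xen log on stdin and prints
# enabled / disabled / no-iommu / unknown. "disabled" with an IOMMU present
# is the first-gen-Core case the thread calls insecure.
intremap_status() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -qiE 'Intel VT-d|AMD-Vi'; then
        echo no-iommu
    elif printf '%s\n' "$log" | grep -qiE 'Interrupt Remapping (not enabled|disabled)'; then
        echo disabled          # "not enabled" must be tested before "enabled"
    elif printf '%s\n' "$log" | grep -qiE 'Interrupt Remapping enabled'; then
        echo enabled
    else
        echo unknown
    fi
}

# Check 2: IOMMU groups. $1 is the group directory (default: Linux sysfs path).
iommu_group_count() {
    dir=${1:-/sys/kernel/iommu_groups}
    n=0
    for g in "$dir"/*/; do
        if [ -d "$g" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print the group number holding PCI device $2 (e.g. 0000:01:00.0) under $1;
# status 1 if the device is in no group.
iommu_group_of() {
    for g in "$1"/*/; do
        if [ -e "$g/devices/$2" ]; then
            basename "$g"
            return 0
        fi
    done
    return 1
}

# Status 0 when two devices sit in different groups (the platform isolates
# them, so they may go to different VMs); 1 when they share a group;
# 2 when either device is not found.
devices_isolated() {
    ga=$(iommu_group_of "$1" "$2") || return 2
    gb=$(iommu_group_of "$1" "$3") || return 2
    [ "$ga" != "$gb" ]
}

# Constructed sysfs-like tree: three groups; 01:00.0 and 01:00.1 (two
# functions behind a bridge without ACS) land in the same group.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/0/devices/0000:00:02.0" \
             "$root/1/devices/0000:01:00.0" "$root/1/devices/0000:01:00.1" \
             "$root/2/devices/0000:03:00.0"
    echo "$root"
}

demo() {
    printf 'nehalem: %s\n' "$(printf '%s\n' "$SAMPLE_NEHALEM" | intremap_status)"
    printf 'modern:  %s\n' "$(printf '%s\n' "$SAMPLE_MODERN" | intremap_status)"
    root=$(build_sample_tree)
    printf 'groups:  %s\n' "$(iommu_group_count "$root")"
    if devices_isolated "$root" 0000:01:00.0 0000:01:00.1; then
        echo '01:00.0 / 01:00.1: isolated'
    else
        echo '01:00.0 / 01:00.1: same group, do not split across VMs'
    fi
    rm -rf "$root"
}

# Runs against the constructed samples. On a real host:
#   xl dmesg | intremap_status ; iommu_group_count ; devices_isolated "" A B
demo
```

A single group covering every device, or a device count of one, means the platform is not isolating anything, which is what a compatibility page would need to flag separately from plain "VT-d: yes".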
