Subject: Re: some questions
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-xen
Date: 01/05/2006 23:47:55
On Thu, Jan 05, 2006 at 10:54:20PM +0100, Manuel Bouyer wrote:
> 
> Are there x86 hardware with IOMMU ?

Anything with an AGP GART has an IOMMU, after a fashion -- it has an
address mapping engine for DMA.  The AMD Opteron processors extend
the GART so that it's much more useful -- I believe it even has
page permissions.

> Sure. But for this you have to gain direct access to the DMA device,
> so the domU's kernel has to misbehave. Which kernel is running on the
> domU is under the domain0's control, so if enough access controls are
> present in this kernel (and it's bug-free :) it can be trusted.
> For this, the kernel's memory has to be non-writable for any userland process,
> this is why I talked about starting this kernel at securelevel 1.

If all I cared about were secure operation with a bug-free OS kernel, I
might as well just use chroot, from my point of view.

Letting "unprivileged" domains access device DMA engines grants their
kernels all the privilege that the dom0 kernel has, because it lets
the domU kernels write arbitrary memory, including that occupied by the
dom0 kernel itself.  It's not a point to gloss over, because the
security implications are very real -- and the cost of using xbd for
domU disks to mitigate the problem is, really, quite small.

Thor