Subject: Re: some questions
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-xen
Date: 01/05/2006 14:44:36
On Thu, Jan 05, 2006 at 08:35:43PM +0100, Manuel Bouyer wrote:
> On Thu, Jan 05, 2006 at 12:18:59PM -0500, Thor Lancelot Simon wrote:
> > >
> > > Yes, that's what it's for. You'll have to build custom kernels with
> > > PCI support for the domUs
> > 
> > It's very important to understand that if you allow any "unprivileged"
> > domain to access a device that does DMA, the domain is no longer
> > unprivileged in any meaningful way.
> 
> The situation is not that bad, the dom0 controls which kernel is loaded
> in the domU, and also controls the console.

I'm pretty sure it is, in fact, "that bad".  A misbehaving domU with
access to a PCI device that does DMA, on a platform without an IOMMU
(does Xen 3 even bother to use the IOMMU where available?) can overwrite
memory in the dom0 kernel and gain complete control of the machine.  Heck,
if the DMA device is a disk controller, you've even got convenient temporary
storage to stash the complete memory contents of the system, scan through
them to figure out what you need to smash, then DMA the right page back
into place where you aren't supposed to be writing.  In other words, the
hypervisor, in this case, gives you no meaningful isolation between the
kernels at all.

Thor
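An added audit check illustrating the point above (not code from the thread or from Xen itself): it flags domUs whose config hands them a PCI function while the hypervisor reports no IOMMU-backed passthrough. It assumes the `virt_caps` line of later `xl info` output, which lists `hvm_directio` / `pv_directio` only when an IOMMU is in use; the `xl info` text and domU configs below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed samples of `xl info` output (assumption: the "virt_caps" line
# carries *_directio only when the hypervisor has an IOMMU enabled).
XL_INFO_NO_IOMMU = """\
release                : 5.10.0
virt_caps              : hvm
"""
XL_INFO_WITH_IOMMU = """\
release                : 5.10.0
virt_caps              : pv hvm hvm_directio pv_directio
"""

# Constructed domU configs keyed by domain name; `pci = [...]` is the Xen
# config syntax that hands a PCI function (and its DMA engine) to the guest.
DOMU_CONFIGS = {
    "web":   "memory = 1024\nvcpus = 2\n",
    "nas":   "memory = 2048\npci = [ '01:00.0', '02:00.0' ]\n",
    "build": "memory = 4096\npci = ['03:00.0']\n",
}

def iommu_enabled(xl_info_text: str) -> bool:
    """True if `xl info` reports a directio (IOMMU-backed) capability."""
    for line in xl_info_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "virt_caps":
            return any(cap.endswith("_directio") for cap in value.split())
    return False

def passthrough_devices(config_text: str) -> List[str]:
    """Return the bus:dev.fn entries listed in a domU config's pci = [...]."""
    m = re.search(r"^\s*pci\s*=\s*\[(.*?)\]", config_text, re.M | re.S)
    if not m:
        return []
    return re.findall(r"['\"]([0-9a-fA-F:.]+)['\"]", m.group(1))

def unisolated_domains(xl_info_text: str, configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Domains given DMA-capable devices while no IOMMU isolates them.

    Without an IOMMU such a domU can DMA into dom0 memory, so it is not
    unprivileged in any meaningful sense; with an IOMMU the result is empty."""
    if iommu_enabled(xl_info_text):
        return {}
    return {name: devs for name, cfg in configs.items()
            if (devs := passthrough_devices(cfg))}

if __name__ == "__main__":
    for name, devs in unisolated_domains(XL_INFO_NO_IOMMU, DOMU_CONFIGS).items():
        print(f"WARNING: {name} gets {devs} with no IOMMU; dom0 memory is exposed")
```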