> From: Jan Beulich <[email protected]>
> Sent: Monday, November 30, 2020 3:35 PM
> 
> On 30.11.2020 07:13, Tian, Kevin wrote:
> >> From: Jan Beulich <[email protected]>
> >> Sent: Saturday, November 28, 2020 12:46 AM
> >>
> >> @@ -1316,11 +1316,32 @@ boolean (e.g. `iommu=no`) can override t
> >>      will prevent Xen from booting if IOMMUs aren't discovered and
> enabled
> >>      successfully.
> >>
> >> -*   The `quarantine` boolean can be used to control Xen's behavior when
> >> -    de-assigning devices from guests.  If enabled (the default), Xen 
> >> always
> >> +*   The `quarantine` option can be used to control Xen's behavior when
> >> +    de-assigning devices from guests.
> >> +
> >> +    When a PCI device is assigned to an untrusted domain, it is possible
> >> +    for that domain to program the device to DMA to an arbitrary address.
> >> +    The IOMMU is used to protect the host from malicious DMA by making
> >> +    sure that the device addresses can only target memory assigned to the
> >> +    guest.  However, when the guest domain is torn down, assigning the
> >> +    device back to the hardware domain would allow any in-flight DMA to
> >> +    potentially target critical host data.  To avoid this, quarantining
> >> +    should be enabled.  Quarantining can be done in two ways: In its basic
> >> +    form, all in-flight DMA will simply be forced to encounter IOMMU
> >> +    faults.  Since there are systems where doing so can cause host lockup,
> >> +    an alternative form is available where writes to memory will be made
> >> +    fault, but reads will be directed to a dummy page.  The implication
> >> +    here is that such reads will go unnoticed, i.e. an admin may not
> >> +    become aware of the underlying problem.
> >> +
> >> +    Therefore, if this option is set to true (the default), Xen always
> >>      quarantines such devices; they must be explicitly assigned back to
> Dom0
> >> -    before they can be used there again.  If disabled, Xen will only
> >> -    quarantine devices the toolstack hass arranged for getting 
> >> quarantined.
> >> +    before they can be used there again.  If set to "scratch-page", still
> >> +    active DMA reads will additionally be directed to a "scratch" page.  
> >> If
> >> +    set to false, Xen will only quarantine devices the toolstack has
> arranged
> >> +    for getting quarantined.
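Review bot: the new text leaves the `false` case underspecified: it says toolstack-arranged devices are still quarantined, but not whether they get the basic (fault) form or the scratch-page form, so the reader has to infer it from the "default" wording at the start of the last paragraph. The terminology is also inconsistent within the hunk: the explanatory paragraph says reads "will be directed to a dummy page", while the option value and the later sentence speak of a "scratch" page. Suggest stating the mode for the toolstack-arranged case explicitly in the `false` sentence and using "scratch" page throughout, e.g. `an alternative form is available where writes to memory will be made` / `fault, but reads will be directed to a "scratch" page.`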
> >
> > Here let's be clear about the quarantine policy when the quarantine
> > devices are arranged by toolstack. Based on this patch it is the 'basic'
> > form i.e. always getting IOMMU faults for such devices.
> 
> Well, the policy is always as chosen via command line. Therefore do
> you perhaps merely mean the default mode to be spelled out? This is
> already the case at the beginning of the 2nd paragraph.

When I read the above paragraphs, it's clear about the enabled case where
two quarantine forms are available (basic vs. scratch-page) and how to
choose them, but it's not crystal clear about the disabled case, i.e. which
form is assumed for toolstack-managed devices, from a user p.o.v.

Thanks,
Kevin
