On 05/07/19 22:25, Thomas Gleixner wrote:
> In practice, this makes Linux vulnerable to CVE-2011-1898 / XSA-3, which
> I'm disappointed to see wasn't shared with other software vendors at the
> time.

Oh, that brings back memories. At the time I was working on Xen, so I remember that CVE. IIRC there was some mitigation but the fix was basically to print a very scary error message if you used VT-d without interrupt remapping. Maybe force the user to add something on the Xen command line too?

> The more interesting question is whether this is all relevant. If I
> understood the issue correctly then this is mitigated by proper interrupt
> remapping.

Yes, and for Linux we're good I think. VFIO by default refuses to use the IOMMU if interrupt remapping is absent or disabled, and KVM's own (pre-VFIO) IOMMU support was removed a couple years ago. I guess the secure boot lockdown patches should outlaw VFIO's allow_unsafe_interrupts option, but that's it.

> Is there any serious usage of virtualization w/o interrupt remapping left
> or have the machines which are not capable been retired already?

I think they were already starting to disappear in 2011, as I don't remember much worry about customers that were using systems without it.

Paolo
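
Added example, not part of the original message or of any kernel tooling: a host audit for the allow_unsafe_interrupts opt-out mentioned above. It assumes the option is the `vfio_iommu_type1` module parameter exposed under `/sys/module`, and takes an optional root directory (a hypothetical convenience) so it can be run against a constructed tree.

```shell
#!/bin/sh
# vfio_unsafe_irq_state [ROOT]
# Prints one of:
#   unsafe  - the opt-out is on at runtime, or requested at boot/module load
#   safe    - the module is loaded with the opt-out off and nothing requests it
#   unknown - module not loaded and no configuration asks for the opt-out
vfio_unsafe_irq_state() {
    root=${1:-}
    param="$root/sys/module/vfio_iommu_type1/parameters/allow_unsafe_interrupts"
    cmdline="$root/proc/cmdline"
    # modprobe treats '-' and '_' in module names as equivalent
    mod='vfio[-_]iommu[-_]type1'
    state=unknown

    # Runtime value: boolean module parameters read back as Y or N.
    if [ -r "$param" ]; then
        case "$(cat "$param")" in
            Y|y|1) echo unsafe; return 0 ;;
            *)     state=safe ;;
        esac
    fi

    # Request on the kernel command line (module built in or loaded early).
    if [ -r "$cmdline" ] &&
       grep -Eq "(^|[[:space:]])$mod\.allow_unsafe_interrupts=(1|[Yy])" "$cmdline"
    then
        echo unsafe; return 0
    fi

    # Persistent request in modprobe configuration; it takes effect on the
    # next module load even if the running value is still N.
    for d in "$root/etc/modprobe.d" "$root/usr/lib/modprobe.d"; do
        [ -d "$d" ] || continue
        if grep -Ehs "^[[:space:]]*options[[:space:]]+$mod[[:space:]].*allow_unsafe_interrupts=(1|[Yy])" \
               "$d"/*.conf >/dev/null
        then
            echo unsafe; return 0
        fi
    done

    echo "$state"
}

# Audit the running host (or the tree given as the first argument).
vfio_unsafe_irq_state "${1:-}"
```

A result of `unsafe` means VFIO's default refusal to run without interrupt remapping has been overridden on that host.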