[libvirt-users] PCI-Passthrough suddenly stopped working

Rouven Sacha rs at blinkenlichten.de
Thu Jul 12 07:55:09 UTC 2012 

Am 12.07.2012 00:38, schrieb Eric Blake:
> This may be the result of a security fix in the new kernel. I know at 
> least one older version of Intel chips has a bug where IOMMU can be 
> exploited by a guest to take control over the host, so on those chips, 
> newer kernels now require to explicitly enable a kernel module 
> parameter to state that you are going to allow passthrough to the 
> guest in spite of the security risk. That is, you may need to use: 
> modprobe kvm allow_unsafe_assigned_interrupts=1 with your newer 
> kernel. Unfortunately, I wasn't able to find a better URL to a page 
> documenting this issue, so that implies we probably also need a patch 
> to the libvirt documentation with regards to using device passthrough. 

Hi Eric,

thanks for the info.

Reading https://bugzilla.redhat.com/show_bug.cgi?id=715555 , it seems 
that 5.8 shouldn't be affected since the kvm on that version doesn't 
support interrupt remapping, if I understand correctly. Additionally, if 
I run the script provided in the issue description, the check passes 
with "Interrupt remapping support available" and the error message 
differs: I don't get "Operation not permitted"  but "Invalid argument". 
I also can't set provides switch in 
/sys/module/kvm/parameters/allow_unsafe_assigned_interrupts, since the 
file isn't there on my box.

Are there any other circumstances where pci passthrough could fail? 
Googling for the error message i get, I can't seem to find any case that 
matches mine. This makes me guess that I'd rather accidentally 
introduced a misconfiguration than encountered a qemu-kvm/libvirt bug. I 
have attached the configuration file of that machine, maybe someone 
could have a look at the hostdev section?

Unfortunately, i am currently not able to switch back to the prior 
kernel, since the system is in production right now - I will test that 
later during the day.

Thanks &  cheers,

Rouven



-- 
Blinkenlichten Open Source Solutions
Maass  Sacha GbR | Weigandufer 45 | 12059 Berlin
tel: +493013896247 | fax: +493013896249 | mob: +491744220127
Web: http://www.blinkenlichten.de/ G+: http://gplus.to/blinkenlichten
Blinkenlichten Zarafa Hosted Tweets: http://twitter.com/zarafamail/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20120712/92baa98d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ld-vm002-vectron.xml
Type: text/xml
Size: 2288 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20120712/92baa98d/attachment.xml>

More information about the libvirt-users mailing list