Patchwork [v3,14/17] Add statement on PCI passthrough

mail settings
Submitter George Dunlap
Date Nov. 22, 2017, 7:20 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/388319/
State New
Headers show


George Dunlap - Nov. 22, 2017, 7:20 p.m.
Signed-off-by: George Dunlap <>
Changes since v2:
- Separate PV and HVM passthrough (excluding PVH by implication)
- + not compatible with PoD
- 'will be' -> 'are'

NB that we don't seem to have the referenced file yet; left as a reference.

CC: Ian Jackson <>
CC: Wei Liu <>
CC: Andrew Cooper <>
CC: Jan Beulich <>
CC: Stefano Stabellini <>
CC: Konrad Wilk <>
CC: Tim Deegan <>
CC: Rich Persaud <>
CC: Marek Marczykowski-Górecki <>
CC: Christopher Clark <>
CC: James McKenzie <>
--- | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)


diff --git a/ b/
index 63f6a6d127..c8fec4daa8 100644
--- a/
+++ b/
@@ -486,9 +486,23 @@  but has no xl support.
 ## Security
+### Driver Domains
+    Status: Supported, with caveats
+"Driver domains" means allowing non-Domain 0 domains
+with access to physical devices to act as back-ends.
+See the appropriate "Device Passthrough" section
+for more information about security support.
 ### Device Model Stub Domains
-    Status: Supported
+    Status: Supported, with caveats
+Vulnerabilities of a device model stub domain
+to a hostile driver domain (either compromised or untrusted)
+are excluded from security support.
 ### KCONFIG Expert
@@ -559,6 +573,26 @@  Virtual Performance Management Unit for HVM guests
 Disabled by default (enable with hypervisor command line option).
 This feature is not security supported: see
+### x86/PCI Device Passthrough
+    Status, x86 PV: Supported, with caveats
+    Status, x86 HVM: Supported, with caveats
+Only systems using IOMMUs are supported.
+Not compatible with migration, populate-on-demand, altp2m,
+introspection, memory sharing, or memory paging.
+Because of hardware limitations
+(affecting any operating system or hypervisor),
+it is generally not safe to use this feature
+to expose a physical device to completely untrusted guests.
+However, this feature can still confer significant security benefit
+when used to remove drivers and backends from domain 0
+(i.e., Driver Domains).
+XXX See docs/PCI-IOMMU-bugs.txt for more information.
 ### ARM/Non-PCI device passthrough
     Status: Supported, not security supported