Non-maskable interrupts triggerable by guests

Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific.

guest VM可以修改PCI command register,如果disable掉某些bits可能造成之后产生UR (unsupported request) responses,造成host crash。


privilege uncheck (PCI register modify)



xen-pciback: limit guest control of command register

Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host.

限制guest VM对PCI command register的控制


In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI’s APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service.