From: Arnd Bergmann <arnd@arndb.de>
To: Caitlin Bestler <caitlinb@broadcom.com>
Cc: kvm-devel@lists.sourceforge.net,
	xen-devel <xen-devel@lists.xensource.com>,
	virtualization <virtualization@lists.linux-foundation.org>
Subject: Re: [kvm-devel] [Xen-devel] More virtio users
Date: Wed, 13 Jun 2007 01:54:26 +0200
Message-ID: <200706130154.27513.arnd@arndb.de>
In-Reply-To: <1EF1E44200D82B47BD5BA61171E8CE9D04269608@NT-IRVA-0750.brcm.ad.broadcom.com>

On Wednesday 13 June 2007, Caitlin Bestler wrote:
> 
> > It can be done, but you'd also need a passthrough for the
> > IOMMU in that case, and you get a potential security hole: if
> > a malicious guest is smart enough to figure out IOMMU
> > mappings from the device to memory owned by the host.
> > 
> If it is possible for a malicious guest to use the IOMMU
> to access memory that was not assigned to it then either
> the Hypervisor is not really a Hypervisor or the IOMMU
> is not really an IOMMU.

Unfortunately, most IOMMU implementations are not really
IOMMUs then, I guess ;-). To be safe, every PCI device
needs to have its own tagged DMA transfers, which essentially
boils down to having each device behind a separate PCI
host bridge, and that's not very likely to be done
on PC style hardware.

Admittedly, I haven't seen many IOMMU implementations, but
the one I'm most familiar with (the one on the Cell
Broadband Engine) can only assign a local device on the
north bridge to one guest in a secure way, but an
entire PCI or PCIe host is treated as a single device
when seen from the IOMMU, so when one PCIe device has
a mapping to guest A, guest B can use MMIO access to
program another device on the same host to do DMA
into the buffer provided by guest A.

	Arnd <><
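The granularity point Arnd makes above can be made concrete with a small model. This is an added example, not code from the thread or from any hypervisor: it treats an IOMMU as able to isolate DMA only at the granularity at which it can distinguish requesters. With per-device tagging, every device gets its own translation domain; with per-host-bridge tagging (the Cell case described, where only north-bridge-local devices are individually distinguishable), all devices behind one bridge share a domain, so a mapping set up for guest A's buffer is reachable by any device on that bridge. The validator refuses an assignment plan that hands devices from one isolation group to different owners, which is the same rule Linux VFIO enforces with IOMMU groups. Device names, bridge names and guest names are constructed sample data.

```python
"""Model of DMA-isolation granularity for device assignment (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str            # constructed sample identifier, e.g. "nic0"
    host_bridge: str     # PCI/PCIe host bridge the device sits behind
    local: bool = False  # True for a device attached directly to the north bridge


def isolation_groups(devices, per_device_tagging):
    """Return {group_id: set(device names)}.

    per_device_tagging=True : the IOMMU can tell every device's DMA apart.
    per_device_tagging=False: the IOMMU only tells whole host bridges apart,
                              plus individual north-bridge-local devices.
    """
    groups = defaultdict(set)
    for d in devices:
        if per_device_tagging or d.local:
            key = f"dev:{d.name}"
        else:
            key = f"bridge:{d.host_bridge}"
        groups[key].add(d.name)
    return dict(groups)


def reachable_guests(devices, per_device_tagging, assignment, device_name):
    """Guests whose buffers `device_name` can DMA into.

    `assignment` maps device name -> owning guest. Every device in the same
    isolation group shares one translation domain, so a mapping created for
    any guest owning a device in that group is reachable from all of them.
    """
    for names in isolation_groups(devices, per_device_tagging).values():
        if device_name in names:
            return {assignment[n] for n in names if n in assignment}
    raise KeyError(f"unknown device {device_name!r}")


def validate_assignment(devices, per_device_tagging, assignment):
    """Return a list of conflict descriptions; an empty list means the plan
    keeps every guest's DMA confined to its own memory."""
    problems = []
    for gid, names in isolation_groups(devices, per_device_tagging).items():
        owners = {assignment[n] for n in names if n in assignment}
        if len(owners) > 1:
            problems.append(
                f"{gid}: devices {sorted(names)} assigned to guests {sorted(owners)}"
            )
    return problems


# Constructed sample topology: two PCIe devices behind one host bridge and one
# device local to the north bridge, each meant for a different guest.
SAMPLE_DEVICES = [
    Device("nic0", "pcie0"),
    Device("hba0", "pcie0"),
    Device("spe_dma", "north", local=True),
]
SAMPLE_ASSIGNMENT = {"nic0": "guestA", "hba0": "guestB", "spe_dma": "guestC"}


if __name__ == "__main__":
    for tagging in (True, False):
        print(f"per-device tagging = {tagging}")
        print("  hba0 can reach:", sorted(reachable_guests(
            SAMPLE_DEVICES, tagging, SAMPLE_ASSIGNMENT, "hba0")))
        for p in validate_assignment(SAMPLE_DEVICES, tagging, SAMPLE_ASSIGNMENT):
            print("  conflict:", p)
```

With per-device tagging the plan validates cleanly and hba0 only reaches guestB's memory; with per-bridge tagging hba0 also reaches guestA's buffers through the shared domain, and the validator reports the pcie0 group as assigned to two guests, which is exactly the case where the only safe plan is to give both devices to the same guest.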
