From: "Michael S. Tsirkin" <mst@redhat.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: "Hans J. Koch" <hjk@hansjkoch.de>,
Andreas Hartmann <andihartmann@01019freenet.de>,
Dominic Eschweiler <eschweiler@fias.uni-frankfurt.de>,
Jan Kiszka <jan.kiszka@siemens.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uio_pci_generic does not export memory resources
Date: Sun, 10 Jun 2012 21:43:18 +0300 [thread overview]
Message-ID: <20120610184318.GC10523@redhat.com> (raw)
In-Reply-To: <1339349905.26976.306.camel@ul30vt>
On Sun, Jun 10, 2012 at 11:38:25AM -0600, Alex Williamson wrote:
> On Sun, 2012-06-10 at 19:44 +0300, Michael S. Tsirkin wrote:
> > On Sun, Jun 10, 2012 at 10:09:26AM -0600, Alex Williamson wrote:
> > > On Sun, 2012-06-10 at 17:18 +0300, Michael S. Tsirkin wrote:
> > > > On Fri, Jun 08, 2012 at 11:11:16AM -0600, Alex Williamson wrote:
> > > > > On Fri, 2012-06-08 at 18:44 +0200, Hans J. Koch wrote:
> > > > > > On Fri, Jun 08, 2012 at 06:16:18PM +0200, Andreas Hartmann wrote:
> > > > > > > Hi Dominic,
> > > > > > >
> > > > > > > Dominic Eschweiler wrote:
> > > > > > > > Am Freitag, den 08.06.2012, 08:16 -0600 schrieb Alex Williamson:
> > > > > > > >> Yes, thanks Jan. This is exactly what VFIO does. VFIO provides
> > > > > > > >> secure config space access, resource access, DMA mapping services, and
> > > > > > > >> full interrupt support to userspace.
> > > > > >
> > > > > > VFIO is not a "better UIO". It *requires* an IOMMU. Dominic didn't say on
> > > > > > what CPU he's working, so it's not clear if he can use VFIO at all.
> > > > > >
> > > > > > UIO is intended for general use with devices that have mappable registers
> > > > > > and don't fit into any other subsystem. No more, no less.
> > > > >
> > > > > VFIO is a secure UIO.
> > > >
> > > > A secure UIO *for VFs*. I think that's why it's called VFIO :).
> > > > Other stuff sometimes also works but no real guarantees, though
> > > > VFIO tries to make sure you don't burn yourself too badly
> > > > if it breaks.
> > >
> > > We do a little better than that. Multifunction devices that don't
> > > explicitly report ACS support are grouped together, so we have security
> > > for multifunction devices as well.
> >
> > How can you get security with insecure hardware?
> >
> > So you prevent the device from writing to host memory? Cool.
> > Now guest puts a virus on an on-card flash, the
> > moment device is assigned to another VM it will own that,
> > or host if it's enabled in host.
> >
> > I can make up more silliness. Buggy userspace can brick the device,
> > e.g. by damaging the internal eeprom memory, and these things were known
> > to happen even by accident.
> >
> > Simply put if you want secure userspace drivers you must be able to
> > trust your hardware for security and the only hardware that promises you
> > security is a VF in an SRIOV device.
>
> Next I suppose you're going to say assigning a NIC to a guest is
> insecure because it could host a malicious OS that infects other systems
> on the network.
*Of course* it is less secure than a firewalled guest
with a virtual NIC. You argue this is not true?
But at least there are ways to contain a NIC on a network.
So it depends on the setup.
Not so for an assigned PF. It depends on the internals of the PF
which you have no idea about.
> So to clarify, by secure, I mean that users of VFIO
> devices don't have access to the host.
Yes. And since you can't guarantee it for PFs, it's insecure.
> The host still needs to be
> suspicious of any data the user might have tainted
That's not the only point. Host data might also leak to guest
when device is assigned.
> after a device is returned.
For a VF you have a way to validate what the VF does.
For a PF there is no way to be suspicious of the device state.
> > > Either single of multifunction PFs
> > > can have an option ROM, but since there's no defined mechanism to
> > > program the ROM, we can't protect it. Secure boot actually helps us
> > > here since the ROM loaded by the host BIOS or drivers would need to
> > > verify the ROM before using it. Note that secure boot will likely close
> > > off the pci-sysfs path uio_pci and KVM device assignment use to get
> > > resources since it allows unprotected access to the system. VFIO
> > > provides an interface where we control secure access, so should be
> > > compatible with secure boot. Thanks,
> > >
> > > Alex
> >
> > IMHO all this means VFIO *works* not just for VFs.
> > Not that it's secure.
>
> By your argument above, not even VFs are "secure".
VFs can be secure if PF hardware and driver are secure.
There's no sure way to secure a PF.
> A user could just as
> easily taint a disk attached to an HBA VF...
But if I don't run stuff from this disk I am safe.
What is the way to guarantee security with an assigned PF?
--
MST
next prev parent reply other threads:[~2012-06-10 18:43 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-08 11:56 [PATCH] uio_pci_generic does not export memory resources Dominic Eschweiler
2012-06-08 13:03 ` Michael S. Tsirkin
2012-06-08 13:16 ` Jan Kiszka
2012-06-08 14:16 ` Alex Williamson
2012-06-08 14:47 ` Dominic Eschweiler
2012-06-08 15:06 ` Alex Williamson
2012-06-08 16:16 ` Andreas Hartmann
2012-06-08 16:41 ` Alex Williamson
2012-06-09 9:28 ` Andreas Hartmann
2012-06-09 14:50 ` Alex Williamson
2012-06-09 16:25 ` Andreas Hartmann
2012-06-09 16:55 ` Alex Williamson
2012-06-10 7:21 ` Andreas Hartmann
2012-06-10 19:12 ` Andreas Hartmann
2012-06-10 14:12 ` Michael S. Tsirkin
2012-06-08 16:44 ` Hans J. Koch
2012-06-08 16:59 ` Jan Kiszka
2012-06-08 17:11 ` Alex Williamson
2012-06-10 14:18 ` Michael S. Tsirkin
2012-06-10 16:09 ` Alex Williamson
2012-06-10 16:44 ` Michael S. Tsirkin
2012-06-10 17:38 ` Alex Williamson
2012-06-10 18:43 ` Michael S. Tsirkin [this message]
2012-06-10 19:00 ` Michael S. Tsirkin
2012-06-10 19:11 ` Hans J. Koch
2012-06-10 19:16 ` Michael S. Tsirkin
2012-06-10 20:19 ` Hans J. Koch
2012-06-10 19:01 ` Hans J. Koch
2012-06-08 14:28 ` Dominic Eschweiler
2012-06-08 15:18 ` Hans J. Koch
2012-06-08 15:45 ` Dominic Eschweiler
2012-06-08 15:57 ` Hans J. Koch
2012-06-08 16:23 ` Dominic Eschweiler
2012-06-08 16:37 ` Hans J. Koch
2012-06-08 17:07 ` Dominic Eschweiler
2012-06-08 17:11 ` Hans J. Koch
2012-06-08 16:39 ` Michael S. Tsirkin
2012-06-08 16:07 ` Hans J. Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120610184318.GC10523@redhat.com \
--to=mst@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=andihartmann@01019freenet.de \
--cc=eschweiler@fias.uni-frankfurt.de \
--cc=gregkh@linuxfoundation.org \
--cc=hjk@hansjkoch.de \
--cc=jan.kiszka@siemens.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.