Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: Marcel Apfelbaum <marcel@redhat.com>
Cc: Marcel Apfelbaum <marcel.a@redhat.com>,
	quintela@redhat.com,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	qemu-devel@nongnu.org, amit.shah@redhat.com,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels
Date: Wed, 4 Feb 2015 14:50:53 +0000	[thread overview]
Message-ID: <20150204145053.GW3032@redhat.com> (raw)
In-Reply-To: <54D2314C.7010501@redhat.com>

On Wed, Feb 04, 2015 at 04:48:44PM +0200, Marcel Apfelbaum wrote:
> On 02/04/2015 04:28 PM, Paolo Bonzini wrote:
> >
> >
> >On 04/02/2015 15:02, Daniel P. Berrange wrote:
> >>>I'm not sure if it makes sense for RDMA; it already has a couple of hooks
> >>>that go around the back of QEMUFile in migration, and it's transferring the
> >>>data via DMA so the page data doesn't go through the same path.
> >>
> >>Could you ever anticipate any need for authentication or encryption in
> >>the RDMA based channel ? I don't know enough about RDMA myself to know
> >>if it makes sense or not, other than the fact that any channel between
> >>two separate hosts needs security at some level in the stack.
> >
> >Authentication, possibly; but I don't think encryption makes sense.  Marcel?
> I personally think that the protocol is safe enough, but as always there are holes
> and I am not a security expert:
> 
>     "RDMA mechanisms can create a potential security vulnerability. A node may access another nodes
>      memory region that was supposed to be banned.
>      In order to protect remote memory access to unauthorized memory areas, InfiniBand defines memory
>      protection mechanisms, where a remote memory access requires a special key (R_Key). The R_Key is
>      negotiated between the peers and is validated at the target’s system HCA card. In case of illegal key the
>      packet is dropped. The R_Key requirement is built into silicon and driver code and cannot be disabled
>      even when attacker compromises root/admin/superuser account on one or multiple servers."
> 
> More on Layer 2 attacks and how Infiniband handle those:
>     http://www.mellanox.com/related-docs/whitepapers/WP_Secuirty_In_InfiniBand_Fabrics_Final.pdf
>

Ok I guess we could probably just assume RDMA is sufficient as is for now.
We can fairly easily revisit it later if we find it it needs more work

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

next prev parent reply	other threads:[~2015-02-04 14:51 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-04 11:32 [Qemu-devel] RFC: Universal encryption on QEMU I/O channels Daniel P. Berrange
2015-02-04 12:43 ` Paolo Bonzini
2015-02-04 13:00   ` Daniel P. Berrange
2015-02-04 13:42     ` Paolo Bonzini
2015-02-04 14:08       ` Daniel P. Berrange
2015-02-04 14:23         ` Paolo Bonzini
2015-02-04 14:34           ` Daniel P. Berrange
2015-02-04 15:04             ` Paolo Bonzini
2015-02-04 15:11               ` Daniel P. Berrange
2015-02-04 15:22                 ` Paolo Bonzini
2015-02-04 15:26                   ` Daniel P. Berrange
2015-02-04 16:46                     ` Paolo Bonzini
2015-02-05 14:38       ` Stefan Hajnoczi
2015-02-05 14:44         ` Cornelia Huck
2015-02-05 14:45         ` Peter Maydell
2015-02-04 13:49     ` Markus Armbruster
2015-02-04 13:55       ` Peter Maydell
2015-02-04 16:33         ` Markus Armbruster
2015-02-04 16:41           ` Daniel P. Berrange
2015-02-04 20:41           ` Peter Maydell
2015-02-04 21:06             ` Paolo Bonzini
2015-02-05  7:57             ` Markus Armbruster
2015-02-04 13:08 ` Dr. David Alan Gilbert
2015-02-04 14:02   ` Daniel P. Berrange
2015-02-04 14:28     ` Paolo Bonzini
2015-02-04 14:48       ` Marcel Apfelbaum
2015-02-04 14:50         ` Daniel P. Berrange [this message]
2015-02-04 18:34     ` Eric Blake
2015-02-05  9:11       ` Dr. David Alan Gilbert
2015-02-04 14:27   ` Paolo Bonzini
2015-02-04 14:37     ` Dr. David Alan Gilbert
2015-03-06 17:18 ` Daniel P. Berrange

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150204145053.GW3032@redhat.com \
    --to=berrange@redhat.com \
    --cc=amit.shah@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=marcel.a@redhat.com \
    --cc=marcel@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=quintela@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.