From: Halil Pasic <pasic@linux.ibm.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: "Alex Bennée" <alex.bennee@linaro.org>, virtio-dev@lists.oasis-open.org
Subject: Re: [virtio-dev] Backend libraries for VirtIO device emulation
Date: Wed, 11 Mar 2020 19:18:55 +0100 [thread overview]
Message-ID: <20200311191855.3a406bbf.pasic@linux.ibm.com> (raw)
In-Reply-To: <20200311172411.GG281087@stefanha-x1.localdomain>
[-- Attachment #1: Type: text/plain, Size: 1958 bytes --]
On Wed, 11 Mar 2020 17:24:11 +0000
Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > I thought so - but does any vhost-user implementation assume it has
> > access to the entire of the guests memory space? I can see why that
> > might be seen as undesirable from a security point of view.
>
On s390 we do assume we have access to the whole guest memory
space if VIRTIO_F_ACCESS_PLATFORM is not set.
> VMMs typically give the vhost-user device program access to the entirety
> of guest RAM. That's because unmodified VIRTIO guest drivers typically
> require access to all of guest memory.
>
> If the guest software cooperates then it's possible to reduce the shared
> memory region. In other words, the vhost-user protocol doesn't demand
> that guest RAM is shared, it just requires all addresses to be within
> the shared memory region, whatever that may be.
In that case, I guess, we would have to negotiate
VIRTIO_F_ACCESS_PLATFORM. vhost-user already has support for
VIRTIO_F_ACCESS_PLATFORM, but in context of vhost-user it means: do
IOVA translation. Translation is basically boils down to IOMMU/IOTLB
support, and the specs (docs/interop/vhost-user.rst) says that the
translated stuff needs to be within a region set via
VHOST_USER_SET_MEM_TABLE.
I'm wondering how restricting the memory region shared vhost-user program
should work, unless we impose restrictions on what physical addresses
may be used for virtio buffers (regardless of whether what lands in the
virtqueue is an IOVA or a GPA), and make everybody in the stack aware of
this.
Of course sharing the whole guest memory space with the vhost-user
program does not necessarily mean the guest can actually access the
whole guest memory. For example memory encryption or other means of
protecting memory (e.g. s390 protected VMs) may ensure that the
vhost-user program can not mess with anything that in is not supposed to.
Regards,
Halil
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2020-03-11 18:24 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-06 18:33 [virtio-dev] Backend libraries for VirtIO device emulation Alex Bennée
2020-03-06 19:14 ` Matias Ezequiel Vara Larsen
2020-03-06 20:34 ` Alex Bennée
2020-03-06 19:40 ` Dr. David Alan Gilbert
2020-03-06 20:24 ` Alex Bennée
2020-03-09 8:11 ` Jan Kiszka
2020-03-09 10:44 ` Dr. David Alan Gilbert
2020-03-09 12:12 ` Alex Bennée
2020-03-09 15:08 ` Dr. David Alan Gilbert
2020-03-09 15:46 ` Stefan Hajnoczi
2020-03-09 16:43 ` Alex Bennée
2020-03-11 17:24 ` Stefan Hajnoczi
2020-03-11 18:18 ` Halil Pasic [this message]
2020-03-09 17:27 ` Srivatsa Vaddagiri
2020-03-09 17:42 ` Alex Bennée
2020-03-11 17:28 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200311191855.3a406bbf.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=alex.bennee@linaro.org \
--cc=stefanha@redhat.com \
--cc=virtio-dev@lists.oasis-open.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.