From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wei Wang Subject: [PATCH 5/6] Vhost-pci RFC: Future Security Enhancement Date: Sun, 29 May 2016 07:36:34 +0800 Message-ID: <1464478595-146533-6-git-send-email-wei.w.wang@intel.com> References: <1464478595-146533-1-git-send-email-wei.w.wang@intel.com> Cc: Wei Wang To: kvm@vger.kernel.org, qemu-devel@nongnu.org, virtio-comment@lists.oasis-open.org, virtio-dev@lists.oasis-open.org, mst@redhat.com, stefanha@redhat.com, pbonzini@redhat.com Return-path: Received: from mga09.intel.com ([134.134.136.24]:29126 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752507AbcE1Pkh (ORCPT ); Sat, 28 May 2016 11:40:37 -0400 In-Reply-To: <1464478595-146533-1-git-send-email-wei.w.wang@intel.com> Sender: kvm-owner@vger.kernel.org List-ID: Signed-off-by: Wei Wang --- FutureWorks | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 FutureWorks diff --git a/FutureWorks b/FutureWorks new file mode 100644 index 0000000..210edcd --- /dev/null +++ b/FutureWorks 
@@ -0,0 +1,21 @@ +The vhost-pci design is currently suitable for a group of VMs who trust each +other. To extend it to a more general use case, two security features can be +added in the future. + +1 vIOMMU +vIOMMU provides the driver VM with the ability to restrict the device VM to +transiently access a specified portion of its memory. The vhost-pci design +proposed in this RFC can be extended to access the driver VM's memory with +vIOMMU. Precisely, the vIOMMU engine in the driver VM configures access +permissions (R/W) for the vhost-pci device to access its memory. More details +can be found at https://wiki.opnfv.org/display/kvm/Vm2vm+Mst and +https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03993.html + +2 eptp switching +The idea of eptp swithing allows a vhost-pci device driver to access the mapped +driver VM's memory in an alternative view, where only a piece of trusted code +can access the driver VM's memory. More details can be found at +http://events.linuxfoundation.org/sites/events/files/slides/ +Jun_Nakajima_NFV_KVM%202015_final.pdf + + -- 1.8.3.1
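Review bot: The trust assumption in the opening paragraph should be stated in terms of the actual exposure: with the current design the device VM gets unrestricted read/write access to the driver VM's memory, so the "group of VMs who trust each other" (should read "that trust each other") is really the set of VMs that accept a compromised peer being able to read or corrupt their guest memory; section 1 then reads naturally as "vIOMMU restricts that access to the buffers the driver VM chooses to share, with R/W permission". Two smaller points in the same hunk: "eptp swithing" is a typo for "EPTP switching" (worth capitalizing EPT as an acronym in both the heading and the body), and the linuxfoundation.org URL is broken across two lines in a plain-text file, so a reader cannot copy it as one link; keep it on a single line even if it exceeds the column width, as the wiki and qemu-devel URLs above it already do. The two trailing empty "+" lines at the end of the new file can also be dropped.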