From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrea Arcangeli
Subject: Re: [PATCH 1/1] direct mmio for passthrough - kernel part
Date: Tue, 1 Apr 2008 20:10:31 +0200
Message-ID: <20080401181031.GA19189@duo.random>
References: <1207050734-13166-1-git-send-email-benami@il.ibm.com> <1207050734-13166-2-git-send-email-benami@il.ibm.com> <47F238D8.7040608@qumranet.com> <47F249C3.6000300@codemonkey.ws> <47F26AD2.8000406@qumranet.com> <20080401171807.GA31765@redhat.com>
In-Reply-To: <20080401171807.GA31765@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
To: "Daniel P. Berrange"
Cc: kvm-devel@lists.sourceforge.net, allen.m.kay@intel.com, Avi Kivity, benami@il.ibm.com
Sender: kvm-devel-bounces@lists.sourceforge.net
Errors-To: kvm-devel-bounces@lists.sourceforge.net
List-Id: kvm.vger.kernel.org

On Tue, Apr 01, 2008 at 06:18:07PM +0100, Daniel P. Berrange wrote:
> and very few application domains are allowed to access them. The KVM/QEMU
> policy will not allow this for example. Basically on the X server, HAL and
> dmidecode have access in current policy. It would be undesirable to have to
> give all KVM guests full access to /dev/mem, so a more fine grained access
> method would have benefits here.

But pci-passthrough can give root on the host even to the ring0 guest,
just like /dev/mem without VT-d, so there's not much difference with
using /dev/mem as far as security is concerned. Only on the CPUs
including VT-d it's possible to retain a mostly equivalent security
level despite pci-passthrough.
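The practical consequence of Andrea's point is that a host should only hand a PCI device to a guest when DMA remapping hardware (VT-d / AMD-Vi) is active and the device can be isolated from the rest of the host. The check below is an added example written for this page, not code from the thread or from KVM; it assumes the sysfs layout that later Linux kernels expose (/sys/class/iommu is non-empty when an IOMMU is active, and /sys/kernel/iommu_groups/N/devices/ lists the devices that share a translation domain). The root directory is a parameter so the functions can be exercised against a constructed fixture instead of a live host.

```shell
#!/bin/sh
# Added example (not part of the original thread): decide whether a PCI
# device can be passed through to a guest without handing the guest
# /dev/mem-equivalent access to host memory. Assumed sysfs layout:
#   <root>/class/iommu/*                      present only when an IOMMU is active
#   <root>/kernel/iommu_groups/<n>/devices/<bdf>  group membership of each device

# Print the IOMMU group of a device (BDF such as 0000:03:00.0), or return 1
# when no IOMMU is active or the device belongs to no group. Without an
# IOMMU, a device's DMA is not translated: the guest programming it can read
# or write any host physical page, which is the ring0-guest-gets-host-root
# case described in the mail.
iommu_group_of() {
    bdf=$1
    root=${2:-/sys}
    [ -n "$(ls -A "$root/class/iommu" 2>/dev/null)" ] || return 1
    for grp in "$root"/kernel/iommu_groups/*/; do
        [ -e "$grp/devices/$bdf" ] || continue
        basename "$grp"
        return 0
    done
    return 1
}

# Number of devices in the device's IOMMU group. The IOMMU cannot isolate
# members of one group from each other, so the whole group must move to the
# guest together; a size of 1 means the device can be isolated on its own.
iommu_group_size() {
    bdf=$1
    root=${2:-/sys}
    grp=$(iommu_group_of "$bdf" "$root") || return 1
    ls "$root/kernel/iommu_groups/$grp/devices" | wc -l | tr -d ' '
}

# Verdict: "isolated" (safe to assign alone), "shared" (assign the whole
# group or not at all), or "unprotected" (no IOMMU: equivalent to /dev/mem).
passthrough_verdict() {
    bdf=$1
    root=${2:-/sys}
    if grp=$(iommu_group_of "$bdf" "$root"); then
        if [ "$(iommu_group_size "$bdf" "$root")" -eq 1 ]; then
            echo "isolated"
        else
            echo "shared"
        fi
    else
        echo "unprotected"
    fi
}

# Constructed fixture standing in for a host's sysfs: one active IOMMU,
# 0000:03:00.0 alone in group 5, 0000:04:00.0 and 0000:04:00.1 sharing
# group 6 (e.g. two functions behind a bridge that lacks ACS).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/class/iommu/dmar0"
    mkdir -p "$root/kernel/iommu_groups/5/devices/0000:03:00.0"
    mkdir -p "$root/kernel/iommu_groups/6/devices/0000:04:00.0"
    mkdir -p "$root/kernel/iommu_groups/6/devices/0000:04:00.1"
    echo "$root"
}

# Constructed fixture for a host with no IOMMU at all.
make_fixture_noiommu() {
    root=$(mktemp -d)
    mkdir -p "$root/class/iommu"
    mkdir -p "$root/kernel/iommu_groups"
    echo "$root"
}
```

On a real host, source the file and run `passthrough_verdict 0000:03:00.0`; anything other than "isolated" means assigning the device gives the guest more than the device itself. The group-size check matters because a device that shares its IOMMU group with, say, a host-owned NIC can still DMA into that NIC's buffers even though the IOMMU is on.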