From: "Michael S. Tsirkin" <mst@redhat.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: "Hans J. Koch" <hjk@hansjkoch.de>,
Andreas Hartmann <andihartmann@01019freenet.de>,
Dominic Eschweiler <eschweiler@fias.uni-frankfurt.de>,
Jan Kiszka <jan.kiszka@siemens.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uio_pci_generic does not export memory resources
Date: Sun, 10 Jun 2012 21:43:18 +0300 [thread overview]
Message-ID: <20120610184318.GC10523@redhat.com> (raw)
In-Reply-To: <1339349905.26976.306.camel@ul30vt>
On Sun, Jun 10, 2012 at 11:38:25AM -0600, Alex Williamson wrote:
> On Sun, 2012-06-10 at 19:44 +0300, Michael S. Tsirkin wrote:
> > On Sun, Jun 10, 2012 at 10:09:26AM -0600, Alex Williamson wrote:
> > > On Sun, 2012-06-10 at 17:18 +0300, Michael S. Tsirkin wrote:
> > > > On Fri, Jun 08, 2012 at 11:11:16AM -0600, Alex Williamson wrote:
> > > > > On Fri, 2012-06-08 at 18:44 +0200, Hans J. Koch wrote:
> > > > > > On Fri, Jun 08, 2012 at 06:16:18PM +0200, Andreas Hartmann wrote:
> > > > > > > Hi Dominic,
> > > > > > >
> > > > > > > Dominic Eschweiler wrote:
> > > > > > > > Am Freitag, den 08.06.2012, 08:16 -0600 schrieb Alex Williamson:
> > > > > > > >> Yes, thanks Jan. This is exactly what VFIO does. VFIO provides
> > > > > > > >> secure config space access, resource access, DMA mapping services, and
> > > > > > > >> full interrupt support to userspace.
> > > > > >
> > > > > > VFIO is not a "better UIO". It *requires* an IOMMU. Dominic didn't say on
> > > > > > what CPU he's working, so it's not clear if he can use VFIO at all.
> > > > > >
> > > > > > UIO is intended for general use with devices that have mappable registers
> > > > > > and don't fit into any other subsystem. No more, no less.
> > > > >
> > > > > VFIO is a secure UIO.
> > > >
> > > > A secure UIO *for VFs*. I think that's why it's called VFIO :).
> > > > Other stuff sometimes also works but no real guarantees, though
> > > > VFIO tries to make sure you don't burn yourself too badly
> > > > if it breaks.
> > >
> > > We do a little better than that. Multifunction devices that don't
> > > explicitly report ACS support are grouped together, so we have security
> > > for multifunction devices as well.
> >
> > How can you get security with insecure hardware?
> >
> > So you prevent the device from writing to host memory? Cool.
> > Now guest puts a virus on an on-card flash, the
> > moment device is assigned to another VM it will own that,
> > or host if it's enabled in host.
> >
> > I can make up more silliness. Buggy userspace can brick the device,
> > e.g. by damaging the internal eeprom memory, and these things were known
> > to happen even by accident.
> >
> > Simply put if you want secure userspace drivers you must be able to
> > trust your hardware for security and the only hardware that promises you
> > security is a VF in an SRIOV device.
>
> Next I suppose you're going to say assigning a NIC to a guest is
> insecure because it could host a malicious OS that infects other systems
> on the network.
*Of course* it is less secure than a firewalled guest
with a virtual NIC. You argue this is not true?
But at least there are ways to contain a NIC on a network.
So it depends on the setup.
Not so for an assigned PF. It depends on the internals of the PF
which you have no idea about.
> So to clarify, by secure, I mean that users of VFIO
> devices don't have access to the host.
Yes. And since you can't guarantee it for PFs, it's insecure.
> The host still needs to be
> suspicious of any data the user might have tainted
That's not the only point. Host data might also leak to guest
when device is assigned.
> after a device is returned.
For a VF you have a way to validate what the VF does.
For a PF there is no way to be suspicious of the device state.
> > > Either single of multifunction PFs
> > > can have an option ROM, but since there's no defined mechanism to
> > > program the ROM, we can't protect it. Secure boot actually helps us
> > > here since the ROM loaded by the host BIOS or drivers would need to
> > > verify the ROM before using it. Note that secure boot will likely close
> > > off the pci-sysfs path uio_pci and KVM device assignment use to get
> > > resources since it allows unprotected access to the system. VFIO
> > > provides an interface where we control secure access, so should be
> > > compatible with secure boot. Thanks,
> > >
> > > Alex
> >
> > IMHO all this means VFIO *works* not just for VFs.
> > Not that it's secure.
>
> By your argument above, not even VFs are "secure".
VFs can be secure if PF hardware and driver are secure.
There's no sure way to secure a PF.
> A user could just as
> easily taint a disk attached to an HBA VF...
But if I don't run stuff from this disk I am safe.
What is the way to guarantee security with an assigned PF?
--
MST
next prev parent reply other threads:[~2012-06-10 18:43 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-08 11:56 [PATCH] uio_pci_generic does not export memory resources Dominic Eschweiler
2012-06-08 13:03 ` Michael S. Tsirkin
2012-06-08 13:16 ` Jan Kiszka
2012-06-08 14:16 ` Alex Williamson
2012-06-08 14:47 ` Dominic Eschweiler
2012-06-08 15:06 ` Alex Williamson
2012-06-08 16:16 ` Andreas Hartmann
2012-06-08 16:41 ` Alex Williamson
2012-06-09 9:28 ` Andreas Hartmann
2012-06-09 14:50 ` Alex Williamson
2012-06-09 16:25 ` Andreas Hartmann
2012-06-09 16:55 ` Alex Williamson
2012-06-10 7:21 ` Andreas Hartmann
2012-06-10 19:12 ` Andreas Hartmann
2012-06-10 14:12 ` Michael S. Tsirkin
2012-06-08 16:44 ` Hans J. Koch
2012-06-08 16:59 ` Jan Kiszka
2012-06-08 17:11 ` Alex Williamson
2012-06-10 14:18 ` Michael S. Tsirkin
2012-06-10 16:09 ` Alex Williamson
2012-06-10 16:44 ` Michael S. Tsirkin
2012-06-10 17:38 ` Alex Williamson
2012-06-10 18:43 ` Michael S. Tsirkin [this message]
2012-06-10 19:00 ` Michael S. Tsirkin
2012-06-10 19:11 ` Hans J. Koch
2012-06-10 19:16 ` Michael S. Tsirkin
2012-06-10 20:19 ` Hans J. Koch
2012-06-10 19:01 ` Hans J. Koch
2012-06-08 14:28 ` Dominic Eschweiler
2012-06-08 15:18 ` Hans J. Koch
2012-06-08 15:45 ` Dominic Eschweiler
2012-06-08 15:57 ` Hans J. Koch
2012-06-08 16:23 ` Dominic Eschweiler
2012-06-08 16:37 ` Hans J. Koch
2012-06-08 17:07 ` Dominic Eschweiler
2012-06-08 17:11 ` Hans J. Koch
2012-06-08 16:39 ` Michael S. Tsirkin
2012-06-08 16:07 ` Hans J. Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120610184318.GC10523@redhat.com \
--to=mst@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=andihartmann@01019freenet.de \
--cc=eschweiler@fias.uni-frankfurt.de \
--cc=gregkh@linuxfoundation.org \
--cc=hjk@hansjkoch.de \
--cc=jan.kiszka@siemens.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox