From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [kvm-devel] [RFC PATCH 0/4] Inter-guest virtio I/O example with lguest Date: Thu, 20 Mar 2008 08:54:45 +0200 Message-ID: <47E20A35.2000600@qumranet.com> References: <200803201659.14344.rusty@rustcorp.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Cc: kvm-devel , lguest , virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Rusty Russell Return-path: In-Reply-To: <200803201659.14344.rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: lguest-bounces+glkvl-lguest=m.gmane.org-mnsaURCQ41sdnm+yROfE0A@public.gmane.org Errors-To: lguest-bounces+glkvl-lguest=m.gmane.org-mnsaURCQ41sdnm+yROfE0A@public.gmane.org List-Id: kvm.vger.kernel.org Rusty Russell wrote: > Hi all, > > Just finished my prototype of inter-guest virtio, using networking as an > example. Each guest mmaps the other's address space and uses a FIFO for > notifications. > > Isn't that a security hole (hole? chasm)? If the two guests can access each other's memory, they might as well be just one guest, and communicate internally. My feeling is that the host needs to copy the data, using dma if available. Another option is to have one guest map the other's memory for read and write, while the other guest is unprivileged. This allows one privileged guest to provide services for other, unprivileged guests, like domain 0 or driver domains in Xen. -- Any sufficiently difficult bug is indistinguishable from a feature.