From: Joanna Rutkowska
To: Avi Kivity
Cc: kvm@vger.kernel.org
Subject: Re: A few KVM security questions
Date: Mon, 07 Dec 2009 14:30:43 +0100
Message-ID: <4B1D0383.1080306@invisiblethingslab.com>
In-Reply-To: <4B1D0057.8030707@redhat.com>
References: <4B1CFD93.7090307@invisiblethingslab.com> <4B1D0057.8030707@redhat.com>

Avi Kivity wrote:
>> 1) Do you have any support for para-virtualized VMs?
>
> Yes, for example, we support paravirtualized timers and mmu for Linux.
> These are fairly minimal compared to Xen's pv domains.
>

Can I run a regular Linux as PV-guest? Specifically, can I get rid of
qemu totally, assuming I have only PV guests? E.g. do you have PV
network and disk frontends (PV drivers), that I could use on guests and
that do not use qemu at all?

>> 2) Is it possible to have driver domains in KVM? E.g. I would like to
>> assign my NIC to one VM (a "network domain") and then I would like other
>> domains to use this network domain for networking. In case of Xen, this
>> is done by moving the network backend (which is not qemu BTW) into the
>> network domain, and configuring the network frontends in other VMs to
>> talk to this network domain's backend, rather than to Dom0's backend (in
>> fact you can get rid of all the networking in Dom0).
>>
>
> Should be doable by assigning the NIC to a driver domain and bridging it
> to a virtio driver; then have the driver domain's virtio device talk to
> the ordinary guests.

But bridging would still require having some networking support (+net
backends) on the host (sure, without any real NIC driver, but still),
correct?

>> 4) Do you have some method of excluding particular PCI devices from
>> being initialized by your host Linux? E.g. those devices that are later
>> to be assigned to some VMs (via VT-d passthrough)?
>
> Yes, there is a stub driver that does this.
>

Does this stub driver set DMA protections, so that the device in
question cannot access any host memory? That is important, because once
you assigned a device to some VM, we should assume the VM might have
somehow compromised the device, e.g. reflashed the firmware of the NIC,
perhaps. So, it's important to be able to protect the hypervisor from
such devices.

Thanks,
joanna.