* [Qemu-devel] kvm guest-host separation
@ 2015-04-17 18:31 Andrei Bacs
From: Andrei Bacs @ 2015-04-17 18:31 UTC (permalink / raw)
To: qemu-devel
Hello,

I would like to implement some security checks in the qemu user process
that would monitor the disk I/O of a KVM guest. I am trying to understand
if this is a good level for the implementation (such that the security
checks are safe) or I need to do this at a lower level (possibly in the
hypervisor itself?). Can the thread that runs the guest code influence or
control the guest and the I/O thread(s)?

Reading the doc on memory [1] and the KVM paper [2] I understood that the
qemu userspace process and the guest have separate memory spaces. Also, the
userspace process can map guest memory to emulate dma devices, which seems
that the control on memory is in one direction, from userspace process to
guest.

I would like to better understand the mapping and how safe is the
separation between the userspace qemu and the guest. [3] shows that the
safe approach to harden KVM is to move functionality (and thus the attack
surface) to the userspace process which indicates that the separation
between guest and userspace is trusted.

Could you give me some pointers about where to look in the code in order to
better assess the guest-userspace process separation?

Thank you,
Andrei

[1] docs/specs/memory.txt
[2] https://www.kernel.org/doc/ols/2007/ols2007v1-pages-225-230.pdf
[3] http://www.linux-kvm.org/wiki/images/f/f6/01x02-KVMHardening.pdf
* Re: [Qemu-devel] kvm guest-host separation
@ 2015-04-21 13:59 ` Stefan Hajnoczi
From: Stefan Hajnoczi @ 2015-04-21 13:59 UTC (permalink / raw)
To: Andrei Bacs; +Cc: qemu-devel
On Fri, Apr 17, 2015 at 08:31:47PM +0200, Andrei Bacs wrote:
> I would like to implement some security checks in the qemu user process
> that would monitor the disk I/O of a KVM guest.

You probably need to avoid QEMU's zero-copy disk I/O, depending on the
security checks you are performing. Otherwise the guest can modify the
contents of I/O buffers while the host is checking them.

What are you trying to do?

Stefan
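
The check-then-use race described in the reply above, next to the copy-before-check alternative, as an added example that is not part of the original thread and is not QEMU code. The guest's concurrent write is simulated by a direct call to `guest_rewrite`, and `MARKER`, `policy_ok`, `write_zero_copy`, `write_bounced` and `check_bypassed` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy for this example: refuse writes containing MARKER. */
#define MARKER "FORBIDDEN"
#define MLEN (sizeof(MARKER) - 1)

static bool policy_ok(const unsigned char *p, size_t len) {
    for (size_t i = 0; i + MLEN <= len; i++)
        if (memcmp(p + i, MARKER, MLEN) == 0) return false;
    return true;
}

/* Constructed stand-in for a vCPU rewriting the buffer while the host works. */
static void guest_rewrite(unsigned char *buf, size_t len) {
    if (len >= MLEN) memcpy(buf, MARKER, MLEN);
}

/* Zero-copy: the check and the write both read guest-writable memory. */
static bool write_zero_copy(unsigned char *disk, unsigned char *gbuf, size_t len) {
    if (!policy_ok(gbuf, len)) return false;
    guest_rewrite(gbuf, len);    /* guest runs between check and use */
    memcpy(disk, gbuf, len);     /* second fetch sees the new contents */
    return true;
}

/* Bounce buffer: fetch once into host-private memory, check and write that. */
static bool write_bounced(unsigned char *disk, unsigned char *gbuf, size_t len) {
    unsigned char priv[512];
    if (len > sizeof priv) return false;
    memcpy(priv, gbuf, len);
    bool ok = policy_ok(priv, len);
    guest_rewrite(gbuf, len);    /* same interleaving, now without effect */
    if (ok) memcpy(disk, priv, len);
    return ok;
}

/* True if the request was accepted yet the bytes on "disk" break the policy. */
static bool check_bypassed(bool bounce) {
    unsigned char guest[64] = "harmless sector contents";  /* constructed input */
    unsigned char disk[64] = {0};
    bool ok = bounce ? write_bounced(disk, guest, sizeof guest) : write_zero_copy(disk, guest, sizeof guest);
    return ok && !policy_ok(disk, sizeof disk);
}

int main(void) {
    printf("zero-copy bypassed=%d bounced bypassed=%d\n", check_bypassed(false), check_bypassed(true));
}
```

The bounce-buffer path costs one extra copy per request; what it buys is that the bytes checked are exactly the bytes written.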