From: Stefan Hajnoczi <stefanha@redhat.com>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: John G Johnson <john.g.johnson@oracle.com>,
Daniele Buono <dbuono@us.ibm.com>,
slp@redhat.com, "Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org,
"marcandre.lureau@redhat.com" <marcandre.lureau@redhat.com>,
Hubertus Franke <frankeh@us.ibm.com>,
rust-vmm@lists.opendev.org,
Thanos Makatos <thanos.makatos@nutanix.com>
Subject: Re: [Rust-VMM] Requirements for out-of-process device emulation
Date: Wed, 11 Nov 2020 11:17:46 +0000 [thread overview]
Message-ID: <20201111111746.GA1344536@stefanha-x1.localdomain> (raw)
In-Reply-To: <87ft6jz7od.fsf@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 1504 bytes --]
On Mon, Oct 12, 2020 at 06:16:18PM +0100, Alex Bennée wrote:
> Stefan Hajnoczi <stefanha@redhat.com> writes:
> > Security
> > --------
> > The trust model
> > ```````````````
> > The VMM must not trust the device emulation program. This is key to
> > implementing privilege separation and the principle of least privilege.
> > If a compromised device emulation program is able to gain control of the
> > VMM then out-of-process device emulation has failed to provide isolation
> > between devices.
> >
> > The device emulation program must not trust the VMM to the extent that
> > this is possible. For example, it must validate inputs so that the VMM
> > cannot gain control of the device emulation process through memory
> > corruptions or other bugs. This makes it so that even if the VMM has
> > been compromised, access to device resources and associated system calls
> > still requires further compromising the device emulation process.
>
> However in this model the guest intrinsically trusts device emulation
> because it currently has full access to the guest's address space. It
> would probably be worth making that explicit.
>
> There are security models where the guest doesn't need to trust the VMM
> or particular device emulations.
Where do you see that assumption in the text?
BTW, shared guest memory access is optional in vhost-user. The protocol
allows the VMM to handle DMA accesses instead of granting the device
access to guest memory.
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2020-11-11 11:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-09 16:18 Requirements for out-of-process device emulation Stefan Hajnoczi
2020-10-09 19:44 ` Alex Williamson
2020-10-12 15:39 ` Stefan Hajnoczi
2020-10-12 17:16 ` Alex Bennée
2020-11-11 11:17 ` Stefan Hajnoczi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201111111746.GA1344536@stefanha-x1.localdomain \
--to=stefanha@redhat.com \
--cc=alex.bennee@linaro.org \
--cc=dbuono@us.ibm.com \
--cc=frankeh@us.ibm.com \
--cc=john.g.johnson@oracle.com \
--cc=marcandre.lureau@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rust-vmm@lists.opendev.org \
--cc=slp@redhat.com \
--cc=thanos.makatos@nutanix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).