From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:47067)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1RZg66-00063y-IK
	for qemu-devel@nongnu.org; Sun, 11 Dec 2011 04:53:31 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1RZg65-00037D-FB
	for qemu-devel@nongnu.org; Sun, 11 Dec 2011 04:53:30 -0500
Received: from mx1.redhat.com ([209.132.183.28]:58152)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1RZg65-00035o-4h
	for qemu-devel@nongnu.org; Sun, 11 Dec 2011 04:53:29 -0500
Message-ID: <4EE47302.4030000@redhat.com>
Date: Sun, 11 Dec 2011 11:08:18 +0200
From: Avi Kivity <avi@redhat.com>
MIME-Version: 1.0
References: <4EDFAF91.4070904@linux.vnet.ibm.com>
	<201112091617.50928.paul@codesourcery.com>
In-Reply-To: <201112091617.50928.paul@codesourcery.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [RFC] Device sandboxing
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paul Brook <paul@codesourcery.com>
Cc: Ashley D Lai <adlai@us.ibm.com>, Anthony Liguori <aliguori@us.ibm.com>, Stefan Hajnoczi <stefanha@gmail.com>, Corey Bryant <coreyb@linux.vnet.ibm.com>, Michael Halcrow <mhalcrow@google.com>, qemu-devel@nongnu.org, Eric Paris <eparis@redhat.com>, Paul Moore <pmoore@redhat.com>, =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <radimkrcmar@hpx.cz>, Richa Marwaha <rmarwah@us.ibm.com>, Amit Shah <amit.shah@redhat.com>, Eduardo Terrell Ferrari Otubo <eotubo@br.ibm.com>, Lee Terrell <lterrell@us.ibm.com>, George Wilson <gcwilson@us.ibm.com>

On 12/09/2011 06:17 PM, Paul Brook wrote:
> > A group of us are starting to work on sandboxing QEMU device emulation
> > code.  We're just getting started investigating various approaches, and
> > want to engage the community to gather input.
> > 
> > Following are the design points that we are currently considering:
> > 
> > * Decompose QEMU into multiple processes:
> > 
> >      * This could be done such that QEMU devices execute in separate
> >        processes based on device type, e.g. all block devices in one
> >        process and all network devices in a second process.  Another
> >        alternative is executing a separate process per device.
>
> I can't help wondering if nested virtualization would be a better solution.  
> i.e. have an outer VM that only implements a trusted subset of devices. Inside 
> that run a VM that provides the flakey legacy device emulation you expect to 
> be compromised.

Nested virtualization is going to be painfully slow.  We did consider
side-by-side virtualization: both the guest and the device model run in
separate VM containers (this is what Xen does, except it uses
paravirtualization for the device model).  It's going to be more
expensive that the other forms of sandboxing, though, due to the heavier
context switch penalty.

-- 
error compiling committee.c: too many arguments to function