On Fri, Apr 25, 2014 at 10:17:36AM +0200, Kevin Wolf wrote:
> On 25.04.2014 at 08:29, Markus Armbruster wrote:
> > "Michael S. Tsirkin" <m...@redhat.com> writes:
> >
> > > On Thu, Apr 24, 2014 at 12:43:56PM +0200, Kevin Wolf wrote:
> > >> On 24.04.2014 at 09:55, Michael S. Tsirkin wrote:
> > >> > On Thu, Apr 24, 2014 at 09:15:25AM +0200, Markus Armbruster wrote:
> > >> > > If I remember correctly, the DOS involved passthrough of a virtual
> > >> > > device to a nested guest or something like that. Guest killing itself
> > >> > > is unexciting, nested guest killing its host qualifies as DOS. I guess
> > >> > > our current answer to that is "don't do that then".
> > >> >
> > >> > Yes. virtio doesn't support that for a variety of other reasons,
> > >> > one of which is that it doesn't go through an mmu.
> > >> > Now, before someone sends a trivial patch converting it to
> > >> > mmu aware calls, that's not yet possible without teaching vhost
> > >> > and dataplane about MMU.
> > >>
> > >> Nested virt is really just one example for a userspace virtio driver.
> > >> Userspace shouldn't be able to kill the whole guest.
> > >>
> > >> Kevin
> > >
> > > Without an MMIO this is fundamentally unavoidable.
> >
> > s/MMIO/IOMMU/, I guess
Oops :) You are right.

> > Really? Why is it fundamentally impossible to put the device into an
> > error state when we detect invalid device use by the guest? Honest
> > question; please excuse my ignorance here...
>
> I think what Michael means is that without an IOMMU, a buggy or
> malicious userspace guest driver (which could be a nested VM, in fact)
> can always kill the guest kernel by DMAing to the right places.
>
> This is true, without an IOMMU the protection won't be perfect. But
> fixing what can easily be fixed is still an improvement and protects
> at least against some forms of buggy drivers. It doesn't immediately
> achieve the goal "userspace can't kill the guest", but it does bring
> us closer to it.
>
> Kevin

It's not just a question of being perfect.
Without an IOMMU VFIO does not work, period.
So it worries me that people talk about "protection" -
all this patchset does is make debugging guest drivers easier.
Which would be a very valid use-case, in my opinion.
Unfortunately as implemented the patchset just seems to
make debugging harder instead of easier.

-- 
MST
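The two halves of the argument above (what a device model can check on its own, and what only an IOMMU can enforce) can be shown with a small toy device model. This is an added example written for this thread; it is not code from the patchset under discussion or from QEMU, and the names (toy_dev, desc_in_guest_ram, desc_targets_guest_kernel, GUEST_RAM_SIZE, the guest kernel region) and the guest memory layout are constructed assumptions. The device validates each guest-supplied DMA descriptor against guest RAM and moves itself into an error state on bad input instead of taking the whole VM down; a descriptor that is in bounds but points at guest kernel memory passes that check, which is exactly the gap an IOMMU exists to close.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed guest layout for the example (assumptions, not QEMU's). */
#define GUEST_RAM_SIZE   (64u * 1024 * 1024)   /* 64 MiB of guest RAM      */
#define GUEST_KERNEL_LO  0x01000000u            /* where the guest kernel    */
#define GUEST_KERNEL_HI  0x02000000u            /* happens to live (made up) */

enum dev_state { DEV_OK = 0, DEV_ERROR = 1 };

/* A guest-supplied DMA descriptor: guest-physical address plus length. */
struct desc {
    uint64_t addr;
    uint32_t len;
};

/* Hypothetical device model state. */
struct toy_dev {
    enum dev_state state;
    uint64_t completed;   /* descriptors the device accepted */
};

/* The part a device model can check by itself: does the descriptor lie
 * entirely inside guest RAM? Written to be safe against address wrap-around,
 * so a huge addr or len cannot pass by overflowing the end computation. */
static bool desc_in_guest_ram(const struct desc *d)
{
    if (d->len == 0) {
        return false;                            /* treat empty as invalid */
    }
    if (d->addr >= GUEST_RAM_SIZE) {
        return false;                            /* starts past the end   */
    }
    if (d->len > GUEST_RAM_SIZE - d->addr) {
        return false;                            /* would run past the end */
    }
    return true;
}

/* Process one descriptor. Invalid device use by the guest driver puts the
 * device into an error state and stops further work; it does not abort the
 * emulator, so a bad driver cannot kill the whole guest this way. */
static int toy_dev_process(struct toy_dev *dev, const struct desc *d)
{
    if (dev->state == DEV_ERROR) {
        return -1;                               /* stays errored until reset */
    }
    if (!desc_in_guest_ram(d)) {
        dev->state = DEV_ERROR;
        return -1;
    }
    dev->completed++;                            /* would perform the DMA here */
    return 0;
}

/* The part a device model cannot fix: an in-bounds descriptor that overlaps
 * the guest kernel is indistinguishable from a legitimate one. Only an IOMMU
 * (per-device address translation set up by the guest kernel) can refuse it.
 * Call only on descriptors that already passed desc_in_guest_ram(), so the
 * end computation cannot wrap. */
static bool desc_targets_guest_kernel(const struct desc *d)
{
    uint64_t end = d->addr + d->len;
    return d->addr < GUEST_KERNEL_HI && end > GUEST_KERNEL_LO;
}

int main(void)
{
    struct toy_dev dev = { DEV_OK, 0 };
    struct desc good = { 0x100000, 4096 };                 /* ordinary buffer */
    struct desc oob  = { GUEST_RAM_SIZE, 16 };             /* past end of RAM */
    struct desc kern = { GUEST_KERNEL_LO + 0x1000, 4096 }; /* in RAM, in kernel */

    printf("good: rc=%d state=%d\n", toy_dev_process(&dev, &good), dev.state);
    printf("kernel target passes bounds check: %d, overlaps kernel: %d\n",
           desc_in_guest_ram(&kern), desc_targets_guest_kernel(&kern));
    printf("oob:  rc=%d state=%d\n", toy_dev_process(&dev, &oob), dev.state);
    printf("good after error: rc=%d\n", toy_dev_process(&dev, &good));
    return 0;
}
```

The bounds check corresponds to the "easily fixed" class Kevin describes: malformed descriptors are caught and the device fails closed. The kernel-overlap check is only a diagnostic in this toy; a real device has no way to know which guest-physical pages are the guest kernel, which is why the thread concludes that full "userspace can't kill the guest" protection needs an IOMMU.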