On Wed, Jan 07, 2009 at 01:26:05PM -0600, Anthony Liguori wrote:
Gleb Natapov wrote:
On Wed, Jan 07, 2009 at 11:54:29AM -0600, Anthony Liguori wrote:
Anthony Liguori wrote:
That is for secure guest<->host communication over network. Guest has to
know somehow which link host uses for communication. If guest has no way
to know this, another computer on untrusted network can pretend
it is real
host and "own" a guest.
So this is for vmchannel? How do you differentiate a real device
with that bit set compared to the vmchannel device?
Like if you were doing PCI passthrough of an e1000...
It's not just one bit. It is 14 byte string. We can put something unique there.
This is for vmchannel? Why not add a feature to virtio-net?
Yes. This is for vmchannel. Or any other management solution that work
over network. It has to know what network it can trust. The alternative
is much more complex (security certificates, etc). Why do it virtio-net
specific? What's wrong with more general solution?