
Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid re


From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid request in virtio-blk and virtio-scsi
Date: Sun, 27 Apr 2014 11:17:48 +0300

On Fri, Apr 25, 2014 at 10:17:36AM +0200, Kevin Wolf wrote:
> Am 25.04.2014 um 08:29 hat Markus Armbruster geschrieben:
> > "Michael S. Tsirkin" <address@hidden> writes:
> > 
> > > On Thu, Apr 24, 2014 at 12:43:56PM +0200, Kevin Wolf wrote:
> > >> Am 24.04.2014 um 09:55 hat Michael S. Tsirkin geschrieben:
> > >> > On Thu, Apr 24, 2014 at 09:15:25AM +0200, Markus Armbruster wrote:
> > >> > > If I remember correctly, the DOS involved passthrough of a virtual
> > >> > > device to a nested guest or something like that.  Guest killing itself
> > >> > > is unexciting, nested guest killing its host qualifies as DOS.  I guess
> > >> > > our current answer to that is "don't do that then".
> > >> > 
> > >> > Yes.  virtio doesn't support that for a variety of other reasons,
> > >> > one of which is that it doesn't go through an mmu.
> > >> > Now, before someone sends a trivial patch converting it to
> > >> > mmu aware calls, that's not yet possible without teaching vhost
> > >> > and dataplane about MMU.
> > >> 
> > >> Nested virt is really just one example for a userspace virtio driver.
> > >> Userspace shouldn't be able to kill the whole guest.
> > >> 
> > >> Kevin
> > >
> > > Without an MMIO this is fundamentally unavoidable.
> 
> s/MMIO/IOMMU/, I guess

Oops :) You are right.

> > Really?  Why is it fundamentally impossible to put the device into an
> > error state when we detect invalid device use by the guest?  Honest
> > question; please excuse my ignorance here...
> 
> I think what Michael means is that without an IOMMU, a buggy or
> malicious userspace guest driver (which could be a nested VM, in fact)
> can always kill the guest kernel by DMAing to the right places.
> 
> This is true, without an IOMMU the protection won't be perfect. But
> fixing what can easily be fixed is still an improvement and protects
> at least against some forms of buggy drivers. It doesn't immediately
> achieve the goal "userspace can't kill the guest", but it does bring
> us closer to it.
> 
> Kevin

It's not just a question of being perfect. Without an IOMMU
VFIO does not work, period.

So it worries me that people talk about "protection" - all this patchset
does is make debugging guest drivers easier.

Which would be a very valid use-case, in my opinion.

Unfortunately as implemented the patchset just seems to make debugging
harder instead of easier.


-- 
MST
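The thread above debates whether a device model should answer an invalid guest request by calling exit(1) or by putting the device into an error state, and notes that without an IOMMU such checks cannot stop a misbehaving driver from DMAing wherever it likes. The following is an added illustration of the "error state" approach, written for this page; it is not QEMU code and not the patchset under discussion. The structures, names (virtio_blk_model, blk_request_valid, virtio_blk_read, virtio_blk_scenario) and limits (a 4 KiB "guest memory", an 8-sector disk) are assumptions chosen for the example. It checks only what the device model can see, namely that a posted buffer lies inside guest memory and the sector range lies on the disk, and on failure latches a broken flag and refuses further requests while the process keeps running.

```c
/* Added illustration (not QEMU code): a toy virtio-blk-style request
 * handler that answers a malformed request by putting the device into
 * an error state instead of calling exit(1).  Names, structures and
 * limits (guest memory size, disk size) are assumptions for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 4096u           /* assumed size of "guest RAM" */
#define SECTOR_SIZE    512u
#define DISK_SECTORS   8u

/* Device state: backing store, a buffer standing in for guest memory,
 * and a "broken" flag that latches once an invalid request is seen. */
typedef struct {
    uint8_t guest_mem[GUEST_MEM_SIZE];
    uint8_t disk[DISK_SECTORS * SECTOR_SIZE];
    bool broken;
    unsigned rejected;                  /* requests refused so far */
} virtio_blk_model;

void virtio_blk_init(virtio_blk_model *dev)
{
    memset(dev, 0, sizeof *dev);
    for (unsigned i = 0; i < sizeof dev->disk; i++)
        dev->disk[i] = (uint8_t)(i / SECTOR_SIZE + 1);   /* sector n holds n+1 */
}

/* Pure validation of what a driver posted: the data buffer must lie
 * entirely inside guest memory (no wraparound) and the sector range
 * must lie on the disk.  The unsigned comparisons are arranged so that
 * no addition can overflow. */
bool blk_request_valid(uint32_t addr, uint32_t len, uint32_t sector)
{
    if (len == 0 || len % SECTOR_SIZE != 0)
        return false;
    if (addr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - addr)
        return false;
    uint32_t nsectors = len / SECTOR_SIZE;
    if (sector >= DISK_SECTORS || nsectors > DISK_SECTORS - sector)
        return false;
    return true;
}

/* Returns 0 on success, -1 if the request was refused.  A bad request
 * marks the device broken; a broken device refuses everything after
 * that, but the process (and therefore the VM) keeps running. */
int virtio_blk_read(virtio_blk_model *dev, uint32_t addr, uint32_t len,
                    uint32_t sector)
{
    if (dev->broken) {
        dev->rejected++;
        return -1;
    }
    if (!blk_request_valid(addr, len, sector)) {
        fprintf(stderr, "virtio-blk: invalid request addr=%u len=%u sector=%u; "
                        "device now in error state\n", addr, len, sector);
        dev->broken = true;
        dev->rejected++;
        return -1;
    }
    memcpy(dev->guest_mem + addr, dev->disk + (size_t)sector * SECTOR_SIZE, len);
    return 0;
}

/* Scenario: a valid read, then a read whose buffer runs past guest
 * memory, then another valid read that must now be refused.  Returns a
 * bitmask of which of the three expectations held (7 = all of them). */
int virtio_blk_scenario(void)
{
    static virtio_blk_model dev;        /* static so the example ignores stack limits */
    int ok = 0;
    virtio_blk_init(&dev);

    if (virtio_blk_read(&dev, 0, 512, 2) == 0 && dev.guest_mem[0] == 3 &&
        dev.guest_mem[511] == 3)
        ok |= 1;                        /* sector 2 landed at guest address 0 */
    if (virtio_blk_read(&dev, GUEST_MEM_SIZE - 256, 512, 0) == -1 && dev.broken)
        ok |= 2;                        /* overlong buffer refused, device broken */
    if (virtio_blk_read(&dev, 0, 512, 0) == -1 && dev.rejected == 2 &&
        dev.guest_mem[0] == 3)
        ok |= 4;                        /* broken device refuses; memory untouched */
    return ok;
}

int main(void)
{
    printf("scenario result: %d (7 means every expectation held)\n",
           virtio_blk_scenario());
    return 0;
}
```

The validation is kept in a pure function so it can be unit-tested apart from device state, and the broken flag is latched rather than cleared so that a driver cannot keep probing after its first invalid request. As the thread points out, this only covers requests the device model interprets itself; it does not, and cannot, prevent a driver from DMAing to arbitrary addresses when no IOMMU sits in the path.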


