Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid re
From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid request in virtio-blk and virtio-scsi
Date: Sun, 27 Apr 2014 11:17:48 +0300

On Fri, Apr 25, 2014 at 10:17:36AM +0200, Kevin Wolf wrote:
> On 25.04.2014 at 08:29, Markus Armbruster wrote:
> > "Michael S. Tsirkin" <address@hidden> writes:
> >
> > > On Thu, Apr 24, 2014 at 12:43:56PM +0200, Kevin Wolf wrote:
> > >> On 24.04.2014 at 09:55, Michael S. Tsirkin wrote:
> > >> > On Thu, Apr 24, 2014 at 09:15:25AM +0200, Markus Armbruster wrote:
> > >> > > If I remember correctly, the DOS involved passthrough of a virtual
> > >> > > device to a nested guest or something like that. Guest killing itself
> > >> > > is unexciting, nested guest killing its host qualifies as DOS. I guess
> > >> > > our current answer to that is "don't do that then".
> > >> >
> > >> > Yes. virtio doesn't support that for a variety of other reasons,
> > >> > one of which is that it doesn't go through an mmu.
> > >> > Now, before someone sends a trivial patch converting it to
> > >> > mmu aware calls, that's not yet possible without teaching vhost
> > >> > and dataplane about MMU.
> > >>
> > >> Nested virt is really just one example for a userspace virtio driver.
> > >> Userspace shouldn't be able to kill the whole guest.
> > >>
> > >> Kevin
> > >
> > > Without an MMIO this is fundamentally unavoidable.
>
> s/MMIO/IOMMU/, I guess
Oops :) You are right.
> > Really? Why is it fundamentally impossible to put the device into an
> > error state when we detect invalid device use by the guest? Honest
> > question; please excuse my ignorance here...
>
> I think what Michael means is that without an IOMMU, a buggy or
> malicious userspace guest driver (which could be a nested VM, in fact)
> can always kill the guest kernel by DMAing to the right places.
>
> This is true, without an IOMMU the protection won't be perfect. But
> fixing what can easily be fixed is still an improvement and protects
> at least against some forms of buggy drivers. It doesn't immediately
> achieve the goal "userspace can't kill the guest", but it does bring
> us closer to it.
>
> Kevin
It's not just a question of being perfect. Without an IOMMU
VFIO does not work, period.
So it worries me that people talk about "protection" - all this patchset
does is make debugging guest drivers easier.
Which would be a very valid use-case, in my opinion.
Unfortunately as implemented the patchset just seems to make debugging
harder instead of easier.
--
MST
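
Added illustration, not part of this thread or of the patch series it discusses: a toy device model that latches an error state on an invalid guest request, as asked about in the quoted question, instead of calling exit(1). All names (toy_dev, toy_req, toy_handle, toy_reset) and the sample request are hypothetical, not QEMU code. It does nothing about the DMA problem described above, which needs an IOMMU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy device model; none of these names are QEMU's. */
#define GUEST_MEM_SIZE 4096u

struct toy_dev {
    uint8_t guest_mem[GUEST_MEM_SIZE]; /* stands in for guest RAM */
    bool broken;                       /* latched error state */
    unsigned completed;                /* requests served so far */
};

struct toy_req { uint64_t addr; uint32_t len; }; /* guest-supplied */

enum toy_status { TOY_OK = 0, TOY_INVALID = -1, TOY_BROKEN = -2 };

/* Overflow-safe check that [addr, addr + len) lies inside guest memory. */
static bool req_in_bounds(const struct toy_req *r)
{
    return r->len != 0 && r->addr < GUEST_MEM_SIZE &&
           r->len <= GUEST_MEM_SIZE - r->addr;
}

/* An invalid request is logged and latches the error state; the process,
 * and with it the whole guest, keeps running. */
enum toy_status toy_handle(struct toy_dev *d, const struct toy_req *r)
{
    if (d->broken)
        return TOY_BROKEN;             /* refuse work until reset */
    if (!req_in_bounds(r)) {
        fprintf(stderr, "toy_dev: invalid request addr=0x%llx len=%u\n",
                (unsigned long long)r->addr, r->len);
        d->broken = true;              /* instead of exit(1) */
        return TOY_INVALID;
    }
    d->guest_mem[r->addr] ^= 0xff;     /* stand-in for the real I/O */
    d->completed++;
    return TOY_OK;
}

/* Driver-initiated reset clears the latched error. */
void toy_reset(struct toy_dev *d) { d->broken = false; }

int main(void)
{
    static struct toy_dev d;                         /* zero-initialised */
    struct toy_req bad = { GUEST_MEM_SIZE - 4, 16 }; /* constructed sample */
    int first = toy_handle(&d, &bad);
    int second = toy_handle(&d, &bad);
    printf("first=%d second=%d\n", first, second);
    return 0;
}
```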