qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [virtio-dev] Re: [virtio-dev] [PATCH v3 0/7] Vhost-pci


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [virtio-dev] Re: [virtio-dev] [PATCH v3 0/7] Vhost-pci for inter-VM communication
Date: Thu, 14 Dec 2017 15:46:56 +0000
User-agent: Mutt/1.9.1 (2017-09-22)

On Wed, Dec 13, 2017 at 10:50:11PM +0100, Maxime Coquelin wrote:
> On 12/13/2017 09:08 PM, Stefan Hajnoczi wrote:
> > On Wed, Dec 13, 2017 at 3:01 PM, Michael S. Tsirkin <address@hidden> wrote:
> > > On Wed, Dec 13, 2017 at 12:35:21PM +0000, Stefan Hajnoczi wrote:
> > > > I'm not saying that DPDK should use libvhost-user.  I'm saying that it's
> > > > easy to add vfio vhost-pci support (for the PCI adapter I described) to
> > > > DPDK.  This patch series would require writing a completely new slave
> > > > for vhost-pci because the device interface is so different from
> > > > vhost-user.
> > > 
> > > The main question is how appropriate is the vhost user protocol
> > > for passing to guests. And I am not sure at this point.
> > > 
> > > Someone should go over vhost user messages and see whether they are safe
> > > to pass to guest. If most are then we can try the transparent approach.
> > > If most aren't then we can't and might as well use the proposed protocol
> > > which at least has code behind it.
> > 
> > I have done that:
> > 
> ...
> >   * VHOST_USER_SET_MEM_TABLE
> > 
> >     Set up BARs before sending a VHOST_USER_SET_MEM_TABLE to the guest.
> 
> It would require to filter out userspace_addr from the payload not to
> leak other QEMU process VAs to the guest.

QEMU's vhost-user master implementation is insecure because it leaks
QEMU process VAs.  This also affects vhost-user host processes, not just
vhost-pci.

The QEMU vhost-user master could send an post-IOMMU guest physical
addresses whereever the vhost-user protocol specification says "user
address".  That way no address space information is leaked although it
does leak IOMMU mappings.

If we want to hide the IOMMU mappings too then we need another logical
address space (kind a randomized ramaddr_t).

Anyway, my point is that the current vhost-user master implementation is
insecure and should be fixed.  vhost-pci doesn't need to worry about
this issue.

Stefan

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]