qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [virtio-dev] Re: [virtio-dev] [PATCH v3 0/7] Vhost-pci

From: Maxime Coquelin
Subject: Re: [Qemu-devel] [virtio-dev] Re: [virtio-dev] [PATCH v3 0/7] Vhost-pci for inter-VM communication
Date: Thu, 14 Dec 2017 17:39:19 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 


On 12/14/2017 05:27 PM, Michael S. Tsirkin wrote:

On Thu, Dec 14, 2017 at 03:46:56PM +0000, Stefan Hajnoczi wrote:

On Wed, Dec 13, 2017 at 10:50:11PM +0100, Maxime Coquelin wrote:

On 12/13/2017 09:08 PM, Stefan Hajnoczi wrote:

On Wed, Dec 13, 2017 at 3:01 PM, Michael S. Tsirkin <address@hidden> wrote:

On Wed, Dec 13, 2017 at 12:35:21PM +0000, Stefan Hajnoczi wrote:

I'm not saying that DPDK should use libvhost-user.  I'm saying that it's
easy to add vfio vhost-pci support (for the PCI adapter I described) to
DPDK.  This patch series would require writing a completely new slave
for vhost-pci because the device interface is so different from
vhost-user.


The main question is how appropriate is the vhost user protocol
for passing to guests. And I am not sure at this point.

Someone should go over vhost user messages and see whether they are safe
to pass to guest. If most are then we can try the transparent approach.
If most aren't then we can't and might as well use the proposed protocol
which at least has code behind it.


I have done that:


...

   * VHOST_USER_SET_MEM_TABLE

     Set up BARs before sending a VHOST_USER_SET_MEM_TABLE to the guest.


It would require to filter out userspace_addr from the payload not to
leak other QEMU process VAs to the guest.


QEMU's vhost-user master implementation is insecure because it leaks
QEMU process VAs.  This also affects vhost-user host processes, not just
vhost-pci.

The QEMU vhost-user master could send an post-IOMMU guest physical
addresses whereever the vhost-user protocol specification says "user
address".  That way no address space information is leaked although it
does leak IOMMU mappings.

If we want to hide the IOMMU mappings too then we need another logical
address space (kind a randomized ramaddr_t).

Anyway, my point is that the current vhost-user master implementation is
insecure and should be fixed.  vhost-pci doesn't need to worry about
this issue.

Stefan


I was going to make this point too.  It does not look like anyone uses
userspace_addr. It might have been a mistake to put it there -
maybe we should have reused it for map offset.

It does not look like anyone uses this for anything.

How about we put zero, or a copy of the GPA there?




It is used when no iommu for the ring addresses, and when iommu is used
for the IOTLB update messages.

Maxime
reply via email to
[Prev in Thread] Current Thread [Next in Thread]