
Re: [kvm-devel] [Xen-devel] More virtio users



On Wednesday 13 June 2007, Caitlin Bestler wrote:
> 
> > It can be done, but you'd also need a passthrough for the
> > IOMMU in that case, and you get a potential security hole: if
> > a malicious guest is smart enough to figure out IOMMU
> > mappings from the device to memory owned by the host.
> > 
> If it is possible for a malicious guest to use the IOMMU
> to access memory that was not assigned to it then either
> the Hypervisor is not really a Hypervisor or the IOMMU
> is not really an IOMMU.

Unfortunately, most IOMMU implementations are not really
IOMMUs then, I guess ;-). To be safe, every PCI device
needs to have its own tagged DMA transfers, which essentially
boils down to having each device behind a separate PCI
host bridge, and that's not very likely to be done
on PC-style hardware.

Admittedly, I haven't seen many IOMMU implementations, but
the one I'm most familiar with (the one on the Cell
Broadband Engine) can only assign a local device on the
north bridge to one guest in a secure way, but an
entire PCI or PCIe host is treated as a single device
when seen from the IOMMU, so when one PCIe device has
a mapping to guest A, guest B can use MMIO access to
program another device on the same host to do DMA
into the buffer provided by guest A.

        Arnd <><

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
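The failure mode Arnd describes (an IOMMU that tags DMA only at host-bridge granularity, so a device assigned to guest B can reach a mapping installed for guest A's device on the same host) can be modelled in a few dozen lines. The following C program is an added example for this archive page, not code from Xen, KVM or the Cell Broadband Engine: the IOMMU, the bus/device/function identifiers, the guest numbers and the addresses are all constructed for illustration. It installs one mapping for guest A's device, then has a device on the same bus (guest B's) and a device on a different bridge issue DMA to that IOVA, under both per-device and per-host-bridge tagging.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Granularity at which this hypothetical IOMMU tags DMA transactions. */
enum iommu_gran { IOMMU_PER_DEVICE, IOMMU_PER_HOST_BRIDGE };

typedef struct { uint8_t bus, dev, fn; } pci_id;

typedef struct {
    pci_id   dev;      /* requester the hypervisor created the mapping for */
    int      owner;    /* guest whose memory is mapped */
    uint64_t iova;     /* device-visible (I/O virtual) address */
    uint64_t len;
    uint64_t paddr;    /* host-physical address backing the mapping */
} iommu_map;

#define MAX_MAPS 16
typedef struct {
    enum iommu_gran gran;
    iommu_map maps[MAX_MAPS];
    int nmaps;
} iommu;

/* Does a DMA from `req` hit a mapping installed for `owner_dev`?
 * With per-device tagging the full requester ID must match.  When the
 * IOMMU only distinguishes host bridges (modelled here as the bus
 * number), every device behind the same bridge shares one context. */
static bool tag_matches(const iommu *mmu, pci_id req, pci_id owner_dev)
{
    if (req.bus != owner_dev.bus)
        return false;
    if (mmu->gran == IOMMU_PER_HOST_BRIDGE)
        return true;
    return req.dev == owner_dev.dev && req.fn == owner_dev.fn;
}

/* Hypervisor side: install a mapping for a device assigned to `owner`. */
static int iommu_add_map(iommu *mmu, pci_id dev, int owner,
                         uint64_t iova, uint64_t len, uint64_t paddr)
{
    if (mmu->nmaps >= MAX_MAPS)
        return -1;
    mmu->maps[mmu->nmaps++] = (iommu_map){ dev, owner, iova, len, paddr };
    return 0;
}

/* Hardware side: translate a DMA issued by `req` to `iova`.  Returns true
 * and fills *paddr/*owner when a mapping matches the requester's tag;
 * false means the transaction faults (no translation for this requester). */
static bool iommu_translate(const iommu *mmu, pci_id req, uint64_t iova,
                            uint64_t *paddr, int *owner)
{
    for (int i = 0; i < mmu->nmaps; i++) {
        const iommu_map *m = &mmu->maps[i];
        if (!tag_matches(mmu, req, m->dev))
            continue;
        if (iova < m->iova || iova >= m->iova + m->len)
            continue;
        *paddr = m->paddr + (iova - m->iova);
        *owner = m->owner;
        return true;
    }
    return false;
}

enum { GUEST_A = 1, GUEST_B = 2 };

typedef struct { bool completed; bool cross_guest; } dma_result;

/* Scenario from the mail: the hypervisor maps a buffer of guest A for
 * guest A's device on PCIe bus 1.  Guest B then programs `attacker`
 * (a device it legitimately owns, via MMIO) to DMA to that same IOVA.
 * All addresses are hypothetical values chosen for the example. */
static dma_result rogue_dma(enum iommu_gran gran, pci_id attacker)
{
    iommu mmu;
    memset(&mmu, 0, sizeof mmu);
    mmu.gran = gran;

    pci_id dev_a = { 1, 0, 0 };               /* assigned to guest A */
    iommu_add_map(&mmu, dev_a, GUEST_A, 0x10000, 0x1000, 0x80000000ULL);

    uint64_t pa = 0;
    int owner = 0;
    bool ok = iommu_translate(&mmu, attacker, 0x10000, &pa, &owner);
    return (dma_result){ ok, ok && owner != GUEST_B };
}

int main(void)
{
    pci_id same_bridge  = { 1, 3, 0 };   /* guest B's device, same PCIe host */
    pci_id other_bridge = { 0, 2, 0 };   /* a device on a different bridge */
    dma_result r;

    r = rogue_dma(IOMMU_PER_HOST_BRIDGE, same_bridge);
    printf("host-bridge tagging, same bus:  completed=%d cross_guest=%d\n",
           r.completed, r.cross_guest);
    r = rogue_dma(IOMMU_PER_HOST_BRIDGE, other_bridge);
    printf("host-bridge tagging, other bus: completed=%d cross_guest=%d\n",
           r.completed, r.cross_guest);
    r = rogue_dma(IOMMU_PER_DEVICE, same_bridge);
    printf("per-device tagging, same bus:   completed=%d cross_guest=%d\n",
           r.completed, r.cross_guest);
    return 0;
}
```

With host-bridge tagging the DMA from guest B's device completes and lands in guest A's memory, exactly the hole Arnd describes; a device on a different bridge faults, which is why a device local to the north bridge can still be assigned safely. With per-device tagging the same attempt faults regardless of bus. The check a practitioner should take away is that "has an IOMMU" is not enough: the isolation boundary is the set of requester IDs that share a translation context, and that set must match the set of devices assigned to one guest.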