On Wednesday 13 June 2007, Caitlin Bestler wrote: > > > It can be done, but you'd also need a passthrough for the > > IOMMU in that case, and you get a potential security hole: if > > a malicious guest is smart enough to figure out IOMMU > > mappings from the device to memory owned by the host. > > > If it is possible for a malicious guess to use the IOMMU > to access memory that was not assigned to it then either > the Hypervisor is not really a Hypervisor or the IOMMU > is not really an IOMMU.
Unfortunately, most IOMMU implementations are not really IOMMUs then, I guess ;-). To be safe, every PCI device needs to have its own tagged DMA transfers, which essentially boils down to having each device behind a separate PCI host bridge, and that's not very likely to be done on PC style hardware. Admittedly, I haven't seen many IOMMU implementations, but the one I'm most familiar with (the one on the Cell Broadband Engine) can only assign a local device on the north bridge to one guest in a secure way, but an entire PCI or PCIe host is treated as a single device when seen from the IOMMU, so when one PCIe device has a mapping to guest A, guest B can use MMIO access to program another device on the same host to do DMA into the buffer provided by guest A. Arnd <>< ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ kvm-devel mailing list kvm-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/kvm-devel