On Tue, Apr 01, 2008 at 06:18:07PM +0100, Daniel P. Berrange wrote:
> and very few application domains are allowed to access them. The KVM/QEMU
> policy will not allow this for example. Basically on the X server, HAL and
> dmidecode have access in current policy. It would be undesirable to have to
> all KVM guests full access to /dev/mem, so a more fine grained access method
> would have benefits here. 

But pci-passthrough can give a root on the host even to the ring0
guest, just like /dev/mem without VT-d, so there's not much difference
with using /dev/mem as far as security is concerned. Only on the CPUs
including VT-d it's possible to retain a mostly equivalent security
level despite pci-passthrough.

_______________________________________________
kvm-devel mailing list
kvm-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kvm-devel
