Hi Pablo,

On (Fri) May 29 2009 [11:41:58], Passera, Pablo R wrote:
> Hi Amit,
> 
>         Please correct me if I am wrong, but the fact that the PVDMA module 
> is located in the guest imposes a security problem. So, if someone in the 
> guest has root access, he could modify the PVDMA module and then corrupt the 
> host memory. Because of this the guest has to be trusted. I had an idea that 
> I would like to check with you to see if this is feasible.

This indeed is possible. A combination of an IOMMU along with PVDMA will
prevent this. The host can program the IOMMU to only allow guests to
access specific memory areas.

>         What if I need pci passthrough in a known hardware platform where I 
> know all the pci hardware devices, could I intercept the DMA commands to 
> these PCI devices at qemu level and then do the translation from pseudo 
> physical to physical memory address at that level? Since I know which are the 
> devices present in the platform, I also know which are the PCI commands to 
> configure the DMA transfers in the PCI device. Before forwarding this to the 
> real PCI I could change the memory address to a physical one.

The way device assignment works is you hand over the device to the guest
completely. The guest then programs the device registers for the DMA
addresses. If you modify qemu to intercept the MMIO for assigned devices
(this was what was done in very initial device assignment code, even
before it got merged) and verify that the addresses that are being
written to the device dma registers are from the accepted range, you can
provide the necessary security (for this case at least).

                Amit

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
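An added illustration of the approach Amit describes (intercepting MMIO writes to an assigned device's DMA registers and checking the programmed range) combined with the pseudo-physical to physical translation Pablo proposes; this is example code written for this page, not code from the thread, qemu or KVM. The accepted-region layout, the register offsets and the names `pvdma_translate`, `shadow_dma` and `mmio_write` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
/* A guest range the host pinned and accepts as a DMA target for this device:
 * guest-physical [gpa, gpa+len) backs host-physical [hpa, hpa+len).
 * Constructed layout for the example, not a real platform's. */
typedef struct { uint64_t gpa, hpa, len; } dma_region;
static const dma_region accepted[] = {
    { 0x10000000ULL, 0x7f000000ULL, 0x00100000ULL },  /* 1 MiB buffer pool */
    { 0x20000000ULL, 0xa0000000ULL, 0x00010000ULL },  /* 64 KiB ring       */
};
#define PVDMA_REJECTED UINT64_MAX  /* sentinel: must not reach the hardware */

/* Check the (address, length) the guest programmed and translate the base to
 * host-physical. The transfer must lie entirely inside one accepted region;
 * the comparisons never compute gpa + len, so a huge length cannot wrap past
 * the bound. Returns PVDMA_REJECTED when the request is refused. */
uint64_t pvdma_translate(uint64_t gpa, uint64_t len)
{
    if (len == 0) return PVDMA_REJECTED;
    for (size_t i = 0; i < sizeof accepted / sizeof accepted[0]; i++) {
        const dma_region *r = &accepted[i];
        if (gpa < r->gpa) continue;
        uint64_t off = gpa - r->gpa;         /* cannot underflow: gpa >= r->gpa */
        if (off >= r->len || len > r->len - off) continue;  /* past end/spills */
        return r->hpa + off;
    }
    return PVDMA_REJECTED;
}

/* Emulator-side shadow of the device's DMA registers. Address and length
 * writes are only recorded; the real register is written on the "kick",
 * and only with a value that passed the check above. */
typedef struct { uint64_t addr; uint32_t len; unsigned rejected; } shadow_dma;
enum { REG_DMA_ADDR = 0x00, REG_DMA_LEN = 0x08, REG_DMA_KICK = 0x0c };
/* Intercepted MMIO write. Returns the host-physical address to forward on a
 * kick, PVDMA_REJECTED if refused, or 0 for a write that was only shadowed. */
uint64_t mmio_write(shadow_dma *d, uint32_t reg, uint64_t val)
{
    uint64_t hpa;
    switch (reg) {
    case REG_DMA_ADDR: d->addr = val;           return 0;
    case REG_DMA_LEN:  d->len  = (uint32_t)val; return 0;
    case REG_DMA_KICK:
        hpa = pvdma_translate(d->addr, d->len);
        if (hpa == PVDMA_REJECTED) d->rejected++;  /* for host-side logging */
        return hpa;
    default: return 0;                             /* other registers pass through */
    }
}
```

The `rejected` counter is the hook a host would wire to its logging: a guest that repeatedly programs addresses outside its pinned regions is exactly the misbehaving-root case the thread is worried about, and the refusal is visible to the host without trusting the guest.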
