On Fri, 2015-11-20 at 10:21 +0200, Michael S. Tsirkin wrote: > > David, there are two things a hypervisor needs to tell the guest. > 1. The actual device is behind an IOMMU. This is what you > are suggesting we use DMAR for. > 2. Using IOMMU from kernel (as opposed to from userspace with VFIO) > actually adds security. For exising virtio devices on KVM, > the answer is no. And DMAR has no way to reflect that.
Using the IOMMU from the kernel *always* adds security. It protects against device driver (and device) bugs which can be made exploitable by allowing DMA to anywhere in the system. Sure, there are classes of that which are far more interesting, for example where you give the whole device to a guest and let it load the firmware. But "we trust the hypervisor" and "we trust the hardware" are not *so* far apart conceptually. Hell, with ATS you *still* have to trust the hardware to a large extent. I really think that something like the proposed DMA_ATTR_IOMMU_BYPASS should suffice for the "who cares about security; we want performance" case. -- dwmw2
smime.p7s
Description: S/MIME cryptographic signature