On Mon, 2013-06-17 at 08:39 +1000, Benjamin Herrenschmidt wrote:
> On Wed, 2013-06-05 at 16:11 +1000, Alexey Kardashevskiy wrote:
> > +long kvm_vm_ioctl_create_spapr_tce_iommu(struct kvm *kvm,
> > + struct kvm_create_spapr_tce_iommu *args)
> > +{
> > + struct kvmppc_spapr_tce_table *tt = NULL;
> > + struct iommu_group *grp;
> > + struct iommu_table *tbl;
> > +
> > + /* Find an IOMMU table for the given ID */
> > + grp = iommu_group_get_by_id(args->iommu_id);
> > + if (!grp)
> > + return -ENXIO;
> > +
> > + tbl = iommu_group_get_iommudata(grp);
> > + if (!tbl)
> > + return -ENXIO;
>
> So Alex Graf pointed out here, there is a security issue here, or are we
> missing something ?
>
> What prevents a malicious program that has access to /dev/kvm from
> taking over random iommu groups (including host used ones) that way?
>
> What is the security model of that whole iommu stuff to begin with ?
IOMMU groups themselves don't provide security, they're accessed by
interfaces like VFIO, which provide the security. Given a brief look, I
agree, this looks like a possible backdoor. The typical VFIO way to
handle this would be to pass a VFIO file descriptor here to prove that
the process has access to the IOMMU group. This is how /dev/vfio/vfio
gains the ability to setup an IOMMU domain an do mappings with the
SET_CONTAINER ioctl using a group fd. Thanks,
Alex
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
