2015-03-31 11:35 GMT+02:00 Burakov, Anatoly:
>
> > I think the whole process of VFIO binding maybe needs at least a second
> > thought regarding corner cases and security.
> >
> > 1) in the setup process, there currently is no mechanism that checks if the
> > device to be used has other devices
> iommu groups already exist before vfio-pci is loaded.
> The whole setup process as described in the VFIO documentation, where a
> PCIe device shares an iommu group with other devices, can therefore be
> automated. Some time ago I wrote a Ruby script that does exactly that
> (https://github.com/an
> I think the whole process of VFIO binding maybe needs at least a second
> thought regarding corner cases and security.
>
> 1) in the setup process, there currently is no mechanism that checks if the
> device to be used has other devices in the
> same iommu group that need to be bound to VFIO t
I think the whole process of VFIO binding maybe needs at least a second
thought regarding corner cases and security.
1) in the setup process, there currently is no mechanism that checks if the
device to be used has other devices in the same iommu group that need to be
bound to VFIO too. Otherwise
> > 3. Why depend on location of vfio module in kernel tree?
> > modprobe does the right thing and finds it.
> >
> > VFIO_PATH="kernel/drivers/vfio/pci/vfio-pci.ko"
> >
> > echo "Loading VFIO module"
> > /sbin/lsmod | grep -s vfio_pci > /dev/null
> > if [ $? -ne 0 ] ; then
> >
On Mon, 30 Mar 2015 13:35:07 -0700
Stephen Hemminger wrote:
> This code around vfio in setup script looks incorrect, is anyone using it:
>
> 1. Why set the execute bit, when you want read-write?
> Looks like a bug (or worse a security hole).
> # make sure regular users can read /dev/vfi
This code around vfio in setup script looks incorrect, is anyone using it:
1. Why set the execute bit, when you want read-write?
Looks like a bug (or worse a security hole).
# make sure regular users can read /dev/vfio
echo "chmod /dev/vfio"
sudo chmod a+x /dev/vfio
3.