| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180806233024-mutt-send-email-mst@kernel.org>
Date: Mon, 6 Aug 2018 23:35:39 +0300
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Benjamin Herrenschmidt <benh@...nel.crashing.org>
Cc: Christoph Hellwig <hch@...radead.org>,
Will Deacon <will.deacon@....com>,
Anshuman Khandual <khandual@...ux.vnet.ibm.com>,
virtualization@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
aik@...abs.ru, robh@...nel.org, joe@...ches.com,
elfring@...rs.sourceforge.net, david@...son.dropbear.id.au,
jasowang@...hat.com, mpe@...erman.id.au, linuxram@...ibm.com,
haren@...ux.vnet.ibm.com, paulus@...ba.org,
srikar@...ux.vnet.ibm.com, robin.murphy@....com,
jean-philippe.brucker@....com, marc.zyngier@....com
Subject: Re: [RFC 0/4] Virtio uses DMA API for all devices
On Tue, Aug 07, 2018 at 05:56:59AM +1000, Benjamin Herrenschmidt wrote:
> On Mon, 2018-08-06 at 16:46 +0300, Michael S. Tsirkin wrote:
> >
> > > Right, we'll need some quirk to disable balloons in the guest I
> > > suppose.
> > >
> > > Passing something from libvirt is cumbersome because the end user may
> > > not even need to know about secure VMs. There are use cases where the
> > > security is a contract down to some special application running inside
> > > the secure VM, the sysadmin knows nothing about.
> > >
> > > Also there's repercussions all the way to admin tools, web UIs etc...
> > > so it's fairly wide ranging.
> > >
> > > So as long as we only need to quirk a couple of devices, it's much
> > > better contained that way.
> >
> > So just the balloon thing already means that yes management and all the
> > way to the user tools must know this is going on. Otherwise
> > user will try to inflate the balloon and wonder why this does not work.
>
> There is *dozens* of management systems out there, not even all open
> source, we won't ever be able to see the end of the tunnel if we need
> to teach every single of them, including end users, about platform
> specific new VM flags like that.
>
> .../...
In the end I suspect you will find you have to.
> > Here's another example: you can't migrate a secure vm to hypervisor
> > which doesn't support this feature. Again management tools above libvirt
> > need to know otherwise they will try.
>
> There will have to be a new machine type for that I suppose, yes,
> though it's not just the hypervisor that needs to know about the
> modified migration stream, it's also the need to have a compatible
> ultravisor with the right keys on the other side.
>
> So migration is going to be special and require extra admin work in all
> cases yes. But not all secure VMs are meant to be migratable.
>
> In any case, back to the problem at hand. What a qemu flag gives us is
> just a way to force iommu at VM creation time.
I don't think a qemu flag is strictly required for a problem at hand.
> This is rather sub-optimal, we don't really want the iommu in the way,
> so it's at best a "workaround", and it's not really solving the real
> problem.
This specific problem, I think I agree.
> As I said replying to Christoph, we are "leaking" into the interface
> something here that is really what's the VM is doing to itself, which
> is to stash its memory away in an inaccessible place.
>
> Cheers,
> Ben.
I think Christoph merely objects to the specific implementation. If
instead you do something like tweak dev->bus_dma_mask for the virtio
device I think he won't object.
--
MST
Powered by blists - more mailing lists