lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 25 Nov 2021 13:04:25 +0100
From:   Gerd Hoffmann <kraxel@...hat.com>
To:     "Wang, Wei W" <wei.w.wang@...el.com>
Cc:     Jason Wang <jasowang@...hat.com>,
        "Yamahata, Isaku" <isaku.yamahata@...el.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        "srutherford@...gle.com" <srutherford@...gle.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "virtualization@...ts.linux-foundation.org" 
        <virtualization@...ts.linux-foundation.org>,
        "erdemaktas@...gle.com" <erdemaktas@...gle.com>,
        Stefan Hajnoczi <stefanha@...hat.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        "Kleen, Andi" <andi.kleen@...el.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>
Subject: Re: [RFC] hypercall-vsock: add a new vsock transport

On Thu, Nov 25, 2021 at 08:43:55AM +0000, Wang, Wei W wrote:
> On Thursday, November 25, 2021 2:38 PM, Jason Wang wrote:
> > > We thought about virtio-mmio. There are some barriers:
> > > 1) It wasn't originally intended for x86 machines. The only machine
> > > type in QEMU that supports it (to run on x86) is microvm. But
> > > "microvm" doesn’t support TDX currently, and adding this support might
> > need larger effort.
> > 
> > Can you explain why microvm needs larger effort? It looks to me it fits for TDX
> > perfectly since it has less attack surface.
> 
> The main thing is TDVF doesn’t support microvm so far (the based OVMF
> support for microvm is still under their community discussion).

Initial microvm support (direct kernel boot only) is merged in upstream
OVMF.  Better device support is underway: virtio-mmio patches are out
for review, patches for pcie support exist.

TDX patches for OVMF are under review upstream, I havn't noticed
anything which would be a blocker for microvm.  If it doesn't work
out-of-the-box it should be mostly wiring up things needed on guest
(ovmf) and/or host (qemu) side.

(same goes for sev btw).

> Do you guys think it is possible to add virtio-mmio support for q35?
> (e.g. create a special platform bus in some fashion for memory mapped devices)
> Not sure if the effort would be larger.

I'd rather explore the microvm path than making q35 even more
frankenstein than it already is.

Also the pcie host bridge is present in q35 no matter what, so one of
the reasons to use virtio-mmio ("we can reduce the attach surface by
turning off pcie") goes away.

take care,
  Gerd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ