All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alex Williamson <alex.williamson@redhat.com>
To: Ilya Lesokhin <ilyal@mellanox.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
	"bhelgaas@google.com" <bhelgaas@google.com>,
	"Noa Osherovich" <noaos@mellanox.com>,
	Haggai Eran <haggaie@mellanox.com>,
	"Or Gerlitz" <ogerlitz@mellanox.com>,
	Liran Liss <liranl@mellanox.com>
Subject: Re: [PATCH v2 0/2] VFIO SRIOV support
Date: Tue, 21 Jun 2016 09:45:37 -0600	[thread overview]
Message-ID: <20160621094537.4416cbce@t450s.home> (raw)
In-Reply-To: <VI1PR0501MB19680B7AF4C02D4FFC5874A9D42B0@VI1PR0501MB1968.eurprd05.prod.outlook.com>

On Tue, 21 Jun 2016 07:19:14 +0000
Ilya Lesokhin <ilyal@mellanox.com> wrote:

> Why is the need for admin privileges not enough to make it safe?

Seems like an opportunity for a phishing attempt, an exploited VM
generates VFs and hopes that they get assigned to other VMs or put to
other uses.  It simply allows one VM to create resources that are
really not tied to that VM and can easily be mis-used in other ways,
potentially even with the assumption that it's secure.

> What's the difference between the following?
> 	1. A PF is assigned to one user and the admin assigns one of it VFs to a different user.
> 	2. The admin assign the main network interface of the machine to a VM and bring down all the connectivity of the host.

In case 1. does the admin realize what they've done?  How?  Maybe they
just start filing bugs when they shutdown the PF assigned VM or even
just reboot it and the VF assigned VM no longer has connectivity.  A  
typical user might just think "hey cool, now I can assign PFs and VFs"
w/o considering the implications of that.  There are aspects of
the host that we need to trust, allowing another VM to hold some
of that trust is not such an obvious thing.  Clearly in case 2. the
admin is going to pretty quickly figure out that they've done something
terribly wrong.
 
> Indeed we don't address clean up, but we didn't see any adverse effect from the VFs remaining probed by the VFIO driver after the VM is shutdown.

Yet that's clearly not the state the PF was in when assigned and those
VFs have no cleanup mechanism.  This is a big problem.

> Would you be willing to accept this feature under some kconfig option or if it was allowed only for Privileged processes?
> I would hate to throw this feature away just because we can't address every corner case.

I'm not willing to accept half baked features and letting them bitrot
under a config option that doesn't get regular use doesn't help.  If
this is really that useful to you then make it safe and predictable.  I
don't have answers to all the issues this generates, it might require
extensions to driver APIs or new mechanisms for vfio to associate device
ownership.  There might be valid use cases for a user owned PF sourcing
VFs owned by other users, but obviously to me it sounds like a rats
nest of security issues and "because we can" and "useful development
tool" are not resounding motives for me to sign up trying to support
it.  Thanks,

Alex

  reply	other threads:[~2016-06-21 15:47 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-19 12:16 [PATCH v2 0/2] VFIO SRIOV support Ilya Lesokhin
2016-06-19 12:16 ` [PATCH v2 1/2] PCI: Extend PCI IOV API Ilya Lesokhin
2016-06-19 14:10   ` kbuild test robot
2016-06-19 12:16 ` [PATCH v2 2/2] VFIO: Add support for SR-IOV extended capablity Ilya Lesokhin
2016-06-19 23:07   ` kbuild test robot
2016-06-20 17:37 ` [PATCH v2 0/2] VFIO SRIOV support Alex Williamson
2016-06-21  7:19   ` Ilya Lesokhin
2016-06-21 15:45     ` Alex Williamson [this message]
2016-07-14 14:53       ` Ilya Lesokhin
2016-07-14 17:03         ` Alex Williamson
2016-07-17 10:05           ` Haggai Eran
2016-07-18 21:34             ` Alex Williamson
2016-07-19  7:06               ` Tian, Kevin
2016-07-19 15:10                 ` Alex Williamson
2016-07-19 19:43                   ` Alex Williamson
2016-07-21  5:51                     ` Tian, Kevin
2016-07-25  7:53                     ` Haggai Eran
2016-07-25 15:07                       ` Alex Williamson
2016-07-25 15:34                         ` Ilya Lesokhin
2016-07-25 15:58                           ` Alex Williamson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160621094537.4416cbce@t450s.home \
    --to=alex.williamson@redhat.com \
    --cc=bhelgaas@google.com \
    --cc=haggaie@mellanox.com \
    --cc=ilyal@mellanox.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=liranl@mellanox.com \
    --cc=noaos@mellanox.com \
    --cc=ogerlitz@mellanox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.