From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [virtio-comment] [PATCH 5/6 Resend] Vhost-pci RFC: Future
 Security Enhancement
Date: Mon, 30 May 2016 08:23:47 +0200
Message-ID: <574BDC73.7070700@siemens.com>
References: <1464509494-159509-1-git-send-email-wei.w.wang@intel.com>
 <1464509494-159509-6-git-send-email-wei.w.wang@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
To: Wei Wang <wei.w.wang@intel.com>, kvm@vger.kernel.org,
	qemu-devel@nongnu.org, virtio-comment@lists.oasis-open.org,
	mst@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Return-path: <kvm-owner@vger.kernel.org>
Received: from david.siemens.de ([192.35.17.14]:50854 "EHLO david.siemens.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751093AbcE3GYD (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 30 May 2016 02:24:03 -0400
In-Reply-To: <1464509494-159509-6-git-send-email-wei.w.wang@intel.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 2016-05-29 10:11, Wei Wang wrote:
> Signed-off-by: Wei Wang <wei.w.wang@intel.com>
> ---
>  FutureWorks | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>  create mode 100644 FutureWorks
> 
> diff --git a/FutureWorks b/FutureWorks
> new file mode 100644
> index 0000000..210edcd
> --- /dev/null
> +++ b/FutureWorks
> @@ -0,0 +1,21 @@
> +The vhost-pci design is currently suitable for a group of VMs who trust each
> +other. To extend it to a more general use case, two security features can be
> +added in the future.

Sounds a bit like security is just "nice to have" in the foreseen use
cases of this mechanism. Is that really true?

> +
> +1 vIOMMU
> +vIOMMU provides the driver VM with the ability to restrict the device VM to
> +transiently access a specified portion of its memory. The vhost-pci design
> +proposed in this RFC can be extended to access the driver VM's memory with
> +vIOMMU. Precisely, the vIOMMU engine in the driver VM configures access
> +permissions (R/W) for the vhost-pci device to access its memory. More details
> +can be found at https://wiki.opnfv.org/display/kvm/Vm2vm+Mst and
> +https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03993.html

Do you have performance estimates on this approach already?

One challenge should be how to let the VMs reuse existing buffer
mappings so that the vIOMMU isn't continuously reprogrammed - which is
likely not very efficient.

The other is how to hand over packets/buffers in a chain of multiple
VMs. Ideally, there is already a hand-over from sender to the first
receiver so that the sender can no longer mess with the packet after the
receiver started processing it. However, that will work against efficiency.

Essentially, it's the old IPC question of remap vs. copy here. The rest
is "just" interfaces to exploit this elegantly.

> +
> +2 eptp switching
> +The idea of eptp swithing allows a vhost-pci device driver to access the mapped
> +driver VM's memory in an alternative view, where only a piece of trusted code
> +can access the driver VM's memory. More details can be found at
> +http://events.linuxfoundation.org/sites/events/files/slides/
> +Jun_Nakajima_NFV_KVM%202015_final.pdf

As we learned a while back, this one is not really secure. Any updates
on if/how this is going to be fixed?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux

From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35563)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1b7GcO-0006kO-K5
	for qemu-devel@nongnu.org; Mon, 30 May 2016 02:24:05 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1b7GcI-0001oI-JD
	for qemu-devel@nongnu.org; Mon, 30 May 2016 02:24:03 -0400
Received: from david.siemens.de ([192.35.17.14]:34359)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jan.kiszka@siemens.com>) id 1b7GcI-0001m3-8I
	for qemu-devel@nongnu.org; Mon, 30 May 2016 02:23:58 -0400
References: <1464509494-159509-1-git-send-email-wei.w.wang@intel.com>
	<1464509494-159509-6-git-send-email-wei.w.wang@intel.com>
From: Jan Kiszka <jan.kiszka@siemens.com>
Message-ID: <574BDC73.7070700@siemens.com>
Date: Mon, 30 May 2016 08:23:47 +0200
MIME-Version: 1.0
In-Reply-To: <1464509494-159509-6-git-send-email-wei.w.wang@intel.com>
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [virtio-comment] [PATCH 5/6 Resend] Vhost-pci RFC:
 Future Security Enhancement
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Wei Wang <wei.w.wang@intel.com>, kvm@vger.kernel.org, qemu-devel@nongnu.org, virtio-comment@lists.oasis-open.org, mst@redhat.com, stefanha@redhat.com, pbonzini@redhat.com

On 2016-05-29 10:11, Wei Wang wrote:
> Signed-off-by: Wei Wang <wei.w.wang@intel.com>
> ---
>  FutureWorks | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>  create mode 100644 FutureWorks
> 
> diff --git a/FutureWorks b/FutureWorks
> new file mode 100644
> index 0000000..210edcd
> --- /dev/null
> +++ b/FutureWorks
> @@ -0,0 +1,21 @@
> +The vhost-pci design is currently suitable for a group of VMs who trust each
> +other. To extend it to a more general use case, two security features can be
> +added in the future.

Sounds a bit like security is just "nice to have" in the foreseen use
cases of this mechanism. Is that really true?

> +
> +1 vIOMMU
> +vIOMMU provides the driver VM with the ability to restrict the device VM to
> +transiently access a specified portion of its memory. The vhost-pci design
> +proposed in this RFC can be extended to access the driver VM's memory with
> +vIOMMU. Precisely, the vIOMMU engine in the driver VM configures access
> +permissions (R/W) for the vhost-pci device to access its memory. More details
> +can be found at https://wiki.opnfv.org/display/kvm/Vm2vm+Mst and
> +https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03993.html

Do you have performance estimates on this approach already?

One challenge should be how to let the VMs reuse existing buffer
mappings so that the vIOMMU isn't continuously reprogrammed - which is
likely not very efficient.

The other is how to hand over packets/buffers in a chain of multiple
VMs. Ideally, there is already a hand-over from sender to the first
receiver so that the sender can no longer mess with the packet after the
receiver started processing it. However, that will work against efficiency.

Essentially, it's the old IPC question of remap vs. copy here. The rest
is "just" interfaces to exploit this elegantly.

> +
> +2 eptp switching
> +The idea of eptp swithing allows a vhost-pci device driver to access the mapped
> +driver VM's memory in an alternative view, where only a piece of trusted code
> +can access the driver VM's memory. More details can be found at
> +http://events.linuxfoundation.org/sites/events/files/slides/
> +Jun_Nakajima_NFV_KVM%202015_final.pdf

As we learned a while back, this one is not really secure. Any updates
on if/how this is going to be fixed?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux