From: David Stevens <stevensd@chromium.org>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Dylan Reid" <dgreid@chromium.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Zach Reizner" <zachr@chromium.org>,
"Geoffrey McRae" <geoff@hostfission.com>,
"Keiichi Watanabe" <keiichiw@chromium.org>,
"Dmitry Morozov" <dmitry.morozov@opensynergy.com>,
"Alexandre Courbot" <acourbot@chromium.org>,
"Alex Lau" <alexlau@chromium.org>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Pawel Osciak" <posciak@chromium.org>,
"Hans Verkuil" <hverkuil@xs4all.nl>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Linux Media Mailing List" <linux-media@vger.kernel.org>,
virtio-dev@lists.oasis-open.org,
qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [virtio-dev] Re: guest / host buffer sharing ...
Date: Thu, 12 Dec 2019 21:26:32 +0900 [thread overview]
Message-ID: <CAD=HUj6YYupjdxxz2mgMmE2DcKhXP-qdhRORvUNTmzcORRrLzg@mail.gmail.com> (raw)
In-Reply-To: <20191212094121.by7w7fywlzdfoktn@sirius.home.kraxel.org>
> > > Second I think it is a bad idea
> > > from the security point of view. When explicitly exporting buffers it
> > > is easy to restrict access to the actual exports.
> >
> > Restricting access to actual exports could perhaps help catch bugs.
> > However, I don't think it provides any security guarantees, since the
> > guest can always just export every buffer before using it.
>
> Probably not on the guest/host boundary.
>
> It's important for security inside the guest though. You don't want
> process A being able to access process B private resources via buffer
> sharing support, by guessing implicit buffer identifiers.
At least for the linux guest implementation, I wouldn't think the
uuids would be exposed from the kernel. To me, it seems like something
that should be handled internally by the virtio drivers. Especially
since the 'export' process would be very much a virtio-specific
action, so it's likely that it wouldn't fit nicely into existing
userspace software. If you use some other guest with untrusted
userspace drivers, or if you're pulling the uuids out of the kernel to
give to some non-virtio transport, then I can see it being a concern.
> > > Instead of using a dedicated buffer sharing device we can also use
> > > virtio-gpu (or any other driver which supports dma-buf exports) to
> > > manage buffers.
Ah, okay. I misunderstood the original statement. I read the sentence
as 'we can use virtio-gpu in place of the dedicated buffer sharing
device', rather than 'every device can manage its own buffers'. I can
agree with the second meaning.
> Without buffer sharing support the driver importing a virtio-gpu dma-buf
> can send the buffer scatter list to the host. So both virtio-gpu and
> the other device would actually access the same guest pages, but they
> are not aware that the buffer is shared between devices.
With the uuid approach, how should this case be handled? Should it be
equivalent to exporting and importing the buffer which was created
first? Should the spec say it's undefined behavior that might work as
expected but might not, depending on the device implementation? Does
the spec even need to say anything about it?
> With buffer sharing virtio-gpu would attach a uuid to the dma-buf, and
> the importing driver can send the uuid (instead of the scatter list) to
> the host. So the device can simply lookup the buffer on the host side
> and use it directly. Another advantage is that this enables some more
> use cases like sharing buffers between devices which are not backed by
> guest ram.
Not just buffers not backed by guest ram, but things like fences. I
would suggest the uuids represent 'exported resources' rather than
'exported buffers'.
> Well, security-wise you want have buffer identifiers which can't be
> easily guessed. And guessing uuid is pretty much impossible due to
> the namespace being huge.
I guess this depends on what you're passing around within the guest.
If you're passing around the raw uuids, sure. But I would argue it's
better to pass around unforgeable identifiers (e.g. fds), and to
restrict the uuids to when talking directly to the virtio transport.
But I guess there are likely situations where that's not possible.
-David
WARNING: multiple messages have this Message-ID (diff)
From: David Stevens <stevensd@chromium.org>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Geoffrey McRae" <geoff@hostfission.com>,
"Hans Verkuil" <hverkuil@xs4all.nl>,
"Zach Reizner" <zachr@chromium.org>,
"Alexandre Courbot" <acourbot@chromium.org>,
virtio-dev@lists.oasis-open.org,
qemu-devel <qemu-devel@nongnu.org>,
"Alex Lau" <alexlau@chromium.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Keiichi Watanabe" <keiichiw@chromium.org>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Dylan Reid" <dgreid@chromium.org>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Dmitry Morozov" <dmitry.morozov@opensynergy.com>,
"Pawel Osciak" <posciak@chromium.org>,
"Linux Media Mailing List" <linux-media@vger.kernel.org>
Subject: Re: [virtio-dev] Re: guest / host buffer sharing ...
Date: Thu, 12 Dec 2019 21:26:32 +0900 [thread overview]
Message-ID: <CAD=HUj6YYupjdxxz2mgMmE2DcKhXP-qdhRORvUNTmzcORRrLzg@mail.gmail.com> (raw)
In-Reply-To: <20191212094121.by7w7fywlzdfoktn@sirius.home.kraxel.org>
> > > Second I think it is a bad idea
> > > from the security point of view. When explicitly exporting buffers it
> > > is easy to restrict access to the actual exports.
> >
> > Restricting access to actual exports could perhaps help catch bugs.
> > However, I don't think it provides any security guarantees, since the
> > guest can always just export every buffer before using it.
>
> Probably not on the guest/host boundary.
>
> It's important for security inside the guest though. You don't want
> process A being able to access process B private resources via buffer
> sharing support, by guessing implicit buffer identifiers.
At least for the linux guest implementation, I wouldn't think the
uuids would be exposed from the kernel. To me, it seems like something
that should be handled internally by the virtio drivers. Especially
since the 'export' process would be very much a virtio-specific
action, so it's likely that it wouldn't fit nicely into existing
userspace software. If you use some other guest with untrusted
userspace drivers, or if you're pulling the uuids out of the kernel to
give to some non-virtio transport, then I can see it being a concern.
> > > Instead of using a dedicated buffer sharing device we can also use
> > > virtio-gpu (or any other driver which supports dma-buf exports) to
> > > manage buffers.
Ah, okay. I misunderstood the original statement. I read the sentence
as 'we can use virtio-gpu in place of the dedicated buffer sharing
device', rather than 'every device can manage its own buffers'. I can
agree with the second meaning.
> Without buffer sharing support the driver importing a virtio-gpu dma-buf
> can send the buffer scatter list to the host. So both virtio-gpu and
> the other device would actually access the same guest pages, but they
> are not aware that the buffer is shared between devices.
With the uuid approach, how should this case be handled? Should it be
equivalent to exporting and importing the buffer which was created
first? Should the spec say it's undefined behavior that might work as
expected but might not, depending on the device implementation? Does
the spec even need to say anything about it?
> With buffer sharing virtio-gpu would attach a uuid to the dma-buf, and
> the importing driver can send the uuid (instead of the scatter list) to
> the host. So the device can simply lookup the buffer on the host side
> and use it directly. Another advantage is that this enables some more
> use cases like sharing buffers between devices which are not backed by
> guest ram.
Not just buffers not backed by guest ram, but things like fences. I
would suggest the uuids represent 'exported resources' rather than
'exported buffers'.
> Well, security-wise you want have buffer identifiers which can't be
> easily guessed. And guessing uuid is pretty much impossible due to
> the namespace being huge.
I guess this depends on what you're passing around within the guest.
If you're passing around the raw uuids, sure. But I would argue it's
better to pass around unforgeable identifiers (e.g. fds), and to
restrict the uuids to when talking directly to the virtio transport.
But I guess there are likely situations where that's not possible.
-David
WARNING: multiple messages have this Message-ID (diff)
From: David Stevens <stevensd@chromium.org>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Dylan Reid" <dgreid@chromium.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Zach Reizner" <zachr@chromium.org>,
"Geoffrey McRae" <geoff@hostfission.com>,
"Keiichi Watanabe" <keiichiw@chromium.org>,
"Dmitry Morozov" <dmitry.morozov@opensynergy.com>,
"Alexandre Courbot" <acourbot@chromium.org>,
"Alex Lau" <alexlau@chromium.org>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Pawel Osciak" <posciak@chromium.org>,
"Hans Verkuil" <hverkuil@xs4all.nl>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Linux Media Mailing List" <linux-media@vger.kernel.org>,
virtio-dev@lists.oasis-open.org,
qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [virtio-dev] Re: guest / host buffer sharing ...
Date: Thu, 12 Dec 2019 21:26:32 +0900 [thread overview]
Message-ID: <CAD=HUj6YYupjdxxz2mgMmE2DcKhXP-qdhRORvUNTmzcORRrLzg@mail.gmail.com> (raw)
In-Reply-To: <20191212094121.by7w7fywlzdfoktn@sirius.home.kraxel.org>
> > > Second I think it is a bad idea
> > > from the security point of view. When explicitly exporting buffers it
> > > is easy to restrict access to the actual exports.
> >
> > Restricting access to actual exports could perhaps help catch bugs.
> > However, I don't think it provides any security guarantees, since the
> > guest can always just export every buffer before using it.
>
> Probably not on the guest/host boundary.
>
> It's important for security inside the guest though. You don't want
> process A being able to access process B private resources via buffer
> sharing support, by guessing implicit buffer identifiers.
At least for the linux guest implementation, I wouldn't think the
uuids would be exposed from the kernel. To me, it seems like something
that should be handled internally by the virtio drivers. Especially
since the 'export' process would be very much a virtio-specific
action, so it's likely that it wouldn't fit nicely into existing
userspace software. If you use some other guest with untrusted
userspace drivers, or if you're pulling the uuids out of the kernel to
give to some non-virtio transport, then I can see it being a concern.
> > > Instead of using a dedicated buffer sharing device we can also use
> > > virtio-gpu (or any other driver which supports dma-buf exports) to
> > > manage buffers.
Ah, okay. I misunderstood the original statement. I read the sentence
as 'we can use virtio-gpu in place of the dedicated buffer sharing
device', rather than 'every device can manage its own buffers'. I can
agree with the second meaning.
> Without buffer sharing support the driver importing a virtio-gpu dma-buf
> can send the buffer scatter list to the host. So both virtio-gpu and
> the other device would actually access the same guest pages, but they
> are not aware that the buffer is shared between devices.
With the uuid approach, how should this case be handled? Should it be
equivalent to exporting and importing the buffer which was created
first? Should the spec say it's undefined behavior that might work as
expected but might not, depending on the device implementation? Does
the spec even need to say anything about it?
> With buffer sharing virtio-gpu would attach a uuid to the dma-buf, and
> the importing driver can send the uuid (instead of the scatter list) to
> the host. So the device can simply lookup the buffer on the host side
> and use it directly. Another advantage is that this enables some more
> use cases like sharing buffers between devices which are not backed by
> guest ram.
Not just buffers not backed by guest ram, but things like fences. I
would suggest the uuids represent 'exported resources' rather than
'exported buffers'.
> Well, security-wise you want have buffer identifiers which can't be
> easily guessed. And guessing uuid is pretty much impossible due to
> the namespace being huge.
I guess this depends on what you're passing around within the guest.
If you're passing around the raw uuids, sure. But I would argue it's
better to pass around unforgeable identifiers (e.g. fds), and to
restrict the uuids to when talking directly to the virtio transport.
But I guess there are likely situations where that's not possible.
-David
---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org
next prev parent reply other threads:[~2019-12-12 12:26 UTC|newest]
Thread overview: 139+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-05 10:54 guest / host buffer sharing Gerd Hoffmann
2019-11-05 10:54 ` [virtio-dev] " Gerd Hoffmann
2019-11-05 10:54 ` Gerd Hoffmann
2019-11-05 11:35 ` Geoffrey McRae
2019-11-06 6:24 ` Gerd Hoffmann
2019-11-06 6:24 ` [virtio-dev] " Gerd Hoffmann
2019-11-06 6:24 ` Gerd Hoffmann
2019-11-06 8:36 ` David Stevens
2019-11-06 8:36 ` [virtio-dev] " David Stevens
2019-11-06 8:36 ` David Stevens
2019-11-06 12:41 ` Gerd Hoffmann
2019-11-06 12:41 ` [virtio-dev] " Gerd Hoffmann
2019-11-06 12:41 ` Gerd Hoffmann
2019-11-06 22:28 ` Geoffrey McRae
2019-11-07 6:48 ` Gerd Hoffmann
2019-11-07 6:48 ` [virtio-dev] " Gerd Hoffmann
2019-11-07 6:48 ` Gerd Hoffmann
2019-11-20 12:13 ` Tomasz Figa
2019-11-20 12:13 ` [virtio-dev] " Tomasz Figa
2019-11-20 12:13 ` Tomasz Figa
2019-11-20 21:41 ` Geoffrey McRae
2019-11-21 5:51 ` Tomasz Figa
2019-11-21 5:51 ` [virtio-dev] " Tomasz Figa
2019-11-21 5:51 ` Tomasz Figa
2019-12-04 22:22 ` Dylan Reid
2019-12-04 22:22 ` Dylan Reid
2019-12-11 5:08 ` David Stevens
2019-12-11 5:08 ` [virtio-dev] " David Stevens
2019-12-11 5:08 ` David Stevens
2019-12-11 9:26 ` Gerd Hoffmann
2019-12-11 9:26 ` [virtio-dev] " Gerd Hoffmann
2019-12-11 9:26 ` Gerd Hoffmann
2019-12-11 16:05 ` [virtio-dev] " Enrico Granata
2019-12-11 16:05 ` Enrico Granata
2019-12-12 6:40 ` David Stevens
2019-12-12 6:40 ` David Stevens
2019-12-12 6:40 ` David Stevens
2019-12-12 9:41 ` Gerd Hoffmann
2019-12-12 9:41 ` Gerd Hoffmann
2019-12-12 9:41 ` Gerd Hoffmann
2019-12-12 12:26 ` David Stevens [this message]
2019-12-12 12:26 ` David Stevens
2019-12-12 12:26 ` David Stevens
2019-12-12 13:30 ` Gerd Hoffmann
2019-12-12 13:30 ` Gerd Hoffmann
2019-12-12 13:30 ` Gerd Hoffmann
2019-12-13 3:21 ` David Stevens
2019-12-13 3:21 ` David Stevens
2019-12-13 3:21 ` David Stevens
2019-12-16 13:47 ` Gerd Hoffmann
2019-12-16 13:47 ` Gerd Hoffmann
2019-12-16 13:47 ` Gerd Hoffmann
2019-12-17 12:59 ` David Stevens
2019-12-17 12:59 ` David Stevens
2019-12-17 12:59 ` David Stevens
2019-11-06 8:43 ` Stefan Hajnoczi
2019-11-06 8:43 ` Stefan Hajnoczi
2019-11-06 9:51 ` Gerd Hoffmann
2019-11-06 9:51 ` [virtio-dev] " Gerd Hoffmann
2019-11-06 9:51 ` Gerd Hoffmann
2019-11-06 10:10 ` [virtio-dev] " Dr. David Alan Gilbert
2019-11-06 10:10 ` Dr. David Alan Gilbert
2019-11-06 10:10 ` Dr. David Alan Gilbert
2019-11-07 11:11 ` Gerd Hoffmann
2019-11-07 11:11 ` Gerd Hoffmann
2019-11-07 11:11 ` Gerd Hoffmann
2019-11-07 11:16 ` Dr. David Alan Gilbert
2019-11-07 11:16 ` Dr. David Alan Gilbert
2019-11-07 11:16 ` Dr. David Alan Gilbert
2019-11-08 6:45 ` Gerd Hoffmann
2019-11-08 6:45 ` Gerd Hoffmann
2019-11-08 6:45 ` Gerd Hoffmann
2019-11-06 11:46 ` Stefan Hajnoczi
2019-11-06 11:46 ` Stefan Hajnoczi
2019-11-06 12:50 ` Gerd Hoffmann
2019-11-06 12:50 ` [virtio-dev] " Gerd Hoffmann
2019-11-06 12:50 ` Gerd Hoffmann
2019-11-07 12:10 ` Stefan Hajnoczi
2019-11-07 12:10 ` Stefan Hajnoczi
2019-11-07 15:10 ` Frank Yang
2019-11-07 15:10 ` [virtio-dev] " Frank Yang
2019-11-20 11:58 ` Tomasz Figa
2019-11-20 11:58 ` [virtio-dev] " Tomasz Figa
2019-11-20 11:58 ` Tomasz Figa
2019-11-08 7:22 ` Gerd Hoffmann
2019-11-08 7:22 ` [virtio-dev] " Gerd Hoffmann
2019-11-08 7:22 ` Gerd Hoffmann
2019-11-08 7:35 ` Stefan Hajnoczi
2019-11-08 7:35 ` Stefan Hajnoczi
2019-11-09 1:41 ` Stéphane Marchesin
2019-11-09 1:41 ` Stéphane Marchesin
2019-11-09 10:12 ` Stefan Hajnoczi
2019-11-09 10:12 ` Stefan Hajnoczi
2019-11-09 11:16 ` Tomasz Figa
2019-11-09 11:16 ` [virtio-dev] " Tomasz Figa
2019-11-09 11:16 ` Tomasz Figa
2019-11-09 12:08 ` Stefan Hajnoczi
2019-11-09 12:08 ` Stefan Hajnoczi
2019-11-09 15:12 ` Tomasz Figa
2019-11-09 15:12 ` [virtio-dev] " Tomasz Figa
2019-11-09 15:12 ` Tomasz Figa
2019-11-18 10:20 ` Stefan Hajnoczi
2019-11-18 10:20 ` Stefan Hajnoczi
2019-11-20 10:11 ` Tomasz Figa
2019-11-20 10:11 ` [virtio-dev] " Tomasz Figa
2019-11-20 10:11 ` Tomasz Figa
2019-11-20 12:11 ` Tomasz Figa
2019-11-20 12:11 ` [virtio-dev] " Tomasz Figa
2019-11-20 12:11 ` Tomasz Figa
2019-11-11 3:04 ` David Stevens
2019-11-11 3:04 ` [virtio-dev] " David Stevens
2019-11-11 3:04 ` David Stevens
2019-11-11 15:36 ` [virtio-dev] " Liam Girdwood
2019-11-11 15:36 ` Liam Girdwood
2019-11-11 15:36 ` Liam Girdwood
2019-11-12 0:54 ` Gurchetan Singh
2019-11-12 0:54 ` Gurchetan Singh
2019-11-12 0:54 ` Gurchetan Singh
2019-11-12 13:56 ` Liam Girdwood
2019-11-12 13:56 ` Liam Girdwood
2019-11-12 13:56 ` Liam Girdwood
2019-11-12 22:55 ` Gurchetan Singh
2019-11-12 22:55 ` Gurchetan Singh
2019-11-12 22:55 ` Gurchetan Singh
2019-11-19 15:31 ` Liam Girdwood
2019-11-19 15:31 ` Liam Girdwood
2019-11-19 15:31 ` Liam Girdwood
2019-11-20 0:42 ` Gurchetan Singh
2019-11-20 0:42 ` Gurchetan Singh
2019-11-20 0:42 ` Gurchetan Singh
2019-11-20 9:53 ` Gerd Hoffmann
2019-11-20 9:53 ` Gerd Hoffmann
2019-11-20 9:53 ` Gerd Hoffmann
2019-11-25 16:46 ` Liam Girdwood
2019-11-25 16:46 ` Liam Girdwood
2019-11-25 16:46 ` Liam Girdwood
2019-11-27 7:58 ` Gerd Hoffmann
2019-11-27 7:58 ` Gerd Hoffmann
2019-11-27 7:58 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD=HUj6YYupjdxxz2mgMmE2DcKhXP-qdhRORvUNTmzcORRrLzg@mail.gmail.com' \
--to=stevensd@chromium.org \
--cc=acourbot@chromium.org \
--cc=alexlau@chromium.org \
--cc=daniel@ffwll.ch \
--cc=dgreid@chromium.org \
--cc=dmitry.morozov@opensynergy.com \
--cc=geoff@hostfission.com \
--cc=gurchetansingh@chromium.org \
--cc=hverkuil@xs4all.nl \
--cc=keiichiw@chromium.org \
--cc=kraxel@redhat.com \
--cc=linux-media@vger.kernel.org \
--cc=marcheu@chromium.org \
--cc=posciak@chromium.org \
--cc=qemu-devel@nongnu.org \
--cc=tfiga@chromium.org \
--cc=virtio-dev@lists.oasis-open.org \
--cc=zachr@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.