Re: [RFC V2 PATCH 8/12] UIO/Hyper-V: Not load UIO HV driver in the isolation VM.

From: Tianyu Lan <ltykernel@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: kys@microsoft.com, haiyangz@microsoft.com,
	sthemmin@microsoft.com, wei.liu@kernel.org,
	Tianyu Lan <Tianyu.Lan@microsoft.com>,
	linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org,
	vkuznets@redhat.com, thomas.lendacky@amd.com,
	brijesh.singh@amd.com, sunilmut@microsoft.com
Subject: Re: [RFC V2 PATCH 8/12] UIO/Hyper-V: Not load UIO HV driver in the isolation VM.
Date: Wed, 14 Apr 2021 23:20:19 +0800	[thread overview]
Message-ID: <e54446fb-f9d9-2768-f73f-01a94cf635ea@gmail.com> (raw)
In-Reply-To: <YHXAL+83iHPK8O/Q@kroah.com>

Hi Greg:
	Thanks for your review.

On 4/14/2021 12:00 AM, Greg KH wrote:
> On Tue, Apr 13, 2021 at 11:22:13AM -0400, Tianyu Lan wrote:
>> From: Tianyu Lan <Tianyu.Lan@microsoft.com>
>>
>> UIO HV driver should not load in the isolation VM for security reason.
> 
> Why?  I need a lot more excuse than that.

The reason is that ring buffers have been marked as visible to host.
UIO driver will expose these buffers to user space and user space
driver hasn't done some secure check for data from host. This
is considered as insecure in isolation VM.

> 
> Why would the vm allow UIO devices to bind to it if it was not possible?
> Shouldn't the VM be handling this type of logic and not forcing all
> individual hyperv drivers to do this?
> 
> This feels wrong...

Hypervisor exposes network and storage devices but can't prohibit guest
from binding these devices to UIO driver.

You are right. This should not happen in the individual driver and will
try handling this in the vmbus driver level.

> 
> thanks,
> 
> greg k-h
> 