linux-kernel.vger.kernel.org archive mirror
From: Yongji Xie <xieyongji@bytedance.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "Jason Wang" <jasowang@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Stefano Garzarella" <sgarzare@redhat.com>,
	"Parav Pandit" <parav@nvidia.com>,
	"Christoph Hellwig" <hch@infradead.org>,
	"Christian Brauner" <christian.brauner@canonical.com>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Matthew Wilcox" <willy@infradead.org>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Jens Axboe" <axboe@kernel.dk>,
	bcrl@kvack.org, "Jonathan Corbet" <corbet@lwn.net>,
	"Mika Penttilä" <mika.penttila@nextfour.com>,
	"Dan Carpenter" <dan.carpenter@oracle.com>,
	joro@8bytes.org,
	virtualization <virtualization@lists.linux-foundation.org>,
	netdev@vger.kernel.org, kvm <kvm@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Re: [PATCH v7 00/12] Introduce VDUSE - vDPA Device in Userspace
Date: Thu, 20 May 2021 17:06:21 +0800	[thread overview]
Message-ID: <CACycT3tKY2V=dmOJjeiZxkqA3cH8_KF93NNbRnNU04e5Job2cw@mail.gmail.com> (raw)
In-Reply-To: <20210520014349-mutt-send-email-mst@kernel.org>

On Thu, May 20, 2021 at 2:06 PM Michael S. Tsirkin <mst@redhat.com> wrote:
>
> On Mon, May 17, 2021 at 05:55:01PM +0800, Xie Yongji wrote:
> > This series introduces a framework, which can be used to implement
> > vDPA Devices in a userspace program. The work consist of two parts:
> > control path forwarding and data path offloading.
> >
> > In the control path, the VDUSE driver will make use of message
> > mechanism to forward the config operation from vdpa bus driver
> > to userspace. Userspace can use read()/write() to receive/reply
> > those control messages.
> >
> > In the data path, the core is mapping dma buffer into VDUSE
> > daemon's address space, which can be implemented in different ways
> > depending on the vdpa bus to which the vDPA device is attached.
> >
> > In virtio-vdpa case, we implement an MMU-based on-chip IOMMU driver with
> > bounce-buffering mechanism to achieve that. And in vhost-vdpa case, the dma
> > buffer resides in a userspace memory region which can be shared to the
> > VDUSE userspace process via transferring the shmfd.
> >
> > The details and our use case are shown below:
> >
> > ------------------------    -------------------------   ----------------------------------------------
> > |            Container |    |              QEMU(VM) |   |                               VDUSE daemon |
> > |       ---------      |    |  -------------------  |   | ------------------------- ---------------- |
> > |       |dev/vdx|      |    |  |/dev/vhost-vdpa-x|  |   | | vDPA device emulation | | block driver | |
> > ------------+-----------     -----------+------------   -------------+----------------------+---------
> >             |                           |                            |                      |
> >             |                           |                            |                      |
> > ------------+---------------------------+----------------------------+----------------------+---------
> > |    | block device |           |  vhost device |            | vduse driver |          | TCP/IP |    |
> > |    -------+--------           --------+--------            -------+--------          -----+----    |
> > |           |                           |                           |                       |        |
> > | ----------+----------       ----------+-----------         -------+-------                |        |
> > | | virtio-blk driver |       |  vhost-vdpa driver |         | vdpa device |                |        |
> > | ----------+----------       ----------+-----------         -------+-------                |        |
> > |           |      virtio bus           |                           |                       |        |
> > |   --------+----+-----------           |                           |                       |        |
> > |                |                      |                           |                       |        |
> > |      ----------+----------            |                           |                       |        |
> > |      | virtio-blk device |            |                           |                       |        |
> > |      ----------+----------            |                           |                       |        |
> > |                |                      |                           |                       |        |
> > |     -----------+-----------           |                           |                       |        |
> > |     |  virtio-vdpa driver |           |                           |                       |        |
> > |     -----------+-----------           |                           |                       |        |
> > |                |                      |                           |    vdpa bus           |        |
> > |     -----------+----------------------+---------------------------+------------           |        |
> > |                                                                                        ---+---     |
> > -----------------------------------------------------------------------------------------| NIC |------
> >                                                                                          ---+---
> >                                                                                             |
> >                                                                                    ---------+---------
> >                                                                                    | Remote Storages |
> >                                                                                    -------------------
> >
> > We make use of it to implement a block device connecting to
> > our distributed storage, which can be used both in containers and
> > VMs. Thus, we can have a unified technology stack in these two cases.
> >
> > To test it with null-blk:
> >
> >   $ qemu-storage-daemon \
> >       --chardev socket,id=charmonitor,path=/tmp/qmp.sock,server,nowait \
> >       --monitor chardev=charmonitor \
> >       --blockdev driver=host_device,cache.direct=on,aio=native,filename=/dev/nullb0,node-name=disk0 \
> >       --export type=vduse-blk,id=test,node-name=disk0,writable=on,name=vduse-null,num-queues=16,queue-size=128
> >
> > The qemu-storage-daemon can be found at https://github.com/bytedance/qemu/tree/vduse
> >
> > To make userspace VDUSE processes such as qemu-storage-daemon able to
> > run unprivileged, we did some work on the virtio drivers to avoid trusting
> > the device, including:
> >
> >   - validating the device status:
> >
> >     * https://lore.kernel.org/lkml/20210517093428.670-1-xieyongji@bytedance.com/
> >
> >   - validating the used length:
> >
> >     * https://lore.kernel.org/lkml/20210517090836.533-1-xieyongji@bytedance.com/
> >
> >   - validating the device config:
> >
> >     * patch 4 ("virtio-blk: Add validation for block size in config space")
> >
> >   - validating the device response:
> >
> >     * patch 5 ("virtio_scsi: Add validation for residual bytes from response")
> >
> > Since I'm not sure if I'm missing something during auditing, especially on some
> > virtio device drivers that I'm not familiar with, now we only support emulating
> > a few vDPA devices by default, including: virtio-net device, virtio-blk device,
> > virtio-scsi device and virtio-fs device. This limitation can help to reduce
> > security risks.
>
> I suspect there are a lot of assumptions even with these 4.
> Just what are the security assumptions and guarantees here?

The attack surface from a virtio device is limited with IOMMU enabled.
We should be able to avoid security risks if we can validate all data
such as config space and used length from the device in the device driver.

> E.g. it seems pretty clear that exposing a malformed FS
> to a random kernel config can cause untold mischief.
>
> Things like virtnet_send_command are also an easy way for
> the device to DOS the kernel. And before you try to add
> an arbitrary timeout there - please don't,
> the fix is moving things that must be guaranteed into kernel
> and making things that are not guaranteed asynchronous.
> Right now there are some things that happen with locks taken,
> where if we don't wait for device we lose the ability to report failures
> to userspace. E.g. all kind of netlink things are like this.
> One can think of a bunch of ways to address this, this
> needs to be discussed with the relevant subsystem maintainers.
>
>
> If I were you I would start with one type of device, and as simple one
> as possible.
>

Makes sense to me. The virtio-blk device might be a good start. We
already have some existing interfaces like NBD that do similar things.

>
>
> > When a sysadmin trusts the userspace process enough, it can relax
> > the limitation with an 'allow_unsafe_device_emulation' module parameter.
>
> That's not a great security interface. It's a global module specific knob
> that just allows any userspace to emulate anything at all.
> Coming up with a reasonable interface isn't going to be easy.
> For now maybe just have people patch their kernels if they want to
> move fast and break things.
>

OK. A reasonable interface can be added if we need it in the future.

Thanks,
Yongji

[-- Attachment #2: image.png --]
[-- Type: image/png, Size: 46427 bytes --]

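The cover letter's "avoid trusting the device" items (validating the config space, in patch 4, and validating the used length) describe a general rule for any driver whose device side is an unprivileged process: every value the device hands the driver is attacker-controlled input. The C program below is an added example written for this page, not code from the VDUSE series or from the kernel's virtio-blk driver. It models both checks in userspace: it parses a raw config-space image and rejects an unusable `blk_size`, and it rejects a used length larger than the device-writable bytes the driver actually posted. The struct subset, the `[512, 4096]` range and the `PAGE_SIZE_ASSUMED` constant are assumptions chosen for the example.

```c
/*
 * Added example (not from the VDUSE patch series or the kernel): a userspace
 * model of two "do not trust the device" checks a virtio driver needs when the
 * device may be an unprivileged process.
 *   (1) validate a config-space field (virtio-blk blk_size) before use;
 *   (2) validate the "used length" the device reports for a completed buffer
 *       against the device-writable bytes the driver actually offered.
 * Layout, limits and names are illustrative assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u
#define PAGE_SIZE_ASSUMED 4096u   /* assumption: host page size for the example */

/* Subset of the virtio-blk config space (little-endian on the wire). */
struct virtio_blk_config_subset {
    uint64_t capacity;   /* in 512-byte sectors */
    uint32_t blk_size;   /* logical block size reported by the device */
};

/* Read little-endian integers from a raw config-space byte image. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t le64_at(const uint8_t *p)
{
    return (uint64_t)le32_at(p) | ((uint64_t)le32_at(p + 4) << 32);
}

/*
 * Check (1): a zero, non-power-of-two or oversized block size would otherwise
 * flow into block-layer arithmetic (shifts, divisions, allocation sizes) with
 * the device choosing the operand. Returns 0 if usable, -1 to reject.
 */
int validate_blk_size(uint32_t blk_size)
{
    if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE_ASSUMED)
        return -1;
    if (blk_size & (blk_size - 1))   /* must be a power of two */
        return -1;
    return 0;
}

/* Parse a raw config image; the image length itself is also checked. */
int parse_blk_config(const uint8_t *raw, size_t len,
                     struct virtio_blk_config_subset *out)
{
    if (len < 12)                    /* capacity (8) + blk_size (4) */
        return -1;
    out->capacity = le64_at(raw);
    out->blk_size = le32_at(raw + 8);
    return validate_blk_size(out->blk_size);
}

/*
 * Check (2): when the device marks a buffer as used it reports how many bytes
 * it wrote. The driver must reject a value larger than what it posted as
 * device-writable, or it will read past the real data or pass a bogus length
 * to upper layers.
 */
struct posted_buf {
    uint32_t in_len;   /* device-writable bytes the driver posted */
};

/* Returns the trusted length to use, or -1 to reject the completion. */
long validate_used_len(const struct posted_buf *buf, uint32_t used_len)
{
    if (used_len > buf->in_len)
        return -1;
    return (long)used_len;
}

int main(void)
{
    /* Constructed config images: a sane one (blk_size 4096) and one with 3. */
    uint8_t good[12] = {0}, bad[12] = {0};
    struct virtio_blk_config_subset cfg;

    good[9] = 0x10;   /* 0x1000 = 4096 */
    bad[8] = 0x03;

    printf("good config: %s\n",
           parse_blk_config(good, sizeof good, &cfg) == 0 ? "accepted" : "rejected");
    printf("bad config:  %s\n",
           parse_blk_config(bad, sizeof bad, &cfg) == 0 ? "accepted" : "rejected");

    struct posted_buf req = { .in_len = 4096 };
    printf("used_len 4096:  %ld\n", validate_used_len(&req, 4096));
    printf("used_len 65536: %ld\n", validate_used_len(&req, 65536));
    return 0;
}
```

The two functions are deliberately small so the reviewer can see the full decision: the config check rejects rather than "fixes up" a bad value, since a device that lies about one field should not be trusted to have told the truth about the others, and the used-length check is done per completion, before the length reaches anything that indexes memory with it.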
Thread overview: 51+ messages
2021-05-17  9:55 [PATCH v7 00/12] Introduce VDUSE - vDPA Device in Userspace Xie Yongji
2021-05-17  9:55 ` [PATCH v7 01/12] iova: Export alloc_iova_fast() Xie Yongji
2021-05-26  2:36   ` Jason Wang
2021-05-26  2:43     ` Yongji Xie
2021-05-17  9:55 ` [PATCH v7 02/12] file: Export receive_fd() to modules Xie Yongji
2021-05-20  6:18   ` Al Viro
2021-05-20  6:32     ` Yongji Xie
2021-05-17  9:55 ` [PATCH v7 03/12] eventfd: Increase the recursion depth of eventfd_signal() Xie Yongji
2021-05-17  9:55 ` [PATCH v7 04/12] virtio-blk: Add validation for block size in config space Xie Yongji
2021-05-19 13:39   ` Yongji Xie
2021-05-19 14:42     ` Dan Carpenter
2021-05-20  5:25       ` Yongji Xie
2021-05-20  5:43         ` Michael S. Tsirkin
2021-05-20  7:08           ` Yongji Xie
2021-05-17  9:55 ` [PATCH v7 05/12] virtio_scsi: Add validation for residual bytes from response Xie Yongji
2021-05-26  2:41   ` Jason Wang
2021-05-17  9:55 ` [PATCH v7 06/12] vhost-iotlb: Add an opaque pointer for vhost IOTLB Xie Yongji
2021-05-17  9:55 ` [PATCH v7 07/12] vdpa: Add an opaque pointer for vdpa_config_ops.dma_map() Xie Yongji
2021-05-17  9:55 ` [PATCH v7 08/12] vdpa: factor out vhost_vdpa_pa_map() and vhost_vdpa_pa_unmap() Xie Yongji
2021-05-17  9:55 ` [PATCH v7 09/12] vdpa: Support transferring virtual addressing during DMA mapping Xie Yongji
2021-05-17  9:55 ` [PATCH v7 10/12] vduse: Implement an MMU-based IOMMU driver Xie Yongji
2021-05-17  9:55 ` [PATCH v7 11/12] vduse: Introduce VDUSE - vDPA Device in Userspace Xie Yongji
2021-05-20  6:28   ` Al Viro
2021-05-20  7:03     ` Yongji Xie
2021-05-27  4:12   ` Jason Wang
2021-05-27  4:57     ` Yongji Xie
2021-05-27  5:00       ` Jason Wang
2021-05-27  5:08         ` Yongji Xie
2021-05-27  5:40           ` Jason Wang
2021-05-27  7:34             ` Yongji Xie
2021-05-27  8:41               ` Jason Wang
2021-05-27  8:43                 ` Jason Wang
2021-05-27 10:14                   ` Yongji Xie
2021-05-28  1:33                     ` Jason Wang
2021-05-28  3:54                       ` Yongji Xie
2021-05-28  6:38                         ` Jason Wang
2021-05-27 13:17                 ` Yongji Xie
2021-05-28  2:31                   ` Jason Wang
2021-05-31  4:27                     ` Yongji Xie
2021-05-31  4:38                       ` Jason Wang
2021-05-31  6:24                         ` Yongji Xie
2021-05-31  4:56   ` Greg KH
2021-05-31  6:19     ` Yongji Xie
2021-05-31  6:32       ` Greg KH
2021-05-31  7:13         ` Yongji Xie
2021-05-17  9:55 ` [PATCH v7 12/12] Documentation: Add documentation for VDUSE Xie Yongji
2021-05-20  6:06 ` [PATCH v7 00/12] Introduce VDUSE - vDPA Device in Userspace Michael S. Tsirkin
2021-05-20  9:06   ` Yongji Xie [this message]
2021-05-25  6:40     ` Jason Wang
2021-05-25  6:48       ` Michael S. Tsirkin
2021-05-25  7:11         ` Jason Wang
