From: David Stevens <stevensd@chromium.org>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Geoffrey McRae" <geoff@hostfission.com>,
"Hans Verkuil" <hverkuil@xs4all.nl>,
"Zach Reizner" <zachr@chromium.org>,
"Alexandre Courbot" <acourbot@chromium.org>,
virtio-dev@lists.oasis-open.org,
qemu-devel <qemu-devel@nongnu.org>,
"Alex Lau" <alexlau@chromium.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Keiichi Watanabe" <keiichiw@chromium.org>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Dylan Reid" <dgreid@chromium.org>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Dmitry Morozov" <dmitry.morozov@opensynergy.com>,
"Pawel Osciak" <posciak@chromium.org>,
"Linux Media Mailing List" <linux-media@vger.kernel.org>
Subject: Re: [virtio-dev] Re: guest / host buffer sharing ...
Date: Thu, 12 Dec 2019 15:40:44 +0900 [thread overview]
Message-ID: <CAD=HUj7d3SWqCH=57ymy-BVd6xdJWc=WSqHAFyQXt-3MjchEAA@mail.gmail.com> (raw)
In-Reply-To: <20191211092625.jzqx2ukphhggwavo@sirius.home.kraxel.org>
> First the addressing is non-trivial, especially with the "transport
> specific device address" in the tuple.
There is complexity here, but I think it would also be present in the
buffer sharing device case. With a buffer sharing device, the same
identifying information would need to be provided from the exporting
driver to the buffer sharing driver, so the buffer sharing device
would be able to identify the right device in the vmm. And then in
both import cases, the buffer is just identified by some opaque bytes
that need to be given to a buffer manager in the vmm to resolve the
actual buffer.
> Second I think it is a bad idea
> from the security point of view. When explicitly exporting buffers it
> is easy to restrict access to the actual exports.
Restricting access to actual exports could perhaps help catch bugs.
However, I don't think it provides any security guarantees, since the
guest can always just export every buffer before using it. Using
implicit addresses doesn't mean that the buffer import actually has to
be allowed - it can be thought of as fusing the buffer export and
buffer import operations into a single operation. The vmm can still
perform exactly the same security checks.
> Instead of using a dedicated buffer sharing device we can also use
> virtio-gpu (or any other driver which supports dma-buf exports) to
> manage buffers.
I don't think adding generic buffer management to virtio-gpu (or any
specific device type) is a good idea, since that device would then
become a requirement for buffer sharing between unrelated devices. For
example, it's easy to imagine a device with a virtio-camera and a
virtio-encoder (although such protocols don't exist today). It
wouldn't make sense to require a virtio-gpu device to allow those two
devices to share buffers.
> With no central instance (buffer sharing device) being there managing
> the buffer identifiers I think using uuids as identifiers would be a
> good idea, to avoid clashes. Also good for security because it's pretty
> much impossible to guess buffer identifiers then.
Using uuids to identify buffers would work. The fact that it provides
a single way to refer to both guest and host allocated buffers is
nice. And it could also directly apply to sharing resources other than
buffers (e.g. fences). Although unless we're positing that there are
different levels of trust within the guest, I don't think uuids really
provides much security.
If we're talking about uuids, they could also be used to simplify my
proposed implicit addressing scheme. Each device could be assigned a
uuid, which would simplify the shared resource identifier to
(device-uuid, shmid, offset).
In my opinion, the implicit buffer addressing scheme is fairly similar
to the uuid proposal. As I see it, the difference is that one is
referring to resources as uuids in a global namespace, whereas the
other is referring to resources with fully qualified names. Beyond
that, the implementations would be fairly similar.
-David
next prev parent reply other threads:[~2019-12-12 6:41 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-05 10:54 guest / host buffer sharing Gerd Hoffmann
2019-11-05 11:35 ` Geoffrey McRae
2019-11-06 6:24 ` Gerd Hoffmann
2019-11-06 8:36 ` David Stevens
2019-11-06 12:41 ` Gerd Hoffmann
2019-11-06 22:28 ` Geoffrey McRae
2019-11-07 6:48 ` Gerd Hoffmann
2019-11-20 12:13 ` Tomasz Figa
2019-11-20 21:41 ` Geoffrey McRae
2019-11-21 5:51 ` Tomasz Figa
2019-12-04 22:22 ` Dylan Reid
2019-12-11 5:08 ` David Stevens
2019-12-11 9:26 ` Gerd Hoffmann
2019-12-11 16:05 ` [virtio-dev] " Enrico Granata
2019-12-12 6:40 ` David Stevens [this message]
2019-12-12 9:41 ` Gerd Hoffmann
2019-12-12 12:26 ` David Stevens
2019-12-12 13:30 ` Gerd Hoffmann
2019-12-13 3:21 ` David Stevens
2019-12-16 13:47 ` Gerd Hoffmann
2019-12-17 12:59 ` David Stevens
2019-11-06 8:43 ` Stefan Hajnoczi
2019-11-06 9:51 ` Gerd Hoffmann
2019-11-06 10:10 ` [virtio-dev] " Dr. David Alan Gilbert
2019-11-07 11:11 ` Gerd Hoffmann
2019-11-07 11:16 ` Dr. David Alan Gilbert
2019-11-08 6:45 ` Gerd Hoffmann
2019-11-06 11:46 ` Stefan Hajnoczi
2019-11-06 12:50 ` Gerd Hoffmann
2019-11-07 12:10 ` Stefan Hajnoczi
2019-11-07 15:10 ` Frank Yang
2019-11-20 11:58 ` Tomasz Figa
2019-11-08 7:22 ` Gerd Hoffmann
2019-11-08 7:35 ` Stefan Hajnoczi
2019-11-09 1:41 ` Stéphane Marchesin
2019-11-09 10:12 ` Stefan Hajnoczi
2019-11-09 11:16 ` Tomasz Figa
2019-11-09 12:08 ` Stefan Hajnoczi
2019-11-09 15:12 ` Tomasz Figa
2019-11-18 10:20 ` Stefan Hajnoczi
2019-11-20 10:11 ` Tomasz Figa
2019-11-20 12:11 ` Tomasz Figa
2019-11-11 3:04 ` David Stevens
2019-11-11 15:36 ` [virtio-dev] " Liam Girdwood
2019-11-12 0:54 ` Gurchetan Singh
2019-11-12 13:56 ` Liam Girdwood
2019-11-12 22:55 ` Gurchetan Singh
2019-11-19 15:31 ` Liam Girdwood
2019-11-20 0:42 ` Gurchetan Singh
2019-11-20 9:53 ` Gerd Hoffmann
2019-11-25 16:46 ` Liam Girdwood
2019-11-27 7:58 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD=HUj7d3SWqCH=57ymy-BVd6xdJWc=WSqHAFyQXt-3MjchEAA@mail.gmail.com' \
--to=stevensd@chromium.org \
--cc=acourbot@chromium.org \
--cc=alexlau@chromium.org \
--cc=daniel@ffwll.ch \
--cc=dgreid@chromium.org \
--cc=dmitry.morozov@opensynergy.com \
--cc=geoff@hostfission.com \
--cc=gurchetansingh@chromium.org \
--cc=hverkuil@xs4all.nl \
--cc=keiichiw@chromium.org \
--cc=kraxel@redhat.com \
--cc=linux-media@vger.kernel.org \
--cc=marcheu@chromium.org \
--cc=posciak@chromium.org \
--cc=qemu-devel@nongnu.org \
--cc=tfiga@chromium.org \
--cc=virtio-dev@lists.oasis-open.org \
--cc=zachr@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).