在 2021/4/15 下午4:36, Jason Wang 写道:
Please state this explicitly at the start of the document. Existing
interfaces like FUSE are designed to avoid trusting userspace.
There're some subtle difference here. VDUSE present a device to kernel
which means IOMMU is probably the only thing to prevent a malicous
device.
Therefore
people might think the same is the case here. It's critical that people
are aware of this before deploying VDUSE with virtio-vdpa.
We should probably pause here and think about whether it's possible to
avoid trusting userspace. Even if it takes some effort and costs some
performance it would probably be worthwhile.
Since the bounce buffer is used the only attack surface is the
coherent area, if we want to enforce stronger isolation we need to use
shadow virtqueue (which is proposed in earlier version by me) in this
case. But I'm not sure it's worth to do that.
So this reminds me the discussion in the end of last year. We need to
make sure we don't suffer from the same issues for VDUSE at least
https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@xxxxxxxxxx/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b
Or we can solve it at virtio level, e.g remember the dma address instead
of depending on the addr in the descriptor ring
Thanks
Is the security situation different with vhost-vdpa? In that case it
seems more likely that the host kernel doesn't need to trust the
userspace VDUSE device.
