On Mon, Sep 30, 2013 at 08:29:30PM -0400, duy hai nguyen wrote: > I have this question regarding the way KVM handles I/O requests from a guest: > > IO requests from a guest are trapped by KVM. KVM then forwards the > requests to QEMU to handle. > > I am wondering if there is a way to make KVM forward the IO requests > to another guest instead of QEMU? I want this second guest to encrypt > the data before passing them to QEMU: > > (I/O from VM1) -> KVM kernel -> VM2 -> QEMU I don't really understand the trust model you are aiming for. Since QEMU has full control over guest RAM and CPU state, QEMU is always capable of spying on the guest. Anyway, QEMU doesn't have a built-in way to bounce the I/O through another guest without seeing the data first. Use a network file system or iSCSI inside the guest. Then VM2 can transform the data however you like and transport encryption can be used. Stefan -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
