On 6/16/23 17:16, Allen Webb wrote: > That extra context helps, so the hardening is on the side of the guest > kernel since the host kernel isn't trusted? > > My biggest concerns would be around situations where devices have > memory access for things like DMA. In such cases the guest would need > to be protected from the devices so bounce buffers or some limited > shared memory might need to be set up to facilitate these devices > without breaking the goals of pKVM. I'm assuming you are talking about cases when we want a host-owned device, e.g. a TPM from your example, to be able to DMA to the guest memory (please correct me if you mean something different). I think with pKVM it should be already possible to do securely and without extra hardening in the guest (modulo establishing trust between the guest and the TPM, which you mentioned, but that is needed anyway?). The hypervisor in any case ensures protection of the guest memory from the host devices DMA via IOMMU. Also the hypervisor allows the guest to explicitly share its memory pages with the host via a hypercall. Those shared pages, and only those, become accessible by the host devices DMA as well. P.S. I know that on chromebooks the TPM can't possibly do DMA. :) > The minimum starting point for something like this would be a shared > memory region visible to both the guest and the host. Given that it > should be possible to build communication primitives on top, but yes > ideally something like vsock or virtio would just work without > introducing risk of exploitation and typically the hypervisor is > trusted. Maybe this could be modeled as sibling to sibling > virtio/vsock?
