On Thu, Apr 15, 2021 at 5:05 PM Jason Wang <jasowang@xxxxxxxxxx> wrote: > > > 在 2021/4/15 下午4:36, Jason Wang 写道: > >>> > >> Please state this explicitly at the start of the document. Existing > >> interfaces like FUSE are designed to avoid trusting userspace. > > > > > > There're some subtle difference here. VDUSE present a device to kernel > > which means IOMMU is probably the only thing to prevent a malicous > > device. > > > > > >> Therefore > >> people might think the same is the case here. It's critical that people > >> are aware of this before deploying VDUSE with virtio-vdpa. > >> > >> We should probably pause here and think about whether it's possible to > >> avoid trusting userspace. Even if it takes some effort and costs some > >> performance it would probably be worthwhile. > > > > > > Since the bounce buffer is used the only attack surface is the > > coherent area, if we want to enforce stronger isolation we need to use > > shadow virtqueue (which is proposed in earlier version by me) in this > > case. But I'm not sure it's worth to do that. > > > > So this reminds me the discussion in the end of last year. We need to > make sure we don't suffer from the same issues for VDUSE at least > > https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@xxxxxxxxxx/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b > > Or we can solve it at virtio level, e.g remember the dma address instead > of depending on the addr in the descriptor ring > I might miss something. But VDUSE has recorded the dma address during dma mapping, so we would not do bouncing if the addr/length is invalid during dma unmapping. Is it enough? Thanks, Yongji
