On Fri, 27 Jan 2023 11:15:02 -0600 Bjorn Helgaas <helgaas@xxxxxxxxxx> wrote: > On Fri, Jan 27, 2023 at 09:02:25AM +0000, bugzilla-daemon@xxxxxxxxxx wrote: > > https://bugzilla.kernel.org/show_bug.cgi?id=216970 > > > > Bug ID: 216970 > > Summary: When VM using vfio-pci driver to pci device > > passthrough, host can access VM's pci device with > > libpciaccess library. > > > Created attachment 303656 > > --> https://bugzilla.kernel.org/attachment.cgi?id=303656&action=edit > > Upload text data to vfio-pci passthrough GPU VRAM with using nvatools > > > > 1) Release of Ubuntu > > Host - Ubuntu 20.04.5 LTS / Release : 20.04 > > Guest - Ubuntu 18.04.6 LTS / Release : 18.04 > > > > 2) Kernel version > > Host - 5.15.0-57-generic > > Guest - 5.4.0-137-generic > > > > 3) Version of the package > > libpciaccess0: > > Installed: 0.16-0ubuntu1 > > Candidate: 0.16-0ubuntu1 > > > > libpciaccess-dev: > > Installed: 0.16-0ubuntu1 > > Candidate: 0.16-0ubuntu1 > > > > 4) Expected to happen > > When the virtual machine is running, the Host could not access the virtual > > machine's pci passthrough device via libpciaccess. > > > > 5) Happened instead > > When the virtual machine is running, the host can access the virtual machine's > > pci passthrough device via libpciaccess. > > > > In this case, host can interrupt passthrough pci device, or access passthrough > > pci device memory to leak virtual machine data. > > > > We checked this by creating a virtual machine using vfio-pci passthrough GPU in > > QEMU. > > > > In addition, when running GPU applications such as CUDA in a virtual machine, > > we found that data inside passthrough GPU VRAM can be accessed from the host > > via libpciaccess(nvatools). > > > > We proceeded as follows. > > 1. Create and run VMs with vfio-pci passthrough GPU. > > > > 2. Upload text data from the host via nvatools to the VRAM on the passthrough > > GPU. > > > > 3. The VM can see the text data in the GPU VRAM. > > I'm not really familiar with libpciaccess or nvatools, but it looks > like they do both PCI config accesses and MMIO access to PCI BARs. > > I expect both types of access to work for the host, even for devices > passed through to a guest. The VFIO folks can correct me if there's > some mechanism to prevent the host from accessing these devices. Yes, this is expected. The host would need privileged access in order to interfere or access assigned device data. Sounds like this is looking more for confidential computing type protection, which like protecting VM memory from host access, requires specific technologies that are under development. Thanks, Alex