RE: [kvm-devel] [Xen-devel] More virtio users

virtualization-bounces@xxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> On Sunday 10 June 2007, Avi Kivity wrote:
>>> - PCI (or your favorite HW bus) passthrough, for your favorite
>>> oddball device (e.g., crypto-accelerators).
>>> 
>> Won't all high-bandwidth traffic be through dma, bypassing virtio?
> 
> It can be done, but you'd also need a passthrough for the
> IOMMU in that case, and you get a potential security hole: if
> a malicious guest is smart enough to figure out IOMMU
> mappings from the device to memory owned by the host.
> 

If it is possible for a malicious guest to use the IOMMU
to access memory that was not assigned to it then either
the Hypervisor is not really a Hypervisor or the IOMMU
is not really an IOMMU.

The only real difference between enabling DMA and providing
IO buffers is the duration. The security implications are
identical.


_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/virtualization
