The uio drivers are not secured by an iommu. Therefore, you could misuse the NIC to DMA read/write into any part of memory, e.g. reading or writing to memory of the host or other containers.
This is a security breach if you enable a container to do this by giving it access via uio, because you have containers in the first place to isolate processes against each other. VFIO uses IOMMUs to protect against that, but you need capable hardware, e.g. Intel VT-d support on x86.

http://en.m.wikipedia.org/wiki/IOMMU

Cheers,
Andre

Karmarkar Suyash <skarmarkar at sonusnet.com> wrote on Thu., 2 Apr. 2015 at 05:28:

> << igb_uio and rte_kni are unlikely to be accepted upstream since they have intrinsic security problems.
>
> Can you use VFIO? >>
>
> Hi Stephen,
>
> Thanks for the reply. Can you please elaborate on the security issue? Thanks.
>
> Regards
> Suyash
>
> -----Original Message-----
> From: Stephen Hemminger [mailto:stephen at networkplumber.org]
> Sent: Thursday, April 02, 2015 12:12 AM
> To: Karmarkar Suyash
> Cc: dev at dpdk.org
> Subject: Re: [dpdk-dev] Running DPDK with Docker
>
> On Wed, 1 Apr 2015 17:56:56 +0000
> Karmarkar Suyash <skarmarkar at sonusnet.com> wrote:
>
> > Hi,
> >
> > Given the popularity of Docker it would be nice if we can run DPDK inside a Docker container, but the challenge is the igb_uio.ko and rte_kni.ko kernel modules, which need to be compiled with the exact kernel source running on the host. Are there ways to seamlessly run DPDK with Docker? I came across an article about running DPDK with Linux containers, but still the requirement is to insert igb_uio. Any plans to make the igb_uio and rte_kni modules default modules of the Linux source code, or any other better approaches/suggestions? Thanks.
> >
> > http://dpdk.org/ml/archives/dev/2014-October/006373.html
> > http://permalink.gmane.org/gmane.comp.networking.dpdk.devel/6479
>
> igb_uio and rte_kni are unlikely to be accepted upstream since they have intrinsic security problems.
>
> Can you use VFIO?
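As an added example (not from this thread or from DPDK), the following script shows how an operator can check, from sysfs, whether a NIC handed to a container is bound to a uio driver (DMA unconfined) or to vfio-pci inside an IOMMU group (DMA confined). The sysfs root is a parameter so the check runs here against a constructed fake tree; the PCI addresses and group number are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from DPDK: classify how a PCI NIC's
# DMA is (or is not) confined, from the driver it is bound to and its IOMMU group.
# The sysfs root is a parameter so the check can run against a constructed tree.

# dma_protection <sysfs_root> <pci_bdf>
# Prints: uio-unprotected | vfio-iommu | vfio-no-group | unbound | other:<driver>
dma_protection() {
    dev="$1/bus/pci/devices/$2"
    [ -d "$dev" ] || { echo "missing"; return 1; }
    drv=""; grp=""
    # sysfs exposes the bound driver and the IOMMU group as symlinks
    [ -L "$dev/driver" ] && drv=$(basename "$(readlink "$dev/driver")")
    [ -L "$dev/iommu_group" ] && grp=$(basename "$(readlink "$dev/iommu_group")")
    case "$drv" in
        igb_uio|uio_pci_generic)
            # uio does not program the IOMMU: the device can DMA to any host memory
            echo "uio-unprotected" ;;
        vfio-pci)
            # vfio-pci confines DMA to the group's mappings; a missing group link
            # means no IOMMU is protecting the device (assumption: no noiommu mode)
            if [ -n "$grp" ]; then echo "vfio-iommu"; else echo "vfio-no-group"; fi ;;
        "")  echo "unbound" ;;
        *)   echo "other:$drv" ;;
    esac
}

# Constructed fake sysfs tree (symlink layout mirrors real /sys) for offline use.
make_fake_sysfs() {
    d="$1/bus/pci/devices"
    mkdir -p "$d/0000:03:00.0" "$d/0000:03:00.1" "$d/0000:03:00.2" \
             "$1/bus/pci/drivers/igb_uio" "$1/bus/pci/drivers/vfio-pci" \
             "$1/kernel/iommu_groups/12"
    ln -s ../../../../bus/pci/drivers/igb_uio  "$d/0000:03:00.0/driver"
    ln -s ../../../../bus/pci/drivers/vfio-pci "$d/0000:03:00.1/driver"
    ln -s ../../../../kernel/iommu_groups/12   "$d/0000:03:00.1/iommu_group"
}

# Demonstration (on a real host: dma_protection /sys 0000:03:00.0)
demo=$(mktemp -d)
make_fake_sysfs "$demo"
for bdf in 0000:03:00.0 0000:03:00.1 0000:03:00.2; do
    echo "$bdf: $(dma_protection "$demo" "$bdf")"
done
rm -rf "$demo"
```

On a real host, an empty /sys/kernel/iommu_groups alongside vfio-pci bindings is the signal to check that the IOMMU was actually enabled in firmware and on the kernel command line.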