On Mon, 30 Jun 2025 at 21:22, Bernhard Beschow <shen...@gmail.com> wrote: > > > > Am 30. Juni 2025 09:09:31 UTC schrieb Peter Maydell > <peter.mayd...@linaro.org>: > >On Sun, 29 Jun 2025 at 21:49, Bernhard Beschow <shen...@gmail.com> wrote: > >> > >> Allows the imx8mp-evk machine to be run with KVM acceleration as a guest. > >> > >> Signed-off-by: Bernhard Beschow <shen...@gmail.com> > >> --- > >> docs/system/arm/imx8mp-evk.rst | 7 +++++++ > >> hw/arm/fsl-imx8mp.c | 33 ++++++++++++++++++++++++++++----- > >> hw/arm/imx8mp-evk.c | 11 +++++++++++ > >> hw/arm/Kconfig | 3 ++- > >> hw/arm/meson.build | 2 +- > >> 5 files changed, 49 insertions(+), 7 deletions(-) > > > >This puts a lot of IMX device models onto our security boundary, > >which makes me a bit nervous -- that's a lot of code which > >wasn't really written or reviewed carefully to ensure it > >can't be exploited by a malicious guest. > > Hi Peter, > > Does KVM increase the attack surface compared to TCG?
Yes, because our security policy says that TCG is not considered a security boundary, whereas KVM is: https://qemu-project.gitlab.io/qemu/system/security.html (It would move from "non-virtualization use case" to "virtualization use case".) thanks -- PMM
