On Sun, Feb 28, 2010 at 10:08:26AM -0600, Anthony Liguori wrote: > On 02/27/2010 01:44 PM, Michael S. Tsirkin wrote: >>> and it doesn't >>> support all of the features of userspace virtio. Since it's in upstream >>> Linux without supporting all of the virtio-net features, it's something >>> we're going to have to deal with for a long time. >>> >> Speaking of vlan filtering etc? It's just a matter of time before it >> supports all interesting features. Kernel support is there in net-next >> already, userspace should be easy too. I should be able to code it up >> once I finish bothering about upstream merge (hint hint :)). >> > > :-) As I've said in the past, I'm willing to live with -net tap,vhost > but I really think -net vhost would be better in the long run. > > The only two real issues I have with the series is the ring address > mapping stability
This one I do not yet understand completely to be able solve. Is the only case where PCI BAR overlays RAM? I think this case is best dealt with by disabling BAR mapping. > and the duplicated slot management code. If you look at qemu-kvm, it's even triplicated :) I just would like to get the code merged, then work at adding more infrastructure to prettify it. > Both have security implications so I think it's important that they > be addressed. Otherwise, I'm pretty happy with how things are. Care suggesting some solutions? > >>> Furthermore, vhost reduces a virtual machine's security. It offers an >>> impressive performance boost (particularly when dealing with 10gbit+ >>> networking) but for a user that doesn't have such strong networking >>> performance requirements, I think it's reasonable for them to not want >>> to make a security trade off. >>> >> It's hard for me to see how it reduces VM security. If it does, it's >> not by design and will be fixed. >> > > If you have a bug in vhost-net (would never happen of course) then it's > a host-kernel exploit whereas if we have a bug in virtio-net userspace, > it's a local user exploit. We have a pretty robust architecture to deal > with local user exploits (qemu can run unprivilieged, SELinux enforces > mandatory access control) but a host-kernel can not be protected against. > > I'm not saying that we should never put things in the kernel, but > there's definitely a security vs. performance trade off here. > > Regards, > > Anthony Liguori Not sure I get the argument completely. Any kernel service with a bug might be exploited for priveledge escalation. Yes, more kernel code gives you more attack surface, but given we use rich interfaces such as ones exposed by kvm, I am not sure by how much. Also note that vhost net does not take qemu out of the equation for everything, just for datapath operations. -- MST
