Hello,

I would like to implement some security checks in the qemu user process
that would monitor the disk I/O of a KVM guest. I am trying to understand
if this is a good level for the implementation (such that the security
checks are safe) or I need to do this at a lower level (possibly in the
hypervisor itself?). Can the thread that runs the guest code influence or
control the guest and the I/O thread(s)?

Reading the doc on memory [1] and the KVM paper [2], I understood that the
qemu userspace process and the guest have separate memory spaces. Also, the
userspace process can map guest memory to emulate DMA devices, which seems
to indicate that control over memory goes in one direction, from the userspace
process to the guest.

I would like to better understand the mapping and how safe the separation
between the userspace qemu and the guest is. [3] shows that the safe
approach to harden KVM is to move functionality (and thus the attack
surface) to the userspace process, which indicates that the separation
between guest and userspace is trusted.

Could you give me some pointers about where to look in the code in order to
better assess the guest-userspace process separation?

Thank you,
Andrei


[1] docs/specs/memory.txt
[2] https://www.kernel.org/doc/ols/2007/ols2007v1-pages-225-230.pdf
[3] http://www.linux-kvm.org/wiki/images/f/f6/01x02-KVMHardening.pdf