How would I, with libvirt/qemu and AMD-Vi v1.26, restrict device
communication inside a VM as it would be on the host?

I am under the assumption that this doesn't happen and that, for instance,
with a router/firewall you would have the following dilemma:

Bare metal - IOMMU protects you from network controller PCI-e P2P or DMA
egress exploits, assuming you use two different physical controllers.

VM - Can restrict write access to the device firmware and router OS to
prevent a rootkit from becoming permanent, by making the system
partition read-only in the VMM when you aren't doing updates in a
"maintenance mode" with routing disabled.