Tracy R Reed wrote:
> Andrew Lentvorski wrote:
>> The big problem for both is still how to securely manage access to
>> shared resources like video cards and network cards.
>
> A solution to this problem is on the horizon: Intel's Virtualization for
> Directed IO aka VT-d makes it possible to map input/output devices to
> particular virtual machines.
>
> But even without this, access to network cards is no problem. The virtual
> ethernet interfaces on the virtual domains are bridged with the physical
> ethernet card controlled by privileged domain 0. It is currently video
> and other hardware that are the issue.

Yes and no. I'm more interested in whether a "shared" network card
could be used as an attack vector rather than whether I can actually
share it. In the case of network cards, this tends to be manageable
because they have very little "state" which could be used against me.
However, if a card has something like a cryptoaccelerator, that's a
different problem.
Personally, I'm not a big fan of sharing cheap hardware resources like
network cards. Single point of failure and all that ...
-a