Avi Kivity wrote:
> Rusty Russell wrote:
>> Hi all,
>>
>> Just finished my prototype of inter-guest virtio, using networking as an
>> example. Each guest mmaps the other's address space and uses a FIFO for
>> notifications.
>
> Isn't that a security hole (hole? chasm)? If the two guests can access
> each other's memory, they might as well be just one guest, and
> communicate internally.

Each guest's host userspace mmaps the other guest's address space. The
userspace then does a copy on both the tx and rx paths.
Conceivably, this could be done as a read-only mapping so that each
guest userspace copies only the rx packets. That's about as secure as
you're going to get with this approach I think.
Regards,
Anthony Liguori

> My feeling is that the host needs to copy the data, using dma if
> available. Another option is to have one guest map the other's memory
> for read and write, while the other guest is unprivileged. This allows
> one privileged guest to provide services for other, unprivileged guests,
> like domain 0 or driver domains in Xen.

_______________________________________________
Lguest mailing list
Lguest@ozlabs.org
https://ozlabs.org/mailman/listinfo/lguest
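
The read-only mapping with a copy on the rx path, as discussed in the thread above, sketched as an added example (not code from the thread or from lguest). The slot layout, sizes and the helper names `make_backing`, `map_peer_ro` and `rx_copy` are assumptions made for illustration, and a temporary file stands in for the peer guest's memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_SIZE 4096u   /* constructed size of the shared region */
#define MAX_PKT     1500u

/* Constructed layout: a single packet slot at offset 0 of the peer's memory. */
struct pkt_slot { uint32_t len; uint8_t data[MAX_PKT]; };

/* Stand-in for the file that backs a guest's memory (hypothetical helper). */
int make_backing(void) {
    FILE *f = tmpfile();
    int fd = f ? dup(fileno(f)) : -1;
    if (f) fclose(f);
    if (fd >= 0 && ftruncate(fd, REGION_SIZE) != 0) { close(fd); fd = -1; }
    return fd;
}

/* Receiver side: PROT_READ only, so a store through this pointer faults
 * instead of altering the peer guest. */
const struct pkt_slot *map_peer_ro(int fd) {
    void *p = mmap(NULL, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    return p == MAP_FAILED ? NULL : (const struct pkt_slot *)p;
}

/* rx path: the peer can rewrite the slot while we read it, so snapshot len
 * once, bound it, then copy into private memory. Returns bytes copied or -1. */
long rx_copy(const struct pkt_slot *peer, uint8_t *dst, size_t cap) {
    uint32_t len = *(const volatile uint32_t *)&peer->len;
    if (len > MAX_PKT || len > cap) return -1;
    memcpy(dst, peer->data, len);
    return (long)len;
}

int main(void) {
    int fd = make_backing();
    if (fd < 0) return 1;
    struct pkt_slot *tx = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE,
                               MAP_SHARED, fd, 0);   /* sending guest's view */
    const struct pkt_slot *rx = map_peer_ro(fd);
    if (tx == MAP_FAILED || !rx) return 1;
    uint8_t buf[MAX_PKT];
    memcpy(tx->data, "ping", 4); tx->len = 4;        /* constructed packet */
    printf("valid packet:   %ld\n", rx_copy(rx, buf, sizeof buf));
    tx->len = 0xffffffffu;                           /* hostile length field */
    printf("hostile length: %ld\n", rx_copy(rx, buf, sizeof buf));
    return 0;
}
```

The read-only mapping protects the peer's integrity only; the receiver can still read everything in the mapped region, which is the residual exposure the thread is debating.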