> A group of us are starting to work on sandboxing QEMU device emulation
> code. We're just getting started investigating various approaches, and
> want to engage the community to gather input.
>
> Following are the design points that we are currently considering:
>
> * Decompose QEMU into multiple processes:
>
> * This could be done such that QEMU devices execute in separate
> processes based on device type, e.g. all block devices in one
> process and all network devices in a second process. Another
> alternative is executing a separate process per device.
I can't help wondering if nested virtualization would be a better solution, i.e. have an outer VM that only implements a trusted subset of devices. Inside that, run a VM that provides the flaky legacy device emulation you expect to be compromised.

Paul