'RE: [virtio-comment] [PATCH 5/6 Resend] Vhost-pci RFC: Future Security Enhancement'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kvm
Subject:    RE: [virtio-comment] [PATCH 5/6 Resend] Vhost-pci RFC: Future Security Enhancement
From:       "Wang, Wei W" <wei.w.wang () intel ! com>
Date:       2016-05-31 8:00:19
Message-ID: 286AC319A985734F985F78AFA26841F7C75B3C () shsmsx102 ! ccr ! corp ! intel ! com
[Download RAW message or body]

On Mon 5/30/2016 2:24 PM, Jan Kiszka Wrote:
> On 2016-05-29 10:11, Wei Wang wrote:
> > Signed-off-by: Wei Wang <wei.w.wang@intel.com>
> > ---
> > FutureWorks | 21 +++++++++++++++++++++
> > 1 file changed, 21 insertions(+)
> > create mode 100644 FutureWorks
> > 
> > diff --git a/FutureWorks b/FutureWorks new file mode 100644 index
> > 0000000..210edcd
> > --- /dev/null
> > +++ b/FutureWorks
> > @@ -0,0 +1,21 @@
> > +The vhost-pci design is currently suitable for a group of VMs who
> > +trust each other. To extend it to a more general use case, two
> > +security features can be added in the future.
> 
> Sounds a bit like security is just "nice to have" in the foreseen use cases of this
> mechanism. Is that really true?

Not really. It's usually a tradeoff between performance and security, so I think \
having security doesn't always mean "Nice" :-)

Instead of proposing a compromised solution, we can actually offer two independent \
solutions, performance oriented vhost-pci (let's call it fast vhost-pci) and security \
oriented vhost-pci (say, secure vhost-pci). It's up to the users to choose which one \
to use according to their use cases. So, the secured version of vhost-pci can be \
viewed as another option for users (not a replacement of this proposal).

Here is a use example:
There are two groups of VMs running on the same host machine. The frequent inter-VM \
communication between VMs in Group A can choose the fast vhost-pci mechanism. In a \
special case that a VM from Group A needs to communicate with a VM from Group B, they \
should set up a new NIC each and specify the use of the secure vhost-pci.  Since the \
secure vhost-pci is on our future plan, the traditional vhost-user can be an option \
for that inter-Group communication currently.

> > +
> > +1 vIOMMU
> > +vIOMMU provides the driver VM with the ability to restrict the device
> > +VM to transiently access a specified portion of its memory. The
> > +vhost-pci design proposed in this RFC can be extended to access the
> > +driver VM's memory with vIOMMU. Precisely, the vIOMMU engine in the
> > +driver VM configures access permissions (R/W) for the vhost-pci
> > +device to access its memory. More details can be found at
> > +https://wiki.opnfv.org/display/kvm/Vm2vm+Mst and
> > +https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03993.html
> 
> Do you have performance estimates on this approach already?
> 
> One challenge should be how to let the VMs reuse existing buffer mappings so
> that the vIOMMU isn't continuously reprogrammed - which is likely not very
> efficient.

I think one option here is to reserve a large block of GPA area (like a memory pool). \
The buffers are allocated from and freed to the pool.

Another one would be using batching. For example, set up a batch of 32 buffers (just \
give the starting guest physical address, and the 32 buffers are guest-physically \
continuous) each time.

> The other is how to hand over packets/buffers in a chain of multiple VMs. Ideally,
> there is already a hand-over from sender to the first receiver so that the sender
> can no longer mess with the packet after the receiver started processing it.
> However, that will work against efficiency.
> 
> Essentially, it's the old IPC question of remap vs. copy here. The rest is "just"
> interfaces to exploit this elegantly.

There are several ways to do a remapping. The remapping we are using here is to have \
the entire driver VM's memory mapped by the device VM, that is, the driver VM's \
memory is completely shared with the device VM. 

If I understand that old remapping based IPC problem correctly, this kind of \
remapping requires a high degree of coordination between the two parts (i.e. the \
device VM and the driver VM). I think "virtq" is right the coordination mechanism \
here - the device VM grabs and fills a buffer from the available ring and puts the \
filled buffer to the used ring,  so I don't think the sender would mess with the \
packet after the receiver started to process it. Please point out if I didn't get \
your point correctly. Thanks.

> 
> > +
> > +2 eptp switching
> > +The idea of eptp swithing allows a vhost-pci device driver to access
> > +the mapped driver VM's memory in an alternative view, where only a
> > +piece of trusted code can access the driver VM's memory. More details
> > +can be found at
> > +http://events.linuxfoundation.org/sites/events/files/slides/
> > +Jun_Nakajima_NFV_KVM%202015_final.pdf
> 
> As we learned a while back, this one is not really secure. Any updates on if/how
> this is going to be fixed?
> 

Right, that is why we claimed it as a protection mechanism. However, one option we \
are trying is to fix the related holes from the hardware. We can give updates once \
it's ready.

Best,
Wei

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic