From stefanha at redhat.com Wed Nov 11 11:17:46 2020
From: stefanha at redhat.com (Stefan Hajnoczi)
Date: Wed, 11 Nov 2020 11:17:46 +0000
Subject: [Rust-VMM] Requirements for out-of-process device emulation
In-Reply-To: <87ft6jz7od.fsf@linaro.org>
References: <20201009161815.GA321402@stefanha-x1.localdomain> <87ft6jz7od.fsf@linaro.org>
Message-ID: <20201111111746.GA1344536@stefanha-x1.localdomain>

On Mon, Oct 12, 2020 at 06:16:18PM +0100, Alex Bennée wrote:
> Stefan Hajnoczi writes:
> > Security
> > --------
> > The trust model
> > ```````````````
> > The VMM must not trust the device emulation program. This is key to
> > implementing privilege separation and the principle of least privilege.
> > If a compromised device emulation program is able to gain control of the
> > VMM then out-of-process device emulation has failed to provide isolation
> > between devices.
> >
> > The device emulation program must not trust the VMM to the extent that
> > this is possible. For example, it must validate inputs so that the VMM
> > cannot gain control of the device emulation process through memory
> > corruptions or other bugs. This makes it so that even if the VMM has
> > been compromised, access to device resources and associated system calls
> > still requires further compromising the device emulation process.
>
> However in this model the guest intrinsically trusts device emulation
> because it currently has full access to the guest's address space. It
> would probably be worth making that explicit.
>
> There are security models where the guest doesn't need to trust the VMM
> or particular device emulations.

Where do you see that assumption in the text?

BTW, shared guest memory access is optional in vhost-user. The protocol
allows the VMM to handle DMA accesses instead of granting the device
access to guest memory.

Stefan
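The quoted requirement that the device emulation program validate everything the VMM sends, so that a compromised VMM cannot turn a malformed message into memory corruption on the device side, is easier to see with concrete code. The Rust below is an added example written for this thread; it is not rust-vmm or vhost-user code, and the wire format (a hypothetical "set memory table" message: a 4-byte magic, a region count, a payload length, then 16-byte region descriptors) is constructed for illustration. The constants `MAGIC`, `MAX_REGIONS` and `MAX_PAYLOAD` and the function names are assumptions of this example. It shows the checks a device process should apply before trusting a memory-region table: header length, bounded counts, length consistency without integer overflow, and region ranges that cannot wrap, followed by a guest-address translation that refuses any access not fully inside a known region.

```rust
// Added example: defensive parsing of a hypothetical VMM -> device message.
// Not rust-vmm or vhost-user code; the format and limits are constructed here.
use std::convert::TryInto;

const MAGIC: u32 = 0x5645_4d44; // arbitrary constructed magic value
const MAX_REGIONS: usize = 8; // assumed upper bound a device is willing to track
const MAX_PAYLOAD: usize = 4096; // assumed upper bound on a single message payload
const HDR: usize = 12; // magic(u32 LE) | region_count(u32 LE) | payload_len(u32 LE)
const REGION_DESC: usize = 16; // guest_addr(u64 LE) | size(u64 LE)

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadMagic,
    TooManyRegions,
    PayloadTooLarge,
    LengthMismatch,
    RegionOverflow,
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub struct MemRegion {
    pub guest_addr: u64,
    pub size: u64,
}

/// Parse a memory-table message from an untrusted peer. Every field is
/// checked against the buffer and against fixed limits before it is used.
pub fn parse_set_mem_table(buf: &[u8]) -> Result<Vec<MemRegion>, ParseError> {
    if buf.len() < HDR {
        return Err(ParseError::Truncated);
    }
    let magic = u32::from_le_bytes(buf[0..4].try_into().unwrap());
    if magic != MAGIC {
        return Err(ParseError::BadMagic);
    }
    let count = u32::from_le_bytes(buf[4..8].try_into().unwrap()) as usize;
    let payload_len = u32::from_le_bytes(buf[8..12].try_into().unwrap()) as usize;
    if count > MAX_REGIONS {
        return Err(ParseError::TooManyRegions);
    }
    if payload_len > MAX_PAYLOAD {
        return Err(ParseError::PayloadTooLarge);
    }
    // checked_mul: a peer-controlled count must never wrap the expected size.
    let expected = count.checked_mul(REGION_DESC).ok_or(ParseError::LengthMismatch)?;
    if payload_len != expected {
        return Err(ParseError::LengthMismatch);
    }
    // Declared payload length is only trusted once it fits in what we actually received.
    if buf.len() - HDR < payload_len {
        return Err(ParseError::Truncated);
    }
    let mut regions = Vec::with_capacity(count);
    for chunk in buf[HDR..HDR + payload_len].chunks_exact(REGION_DESC) {
        let guest_addr = u64::from_le_bytes(chunk[0..8].try_into().unwrap());
        let size = u64::from_le_bytes(chunk[8..16].try_into().unwrap());
        // Reject empty regions and ranges whose end would wrap around the address space.
        if size == 0 || guest_addr.checked_add(size).is_none() {
            return Err(ParseError::RegionOverflow);
        }
        regions.push(MemRegion { guest_addr, size });
    }
    Ok(regions)
}

/// Translate a guest physical range to (region index, offset). An access that
/// is not entirely inside one region is refused rather than partially served.
pub fn translate(regions: &[MemRegion], gpa: u64, len: u64) -> Option<(usize, u64)> {
    let end = gpa.checked_add(len)?;
    regions.iter().enumerate().find_map(|(i, r)| {
        let region_end = r.guest_addr.checked_add(r.size)?;
        if gpa >= r.guest_addr && end <= region_end {
            Some((i, gpa - r.guest_addr))
        } else {
            None
        }
    })
}

/// Build a well-formed message of the constructed format (for tests and the demo).
pub fn build_message(regions: &[(u64, u64)]) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&MAGIC.to_le_bytes());
    out.extend_from_slice(&(regions.len() as u32).to_le_bytes());
    out.extend_from_slice(&((regions.len() * REGION_DESC) as u32).to_le_bytes());
    for &(addr, size) in regions {
        out.extend_from_slice(&addr.to_le_bytes());
        out.extend_from_slice(&size.to_le_bytes());
    }
    out
}

fn main() {
    let msg = build_message(&[(0x1000, 0x2000)]);
    match parse_set_mem_table(&msg) {
        Ok(regions) => println!(
            "accepted {} region(s); gpa 0x1800 -> {:?}",
            regions.len(),
            translate(&regions, 0x1800, 0x100)
        ),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The point of the bounds on `count` and `payload_len` is that the device process allocates and indexes only on values it has already capped, so a hostile VMM cannot drive it into a huge allocation or an out-of-range read; the `checked_add` in `translate` is what keeps a wrapped guest address from being mapped to a region it does not belong to.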