[Rust-VMM] Requirements for out-of-process device emulation

Stefan Hajnoczi stefanha at redhat.com
Wed Nov 11 11:17:46 UTC 2020


On Mon, Oct 12, 2020 at 06:16:18PM +0100, Alex Bennée wrote:
> Stefan Hajnoczi <stefanha at redhat.com> writes:
> > Security
> > --------
> > The trust model
> > ```````````````
> > The VMM must not trust the device emulation program. This is key to
> > implementing privilege separation and the principle of least privilege.
> > If a compromised device emulation program is able to gain control of the
> > VMM then out-of-process device emulation has failed to provide isolation
> > between devices.
> >
> > The device emulation program must not trust the VMM to the extent that
> > this is possible. For example, it must validate inputs so that the VMM
> > cannot gain control of the device emulation process through memory
> > corruptions or other bugs. This makes it so that even if the VMM has
> > been compromised, access to device resources and associated system calls
> > still requires further compromising the device emulation process.
> 
> However in this model the guest intrinsically trusts device emulation
> because it currently has full access to the guest's address space. It
> would probably be worth making that explicit.
> 
> There are security models where the guest doesn't need to trust the VMM
> or particular device emulations.

Where do you see that assumption in the text?

BTW, shared guest memory access is optional in vhost-user. The protocol
allows the VMM to handle DMA accesses instead of granting the device
access to guest memory.

Stefan
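As an added illustration of the quoted requirement that the device emulation program validate what the VMM sends it (not code from this thread or from any rust-vmm crate): a check over a vhost-user-style memory-region table before the device maps anything. The type and function names are assumed for the example.

```rust
// Added example, not code from the thread: a device-emulation process
// validating the memory-region table an untrusted VMM sent it, before
// mapping anything. MemRegion/validate_regions are illustrative names.
#[derive(Clone, Copy, Debug)]
pub struct MemRegion {
    pub guest_phys_addr: u64, // guest-physical base of the region
    pub size: u64,            // length in bytes
    pub mmap_offset: u64,     // offset into the file descriptor the VMM passed
}

#[derive(Debug, PartialEq)]
pub enum RegionError {
    TooMany(usize),
    ZeroSize(usize),
    AddrOverflow(usize),
    BeyondFile(usize),
    Overlap(usize, usize),
}

pub const MAX_REGIONS: usize = 8;

/// `fd_len` is the backing file's real length (e.g. from fstat), measured by
/// the device itself rather than taken from anything the VMM claims.
pub fn validate_regions(regions: &[MemRegion], fd_len: u64) -> Result<(), RegionError> {
    if regions.len() > MAX_REGIONS {
        return Err(RegionError::TooMany(regions.len()));
    }
    for (i, r) in regions.iter().enumerate() {
        if r.size == 0 {
            return Err(RegionError::ZeroSize(i));
        }
        // Guest address range must not wrap around the 64-bit space.
        let gpa_end = r.guest_phys_addr.checked_add(r.size).ok_or(RegionError::AddrOverflow(i))?;
        // File offset range must not wrap and must lie inside the file we measured.
        match r.mmap_offset.checked_add(r.size) {
            Some(end) if end <= fd_len => {}
            _ => return Err(RegionError::BeyondFile(i)),
        }
        // No two regions may cover the same guest-physical bytes.
        for (j, o) in regions[..i].iter().enumerate() {
            if r.guest_phys_addr < o.guest_phys_addr + o.size && o.guest_phys_addr < gpa_end {
                return Err(RegionError::Overlap(j, i));
            }
        }
    }
    Ok(())
}
```

A table that fails any of these checks should cause the device to reject the message, not to map a best-effort subset.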

