[Rust-VMM] [Rust-vmm] Goals for this list

Anthony Liguori aliguori at amazon.com
Thu Dec 20 15:05:28 UTC 2018


Allison Randal <allison at lohutok.net> writes:

> On 12/19/18 5:19 PM, Anthony Liguori wrote:
>> 
>> I did look at the work you've done and it's great!  I do think it's
>> important to cover everything though and especially to get architectures
>> like aarch64.
>
> Thanks, it really was just a proof-of-concept. Rust is much better than
> C at selective compilation for different architectures, so that's
> another area where well-written Rust would be a huge improvement over
> poorly-translated C-to-Rust.
>
>> I think while the bindgen results are not beautiful, having a bindgen
>> layer gives us something we can build nicer interfaces on top of.
>
> My primary concern was tight control over security at the lower layers,
> hence the emphasis on keeping that interface to KVM extremely clean and
> small. Totally understandable that other Rust hypervisor implementations
> may have other priorities.
>
>
> I'm curious whether rewriting (a subset of) the KVM kernel module itself
> in Rust would end up being a significant advantage for memory safety and
> security at an even lower layer. (Rust's ability to drop in as a
> compatible replacement for C components is a great advantage for
> gradually improving the memory safety of critical pieces of legacy C
> code.) I haven't decided whether to do a proof-of-concept on that yet,
> though, as my current focus is security vulnerabilities at the hardware
> level that punch through VM isolation (L1TF, etc.).

Yes!  But in addition to rewriting that subset, moving it to userspace
gives you yet another layer of protection.

The two biggest sources of CVEs in KVM have been instruction emulation
and device emulation.  Moving the x86_emulate code to userspace and
rewriting it in Rust would eliminate one of the larger attack surfaces
in KVM and likewise, moving IO APIC and PIT emulation to userspace would
help a lot there too.

On modern processors, LAPIC is handled almost entirely in hardware so
the remaining complexity in KVM is really around EPT handling and
hardware interaction.  I don't think either can reasonably be moved.

Regards,

Anthony Liguori

>
> Allison
