[Rust-VMM] Requirements for out-of-process device emulation
stefanha at redhat.com
Wed Nov 11 11:17:46 UTC 2020
On Mon, Oct 12, 2020 at 06:16:18PM +0100, Alex Bennée wrote:
> Stefan Hajnoczi <stefanha at redhat.com> writes:
> > Security
> > --------
> > The trust model
> > ```````````````
> > The VMM must not trust the device emulation program. This is key to
> > implementing privilege separation and the principle of least privilege.
> > If a compromised device emulation program is able to gain control of the
> > VMM then out-of-process device emulation has failed to provide isolation
> > between devices.
> > The device emulation program must not trust the VMM to the extent that
> > this is possible. For example, it must validate inputs so that the VMM
> > cannot gain control of the device emulation process through memory
> > corruptions or other bugs. This makes it so that even if the VMM has
> > been compromised, access to device resources and associated system calls
> > still requires further compromising the device emulation process.
> However in this model the guest intrinsically trusts device emulation
> because it currently has full access to the guest's address space. It
> would probably be worth making that explicit.
> There are security models where the guest doesn't need to trust the VMM
> or particular device emulations.
Where do you see that assumption in the text?
BTW, shared guest memory access is optional in vhost-user. The protocol
allows the VMM to handle DMA accesses instead of granting the device
access to guest memory.
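As an added example of the input validation the quoted trust model calls for (this is not code from the thread or from the rust-vmm project, and the field names are a simplified assumption): a device emulation process treats the memory region table and guest addresses supplied by the VMM as untrusted, checking for overflow, overlap and region boundaries before deriving any offset into shared memory.

```rust
// Added example, not rust-vmm code. `GuestRegion` is a simplified stand-in
// for a vhost-user memory region entry announced by the VMM (assumed shape).
#[derive(Debug, Clone, Copy)]
pub struct GuestRegion {
    pub guest_phys_addr: u64,
    pub size: u64,
    /// Offset of this region inside the shared mapping the device holds.
    pub mmap_offset: u64,
}

/// Why a VMM-supplied table or address was refused.
#[derive(Debug, PartialEq, Eq)]
pub enum XlateError {
    Overflow,
    Overlap,
    OutOfBounds,
}

/// Check a region table before accepting it: every range must fit in u64
/// arithmetic and no two regions may overlap in guest physical space.
pub fn validate_regions(regions: &[GuestRegion]) -> Result<(), XlateError> {
    for (i, r) in regions.iter().enumerate() {
        let end = r.guest_phys_addr.checked_add(r.size).ok_or(XlateError::Overflow)?;
        let _ = r.mmap_offset.checked_add(r.size).ok_or(XlateError::Overflow)?;
        for o in &regions[i + 1..] {
            let oend = o.guest_phys_addr.checked_add(o.size).ok_or(XlateError::Overflow)?;
            if r.guest_phys_addr < oend && o.guest_phys_addr < end {
                return Err(XlateError::Overlap);
            }
        }
    }
    Ok(())
}

/// Translate the guest range [gpa, gpa + len) into an offset within the shared
/// mapping. The whole range must lie inside one registered region; anything
/// that overflows or straddles a boundary is refused rather than clamped.
pub fn translate(regions: &[GuestRegion], gpa: u64, len: u64) -> Result<u64, XlateError> {
    let end = gpa.checked_add(len).ok_or(XlateError::Overflow)?;
    for r in regions {
        let rend = r.guest_phys_addr.checked_add(r.size).ok_or(XlateError::Overflow)?;
        if gpa >= r.guest_phys_addr && end <= rend {
            // Subtraction and addition cannot overflow here: validate_regions
            // already proved mmap_offset + size fits, and gpa >= region start.
            return Ok(r.mmap_offset + (gpa - r.guest_phys_addr));
        }
    }
    Err(XlateError::OutOfBounds)
}
```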