Re: [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions

[Jason Wang]

On 2020/9/4 上午3:46, Edgar E. Iglesias wrote:
> On Thu, Sep 03, 2020 at 07:53:33PM +0200, Paolo Bonzini wrote:
> > On 03/09/20 17:50, Edgar E. Iglesias wrote:
> > > > > Hmm, I guess it would make sense to have a configurable option in KVM
> > > > > to isolate passthrough devices so they only can DMA to guest RAM...
> > > > Passthrough devices are always protected by the IOMMU, anything else
> > > > would be obviously insane^H^H^Hecure. :)
> > > Really? To always do that blindly seems wrong.
> > >
> > > I'm refering to the passthrough device not being able to reach registers
> > > of other passthrough devices within the same guest.
> > Ah okay; sorry, I misunderstood.  That makes more sense now!
> >
> > Multiple devices are put in the same IOMMU "container" (page table
> > basically), and that takes care of reaching registers of other
> > passthrough devices.
> Thanks, yes, that's a sane default. What I was trying to say before is that
> it may make sense to allow the user to "harden" the setup by selectivly
> putting certain passthrough devs on a separate group that can *only*
> DMA access guest RAM (not other device regs).


This makes sens but it requires the knowledge from the management layer 
of whether P2P is needed which is probably not easy.

Thanks


> Some devs need access to other device's regs but many passthrough devs don't
> need DMA access to anything else but RAM (e.g an Ethernet MAC).
>
> That could mitigate the damage caused by wild DMA pointers...
>
> Cheers,
> Edgar