On Wed, Dec 01, 2021 at 09:54:27AM +0000, Shameerali Kolothum Thodi wrote:

So just to make it clear , if a device declares that it doesn't support NDMA
and P2P, is the v1 version of the spec good enough or we still need to take
care the case that a malicious user might try MMIO access in !RUNNING
state and should have kernel infrastructure in place to safe guard that?

My thinking is so long as the hostile user space cannot compromise the
kernel it is OK. A corrupted migration is acceptable if userspace is
not following the rules.

From a qemu perspective it should prevent a hostile VM from corrupting
the migration, as that is allowing the VM to attack the infrastructure
even if it hopefully only harms itself.

(Just a note to clarify that these are not HNS devices per se. HNS actually
stands for HiSilicon Network Subsystem and doesn't currently have live
migration capability. The devices capable of live migration are HiSilicon
Accelerator devices).

Sorry, I mostly talk to the hns team ;)

Jason