在 2021/4/15 下午4:36, Jason Wang 写道:

quoted

quoted

Please state this explicitly at the start of the document. Existing
interfaces like FUSE are designed to avoid trusting userspace.

There're some subtle difference here. VDUSE present a device to kernel 
which means IOMMU is probably the only thing to prevent a malicous 
device.

quoted

Therefore
people might think the same is the case here. It's critical that people
are aware of this before deploying VDUSE with virtio-vdpa.

We should probably pause here and think about whether it's possible to
avoid trusting userspace. Even if it takes some effort and costs some
performance it would probably be worthwhile.

Since the bounce buffer is used the only attack surface is the 
coherent area, if we want to enforce stronger isolation we need to use 
shadow virtqueue (which is proposed in earlier version by me) in this 
case. But I'm not sure it's worth to do that.

So this reminds me the discussion in the end of last year. We need to 
make sure we don't suffer from the same issues for VDUSE at least

https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@redhat.com/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b

Or we can solve it at virtio level, e.g remember the dma address instead 
of depending on the addr in the descriptor ring

Thanks

quoted

Is the security situation different with vhost-vdpa? In that case it
seems more likely that the host kernel doesn't need to trust the
userspace VDUSE device.