Subject: Re: [virtio-dev] Re: [Qemu-devel] [virtio-dev] [PATCH v3 0/7] Vhost-pci for inter-VM communication
On 12/14/2017 05:40 PM, Michael S. Tsirkin wrote:
On Thu, Dec 14, 2017 at 05:39:19PM +0100, Maxime Coquelin wrote:On 12/14/2017 05:27 PM, Michael S. Tsirkin wrote:On Thu, Dec 14, 2017 at 03:46:56PM +0000, Stefan Hajnoczi wrote:On Wed, Dec 13, 2017 at 10:50:11PM +0100, Maxime Coquelin wrote:On 12/13/2017 09:08 PM, Stefan Hajnoczi wrote:On Wed, Dec 13, 2017 at 3:01 PM, Michael S. Tsirkin <email@example.com> wrote:On Wed, Dec 13, 2017 at 12:35:21PM +0000, Stefan Hajnoczi wrote:I'm not saying that DPDK should use libvhost-user. I'm saying that it's easy to add vfio vhost-pci support (for the PCI adapter I described) to DPDK. This patch series would require writing a completely new slave for vhost-pci because the device interface is so different from vhost-user.The main question is how appropriate is the vhost user protocol for passing to guests. And I am not sure at this point. Someone should go over vhost user messages and see whether they are safe to pass to guest. If most are then we can try the transparent approach. If most aren't then we can't and might as well use the proposed protocol which at least has code behind it.I have done that:...* VHOST_USER_SET_MEM_TABLE Set up BARs before sending a VHOST_USER_SET_MEM_TABLE to the guest.It would require to filter out userspace_addr from the payload not to leak other QEMU process VAs to the guest.QEMU's vhost-user master implementation is insecure because it leaks QEMU process VAs. This also affects vhost-user host processes, not just vhost-pci. The QEMU vhost-user master could send an post-IOMMU guest physical addresses whereever the vhost-user protocol specification says "user address". That way no address space information is leaked although it does leak IOMMU mappings. If we want to hide the IOMMU mappings too then we need another logical address space (kind a randomized ramaddr_t). Anyway, my point is that the current vhost-user master implementation is insecure and should be fixed. vhost-pci doesn't need to worry about this issue. StefanI was going to make this point too. It does not look like anyone uses userspace_addr. It might have been a mistake to put it there - maybe we should have reused it for map offset. It does not look like anyone uses this for anything. How about we put zero, or a copy of the GPA there?It is used when no iommu for the ring addresses, and when iommu is used for the IOTLB update messages. MaximeHow do clients use it? Why won't GPA do just as well?
It is used to calculate the offset in the regions, so if we change all to use GPA, it may work without backend change. Maxime