OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

virtio-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [PATCH v6 2/2] virtio-fs: add DAX window

Describe how shared memory region ID 0 is the DAX window and how
FUSE_SETUPMAPPING maps file ranges into the window.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The FUSE_SETUPMAPPING message is part of the virtio-fs Linux patches:

 * Document timing side-channel attacks [Michael]
 virtio-fs.tex | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/virtio-fs.tex b/virtio-fs.tex
index 81adf85..154b043 100644
--- a/virtio-fs.tex
+++ b/virtio-fs.tex
@@ -178,6 +178,51 @@ \subsubsection{Device Operation: High Priority Queue}\label{sec:Device Types / F
 The driver MUST anticipate that request queues are processed concurrently with the hiprio queue.
+\subsubsection{Device Operation: DAX Window}\label{sec:Device Types / File System Device / Device Operation / Device Operation: DAX Window}
+FUSE\_READ and FUSE\_WRITE requests transfer file contents between the
+driver-provided buffer and the device.  In cases where data transfer is
+undesirable, the device can map file contents into the DAX window shared memory
+region.  The driver then accesses file contents directly in device-owned memory
+without a data transfer.
+Shared memory region ID 0 is called the DAX window.  Drivers map this shared
+memory region with writeback caching as if it were regular RAM.  The contents
+of the DAX window are undefined unless a mapping exists for that range.
+The driver maps a file range into the DAX window using the FUSE\_SETUPMAPPING
+request.  Alignment constraints for FUSE\_SETUPMAPPING and FUSE\_REMOVEMAPPING
+requests are communicated during FUSE\_INIT negotiation.
+When a FUSE\_SETUPMAPPING request perfectly overlaps a previous mapping, the
+previous mapping is replaced.  When a mapping partially overlaps a previous
+mapping, the previous mapping is split into one or two smaller mappings.  When
+a mapping is partially unmapped it is also split into one or two smaller
+Establishing new mappings or splitting existing mappings consumes resources.
+If the device runs out of resources the FUSE\_SETUPMAPPING request fails until
+resources are available again following FUSE\_REMOVEMAPPING.
+After FUSE\_SETUPMAPPING has completed successfully the file range is
+accessible from the DAX window at the offset provided by the driver in the
+request.  A mapping is removed using the FUSE\_REMOVEMAPPING request.
+Data is only guaranteed to be persistent when a FUSE\_FSYNC request is used by
+the device after having been made available by the driver following the write.
+\devicenormative{\paragraph}{Device Operation: DAX Window}{Device Types / File System Device / Device Operation / Device Operation: DAX Window}
+The device MUST allow mappings that completely or partially overlap existing mappings within the DAX window.
+The device MUST reject mappings that would go beyond the end of the DAX window.
+\drivernormative{\paragraph}{Device Operation: DAX Window}{Device Types / File System Device / Device Operation / Device Operation: DAX Window}
+The driver SHOULD be prepared to find shared memory region ID 0 absent and fall back to FUSE\_READ and FUSE\_WRITE requests.
+The driver MUST NOT access DAX window areas that have not been mapped.
 \subsubsection{Security Considerations}\label{sec:Device Types / File System Device / Security Considerations}
 The device provides access to a file system containing files owned by one or
@@ -206,6 +251,16 @@ \subsubsection{Security Considerations}\label{sec:Device Types / File System Dev
 virtio-fs.  They are typically managed at the file system administration level
 by providing shared access only to mutually trusted users.
+Multiple machines sharing access to a file system are susceptible to timing
+side-channel attacks.  By measuring the latency of accesses to file contents or
+file system metadata it is possible to infer whether other machines also
+accessed the same information.  Short latencies indicate that the information
+was cached due to a previous access.  This can reveal sensitive information,
+such as whether certain code paths were taken.  The DAX Window provides direct
+access to file contents and is therefore a likely target of such attacks.
+These attacks are also possible with traditional FUSE requests.  The safest
+approach is to avoid sharing file systems between untrusted machines.
 \subsubsection{Live migration considerations}\label{sec:Device Types / File System Device / Live Migration Considerations}
 When a driver is migrated to a new device it is necessary to consider the FUSE

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]