RE: [PATCH v3 00/10] Add Intel VT-d nested translation

Tian, Kevin posted 10 patches 2 years, 8 months ago
RE: [PATCH v3 00/10] Add Intel VT-d nested translation
Posted by Tian, Kevin 2 years, 8 months ago
> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Tuesday, May 30, 2023 2:43 AM
> 
> On Wed, May 24, 2023 at 08:59:43AM +0000, Tian, Kevin wrote:
> 
> > At least this looks a reasonable tradeoff to some proprietary VMMs
> > which never adds RO mappings in stage-2 today.
> 
> What is the reason for the RO anyhow?

vfio simply follows the permissions in the CPU address space.

vBIOS regions are marked as RO there hence also carried to vfio mappings.

> 
> Would it be so bad if it was DMA mapped as RW due to the errata?
> 

Think of a scenario where the vBIOS memory is shared by multiple QEMU
instances: then RW allows a malicious VM to modify the shared content
and potentially attack other VMs.

Skipping the mapping is safest in this regard.
Re: [PATCH v3 00/10] Add Intel VT-d nested translation
Posted by Jason Gunthorpe 2 years, 7 months ago
On Wed, Jun 14, 2023 at 08:07:30AM +0000, Tian, Kevin wrote:

> think of a scenario where the vbios memory is shared by multiple qemu
> instances then RW allows a malicious VM to modify the shared content
> then potentially attacking other VMs.

qemu would have to map the vbios as MAP_PRIVATE WRITE before the iommu
side could map it writable, so this is not a real worry.

Jason
RE: [PATCH v3 00/10] Add Intel VT-d nested translation
Posted by Tian, Kevin 2 years, 7 months ago
> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Wednesday, June 14, 2023 7:53 PM
> 
> On Wed, Jun 14, 2023 at 08:07:30AM +0000, Tian, Kevin wrote:
> 
> > think of a scenario where the vbios memory is shared by multiple qemu
> > instances then RW allows a malicious VM to modify the shared content
> > then potentially attacking other VMs.
> 
> qemu would have to map the vbios as MAP_PRIVATE WRITE before the iommu
> side could map it writable, so this is not a real worry.
> 

Makes sense.

But IMHO it's still safer to reduce the permission (RO->NP) than to increase
the permission (RO->RW) when faithfully emulating bare-metal behavior
is impossible, especially when there is no real usage counting on it. 😊