Subject: Re: some questions
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: port-xen
Date: 01/06/2006 17:54:00
On Thu, Jan 05, 2006 at 11:47:55PM -0500, Thor Lancelot Simon wrote:
> On Thu, Jan 05, 2006 at 10:54:20PM +0100, Manuel Bouyer wrote:
> > 
> > Are there x86 hardware with IOMMU ?
> 
> Anything with an AGP GART has an IOMMU, after a fashion -- it has an
> address mapping engine for DMA.  The AMD Opteron processors extend
> the GART so that it's much more useful -- I believe it even has
> page permissions.

Hum, this could be related to what I've seen in the Xen roadmap then.
Offhand I don't know if this is in Xen3 or not.

> 
> > Sure. But for this you have to gain direct access to the DMA device,
> > so the domU's kernel has to misbehave. Which kernel is running on the
> > domU is under the domain0's control, so if enough access controls are
> > present in this kernel (and it's bug-free :) it can be trusted.
> > For this, the kernel's memory has to be non-writable for any userland process,
> > this is why I talked about starting this kernel at securelevel 1.
> 
> If all I cared about were secure operation with a bug-free OS kernel, I
> might as well just use chroot, from my point of view.

Depends on the application. There are things you can do with different domains
you can't do with a chroot (network-related, for example).

> 
> Letting "unprivileged" domains access device DMA engines grants their
> kernels all the privilege that the dom0 kernel has, because it lets
> the domU kernels write arbitrary memory, including that occupied by the
> dom0 kernel itself.

Or read arbitrary memory. I fully understand that.

> It's not a point to gloss over, because the
> security implications are very real -- and the cost of using xbd for
> domU disks to mitigate the problem is, really, quite small.

Yes, they're real. But it's still not exactly the same thing as giving
full access to dom0: you have to hack the domU's kernel first, in order
to execute code with kernel privileges.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--