[dpdk-dev] Having troubles binding an SR-IOV VF to uio_pci_generic on Amazon instance
Avi Kivity
avi at scylladb.com
Wed Sep 30 23:00:25 CEST 2015
On 09/30/2015 11:40 PM, Michael S. Tsirkin wrote:
> On Wed, Sep 30, 2015 at 06:36:17PM +0300, Avi Kivity wrote:
>> As it happens, you're removing the functionality from the users who have no
>> other option. They can't use vfio because it doesn't work on virtualized
>> setups.
> ...
>
>> Root can already do anything.
> I think there's a contradiction between the two claims above.
Yes, root can replace the current kernel with a patched kernel. In that
sense, root can do anything, and the kernel is complete. Now let's stop
playing word games.
>> So what security issue is there?
> A buggy userspace can and will corrupt kernel memory.
>
> ...
>
>> And for what, to prevent
>> root from touching memory via dma that they can access in a million other
>> ways?
> So one can be reasonably sure a kernel oops is not a result of a
> userspace bug.
>
That's not security. It's a legitimate concern though, one that is
addressed by tainting the kernel.
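One way to find the devices this thread is arguing about on a given host, as an added example that is not part of the original thread, of DPDK or of the kernel: walk sysfs, see which PCI functions are bound to a UIO driver, and check whether each one sits in an IOMMU group. It mirrors the real links `/sys/bus/pci/devices/<bdf>/driver` and `/sys/bus/pci/devices/<bdf>/iommu_group`; the sample tree, the device addresses and the function names (`audit_pci_devices`, `unprotected_devices`, `build_sample_sysfs`) are constructed here so the audit runs offline.

```python
"""Audit which PCI devices hand their DMA engine to userspace without an IOMMU.

Added example (not DPDK or kernel code). It reads the same sysfs symlinks an
administrator would inspect by hand; the sample tree below is constructed.
"""
import os
import tempfile

# Drivers that expose a device to userspace through UIO. With no IOMMU in the
# path, a userspace bug can DMA anywhere, including into kernel memory.
UIO_DRIVERS = {"uio_pci_generic", "igb_uio"}


def _link_target_name(dev_path, name):
    """Basename of a sysfs symlink ('driver' or 'iommu_group'), or None if absent."""
    link = os.path.join(dev_path, name)
    if not os.path.islink(link):
        return None
    return os.path.basename(os.readlink(link))


def audit_pci_devices(sysfs_root="/sys"):
    """Return {bdf: (driver, iommu_group, verdict)} for every PCI function."""
    devices_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    report = {}
    for bdf in sorted(os.listdir(devices_dir)):
        dev = os.path.join(devices_dir, bdf)
        driver = _link_target_name(dev, "driver")
        group = _link_target_name(dev, "iommu_group")
        if driver is None:
            verdict = "no driver bound"
        elif driver in UIO_DRIVERS and group is None:
            verdict = "userspace DMA, no IOMMU group: kernel memory unprotected"
        elif driver in UIO_DRIVERS:
            verdict = "userspace DMA via UIO; isolation depends on IOMMU mode"
        elif driver == "vfio-pci":
            verdict = "userspace DMA confined by IOMMU"
        else:
            verdict = "kernel driver"
        report[bdf] = (driver, group, verdict)
    return report


def unprotected_devices(sysfs_root="/sys"):
    """Only the BDFs whose userspace DMA is not confined by an IOMMU group."""
    return [bdf for bdf, (drv, grp, _) in audit_pci_devices(sysfs_root).items()
            if drv in UIO_DRIVERS and grp is None]


def build_sample_sysfs():
    """Construct a fake sysfs tree (sample data, not taken from a real host)."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    devices = os.path.join(root, "bus", "pci", "devices")
    drivers = os.path.join(root, "bus", "pci", "drivers")
    groups = os.path.join(root, "kernel", "iommu_groups")
    os.makedirs(devices)
    os.makedirs(groups)
    for name in ("uio_pci_generic", "vfio-pci", "ixgbevf"):
        os.makedirs(os.path.join(drivers, name))
    # Constructed devices: a VF bound the way the thread describes, one bound
    # to vfio-pci inside IOMMU group 7, and one left with a kernel driver.
    sample = {
        "0000:00:03.0": ("uio_pci_generic", None),
        "0000:00:04.0": ("vfio-pci", "7"),
        "0000:00:05.0": ("ixgbevf", None),
    }
    for bdf, (drv, grp) in sample.items():
        dev = os.path.join(devices, bdf)
        os.makedirs(dev)
        os.symlink(os.path.join("..", "..", "drivers", drv),
                   os.path.join(dev, "driver"))
        if grp is not None:
            os.makedirs(os.path.join(groups, grp), exist_ok=True)
            os.symlink(os.path.join("..", "..", "..", "..", "kernel", "iommu_groups", grp),
                       os.path.join(dev, "iommu_group"))
    return root


if __name__ == "__main__":
    root = build_sample_sysfs()
    for bdf, (drv, grp, verdict) in audit_pci_devices(root).items():
        print(f"{bdf}  driver={drv or '-':16} iommu_group={grp or '-':3} {verdict}")
    print("unprotected:", unprotected_devices(root))
```

Run against a live host by calling `audit_pci_devices()` with the default root; anything listed by `unprotected_devices()` is a device whose DMA is programmed from userspace with nothing between it and kernel memory, which is exactly the failure mode the reply above is discussing.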