From: Ernie Luzar <luzar722@gmail.com>
Date: Wed, 25 Aug 2021 09:50:04 -0400
To: bugzilla-noreply@freebsd.org
CC: jail@FreeBSD.org
Subject: Re: [Bug 251046] bhyve PCI passthrough does not work inside jail
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
Message-ID: <61264A8C.2080301@gmail.com>

bugzilla-noreply@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046
>
> --- Comment #15 from Anatoli ---
> Mark, All,
>
>> --- Comment #3 from Mark Johnston ---
>> PRIV_IO access is not required only by /dev/io, it is also required for
>> sysarch(I386_SET_IOPERM), which is otherwise available to jailed processes. So
>> the patch definitely should not be committed. A better solution would be to
>> extend pci(4) so that bhyve can use it to do everything required for PCI
>> passthrough. Even then I'm not sure why it's useful to jail the bhyve process
>> - what does it buy you?
>
> In light of the recently patched VM-escape vulnerability in bhyve
> (FreeBSD-SA-21:13.bhyve fixing the CVE-2021-29631), I'd like to highlight the
> benefits of running bhyve under a non-root user and inside a jail by default.
>
> If it were the case, this vulnerability, instead of a complete host takeover
> would just have a DoS impact on the malicious VM, which is perfectly fine IMO.
>
> That's why it's extremely important to make bhyve work correctly under all
> situations (including PPT) inside jail so we could make it run inside jail by
> default.
>
>
>> --- Comment #8 from Mark Johnston ---
>> I am very skeptical that jailing bhyve with PCI passthrough enabled provides
>> any meaningful security. /dev/pci allows a jailed root to access all PCI(e)
>> devices in the system. Jails can be a useful deployment mechanism though, so I
>> think we should better support their integration with bhyve.
>
> With respect to this, isn't it possible to restrict the bhyve process (maybe
> self-restricting via Capsicum) to just the masked PCI addresses or to the PCI
> addresses specified via the args so to limit the impact of a bhyve compromise to
> just the intended device(s)?
>
> Or, as you already proposed, to extend pci(4) so that bhyve can use it to do
> everything required for PPT?
>
> Regards,
> Anatoli
>

jail is not a vm.
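For readers following the thread, the following is an added configuration example (not from the bug report, the list, or the FreeBSD project) showing what the "bhyve inside a jail" deployment that Comment #15 argues for looks like today, and where the limit described in Comments #3 and #8 sits. It pairs a devfs ruleset with a jail.conf entry. The jail name `bhyve0`, its path, the ruleset number 25 and the start wrapper are assumptions; `allow.vmm`, `devfs_ruleset` and `mount.devfs` are real jail(8) parameters, and the devfs rule syntax follows devfs.rules(5).

```conf
# /etc/devfs.rules (assumed location; ruleset number 25 is an arbitrary choice)
# Expose only what a non-passthrough bhyve guest needs: the vmm(4) nodes and
# the nmdm(4) console pairs. Assumption: vmm nodes live under /dev/vmm/<name>.
[devfsrules_jail_bhyve=25]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path vmm unhide
add path 'vmm/*' unhide
add path 'nmdm*' unhide
# /dev/pci and /dev/io stay hidden on purpose. Unhiding /dev/pci would give a
# jailed root access to every PCI(e) device on the host (Comment #8), and the
# kernel withholds PRIV_IO from jails regardless (Comment #3), which is exactly
# why PCI passthrough (PPT) does not work from inside the jail (this bug).

# /etc/jail.conf (hypothetical jail name "bhyve0")
bhyve0 {
    path = "/jails/bhyve0";            # assumed jail root
    host.hostname = "bhyve0";
    mount.devfs;
    devfs_ruleset = 25;                # the ruleset defined above
    allow.vmm = 1;                     # required for the jail to use vmm(4) at all
    exec.start = "/usr/local/sbin/bhyve-run.sh";   # hypothetical start wrapper
}
```

The security property this buys is the one Comment #15 describes for the non-PPT case: a guest that escapes bhyve lands as root inside a jail that sees only the VM's own vmm and console nodes, not the host's block devices, /dev/mem or /dev/pci. As soon as passthrough requires /dev/pci to be unhidden, that containment largely collapses, which is the point Comment #8 makes and the reason the thread converges on extending pci(4) rather than on loosening the jail.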