Subject: Re: [Bug 251046] bhyve PCI passthrough does not work inside jail
To: freebsd-virtualization@freebsd.org
Date: Tue, 24 Aug 2021 20:58:40 -0300
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
From: Anatoli via freebsd-virtualization
Reply-To: me@anatoli.ws

Mark, All,

On 23/11/20 13:11, bugzilla-noreply@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046
>
> Mark Johnston changed:
>
> What    |Removed |Added
> ----------------------------------------------------------------------------
> CC      |        |markj@FreeBSD.org
> Status  |New     |Open
>
> --- Comment #3 from Mark Johnston ---
> PRIV_IO access is not required only by /dev/io, it is also required for
> sysarch(I386_SET_IOPERM), which is otherwise available to jailed processes. So
> the patch definitely should not be committed. A better solution would be to
> extend pci(4) so that bhyve can use it to do everything required for PCI
> passthrough. Even then I'm not sure why it's useful to jail the bhyve process
> - what does it buy you?
In light of the recently patched VM-escape vulnerability in bhyve (FreeBSD-SA-21:13.bhyve, fixing CVE-2021-29631), I'd like to highlight the benefits of running bhyve under a non-root user and inside a jail by default. If that were the case, this vulnerability, instead of a complete host takeover, would just have a DoS impact on the malicious VM, which is perfectly fine IMO. That's why it's extremely important to make bhyve work correctly in all situations (including PPT) inside a jail, so we could make it run inside a jail by default.

> I am very skeptical that jailing bhyve with PCI passthrough enabled provides
> any meaningful security. /dev/pci allows a jailed root to access all PCI(e)
> devices in the system. Jails can be a useful deployment mechanism though, so I
> think we should better support their integration with bhyve.

With respect to this, isn't it possible to restrict the bhyve process (maybe self-restricting via Capsicum) to just the masked PCI addresses, or to the PCI addresses specified via the args, so as to limit the impact of a bhyve compromise to just the intended device(s)? Or, as you already proposed, to extend pci(4) so that bhyve can use it to do everything required for PPT?

Regards,
Anatoli