DPDK patches and discussions
From: "Yangyongqiang (Tony, Shannon)" <yangyongqiang@huawei.com>
To: "Mauricio Vásquez" <mauricio.vasquezbernal@studenti.polito.it>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
	"huangyongtao (A)" <huangyongtao1@huawei.com>
Subject: [dpdk-dev] Reply: ivshmem is secure or not ? why ?
Date: Sat, 23 Apr 2016 00:44:17 +0000
Message-ID: <3E257BB0E1F99A41843FB9EE242C420392A09CBC@nkgeml514-mbx.china.huawei.com>
In-Reply-To: <CAPwdgqhXBC3w4bGkbCQBH6YW6s6xF8uwxk9vtd2BSPCN7UwvUA@mail.gmail.com>

Thank you, Vasquez

I get it: the metadata is only used by VMs for finding this MZ or ring within the whole hugepages.

From: Mauricio Vásquez [mailto:mauricio.vasquezbernal@studenti.polito.it]
Sent: April 22, 2016 17:58
To: Yangyongqiang (Tony, Shannon)
Cc: dev@dpdk.org; huangyongtao (A)
Subject: Re: [dpdk-dev] ivshmem is secure or not ? why ?

Hello Yangyongqiang,

On Fri, Apr 22, 2016 at 9:55 AM, Yangyongqiang (Tony, Shannon) <yangyongqiang@huawei.com> wrote:
From http://dpdk.org/doc/guides/prog_guide/ivshmem_lib.html, I get this: different VMs can use different metadata, so different VMs can have different memory shared with the host.

For example:
If vm1 shares MZ1 with the host, and vm2 shares MZ2 with the host, then vm1 cannot look at MZ2. If this is true, then I think ivshmem is secure.

It is not true. In order to share a memzone, the current implementation of ivshmem shares the whole hugepages that contain that memzone; then, in the case that MZ1 and MZ2 are in the same hugepage, both guests could access both memory zones.


But the "9.3. Best Practices for Writing IVSHMEM Applications" section says: "While the IVSHMEM library tries to share as little memory as possible, it is quite probable that data designated for one VM might also be present in an IVSMHMEM device designated for another VM."

I cannot understand why this insecurity happened; can anyone explain this for me?

Mauricio Vasquez,
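
The hugepage-granularity sharing described in the reply above, as an added model that is not part of the thread and is not DPDK's ivshmem code: it reports which memzones end up visible to a VM they were not meant for. The `struct zone` layout, the 2 MB hugepage size, the addresses and the function names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not DPDK code: a memzone (len > 0) and the VM it is meant for. */
struct zone { const char *name; uint64_t addr, len; int vm; };

#define HP_SIZE (2ULL << 20)   /* assumed 2 MB hugepages */

/* First and last hugepage index touched by a zone. */
static uint64_t hp_first(const struct zone *z) { return z->addr / HP_SIZE; }
static uint64_t hp_last(const struct zone *z)  { return (z->addr + z->len - 1) / HP_SIZE; }

/* Is hugepage hp shared with vm, i.e. does it hold any zone meant for vm? */
static int hp_shared_with(const struct zone *zs, size_t n, uint64_t hp, int vm)
{
    for (size_t i = 0; i < n; i++)
        if (zs[i].vm == vm && hp_first(&zs[i]) <= hp && hp <= hp_last(&zs[i]))
            return 1;
    return 0;
}

/* Bitmask of zones NOT meant for vm that lie, even partly, in a hugepage shared with vm. */
unsigned leaked_zones(const struct zone *zs, size_t n, int vm)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (zs[i].vm == vm) continue;
        for (uint64_t hp = hp_first(&zs[i]); hp <= hp_last(&zs[i]); hp++)
            if (hp_shared_with(zs, n, hp, vm)) { mask |= 1u << i; break; }
    }
    return mask;
}

/* Constructed layouts: MZ1 is meant for vm1, MZ2 for vm2. */
const struct zone packed[] = {            /* both zones inside hugepage 0 */
    { "MZ1", 0x000000, 0x1000, 1 },
    { "MZ2", 0x001000, 0x1000, 2 },
};
const struct zone split[] = {             /* one hugepage per zone */
    { "MZ1", 0x000000, 0x1000, 1 },
    { "MZ2", HP_SIZE,  0x1000, 2 },
};
int main(void)
{
    printf("packed: vm1 also sees zone mask %#x\n", leaked_zones(packed, 2, 1));
    printf("split:  vm1 also sees zone mask %#x\n", leaked_zones(split, 2, 1));
    return 0;
}
```

A non-zero mask means the VM's shared hugepages also contain another VM's data, regardless of which memzones its metadata lists.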

Thread overview: 3+ messages
2016-04-22  7:55 [dpdk-dev] " Yangyongqiang (Tony, Shannon)
2016-04-22  9:58 ` Mauricio Vásquez
2016-04-23  0:44   ` Yangyongqiang (Tony, Shannon) [this message]
