From nobody Wed Aug 25 00:05:27 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 251046] bhyve PCI passthrough does not work inside jail
Date: Wed, 25 Aug 2021 00:05:27 +0000
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046

--- Comment #15 from Anatoli ---
Mark, All,

> --- Comment #3 from Mark Johnston ---
> PRIV_IO access is not required only by /dev/io, it is also required for
> sysarch(I386_SET_IOPERM), which is otherwise available to jailed processes. So
> the patch definitely should not be committed. A better solution would be to
> extend pci(4) so that bhyve can use it to do everything required for PCI
> passthrough. Even then I'm not sure why it's useful to jail the bhyve process
> - what does it buy you?

In light of the recently patched VM-escape vulnerability in bhyve
(FreeBSD-SA-21:13.bhyve fixing the CVE-2021-29631), I'd like to highlight the
benefits of running bhyve under a non-root user and inside a jail by default.

If it were the case, this vulnerability, instead of a complete host takeover
would just have a DoS impact on the malicious VM, which is perfectly fine IMO.

That's why it's extremely important to make bhyve work correctly under all
situations (including PPT) inside jail so we could make it run inside jail by
default.

> --- Comment #8 from Mark Johnston ---
> I am very skeptical that jailing bhyve with PCI passthrough enabled provides
> any meaningful security. /dev/pci allows a jailed root to access all PCI(e)
> devices in the system. Jails can be a useful deployment mechanism though, so I
> think we should better support their integration with bhyve.

With respect to this, isn't it possible to restrict the bhyve process (maybe
self-restricting via Capsicum) to just the masked PCI addresses or to the PCI
addresses specified via the args so to limit the impact of a bhyve compromise
to just the intended device(s)?

Or, as you already proposed, to extend pci(4) so that bhyve can use it to do
everything required for PPT?

Regards,
Anatoli

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From nobody Wed Aug 25 13:50:04 2021
Date: Wed, 25 Aug 2021 09:50:04 -0400
From: Ernie Luzar
To: bugzilla-noreply@freebsd.org
CC: jail@FreeBSD.org
Subject: Re: [Bug 251046] bhyve PCI passthrough does not work inside jail

bugzilla-noreply@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046
>
> --- Comment #15 from Anatoli ---
> Mark, All,
>
>> --- Comment #3 from Mark Johnston ---
>> PRIV_IO access is not required only by /dev/io, it is also required for
>> sysarch(I386_SET_IOPERM), which is otherwise available to jailed processes. So
>> the patch definitely should not be committed. A better solution would be to
>> extend pci(4) so that bhyve can use it to do everything required for PCI
>> passthrough. Even then I'm not sure why it's useful to jail the bhyve process
>> - what does it buy you?
>
> In light of the recently patched VM-escape vulnerability in bhyve
> (FreeBSD-SA-21:13.bhyve fixing the CVE-2021-29631), I'd like to highlight the
> benefits of running bhyve under a non-root user and inside a jail by default.
>
> If it were the case, this vulnerability, instead of a complete host takeover
> would just have a DoS impact on the malicious VM, which is perfectly fine IMO.
>
> That's why it's extremely important to make bhyve work correctly under all
> situations (including PPT) inside jail so we could make it run inside jail by
> default.
>
>
>> --- Comment #8 from Mark Johnston ---
>> I am very skeptical that jailing bhyve with PCI passthrough enabled provides
>> any meaningful security. /dev/pci allows a jailed root to access all PCI(e)
>> devices in the system. Jails can be a useful deployment mechanism though, so I
>> think we should better support their integration with bhyve.
>
> With respect to this, isn't it possible to restrict the bhyve process (maybe
> self-restricting via Capsicum) to just the masked PCI addresses or to the PCI
> addresses specified via the args so to limit the impact of a bhyve compromise
> to just the intended device(s)?
>
> Or, as you already proposed, to extend pci(4) so that bhyve can use it to do
> everything required for PPT?
>
> Regards,
> Anatoli
>

jail is not a vm.

From nobody Sun Aug 29 16:40:29 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 251046] bhyve PCI passthrough does not work inside jail
Date: Sun, 29 Aug 2021 16:40:29 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046

--- Comment #16 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=c53f23984220bfd34c198966874c369006ea3246

commit c53f23984220bfd34c198966874c369006ea3246
Author:     Mark Johnston
AuthorDate: 2021-08-14 14:42:34 +0000
Commit:     Mark Johnston
CommitDate: 2021-08-29 16:39:53 +0000

    bhyve: Use pci(4) to access I/O port BARs

    This removes the dependency on /dev/io.

    PR:             251046
    Reviewed by:    jhb
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 42375556e5b2e68746d999b43d124040b6affb91)

 usr.sbin/bhyve/pci_passthru.c | 65 ++++++++++++++++++-------------------------
 1 file changed, 27 insertions(+), 38 deletions(-)