[BitVisor-users-en:48] Re: Nested Virtualization Support

Hideki EIRAKU hdk at igel.co.jp
Tue Jan 23 18:15:01 JST 2018


From: <krad at tuta.io>
Subject: [BitVisor-users-en:47] Re: Nested Virtualization Support
Date: Fri, 19 Jan 2018 08:18:14 +0100 (CET)

> I don't quite understand the security ramifications of setting unsafe_nested_virtualization.
> If I understand correctly, one of the core features that BitVisor provides is a mitigation against DMA attacks. When configured with unsafe_nested_virtualization, would it become possible again to perform a DMA attack?

Not only DMA.  Not only devices.  A guest operating system running on
a hypervisor on BitVisor can access *everything* provided by the
hypervisor, even if BitVisor does not allow the access.  For example,
if the hypervisor allows the guest operating system to access the entire
memory, the guest operating system can access BitVisor memory
directly.

In general, hypervisors do not provide direct access to memory and
devices without IOMMU.  However, a hypervisor that provides direct
access to memory and devices can be created from existing passthrough
based hypervisors like BitVisor.  So if users using a system running
BitVisor can run their self-built hypervisor on it, they can easily
bypass BitVisor.

-- 
Hideki EIRAKU <hdk at igel.co.jp>
