[Fedora-xen] Is pci-passthrough enabled for F9 DomU?
David Parsley
parsley at linuxjedi.org
Wed May 14 18:29:29 UTC 2008

On Wed, May 14, 2008 at 9:54 AM, Richard W.M. Jones <rjones at redhat.com> wrote:
> On Tue, May 13, 2008 at 04:55:04PM -0700, snowcrash+xen at gmail.com wrote:
> > ouch! a large %age of the boxes we deploy have a firewall/DomU and
> > a NAS/Domu, each with dedicated, pass'd-thru NICs. without passthru,
> > performance is lousy.
>
> You're aware that PCI passthrough is insecure? Someone who gets root
> access to a guest can reprogram the NICs (trivially) to read or write
> any area of memory in any guest or the dom0. This might be pertinent
> information if you were expecting your firewall to provide isolation.

I figured that a domU having direct hardware access would open
security holes; however, the VM I built is for monitoring our Internet
connection, and I couldn't figure a way to sniff that traffic without
direct hardware access. It's a tightly secured VM with only pinhole
access to it in any case. If there's a better way to configure a VM
for traffic sniffing, I'd be interested in hearing...

Regards,
David
--
David L. Parsley
Manager of Network Services, Bridgewater College
"If I have seen further, it is by standing on ye shoulders of giants"
- Isaac Newton