  • Locked thread
SamDabbers
May 26, 2003



Dren posted:

I haven't set up VT-D with pci-e passthrough, last I looked it seemed like kind of a pain in the rear end. My guess is that it doesn't fully address the security concerns but I don't know the architecture well enough to say.

The whole idea behind VT-d/IOMMU is to enforce access control on DMAs between a VM's memory and PCIe devices. The PCI topology on your motherboard is divided into groups, and devices within the same group share the same partitioned memory space, so they (and their assigned VM) can read/write each other's memory, while devices in a different group cannot. Good implementations of VT-d put each physical PCIe slot, and sometimes on-board components like NICs, into separate groups so that each device can be individually assigned to a different VM while still maintaining the isolation.

Some cards, like 10G NICs and non-gaming GPUs, support SR-IOV, which is an implementation of access control on the card itself, so you can arbitrarily partition the card's resources (NIC queues, execution units, memory, etc.) and assign each partition to a separate VM.

Short answer: properly implemented it should mitigate concerns about malicious GPU code affecting things outside of a VM.

SamDabbers fucked around with this message at 21:01 on Jun 21, 2017
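
The group layout described in the post above can be checked on a Linux host by reading `/sys/kernel/iommu_groups`. The following is an added example, not part of the original post: the function names and the sample PCI addresses are constructed for illustration, and the sample tree is built in a temporary directory so the code runs without real hardware.

```python
import os
import tempfile

def read_iommu_groups(root="/sys/kernel/iommu_groups"):
    """Return {group_number: sorted PCI addresses} from a sysfs-style tree."""
    groups = {}
    if not os.path.isdir(root):
        return groups  # IOMMU disabled, or not a Linux host
    for name in os.listdir(root):
        dev_dir = os.path.join(root, name, "devices")
        if name.isdigit() and os.path.isdir(dev_dir):
            groups[int(name)] = sorted(os.listdir(dev_dir))
    return groups

def group_mates(groups, pci_addr):
    """Devices sharing a group with pci_addr; None if it is in no group."""
    for members in groups.values():
        if pci_addr in members:
            return [d for d in members if d != pci_addr]
    return None

def build_sample_tree(layout):
    """Create a constructed sysfs-like tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="iommu_groups_")
    for group, devices in layout.items():
        for dev in devices:
            os.makedirs(os.path.join(root, str(group), "devices", dev))
    return root

# Constructed layout (hypothetical addresses): a two-function card in
# group 1, two separate slots lumped into group 2, one slot alone in group 3.
SAMPLE_LAYOUT = {
    1: ["0000:01:00.0", "0000:01:00.1"],
    2: ["0000:02:00.0", "0000:03:00.0"],
    3: ["0000:04:00.0"],
}

def report(root):
    """One line per group, marking whether its device is isolated or shared."""
    lines = []
    groups = read_iommu_groups(root)
    for num in sorted(groups):
        members = groups[num]
        status = "isolated" if len(members) == 1 else "shared"
        lines.append(f"group {num}: {', '.join(members)} [{status}]")
    return lines

if __name__ == "__main__":
    for line in report(build_sample_tree(SAMPLE_LAYOUT)):
        print(line)
```

On a real host, call `report("/sys/kernel/iommu_groups")`; any device reported as shared has no IOMMU isolation from the other members of its group.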
