[Bug 251046] bhyve PCI passthrough does not work inside jail

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 30 May 2021 12:38:53 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046

Anatoli <me@anatoli.ws> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |me@anatoli.ws

--- Comment #7 from Anatoli <me@anatoli.ws> ---
Hi All,

> Even then I'm not sure why it's useful to jail the bhyve process - what does it buy you?

The idea to run bhyve inside jail is to provide an additional layer of security
for potential vm-escape vulnerabilities in bhyve.

This is the way VMs are executed on Linux (protected by AppArmor and SEL) and
Illumos.

Currently it's possible to run bhyve in jail, but not with PCI passthrough.

> A better solution would be to extend pci(4) so that bhyve can use it to do everything required for PCI passthrough.

Mark, could you please give us a hint on what should be done to extend pci(4)
so jail changes are not needed? We are willing to implement this, but need some
guidance.

One more security improvement that bhyve needs is to run it without root, but
that's another story for another report.

-- 
You are receiving this mail because:
You are on the CC list for the bug.