Created attachment 303656 [details] Upload text data to vfio-pci passthrough GPU VRAM with using nvatools 1) Release of Ubuntu Host - Ubuntu 20.04.5 LTS / Release : 20.04 Guest - Ubuntu 18.04.6 LTS / Release : 18.04 2) Kernel version Host - 5.15.0-57-generic Guest - 5.4.0-137-generic 3) Version of the package libpciaccess0: Installed: 0.16-0ubuntu1 Candidate: 0.16-0ubuntu1 libpciaccess-dev: Installed: 0.16-0ubuntu1 Candidate: 0.16-0ubuntu1 4) Expected to happen When the virtual machine is running, the Host could not access the virtual machine's pci passthrough device via libpciaccess. 5) Happened instead When the virtual machine is running, the host can access the virtual machine's pci passthrough device via libpciaccess. In this case, host can interrupt passthrough pci device, or access passthrough pci device memory to leak virtual machine data. We checked this by creating a virtual machine using vfio-pci passthrough GPU in QEMU. In addition, when running GPU applications such as CUDA in a virtual machine, we found that data inside passthrough GPU VRAM can be accessed from the host via libpciaccess(nvatools). We proceeded as follows. 1. Create and run VMs with vfio-pci passthrough GPU. 2. Upload text data from the host via nvatools to the VRAM on the passthrough GPU. 3. The VM can see the text data in the GPU VRAM.
Created attachment 303657 [details] VM lspci -vvv
Created attachment 303658 [details] Host lspci -vvv
Closing this as "answered" because while this kind of protection would be desirable, we don't have hardware mechanisms yet to support it. See Alex's response at https://lore.kernel.org/r/20230127103205.50795e59.alex.williamson@redhat.com