Demi Marie Obenour <demiobenour@gmail.com> writes:
This leaves virtio-media and a fully custom solution based on PipeWire. During the discussion, the possibility of hardening virtio-media against a malicious device was considered. After the call, however, I found out that while hardening the kernel side is definitely possible, it is also insufficient. The reason is that virtio-media, as currently implemented, appears to be effectively V4L2 API passthrough, which would mean that the device can respond to V4L2 IOCTLs however it wants. Guest userspace will almost certainly treat V4L2 IOCTL outputs as trusted, so hardening the guest kernel would be of only limited value. Adding validation in the guest kernel driver would be an option, but it would add substantial complexity.
I've just noticed from reading the cover letter[1] for the virtio-media spec that it looks like virtio-video might still happen:
There is some overlap with virtio-video in regards to which devices it can handle. However, they take different approaches, potentially making them the preferable choice for different scenarios.
Have you looked at virtio-video at all?
[1]: https://lore.kernel.org/virtio-comment/20250304130134.1856056-1-aesteve@redh...