Demi Marie Obenour writes:

> This leaves virtio-media and a fully custom solution based on PipeWire.
> During the discussion, the possibility of hardening virtio-media against
> a malicious device was considered. After the call, however, I found out
> that while hardening the kernel side is definitely possible, it is also
> insufficient. The reason is that virtio-media, as currently implemented,
> appears to be effectively V4L2 API passthrough, which would mean that the
> device can respond to V4L2 IOCTLs however it wants. Guest userspace will
> almost certainly treat V4L2 IOCTL outputs as trusted, so hardening the
> guest kernel would be of only limited value. Adding validation in the
> guest kernel driver would be an option, but it would add substantial
> complexity.

I've just noticed from reading the cover letter[1] for the virtio-media
spec that it looks like virtio-video might still happen:

> There is some overlap with virtio-video in regards
> to which devices it can handle. However, they take
> different approaches, potentially making them
> the preferable choice for different scenarios.

Have you looked at virtio-video at all?

[1]: https://lore.kernel.org/virtio-comment/20250304130134.1856056-1-aesteve@redhat.com/