Hi all,
A few months ago, Linaro published version 2 of the VM
specification [1].
For those who don't know, the specification provides guidelines to
guarantee that compliant OS images can run on various hypervisors (e.g.
Xen, KVM).
Looking at the specification, it will require Xen to expose new devices
to the guest: pl011, rtc, persistent flash (for UEFI variables).
The RTC and persistent flash will only be used by the UEFI firmware. The
firmware is custom made for Xen guests and will be loaded by the toolstack, so
we could theoretically provide PV drivers for those.
This is not the case for the PL011. The guest will be shipped with a
PL011/SBSA UART driver. This means it will expect to access it through MMIO.
So we have to emulate a PL011. The question is where? Before suggesting
some ideas, the guest/user will expect to be able to interact with the
console through the UART. This means that the UART and xenconsoled need
to communicate with each other.
I think we can distinguish two places where the PL011 could be emulated:
in the hypervisor, or outside the hypervisor.
Emulating the UART in the hypervisor means that we take the risk of
increasing the attack surface of Xen if there is a bug in the emulation
code. The attack surface could be reduced by emulating the UART in
another exception level (e.g EL1, EL0) but still under the control of
the hypervisor. Usually the guest communicates with
xenconsoled using a ring. For the first console this could be discovered
using the hypercall HVMOP_get_param. For the second and onwards, it is
described in xenstore. I would not worry too much about emulating
multiple PL011s, so we could implement the PV frontend in Xen.
Emulating the UART outside the hypervisor (e.g. in DOM0 or a special
domain) would require bringing the concept of ioreq server to ARM. Which
leaves the question: where do we emulate the PL011? The best place would be
xenconsoled. But I am not sure what the security impact would be here.
Are all guest consoles emulated within the same daemon?
I would lean towards the first solution if we implement all the security
safety I mentioned. Although, the second solution would be a good move
if we decide to implement more devices (e.g RTC, pflash) in the future.
Do you have any opinions?
Cheers,
[1] http://people.linaro.org/~christoffer.dall/VMSystemSpecificationForARM-v2.0-rc1.pdf
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
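
An added example, not part of the original email and not Xen code: a minimal C model of the transmit path of an emulated PL011, showing the kind of validation that keeps guest-controlled MMIO accesses from widening the attack surface discussed above while forwarding bytes into an output ring like the one xenconsoled consumes. `struct vuart`, `vuart_mmio`, `ring_used` and the ring size are assumptions made for illustration; the register offsets and flag bits are those of the ARM PL011.

```c
#include <stdint.h>

/* PL011 register offsets and flag bits (ARM PL011 TRM). */
#define UARTDR   0x000u        /* data register */
#define UARTFR   0x018u        /* flag register, read-only */
#define FR_RXFE  (1u << 4)     /* receive FIFO empty */
#define FR_TXFF  (1u << 5)     /* transmit FIFO full */
#define FR_TXFE  (1u << 7)     /* transmit FIFO empty */

#define RING_SIZE 2048u        /* assumption: power-of-two output ring */

struct vuart {                 /* hypothetical per-guest emulation state */
    uint8_t  out[RING_SIZE];
    uint32_t out_prod, out_cons;   /* free-running indices */
};

/* Bytes queued; a corrupt consumer index yields a huge value, i.e. "full". */
static uint32_t ring_used(const struct vuart *u)
{
    return u->out_prod - u->out_cons;
}

/* Returns 1 if the access was handled, 0 if it must be rejected
 * (the caller then decides how to fault the guest). */
int vuart_mmio(struct vuart *u, uint32_t off, unsigned size,
               int is_write, uint32_t *val)
{
    /* Only 1/2/4-byte, naturally aligned accesses inside the 4 KiB frame. */
    if (off >= 0x1000u || (size != 1 && size != 2 && size != 4) ||
        (off & (size - 1)))
        return 0;

    switch (off) {
    case UARTDR:
        if (!is_write) {
            *val = 0;                    /* receive path not modelled here */
        } else if (ring_used(u) < RING_SIZE) {
            u->out[u->out_prod % RING_SIZE] = (uint8_t)*val; /* index masked */
            u->out_prod++;
        }                                /* ring full: drop, never overwrite */
        return 1;
    case UARTFR:
        if (!is_write) {
            *val = FR_RXFE;
            if (ring_used(u) >= RING_SIZE) *val |= FR_TXFF;
            if (ring_used(u) == 0)         *val |= FR_TXFE;
        }
        return 1;                        /* writes to UARTFR are ignored */
    default:                             /* read-as-zero, write-ignored */
        if (!is_write) *val = 0;
        return 1;
    }
}
```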