On 2025-03-06 20:47, Stefano Stabellini wrote:
On Thu, 6 Mar 2025, Jason Andryuk wrote:
With a split hardware and control domain, the control domain may still
want and xenstore access. Currently this relies on init-dom0less to
seed the grants. This is problematic since we don't want hardware
domain to be able to map the control domain's resources. Instead have
the hypervisor see the grant table entry. The grant is then accessible
as normal.
This is also useful with a xenstore stubdom to setup the xenbus page
much earlier.
Reading the patch, it seems that what is doing is letting the xenstore
domain map the domU's grant table page. Is that correct?
The end result is everything is setup for xenstored to map
GNTTAB_RESERVED_XENSTORE at some time later.
If so, I would suggest to update the commit message as follows:
With split hardware/control/xenstore domains, the xenstore domain may
still want to access other domains' xenstore page. Currently this relies
on init-dom0less to seed the grants from Dom0. This is problematic
since we don't want the hardware domain to be able to map other domains'
resources without their permission. Instead have the hypervisor seed
the grant table entry for every dom0less domain. The grant is then
accessible as normal.
I'll go with a tweaked version of yours:
xenstored maps other domains' xenstore pages. Currently this relies
on init-dom0less or xl to seed the grants from Dom0. With split
hardware/control/xenstore domains, this is problematic since we don't
want the hardware domain to be able to map other domains' resources
without their permission. Instead have the hypervisor seed the grant
table entry for every dom0less domain. The grant is then accessible as
normal.
Regards,
Jason
