On 6/20/25 20:41, Stefano Stabellini wrote:
> Hi all,
>
> Regarding hardware domain and control domain separation, Ayan sent to
> xen-devel an architecture specification (a design document) that I wrote
> previously about the topic. This is written as safety document so it is
> using a language and structure specific for that. However, it contains
> much of the explanation needed on the topic:
>
> https://lore.kernel.org/xen-devel/20250304183115.2509666-1-ayan.kumar.hal...@amd.com/
>
> If you take Virtio and PV drivers aside, the conceptual model is very
> simple. I suggest we start from there, also because deployments without
> Virtio/PV drivers are indeed possible. Often in mixed-criticality
> environments device sharing is absent or very limited.

That's why I was so surprised that Xen was needed at all, instead of a
microhypervisor being used. It makes more sense once the need to run
existing Unsafe VMs and the desire for an existing ecosystem is
considered.

> When we bring Virtio and PV drivers into the picture, things get more
> complex. One simple mental model is that they are only allowed between
> Unsafe VMs, because we cannot guarantee that neither the protocols nor
> the widely adopted implementations are entirely free from interference.
> So, Virtio (and PV drivers) between Unsafe VMs are OK, but Safe VMs
> should be left alone.
>
> There are lots of extra details in the document about the problems of
> freedom from interference and Virtio. I wrote those details to explain why
> Virtio between Safe and Unsafe VMs cannot be expected to work without
> modifications today (people will ask for this, this way we'll have the
> answers ready). I also wrote those details so that if someone wanted to
> do an analysis on this topic and potentially deploy an entirely written
> from scratch Virtio driver-protocol-backend implementation, they would
> have a starting point for their investigation.

What are the ways in which the ring buffer setup is bad?

It's worth noting that grants are only applicable for situations where
the shared memory is allocated by the frontend. They are not applicable
when the shared memory is (of necessity) allocated by the backend, as
happens in virtio-GPU with blob objects and virtio-FS with DAX. These
are not currently supported by Xen and should not be relevant to
safety-critical workloads. Interference is inherent to these protocols
as the backend-allocated memory is pageable by the backend and so the
backend can force the frontend to take a blocking page fault at any time
it accesses the memory. This is not a preferred configuration and will
only be needed due to Linux kernel memory management limitations.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)