On 21.06.2025 02:41, Stefano Stabellini wrote:
> Regarding hardware domain and control domain separation, Ayan sent to
> xen-devel an architecture specification (a design document) that I wrote
> previously about the topic. This is written as safety document so it is
> using a language and structure specific for that. However, it contains
> much of the explanation needed on the topic:
> 
> https://lore.kernel.org/xen-devel/20250304183115.2509666-1-ayan.kumar.hal...@amd.com/

Yet even there the line between Hardware and Control is already blurred
imo. Take "Reboot and shutdown the platform", for example. It seems
pretty likely that Hardware has ways to achieve that without involving
a hypercall. You can also see that (kind of) connection in the
hypervisor itself: The special handling of a domain shutting down is
in hwdom_shutdown(), with the call to it keyed to is_hardware_domain()
(as is to be expected from the function's name).

Furthermore there it is (again) assumed that Control has full privileges.
I did mention before that I'm not convinced any domain, in a
disaggregated setup, would need to have (nor should have) full privilege.

Also a more fundamental question I was wondering about: If Control had
full privilege, nothing else in the system ought to be able to interfere
with it. Yet then how does that domain communicate with the outside
world? It can't have PV or Virtio drivers after all. And even if its
sole communication channel was a UART, Hardware would likely be able to
interfere.

Jan
