[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH][0/4] PCI Driver Domains

Attached to the four e-mails that will follow this one are patches which
will implement PCI Driver Domains. These patches *should* apply cleanly
to xen-unstable changeset 8680:2add7a262530. A description of the
contents of each patch will be included in the e-mails to follow.

I have implemented PCI Driver Domains as a PCI Backend and PCI Frontend
which communicate PCI configuration space requests via a shared page and
event channel. Using the functionality added in changeset 8460, Xen can
allow a domU to have direct access to physical I/O resources (i/o
memory, i/o ports, interrupts). By allowing the domU to run the device
driver for a particular device, we provide a more secure, isolated
environment for that device driver to execute in (i.e. if it crashes, it
should only take the domU with it, not Xen, dom0, or other domUs).

PCI devices must be "hidden" from domain 0 at boot. To specify which
devices, use the "pciback.hide" kernel command-line parameter (same
syntax as Xen 2.0's physdev_dom0_hide parameter except pass it to your
Linux in domain 0 instead of Xen). PCI devices are subsequently seized
by the backend (a regular PCI driver under Linux) during boot and owned
by the pciback module (see /sys/bus/pci/driver/pciback/ for a list of
devices it seized). Because the devices are not really hidden from
domain 0 (they are seized before any other driver has a chance to attach
to them), you can still view all of your devices in domain 0 using tools
like lspci.

Devices can be assigned to driver domains in the domain's configuration
file or on the command-line. The syntax for the command-line and the
flat files should be backwards compatible with Xen 2.0 (see the included
documentation for information on the new syntax and the SXP syntax).

Xend detects the physical resources that a device requires and asks Xen
to give the driver domain permission to them prior to the domain
starting. Once the domain boots, the PCI frontend will interact with the
PCI backend to share a single page and event channel and to determine
where the PCI root buses are (which should be probed for devices by the

Driver domains address a large of security and stability concerns
related to device drivers. Misbehaving (buggy) or malicious device
drivers that would normally run at the same privilege level of the
domain 0 kernel can be more isolated. While driver domains address a
number of security concerns, a few remain and these should be considered
prior to using this code. I've documented a few of them in the included
documentation but the included list should not be considered exhaustive.

I've tested this code on several classes of PCI devices (sound, network,
serial ports) and on a couple different computers (all of the x86
variety) and found it to "work for me". I did not have access to a wide
range of PCI devices or to different architectures for testing purposes.
I'd be interested in hearing success/failure stories especially from
those of you who have strange devices.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.