
Re: [Xen-devel] [Notes for xen summit 2018 design session] PCI pass-through with de-privileged QEMU



On Mon, Jul 02, 2018 at 02:04:45PM +0000, Lars Kurth wrote:
> This is a session hosted by Xin Li from Citrix on PCI-passthrough in a 
> deprivileged QEMU.

Including Elena as she did a patch for this (so that any PCI operation does not
require root access).
> 
> (Went over key points of QEMU de-priv talk - see 
> https://www.slideshare.net/xen_com_mgr/xpdds18-qemu-and-xen-reducing-the-attack-surface-paul-durrant-citrix)
> 
> Problem is sysfs nodes need to be opened.
> 
> Doug: Can we use Linux namespaces as an improvement?
> Paul: Can we use add-fd to pass FDs to QEMU?
> 
> X: Yes. That's possible.
> 
> Doug: KVM just passes through vfio. Just one file to do everything to
> pass resources.
> Paul: We don't have vfio yet.
> 
> X: XAPI needs the whole of sysfs
> 
> George: why in XAPI do you pass all of sysfs?
> 
> It is just the current design.
> 
> Part of the directory is already used by USB passthrough, so it needs to
> get the permission.
> 
> G: xl already does USB passthrough
> 
> P: That has been working for a long time.
> 
> D: Can we not pass through the whole sysfs?
> 
> X: You can only get the first 64 bytes out, which is not enough.
> 
> X: Intel dev says to use polling mode to verify masking is done.
> 
> G: Can we just take a bunch of stuff out of QEMU?
> 
> P: when Roger's stuff's done, should be OK. For now QEMU needs to work.
> 
> G: Does accessing 64 bytes make it able to do harm?
> 
> P: To a degree.
> 
> 
> D: vfio, there is one file that is passthrough, which has a bunch of
> ioctls. That can be looked at. Linux already has done a bunch of work to
> avoid QEMU touching stuff. It has probably reached those sysfs nodes.
> 
> G: vfio work in dom0?
> 
> P: Nothing prevents you from turning it on.
> 
> G: We can try, it is a stopgap before PVH anyway.
> 
> P: We can have a look.
> 
> QEMU passthrough code is Xen specific.
> 
> P: Intel hooked in GVT-g to make it look like an SR-IOV device. It
> probably works because all I/Os are handled by QEMU. To make it work with
> Xen more work is needed: Xen's handler is inside Dom0.
> 
> G: Can we just use the one in QEMU?
> 
> P: Worth investigating. Check out vfio before adding new dmops.
> 
> Xin will investigate vfio after the session.
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxxx
> https://lists.xenproject.org/mailman/listinfo/xen-devel

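On the "first 64 bytes" point in the notes above, an added example (not code from this thread, from Xen or from QEMU): the block below models what an unprivileged reader of /sys/bus/pci/devices/<bdf>/config is handed versus a reader with CAP_SYS_ADMIN, and then tries to walk the capability list from each window. The 64-byte limit for non-admin readers is taken from the notes as an assumption, the config-space bytes are constructed rather than captured from hardware, and the device ID 0x1234 is hypothetical. It shows concretely why the truncated view cannot reach an MSI capability, and therefore cannot see the mask bits a device model needs, which is what makes 64 bytes "not enough".

```c
/* Added example (not from this thread, Xen or QEMU): model the sysfs
 * config-space view an unprivileged reader gets versus a CAP_SYS_ADMIN
 * reader, and walk the capability list from each window.  The 64-byte
 * non-admin limit is an assumption taken from the notes; the config bytes
 * below are constructed, and device ID 0x1234 is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type-0 configuration header offsets (PCI Local Bus spec). */
#define PCI_VENDOR_ID        0x00
#define PCI_DEVICE_ID        0x02
#define PCI_COMMAND          0x04
#define PCI_STATUS           0x06
#define PCI_CAPABILITY_LIST  0x34
#define PCI_COMMAND_MASTER   0x0004  /* bus-master enable          */
#define PCI_STATUS_CAP_LIST  0x0010  /* capability list is present */
#define PCI_CAP_ID_MSI       0x05
#define PCI_CFG_SPACE_SIZE   256     /* conventional config space  */
#define PCI_CFG_UNPRIV_BYTES 64      /* assumed non-admin window   */

static uint16_t rd16(const uint8_t *b, size_t off)
{
    return (uint16_t)(b[off] | (b[off + 1] << 8));
}

/* Constructed sample: vendor 0x8086, hypothetical device 0x1234, bus
 * mastering on, one MSI capability at 0x40 (64-bit, per-vector masking). */
void build_sample_config(uint8_t cfg[PCI_CFG_SPACE_SIZE])
{
    memset(cfg, 0, PCI_CFG_SPACE_SIZE);
    cfg[PCI_VENDOR_ID] = 0x86;  cfg[PCI_VENDOR_ID + 1] = 0x80;
    cfg[PCI_DEVICE_ID] = 0x34;  cfg[PCI_DEVICE_ID + 1] = 0x12;
    cfg[PCI_COMMAND] = PCI_COMMAND_MASTER;
    cfg[PCI_STATUS] = PCI_STATUS_CAP_LIST;
    cfg[PCI_CAPABILITY_LIST] = 0x40;
    cfg[0x40] = PCI_CAP_ID_MSI;  /* capability ID                   */
    cfg[0x41] = 0x00;            /* next pointer: end of list       */
    cfg[0x42] = 0x80;            /* message control: 64-bit address */
    cfg[0x43] = 0x01;            /*   and per-vector masking        */
}

/* Model of reading /sys/bus/pci/devices/<bdf>/config: a reader without
 * CAP_SYS_ADMIN is handed only the first 64 bytes; the rest is cut off. */
size_t sysfs_config_read(const uint8_t *cfg, size_t cfg_size, int privileged,
                         uint8_t *out, size_t want)
{
    size_t limit = privileged ? cfg_size : PCI_CFG_UNPRIV_BYTES;
    if (want > limit)
        want = limit;
    memcpy(out, cfg, want);
    return want;
}

/* Walk the capability list within 'len' visible bytes.  Returns the offset
 * of capability 'id', or -1 if the list or that entry is outside the window. */
int pci_find_cap(const uint8_t *cfg, size_t len, uint8_t id)
{
    if (len < PCI_CFG_UNPRIV_BYTES || !(rd16(cfg, PCI_STATUS) & PCI_STATUS_CAP_LIST))
        return -1;
    unsigned pos = cfg[PCI_CAPABILITY_LIST] & ~3u;
    for (int guard = 0; pos >= 0x40 && guard < 48; guard++) {
        if (pos + 2 > len)
            return -1;               /* entry lies beyond what we were given */
        if (cfg[pos] == id)
            return (int)pos;
        pos = cfg[pos + 1] & ~3u;    /* next pointer, low two bits reserved */
    }
    return -1;
}

/* Bytes a reader sees, and where (if anywhere) it finds the MSI capability. */
size_t visible_bytes(int privileged)
{
    uint8_t cfg[PCI_CFG_SPACE_SIZE], win[PCI_CFG_SPACE_SIZE];
    build_sample_config(cfg);
    return sysfs_config_read(cfg, sizeof cfg, privileged, win, sizeof win);
}

int msi_cap_offset(int privileged)
{
    uint8_t cfg[PCI_CFG_SPACE_SIZE], win[PCI_CFG_SPACE_SIZE];
    build_sample_config(cfg);
    size_t n = sysfs_config_read(cfg, sizeof cfg, privileged, win, sizeof win);
    return pci_find_cap(win, n, PCI_CAP_ID_MSI);
}

int main(void)
{
    for (int priv = 0; priv <= 1; priv++)
        printf("%s reader: %zu bytes visible, MSI cap offset %d (-1 = unreachable)\n",
               priv ? "CAP_SYS_ADMIN" : "unprivileged", visible_bytes(priv),
               msi_cap_offset(priv));
    return 0;
}
```

Build with any C99 compiler and run. The unprivileged walk fails at the very first capability entry because offset 0x40 is already past the 64-byte window, while the privileged read finds the MSI capability there. This is a model of the sysfs behaviour described in the notes, not a reimplementation of the kernel's own config read path; whether a given kernel applies exactly this cut-off should be checked against the kernel version in use.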