[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen ARM Dom0less passthrough without IOMMU



On Mon, 16 Dec 2019, Julien Grall wrote:
> On 16/12/2019 23:05, Stefano Stabellini wrote:
> > On Mon, 16 Dec 2019, Julien Grall wrote:
> > > On 16/12/2019 18:02, Andrei Cherechesu wrote:
> > > But even with this patch, RAM in DomU is not direct mapped (i.e Guest
> > > Physical
> > > Address == Host Physical Address). This means that DMA-capable device
> > > would
> > > not work properly in DomU.
> > > 
> > > We could theoritically map DomU direct mapped, but this would break the
> > > isolation provided by the hypervisor.
> > 
> > Yes, being able to map the DomU memory 1:1 can be pretty useful for some
> > very embedded dom0less configurations, in fact I was surprised that a
> > couple of Xilinx users asked me for that recently. Typically, the users
> > are aware of the consequences but they still find them better than the
> > alternative (i.e. the lack of isolation is bad but is tolerable in their
> > configuration.)
> This does not make much sense... The whole point of a hypervisor is to isolate
> guest between each other... So if you are happy with the lack of isolation,
> then why are you using an hypervisor at the first place?

There are a number of reasons, although they are all variation of the
same theme. In all these cases the IOMMU cannot be used for one reason
or the other (a device is not behind the IOMMU, or due to an errata,
etc.)

- multiple baremetal apps
The user wants to run two or more baremetal (unikernel-like)
applications. The user owns both applications and she is not much
concerned about isolation (although it is always desirable when
possible.)

- multiple OSes
This is similar to the one before, however, instead of multiple
baremetal apps, we are talking about multiple full OSes. For instance,
Linux and Android or Linux and VxWorks. Again, they are both maintained
by the same user (no multi-tenancy) so isolation is desirable but it is
not the top concern.

- real-time / no real-time
The user wants to run a real-time OS or real-time baremetal app and a
non real-time OS. For instance a tiny baremetal app controlling one
specific device and Linux. Again, the user is responsible for both
systems so isolation is not a concern.

In all these cases the users has to run multiple OSes or baremetal apps
so she needs a hypervisor. However, it is tolerable that the apps are
not actually fully isolated from each others because they are both
developed and deployed together by the same "owner".


> >  From an implementation perspective, it should be a matter of calling
> > allocate_memory_11 instead of allocate_memory from construct_domU. I
> > wanted to experiment with it myself but I haven't had the time. If
> > nothing else, it would be useful to have a patch around to do it if
> > needed.
> This is not that simple. You at least also need to:
>     - Update the code to generate the DT based on the new 1:1 address
>     - Modify the various emulation in Xen because they rely on Xen guest
> memory layout
>     - Modify is_domain_direct_mapped() to deal with guest
> 
> I probably missed other bits. Anyway, this is not something I am willing to
> accept upstream as this break the core idea of an hypervisor.

If you prefer not to have it upstream, I would be happy to maintain it
downstream in Xilinx/Xen or another tree, and take it as a contribution
from Andrei if he volunteers to write and test the patch.

Andrei, if you are going to write the patch, thanks in advance :-)
Otherwise, I might get to it at some point but it might me a while.

Cheers,

Stefano

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.