Re: [Xen-devel] Xen ARM Dom0less passthrough without IOMMU
On 17/12/2019 01:18, Stefano Stabellini wrote:
> On Mon, 16 Dec 2019, Julien Grall wrote:
>> On 16/12/2019 23:05, Stefano Stabellini wrote:
>>> On Mon, 16 Dec 2019, Julien Grall wrote:
>>>> On 16/12/2019 18:02, Andrei Cherechesu wrote:
>>>>
>>>> But even with this patch, RAM in DomU is not direct mapped (i.e. Guest
>>>> Physical Address == Host Physical Address). This means that a
>>>> DMA-capable device would not work properly in DomU. We could
>>>> theoretically map DomU direct mapped, but this would break the
>>>> isolation provided by the hypervisor.
>>>
>>> Yes, being able to map the DomU memory 1:1 can be pretty useful for
>>> some very embedded dom0less configurations, in fact I was surprised
>>> that a couple of Xilinx users asked me for that recently. Typically,
>>> the users are aware of the consequences but they still find them
>>> better than the alternative (i.e. the lack of isolation is bad but is
>>> tolerable in their configuration.)
>>
>> This does not make much sense... The whole point of a hypervisor is to
>> isolate guests from each other... So if you are happy with the lack of
>> isolation, then why are you using a hypervisor in the first place?
>
> There are a number of reasons, although they are all variations of the
> same theme. In all these cases the IOMMU cannot be used for one reason
> or the other (a device is not behind the IOMMU, or due to an errata,
> etc.)
>
> - multiple baremetal apps
>   The user wants to run two or more baremetal (unikernel-like)
>   applications. The user owns both applications and she is not much
>   concerned about isolation (although it is always desirable when
>   possible.)
>
> - multiple OSes
>   This is similar to the one before, however, instead of multiple
>   baremetal apps, we are talking about multiple full OSes. For
>   instance, Linux and Android or Linux and VxWorks. Again, they are
>   both maintained by the same user (no multi-tenancy) so isolation is
>   desirable but it is not the top concern.
>
> - real-time / no real-time
>   The user wants to run a real-time OS or real-time baremetal app and
>   a non real-time OS. For instance a tiny baremetal app controlling one
>   specific device and Linux. Again, the user is responsible for both
>   systems so isolation is not a concern.
>
> In all these cases the user has to run multiple OSes or baremetal apps
> so she needs a hypervisor. However, it is tolerable that the apps are
> not actually fully isolated from each other because they are both
> developed and deployed together by the same "owner".

I don't think "maintained and deployed by the same owner" is enough to
justify that it is somewhat safe to use it. You also need to trust your
users. For instance, if you allow your users to interact with the OS
(e.g. installing apps...) or have internet, then you will be one day or
another prone to a vulnerability.

A good example that comes to mind is the blackhat talk in 2017 about
BluePill (see [1]). This is one case where isolation was dismissed, yet
it bit them afterwards. This was only one OS. I let you imagine with a
system with multiple OSes...

Cheers,

[1] https://www.blackhat.com/docs/us-17/wednesday/us-17-Bazhaniuk-BluePill-For-Your-Phone.pdf

--
Julien Grall