[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen ARM Dom0less passthrough without IOMMU

On 17/12/2019 01:18, Stefano Stabellini wrote:
On Mon, 16 Dec 2019, Julien Grall wrote:
On 16/12/2019 23:05, Stefano Stabellini wrote:
On Mon, 16 Dec 2019, Julien Grall wrote:
On 16/12/2019 18:02, Andrei Cherechesu wrote:
But even with this patch, RAM in DomU is not direct mapped (i.e Guest
Address == Host Physical Address). This means that DMA-capable device
not work properly in DomU.

We could theoritically map DomU direct mapped, but this would break the
isolation provided by the hypervisor.

Yes, being able to map the DomU memory 1:1 can be pretty useful for some
very embedded dom0less configurations, in fact I was surprised that a
couple of Xilinx users asked me for that recently. Typically, the users
are aware of the consequences but they still find them better than the
alternative (i.e. the lack of isolation is bad but is tolerable in their
This does not make much sense... The whole point of a hypervisor is to isolate
guest between each other... So if you are happy with the lack of isolation,
then why are you using an hypervisor at the first place?

There are a number of reasons, although they are all variation of the
same theme. In all these cases the IOMMU cannot be used for one reason
or the other (a device is not behind the IOMMU, or due to an errata,

- multiple baremetal apps
The user wants to run two or more baremetal (unikernel-like)
applications. The user owns both applications and she is not much
concerned about isolation (although it is always desirable when

- multiple OSes
This is similar to the one before, however, instead of multiple
baremetal apps, we are talking about multiple full OSes. For instance,
Linux and Android or Linux and VxWorks. Again, they are both maintained
by the same user (no multi-tenancy) so isolation is desirable but it is
not the top concern.

- real-time / no real-time
The user wants to run a real-time OS or real-time baremetal app and a
non real-time OS. For instance a tiny baremetal app controlling one
specific device and Linux. Again, the user is responsible for both
systems so isolation is not a concern.

In all these cases the users has to run multiple OSes or baremetal apps
so she needs a hypervisor. However, it is tolerable that the apps are
not actually fully isolated from each others because they are both
developed and deployed together by the same "owner".

I don't think "maintained and deployed by the same owner" is enough to justify it is somewhat safe to use it. You also need to trust your users. For instance, if you allow your users to interact with the OS (e.g installing app...) or have internet, then you will be one day or another prone to a vulnerability.

A good example that come into mind is the blackhat talk in 2017 about BluePill (see [1]). This is one case where isolation was dismissed, yet it bite them after.

This was only one OS. I let you imagine with a system multiple OSes...


[1] https://www.blackhat.com/docs/us-17/wednesday/us-17-Bazhaniuk-BluePill-For-Your-Phone.pdf

Julien Grall

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.