On Fri, Sep 24, 2021 at 05:02:46PM +0100, Alex Bennée wrote:
Hi,
Hi,
2.1 Stable ABI for foreignmemory mapping to non-dom0 ([STR-57]) ───────────────────────────────────────────────────────────────
Currently the foreign memory mapping support only works for dom0 due to reference counting issues. If we are to support backends running in their own domains this will need to get fixed.
Estimate: 8w
I'm pretty sure it was discussed before, but I can't find relevant (part of) thread right now: does your model assumes the backend (running outside of dom0) will gain ability to map (or access in other way) _arbitrary_ memory page of a frontend domain? Or worse: any domain? That is a significant regression in terms of security model Xen provides. It would give the backend domain _a lot more_ control over the system that it normally has with Xen PV drivers - negating significant part of security benefits of using driver domains.
So, does the above require frontend agreeing (explicitly or implicitly) for accessing specific pages by the backend? There were several approaches to that discussed, including using grant tables (as PV drivers do), vIOMMU(?), or even drastically different model with no shared memory at all (Argo). Can you clarify which (if any) approach your attempt of VirtIO on Xen will use?
A more general idea: can we collect info on various VirtIO on Xen approaches (since there is more than one) in a single place, including: - key characteristics, differences - who is involved - status - links to relevant threads, maybe
I'd propose to revive https://wiki.xenproject.org/wiki/Virtio_On_Xen