[Xen-devel] [Notes for xen summit 2018 design session] PCI pass-through with de-privileged QEMU



This is a session hosted by Xin Li from Citrix on PCI passthrough in a
deprivileged QEMU.

(Went over key points of QEMU de-priv talk - see 
https://www.slideshare.net/xen_com_mgr/xpdds18-qemu-and-xen-reducing-the-attack-surface-paul-durrant-citrix)

Problem is sysfs nodes need to be opened.

Doug: Can we use Linux namespaces as an improvement?
Paul: Can we use add-fd to pass FDs to QEMU?

X: Yes. That's possible.

Doug: KVM just passes through vfio. Just one file to do everything to
pass resources.
Paul: We don't have vfio yet.

X: XAPI needs the whole of sysfs

George: Why does XAPI pass through all of sysfs?

It is just the current design.

Part of the directory is already used by USB passthrough, so it needs to
get the permission.

G: xl already does USB passthrough

P: That has been working for a long time.

D: Can we not pass through the whole sysfs?

X: You can only get the first 64 bytes out, which is not enough.

X: Intel dev says to use polling mode to verify that masking is done.

G: Can we just take a bunch of stuff out of QEMU?

P: when Roger's stuff's done, should be OK. For now QEMU needs to work.

G: Does accessing 64 bytes make it able to do harm?

P: To a degree.


D: vfio, there is one file that is passthrough, which has a bunch of
ioctls. That can be looked at. Linux already has done a bunch of work to
avoid QEMU touching stuff. It has probably reached those sysfs nodes.

G: vfio work in dom0?

P: Nothing prevents you from turning it on.

G: We can try, it is a stopgap before PVH anyway.

P: We can have a look.

QEMU passthrough code is Xen specific.

P: Intel hooked in GVT-g to make it look like an SR-IOV device. It
probably works because all I/Os are handled by QEMU. To make it work with
Xen more work is needed: Xen's handler is inside Dom0.

G: Can we just use the one in QEMU?

P: Worth investigating. Check out vfio before adding new dmops.

Xin will investigate vfio after the session.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
