Re: [Stratos-dev] Xen Rust VirtIO demos work breakdown for Project Stratos
On Mon, 27 Sep 2021, Christopher Clark wrote:
> On Mon, Sep 27, 2021 at 3:06 AM Alex Bennée via Stratos-dev
> <stratos-dev@xxxxxxxxxxxxxxxxxxx> wrote:
> > Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> writes:
> >
> > > [[PGP Signed Part:Undecided]]
> > > On Fri, Sep 24, 2021 at 05:02:46PM +0100, Alex Bennée wrote:
> > >> Hi,
> > >
> > > Hi,
> > >
> > >> 2.1 Stable ABI for foreignmemory mapping to non-dom0 ([STR-57])
> > >> ───────────────────────────────────────────────────────────────
> > >>
> > >> Currently the foreign memory mapping support only works for dom0 due
> > >> to reference counting issues. If we are to support backends running in
> > >> their own domains this will need to get fixed.
> > >>
> > >> Estimate: 8w
> > >>
> > >>
> > >> [STR-57] <https://linaro.atlassian.net/browse/STR-57>
> > >
> > > I'm pretty sure it was discussed before, but I can't find the relevant
> > > (part of) thread right now: does your model assume the backend (running
> > > outside of dom0) will gain the ability to map (or access in another way)
> > > an _arbitrary_ memory page of a frontend domain? Or worse: any domain?
> >
> > The aim is for some DomU's to host backends for other DomU's instead of
> > all backends being in Dom0. Those backend DomU's would have to be
> > considered trusted because, as you say, the default memory model of VirtIO
> > is to have full access to the frontend domain's memory map.
>
> I share Marek's concern. I believe that there are Xen-based systems that will
> want to run guests using VirtIO devices without extending
> this level of trust to the backend domains.

From a safety perspective, it would be challenging to deploy a system with privileged backends. From a safety perspective, it would be a lot easier if the backend were unprivileged. This is one of those times where safety and security requirements are actually aligned.