Thanks to all the participants in this thread for the interest in Hyperlaunch and
the support for enabling common advanced boot functionality for Xen across
architectures.
I'm aiming to provide here a hopefully-fairly-objective overview of the issues
being raised so that we can ensure that these are covered, and then I will also
give my views afterwards.
------------------------------------------------------------
= Naming and communication
- Ensuring expectations are set correctly for the Hyperlaunch name
- communicating the value of it, differentiation for Xen
- avoiding sub-branding it for feature subsets, use cases, technologies
- Retiring the term 'dom0less'
- How to describe the "starting multiple VMs at host boot" functionality
- How to describe further Hyperlaunch functionality beyond this
- eg. isolation properties and relevance to critical systems
- eg. running without a classic dom0
- How Hyperlaunch relates to other boot functionalities and technologies,
including:
- architecture-specific aspects and architecture-neutral aspects
- Device Tree
- boot domain
- control domain, hardware domain, dom0
- domain builder
- system measurement
- XSM
- DRTM
- etc.
= Migration
- Providing a forward path for existing users of dom0less functionality
across the technical changes for Hyperlaunch cross-architecture implementation
- document compatibility
- support a "dom0less mode" with existing Device Tree structure
- documentation updates to be paired with progress on code implementation
= Community resourcing
- Supporting code review and merge of Hyperlaunch changes into Xen
- transitioning existing Arm logic into common, including FDT
- Provision of accurate, consistent documentation materials to support
effective communication to existing and prospective users, developers and other
stakeholders
- Ensuring that the document structure supports ongoing maintenance:
- Multiple use cases, structure docs accordingly: eg.
- use case: static partitioning, critical + non-critical VMs
- use case: measured launch with a boot domain
- use case: fast VM start for embedded systems
- Architecture of Hyperlaunch, relevance to other hypervisors
- nested systems
- Design, review and agreement for common cross-architecture and
arch-extensible interfaces, including:
- common boot data structures
- Device Tree structure
- hypfs entries
- introspection to determine hyperlaunched system status
- Development of test cases
- CI of Hyperlaunch interfaces, to ensure that it stays working
------------------------------------------------------------
Views arrived at in discussion with Rich and Daniel, and after reading the
thread contributions, follow this point.
"Hyperlaunch" is to be the common name across architectures for a flexible,
configurable boot system for coordinating the launch of multiple VMs by the
hypervisor, with a common implementation, pooling resources and development
risk across the Xen community. The interfaces are core to it.
From the Hyperlaunch design document (reviewed + committed to the tree):
"The design enables seamless transition for existing systems that require a dom0, and provides a new general capability to build and launch alternative configurations of virtual machines, including support for static partitioning and accelerated start of VMs during host boot, while adhering to the principles of least privilege. It incorporates the existing dom0less functionality, extended to fold in the new developments from the Hyperlaunch project, with support for both x86 and Arm platform architectures, building upon and replacing the earlier 'late hardware domain' feature for disaggregation of dom0.
Hyperlaunch is designed to be flexible and reusable across multiple use cases, and our aim is to ensure that it is capable, widely exercised, comprehensively tested, and well understood by the Xen community."
https://xenbits.xen.org/docs/4.17-testing/designs/launch/hyperlaunch.htmlie. Hyperlaunch was created to move away from point solutions that hard-code
specific launch configurations, isolation properties and threat models. It
isn't just about starting domains -- it is about enabling the construction of
complex use cases runtimes for Xen. It is the result of iterative design
starting with the disaggregation for the late hardware domain, through
dom0less development and then with the comprehensive hyperlaunch design and
implementation that builds upon them both.
The current interest and investment in Hyperlaunch is driven by its relevance
to Safety Critical systems due to the isolation properties and improvement
in the ability to certify the software -- this is closely related to but
slightly different from starting multiple VMs at host boot.
To encourage commonality and allow for future development, we should not
use architecture-specific or vendor-specific name variations, and also avoid
technology-specific name variations (eg. Device Tree or "DT").
Instead, the use case configurations should themselves be describable.
Thanks again,
Christopher