[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC 4/6] capabilities: introduce console io as a domain capability

To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Thu, 3 Aug 2023 22:24:18 +0100
Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>
Delivery-date: Thu, 03 Aug 2023 21:24:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Daniel,

On 03/08/2023 16:41, Daniel P. Smith wrote:

On 8/1/23 21:01, Stefano Stabellini wrote:
On Tue, 1 Aug 2023, Daniel P. Smith wrote:
patch the field is renamed to capabilities to encapsulate thecapabilities adomain has been granted. The first capability being the ability toread/write
the Xen console.

Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Patch looks fine to me aside the two minor nits. I am not sure I
understand 100% the difference between capabilities and roles but I am
OK with the patch. I'd like to hear Julien's feedback on this as well.
This might be worth a section in the hypervisor-guide. As mentioned inthe cover letter, this was originally proposed as being under XSM. Achallenge I ran into is that, depending on your view, the`is_privileged` field and `hardware_domain` global were either abused asa function check and a non-resource privilege check or are justmultifaceted variables. This is why the concept of the role was struckupon, it is more intuitive (for me at least) that have a role issomething that imparts accesses (privilege checks) and dictateshypervisor behaviors when handling the domain (function checks). Thisthen brings us to an access or behavior that may be inherent to somerole(s) but may want to grant on an individually to a guest. A primeexample of this is console_io, for which it is inherent that thehardware domain role will have access but may want to grant to a guestwithout granting it an entire role. This is why I provided foridentifying these capabilities so that they may be assigned individuallyto a domain.

Thanks for the explanation. Just to confirm my understanding, what youare suggesting is that for a given role, a domain will at least have thematching capabilities (more could be granted). Is that correct?

If so, this wouldn't this mean we can remove d->role and simply used->capabilities?

While the role/capability is a natural progression from how thehypervisor currently operates. Another approach that could be considerto deliver a similar experience would be to break down every access andfunction into a capability and then define the standard roles as aconglomeration of certain capabilities.

At least from the explanation above, I think it would make sense tobreak down role to multiple capabilities.

Cheers,

--
Julien Grall

Follow-Ups:
- Re: [RFC 4/6] capabilities: introduce console io as a domain capability
  - From: Daniel P. Smith

References:
- [RFC 0/6] Hyperlaunch domain roles and capabilities
  - From: Daniel P. Smith
- [RFC 4/6] capabilities: introduce console io as a domain capability
  - From: Daniel P. Smith
- Re: [RFC 4/6] capabilities: introduce console io as a domain capability
  - From: Stefano Stabellini
- Re: [RFC 4/6] capabilities: introduce console io as a domain capability
  - From: Daniel P. Smith

Prev by Date: Re: [RFC 4/6] capabilities: introduce console io as a domain capability
Next by Date: [ovmf test] 182168: all pass - PUSHED
Previous by thread: Re: [RFC 4/6] capabilities: introduce console io as a domain capability
Next by thread: Re: [RFC 4/6] capabilities: introduce console io as a domain capability
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.