Xen project Mailing List

Re: [PATCH 4/4] xsm/dummy: Allow hwdom SYSCTL_readconsole/physinfo

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Tue, 17 Jun 2025 07:23:43 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Jason Andryuk <jason.andryuk@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Tue, 17 Jun 2025 05:24:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.06.2025 02:10, Stefano Stabellini wrote: > On Mon, 16 Jun 2025, Jan Beulich wrote: >> On 14.06.2025 00:51, Stefano Stabellini wrote: >>> On Wed, 11 Jun 2025, Jason Andryuk wrote: >>>> On 2025-06-11 09:27, Jan Beulich wrote: >>>>> On 11.06.2025 00:57, Jason Andryuk wrote: >>>>>> Allow the hwdom to access the console, and to access physical >>>>>> information about the system. >>>>>> >>>>>> xenconsoled can read Xen's dmesg. If it's in hwdom, then that >>>>>> permission would be required. >>>>> >>>>> Why would xenconsoled run in the hardware domain? It's purely a software >>>>> construct, isn't it? As a daemon, putting it in the control domain may >>>>> make sense. Otherwise it probably ought to go in a service domain. >>>> >>>> My approach has been to transform dom0 into the hardware domain and add a >>>> new >>>> control domain. xenconsoled was left running in the hardware domain. >>> >>> I think we should keep xenconsoled in the hardware domain because the >>> control domain should be just optional. (However, one could say that with >>> Denis' recent changes xenconsoled is also optional because one can use >>> console hypercalls or emulators (PL011, NS16550) for all DomUs.) >>> >>> >>> >>>> I suppose it could move. Maybe that would be fine? I haven't tried. The >>>> Hyperlaunch code populates the console grants to point at the hardware >>>> domain, >>>> and I just followed that. >>>> >>>> One aspect of why I left most things running in the Hardware domain was to >>>> not >>>> run things in the Control domain. If Control is the highest privileged >>>> entity, we'd rather run software in lower privileged places. Especially >>>> something like xenconsoled which is receiving data from the domUs. >>> >>> Yes, I agree with Jason. It is a bad idea to run xenconsoled in the >>> Control Domain because the Control Domain is meant to be safe from >>> interference. We want to keep the number of potential vehicles for >>> interference down to a minimum and shared memory between Control Domain >>> and DomUs is certainly a vehicle for interference. >> >> As much as it is when xenconsoled runs in the hardware domain? Especially >> if the hardware domain is also running e.g. PV backends or qemu instances? > > It looks like you are thinking of the possible > interference from the Hardware Domain to the Control Domain via > xenconsoled, correct? More like interference with the system as a whole, which simply includes Control. > If that is the case, good thinking. I can see that you have really > understood the essence of the problem we are trying to solve. > > That is not an issue because the Control Domain shouldn't use PV > console. Instead, it should use the console hypercall, or the > PL011/NS16550 emulators in Xen. Well. I think the underlying concept of Control Domain being highly privileged needs more general discussion. As indicated elsewhere, I didn't think disaggregation (whichever way done) would leave any domain with effectively full privilege. I wonder what others think. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.