Re: [Xen-users] PCI Passthrough
Hi again,

Thanks Chris, this sounds very promising. If I run into any problems, I will take you up on your offer. For now I am still in the planning stage for this project of mine, which by the way proves to be much more work than I initially thought.

Thanks a lot for the hint about IOMMU, Todd, I think you nailed the main problem I am facing. My initial thoughts were that as long as only one DomU has exclusive rights to a certain PCI device, it would not pose a threat to the entire system. I have already heard about IOMMU being implemented in Intel CPUs (or probably the North Bridge, because as I hear that is where the Memory Controller is located) only; however, as far as I can see AMD isn't quite there yet (I hear they postponed it to 2009 again, almost reminds me of GNU/Hurd).

However, that is one of the main problems I am facing: Intel does not offer a suitable basis for low power systems with desktop performance. I already looked far and wide for a suitable CPU + Mainboard combination with low power consumption and onboard 3D graphics that are worth something and I'm sorry to say, but Intel's are definitively not (compared to the AMD 4x50e CPUs with AMD780G chipsets at least). So I am basically bound to AMD for this particular project.

I already looked around for clues on a software IOMMU implementation too, but the only thing I could find was SWIOTLB. As I understand it, this solution merely allows 32-bit devices to use more than 4 GB of RAM, or is there a way to use it as a software IOMMU in the sense of Intel VT-d too? If not, is there another way to emulate IOMMU or at least protect the system from a potentially compromised privileged DomU until AMD CPUs supporting this feature are available? And am I correct to assume that a possible feature for AMD CPUs will possibly not need support from the chipset, because the Memory Controller is located on the CPU?

I hope someone can help me out of my confusion,
Paul.

--
Paul Schulze
avlex@xxxxxxx
Public Key: http://solaris-net.dyndns.org/keys/key_avlex.asc
"Making mistakes is human, but to really fuck things up you need Computers"

On 24.05.2008 at 14:35, Christopher Isip wrote:

On Fri, May 23, 2008 at 11:57 PM, Todd Deshane <deshantm@xxxxxxxxx> wrote:

Hi Paul,

I'm not going to answer all your questions since I don't have a lot of experience with many of the things you mention. However I can do the second part and give some hints on what I do know.

> Is that possible and am I really gaining security for the whole system or is
> this just my imagination and doesn't make any sense at all? How about the
> performance, especially for the graphics adapter, do I have to factor in
> bigger losses there (maybe because PCI passthrough doesn't support the full
> PCIe 16x speed)? Has anyone tried something similar yet or am I the first to
> think this might be a good idea?

For PCI passthrough to be secure you need a system that has an IOMMU. It is my understanding that the only IOMMUs that are currently available are in the Intel VT-d systems. The reason you need the IOMMU is that otherwise the domain that you give direct access to the physical device could DMA into main memory and compromise the security of the system. So, you first need to look for a system with an IOMMU.

I really like your explanation of what you want and what you are trying to accomplish. I believe you are right on in terms of the VGA passthrough and using serial for the Xen output instead. I have read the experiences of others for that case and it seems that part you could do.

People have also reported using Xen and mythTV, so I think that is also quite possible.

There are a lot of details to get right, but by the sounds of it you are willing to figure them and make things work. As for all the networking stuff, Xen is pretty good at that already and it will be a matter of setting it up.

Your biggest initial hurdle is the IOMMU. Take a look at the VT-d stuff; there is a lot going on with that on the Xen mailing lists. (Try xen.markmail.org if you haven't already, it has pretty good search.)

You can find information on some of the other things as well, but I would expect that within the next few days others would share their experiences on some of the items that you mentioned.

Cheers,
Todd

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

I am currently running a mythtv backend in a Xen domU. It seems to be working well. I am on the last stages of configuration. It's using Ubuntu Hardy. Since it is a 2.6.24 kernel (compared to my Dom0 2.6.18), there are far fewer DMA errors.

Some issues that I haven't resolved yet:
- mythfilldatabase segfault in dmesg (runs fine on command line)
- PVR 250/500 record at default bitrate (2.2 Gb an hour) as opposed to settings in the database.

The domU does not have a mysql server. This is still in dom0 but I will be moving that to its own domU next. It also nfs mounts the video directories from dom0. I like to keep my DomUs at 4 Gigabyte or less for easy backup to a DVD.

If you need help setting up your mythtv DomU, let me know.

Chris
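The point made in the thread, that a guest holding a passed-through device can DMA into main memory unless an IOMMU is active, can be turned into a host-side check. The script below is an added example and not part of the thread: it assumes the hypervisor boot log contains the line `I/O virtualisation enabled` or `I/O virtualisation disabled` (readable with `xl dmesg` on current Xen), that guest configs list devices on a single `pci = [ ... ]` line, and it runs on constructed sample configs and a constructed log line.

```bash
#!/usr/bin/env bash
# Added example: flag Xen guests that get PCI passthrough while no IOMMU is active.
# On a real host, pipe `xl dmesg` into iommu_state and pass the real config files.

# Print "enabled", "disabled" or "unknown" from Xen boot log text on stdin.
iommu_state() {
    awk '/I\/O virtualisation enabled/  { s = "enabled" }
         /I\/O virtualisation disabled/ { s = "disabled" }
         END { print (s == "" ? "unknown" : s) }'
}

# Print each PCI address (BDF) on the uncommented pci = [ ... ] line of a config.
passthrough_devices() {
    grep -E '^[[:space:]]*pci[[:space:]]*=' "$1" 2>/dev/null |
        grep -oE '([0-9a-fA-F]{4}:)?[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]'
}

# audit <iommu-state> <config>... : one verdict line per passed-through device.
# Anything other than "enabled" is treated as unprotected (fail closed).
audit() {
    local state="$1" cfg dev verdict
    shift
    [ "$state" = enabled ] && verdict=OK || verdict=UNPROTECTED-DMA
    for cfg in "$@"; do
        for dev in $(passthrough_devices "$cfg"); do
            echo "$verdict $(basename "$cfg") $dev"
        done
    done
}

# Constructed sample: one guest with two passed-through devices, one with none,
# on a host whose (constructed) boot log reports the IOMMU as disabled.
demo() {
    local d log
    d=$(mktemp -d)
    printf '%s\n' "name = 'mythtv'" "pci = [ '01:00.0', '0000:03:05.1' ]" > "$d/mythtv.cfg"
    printf '%s\n' "name = 'router'" "vif = [ 'bridge=xenbr0' ]" > "$d/router.cfg"
    log='(XEN) I/O virtualisation disabled'
    audit "$(printf '%s\n' "$log" | iommu_state)" "$d"/*.cfg
    rm -rf "$d"
}

demo
```
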