From: Juergen Gross <jgross@suse.com>
To: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>,
	xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: CONFIG_XEN_VIRTIO{_FORCE_GRANT} interferes with nested virt
Date: Wed, 5 Oct 2022 14:57:01 +0200
Message-ID: <4bd95b8b-dbdb-b5ce-fe18-ce6bbcf715fe@suse.com>
In-Reply-To: <Yz17cLIb1V0zjEjK@mail-itl>


On 05.10.22 14:41, Marek Marczykowski-Górecki wrote:
> Hi,
> 
> When booting Xen with Linux dom0 nested under KVM,
> CONFIG_XEN_VIRTIO_FORCE_GRANT=y makes it unable to use virtio devices
> provided by the L0 hypervisor (KVM with qemu). With PV dom0, grants are
> required for virtio even if just CONFIG_XEN_VIRTIO is enabled.
> 
> This is probably an uncommon corner case, but one that has bitten me in my
> CI setup... I think Xen should set a smarter
> virtio_require_restricted_mem_acc(), that enforces it only for devices
> really provided by another Xen VM (not by the "outer host"), but I'm not
> sure how that could be done. Any ideas?
> 

It should be possible to add a boot parameter for that purpose. Using it
would open a security hole, though (basically like all PCI passthrough to
PV guests).


Juergen
