From: Boris Brezillon <boris.brezillon@collabora.com>
To: Zach Reizner <zachr@google.com>
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Zach Reizner" <zachr@chromium.org>,
"David Stevens" <stevensd@chromium.org>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Tomeu Vizoso" <tomeu.vizoso@collabora.com>,
"Tomasz Figa" <tfiga@chromium.org>,
virtio-dev@lists.oasis-open.org,
"Alexandros Frantzis" <alexandros.frantzis@collabora.co.uk>
Subject: [virtio-dev] Re: [RFC] Upstreaming virtio-wayland (or an alternative)
Date: Mon, 17 Feb 2020 19:21:50 +0100 [thread overview]
Message-ID: <20200217192150.07f9e253@collabora.com> (raw)
In-Reply-To: <CAFNex=BuHdsEjFK3_cTqO2nOE-kB_MSH26sCTekF_6AK8Fyv3Q@mail.gmail.com>
On Mon, 17 Feb 2020 09:47:46 -0800
Zach Reizner <zachr@google.com> wrote:
> > Thats why I don't like the new virtio device idea much and would prefer
> > vhost being reused, either directly (#1) or via proxy (#2).
>
> For crosvm's purposes, we are looking at ways to reduce vhost usage in
> order to reduce host kernel exposure to untrusted guest input,
> including from the guest kernel. That is why a non-vhost based
> solution would be prefered.
Okay, I didn't know you were avoiding vhost-based solutions to
reduce the attack surface.
>
> > Any potential security hole should be considered IMHO, even if it's not
> > easily exploitable.
>
> I second Boris's statement. In the age of Spectre-like exploits,
> keeping secrets from other processes should be considered riskier than
> using FDs to prove that a process can access a resource.
>
> > We might be able to do that lazily if we add
> > ->virtio_fd_to_vfd()/->virtio_vfd_to_fd() hooks to the file_operations
> > struct, instead of expecting the subsystem to pro-actively create those
> > mappings (when those hooks are not implemented, that means the resource
> > backed by this FD can't be passed on a VSOCK).
>
> virtio-wayland actually will handle passing arbitrary FDs back and
> forth, but it does have special handling for virtio-gpu dmabufs. For
> everything else, virtio-wayland will determine if the FD is
> readable/writable/mappable and will recreate a pipe/memfd on the other
> side to emulate the FD. For mappable FDs, this is limited host->guest
> passing because in practice this is used only by the compositor to
> send the keyboard mapping to clients. The pipes are needed for both
> host->guest and guest->host because they are used to request clipboard
> content. The only FDs that require special handling are ones where
> there already is a host-side FD corresponding to the guest side FD,
> such as the case of wayland socket connections or dmabufs.
>
> As for the question of which solution to go for, I would suggest
> either 3 (dedicated virtio device) or combining features from
> virtio-wayland with virtio-gpu. I don't think extending vsock is a
> good idea because there's enough going on with virtio-wayland with
> respect to FD passing and emulation that a generic interface will be
> too opinionated.
Can you be more specific? What would be the limitations of such a
generic interface that would make it unusable for the virtio-wayland
use case?
> I like the combination with virtio-gpu because it
> already has two related but separate graphics concepts combined into
> one device (display and rendering), so wayland would feel right at
> home.
Except that, looking at the virtio-wayland code nothing in there looks
fundamentally wayland specific, or even display-server specific. Sure,
FD passing support is focused on what wayland needs (pipes, dmabuf FDs,
...), but I see nothing that would prevent making it generic enough to
pass other kind of resources if we ever need to.
> Because wayland benefits from allocation and sharing of
> virtio-gpu buffers, a virtio-gpu combo device simplifies access to
> those buffers, whereas the separate virtio devices as implemented in
> crosvm requires bridging of resource handles (in guest kernel) and FDs
> (in crosvm).
I must admit I'm not a huge fan of integrating a protocol-agnostic
message passing interface (with FD-passing support) to virtio-gpu.
Sounds like something that could be re-used without virtio-gpu being
involved to me. As for the resource bridging thing, that's more or less
what I proposed with the generic interface to translate resource handles
(what I called VFDs) to local FDs. It would probably be easier with a
vhost-based solution, but your resource bridge interface in crosvm
seems to provide the same kind of abstraction. Any reason you want to
avoid this split?
---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org
next prev parent reply other threads:[~2020-02-17 18:22 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-07 17:28 [virtio-dev] [RFC] Upstreaming virtio-wayland (or an alternative) Boris Brezillon
2020-02-10 5:06 ` [virtio-dev] " David Stevens
2020-02-17 10:02 ` Boris Brezillon
2020-02-17 10:22 ` David Stevens
2020-02-10 13:38 ` Gerd Hoffmann
2020-02-10 16:09 ` Stefan Hajnoczi
2020-02-17 10:28 ` Boris Brezillon
2020-02-17 12:32 ` Gerd Hoffmann
2020-02-17 13:44 ` Boris Brezillon
[not found] ` <CADMs+9YC3QHOsmsB9pjA-AFC+fc=_a+tSqBbDsecNvkhBc85Dw@mail.gmail.com>
2020-02-17 11:02 ` Boris Brezillon
2020-02-17 13:58 ` Boris Brezillon
[not found] ` <CAFNex=BuHdsEjFK3_cTqO2nOE-kB_MSH26sCTekF_6AK8Fyv3Q@mail.gmail.com>
2020-02-17 18:21 ` Boris Brezillon [this message]
[not found] ` <CAFNex=A8fU3e=FYP=t7jQ0J2E5aoyGKujhj8Df+vOhkzV8etgA@mail.gmail.com>
2020-02-19 8:52 ` Boris Brezillon
2020-02-24 10:33 ` Boris Brezillon
2020-02-24 12:12 ` Gerd Hoffmann
2020-02-24 12:45 ` Boris Brezillon
2020-02-24 13:18 ` Boris Brezillon
2020-02-24 13:42 ` Gerd Hoffmann
2020-02-24 13:57 ` Boris Brezillon
2020-02-24 14:25 ` Boris Brezillon
2020-02-24 13:35 ` Gerd Hoffmann
2020-02-24 12:32 ` Gerd Hoffmann
2020-02-25 15:21 ` [virtio-dev] " Boris Brezillon
2020-02-25 15:55 ` Alex Bennée
2020-02-26 9:25 ` Boris Brezillon
2020-02-26 15:12 ` Gerd Hoffmann
2020-02-26 17:05 ` Boris Brezillon
2020-02-27 10:29 ` Gerd Hoffmann
2020-02-27 12:24 ` Boris Brezillon
2020-02-27 4:20 ` David Stevens
2020-02-27 9:09 ` Boris Brezillon
[not found] ` <CAFNex=C4wm7=iH9XmyHoTSdkDfA3vbFOuLaaQ4aLjE9keu_NDg@mail.gmail.com>
2020-02-27 9:33 ` Boris Brezillon
2020-02-27 11:14 ` David Stevens
2020-02-27 11:51 ` Boris Brezillon
2020-02-27 14:43 ` Gerd Hoffmann
2020-02-28 8:04 ` Boris Brezillon
2020-02-28 9:27 ` Gerd Hoffmann
2020-02-28 10:11 ` David Stevens
2020-02-28 10:30 ` Gerd Hoffmann
2020-03-02 2:24 ` David Stevens
2020-03-02 9:28 ` Boris Brezillon
2020-02-28 10:31 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200217192150.07f9e253@collabora.com \
--to=boris.brezillon@collabora.com \
--cc=alexandros.frantzis@collabora.co.uk \
--cc=kraxel@redhat.com \
--cc=marcheu@chromium.org \
--cc=stefanha@redhat.com \
--cc=stevensd@chromium.org \
--cc=tfiga@chromium.org \
--cc=tomeu.vizoso@collabora.com \
--cc=virtio-dev@lists.oasis-open.org \
--cc=zachr@chromium.org \
--cc=zachr@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox