From: Boris Brezillon <boris.brezillon@collabora.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Zach Reizner" <zachr@google.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Zach Reizner" <zachr@chromium.org>,
"David Stevens" <stevensd@chromium.org>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Tomeu Vizoso" <tomeu.vizoso@collabora.com>,
"Tomasz Figa" <tfiga@chromium.org>,
virtio-dev@lists.oasis-open.org,
"Alexandros Frantzis" <alexandros.frantzis@collabora.co.uk>
Subject: [virtio-dev] Re: [RFC] Upstreaming virtio-wayland (or an alternative)
Date: Mon, 24 Feb 2020 14:18:35 +0100 [thread overview]
Message-ID: <20200224141835.798fac4e@collabora.com> (raw)
In-Reply-To: <20200224134513.660fb144@collabora.com>
On Mon, 24 Feb 2020 13:45:13 +0100
Boris Brezillon <boris.brezillon@collabora.com> wrote:
> On Mon, 24 Feb 2020 13:12:55 +0100
> Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> > On Mon, Feb 24, 2020 at 11:33:48AM +0100, Boris Brezillon wrote:
> > > On Mon, 17 Feb 2020 19:21:50 +0100
> > > Boris Brezillon <boris.brezillon@collabora.com> wrote:
> > >
> > > > > > Thats why I don't like the new virtio device idea much and would prefer
> > > > > > vhost being reused, either directly (#1) or via proxy (#2).
> > > > >
> > > > > For crosvm's purposes, we are looking at ways to reduce vhost usage in
> > > > > order to reduce host kernel exposure to untrusted guest input,
> > > > > including from the guest kernel. That is why a non-vhost based
> > > > > solution would be prefered.
> > > >
> > > > Okay, I didn't know you were avoiding vhost-based solutions to
> > > > reduce the attack surface.
> > >
> > > Looks like they implemented vhost-less vsock in Firecracker[1]. Not
> > > sure how much work that would be to port this implementation to crosvm,
> > > but maybe that's an option.
> > >
> > > [1]https://github.com/firecracker-microvm/firecracker/pull/1176
> >
> > Well, the nice thing about vsock is that (a) you have the same interface
> > on guest and host, and (b) it is hypervisor-agnostic. Applications can
> > simply use the usual system calls (socket, bind, listen, connect) with
> > AF_VSOCK socket type and be done with it.
> >
> > When not using vhost this goes away (on the host side). firecracker
> > seems to have a vsock <-> unix socket bridge in vmm userspace instead
> > (pull req msg sounds like that, didn't check the code).
>
> That's also my understanding. Note that you still keep the genericity
> on the guest side, which is a good thing I guess.
>
> >
> > I think there can be only one vsock device per guest. So you can't have
> > multiple instances, one with a vsock backend on the host and one with a
> > userspace backend on the host, then pick one of the two depending on the
> > use case.
> >
> > So, one advantage of a separate device would be that we'll gain some
> > flexibility in terms of the host side implementation. vsock vhost can
> > be used together with a wayland userspace backend.
>
> Yes, though if you really want to avoid vhost to reduce the attack
> surface, you'll probably want to never use vhost instead of having this
> restriction on a per-use-case basis.
>
> But let's say we go for a dedicated virtio-device to preserve this
> granularity. Should we aim at providing a generic virtio-msg device or
> should we keep this so-called wayland-specific virtio device (I'd like
> to remind you that it's actually protocol-agnostic)?
Maybe there's another option (not sure I mentioned it previously):
de-correlate the message passing and fd-passing interfaces. If we add a
virtio-fd device that takes care of FD passing between guest and host,
we can still use a regular vsock to pass messages (can be vhost or
!vhost depending on your level of paranoïa). The wayland proxies would
then queue/dequeue messages to/from the vsock and FDs to/from virtio-fd.
---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org
next prev parent reply other threads:[~2020-02-24 13:18 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-07 17:28 [virtio-dev] [RFC] Upstreaming virtio-wayland (or an alternative) Boris Brezillon
2020-02-10 5:06 ` [virtio-dev] " David Stevens
2020-02-17 10:02 ` Boris Brezillon
2020-02-17 10:22 ` David Stevens
2020-02-10 13:38 ` Gerd Hoffmann
2020-02-10 16:09 ` Stefan Hajnoczi
2020-02-17 10:28 ` Boris Brezillon
2020-02-17 12:32 ` Gerd Hoffmann
2020-02-17 13:44 ` Boris Brezillon
[not found] ` <CADMs+9YC3QHOsmsB9pjA-AFC+fc=_a+tSqBbDsecNvkhBc85Dw@mail.gmail.com>
2020-02-17 11:02 ` Boris Brezillon
2020-02-17 13:58 ` Boris Brezillon
[not found] ` <CAFNex=BuHdsEjFK3_cTqO2nOE-kB_MSH26sCTekF_6AK8Fyv3Q@mail.gmail.com>
2020-02-17 18:21 ` Boris Brezillon
[not found] ` <CAFNex=A8fU3e=FYP=t7jQ0J2E5aoyGKujhj8Df+vOhkzV8etgA@mail.gmail.com>
2020-02-19 8:52 ` Boris Brezillon
2020-02-24 10:33 ` Boris Brezillon
2020-02-24 12:12 ` Gerd Hoffmann
2020-02-24 12:45 ` Boris Brezillon
2020-02-24 13:18 ` Boris Brezillon [this message]
2020-02-24 13:42 ` Gerd Hoffmann
2020-02-24 13:57 ` Boris Brezillon
2020-02-24 14:25 ` Boris Brezillon
2020-02-24 13:35 ` Gerd Hoffmann
2020-02-24 12:32 ` Gerd Hoffmann
2020-02-25 15:21 ` [virtio-dev] " Boris Brezillon
2020-02-25 15:55 ` Alex Bennée
2020-02-26 9:25 ` Boris Brezillon
2020-02-26 15:12 ` Gerd Hoffmann
2020-02-26 17:05 ` Boris Brezillon
2020-02-27 10:29 ` Gerd Hoffmann
2020-02-27 12:24 ` Boris Brezillon
2020-02-27 4:20 ` David Stevens
2020-02-27 9:09 ` Boris Brezillon
[not found] ` <CAFNex=C4wm7=iH9XmyHoTSdkDfA3vbFOuLaaQ4aLjE9keu_NDg@mail.gmail.com>
2020-02-27 9:33 ` Boris Brezillon
2020-02-27 11:14 ` David Stevens
2020-02-27 11:51 ` Boris Brezillon
2020-02-27 14:43 ` Gerd Hoffmann
2020-02-28 8:04 ` Boris Brezillon
2020-02-28 9:27 ` Gerd Hoffmann
2020-02-28 10:11 ` David Stevens
2020-02-28 10:30 ` Gerd Hoffmann
2020-03-02 2:24 ` David Stevens
2020-03-02 9:28 ` Boris Brezillon
2020-02-28 10:31 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200224141835.798fac4e@collabora.com \
--to=boris.brezillon@collabora.com \
--cc=alexandros.frantzis@collabora.co.uk \
--cc=kraxel@redhat.com \
--cc=marcheu@chromium.org \
--cc=stefanha@redhat.com \
--cc=stevensd@chromium.org \
--cc=tfiga@chromium.org \
--cc=tomeu.vizoso@collabora.com \
--cc=virtio-dev@lists.oasis-open.org \
--cc=zachr@chromium.org \
--cc=zachr@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox