From: David Vrabel <david.vrabel@citrix.com>
To: Jan Beulich <JBeulich@suse.com>, Wei Liu <wei.liu2@citrix.com>
Cc: StefanoStabellini <sstabellini@kernel.org>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
Anthony Perard <anthony.perard@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>,
dgdegra@tycho.nsa.gov
Subject: Re: Device model operation hypercall (DMOP, re qemu depriv)
Date: Tue, 2 Aug 2016 14:02:18 +0100 [thread overview]
Message-ID: <57A099DA.1030003@citrix.com> (raw)
In-Reply-To: <57A0A6F00200007800101BCB@prv-mh.provo.novell.com>
On 02/08/16 12:58, Jan Beulich wrote:
>>>> On 02.08.16 at 13:38, <wei.liu2@citrix.com> wrote:
>> On Mon, Aug 01, 2016 at 06:41:20AM -0600, Jan Beulich wrote:
>>>>>> On 01.08.16 at 13:32, <ian.jackson@eu.citrix.com> wrote:
>>>> 4. We could invent a new hypercall `DMOP' for hypercalls which device
>>>> models should be able to use, which always has the target domain in
>>>> a fixed location in the arguments. We have the dom0 privcmd driver
>>>> know about this one hypercall number and the location of the target
>>>> domid.
>>>>
>>>> Option 4 has the following advantages:
>>>>
>>>> * The specification of which hypercalls are authorised to qemu is
>>>> integrated with the specification of the hypercalls themselves:
>>>> There is no need to maintain a separate table which can get out of
>>>> step (or contain security bugs).
>>>>
>>>> * The changes required to the rest of the system are fairly small.
>>>> In particular:
>>>>
>>>> * We need only one small, non-varying, patch to the dom0 kernel.
>>>>
>>>>
>>>> Let me flesh out option 4 in more detail:
>>>>
>>>>
>>>> We define a new hypercall DMOP.
>>>>
>>>> Its first argument is always a target domid. The DMOP hypercall
>>>> number and position of the target domid in the arguments are fixed.
>>>>
>>>> A DMOP is defined to never put at risk the stability or security of
>>>> the whole system, nor of the domain which calls DMOP. However, a DMOP
>>>> may have arbitrary effects on the target domid.
>>>
>>> With the exception of this and the privcmd layer described below,
>>> DMOP == HVMCTL afaics. The privcmd layer is independent anyway.
>>> And the security aspect mentioned above won't disappear if we
>>> use DMOP instead of HVMCTL. So I don't see why the hvmctl
>>> series as is can't be the starting point of this, with the stability/
>>> security concerns addressed subsequently, for being orthogonal.
>>>
>>
>> Yeah, to turn HVMCTL to DMOP:
>>
>> 1. s/HVMCTL/DMOP/
>> 2. maybe s/interface_version//
>
> Andrew had brought up 2 too, but I'm really not sure that'd be a
> good idea. I rather think we should keep it but maybe (other than
> domctl/sysctl) recognize older versions. In any event I consider
> having it better for an unstable interface (as Ian said, libxc is
> supposed to provide the stable one).
A stable user space library API is no good for an in-kernel emulator,
like that needed for Intel GVT-g -- the hypercall ABI needs to be stable.
David
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-08-02 13:02 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-28 17:01 XenProject/XenServer QEMU working group, Friday 8th July, 2016, 15:00 Jennifer Herbert
2016-08-01 11:32 ` Device model operation hypercall (DMOP, re qemu depriv) Ian Jackson
2016-08-01 12:41 ` Jan Beulich
2016-08-02 11:38 ` Wei Liu
2016-08-02 11:58 ` Jan Beulich
2016-08-02 13:02 ` David Vrabel [this message]
2016-08-02 13:29 ` Jan Beulich
2016-08-03 10:29 ` Ian Jackson
2016-08-03 12:03 ` Jan Beulich
2016-08-03 13:37 ` Ian Jackson
2016-08-03 14:16 ` Jan Beulich
2016-08-03 14:21 ` George Dunlap
2016-08-03 16:10 ` Ian Jackson
2016-08-03 16:18 ` Jan Beulich
2016-08-04 11:21 ` Ian Jackson
2016-08-04 13:24 ` Jan Beulich
2016-08-05 16:28 ` Ian Jackson
2016-08-08 11:18 ` Jan Beulich
2016-08-08 13:46 ` Ian Jackson
2016-08-08 14:07 ` Jan Beulich
2016-08-26 11:38 ` Ian Jackson
2016-08-26 12:58 ` Jan Beulich
2016-08-26 14:35 ` Ian Jackson
2016-08-26 15:13 ` Jan Beulich
2016-08-30 11:02 ` Ian Jackson
2016-08-30 21:47 ` Stefano Stabellini
2016-09-02 14:08 ` Wei Liu
2016-08-09 10:29 ` Jan Beulich
2016-08-09 10:48 ` Ian Jackson
2016-08-09 11:30 ` Jan Beulich
2016-08-12 9:44 ` George Dunlap
2016-08-12 11:50 ` Jan Beulich
2016-08-15 9:39 ` George Dunlap
2016-08-15 10:19 ` Jan Beulich
2016-08-15 10:47 ` George Dunlap
2016-08-15 11:20 ` Jan Beulich
2016-08-15 12:07 ` Ian Jackson
2016-08-15 14:20 ` Jan Beulich
2016-08-15 14:57 ` George Dunlap
2016-08-15 15:22 ` Jan Beulich
2016-08-15 14:50 ` David Vrabel
2016-08-15 15:24 ` Jan Beulich
2016-08-26 11:29 ` Ian Jackson
2016-08-26 12:58 ` Jan Beulich
2016-08-02 11:37 ` Wei Liu
2016-08-02 11:42 ` George Dunlap
2016-08-02 12:34 ` Wei Liu
2016-09-09 15:16 ` Jennifer Herbert
2016-09-09 15:34 ` David Vrabel
2016-09-12 13:47 ` George Dunlap
2016-09-12 14:32 ` Jan Beulich
2016-09-13 10:37 ` George Dunlap
2016-09-13 11:53 ` Jan Beulich
2016-09-13 16:07 ` David Vrabel
2016-09-14 9:51 ` Jan Beulich
2016-09-21 11:21 ` Ian Jackson
2016-09-21 11:28 ` George Dunlap
2016-09-21 11:58 ` Jan Beulich
2016-09-21 11:55 ` Jan Beulich
2016-09-21 12:23 ` Device model operation hypercall (DMOP, re qemu depriv) [and 1 more messages] Ian Jackson
2016-09-21 12:48 ` Jan Beulich
2016-09-21 13:24 ` Ian Jackson
2016-09-21 13:56 ` Jan Beulich
2016-09-21 15:06 ` Ian Jackson
2016-09-21 17:09 ` George Dunlap
2016-09-22 8:47 ` Jan Beulich
2016-09-09 16:18 ` XenProject/XenServer QEMU working group minutes, 30th August 2016 Jennifer Herbert
2016-09-12 7:16 ` Juergen Gross
2016-10-14 18:01 ` QEMU XenServer/XenProject Working group meeting 29th September 2016 Jennifer Herbert
2016-10-18 19:54 ` Stefano Stabellini
2016-10-20 17:37 ` Lars Kurth
2016-10-20 18:53 ` Stefano Stabellini
2017-02-28 18:18 ` QEMU XenServer/XenProject Working group meeting 10th February 2017 Jennifer Herbert
2017-06-05 13:48 ` QEMU XenServer/XenProject Working group meeting 10th May 2017 Jennifer Herbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57A099DA.1030003@citrix.com \
--to=david.vrabel@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=ian.jackson@eu.citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).