Re: [Xen-devel] [Notes for xen summit 2018 design session] PCI pass-through with de-privileged QEMU
On Mon, Jul 02, 2018 at 02:04:45PM +0000, Lars Kurth wrote:
> This is a session hosted by Xin Li from Citrix on PCI-passthrough in a
> deprivileged QEMU. Including Elena as she did a patch for this (so that
> any PCI operation does not require root access).
>
> (Went over key points of QEMU de-priv talk - see
> https://www.slideshare.net/xen_com_mgr/xpdds18-qemu-and-xen-reducing-the-attack-surface-paul-durrant-citrix)
>
> Problem is sysfs nodes need to be opened.
>
> Doug: Can we use Linux namespaces as an improvement?
> Paul: Can we use add-fd to pass FDs to QEMU?
>
> X: Yes. That's possible.
>
> Doug: KVM just passes through vfio. Just one file to do everything to
> pass resources.
> Paul: We don't have vfio yet.
>
> X: XAPI needs the whole of sysfs
>
> George: why in XAPI do you pass all of sysfs?
>
> It is just the current design.
>
> Part of the directory is already used by USB passthru, so it needs to
> get the permission
>
> G: xl already does USB passthrough
>
> P: That has been working for a long time.
>
> D: Can we not pass through the whole sysfs?
>
> X: You can only get the first 64 bytes out, which is not enough
>
> X: Intel dev says to use polling mode to verify that masking is done.
>
> G: Can we just take a bunch of stuff out of QEMU?
>
> P: when Roger's stuff's done, should be OK. For now QEMU needs to work.
>
> G: Does accessing 64 bytes make it able to do harm?
>
> P: To a degree.
>
>
> D: vfio, there is one file that is passthrough, which has a bunch of
> ioctls. That can be looked at. Linux already has done a bunch of work to
> avoid QEMU touching stuff. It has probably reached those sysfs nodes.
>
> G: vfio work in dom0?
>
> P: Nothing prevents you from turning it on.
>
> G: We can try, it is a stopgap before PVH anyway.
>
> P: We can have a look.
>
> QEMU passthrough code is Xen specific.
>
> P: Intel hooked in GVT-g to make it look like an SR-IOV device. It
> probably works because all IOs are handled by QEMU. To make it work with
> Xen more work is needed: Xen's handler is inside Dom0.
>
> G: Can we just use the one in QEMU?
>
> P: Worth investigating. Check out vfio before adding new dmops.
>
> Xin will investigate vfio after the session.
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxxx
> https://lists.xenproject.org/mailman/listinfo/xen-devel
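The "first 64 bytes" that come up twice in the notes are the PCI standard configuration header: Linux's pci-sysfs code returns the full config space from /sys/bus/pci/devices/<bdf>/config only to callers with CAP_SYS_ADMIN, and truncates everyone else to 64 bytes. The following Python is an added example, not code from this thread, from Xen or from QEMU; it decodes what a de-privileged reader actually gets (vendor/device IDs, command register including bus-master enable, BARs, interrupt line) and flags that the capability list, where the MSI/MSI-X control and mask bits live, starts at or past 0x40 and is therefore out of reach. The device header it parses is constructed for the example; the vendor/device IDs and BAR addresses are made up, and read_config_space() only works on a Linux host with a real device.

```python
"""Decode the part of PCI config space an unprivileged reader gets from sysfs.

Added example; not code from the thread, Xen or QEMU. The device header
built below is constructed, not captured from real hardware.
"""
import struct

# Linux pci-sysfs hands the full config space only to CAP_SYS_ADMIN;
# everyone else reading /sys/bus/pci/devices/<bdf>/config gets the
# 64-byte standard header and nothing past it.
UNPRIV_CFG_BYTES = 64

# Command register bits (offset 0x04) and status bits (offset 0x06)
CMD_IO, CMD_MEM, CMD_BUS_MASTER = 0x1, 0x2, 0x4
STATUS_CAP_LIST = 0x10


def decode_bars(raw_bars):
    """Turn the six raw BAR words into index/kind/base/prefetchable entries."""
    out, i = [], 0
    while i < 6:
        val = raw_bars[i]
        if val == 0:                       # unimplemented BAR
            i += 1
            continue
        if val & 0x1:                      # bit 0 set: I/O space BAR
            out.append({"index": i, "kind": "io", "base": val & ~0x3, "prefetchable": False})
            i += 1
            continue
        mem_type = (val >> 1) & 0x3        # 0b00 = 32-bit, 0b10 = 64-bit
        prefetch = bool(val & 0x8)
        base = val & ~0xF
        if mem_type == 0x2 and i + 1 < 6:  # 64-bit BAR consumes the next word
            base |= raw_bars[i + 1] << 32
            out.append({"index": i, "kind": "mem64", "base": base, "prefetchable": prefetch})
            i += 2
        else:
            out.append({"index": i, "kind": "mem32", "base": base, "prefetchable": prefetch})
            i += 1
    return out


def parse_type0_header(cfg: bytes) -> dict:
    """Decode a type-0 (endpoint) header from the first 64 bytes of config space."""
    if len(cfg) < UNPRIV_CFG_BYTES:
        raise ValueError("need at least the 64-byte standard header")
    hdr = cfg[:UNPRIV_CFG_BYTES]
    vendor, device, command, status = struct.unpack_from("<HHHH", hdr, 0x00)
    class_code = int.from_bytes(hdr[0x09:0x0C], "little")  # base:sub:prog-if
    header_type = hdr[0x0E]
    if header_type & 0x7F != 0:
        raise ValueError("not a type-0 header")
    raw_bars = struct.unpack_from("<6I", hdr, 0x10)
    subsys_vendor, subsys_id = struct.unpack_from("<HH", hdr, 0x2C)
    cap_ptr = hdr[0x34] if status & STATUS_CAP_LIST else 0
    return {
        "vendor": vendor,
        "device": device,
        "bus_master": bool(command & CMD_BUS_MASTER),
        "class_code": class_code,
        "multi_function": bool(header_type & 0x80),
        "bars": decode_bars(raw_bars),
        "subsystem": (subsys_vendor, subsys_id),
        "cap_ptr": cap_ptr,
        # The capability list (MSI/MSI-X control and mask bits live there)
        # sits at >= 0x40, so a reader limited to 64 bytes never sees it.
        "caps_visible": cap_ptr != 0 and len(cfg) > cap_ptr,
        "irq_line": hdr[0x3C],
        "irq_pin": hdr[0x3D],
    }


def read_config_space(bdf: str) -> bytes:
    """Read a device's config space from sysfs; non-root callers get 64 bytes."""
    with open(f"/sys/bus/pci/devices/{bdf}/config", "rb") as f:
        return f.read()


def build_sample_header() -> bytes:
    """Constructed 64-byte header for a hypothetical Ethernet endpoint (made-up values)."""
    hdr = bytearray(UNPRIV_CFG_BYTES)
    struct.pack_into("<HHHH", hdr, 0x00, 0x8086, 0x10D3,
                     CMD_IO | CMD_MEM | CMD_BUS_MASTER, STATUS_CAP_LIST)
    hdr[0x09:0x0C] = (0x020000).to_bytes(3, "little")   # class: network controller
    hdr[0x0E] = 0x00                                     # type 0, single function
    struct.pack_into("<6I", hdr, 0x10,
                     0xF7C00000,        # BAR0: 32-bit MMIO
                     0xF7D0000C, 0x0,   # BAR1/2: 64-bit prefetchable MMIO
                     0x0000E001,        # BAR3: I/O ports
                     0, 0)
    struct.pack_into("<HH", hdr, 0x2C, 0x8086, 0x0001)   # subsystem IDs
    hdr[0x34] = 0x40                                     # first capability at 0x40
    hdr[0x3C], hdr[0x3D] = 0x0B, 0x01                    # IRQ line 11, INTA
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_type0_header(build_sample_header())
    print(f"{info['vendor']:04x}:{info['device']:04x} bus_master={info['bus_master']} "
          f"cap_ptr=0x{info['cap_ptr']:02x} caps_visible={info['caps_visible']}")
    for bar in info["bars"]:
        print(f"  BAR{bar['index']} {bar['kind']} base=0x{bar['base']:x}")
```

On a real host, `parse_type0_header(read_config_space("0000:03:00.0"))` run as an unprivileged user yields caps_visible False for any device with a capability list, which is exactly why the 64-byte view is "not enough" for a QEMU that has to program MSI/MSI-X and why the notes discuss passing an already-opened descriptor in or moving to vfio instead.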