[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/4] XSM changes for split hardware / control domain

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Wed, 11 Jun 2025 01:08:10 -0400
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+hyWWQPC6eAmVxESsZ5Fjyitqm8UWy7uYu+kgaAlnGc=; b=jtYtIIZ+MAs/tJVVSxKuUk5/v5tf/ytM6Nv1FJGWvHh+ULyN57+n6uxiPpyR1C/QZKBTAAYoc0unABtmr2rol1zBDJf6RPB1ChCM9nN8mdUthy2a90+zbtrFv31SFRdhbOiowFniKLBFSEztIVqQGkEnfLcdyhfCYV0k3RPGPftHwlSAQU0AOy+aItdNkTPOnpQQ8aqdzyF3b7tro14MW5OcMBviJ7byr4ioiUqZfJjLQOeT4JoiGxBV8UeiminbT/mgQ8iubl3krsTqZk9cTQK61bh3lU8aIUngmbTMQ54Vz/akXOyqPlM42DdlSb4dtIsozzEGSfCHFtnpHTZ/ng==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gWhkfNJHlY2wm+bvjR6U0NIZXPYINTwj5/c8YpPy9Wz4XzpdYMjlqTAuQWj1PucIWMfEFT6EiUgI5itGF7VyrpQZ/NmtBNQcdfUT4ha4QHIOUNDm0oBhkGB9/dQoR9XQTQl9k0tjJ9j3w73vLkEYxY3NOqqS/+VIf641vHeIp1y8j7VVqU5xGkwBRcys+O33E0PETP8Xyk5QKY+TXUDT6Lq2pqJLCLYkfMYILuNyrar3QE2P1RTSezhwQHuTXs+tFDqzy+/pJGN3ofiDHk3i7W3Zj19kQBPhFcAc8ERMNOs1k1uGSirXMiOpjjjurmUfCH7KXA6VrxRzXuvDLF1jtw==
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 11 Jun 2025 17:47:38 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2025-06-11 09:28, Jan Beulich wrote:

On 11.06.2025 00:57, Jason Andryuk wrote:

Theses are the broad changes needed for a split hardware / control
domain.

An earlier posting gave device_model privileges to hardware domain.  For
this posting, it was split out into a new capability.  This way the
operator can choose where to run the device models without making the
hardware domain have the permissions.

The first patch add XSM_HW_PRIV for the hardware hypercalls.  Unlike the
first posting, the control domain can call these hypercalls even though
it doesn't really make sense.  The idea was to keep the control domain
all powerful from an XSM perspective.

SILO is changed to allow control, hardwware or xenstore to service
domUs.  Xenstore and hardware will use grants for PV interfaces.
Control wouldn't typically provide PV interfaces to domUs, but it is
given the permision to do so.  Again, to keep control all powerful.

xsm/dummy: Allow hwdom SYSCTL_readconsole/physinfo this is not strictly
needed.  xenconsoled could read Xen's dmesg.  If it's in hwdom, then
that permission would be required.  SYSCTL_physinfo is mainly to silence
xl messages, which are mostly cosmetic.

Jason Andryuk (4):
   xen/xsm: Add XSM_HW_PRIV
   xsm/silo: Support hwdom/control domains
   xen: Add DOMAIN_CAPS_DEVICE_MODEL & XEN_DOMCTL_CDF_device_model
   xsm/dummy: Allow hwdom SYSCTL_readconsole/physinfo


Overall I can't help the impression that this level of disaggregation simply
requires the use of Flask.
I have thought about that. The problem with Flask is the complexity of the security server. We don't want to have to deal with all that code. A fixed policy is easier for our coverage testing.
Exposing separate control, hardware and xenstore capabilities, it makes sense for the default policy to function with them. This would be a coarse level of functionality, and Flask would remain for fine-grain and MAC enforcement. 

Regards,
Jason

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.