hardware domain and control domain separation
Hi all,

Regarding hardware domain and control domain separation, Ayan sent to xen-devel an architecture specification (a design document) that I wrote previously about the topic. This is written as a safety document, so it is using a language and structure specific for that. However, it contains much of the explanation needed on the topic:

https://lore.kernel.org/xen-devel/20250304183115.2509666-1-ayan.kumar.halder@xxxxxxx/

If you take Virtio and PV drivers aside, the conceptual model is very simple. I suggest we start from there, also because deployments without Virtio/PV drivers are indeed possible. Often in mixed-criticality environments device sharing is absent or very limited.

When we bring Virtio and PV drivers into the picture, things get more complex. One simple mental model is that they are only allowed between Unsafe VMs, because we cannot guarantee that neither the protocols nor the widely adopted implementations are entirely free from interference. So, Virtio (and PV drivers) between Unsafe VMs are OK, but Safe VMs should be left alone.

There are lots of extra details in the document about the problems of freedom from interference and Virtio. I wrote those details to explain why Virtio between Safe and Unsafe VMs cannot be expected to work without modifications today (people will ask for this; this way we'll have the answers ready). I also wrote those details so that if someone wanted to do an analysis on this topic and potentially deploy an entirely written-from-scratch Virtio driver-protocol-backend implementation, they would have a starting point for their investigation.

Cheers,
Stefano
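The "Virtio/PV sharing only between Unsafe VMs" mental model from the message above can be turned into a configuration check that a deployment pipeline runs before a mixed-criticality system is brought up. The following is an added illustration, not code from the email, the linked design document, or the Xen project: the `VM`/`Channel` model, the VM names and the channel list are constructed for the example, and the rule it enforces is exactly the one stated above (every Virtio or PV channel must have both of its endpoints in Unsafe VMs, so a Safe VM never takes part in device sharing).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    safe: bool  # True for a Safe VM (safety-relevant), False for an Unsafe VM


@dataclass(frozen=True)
class Channel:
    kind: str      # "virtio" or "pv" (labels chosen for this example)
    frontend: str  # name of the VM running the frontend driver
    backend: str   # name of the VM running the backend


def check_sharing_policy(vms, channels):
    """Return human-readable violations of the rule
    'Virtio/PV device sharing is only allowed between Unsafe VMs'.

    An empty list means the deployment satisfies the rule.
    """
    by_name = {vm.name: vm for vm in vms}
    violations = []
    for ch in channels:
        label = f"{ch.kind} {ch.frontend}->{ch.backend}"
        for endpoint in (ch.frontend, ch.backend):
            vm = by_name.get(endpoint)
            if vm is None:
                # A channel referencing a VM that is not declared is a
                # configuration error as well: it cannot be classified.
                violations.append(f"{label}: unknown VM '{endpoint}'")
            elif vm.safe:
                violations.append(
                    f"{label}: Safe VM '{endpoint}' must not share devices")
    return violations


def sharing_vms(channels):
    """Set of VM names that take part in any Virtio/PV channel."""
    return {end for ch in channels for end in (ch.frontend, ch.backend)}


# Constructed deployment: one Safe VM and two Unsafe VMs.
DEPLOYMENT_VMS = [
    VM("safe-ctrl", safe=True),
    VM("linux-a", safe=False),
    VM("linux-b", safe=False),
]

# Constructed channels: the first is allowed (both ends Unsafe), the second
# reaches into the Safe VM, the third references an undeclared VM.
DEPLOYMENT_CHANNELS = [
    Channel("virtio", "linux-a", "linux-b"),
    Channel("pv", "linux-b", "safe-ctrl"),
    Channel("virtio", "linux-a", "storage-dom"),
]

if __name__ == "__main__":
    for v in check_sharing_policy(DEPLOYMENT_VMS, DEPLOYMENT_CHANNELS):
        print("violation:", v)
```

The check is deliberately conservative: it flags a Safe VM on either end of a channel, regardless of which side is the frontend or backend, because the message's point is that neither the protocol nor the common implementations can currently be shown to be free from interference in either direction.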