[Rust-VMM] [Stratos-dev] Xen Rust VirtIO demos work breakdown for Project Stratos
Stefano Stabellini
sstabellini at kernel.org
Tue Sep 28 06:26:07 UTC 2021
On Mon, 27 Sep 2021, Christopher Clark wrote:
> On Mon, Sep 27, 2021 at 3:06 AM Alex Bennée via Stratos-dev <stratos-dev at op-lists.linaro.org> wrote:
>
> Marek Marczykowski-Górecki <marmarek at invisiblethingslab.com> writes:
>
> > On Fri, Sep 24, 2021 at 05:02:46PM +0100, Alex Bennée wrote:
> >> Hi,
> >
> > Hi,
> >
> >> 2.1 Stable ABI for foreignmemory mapping to non-dom0 ([STR-57])
> >> ───────────────────────────────────────────────────────────────
> >>
> >> Currently the foreign memory mapping support only works for dom0 due
> >> to reference counting issues. If we are to support backends running in
> >> their own domains this will need to get fixed.
> >>
> >> Estimate: 8w
> >>
> >>
> >> [STR-57] <https://linaro.atlassian.net/browse/STR-57>
> >
> > I'm pretty sure it was discussed before, but I can't find the relevant
> > (part of the) thread right now: does your model assume the backend (running
> > outside of dom0) will gain the ability to map (or access in some other way)
> > _arbitrary_ memory pages of a frontend domain? Or worse: of any domain?
>
> The aim is for some DomUs to host backends for other DomUs instead of
> all backends being in Dom0. Those backend DomUs would have to be
> considered trusted because, as you say, the default memory model of VirtIO
> is to have full access to the frontend domain's memory map.
>
>
> I share Marek's concern. I believe that there are Xen-based systems that will want to run guests using VirtIO devices without extending
> this level of trust to the backend domains.
From a safety perspective, it would be challenging to deploy a system
with privileged backends. From a safety perspective, it would be a lot
easier if the backend were unprivileged.
This is one of those times where safety and security requirements are
actually aligned.