| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 03 Nov 2022 10:39:21 +0100
From: "Arnd Bergmann" <arnd@...db.de>
To: "Elliot Berman" <quic_eberman@...cinc.com>,
"Bjorn Andersson" <quic_bjorande@...cinc.com>,
"Dmitry Baryshkov" <dmitry.baryshkov@...aro.org>
Cc: "Murali Nalajala" <quic_mnalajal@...cinc.com>,
"Trilok Soni" <quic_tsoni@...cinc.com>,
"Srivatsa Vaddagiri" <quic_svaddagi@...cinc.com>,
"Carl van Schaik" <quic_cvanscha@...cinc.com>,
"Prakruthi Deepak Heragu" <quic_pheragu@...cinc.com>,
"Andy Gross" <agross@...nel.org>,
"Jassi Brar" <jassisinghbrar@...il.com>,
linux-arm-kernel@...ts.infradead.org,
"Mark Rutland" <mark.rutland@....com>,
"Lorenzo Pieralisi" <lorenzo.pieralisi@....com>,
"Sudeep Holla" <sudeep.holla@....com>,
"Marc Zyngier" <maz@...nel.org>,
"Rob Herring" <robh+dt@...nel.org>,
"Krzysztof Kozlowski" <krzysztof.kozlowski+dt@...aro.org>,
"Jonathan Corbet" <corbet@....net>,
"Will Deacon" <will@...nel.org>,
"Catalin Marinas" <catalin.marinas@....com>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
"Srinivas Kandagatla" <srinivas.kandagatla@...aro.org>,
"Amol Maheshwari" <amahesh@....qualcomm.com>,
"Kalle Valo" <kvalo@...nel.org>, devicetree@...r.kernel.org,
linux-doc@...r.kernel.org, linux-arm-msm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 13/21] gunyah: vm_mgr: Introduce basic VM Manager
On Wed, Nov 2, 2022, at 19:44, Elliot Berman wrote:
> On 11/2/2022 12:31 AM, Arnd Bergmann wrote:
>>> +static long gh_dev_ioctl_create_vm(unsigned long arg)
>>> +{
>>> + struct gunyah_vm *ghvm;
>>> + struct file *file;
>>> + int fd, err;
>>> +
>>> + /* arg reserved for future use. */
>>> + if (arg)
>>> + return -EINVAL;
>>
>> Do you have something specific in mind here? If 'create'
>> is the only command you support, and it has no arguments,
>> it would be easier to do it implicitly during open() and
>> have each fd opened from /dev/gunyah represent a new VM.
>>
>
> I'd like the argument here to support different types of virtual
> machines. I want to leave open what "different types" can be in case
> something new comes up in the future, but immediately "different type"
> would correspond to a few different authentication mechanisms for
> virtual machines that Gunyah supports.
>
> In this series, I'm only supporting unauthenticated virtual machines
> because they are the simplest to get up and running from a Linux
> userspace. When I introduce the other authentication mechanisms, I'll
> expand much more on how they work, but I'll give quick overview here.
> Other authentication mechanisms that are currently supported by Gunyah
> are "protected VM" and, on Qualcomm platforms, "PIL/carveout VMs".
> Protected VMs are *loosely* similar to the protected firmware design for
> KVM and intended to support Android virtualization use cases.
> PIL/carevout VMs are special virtual machines that can run on Qualcomm
> firmware which authenticate in a way similar to remoteproc firmware (MDT
> loader).
Ok, thanks for the background. Having different types of virtual
machines does mean that you may need some complexity, but I would
still lean towards using the simpler context management of opening
the /dev/gunyah device node to get a new context, and then using
ioctls on each fd to manage that context, instead of going through
the extra indirection of having a secondary 'open context' command
that always requires opening two file descriptors.
>> I'm correct, you can just turn the entire bus/device/driver
>> structure within your code into simple function calls, where
>> the main code calls vm_mgr_probe() as an exported function
>> instead of creating a device.
>
> Ack. I can do this, although I am nervous about this snowballing into a
> situation where I have a mega-module.
>
> > Please stop beating everything in a single module.
>
> https://lore.kernel.org/all/250945d2-3940-9830-63e5-beec5f44010b@linaro.org/
I see you concern, but I wasn't suggesting having everything
in one module either. There are three common ways of splitting
things into separate modules:
- I suggested having the vm_mgr module as a library block that
exports a few symbols which get used by the core module. The
module doesn't do anything on its own, but loading the core
module forces loading the vm_mgr.
- Alternatively one can do the opposite, and have symbols
exported by the core module, with the vm_mgr module using
it. This would make sense if you commonly have the core
module loaded on virtual machines that do not need to manage
other VMs.
- The method you have is to have a lower "bus" level that
abstracts device providers from consumers, with both sides
hooking into the bus. This makes sense for physical buses
like PCI or USB where both the host driver and the function
driver are unaware of implementation details of the other,
but in your case it does not seem like a good fit.
Arnd
Powered by blists - more mailing lists