From: Boris Brezillon <boris.brezillon@collabora.com>
To: Zach Reizner <zachr@google.com>
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Zach Reizner" <zachr@chromium.org>,
"David Stevens" <stevensd@chromium.org>,
"Stéphane Marchesin" <marcheu@chromium.org>,
"Tomeu Vizoso" <tomeu.vizoso@collabora.com>,
"Tomasz Figa" <tfiga@chromium.org>,
virtio-dev@lists.oasis-open.org,
"Alexandros Frantzis" <alexandros.frantzis@collabora.co.uk>
Subject: [virtio-dev] Re: [RFC] Upstreaming virtio-wayland (or an alternative)
Date: Mon, 17 Feb 2020 19:21:50 +0100 [thread overview]
Message-ID: <20200217192150.07f9e253@collabora.com> (raw)
In-Reply-To: <CAFNex=BuHdsEjFK3_cTqO2nOE-kB_MSH26sCTekF_6AK8Fyv3Q@mail.gmail.com>
On Mon, 17 Feb 2020 09:47:46 -0800
Zach Reizner <zachr@google.com> wrote:
> > Thats why I don't like the new virtio device idea much and would prefer
> > vhost being reused, either directly (#1) or via proxy (#2).
>
> For crosvm's purposes, we are looking at ways to reduce vhost usage in
> order to reduce host kernel exposure to untrusted guest input,
> including from the guest kernel. That is why a non-vhost based
> solution would be prefered.
Okay, I didn't know you were avoiding vhost-based solutions to
reduce the attack surface.
>
> > Any potential security hole should be considered IMHO, even if it's not
> > easily exploitable.
>
> I second Boris's statement. In the age of Spectre-like exploits,
> keeping secrets from other processes should be considered riskier than
> using FDs to prove that a process can access a resource.
>
> > We might be able to do that lazily if we add
> > ->virtio_fd_to_vfd()/->virtio_vfd_to_fd() hooks to the file_operations
> > struct, instead of expecting the subsystem to pro-actively create those
> > mappings (when those hooks are not implemented, that means the resource
> > backed by this FD can't be passed on a VSOCK).
>
> virtio-wayland actually will handle passing arbitrary FDs back and
> forth, but it does have special handling for virtio-gpu dmabufs. For
> everything else, virtio-wayland will determine if the FD is
> readable/writable/mappable and will recreate a pipe/memfd on the other
> side to emulate the FD. For mappable FDs, this is limited host->guest
> passing because in practice this is used only by the compositor to
> send the keyboard mapping to clients. The pipes are needed for both
> host->guest and guest->host because they are used to request clipboard
> content. The only FDs that require special handling are ones where
> there already is a host-side FD corresponding to the guest side FD,
> such as the case of wayland socket connections or dmabufs.
>
> As for the question of which solution to go for, I would suggest
> either 3 (dedicated virtio device) or combining features from
> virtio-wayland with virtio-gpu. I don't think extending vsock is a
> good idea because there's enough going on with virtio-wayland with
> respect to FD passing and emulation that a generic interface will be
> too opinionated.
Can you be more specific? What would be the limitations of such a
generic interface that would make it unusable for the virtio-wayland
use case?
> I like the combination with virtio-gpu because it
> already has two related but separate graphics concepts combined into
> one device (display and rendering), so wayland would feel right at
> home.
Except that, looking at the virtio-wayland code nothing in there looks
fundamentally wayland specific, or even display-server specific. Sure,
FD passing support is focused on what wayland needs (pipes, dmabuf FDs,
...), but I see nothing that would prevent making it generic enough to
pass other kind of resources if we ever need to.
> Because wayland benefits from allocation and sharing of
> virtio-gpu buffers, a virtio-gpu combo device simplifies access to
> those buffers, whereas the separate virtio devices as implemented in
> crosvm requires bridging of resource handles (in guest kernel) and FDs
> (in crosvm).
I must admit I'm not a huge fan of integrating a protocol-agnostic
message passing interface (with FD-passing support) to virtio-gpu.
Sounds like something that could be re-used without virtio-gpu being
involved to me. As for the resource bridging thing, that's more or less
what I proposed with the generic interface to translate resource handles
(what I called VFDs) to local FDs. It would probably be easier with a
vhost-based solution, but your resource bridge interface in crosvm
seems to provide the same kind of abstraction. Any reason you want to
avoid this split?
---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org
next prev parent reply other threads:[~2020-02-17 18:22 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-07 17:28 [virtio-dev] [RFC] Upstreaming virtio-wayland (or an alternative) Boris Brezillon
2020-02-10 5:06 ` [virtio-dev] " David Stevens
2020-02-17 10:02 ` Boris Brezillon
2020-02-17 10:22 ` David Stevens
2020-02-10 13:38 ` Gerd Hoffmann
2020-02-10 16:09 ` Stefan Hajnoczi
2020-02-17 10:28 ` Boris Brezillon
2020-02-17 12:32 ` Gerd Hoffmann
2020-02-17 13:44 ` Boris Brezillon
[not found] ` <CADMs+9YC3QHOsmsB9pjA-AFC+fc=_a+tSqBbDsecNvkhBc85Dw@mail.gmail.com>
2020-02-17 11:02 ` Boris Brezillon
2020-02-17 13:58 ` Boris Brezillon
[not found] ` <CAFNex=BuHdsEjFK3_cTqO2nOE-kB_MSH26sCTekF_6AK8Fyv3Q@mail.gmail.com>
2020-02-17 18:21 ` Boris Brezillon [this message]
[not found] ` <CAFNex=A8fU3e=FYP=t7jQ0J2E5aoyGKujhj8Df+vOhkzV8etgA@mail.gmail.com>
2020-02-19 8:52 ` Boris Brezillon
2020-02-24 10:33 ` Boris Brezillon
2020-02-24 12:12 ` Gerd Hoffmann
2020-02-24 12:45 ` Boris Brezillon
2020-02-24 13:18 ` Boris Brezillon
2020-02-24 13:42 ` Gerd Hoffmann
2020-02-24 13:57 ` Boris Brezillon
2020-02-24 14:25 ` Boris Brezillon
2020-02-24 13:35 ` Gerd Hoffmann
2020-02-24 12:32 ` Gerd Hoffmann
2020-02-25 15:21 ` [virtio-dev] " Boris Brezillon
2020-02-25 15:55 ` Alex Bennée
2020-02-26 9:25 ` Boris Brezillon
2020-02-26 15:12 ` Gerd Hoffmann
2020-02-26 17:05 ` Boris Brezillon
2020-02-27 10:29 ` Gerd Hoffmann
2020-02-27 12:24 ` Boris Brezillon
2020-02-27 4:20 ` David Stevens
2020-02-27 9:09 ` Boris Brezillon
[not found] ` <CAFNex=C4wm7=iH9XmyHoTSdkDfA3vbFOuLaaQ4aLjE9keu_NDg@mail.gmail.com>
2020-02-27 9:33 ` Boris Brezillon
2020-02-27 11:14 ` David Stevens
2020-02-27 11:51 ` Boris Brezillon
2020-02-27 14:43 ` Gerd Hoffmann
2020-02-28 8:04 ` Boris Brezillon
2020-02-28 9:27 ` Gerd Hoffmann
2020-02-28 10:11 ` David Stevens
2020-02-28 10:30 ` Gerd Hoffmann
2020-03-02 2:24 ` David Stevens
2020-03-02 9:28 ` Boris Brezillon
2020-02-28 10:31 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200217192150.07f9e253@collabora.com \
--to=boris.brezillon@collabora.com \
--cc=alexandros.frantzis@collabora.co.uk \
--cc=kraxel@redhat.com \
--cc=marcheu@chromium.org \
--cc=stefanha@redhat.com \
--cc=stevensd@chromium.org \
--cc=tfiga@chromium.org \
--cc=tomeu.vizoso@collabora.com \
--cc=virtio-dev@lists.oasis-open.org \
--cc=zachr@chromium.org \
--cc=zachr@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.