On 2014-06-13 10:45, Paolo Bonzini wrote:
> On 13/06/2014 08:23, Jan Kiszka wrote:
>>>> That would preserve zero-copy capabilities (as long as you can work
>>>> against the shared mem directly, e.g. doing DMA from a physical NIC or
>>>> storage device into it) and keep the hypervisor out of the loop.
>>>
>>> This seems ill thought out. How will you program a NIC via the virtio
>>> protocol without a hypervisor? And how will you make it safe? You'll
>>> need an IOMMU. But if you have an IOMMU you don't need shared memory.
>>
>> Scenarios behind this are things like driver VMs: You pass through the
>> physical hardware to a driver guest that talks to the hardware and
>> relays data via one or more virtual channels to other VMs. This confines
>> a certain set of security and stability risks to the driver VM.
>
> I think implementing Xen hypercalls in jailhouse for grant table and
> event channels would actually make a lot of sense. The Xen
> implementation is 2.5kLOC and I think it should be possible to compact
> it noticeably, especially if you limit yourself to 64-bit guests.

At least the grant table model seems unsuited for Jailhouse. It allows a
guest to influence the mapping of another guest during runtime. This we
want (or even have) to avoid in Jailhouse.

I'm therefore more in favor of a model where the shared memory region is
defined on cell (guest) creation by adding a virtual device that comes
with such a region.

Jan

> It should also be almost enough to run Xen PVH guests as jailhouse
> partitions.
>
> If later Xen starts to support virtio, you will get that for free.
>
> Paolo
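Added example (not from the thread and not Jailhouse code): a minimal one-way channel of the kind Jan describes, a ring living in a shared-memory region whose location and size are fixed when the cells are created, with the hypervisor out of the data path. The region size (4096 bytes), the ring header layout, the length-prefixed frame format and all function names are assumptions made for this illustration. The point it shows is the consequence of that model: since nothing mediates accesses, the peer cell can write anything into the ring header, so each side keeps its own trusted state in private memory and validates every index and length it reads from the shared region before touching the data area.

```c
/* Fixed shared-memory ring between two cells. Region size and location are
 * assumed to come from the cell configs; here a static array stands in.
 * Every field of struct shm_ring is peer-writable and is treated as hostile. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHM_SIZE 4096u  /* assumed region size */

struct shm_ring {
    volatile uint32_t head;  /* producer's write index, expected in [0, size) */
    volatile uint32_t tail;  /* consumer's read index, published for the producer */
    uint8_t data[];
};

/* Consumer state kept in private memory, never in the shared region. */
struct consumer {
    struct shm_ring *ring;
    uint32_t size;  /* data bytes, derived from the trusted region size */
    uint32_t tail;  /* private copy; the shared 'tail' is write-only for us */
};

static uint8_t shm_region[SHM_SIZE] __attribute__((aligned(64)));

static uint32_t ring_size(size_t region_size)
{
    return (uint32_t)(region_size - sizeof(struct shm_ring));
}

static uint32_t ring_used(uint32_t head, uint32_t tail, uint32_t size)
{
    return head >= tail ? head - tail : head + size - tail;
}

static void copy_in(struct shm_ring *r, uint32_t size, uint32_t *pos,
                    const uint8_t *src, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        r->data[*pos] = src[i];
        *pos = (*pos + 1 == size) ? 0 : *pos + 1;
    }
}

static void copy_out(const struct shm_ring *r, uint32_t size, uint32_t *pos,
                     uint8_t *dst, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        dst[i] = r->data[*pos];
        *pos = (*pos + 1 == size) ? 0 : *pos + 1;
    }
}

struct consumer consumer_attach(void *region, size_t region_size)
{
    struct consumer c = { .ring = region, .size = ring_size(region_size), .tail = 0 };
    return c;
}

/* Producer side (the driver cell). Returns false if the frame does not fit or
 * the peer-controlled indices are out of range. */
bool ring_produce(struct shm_ring *r, uint32_t size, const uint8_t *msg, uint32_t len)
{
    uint32_t head = r->head, tail = r->tail;
    if (head >= size || tail >= size || len > size)
        return false;
    if (len + 4 > size - 1 - ring_used(head, tail, size))
        return false;
    uint8_t hdr[4] = { (uint8_t)len, (uint8_t)(len >> 8), (uint8_t)(len >> 16), (uint8_t)(len >> 24) };
    copy_in(r, size, &head, hdr, 4);
    copy_in(r, size, &head, msg, len);
    __atomic_thread_fence(__ATOMIC_RELEASE);  /* payload visible before head */
    r->head = head;
    return true;
}

/* Consumer side. Returns the payload length, 0 when empty, or -1 when the shared
 * header is inconsistent (peer bug or attack); the caller should then drop the
 * channel. A bad index or length can only yield -1, never an access outside data[]. */
int ring_consume(struct consumer *c, uint8_t *out, uint32_t cap)
{
    uint32_t size = c->size;
    uint32_t head = c->ring->head;  /* one snapshot of the untrusted index */
    __atomic_thread_fence(__ATOMIC_ACQUIRE);
    if (head >= size)
        return -1;
    uint32_t used = ring_used(head, c->tail, size);
    if (used == 0)
        return 0;
    if (used < 4)
        return -1;
    uint32_t pos = c->tail;
    uint8_t hdr[4];
    copy_out(c->ring, size, &pos, hdr, 4);
    uint32_t len = hdr[0] | (uint32_t)hdr[1] << 8 | (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (len > used - 4 || len > cap || len > INT32_MAX)
        return -1;
    copy_out(c->ring, size, &pos, out, len);  /* bounded by the checks above */
    c->tail = pos;
    c->ring->tail = pos;  /* publish progress for the producer */
    return (int)len;
}

/* Normal exchange, wrap-around, then two header corruptions by the peer.
 * Returns 0 on success or the number of the failed step. */
int demo(void)
{
    memset(shm_region, 0, sizeof shm_region);
    struct shm_ring *ring = (struct shm_ring *)shm_region;
    uint32_t size = ring_size(sizeof shm_region);
    struct consumer c = consumer_attach(shm_region, sizeof shm_region);
    uint8_t buf[64];
    static const uint8_t frame[] = "constructed frame from the driver cell";

    if (!ring_produce(ring, size, frame, sizeof frame)) return 1;
    if (ring_consume(&c, buf, sizeof buf) != (int)sizeof frame) return 2;
    if (memcmp(buf, frame, sizeof frame) != 0) return 3;
    if (ring_consume(&c, buf, sizeof buf) != 0) return 4;
    for (int i = 0; i < 200; i++) {  /* 200 * 44 bytes wraps the 4088-byte ring twice */
        if (!ring_produce(ring, size, frame, sizeof frame)) return 5;
        if (ring_consume(&c, buf, sizeof buf) != (int)sizeof frame) return 6;
    }
    ring->head = size + 100;  /* peer plants an out-of-range index */
    if (ring_consume(&c, buf, sizeof buf) != -1) return 7;
    ring->head = c.tail;
    uint32_t pos = c.tail;    /* peer plants an oversized length prefix */
    uint8_t bad[4] = { 0xff, 0xff, 0xff, 0x7f };
    copy_in(ring, size, &pos, bad, 4);
    ring->head = pos;
    if (ring_consume(&c, buf, sizeof buf) != -1) return 8;
    return 0;
}
```

The design choice worth noting is that the consumer never reads its own tail back from the shared region and never trusts the size stored anywhere the peer can reach; only head and the length prefixes come from shared memory, and both are range-checked against trusted values before any copy. The same discipline applies when a physical NIC DMAs straight into the region, since the device (or a buggy driver cell) can then scribble on the header just as a malicious cell could.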