On Mon, 27 Sep 2021, Christopher Clark wrote:
> On Mon, Sep 27, 2021 at 3:06 AM Alex Bennée via Stratos-dev wrote:
> > Marek Marczykowski-Górecki writes:
> >
> > On Fri, Sep 24, 2021 at 05:02:46PM +0100, Alex Bennée wrote:
> >> Hi,
> >
> > Hi,
> >
> >> 2.1 Stable ABI for foreignmemory mapping to non-dom0 ([STR-57])
> >> ───────────────────────────────────────────────────────────────
> >>
> >>   Currently the foreign memory mapping support only works for dom0 due
> >>   to reference counting issues. If we are to support backends running in
> >>   their own domains this will need to get fixed.
> >>
> >>   Estimate: 8w
> >>
> >>
> >> [STR-57]
> >
> > I'm pretty sure it was discussed before, but I can't find the relevant
> > (part of) thread right now: does your model assume the backend (running
> > outside of dom0) will gain the ability to map (or access in another way)
> > _arbitrary_ memory pages of a frontend domain? Or worse: any domain?
>
> The aim is for some DomUs to host backends for other DomUs instead of
> all backends being in Dom0. Those backend DomUs would have to be
> considered trusted because, as you say, the default memory model of VirtIO
> is to have full access to the frontend domain's memory map.
>

I share Marek's concern. I believe that there are Xen-based systems that
will want to run guests using VirtIO devices without extending this level
of trust to the backend domains.

From a safety perspective, it would be challenging to deploy a system
with privileged backends. From a safety perspective, it would be a lot
easier if the backend were unprivileged. This is one of those times where
safety and security requirements are actually aligned.