device hotplug & file handles

device hotplug & file handles

[Gerd Hoffmann]

  Hi,

For usb device pass-through (aka -device usb-host) it would be very
useful to pass file handles from libvirt to qemu.  The workflow would
change from ...

  (1) libvirt enables access to /dev/usb/$bus/$dev
  (2) libvirt passes $bus + $dev (using hostbus + hostaddr properties)
      to qemu.
  (3) qemu opens /dev/usb/$bus/$dev

... to ...

  (1) libvirt opens /dev/usb/$bus/$dev
  (2) libvirt passes filehandle to qemu.

Question is how can we pass the file descriptor best?  My idea would be
to simply add an fd property to usb-host:

 * Coldplug would be "-device usb-host,fd=<nr>" (cmd line).
 * Hotplug would be "device_add usb-host,fd=<getfd-name>" (monitor).

Will that work from libvirt point of view?
Or does anyone have an better idea?

thanks,
  Gerd

PS: background: https://bugzilla.redhat.com/show_bug.cgi?id=1595525

Re: device hotplug & file handles

[Peter Krempa]

On Thu, May 07, 2020 at 16:49:14 +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> For usb device pass-through (aka -device usb-host) it would be very
> useful to pass file handles from libvirt to qemu.  The workflow would
> change from ...
> 
>   (1) libvirt enables access to /dev/usb/$bus/$dev
>   (2) libvirt passes $bus + $dev (using hostbus + hostaddr properties)
>       to qemu.
>   (3) qemu opens /dev/usb/$bus/$dev
> 
> ... to ...
> 
>   (1) libvirt opens /dev/usb/$bus/$dev
>   (2) libvirt passes filehandle to qemu.
> 
> Question is how can we pass the file descriptor best?  My idea would be
> to simply add an fd property to usb-host:
> 
>  * Coldplug would be "-device usb-host,fd=<nr>" (cmd line).
>  * Hotplug would be "device_add usb-host,fd=<getfd-name>" (monitor).

We have prior art for both approaches so it's fine.

> 
> Will that work from libvirt point of view?

Sure! Just please make sure that the new approach is detectable somehow.
Either via device-list-properties or query-qmp-schema.

> Or does anyone have an better idea?
> 
> thanks,
>   Gerd
> 
> PS: background: https://bugzilla.redhat.com/show_bug.cgi?id=1595525
> 

Re: device hotplug & file handles

[Eric Blake]

On 5/7/20 9:49 AM, Gerd Hoffmann wrote:
>    Hi,
> 
> For usb device pass-through (aka -device usb-host) it would be very
> useful to pass file handles from libvirt to qemu.  The workflow would
> change from ...
> 
>    (1) libvirt enables access to /dev/usb/$bus/$dev
>    (2) libvirt passes $bus + $dev (using hostbus + hostaddr properties)
>        to qemu.
>    (3) qemu opens /dev/usb/$bus/$dev
> 
> ... to ...
> 
>    (1) libvirt opens /dev/usb/$bus/$dev
>    (2) libvirt passes filehandle to qemu.
> 
> Question is how can we pass the file descriptor best?  My idea would be
> to simply add an fd property to usb-host:
> 
>   * Coldplug would be "-device usb-host,fd=<nr>" (cmd line).
>   * Hotplug would be "device_add usb-host,fd=<getfd-name>" (monitor).
> 
> Will that work from libvirt point of view?
> Or does anyone have an better idea?

Qemu already has -add-fd (both a CLI version, and a QMP version when a 
Unix socket can pass fds), at which point any existing interface that 
uses qemu_open() will understand the magic syntax /dev/fdset/NNN to 
refer to the existing fd previously passed in via -add-fd.  Libvirt is 
already able to use this feature for some cases (for example, see 
src/qemu/qemu_command.c:qemuBuildChrChardevFileStr).  So all that 
remains is making sure -device usb-host uses qemu_open(), and if it 
didn't already do so, also making sure libvirt can find a way to 
introspect when usb-host started supporting fdset usage.

Or put another way, let's use the generic fd mechanism that qemu already 
supports, rather than inventing yet another syntax.

> 
> thanks,
>    Gerd
> 
> PS: background: https://bugzilla.redhat.com/show_bug.cgi?id=1595525
> 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Re: device hotplug & file handles

[Michal Privoznik]

On 5/7/20 4:49 PM, Gerd Hoffmann wrote:
>    Hi,
> 
> For usb device pass-through (aka -device usb-host) it would be very
> useful to pass file handles from libvirt to qemu.  The workflow would
> change from ...
> 
>    (1) libvirt enables access to /dev/usb/$bus/$dev
>    (2) libvirt passes $bus + $dev (using hostbus + hostaddr properties)
>        to qemu.
>    (3) qemu opens /dev/usb/$bus/$dev
> 
> ... to ...
> 
>    (1) libvirt opens /dev/usb/$bus/$dev
>    (2) libvirt passes filehandle to qemu.
> 
> Question is how can we pass the file descriptor best?  My idea would be
> to simply add an fd property to usb-host:
> 
>   * Coldplug would be "-device usb-host,fd=<nr>" (cmd line).
>   * Hotplug would be "device_add usb-host,fd=<getfd-name>" (monitor).
> 
> Will that work from libvirt point of view?
> Or does anyone have an better idea?
> 
> thanks,
>    Gerd
> 
> PS: background: https://bugzilla.redhat.com/show_bug.cgi?id=1595525
> 

I don't have a better idea, but a little background on why libvirt even 
invented private /dev in the first place. The reason was that 
occasionally, when udev ran its rules it would overwrite the security 
labels on /dev nodes set by libvirt and thus denying access to QEMU. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1354251

Now, I think there is the same risk with what you are proposing. This 
isn't problem for DAC where permissions are checked during open(), but 
it may be a problem for SELinux where each individual operation with the 
FD is inspected.

Having said that, I am not against this approach, in fact I'm in favour 
of it. Let's hope that people learned that having udev overwriting 
seclabels is a bad idea and the bug won't appear again.

Michal