projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c8f077c) | patch
use domid check in is_hardware_domain
authorDaniel De Graaf <dgdegra@tycho.nsa.gov>
Fri, 11 Apr 2014 09:16:52 +0000 (11:16 +0200)
committerJan Beulich <jbeulich@suse.com>
Fri, 11 Apr 2014 09:16:52 +0000 (11:16 +0200)
commit97587d01b36b1e8f406c7c93e5ae9c50646bcaeb
tree2d48417ed7e7e2f9f57d2736ba5e94a3a77fba01tree | snapshot
parentc8f077c7962efd64dd42ccf70fab6db239f940facommit | diff
use domid check in is_hardware_domain

Instead of checking is_privileged to determine if a domain should
control the hardware, check that the domain_id is equal to zero (which
is currently the only domain for which is_privileged is true).  This
allows other places where domain_id is checked for zero to be replaced
with is_hardware_domain.

The distinction between is_hardware_domain, is_control_domain, and
domain 0 is based on the following disaggregation model:

Domain 0 bootstraps the system.  It may remain to perform requested
builds of domains that need a minimal trust chain (i.e. vTPM domains).
Other than being built by the hypervisor, nothing is special about this
domain - although it may be useful to have is_control_domain() return
true depending on the toolstack it uses to build other domains.

The hardware domain manages devices for PCI pass-through to driver
domains or can act as a driver domain itself, depending on the desired
degree of disaggregation.  It is also the domain managing devices that
do not support pass-through: PCI configuration space access, parsing the
hardware ACPI tables and system power or machine check events.  This is
the only domain where is_hardware_domain() is true.  The return of
is_control_domain() may be false for this domain.

The control domain manages other domains, controls guest launch and
shutdown, and manages resource constraints; is_control_domain() returns
true.  The functionality guarded by is_control_domain may in the future
be adapted to use explicit hypercalls, eliminating the special treatment
of this domain.  It may be reasonable to have multiple control domains
on a multi-tenant system.

Guest domains and other service or driver domains are all treated
identically by the hypervisor; the security policy may further constrain
administrative actions on or communication between these domains.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
19 files changed:
xen/arch/arm/domain.c diff | blob | history
xen/arch/arm/gic.c diff | blob | history
xen/arch/arm/vgic.c diff | blob | history
xen/arch/arm/vtimer.c diff | blob | history
xen/arch/arm/vuart.c diff | blob | history
xen/arch/x86/cpu/mcheck/vmce.c diff | blob | history
xen/arch/x86/domain.c diff | blob | history
xen/arch/x86/hvm/i8254.c diff | blob | history
xen/arch/x86/mm.c diff | blob | history
xen/arch/x86/time.c diff | blob | history
xen/arch/x86/traps.c diff | blob | history
xen/common/domain.c diff | blob | history
xen/common/kernel.c diff | blob | history
xen/common/xenoprof.c diff | blob | history
xen/drivers/passthrough/amd/pci_amd_iommu.c diff | blob | history
xen/drivers/passthrough/iommu.c diff | blob | history
xen/drivers/passthrough/vtd/iommu.c diff | blob | history
xen/drivers/passthrough/vtd/x86/vtd.c diff | blob | history
xen/include/xen/sched.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.