xen-users
Re: [Xen-users] PCI Passthrough
Hi again,
Thanks Chris, this sounds very promising. If I run into any problems,
I will take you up on your offer. For now I am still in the planning
stage for this project of mine, which by the way proves to be much
more work than I initially thought.
Thanks a lot for the hint about IOMMU, Todd, I think you nailed the
main problem I am facing, my initial thoughts were that as long as
only one DomU has exclusive rights to a certain PCI device, it would
not pose a threat to the entire system.
I have already heard about IOMMU being implemented in Intel CPUs (or
probably the North Bridge, because as I hear that is where the Memory
Controller is located) only, however, as far as I can see AMD isn't
quite there yet (I hear they postponed it to 2009 again, almost
reminds me of GNU/Hurd). However, that is one of the main problems I
am facing: Intel does not offer a suitable basis for low power
systems with desktop performance. I already looked far and wide for a
suitable CPU + Mainboard combination with low power consumption and
onboard 3D graphics that are worth something and I'm sorry to say,
but Intel's are definitively not (compared to the AMD 4x50e CPUs with
AMD780G chipsets at least). So I am basically bound to AMD for this
particular project.
I already looked around for clues on a software IOMMU implementation
too, but the only thing I could find was SWIOTLB. As I understand it,
this solution merely allows 32-bit devices to use more than 4 GB of
RAM, or is there a way to use it as a software IOMMU in the sense of
Intel VT-d too? If not, is there another way to emulate IOMMU or at
least protect the system from a potentially compromised privileged
DomU until AMD CPUs supporting this feature are available? And am I
correct to assume that a possible feature for AMD CPUs will possibly
not need support from the chipset, because the Memory Controller is
located on the CPU?
I hope someone can help me out of my confusion,
Paul.
--
Paul Schulze
avlex@xxxxxxx
Public Key: http://solaris-net.dyndns.org/keys/key_avlex.asc
"Making mistakes is human,
but to really fuck things up you need Computers"
On 24.05.2008 at 14:35, Christopher Isip wrote:
On Fri, May 23, 2008 at 11:57 PM, Todd Deshane <deshantm@xxxxxxxxx> wrote:
Hi Paul,
I'm not going to answer all your questions since I don't have a lot of
experience with many of the things you mention. However I can do
the second part and give some hints on what I do know.
> Is that possible and am I really gaining security for the whole system or is
> this just my imagination and doesn't make any sense at all? How about the
> performance, especially for the graphics adapter, do I have to factor in
> bigger losses there (maybe because PCI passthrough doesn't support the full
> PCIe 16x speed)? Has anyone tried something similar yet or am I the first to
> think this might be a good idea?
For PCI passthrough to be secure you need a system that has an IOMMU. It is
my understanding that the only IOMMUs that are currently available are in the
Intel VT-d systems. The reason you need the IOMMU is that otherwise the
domain that you give direct access to the physical device could DMA into
main memory and compromise the security of the system.
So, you first need to look for a system with an IOMMU.
I really like your explanation of what you want and what you are trying to
accomplish, I believe you are right on in terms of the VGA passthrough and
using serial for the Xen output instead. I have read the experiences of others
for that case and it seems that part you could do.
People have also reported using Xen and mythTV, so I think that is also
quite possible.
There are a lot of details to get right, but by the sounds of it you are willing
to figure them out and make things work. As for all the networking stuff Xen is
pretty good at that already and it will be a matter of setting it up.
Your biggest initial hurdle is the IOMMU. Take a look at the VT-d stuff, there
is a lot going on with that on the xen mailing lists. (try xen.markmail.org if
you haven't already, it has pretty good search).
You can find information on some of the other things as well, but I would
expect that within the next few days others would share their experiences
on some of the items that you mentioned.
Cheers,
Todd
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
I am currently running a mythtv backend in a Xen domU. It seems to
be working well. I am on the last stages of configuration. It's
using Ubuntu Hardy. Since it is a 2.6.24 kernel (compared to my
Dom0 2.6.18), there are far fewer DMA errors.
Some issues that I haven't resolved yet:
mythfilldatabase segfault in dmesg (runs fine on command line)
PVR 250/500 record at default bitrate (2.2 Gb an hour) as opposed
to settings in the database.
The domU does not have a mysql server. This is still in dom0 but I
will be moving that to its own domU next. It also nfs mounts the
video directories from dom0. I like to keep my DomUs at 4 Gigabyte
or less for easy backup to a DVD.
If you need help setting up your mythtv DomU, let me know.
Chris
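Todd's point that without an IOMMU the domain holding the device "could DMA into main memory", worked through as a toy model in C. This is an added example, not part of the thread and not Xen code; the 8-frame memory layout, `struct machine` and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NFRAMES  8                 /* toy machine: 8 frames of RAM */
#define UNMAPPED UINT32_MAX
enum owner { XEN, DOM0, DOMU };
struct machine {
    enum owner owner[NFRAMES];     /* owner of each machine frame */
    uint8_t    data[NFRAMES];      /* one byte of content per frame */
    uint32_t   io_pt[NFRAMES];     /* I/O page table: bus frame -> machine frame */
    bool       iommu_on;
};

/* Constructed layout: 0-1 Xen, 2-3 dom0, 4-7 domU; bus 0-3 map to machine 4-7. */
void machine_init(struct machine *m, bool iommu_on) {
    for (uint32_t f = 0; f < NFRAMES; f++) {
        m->owner[f] = f < 2 ? XEN : f < 4 ? DOM0 : DOMU;
        m->data[f]  = 0;
        m->io_pt[f] = f < 4 ? f + 4 : UNMAPPED;
    }
    m->iommu_on = iommu_on;
}

/* One DMA write from the passed-through device; false means it was blocked. */
bool dma_write(struct machine *m, uint32_t bus_frame, uint8_t val) {
    if (bus_frame >= NFRAMES) return false;
    uint32_t mfn = bus_frame;      /* no IOMMU: bus address == machine address */
    if (m->iommu_on && (mfn = m->io_pt[bus_frame]) == UNMAPPED)
        return false;              /* IOMMU fault, memory untouched */
    m->data[mfn] = val;
    return true;
}

/* Point DMA at every bus frame; count modified frames the domU does not own. */
int foreign_frames_hit(bool iommu_on) {
    struct machine m;
    int hit = 0;
    machine_init(&m, iommu_on);
    for (uint32_t f = 0; f < NFRAMES; f++)
        dma_write(&m, f, 0xAA);
    for (int f = 0; f < NFRAMES; f++)
        hit += (m.owner[f] != DOMU && m.data[f] != 0);
    return hit;
}

int main(void) {
    printf("no IOMMU: %d, IOMMU: %d\n", foreign_frames_hit(false), foreign_frames_hit(true));
    return 0;
}
```

In the model, exclusive assignment of the device to one DomU changes nothing about which frames it can reach; only the translation table between the device and memory does.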