[prev in list] [next in list] [prev in thread] [next in thread]
List: qubes-devel
Subject: Re: [qubes-devel] PCI passthrough appears to be regressing
From: VÃt_Å esták <groups-no-private-mail--contact-me-at--co
Date: 2016-01-31 17:41:29
Message-ID: a316148a-109f-4446-b741-e122a3823143 () googlegroups ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Do you mean HVM, or PVH? I believe you mean PVH, as HVMs with PV
stubdomains is much smaller mitigation factor.
In either case, does this imply dropping support for non-IOMMU systems?
- If no, it would require maintaining support and templates for both PV and
HV. (HV includes both HVM and PVH. Is there an established term for this?)
I am not sure if it is much of work.
- If yes, do you have an estimate for end of security updates of last Qubes
with support for non-IOMMU systems? I believe my laptop will EOL sooner,
but I'd like to have some idea about that (for multiple reasons).
Regards,
VÃt Å esták 'v6ak'
On Sunday, January 31, 2016 at 5:27:40 PM UTC+1, joanna wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Sat, Jan 30, 2016 at 08:20:45AM -0800, Eric Shelton wrote:
> > I'm not sure that I have anything concrete enough to open an issue yet
> > (aside from https://github.com/QubesOS/qubes-issues/issues/1659), but I
> > think it is worth initiating a discussion about PCI passthrough support
> > having regressed from Qubes 2.0 (where pretty much everything seemed to
> > work, including passthrough to HVM domains), and that it appears to only
> be
> > getting worse over time. For example, see these recent discussions:
> >
> > https://groups.google.com/forum/#!topic/qubes-users/VlbfFyNGNTs
> > https://groups.google.com/d/msg/qubes-devel/YqdhlmYtMY0/vCO3QHLBBgAJ
> > https://groups.google.com/d/msg/qubes-users/cmPRMOkxkdA/gIV68O0-CQAJ
> >
> > The state of things seems to be something along these lines:
> > - everything worked pretty well under Qubes 2.0
> > - starting with Qubes 3.0, PCI passthrough to HVM domains broke (I think
> it
> > is a libvirt related issue, as passthrough would still work using 'xl'
> to
> > start a domain)
> > - it seems people are having less success doing passthrough under Xen
> 4.6
> > than under Xen 4.4. However, there is no hard evidence on this.
> > - Linux kernel 4.4 appears to break PCI passthrough for network devices
> > entirely (not so much what is going on with Qubes today, but evidence
> that
> > Xen's PCI passthrough support is getting worse, not better). Although
> the
> > Qubes team has opted to move forward despite the above issues, this
> > represents the point at which Qubes will no longer be able to do the one
> > passthrough thing it relies on - isolating network adapters.
> >
> > The effects of this today are that PCI passthrough questions are popping
> up
> > more frequently on qubes-users, and the fixes that used to reliably
> address
> > passthrough problems (for example, setting passthrough to permissive)
> seem
> > to be less helpful, as problems seem to be lurking deeper within Xen, or
> > perhaps changes to Xen mean that other fixes should be used instead.
> >
> > The effects of this in the future is that it grows less and less likely
> > that the vision of doing a separate GUI domain via GPU passthrough can
> be
> > successfully executed. It is hard enough to get a GPU passed through to
> > begin with (thanks to weird abuses of PCI features by GPU makers to
> > facilitate DRM, I'm uncertain it will ever work for anything other than
> > Intel GPUs, which is only due to specific efforts on Intel's part to
> make
> > it work in Xen). The above issues make it much worse.
> >
>
> The longer-term plan is for us to move to HVMs for everything: AppVMs,
> ServiceVMs, and, of course, for the GUI domain also. This should not only
> resolve the passthrough problems (assuming IOMMU works well), but also
> reduce
> complexity in the hypervisor required to handle such VMs (see e.g. XSA
> 148). We
> plan on starting this work once an early 4.0 is out.
>
> Are the DRM-related problems with passthrough for some GPUs you mentioned
> above
> also encountered on HVMs, or are they limited to PVs only?
>
> Thanks,
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCAAGBQJWrjW7AAoJEDOT2L8N3GcYzokQAMaollANSZxTmfPqi6hHeOqk
> HWMDKQbHZnaUSfVTBIpfhWv8HDVw7r0Kunud+hDf9wGDTQnFwbpJYEeXBRE006kj
> XT6193i0DGxqEazf8HjdVfVRdU2lkls9yvPx5gZpNw/KXooUs+nzhebHihaqJqR6
> CrgJKUIX7o1MSR0mePJswvWK0UAb88KGBs5XZjstM2opFXyCn1BPxE4KWC+Etk0H
> FZosDBJekNQGvfF08N4Fgsneu55d82CVnVBcVWKV8Tcslb3oO8NYMQC9JQhE4UsX
> 8JNaZLqpVEN1kwbJOY/qEduDtV/hmBh9oI6+0Jb5Olo0qKpiUebnkUnEXaCxd9Gj
> aYcAdUS/uYj0sIVF7Ywe66NHPrNUcyuwm91l+EoCtA0d6gGB23KKfHymueOJ/X4p
> RHznEcNZF02JJ8kVUtuc0uEkw32Nt7GAxoZ3H4PIsURoXvUJ1OKQo1LO6ovBHING
> t2pK876vSJu+V0m1PuI98laHItpV7RG618AfZVyLuk5EKTchbfOmrMbu6K83Th+s
> wIoKlNYIPTuBPmyMSwLOvWKVHYk+vYNh1QX8lP32gwUxk+YrLwWq2eUZUnslZfTI
> dkdb7A1pTjboXTTUmWnPwgEMylSJQcSUf1SQjXJ+adaHI+4ePAq9pBUXXDq4Iv/w
> xFx3KpJESTrIvx0RiPQA
> =LY/z
> -----END PGP SIGNATURE-----
>
--
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/a316148a-109f-4446-b741-e122a3823143%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Attachment #5 (text/html)]
<div dir="ltr">Do you mean HVM, or PVH? I believe you mean PVH, as HVMs with PV \
stubdomains is much smaller mitigation factor.<br><br>In either case, does this imply \
dropping support for non-IOMMU systems?<br>- If no, it would require maintaining \
support and templates for both PV and HV. (HV includes both HVM and PVH. Is there an \
established term for this?) I am not sure if it is much of work.<br>- If yes, do you \
have an estimate for end of security updates of last Qubes with support for \
non-IOMMU systems? I believe my laptop will EOL sooner, but I'd like to have some \
idea about that (for multiple reasons).<br><br>Regards,<br>VÃt Å esták \
'v6ak'<br><br>On Sunday, January 31, 2016 at 5:27:40 PM UTC+1, joanna \
wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: \
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">-----BEGIN PGP SIGNED \
MESSAGE----- <br>Hash: SHA256
<br>
<br>On Sat, Jan 30, 2016 at 08:20:45AM -0800, Eric Shelton wrote:
<br>> I'm not sure that I have anything concrete enough to open an issue yet
<br>> (aside from <a href="https://github.com/QubesOS/qubes-issues/issues/1659" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgithub.com%2F \
QubesOS%2Fqubes-issues%2Fissues%2F1659\46sa\75D\46sntz\0751\46usg\75AFQjCNHf7W1ySN4KRHioTUiYHMvN04Q0UQ';return \
true;" onclick="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgithub.com \
%2FQubesOS%2Fqubes-issues%2Fissues%2F1659\46sa\75D\46sntz\0751\46usg\75AFQjCNHf7W1ySN4KRHioTUiYHMvN04Q0UQ';return \
true;">https://github.com/QubesOS/<wbr>qubes-issues/issues/1659</a>), but I <br>> \
think it is worth initiating a discussion about PCI passthrough support <br>> \
having regressed from Qubes 2.0 (where pretty much everything seemed to <br>> \
work, including passthrough to HVM domains), and that it appears to only be <br>> \
getting worse over time. For example, see these recent discussions: <br>>
<br>> <a href="https://groups.google.com/forum/#!topic/qubes-users/VlbfFyNGNTs" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://groups.google.com/forum/#!topic/qubes-users/VlbfFyNGNTs';return \
true;" onclick="this.href='https://groups.google.com/forum/#!topic/qubes-users/VlbfFyNGNTs';return \
true;">https://groups.google.com/<wbr>forum/#!topic/qubes-users/<wbr>VlbfFyNGNTs</a> \
<br>> <a href="https://groups.google.com/d/msg/qubes-devel/YqdhlmYtMY0/vCO3QHLBBgAJ" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://groups.google.com/d/msg/qubes-devel/YqdhlmYtMY0/vCO3QHLBBgAJ';return \
true;" onclick="this.href='https://groups.google.com/d/msg/qubes-devel/YqdhlmYtMY0/vCO3QHLBBgAJ';return \
true;">https://groups.google.com/d/<wbr>msg/qubes-devel/YqdhlmYtMY0/<wbr>vCO3QHLBBgAJ</a>
<br>> <a href="https://groups.google.com/d/msg/qubes-users/cmPRMOkxkdA/gIV68O0-CQAJ" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://groups.google.com/d/msg/qubes-users/cmPRMOkxkdA/gIV68O0-CQAJ';return \
true;" onclick="this.href='https://groups.google.com/d/msg/qubes-users/cmPRMOkxkdA/gIV68O0-CQAJ';return \
true;">https://groups.google.com/d/<wbr>msg/qubes-users/cmPRMOkxkdA/<wbr>gIV68O0-CQAJ</a>
<br>>
<br>> The state of things seems to be something along these lines:
<br>> - everything worked pretty well under Qubes 2.0
<br>> - starting with Qubes 3.0, PCI passthrough to HVM domains broke (I think it
<br>> is a libvirt related issue, as passthrough would still work using \
'xl' to <br>> start a domain)
<br>> - it seems people are having less success doing passthrough under Xen 4.6
<br>> than under Xen 4.4. However, there is no hard evidence on this.
<br>> - Linux kernel 4.4 appears to break PCI passthrough for network devices
<br>> entirely (not so much what is going on with Qubes today, but evidence that
<br>> Xen's PCI passthrough support is getting worse, not better). Although \
the <br>> Qubes team has opted to move forward despite the above issues, this
<br>> represents the point at which Qubes will no longer be able to do the one
<br>> passthrough thing it relies on - isolating network adapters.
<br>>
<br>> The effects of this today are that PCI passthrough questions are popping up
<br>> more frequently on qubes-users, and the fixes that used to reliably address
<br>> passthrough problems (for example, setting passthrough to permissive) seem
<br>> to be less helpful, as problems seem to be lurking deeper within Xen, or
<br>> perhaps changes to Xen mean that other fixes should be used instead.
<br>>
<br>> The effects of this in the future is that it grows less and less likely
<br>> that the vision of doing a separate GUI domain via GPU passthrough can be
<br>> successfully executed. It is hard enough to get a GPU passed through to
<br>> begin with (thanks to weird abuses of PCI features by GPU makers to
<br>> facilitate DRM, I'm uncertain it will ever work for anything other than
<br>> Intel GPUs, which is only due to specific efforts on Intel's part to \
make <br>> it work in Xen). The above issues make it much worse.
<br>>
<br>
<br>The longer-term plan is for us to move to HVMs for everything: AppVMs,
<br>ServiceVMs, and, of course, for the GUI domain also. This should not only
<br>resolve the passthrough problems (assuming IOMMU works well), but also reduce
<br>complexity in the hypervisor required to handle such VMs (see e.g. XSA 148). We
<br>plan on starting this work once an early 4.0 is out.
<br>
<br>Are the DRM-related problems with passthrough for some GPUs you mentioned above
<br>also encountered on HVMs, or are they limited to PVs only?
<br>
<br>Thanks,
<br>joanna.
<br>-----BEGIN PGP SIGNATURE-----
<br>
<br>iQIcBAEBCAAGBQJWrjW7AAoJEDOT2L<wbr>8N3GcYzokQAMaollANSZxTmfPqi6hH<wbr>eOqk
<br>HWMDKQbHZnaUSfVTBIpfhWv8HDVw7r<wbr>0Kunud+<wbr>hDf9wGDTQnFwbpJYEeXBRE006kj
<br>XT6193i0DGxqEazf8HjdVfVRdU2lkl<wbr>s9yvPx5gZpNw/KXooUs+<wbr>nzhebHihaqJqR6
<br>CrgJKUIX7o1MSR0mePJswvWK0UAb88<wbr>KGBs5XZjstM2opFXyCn1BPxE4KWC+<wbr>Etk0H
<br>FZosDBJekNQGvfF08N4Fgsneu55d82<wbr>CVnVBcVWKV8Tcslb3oO8NYMQC9JQhE<wbr>4UsX
<br>8JNaZLqpVEN1kwbJOY/qEduDtV/<wbr>hmBh9oI6+<wbr>0Jb5Olo0qKpiUebnkUnEXaCxd9Gj
<br>aYcAdUS/<wbr>uYj0sIVF7Ywe66NHPrNUcyuwm91l+<wbr>EoCtA0d6gGB23KKfHymueOJ/X4p
<br>RHznEcNZF02JJ8kVUtuc0uEkw32Nt7<wbr>GAxoZ3H4PIsURoXvUJ1OKQo1LO6ovB<wbr>HING
<br>t2pK876vSJu+<wbr>V0m1PuI98laHItpV7RG618AfZVyLuk<wbr>5EKTchbfOmrMbu6K83Th+s
<br>wIoKlNYIPTuBPmyMSwLOvWKVHYk+<wbr>vYNh1QX8lP32gwUxk+<wbr>YrLwWq2eUZUnslZfTI
<br>dkdb7A1pTjboXTTUmWnPwgEMylSJQc<wbr>SUf1SQjXJ+adaHI+<wbr>4ePAq9pBUXXDq4Iv/w
<br>xFx3KpJESTrIvx0RiPQA
<br>=LY/z
<br>-----END PGP SIGNATURE-----
<br></blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group.<br /> To unsubscribe from this group and stop \
receiving emails from it, send an email to <a \
href="mailto:qubes-devel+unsubscribe@googlegroups.com">qubes-devel+unsubscribe@googlegroups.com</a>.<br \
/> To post to this group, send email to <a \
href="mailto:qubes-devel@googlegroups.com">qubes-devel@googlegroups.com</a>.<br /> To \
view this discussion on the web visit <a \
href="https://groups.google.com/d/msgid/qubes-devel/a316148a-109f-4446-b741-e122a38231 \
43%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/ \
msgid/qubes-devel/a316148a-109f-4446-b741-e122a3823143%40googlegroups.com</a>.<br /> \
For more options, visit <a \
href="https://groups.google.com/d/optout">https://groups.google.com/d/optout</a>.<br \
/>
------=_Part_2362_1362300538.1454262089627--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic