Re: Logical partition scenario and GFX sharing

Mikko Kovanen

Hi Geoffroy,

thanks for getting back. I have added my comments in-line.

Best regards,

-----Original Message-----
From: acrn-users@... <acrn-users@...>
On Behalf Of Geoffroy Van Cutsem via
Sent: 10 October 2020 2:38
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing

Hi Mikko,

Thanks for confirming these points (both about RT and FuSa).

I have added a few comments in-line below.


-----Original Message-----
From: acrn-users@...
On Behalf Of Mikko Kovanen
Sent: Friday, October 9, 2020 7:32 AM
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing

Hi Geoffroy,

thanks for answering and confirming my assumption. You are correct,
RT or FUSA is not required.
For security we are currently mainly focused on the requirement that
Android display data should be protected from other VMs, and at the
same time the security-related development, evaluation, maintenance,
attestation and monitoring efforts should be kept reasonably low (i.e.
the virtualized environment should not significantly increase the
security scope). For that a logical partition scenario with GVT-g would have
been a pretty good match.

I agree, this sounded like the most promising option. Do you need much
graphics performance for your Windows VM? If we can find a way to have
the Windows VM display output transferred (over a network? Shared
memory?) to the Android VM and let it manage it, would that help you?
(Note that I'm kind of thinking aloud here so far 😊)
It is indeed possible that for most use cases the graphics performance is not critical; one concern, however, is that Windows 10 itself might not work smoothly enough. To achieve this kind of setup, the UEFI GOP framebuffer might be sufficient to allow Windows to run (I did a quick test by disabling the GFX device from Device Manager in our Apollo Lake based Windows 10 tablet, which as far as I understand should revert Windows 10 to using the framebuffer provided by the GOP driver, and it was still usable). Some data also suggests that Windows could run entirely headless with RDP. Virtualization with decreased cores and memory will of course degrade the performance further for this setup, so more investigation regarding the performance is needed. Unfortunately, I haven't yet been able to get GVT-g working with ACRN in our devices to get through the Windows installation process, so first I need to perform the Windows installation with some other method (GVT-d, different host machine, QEMU-KVM...), and then check the performance with the pre-installed image for RDP without any GFX adapter and for VNC with UEFI GOP GFX.

Since that is not possible I guess the next options would be:

a. Integrating ACRN DM in Android
- Some development effort needed
- Only slight increase for security efforts since Android itself is
already in security scope
I am not aware that this has ever been done. But China is on holiday at the
moment, where many ACRN developers are located. They'll be back next
week and perhaps can tell if anyone ever tried this.
The most probable candidate for Android in our case would be Celadon, and there the kernel appears to have at least some ACRN stuff integrated, though so far I have only taken a quick glimpse at the i915 driver sources (based on my limited experience, the i915 driver can be quite difficult when it comes to cherry-picking changes between different kernel versions).

b. Using as simple service VM as possible
- Significant increase for development effort since service VM would
need to be self-made (e.g. from Yocto)
Are you aware of "meta-acrn"? It provides a layer with recipes for building a Service VM OS
for ACRN (as well as a Linux Guest OS, but you don't need this part). It's a
pretty basic OS at this stage so unless you really need to trim it down, this
may be a very good starting point and save you quite some effort.

- Even with simple service VM the security scope would increase
significantly because there likely is no way to exclude the service VM
from security evaluation, maintenance, attestation and monitoring

Best regards,

From: acrn-users@...
On Behalf Of Geoffroy Van Cutsem via
Sent: 8 October 2020 17:33
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing

Hi Mikko,

You are correct, resources cannot be shared between VMs in the logical
partition scenario. It sounds from the brief description of your
use-case that you do not need hard realtime or Functional Safety
certification, is that correct?

One thing that may be possible, but I don't know if anyone has tried
it yet is to run Android in a Docker container directly in the Service
VM. See this page for more info on how to run Android in a Docker

Would that help you keep the surface attack of your system reasonably


From: acrn-users@... <acrn-users@...> On Behalf Of Mikko Kovanen
Sent: Tuesday, October 6, 2020 3:19 PM
To: acrn-users@...
Subject: [acrn-users] Logical partition scenario and GFX sharing


I'm pretty sure it is not possible, but just in case I have missed
something crucial, is it possible to use GFX sharing (for example with
GVT-g) in the logical partition scenario? The usage scenario we are
investigating is such that it would have Android running on one user
VM and Windows on another, both would need at least reasonable GFX
performance, and it would be beneficial to not have a service VM to
decrease security scope.

Best regards,
Mikko Kovanen

Senior Specialist, SW
Mobile: +358 40 779 7528

Aava Mobile Oy
Nahkatehtaankatu 2  |   90130 Oulu, Finland
