Geoffroy Van Cutsem
This sounds like a reasonable question to ask, and I don’t know the answer to it. I’ve added the “acrn-dev” mailing list on CC so our architects can see your question and help answer it.
From: acrn-users@... <acrn-users@...>
On Behalf Of Lonnie Cumberland
Although I am still very new to ACRN and various development efforts, I often wondered about this question as it relates to ACRN and other Type-1 Hypervisors as well.
ACRN, like Xen, uses the approach of having a Dom0 for device drivers and main control services, and has DomUs for the user VMs.
So then, here is what I am wondering.
Why is this design used, when it seems to me that there should not be a single Dom0 for the drivers and such, so that if one crashes hard there is the possibility that it can crash other critical drivers and code that are currently running?
Would it not be better to have each system driver in its own Dom0 that is running independently from the other drivers, such that if a crash, or malicious attack, occurs then only that driver fails while the rest of the system is protected? Full OSes do not have to be run in these driver Dom0 instances, as I was thinking along the lines of Unikernels for each driver.
It seems like there could be many ways to set this up, and it appears safer to me, but I have wondered why this approach has not been used.
Just a Noob learning here so please forgive me if there is something blatantly obvious that I just do not see.