Re: A question on ACRN Design


Chen, Jason CJ
 

Hi, Lonnie,

If I understand your point correctly, you actually want to build a logically partitioned scenario which ensures each guest is isolated with its partitioned HW resources?

From my P.O.V, the idea is great 😊, and ACRN actually supports such a scenario. But the coming questions are:

  • How could we support IO sharing? e.g. a few guests want to share the storage device
  • Even if there is no need for IO sharing, we still expect HW/platform improvements in the future to avoid cases such as the following:
    • Devices sharing an interrupt pin
    • Devices based on a shared explicit device (e.g. GPIO, I2C)
    • Devices based on a shared implicit resource (e.g. sideband to control the device power)
    • Devices with DMA but not protected by IOMMU

I may not be able to list them all; my point here is that under the current situation, ACRN can only claim to support pass-through devices with limitations. So you may set up your scenario based on logical partitioning, but with a few known limitations.

 

Thanks & Best Regards,

Jason Chen

IAGS -> SSE -> Intel ACRN Hypervisor Team
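As an added example, not part of this thread or of the ACRN project: a small POSIX shell check for the "shared resource" limitation discussed in the reply above. Before assigning a device to a partitioned guest, a practitioner would confirm that the device sits alone in its IOMMU group; a group holding several devices means they share one DMA isolation domain and cannot be passed through separately. The script assumes a Linux host (for instance a Linux Service VM) exposing the standard sysfs layout `/sys/kernel/iommu_groups/<n>/devices/<bdf>`; the sysfs root is a parameter so the functions can be pointed at a constructed directory tree for testing. The function names and the sample BDF values in the comments are mine, not ACRN's.

```shell
#!/bin/sh
# Added example (not from the ACRN thread or project): inspect IOMMU groups
# under a Linux sysfs tree and flag devices that cannot be isolated.
# Assumed layout: <root>/kernel/iommu_groups/<n>/devices/<bdf>
# where <root> is normally /sys and each <bdf> is a symlink to the PCI device.
#
# Usage (on the host):   . ./iommu_groups.sh && shared_iommu_groups /sys
#                        iommu_group_is_isolated /sys 0000:01:00.0 && echo ok

# Print one line per IOMMU group that holds two or more devices:
#   <group>: <bdf1> <bdf2> ...
# Always returns 0; an empty output means every group is exclusive.
shared_iommu_groups() {
    root="${1:-/sys}"
    groups_dir="$root/kernel/iommu_groups"
    if [ ! -d "$groups_dir" ]; then
        echo "no IOMMU groups under $groups_dir (IOMMU disabled or not exposed)" >&2
        return 0
    fi
    for g in "$groups_dir"/*; do
        [ -d "$g/devices" ] || continue
        devs=""
        n=0
        for d in "$g/devices"/*; do
            # Skip the literal glob when the directory is empty.
            [ -e "$d" ] || [ -L "$d" ] || continue
            devs="$devs ${d##*/}"
            n=$((n + 1))
        done
        [ "$n" -ge 2 ] && echo "${g##*/}:$devs"
    done
    return 0
}

# Print the IOMMU group number that contains device BDF; return 1 if not found.
iommu_group_of() {
    root="$1"
    bdf="$2"
    for g in "$root/kernel/iommu_groups"/*; do
        if [ -e "$g/devices/$bdf" ] || [ -L "$g/devices/$bdf" ]; then
            echo "${g##*/}"
            return 0
        fi
    done
    return 1
}

# Return 0 when BDF is the only device in its IOMMU group (safe to assign on
# its own), 1 when it shares the group with other devices or is not found.
iommu_group_is_isolated() {
    root="$1"
    bdf="$2"
    grp=$(iommu_group_of "$root" "$bdf") || return 1
    n=0
    for d in "$root/kernel/iommu_groups/$grp/devices"/*; do
        [ -e "$d" ] || [ -L "$d" ] || continue
        n=$((n + 1))
    done
    [ "$n" -eq 1 ]
}
```

The group check only covers the DMA side of the limitations listed above. The implicit sharing Jason mentions (a sideband line controlling device power, or a dependency on a GPIO or I2C controller owned by another guest) is not visible in sysfs at all, so it still has to be ruled out from the platform documentation before the device is handed to a partitioned guest.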

 

From: acrn-users@... <acrn-users@...> On Behalf Of Lonnie Cumberland
Sent: Saturday, January 16, 2021 6:54 AM
To: acrn-users@...
Subject: [acrn-users] A question on ACRN Design

 

Greetings All,

Although I am still very new to ACRN and various development efforts, I have often wondered about this question as it relates to ACRN and other Type-1 hypervisors as well.

ACRN, like Xen, uses the approach of having a Dom0 for device drivers and main control services, and has DomU for the user VMs.

So then, here is what I am wondering.

Why is this design used, when it seems to me that there should not be a single Dom0 for the drivers and such, where if one crashes hard there is the possibility that it can crash other critical drivers and code that is currently running?

Would it not be better to have each system driver in its own Dom0 that is running independently from the other drivers, such that if a crash, or malicious attack, occurs then only that driver fails while the rest of the system is protected? Full OSes do not have to be run in these driver Dom0 instances, as I was thinking along the lines of unikernels for each driver.

It seems like there could be many ways to set this up, and it appears safer to me, but I have wondered why this approach has not been used.

Just a noob learning here, so please forgive me if there is something blatantly obvious that I just do not see.

Cheers,

Lonnie
