Logical partition scenario and GFX sharing
Mikko Kovanen
Hi,
I’m pretty sure it is not possible but just in case I have missed something crucial, is it possible to use GFX sharing (for example with GVT-g) in logical partition scenario? The usage scenario we are investigating is such that it would have Android running on one user VM and Windows on another, both would need at least reasonable GFX performance, and it would be beneficial to not have a service VM to decrease security scope.
Best regards, Mikko Kovanen Senior Specialist, SW Mobile: +358 40 779 7528
Aava Mobile Oy Nahkatehtaankatu 2 | 90130 Oulu, Finland
Hi Mikko,
You are correct, resources cannot be shared between VMs in the logical partition scenario. It sounds from the brief description of your use-case that you do not need hard realtime or Functional Safety certification, is that correct?
One thing that may be possible, but I don’t know if anyone has tried it yet, is to run Android in a Docker container directly in the Service VM. See this page for more info on how to run Android in a Docker container: https://01.org/projectceladon/documentation/getting-started/on-container
Would that help you keep the surface attack of your system reasonably contained?
Thanks, Geoffroy
From: acrn-users@... <acrn-users@...> On Behalf Of Mikko Kovanen
Sent: Tuesday, October 6, 2020 3:19 PM
To: acrn-users@...
Subject: [acrn-users] Logical partition scenario and GFX sharing
Mikko Kovanen
Hi Geoffroy,
Thanks for answering and confirming my assumption. You are correct, RT or FUSA is not required. For security we are currently mainly focused on the requirement that Android display data should be protected from other VMs, and at the same time the security related development, evaluation, maintenance, attestation and monitoring efforts should be kept reasonably low (i.e. the virtualized environment should not significantly increase the security scope). For that a logical partition scenario with GVT-g would have been a pretty good match.
Since that is not possible I guess the next options would be:
a. Integrating ACRN DM in Android
   - Some development effort needed
   - Only slight increase for security efforts since Android itself is already in security scope
b. Using as simple service VM as possible
   - Significant increase for development effort since service VM would need to be self-made (e.g. from Yocto)
   - Even with simple service VM the security scope would increase significantly because there likely is no way to exclude the service VM from security evaluation, maintenance, attestation and monitoring
Best regards, Mikko
From: acrn-users@... <acrn-users@...> On Behalf Of Geoffroy Van Cutsem via lists.projectacrn.org
Sent: October 8, 2020 17:33
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing
Hi Mikko,
Thanks for confirming these points (both about RT and FuSa). I have added a few comments in-line below.
Cheers, Geoffroy
-----Original Message-----
I agree, this sounded like the most promising option. Do you need much graphics performance for your Windows VM? If we can find a way to have the Windows VM display output transferred (over a network? Shared memory?) to the Android VM and let it manage it, would that help you? (Note that I'm kind of thinking aloud here so far 😊)
> Since that is not possible I guess the next options would be:
I am not aware that this has ever been done. But China is on holiday at the moment, where many ACRN developers are located. They'll be back next week and perhaps can tell if anyone ever tried this.
> b. Using as simple service VM as possible
Are you aware of "meta-acrn" [https://github.com/intel/meta-acrn/]? It provides a layer with recipes for building a Service VM OS for ACRN (as well as a Linux Guest OS, but you don't need this part). It's a pretty basic OS at this stage so unless you really need to trim it down, this may be a very good starting point and save you quite some effort.
> - Even with simple service VM the security scope would increase significantly
Mikko Kovanen
Hi Geoffroy,
Thanks for getting back. I have added my comments in-line.
Best regards, Mikko
-----Original Message-----
It is indeed possible that for most use cases the graphics performance is not critical, one concern however is that Windows 10 itself might not work smoothly enough. To achieve this kind of setup the UEFI GOP framebuffer might be sufficient to allow Windows to run (I did a quick test by disabling the GFX device from device manager in our Apollolake based Windows 10 tablet, which as far as I understand should revert Windows 10 into using framebuffer provided by GOP driver, and it was still usable). Some data also suggests that Windows could run entirely headless with RDP. Virtualization with decreased cores and memory will of course degrade the performance further for this setup, so more investigation regarding the performance is needed.
Unfortunately I haven't yet been able to get GVT-g working with ACRN in our devices to get through the Windows installation process, so first I need to perform the Windows installation with some other method (GVT-d, different host machine, QEMU-KVM...), and then check the performance with the pre-installed image for RDP without any GFX adapter and for VNC with UEFI GOP GFX.
Most probable candidate for Android in our case would be Celadon and there the kernel appears to have at least some ACRN stuff integrated, though so far I have only taken a quick glimpse at i915 driver sources (based on my limited experience the i915 driver can be quite difficult when it comes to cherry-picking changes between different kernel versions).
>> Since that is not possible I guess the next options would be:
> I am not aware that this has ever been done. But China is on holiday at the
>> b. Using as simple service VM as possible
> Are you aware of "meta-acrn"