Xen devel - May 2005 - USB virtualization question

Is it possible to differentiate multiple USB ports and assign one port to
be used only by a specified virtual machine when doing usb virtualization?

As USB devices are enumerated, I don''t see a way to do that.

Any insignts on this issue?

Thanks in advance!

-x

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Fri, 2005-05-06 at 02:46 -0400, Xin Zhao wrote:
> Is it possible to differentiate multiple USB ports and assign one port to
> be used only by a specified virtual machine when doing usb virtualization?
> 
This is the intended behaviour of the current 2.4 code and the 2.6 code
I''m working on will also implement this behaviour.  There is a question
as to whether we want to be able to assign specific devices to virtual
machines when they are plugged in regardless of the port.  This feature
might be added later.

I''ve only tested the 2.4 code with one device and one front end domain
though so I can''t guarantee it actually works.
> As USB devices are enumerated, I don''t see a way to do that.
> 
> Any insignts on this issue?
> 
> Thanks in advance!
> 
> -x
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Thanks a lot for your reply. But what I really want to know is the
feasibility of differentiating
multiple USB ports and restrict ,say, USB port1 to be accessed by a
specified virtual machine.

Your reply sounds like differentiation is doable, but whether you
can do access control on certain ports is undetermined. Is my
interpretation right?

Thanks,
-x

On Fri, 6 May 2005, Harry Butterworth wrote:
> On Fri, 2005-05-06 at 02:46 -0400, Xin Zhao wrote:
> > Is it possible to differentiate multiple USB ports and assign one port
to
> > be used only by a specified virtual machine when doing usb
virtualization?
> >
> This is the intended behaviour of the current 2.4 code and the 2.6 code
> I''m working on will also implement this behaviour.  There is a
question
> as to whether we want to be able to assign specific devices to virtual
> machines when they are plugged in regardless of the port.  This feature
> might be added later.
>
> I''ve only tested the 2.4 code with one device and one front end
domain
> though so I can''t guarantee it actually works.
>
> > As USB devices are enumerated, I don''t see a way to do that.
> >
> > Any insignts on this issue?
> >
> > Thanks in advance!
> >
> > -x
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
> >
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Fri, 2005-05-06 at 06:36 -0400, Xin Zhao wrote:
> Thanks a lot for your reply. But what I really want to know is the
> feasibility of differentiating
> multiple USB ports and restrict ,say, USB port1 to be accessed by a
> specified virtual machine.
If I understand your question correctly then the answer is yes, this is
the intended behaviour, probably works already with the 2.4 code and
will work when I release the 2.6 code.
> 
> Your reply sounds like differentiation is doable, but whether you
> can do access control on certain ports is undetermined. Is my
> interpretation right?
I''m not sure I understand the difference between differentiation and
access control.



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> Thanks a lot for your reply. But what I really want to know is the
> feasibility of differentiating
> multiple USB ports and restrict ,say, USB port1 to be accessed by a
> specified virtual machine.
You can give different USB ports to different domains.  This should work even 
for devices on hubs.
> Your reply sounds like differentiation is doable, but whether you
> can do access control on certain ports is undetermined. Is my
> interpretation right?
Something else we''d like to have (which I think Harry was referring to)
is the
ability to associate *particular devices* with a virtual machine and give it 
access to them regardless of where you plug in.  E.g. your domain will get 
access to your digital camera, no matter when / where you plug it in. 
We''d
like to build this in later.

Cheers,
Mark
>
> Thanks,
> -x
>
> On Fri, 6 May 2005, Harry Butterworth wrote:
> > On Fri, 2005-05-06 at 02:46 -0400, Xin Zhao wrote:
> > > Is it possible to differentiate multiple USB ports and assign one
port
> > > to be used only by a specified virtual machine when doing usb
> > > virtualization?
> >
> > This is the intended behaviour of the current 2.4 code and the 2.6
code
> > I''m working on will also implement this behaviour.  There is
a question
> > as to whether we want to be able to assign specific devices to virtual
> > machines when they are plugged in regardless of the port.  This
feature
> > might be added later.
> >
> > I''ve only tested the 2.4 code with one device and one front
end domain
> > though so I can''t guarantee it actually works.
> >
> > > As USB devices are enumerated, I don''t see a way to do
that.
> > >
> > > Any insignts on this issue?
> > >
> > > Thanks in advance!
> > >
> > > -x
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xensource.com
> > > http://lists.xensource.com/xen-devel
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> Is it possible to differentiate multiple USB ports and assign one port to
> be used only by a specified virtual machine when doing usb virtualization?
>
> As USB devices are enumerated, I don''t see a way to do that.
Domain 0 retains control of the USB host controller.
1. When you plug in a USB device, dom0 will do generic USB configuration 
operations like assigning it an address.
2. Then it''ll probe its device drivers to see if any of them are
interested -
at this port, the USB backend driver will recognise that the device is 
plugged into a port it''s interested in.
3. The USB backend driver informs the frontend that there''s a device on
the
port.
4. The frontend domain does the generic config tasks like assigning an 
address.  The backend "fakes out" the SET_ADDRESS operation, otherwise
dom0
won''t know what address the device has ;-)

For data path operations, USB requests are queued into the device channel by 
the frontend.  The backend is responsible for checking that the requests are 
safe (i.e. address only the correct domain''s memory) and then proxying
them
to the device itself.

The advantages of this design are:
1. flexible - give any attached device to a domain, from any individual port
2. safe - don''t have to trust a domain not to access forbidden memory 
(although you do trust the device itself isn''t malicious or
exploitable)
3. dom0 doesn''t have to have a driver for the device itself, as long as
the
target domain can drive it.

HTH,
Mark
> Any insignts on this issue?
>
> Thanks in advance!
>
> -x
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Thanks. Mark and Harry.

Now I understand the current status.

-x



On Fri, 6 May 2005, Mark Williamson wrote:
> > Thanks a lot for your reply. But what I really want to know is the
> > feasibility of differentiating
> > multiple USB ports and restrict ,say, USB port1 to be accessed by a
> > specified virtual machine.
>
> You can give different USB ports to different domains.  This should work
even
> for devices on hubs.
>
> > Your reply sounds like differentiation is doable, but whether you
> > can do access control on certain ports is undetermined. Is my
> > interpretation right?
>
> Something else we''d like to have (which I think Harry was
referring to) is the
> ability to associate *particular devices* with a virtual machine and give
it
> access to them regardless of where you plug in.  E.g. your domain will get
> access to your digital camera, no matter when / where you plug it in. 
We''d
> like to build this in later.
>
> Cheers,
> Mark
>
> >
> > Thanks,
> > -x
> >
> > On Fri, 6 May 2005, Harry Butterworth wrote:
> > > On Fri, 2005-05-06 at 02:46 -0400, Xin Zhao wrote:
> > > > Is it possible to differentiate multiple USB ports and
assign one port
> > > > to be used only by a specified virtual machine when doing
usb
> > > > virtualization?
> > >
> > > This is the intended behaviour of the current 2.4 code and the
2.6 code
> > > I''m working on will also implement this behaviour. 
There is a question
> > > as to whether we want to be able to assign specific devices to
virtual
> > > machines when they are plugged in regardless of the port.  This
feature
> > > might be added later.
> > >
> > > I''ve only tested the 2.4 code with one device and one
front end domain
> > > though so I can''t guarantee it actually works.
> > >
> > > > As USB devices are enumerated, I don''t see a way to
do that.
> > > >
> > > > Any insignts on this issue?
> > > >
> > > > Thanks in advance!
> > > >
> > > > -x
> > > >
> > > > _______________________________________________
> > > > Xen-devel mailing list
> > > > Xen-devel@lists.xensource.com
> > > > http://lists.xensource.com/xen-devel
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xensource.com
> > > http://lists.xensource.com/xen-devel
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel