On 2017-07-26 00:52, Gustavo Lima Chaves wrote:
> On Friday, July 17, 2015 at 12:25:11 AM UTC-7, Valentine Sinitsyn wrote:
>> On 17.07.2015 12:06, Jan Kiszka wrote:
>>> On 2015-07-17 09:00, Valentine Sinitsyn wrote:
>>>> Hi everybody,
>>>>
>>>> On 17.07.2015 11:29, Jan Kiszka wrote:
>>>>> The answer to this is what is listed under that TODO item: adding a
>>>>> timeout to the communication region protocol and fail a cell that does
>>>>> not react in time. The only challenge of this is that the hypervisor has
>>>>> no notion of time so far.
>>>> I also have a few places that are crying for timeout infrastructure in
>>>> amd_iommu code (otherwise we leave the hypervisor potentially vulnerable
>>>> to a hard lockup), so patches are very welcome. :)
>>>
>>> OK, good to know. Would be polling for a timeout sufficient in your use
>>> case? Then we could start with a simpler infrastructure.
>> I think so. In fact, I just thought that amd_iommu is naturally
>> x86-specific, so if I could rely on something like PM Timer/HPET inside
>> the hypervisor, it would already be enough.
>>
>> Valentine
>
> That's interesting. So we kidnap one of those timers to the hypervisor only
> (since the cells are using APIC timers and are good with them) and gain
> timers on that level, right? Leaving the root cell out of the way on the
> watchdog task looks safer for me as well (reading through the thread). We
> could have policies to reload cells even without participation of the root
> one. Has anyone experimented with those different clocks on x86 already?
>

In these last comments, I was not talking about a timer but a clock. We already share the PM "Timer" (which is a clock in reality) across all cells (because it is read-only and trivially handed out via PIO access masks). We could also use it in the hypervisor on x86 in order to gain a notion of time.

However, we may also need a timer in order to implement a watchdog. And, with safety in mind, we may need some redundancy in that concept, e.g. a second independent time source, to avoid nasty error modes when some time source goes mad.

Regarding cell management without the root cell: If it's only about restart, that would be doable. But generally, this is not possible without reload. And loading can only be done with the help of the root cell. That's an architectural property of Jailhouse, to offload all the logic and drivers and you-name-it to the root cell.

Jan
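
An added illustration, not part of the thread and not Jailhouse code: a polling timeout of the kind discussed above, built on a free-running read-only counter such as the PM Timer and safe across counter wrap. The simulated `pm_timer_read()`, the 24-bit counter width, and all function names here are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define PM_TIMER_HZ   3579545u     /* ACPI PM Timer frequency */
#define PM_TIMER_MASK 0x00ffffffu  /* assumption: 24-bit counter variant */

/* Constructed stand-in for the port read so the example runs in user space:
 * every read advances the simulated counter by sim_step ticks. */
uint32_t sim_counter, sim_step;
uint32_t pm_timer_read(void)
{
	sim_counter = (sim_counter + sim_step) & PM_TIMER_MASK;
	return sim_counter;
}

/* Ticks between two reads; masking the difference makes a wrap harmless. */
uint32_t pm_ticks_since(uint32_t start, uint32_t now)
{
	return (now - start) & PM_TIMER_MASK;
}

/* Sum deltas between successive reads, so timeouts longer than one wrap
 * (about 4.69 s at 24 bits) still work as long as polls are frequent. */
bool poll_timeout(bool (*done)(void *), void *arg, uint32_t timeout_us)
{
	uint64_t limit = (uint64_t)timeout_us * PM_TIMER_HZ / 1000000u;
	uint64_t elapsed = 0;
	uint32_t last = pm_timer_read();
	while (!done(arg)) {
		uint32_t now = pm_timer_read();
		elapsed += pm_ticks_since(last, now);
		last = now;
		if (elapsed >= limit)
			return false;  /* caller gives up on the wait */
	}
	return true;
}

/* Hypothetical condition: true once *arg polls have passed (a reply arrives). */
bool reply_after(void *arg)
{
	return (*(int *)arg)-- <= 0;
}

/* One simulated wait that starts just below the wrap point of the counter. */
bool simulate(int polls_until_reply, uint32_t step, uint32_t timeout_us)
{
	sim_counter = PM_TIMER_MASK - 150;
	sim_step = step;
	return poll_timeout(reply_after, &polls_until_reply, timeout_us);
}
```

A single counter like this gives a notion of elapsed time only; it provides neither the interrupt-driven watchdog nor the second independent time source mentioned in the reply.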
