On Wed, 11 Jun 2025, Jason Andryuk wrote: > On 2025-06-11 09:27, Jan Beulich wrote: > > On 11.06.2025 00:57, Jason Andryuk wrote: > > > Allow the hwdom to access the console, and to access physical > > > information about the system. > > > > > > xenconsoled can read Xen's dmesg. If it's in hwdom, then that > > > permission would be required. > > > > Why would xenconsoled run in the hardware domain? It's purely a software > > construct, isn't it? As a daemon, putting it in the control domain may > > make sense. Otherwise it probably ought to go in a service domain. > > My approach has been to transform dom0 into the hardware domain and add a new > control domain. xenconsoled was left running in the hardware domain.
I think we should keep xenconsoled in the hardware domain because the control domain should be just optional. (However, one could say that with Denis' recent changes xenconsoled is also optional because one can use console hypercalls or emulators (PL011, NS16550) for all DomUs.) > I suppose it could move. Maybe that would be fine? I haven't tried. The > Hyperlaunch code populates the console grants to point at the hardware domain, > and I just followed that. > > One aspect of why I left most things running in the Hardware domain was to not > run things in the Control domain. If Control is the highest privileged > entity, we'd rather run software in lower privileged places. Especially > something like xenconsoled which is receiving data from the domUs. Yes, I agree with Jason. It is a bad idea to run xenconsoled in the Control Domain because the Control Domain is meant to be safe from interference. We want to keep the number of potential vehicles for interference down to a minimum and shared memory between Control Domain and DomUs is certainly a vehicle for interference.
