From: Thomas Leonard <talex5@gmail.com>
To: Alyssa Ross <hi@alyssa.is>
Cc: Michael Raskin <7c6f434c@mail.ru>, discuss@spectrum-os.org
Subject: Re: Qubes-lite With KVM and Wayland
Date: Wed, 10 Mar 2021 14:19:49 +0000
Message-ID: <CAG4opy-5u1hn3jZPJgh+NnGFjX7J2gb_ytFETFsKX2g_Rp2Dig@mail.gmail.com>
In-Reply-To: <20210309165922.mg6hdqzzeurdmjsq@x220.qyliss.net>

On Tue, 9 Mar 2021 at 16:59, Alyssa Ross <hi@alyssa.is> wrote:
>
> On Sun, Mar 07, 2021 at 12:52:36PM +0000, Thomas Leonard wrote:
> > On Wed, 27 Jan 2021 at 17:31, Thomas Leonard <talex5@gmail.com> wrote:
> > [...]
> > > If any of this sounds useful for spectrum let me know. I can try and
> > > tidy it up; it's all a huge mess at the moment!
> >
> > I got a bit further (fixed my sommelier problems), but have run out of
> > time for now :-(
> >
> > I've written up where I got to here:
> >
> > https://roscidus.com/blog/blog/2021/03/07/qubes-lite-with-kvm-and-wayland/
>
> I saw this online the other day and started reading it without realising
> it was you, and then I saw you were using Nix and thought "wow, that's
> close to what I'm (not) doing", and then I saw the Spectrum section, and
> then realised who the author was. :)

:-)

> I'll quote a little from it and reply to bits:
>
> > When I wanted a newer package (socat with vsock support, only just
> > released) I just told Nix to install it from the latest Git checkout of
> > nixpkgs.
>
> I'm excited to learn that socat has vsock support now!  That's going to
> be very useful.  I have a half-done patch somewhere that adds vsock
> support to strace that I should finish up as well.

Yeah, I'm using it as a hacky replacement for qrexec for now. The fact
that it connects to the network system, and allows you to specify the
target VM ID, makes it look like it's designed to go between VMs, but
it doesn't seem like it does. I worry that they'll enable that at some
point and create a sudden security problem...

> > True, my squashfs image is getting a bit big. Maybe I should instead
> > make a minimal squashfs boot image, plus a shared directory of hard
> > links to the required files. That would allow sharing the data with the
> > host. I could also just share the whole /nix/store directory, if I
> > wanted to make all host software available to guests.
>
> I think the solution I will end up going with for this will be a custom
> virtiofsd implementation that can implement some access controls.

Sounds sensible.

> > I didn’t have time to write and debug C++ code for every missing
> > Wayland protocol, so I took a short-cut: I wrote my own Wayland library,
> > ocaml-wayland, and then used that to write my own version of sommelier.
> > With that, adding support for copying text was fairly easy.
>
> Well this is interesting!  I definitely want to learn more about this.

I've put it up here: https://github.com/talex5/wayland-virtwl-proxy

There's a default.nix file, so it should build easily enough (make
sure to git clone with submodules). I'd be interested to know if it
works for other people. I've been using it for about a week now, and
it seems fine with firefox, evince and xfce4-terminal (the apps I
use).

But e.g. kitty won't run because there's no `wl_drm` support. I don't
know anything about graphics acceleration. But someone on Hacker News
commented that you did panfrost, so I guess you know about that sort
of thing.

> > * One problem with virtwl is that, while we can receive shared
> >   memory FDs from the host, we can't export guest memory to the
> >   host. This is unfortunate, because in Wayland the shared memory for
> >   window contents is allocated by the application from guest memory,
> >   and the proxy therefore has to copy each frame. If the host
> >   provided the memory to the guest, this wouldn't be needed. There
> >   is a wl_drm protocol for allocating video memory, which might help
> >   here, but I don't know how that works and, like many Wayland
> >   specifications, it seems to be in the process of being replaced by
> >   something else.
>
> Yeah, this comes up on the virtio mailing list from time to time.  It's
> a very difficult problem to solve, but there might be a solution some
> day.  I think I've written about my own explorations in this area on
> this list before.
>
> > I’m not sure how guest-to-guest communication works with KVM.
>
> It... doesn't really, at least not the way it does with Xen.
> virtio-vhost-user[1] is promising, but very early stages.  I've talked
> in quite a lot of detail about how that works on this list before as
> well.  Guest-to-guest communication was my main area of work for most of
> the second half of last year (and what ended up causing me to burn out).

I guess once you've got shared memory and inter-VM interrupts it might
be possible to reuse the Xen protocols and drivers. I made a firewall
VM on Qubes that did that a few years ago
(https://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/).
But the virtio protocols will probably be more widely supported in
future.

> [1]: https://wiki.qemu.org/Features/VirtioVhostUser
>
> > I hope the SpectrumOS project will resume at some point
>
> Me too!  Maybe it's resuming right now!  (Although I'm not committing --
> just because I'm feeling ready to get back into it today doesn't mean
> that's going to be sustainable again yet.)

:-)


-- 
talex5 (GitHub/Twitter)        http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D  6A51 7513 3C8F 94F6 E0CC
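The worry above is that a vsock service standing in for qrexec might one day become reachable from other guests rather than only from the host. The following is an added example (mine, not code from the thread, from socat or from Spectrum) showing the defender's side of that: a vsock listener that treats the peer CID like a source address and drops any connection whose CID is not on an explicit allowlist before reading any request bytes. The CID constants (hypervisor 0, local 1, host 2, guests from 3 upward) are the real vsock address-family values; the port number, the allowlist format and the `serve`/`classify_peer` names are my own choices. The policy functions are pure Python and run anywhere; only `serve` needs a Linux kernel with the vsock transport.

```python
"""Peer-CID allowlisting for a vsock listener (added example, not from the thread)."""
import logging
import socket
from typing import Callable, Iterable, List, Tuple

log = logging.getLogger("vsock-guard")

# Well-known CIDs of the vsock address family. Guests are assigned CIDs >= 3,
# so a peer CID of 3 or more on a guest-side listener means another VM.
CID_HYPERVISOR = 0
CID_LOCAL = 1
CID_HOST = getattr(socket, "VMADDR_CID_HOST", 2)


def parse_allowlist(spec: str) -> frozenset:
    """Parse a comma-separated CID allowlist such as "2" or "2,7".

    Anything that is not a non-negative integer is rejected outright, so a
    typo in the configuration fails closed instead of silently allowing
    nothing or everything.
    """
    cids = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"bad CID in allowlist: {item!r}")
        cids.add(int(item))
    return frozenset(cids)


def classify_peer(peer_cid: int, allowlist: frozenset) -> Tuple[str, str]:
    """Decide whether a connection from peer_cid may proceed.

    Returns (verdict, reason); verdict is "accept" or "reject". The reason
    distinguishes a guest CID (the guest-to-guest case the thread worries
    about) from reserved CIDs, which is useful when the rejection is logged.
    """
    if peer_cid in allowlist:
        return "accept", "cid on allowlist"
    if peer_cid in (CID_HYPERVISOR, CID_LOCAL):
        return "reject", "reserved cid not expected on this socket"
    if peer_cid >= 3:
        return "reject", "guest cid not on allowlist (guest-to-guest attempt?)"
    return "reject", "host cid not on allowlist"


def filter_connections(attempts: Iterable[Tuple[int, int]],
                       allowlist: frozenset) -> Tuple[List[Tuple[int, int]],
                                                      List[Tuple[int, int, str]]]:
    """Apply the policy to a batch of (peer_cid, peer_port) pairs.

    Handy for replaying an audit log through a proposed allowlist. Returns
    (accepted, rejected); rejected entries carry the reason string.
    """
    accepted, rejected = [], []
    for cid, port in attempts:
        verdict, reason = classify_peer(cid, allowlist)
        if verdict == "accept":
            accepted.append((cid, port))
        else:
            rejected.append((cid, port, reason))
    return accepted, rejected


def serve(port: int, allowlist: frozenset,
          handler: Callable[[socket.socket], None]) -> None:
    """Accept vsock connections on `port` and hand allowed ones to handler(conn).

    Requires the vsock transport (Linux, vsock module loaded); raises OSError
    otherwise. Rejected peers are closed before any request data is read.
    """
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as srv:
        srv.bind((socket.VMADDR_CID_ANY, port))
        srv.listen()
        while True:
            conn, (peer_cid, peer_port) = srv.accept()
            verdict, reason = classify_peer(peer_cid, allowlist)
            if verdict != "accept":
                log.warning("rejected cid=%d port=%d: %s", peer_cid, peer_port, reason)
                conn.close()
                continue
            with conn:
                handler(conn)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample of connection attempts: host, another guest, host again.
    sample = [(CID_HOST, 1024), (5, 1025), (CID_HOST, 1026)]
    ok, dropped = filter_connections(sample, parse_allowlist("2"))
    print("accepted:", ok)
    print("rejected:", dropped)
```

Running the module replays the constructed sample through a host-only allowlist; `serve` is what a real guest-side service would call, with a port of its choosing and a handler that speaks whatever protocol replaces qrexec.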
