Add HIP 0001 ring buffer proposal for Hyperlight I/O #1112
Conversation
Updated image links in README.md to use GitHub assets.
Replace smart quotes with ASCII quotes and backticks and fix minor grammatical issues in the RNG buffer proposal README.
andreiltd
requested review from
danbugs,
dblnz,
devigned,
jprendes,
ludfjig,
marosset,
simongdavies and
syntactically
as code owners
andreiltd
added
area/documentation
|
|
||
| ### Risks and Mitigations | ||
|
|
||
| **Risk**: Malicious guest corrupting the queue **Mitigation**: Do not expose low level queue API to |
There was a problem hiding this comment.
I don't know that not exposing it to the guest does anything. The guest is fully untrusted and so we need to do the mitigation suggested after this, that we serialize all data as known types and do assertions as suggested.
| and `len` as raw bytes providing 12 bytes of inline storage. We should asses if any of flatbuffer | ||
| schema serialized data can actually fit into small inline data. | ||
|
|
||
| **4. Descriptor Chaining - scatter gather list** |
There was a problem hiding this comment.
Is it proposed to implement this now or as future option?
| example `ioeventfd` for kvm). This is especially useful for streaming scenarios where the guest can | ||
| continue processing while the host consumes data asynchronously. | ||
|
|
||
| **3. Inline Descriptors** |
There was a problem hiding this comment.
Is this proposed to be implemented now or as possible improvement in the future
| 2. Device writes up to buffer length | ||
| 3. Device sets actual written length in descriptor | ||
| 4. If `actual_length > buffer_length`, device sets a `TRUNCATED` flag, | ||
| 5. Driver can re-submit with larger buffer if needed |
There was a problem hiding this comment.
I can image this would be possible performance issue? Can we provide a metric for when this occurs and a way to improve initial buffer size?
| Snapshotting requires that the descriptor table has no in-flight guest-to-host requests and any | ||
| attempt to snapshot a sandbox with such pending requests will result in a snapshot failure. | ||
|
|
||
| ### Difference from spec |
There was a problem hiding this comment.
Oh from from virtio spec, let's link the mention above to here
| ### Snapshotting | ||
|
|
||
| Snapshotting requires that the descriptor table has no in-flight guest-to-host requests and any | ||
| attempt to snapshot a sandbox with such pending requests will result in a snapshot failure. |
|
|
||
| The design leverages virtio's well-defined publishing/consumption semantics and memory safety | ||
| guarantees while adapting them to Hyperlight's specific needs. Since we control both ends of the | ||
| queue, we can deviate from strict virtio compliance where it makes sense. |
There was a problem hiding this comment.
could we link to the section below?
|
|
||
| ``` | ||
|
|
||
| ### Test Plan |
There was a problem hiding this comment.
love seeing the comprehensive testing!
|
|
||
| ``` | ||
|
|
||
| ### Test Plan |
There was a problem hiding this comment.
Maybe worth outlining the implemenation plan a bit? Will this come in a couple different PRs or behind feature flags, etc?
jsturtevant
left a comment
jsturtevant
left a comment
There was a problem hiding this comment.
This looks great, thanks for such a detailed write up. Left a few minor comments but otherwise this seems like it would set up the project to work well for the future
2 participants
Rendered