Research hypervisor mediated copy approaches including Argo

Description

In our various discussions about how best to limit the range of access a guest holding a backend gets to the frontend guests' memory space, we missed the option of hypervisor-mediated copy. Here neither guest has access to the other's memory space, but the hypervisor does by virtue of being the hypervisor. While doing the copy, the hypervisor can apply validation and permission checks to help enforce the security boundary.
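A toy model of the mediated copy just described, added here as an example and not Argo or Xen code: the hypervisor alone sees both guests' memory and refuses copies that fail its bounds or grant checks. The names hv_copy, struct grant and hmx_demo, and the grant policy and sample data, are constructed for the illustration.

```c
/* Toy model of the hypervisor-mediated copy described in the card. Added
 * example, not Argo or Xen code: hv_copy, struct grant, hmx_demo and the grant
 * policy/data are constructed, hypothetical names and values. */
#include <stdint.h>
#include <string.h>
#define NDOMS 2
#define GUEST_MEM 64
#define MAX_GRANTS 4
/* Policy entry: dom src allows [off, off+len) to be copied into dom dst. */
struct grant { int src, dst; size_t off, len; };
struct hypervisor {
    uint8_t mem[NDOMS][GUEST_MEM];   /* per-domain memory, hypervisor-only view */
    struct grant grants[MAX_GRANTS];
    int ngrants;
};
enum hv_err { HV_OK = 0, HV_EPERM = -1, HV_EFAULT = -2 };
/* Copy len bytes from dom src @ src_off into dom dst @ dst_off. The guests
 * never touch each other's memory; the hypervisor validates, then copies. */
int hv_copy(struct hypervisor *hv, int src, size_t src_off,
            int dst, size_t dst_off, size_t len)
{
    /* Bounds checks written so offset + len cannot wrap around. */
    if (src < 0 || src >= NDOMS || dst < 0 || dst >= NDOMS || len > GUEST_MEM ||
        src_off > GUEST_MEM - len || dst_off > GUEST_MEM - len)
        return HV_EFAULT;
    for (int i = 0; i < hv->ngrants; i++) {
        const struct grant *g = &hv->grants[i];
        if (g->src == src && g->dst == dst && src_off >= g->off &&
            src_off - g->off <= g->len && len <= g->len - (src_off - g->off)) {
            memcpy(hv->mem[dst] + dst_off, hv->mem[src] + src_off, len);
            return HV_OK;
        }
    }
    return HV_EPERM;   /* no grant covers this source window */
}
/* One permitted copy and three rejected ones; returns 0 when every step
 * behaves as expected, otherwise the number of the first step that did not. */
int hmx_demo(void)
{
    struct hypervisor hv = {0};
    memcpy(hv.mem[0], "virtio-frontend-data", 20);         /* constructed */
    hv.grants[hv.ngrants++] = (struct grant){0, 1, 0, 32};  /* dom0 -> dom1 */
    if (hv_copy(&hv, 0, 0, 1, 8, 20) != HV_OK) return 1;
    if (memcmp(hv.mem[1] + 8, "virtio-frontend-data", 20) != 0) return 2;
    if (hv_copy(&hv, 0, 16, 1, 0, 32) != HV_EPERM) return 3;   /* past grant */
    if (hv_copy(&hv, 1, 0, 0, 0, 8) != HV_EPERM) return 4;     /* no grant */
    if (hv_copy(&hv, 0, SIZE_MAX - 4, 1, 0, 8) != HV_EFAULT) return 5; /* wrap */
    return 0;
}
```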

One such proposal is Argo (https://wiki.xenproject.org/wiki/Argo:_Hypervisor-Mediated_Exchange_(HMX)_for_Xen). Argo-enabled Xen is used in the OpenXT stack (https://openxt.org/about/) and can also further utilise architectural hardware features to enable strong isolation between tenants running on the same hardware.

There have been suggestions that Argo could be separated from Xen to become a portable hypervisor interface and then used as a security-aware transport for virtio (https://www.spinics.net/lists/automotive-discussions/attachments/pdfZi7_xDH6LX.pdf).

This card represents the research needed to:

  • size up the Xen Argo implementation and evaluate its portability

  • gather the current state of VirtIO over Argo

  • generate a proposal for the VirtIO spec for an Argo transport (including if any wider changes/features are needed to support the new model)

  • generate a set of work items for a VirtIO over Argo demo

Activity

Alex Bennée April 19, 2023 at 3:18 PM

Currently we are using the GrantDev model in Project Orko; no need for Argo at the moment.

Won't Do

Details

Time tracking

No time logged, 4w remaining

Created October 28, 2021 at 12:47 PM
Updated April 19, 2023 at 3:18 PM
Resolved April 19, 2023 at 3:18 PM