docs/devel/multi-process.rst

22 QEMU can be susceptible to security attacks because it is a large,
24 Many of these features can be configured out of QEMU, but even a reduced
25 configuration QEMU has a large amount of code a guest can potentially
33 QEMU can be broadly described as providing three main services. One is a
34 VM control point, where VMs can be created, migrated, re-configured, and
44 host processes. Each of these processes can be given only the privileges
66 can emulate provides a large surface of interfaces which could potentially
70 can be separated from the QEMU functions that manage the emulation of
94 a couple of existing QEMU features that can run emulation code
100 Virtio guest device drivers can be connected to vhost user applications
105 application is a daemon process that can be contacted via a known UNIX
114 process, the application can also be sent other file descriptors over
115 the socket, which then can be used by the vhost user application in
125 execution returns to the KVM driver so it can inform QEMU to emulate the
128 One of the events that can cause a return to QEMU is when a guest device
134 application can directly receive MMIO store notifications from the KVM
154 These descriptors can be passed to ``mmap()`` by the vhost application
168 Much of the vhost model can be re-used by separated device emulation. In
181 stores are asynchronous, the guest can continue after the store event
184 Another difference is that in the vhost user model, a single daemon can
187 access the files or devices the VM it's running on behalf of can access.
216 sockets. The processes can be executed either as standalone processes,
232 the same type can be managed by a single QMP monitor.
247 Remote emulation processes can be monitored via QMP, similar to QEMU
255 can be monitored over the UNIX socket path */tmp/disk-mon*.
270 can be used to add a device emulated in a remote process
339 MMIO handlers, or creating a child bus that other proxy devices can be
365 PCI devices also have a configuration space that can be accessed by the
375 "pci-device-proxy" class that can serve as the parent of a PCI device
410 that the emulation process can ``mmap()`` to directly access guest
432 An QMP "device\_add" command can add a device emulated by a remote
545 device emulation code can access.
552 that physical address can be translated to a local virtual address. The
576 *QEMUfile* that can be passed to ``qemu_save_device_state()`` to send
585 process can add considerable latency to IO operations. The optimizations
592 Vhost user applications can receive guest virtio driver stores directly
600 descriptor that QEMU can use for configuration, and a slave descriptor
601 that the emulation process can use to receive MMIO notifications. QEMU
612 well as which bus the range resides on (e.g., on an x86machine, it can
615 A device can have multiple physical address ranges it responds to (e.g.,
616 a PCI device can have multiple BARs), so the structure will also include
637 includes a sequence number that can be used to reply to the MMIO, and
678 Some MMIO loads do not have device side-effects. These MMIOs can be
685 emulation program can control KVM access to the shadow image by sending
687 side-effects (and can be completed immediately), and which require a
688 MMIO request to the emulation program. The access map can also inform
721 be passed to the device emulation program. Only one slave can be created
729 command can be executed while the guest is running, such as the case
758 request structures. Multiple structures can be returned if there are
775 There are several ioctl()s that can be performed on the slave
779 allocate memory for the shadow image. This memory can later be
785 specifies which areas of the image can complete guest loads without
800 and the KVM driver can satisfy guest loads from the shadow image without
806 Each KVM per-CPU thread can handle MMIO operation on behalf of the guest
808 matching *kvm\_io\_device* to see if the MMIO can be handled by the KVM
825 Stores can be handled asynchronously unless the pending MMIO request
848 acknowledged by the guest, so they can re-trigger the interrupt if their
857 The interrupt route can be found with
863 Intx routing can be changed when the guest programs the APIC the device
911 enforce that the differing processes can only access the objects they
918 Discretionary access control allows each user to control who can access
932 categories, and can establish rules for how processes and files can
940 type can perform on a file with a given type. QEMU separation could take
949 emulation processes can have a type separate from the main QEMU process
950 and non-network emulation process, and only that type can access the
958 process's set is a superset of the file's set. This enforcement can be