On Wed, 22 Aug 2018 09:04:13 +0200 Harald Freudenberger <freude@xxxxxxxxxxxxx> wrote: > Well, sooner or later this has to work. Yesterday we tested the control > domain thing with trying to pull some simple data from a 'controlled' domain > to the TKE - doesn't work with a Linux LPAR. I will investigate the details in the > next weeks. However, long-term it should be possible to run scenarios > like having one KVM guest control all the domains used by other KVM guests. > With respect to the KVM vfio driver, currently there should be just the > rule that for a guest the control domain mask should be equal or a superset > of the usage domain mask. This is by convention as the architecture is > not so clear here, but this is enforced on every place which deals with > usage and control domains (SE, TKE). Thanks for the update; this makes me think we really should fiddle with the masks in the kernel (as opposed to doing it higher up in the stack).
