From: Jason Andryuk Date: Wed, 16 Apr 2025 21:29:08 +0000 (-0400) Subject: xen/arm: dom0less seed xenstore grant table entry X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=7fc8120a2a857b43087c316d38e010da2d1cacf2;p=people%2Fandrewcoop%2Fxen.git xen/arm: dom0less seed xenstore grant table entry xenstored maps other domains' xenstore pages. Currently this relies on init-dom0less or xl to seed the grants from Dom0. With split hardware/control/xenstore domains, this is problematic since we don't want the hardware domain to be able to map other domains' resources without their permission. Instead have the hypervisor seed the grant table entry for every dom0less domain. The grant is then accessible as normal. C xenstored uses grants, so it can map the xenstore pages from a non-dom0 xenstore domain. OCaml xenstored uses foreign mappings, so it can only run from a privileged domain (dom0). Add a define to indicate the late alloc xsentore PFN, to better indicate what is being checked. Use UINT64_MAX instead of ~0ULL as the HVM_PARAM field is a uint64_t. UINT64_MAX is not defined, so add it. Signed-off-by: Jason Andryuk Reviewed-by: Stefano Stabellini --- diff --git a/xen/arch/arm/dom0less-build.c b/xen/arch/arm/dom0less-build.c index bb8cc3be43..188ef40b52 100644 --- a/xen/arch/arm/dom0less-build.c +++ b/xen/arch/arm/dom0less-build.c @@ -20,6 +20,8 @@ #include #include +#define XENSTORE_PFN_LATE_ALLOC UINT64_MAX + static domid_t __initdata xs_domid = DOMID_INVALID; static bool __initdata need_xenstore; @@ -756,7 +758,7 @@ static int __init alloc_xenstore_params(struct kernel_info *kinfo) if ( (kinfo->dom0less_feature & (DOM0LESS_XENSTORE | DOM0LESS_XS_LEGACY)) == (DOM0LESS_XENSTORE | DOM0LESS_XS_LEGACY) ) - d->arch.hvm.params[HVM_PARAM_STORE_PFN] = ~0ULL; + d->arch.hvm.params[HVM_PARAM_STORE_PFN] = XENSTORE_PFN_LATE_ALLOC; else if ( kinfo->dom0less_feature & DOM0LESS_XENSTORE ) { rc = alloc_xenstore_page(d); @@ -788,6 +790,12 @@ static void __init initialize_domU_xenstore(void) rc = alloc_xenstore_evtchn(d); if ( rc < 0 ) panic("%pd: Failed to allocate xenstore_evtchn\n", d); + + if ( gfn != XENSTORE_PFN_LATE_ALLOC && IS_ENABLED(CONFIG_GRANT_TABLE) ) + { + ASSERT(gfn < UINT32_MAX); + gnttab_seed_entry(d, GNTTAB_RESERVED_XENSTORE, xs_domid, gfn); + } } } diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 6c77867f8c..e75ff98aff 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -4346,6 +4346,20 @@ static void gnttab_usage_print(struct domain *rd) printk("no active grant table entries\n"); } +#ifdef CONFIG_DOM0LESS_BOOT +void __init gnttab_seed_entry(const struct domain *d, unsigned int idx, + domid_t be_domid, uint32_t frame) +{ + const struct grant_table *gt = d->grant_table; + + ASSERT(!d->creation_finished); + ASSERT(gt->gt_version == 1); + shared_entry_v1(gt, idx).flags = GTF_permit_access; + shared_entry_v1(gt, idx).domid = be_domid; + shared_entry_v1(gt, idx).frame = frame; +} +#endif + static void cf_check gnttab_usage_print_all(unsigned char key) { struct domain *d; diff --git a/xen/include/xen/grant_table.h b/xen/include/xen/grant_table.h index 50edfecfb6..297d7669e9 100644 --- a/xen/include/xen/grant_table.h +++ b/xen/include/xen/grant_table.h @@ -33,6 +33,10 @@ struct grant_table; +/* Seed a gnttab entry for Hyperlaunch/dom0less. */ +void gnttab_seed_entry(const struct domain *d, unsigned int idx, + domid_t be_domid, uint32_t frame); + #ifdef CONFIG_GRANT_TABLE extern unsigned int opt_gnttab_max_version; diff --git a/xen/include/xen/types.h b/xen/include/xen/types.h index e8d419b954..73ddccbbd5 100644 --- a/xen/include/xen/types.h +++ b/xen/include/xen/types.h @@ -44,6 +44,7 @@ typedef __UINTPTR_TYPE__ uintptr_t; #define UINT8_MAX (255) #define UINT16_MAX (65535) #define UINT32_MAX (4294967295U) +#define UINT64_MAX (18446744073709551615ULL) #define INT_MAX ((int)(~0U>>1)) #define INT_MIN (-INT_MAX - 1)