Jan Beulich [Thu, 3 Aug 2023 15:35:39 +0000 (17:35 +0200)]
libxl: allow building with old gcc again
We can't use initializers of unnamed struct/union members just yet.
Fixes: d638fe233cb3 ("libxl: use the cpuid feature names from cpufeatureset.h")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 3 Aug 2023 15:35:26 +0000 (17:35 +0200)]
libxl: avoid shadowing of index()
Because of -Wshadow the build otherwise fails with old enough glibc.
While there also obey line length limits for msr_add().
Fixes: 6d21cedbaa34 ("libxl: add support for parsing MSR features")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 2 Aug 2023 12:44:30 +0000 (13:44 +0100)]
x86/gen-cpuid: Avoid violations of Misra rule 1.3
Add the script to the X86 section in ./MAINTAINERS.
Structures or unions without any named members aren't liked by Misra
(nor the C standard). Avoid emitting such for leaves without any known
bits.
The placeholders are affected similarly, but are only visible to MISRA in the
middle of a patch series adding a new leaf. The absence of a name was
intentional as these defines need to not duplicate names.
As that's not deemed acceptable any more, move placeholder processing into the
main loop and append the word number to generate unique names.
Andrew Cooper [Fri, 28 Jul 2023 19:27:01 +0000 (20:27 +0100)]
x86: Delete str()
This is used in an assertion only, which is somewhat dubious to begin with and
isn't expected to survive the x86-S work (where TR is expected to become
a NUL selector).
Delete it now. This avoids many cases where as a global symbol, it shadows
local string variables.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Andrew Cooper [Fri, 17 Feb 2023 14:10:58 +0000 (14:10 +0000)]
x86/entry: Rename the exception entrypoints
This makes the names match the architectural short names that we use
elsewhere. This avoids 'debug' in particular from being a global symbol
shadowed by many local parameter names.
Remove the DECLARE_TRAP_HANDLER{,_CONST}() infrastructure. Only NMI/#MC are
referenced externally (and NMI will cease to be soon, as part of adding FRED
support). Move the entrypoint declarations into the respective traps.c where
they're used, rather than keeping them visible across ~all of Xen.
Drop the long-stale comment at the top of init_idt_traps(). It's mostly
discussing a 32bit Xen, and bogus otherwise as it's impossible to use trap
gates correctly for these purposes.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Shawn Anastasio [Wed, 2 Aug 2023 08:53:46 +0000 (10:53 +0200)]
xen/ppc: Switch to medium PIC code model
Switch Xen to the medium PIC code model on Power. Among other things,
this allows us to be load address agnostic and will open the door to
booting on bare metal PowerNV systems that don't use OpenFirmware.
Also update XEN_VIRT_START to 0xc000000000000000, which is equivalent to
address 0x0 when the MMU is off. This prevents Open Firmware from
loading Xen at an offset from its base load address, so the DECL_SECTION
hack in xen.lds.S is no longer required.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Nicola Vetrini [Wed, 2 Aug 2023 08:52:44 +0000 (10:52 +0200)]
drivers/char: address MISRA C:2012 Rule 5.3
The following strategies are adopted to deal with violations
of MISRA C:2012 Rule 5.3:
"An identifier declared in an inner scope shall not hide an
identifier declared in an outer scope".
Local variable 'ctrl' shadows a variable defined in an outer scope.
Since the innermost variable is used only once after being set, it is safe
to remove it entirely.
The enum constant 'baud' is shadowed by a local variable at line
1476, and renaming the enum constant avoids such conflicts.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Nicola Vetrini [Wed, 2 Aug 2023 08:52:17 +0000 (10:52 +0200)]
xen/common: address MISRA C:2012 Rule 5.3
The following strategies are adopted to deal with violations
of MISRA C:2012 Rule 5.3:
"An identifier declared in an inner scope shall not hide an
identifier declared in an outer scope".
- s/nodes/numa_nodes/ for the file-scope variable in 'common/numa.c';
- move the variable 'struct compat_remove_from_physmap cmp' inside
the outer union variable 'cmp' to avoid shadowing it.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Wed, 2 Aug 2023 08:51:39 +0000 (10:51 +0200)]
common: move simple_strto{,u}l{,l}() to lib/
Convert style from a Xen/Linux mix to pure Xen while doing the move. No
other changes, despite having been heavily tempted to do some - at the
very least to make simple_strtoul() and simple_strtoull() the same in
how they deal with non-numeric digits.
xen/spinlock: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters to address violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen/lib: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Nicola Vetrini [Tue, 1 Aug 2023 09:51:28 +0000 (11:51 +0200)]
amd/iommu: rename functions to address MISRA C:2012 Rule 5.3
The functions 'machine_bfd' and 'guest_bfd' have gained the
prefix 'get_' to avoid the mutual shadowing with the homonymous
parameters in these functions.
Jan Beulich [Tue, 1 Aug 2023 09:50:29 +0000 (11:50 +0200)]
x86/HVM: tidy _hvm_load_entry() for style
The primary goal is to eliminate the Misra-non-compliance of "desc"
shadowing at least the local variable in hvm_load(). Suffix both local
variables with underscores, while also
- dropping leading underscores from parameter names (applying this also
to the two wrapper macros),
- correcting indentation,
- correcting brace placement,
- dropping unnecessary parentheses around parameter uses when those are
passed on as plain arguments.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
EFI: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters to address violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monné [Tue, 1 Aug 2023 09:48:39 +0000 (11:48 +0200)]
x86/iommu: pass full IO-APIC RTE for remapping table update
So that the remapping entry can be updated atomically when possible.
Doing such update atomically will avoid Xen having to mask the IO-APIC
pin prior to performing any interrupt movements (ie: changing the
destination and vector fields), as the interrupt remapping entry is
always consistent.
This also simplifies some of the logic on both VT-d and AMD-Vi
implementations, as having the full RTE available instead of half of
it avoids to possibly read and update the missing other half from
hardware.
While there remove the explicit zeroing of new_ire fields in
ioapic_rte_to_remap_entry() and initialize the variable at definition
so all fields are zeroed. Note fields could be also initialized with
final values at definition, but I found that likely too much to be
done at this time.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 1 Aug 2023 09:47:38 +0000 (11:47 +0200)]
x86: avoid Misra Rule 19.1 violations
Not exactly overlapping accesses to objects on the left and right hand
sides of an assignment are generally UB, and hence disallowed by Misra.
While in the specific cases we're talking about here no actual UB can
result as long as the compiler doesn't act actively "maliciously", let's
still switch to using casts combined with exactly overlapping accesses.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86emul: remove local variable to address MISRA C:2012 Rule 5.3
The local variable removed by this commit shadowed another declared in
an outer scope and thus violates Rule 5.3. It was introduced as part of
a refactoring by commit abf5fb62f73d0dbeabc6a8cd6dbb55174b36c8d1.
No functional changes.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
x86emul: avoid shadowing to address MISRA C:2012 Rule 5.3
Rule 5.3 has the following headline:
"An identifier declared in an inner scope shall not hide an
identifier declared in an outer scope"
The declaration of local variable 'cpuid_leaf' causes
shadowing with the homonymous function to happen, therefore
the variable is renamed to avoid this.
No functional changes.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
The local variable 'p2mt' shadows a declaration of the same variable
in the enclosing scope, but removing the inner declaration
does not alter the semantics ('p2mt' is an output for the get_gfn
call later on) and this resolves a violation of
MISRA C:2012 Rule 5.3.
No functional changes.
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
"A core will fail to exit CC6 after about 1044 days after the last
system reset. The time of failure may vary depending on the spread
spectrum and REFCLK frequency."
Detect when running on AMD Zen2 and setup a timer to prevent entering
C6 after 1000 days of uptime. Take into account the TSC value at boot
in order to account for any time elapsed before Xen has been booted.
Worst case we end up disabling C6 before strictly necessary, but that
would still be safe, and it's better than not taking the TSC value
into account and hanging.
Disable C6 by updating the MSR listed in the revision guide, this
avoids applying workarounds in the CPU idle drivers, as the processor
won't be allowed to enter C6 by the hardware itself.
Print a message once C6 is disabled in order to let the user know.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
IOMMU: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters to address violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function or
data declarations and the ones used in the corresponding function or
data definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
x86/IRQ: address violations of MISRA C: 2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
xen/IRQ: address violations of MISRA C: 2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
Peter Hoyes [Mon, 31 Jul 2023 13:03:14 +0000 (15:03 +0200)]
xl: Add escape character argument to xl console
Add -e argument to xl console and pass to new escape_character argument
of libxl_console_exec.
Introduce a new API version to support this new argument and advertise
the new functionality in libxl.h
In libxl_console_exec, there are currently two call sites to execl,
which uses varargs, in order to support optionally passing
'start-notify-fd' to the console client. In order to support passing
the 'escape' argument optionally too, refactor to instead have a single
call site to execv, which has the same behavior but takes an array of
arguments.
If -e is not specified, --escape is not passed to the console client and
the existing value (^]) is used as a default.
Update the xl docs.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
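The execl-to-execv refactor described in the commit above, sketched as an added example that is not libxl code: one argument array is filled with whichever optional arguments are present, and a single execv call site consumes it. The helper names, the positional domain id and the client path are hypothetical; only the `start-notify-fd` and `escape` option names come from the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Room for: client, domid, two optional flag/value pairs, NULL terminator. */
#define CONSOLE_ARGV_CAP 7

/*
 * Hypothetical helper: fill argv[] for the console client.
 * notify_fd and escape are optional (NULL means "do not pass the option").
 * Returns the number of arguments written (excluding the NULL terminator),
 * or -1 if a mandatory argument is missing or the array is too small.
 */
static int build_console_argv(const char *argv[], size_t cap,
                              const char *client, const char *domid,
                              const char *notify_fd, const char *escape)
{
    size_t n = 0;
    size_t need = 2 + (notify_fd ? 2 : 0) + (escape ? 2 : 0) + 1;

    if (!client || !domid || cap < need)
        return -1;

    argv[n++] = client;
    argv[n++] = domid;
    if (notify_fd) {
        argv[n++] = "--start-notify-fd";
        argv[n++] = notify_fd;
    }
    if (escape) {
        /* Omitted when NULL, so the client keeps its own default. */
        argv[n++] = "--escape";
        argv[n++] = escape;
    }
    argv[n] = NULL; /* execv requires a NULL-terminated array */
    return (int)n;
}

/* Single exec call site, whatever combination of options is present. */
static int exec_console(const char *client, const char *domid,
                        const char *notify_fd, const char *escape)
{
    const char *argv[CONSOLE_ARGV_CAP];

    if (build_console_argv(argv, CONSOLE_ARGV_CAP, client, domid,
                           notify_fd, escape) < 0)
        return -1;
    execv(client, (char *const *)argv);
    return -1; /* execv only returns on failure */
}

int main(int argc, char **argv_in)
{
    const char *argv[CONSOLE_ARGV_CAP];
    /* Constructed sample values; the path is a placeholder. */
    int n = build_console_argv(argv, CONSOLE_ARGV_CAP,
                               "/path/to/console-client", "5", NULL, "^a");

    for (int i = 0; i < n; i++)
        printf("argv[%d] = %s\n", i, argv[i]);

    /* Only exec when a real client path is given on the command line. */
    if (argc > 1)
        return exec_console(argv_in[1], "5", NULL, "^a");
    return n < 0;
}
```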
Anthony PERARD [Mon, 31 Jul 2023 13:02:34 +0000 (15:02 +0200)]
Config.mk: evaluate XEN_COMPILE_ARCH and XEN_OS immediately
With GNU make 4.4, the number of executions of the command present in
these $(shell ) increased greatly. This is probably because as of make
4.4, exported variables are also added to the environment of $(shell )
construct.
So to avoid having these commands being run more than necessary, we
will replace ?= by an equivalent but with immediate expansion.
Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Anthony PERARD [Mon, 31 Jul 2023 13:02:18 +0000 (15:02 +0200)]
build: evaluate XEN_BUILD_* and XEN_DOMAIN immediately
With GNU make 4.4, the number of executions of the command present in
these $(shell ) increased greatly. This is probably because as of make
4.4, exported variables are also added to the environment of $(shell )
construct.
Also, `make -d` shows a lot of these:
Makefile:15: not recursively expanding XEN_BUILD_DATE to export to shell function
Makefile:16: not recursively expanding XEN_BUILD_TIME to export to shell function
Makefile:17: not recursively expanding XEN_BUILD_HOST to export to shell function
Makefile:14: not recursively expanding XEN_DOMAIN to export to shell function
So to avoid having these commands being run more than necessary, we
will replace ?= by an equivalent but with immediate expansion.
Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 28 Jul 2023 17:42:12 +0000 (18:42 +0100)]
x86/amd: Fix DE_CFG truncation in amd_check_zenbleed()
This line:
val &= ~chickenbit;
ends up truncating val to 32 bits, and turning off various errata workarounds
in Zen2 systems.
Fixes: f91c5ea97067 ("x86/amd: Mitigations for Zenbleed")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
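The truncation described in the commit above, reproduced as an added example that is not taken from the Xen source. It assumes the mask was held in a 32-bit unsigned variable while `val` is 64 bits wide; the bit position and the register contents are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values, for illustration only. */
#define SAMPLE_CHICKENBIT  (1u << 9)
#define SAMPLE_MSR_VALUE   0x0000002000000600ULL /* bits 37, 10 and 9 set */

/*
 * Buggy pattern: the mask is a 32-bit unsigned value. ~mask is evaluated
 * in 32 bits (0xfffffdff) and only then zero-extended to 64 bits, so the
 * AND clears bits 63:32 of val as well as the intended bit.
 */
static uint64_t clear_bit_narrow(uint64_t val, uint32_t mask)
{
    val &= ~mask;
    return val;
}

/*
 * Corrected pattern: the mask is widened before the complement is taken,
 * so ~mask has all upper bits set and only the intended bit is cleared.
 */
static uint64_t clear_bit_wide(uint64_t val, uint64_t mask)
{
    val &= ~mask;
    return val;
}

/* Bits that were set before, are clear after, and were not meant to go. */
static uint64_t collateral_bits(uint64_t before, uint64_t after,
                                uint64_t intended)
{
    return (before & ~after) & ~intended;
}

int main(void)
{
    uint64_t narrow = clear_bit_narrow(SAMPLE_MSR_VALUE, SAMPLE_CHICKENBIT);
    uint64_t wide = clear_bit_wide(SAMPLE_MSR_VALUE, SAMPLE_CHICKENBIT);

    printf("before:           %#018" PRIx64 "\n", (uint64_t)SAMPLE_MSR_VALUE);
    printf("32-bit mask:      %#018" PRIx64 " (lost %#" PRIx64 ")\n", narrow,
           collateral_bits(SAMPLE_MSR_VALUE, narrow, SAMPLE_CHICKENBIT));
    printf("64-bit mask:      %#018" PRIx64 " (lost %#" PRIx64 ")\n", wide,
           collateral_bits(SAMPLE_MSR_VALUE, wide, SAMPLE_CHICKENBIT));
    return 0;
}
```

With a read-modify-write of a 64-bit MSR, the lost upper bits are written back as zero, which is how unrelated settings in the same register end up switched off.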
xen/keyhandler: address violations of MISRA C:2012 Rule 8.3 and drop bool_t
Change types in function definitions to be consistent with the
corresponding declarations.
This addresses violations of MISRA C:2012 Rule 8.3: "All declarations
of an object or function shall use the same names and type qualifiers".
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
[stefano: fix error in commit message]
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen/arm: mechanical renaming to address MISRA C:2012 Rule 5.3
Rule 5.3 has the following headline:
"An identifier declared in an inner scope shall not hide an
identifier declared in an outer scope"
The function parameters renamed in this patch are hiding a variable defined
in an enclosing scope or a function identifier.
The following renames have been made:
- s/guest_mode/guest_mode_on/ to distinguish from function 'guest_mode'
- s/struct module_name/struct module_info/ to distinguish from the homonymous
parameters, since the structure contains more information than just the name.
- s/file_name/file_info in 'xen/arch/arm/efi/efi-boot.h' for consistency with
the previous renaming.
xen/notifier: address violations of MISRA C:2012 Rule 8.3
Change parameter names in function declarations to be consistent with
the corresponding definitions. This addresses violations of MISRA C:2012
Rule 8.3: "All declarations of an object or function shall use the same
names and type qualifiers".
xen: change names and type qualifiers in copy_domain_page() declaration
Change names and type qualifiers of parameters in copy_domain_page()
declaration to keep consistency with the corresponding definition.
This addresses violations of MISRA C:2012 Rule 8.3: "All declarations
of an object or function shall use the same names and type qualifiers".
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
libxl: Add missing libxl__virtio_devtype to device_type_tbl array
Without it being present it won't be possible to use some
libxl__device_type's callbacks for virtio devices as the common code
can only invoke these callbacks (by dereferencing a pointer) for valid
libxl__device_type's elements when iterating over device_type_tbl[].
Please note, there is no issue within the current code base as virtio
devices don't use callbacks that depend on libxl__virtio_devtype
presence in device_type_tbl[]. The issue will appear as soon as we start
using these callbacks (for example, dm_needed).
iommu/vtd: rename io_apic_read_remap_rte() local variable
Preparatory change to unify the IO-APIC pin variable name between
io_apic_read_remap_rte() and amd_iommu_ioapic_update_ire(), so that
the local variable can be made a function parameter with the same name
across vendors.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
x86/ioapic: RTE modifications must use ioapic_write_entry
Do not allow to write to RTE registers using io_apic_write and instead
require changes to RTE to be performed using ioapic_write_entry.
This is in preparation for passing the full contents of the RTE to the
IOMMU interrupt remapping handlers, so remapping entries for IO-APIC
RTEs can be updated atomically when possible.
While immediately this commit might expand the number of MMIO accesses
in order to update an IO-APIC RTE, further changes will benefit from
getting the full RTE value passed to the IOMMU handlers, as the logic
is greatly simplified when the IOMMU handlers can get the complete RTE
value in one go.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arm/atomic: change parameter name in atomic_cmpxchg() definition
Change parameter name from 'ptr' to 'v' in the function definition thus
addressing violations of MISRA C:2012 Rule 8.3: "All declarations of an
object or function shall use the same names and type qualifiers".
xen/arm32: head: Widen the use of the temporary mapping
At the moment, the temporary mapping is only used when the virtual
runtime region of Xen is clashing with the physical region.
In follow-up patches, we will rework how secondary CPU bring-up works
and it will be convenient to use the fixmap area for accessing
the root page-table (it is per-cpu).
Rework the code to use temporary mapping when the Xen physical address
is not overlapping with the temporary mapping.
This also has the advantage to simplify the logic to identity map
Xen.
This patch was originally part of [1] but it was reverted due to
Xen not booting on the Arndale. The second patch of this series
is fixing it (confirmed by booting on the Arndale). So I am including
this patch.
device_tree: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
Rework TEE mediators to put them under a submenu in Kconfig.
The submenu is only visible if UNSUPPORTED is activated as all currently
existing mediators are UNSUPPORTED.
While there rework a bit the configuration so that OP-TEE and FF-A
mediators are selecting the generic TEE interface instead of depending
on it.
Make the TEE option hidden as it is of no interest for anyone to select
it without one of the mediators so having them select it instead should
be enough.
Add a wrapper function for tdb_fetch taking the name of the node in
the data base as a parameter. Let it return a data pointer and the
length of the data via a length pointer provided as additional
parameter.
Move logging of the TDB access from the callers into the wrapper.
This enables to make set_tdb_key() and tdb_ctx static.
This is in preparation to replace TDB with a more simple data storage.
tools/xenstore: switch get_acc_data() to use name instead of key
Eliminate further TDB_DATA usage by switching get_acc_data() and
get_acc_domid() from a TDB key to the name of the node in the data base
as a parameter.
This is in preparation to replace TDB with a more simple data storage.
tools/xenstore: rename do_tdb_write() and change parameter type
Rename do_tdb_write() to db_write() and replace the key parameter with
db_name specifying the name of the node in the data base, and the data
parameter with a data pointer and a length.
Do the same key parameter type change for write_node_raw(), too.
This is in preparation to replace TDB with a more simple data storage.
Just like it's done for the XEN_DOMCTL_memory_mapping hypercall, add
the permissions checks to vPCI map_range(), which is used to map the
BARs into the domain p2m.
Adding those checks requires that for x86 PVH hardware domain builder
the permissions are set before initializing the IOMMU, or else
attempts to initialize vPCI done as part of IOMMU device setup will
fail due to missing permissions to create the BAR mappings.
While moving the call to dom0_setup_permissions() convert the panic()
used for error handling to a printk, the caller will already panic if
required.
In case get_spec_node() is being called for a special node starting
with '@' it won't set *canonical_name. This can result in a crash of
xenstored due to dereferencing the uninitialized name in
fire_watches().
This is no security issue as it requires either a privileged caller or
ownership of the special node in question by an unprivileged caller
(which is questionable, as this would make the owner privileged in some
way).
Fixes: d6bb63924fc2 ("tools/xenstore: introduce dummy nodes for special watch paths")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
On typical Power VMs (e.g. QEMU's -M pseries), a variety of services
including an early serial console are provided by Open Firmware.
Implement the required interfaces to call into Open Firmware and write
to the serial console.
Since Open Firmware runs in 32-bit Big Endian mode and Xen runs in
64-bit Little Endian mode, a thunk is required to save/restore
any potentially-clobbered registers as well as to perform the
required endianness switch. Thankfully, Linux already has such
a routine, which was imported into ppc64/of-call.S.
Support for bare metal (PowerNV) will be implemented in a future
patch.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Peter Hoyes [Thu, 27 Jul 2023 07:47:33 +0000 (09:47 +0200)]
tools/console: Add escape argument to configure escape character
Dom0 may be accessed via telnet, meaning the default escape character
(which is the same as telnet's) cannot be directly used to exit the
console. It would be helpful to make the escape character customizable
in such use cases.
Add --escape argument to console tool for this purpose.
Add argument to getopt options, parse and validate the escape character
and pass value to console_loop.
If --escape is not specified, it falls back to the existing behavior
using DEFAULT_ESCAPE_SEQUENCE.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Hongda Deng <hongda.deng@arm.com>
Add two pipelines that analyze an ARM64 and a X86_64 build with the
ECLAIR static analyzer on the guidelines contained in Set1.
The analysis configuration is stored in automation/eclair_analysis.
All commits on the xen-project/xen:staging branch will be analyzed
and their artifacts will be stored indefinitely; the integration will
report differential information with respect to the previous analysis.
All commits on other branches or repositories will be analyzed and
only the last ten artifacts will be kept; the integration will report
differential information with respect to the analysis done on the common
ancestor with xen-project/xen:staging (if available).
Currently the pipeline variable ENABLE_ECLAIR_BOT is set to "n".
Doing so disables the generation of comments with the analysis summary
on the commit threads. The variable can be set to "y" if a masked
variable named ECLAIR_BOT_TOKEN is set with the impersonation token of
an account with enough privileges to write on all repositories.
Additionally any repository should be able to read a masked variable
named WTOKEN with the token provided by BUGSENG.
The analysis fails if it contains violations of guidelines tagged as
clean:added. The list of clean guidelines is maintained in
automation/eclair_analysis/ECLAIR/tagging.ecl.
automation: Add xen builds for the ECLAIR analyses
This patch defines an ARM64 and a X86_64 build for the
ECLAIR pipelines.
These files are used by the analyze.sh script in
automation/eclair_analysis: it initially calls prepare.sh,
then runs into an ECLAIR environment build.sh.
Only the toolchain invocations triggered by build.sh
are analyzed; the prepare.sh script is instead intended
to perform all the required operations for building xen
that are not supposed to be analyzed: e.g. dependencies
build.
The files with extension ecl are ECLAIR configurations that
are loaded during the analysis phase or during the report
generation phase: analysis.ecl is the main file for the analysis
phase, while reports.ecl is the one for the report phase.
All other ecl files are included by one of the two main ones.
The actions* scripts implement the integration with the CI server,
they are completely general and can be amended to work with any CI
server. Their presence in xen.git is recommended so that maintenance
would be easier.
analyze.sh is the script that actually triggers the analysis.
xen/kernel: change parameter name in add_taint() definition
Change parameter name from 'flag' to 'taint' for consistency with
the corresponding declaration.
This addresses a violation of MISRA C:2012 Rule 8.3: "All declarations
of an object or function shall use the same names and type qualifiers".
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen/event: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen: use parameter name 'mcs' in arch_do_multicall_call()
Make function declaration and definition consistent using the same
parameter name ('mcs' to denote a pointer to an 'mc_state').
This addresses a violation of MISRA C:2012 Rule 8.3: "All declarations
of an object or function shall use the same names and type qualifiers".
Andrew Cooper [Wed, 19 Jul 2023 12:37:37 +0000 (13:37 +0100)]
x86/boot: Update construct_dom0() to take a const char *cmdline
With hvm_copy_to_guest_*() able to use const sources, update construct_dom0()
and friends to pass a const cmdline pointer. Nothing in these paths has a
reason to be modifying the command line passed in.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 19 Jul 2023 10:57:46 +0000 (11:57 +0100)]
xen/x86: Use const char * for string literals (2)
This hunk was accidentally missing from a previous change.
Fixes: d642c0706678 ("xen/x86: Use const char * for string literals")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 19 Jul 2023 10:30:56 +0000 (11:30 +0100)]
x86/hvm: Allow hvm_copy_to_guest_*() to come from const sources
The work to fix MISRA rule 7.4 (using mutable pointers to string literals)
identifies that string literals do indeed get passed into
hvm_copy_to_guest_linear() by way of the PVH dom0 command line.
This highlights that the copy_to_* helpers really ought to take a const
source. Update the function types to match, and cast away constness in the
wrappers around __hvm_copy() where HVMCOPY_to_guest is used.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 25 Jul 2023 15:32:35 +0000 (16:32 +0100)]
xen: Drop the (almost) unused extern start[]
This global variable is shadowed by plenty of local variables, violating MISRA
rule 5.3. Some architectures happen to have a symbol by the name of start in
their head.S's, but it's not a useful symbol to reference from C.
In fact, the single use of the global start[] in RISC-V means to use _start[]
as the linker symbol at the beginning of the .text section, not the function
which happens to be in the same location.
Fix RISC-V to use the right symbol for its calculation, and drop the extern.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Andrew Cooper [Wed, 17 May 2023 09:13:36 +0000 (10:13 +0100)]
x86/cpu-policy: Advertise MSR_ARCH_CAPS to guests by default
With xl/libxl now able to control the policy bits for MSR_ARCH_CAPS, it is
safe to advertise to guests by default. In turn, we don't need the special
case to expose details to dom0.
This advertises MSR_ARCH_CAPS to guests on *all* Intel hardware, even if the
register content ends up being empty.
- Advertising ARCH_CAPS and not RSBA signals "retpoline is safe here and
  everywhere you might migrate to". This is important because it avoids the
  guest kernel needing to rely on model checks.
- Alternatively, levelling for safety across the Broadwell/Skylake divide
  requires advertising ARCH_CAPS and RSBA, meaning "retpoline not safe on
  some hardware you might migrate to".
On Cascade Lake and later hardware, guests can now see RDCL_NO (not vulnerable
to Meltdown) amongst others. This causes substantial performance
improvements, as guests are no longer applying software mitigations in cases
where they don't need to.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
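Added example, not part of the Xen commit or source tree: a guest-side sketch in C of the decision the two bullets in the commit message above describe, including the "advertised but empty" case. The bit positions are the architectural ones for IA32_ARCH_CAPABILITIES; struct guest_view, the verdict enum and the four scenarios are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bits of IA32_ARCH_CAPABILITIES (MSR 0x10a). */
#define ARCH_CAPS_RDCL_NO (1ULL << 0) /* not vulnerable to Meltdown */
#define ARCH_CAPS_RSBA    (1ULL << 2) /* RSB may fall back to other predictors */

/* Hypothetical summary of what a guest can enumerate (not a Xen structure). */
struct guest_view {
    bool     has_arch_caps; /* CPUID.7[0].EDX bit 29: the MSR exists */
    uint64_t arch_caps;     /* MSR value; only meaningful if has_arch_caps */
};

enum verdict { RETPOLINE_SAFE, RETPOLINE_UNSAFE, MODEL_CHECK_NEEDED };

/* Retpoline decision as described in the commit message's two bullets. */
enum verdict retpoline_verdict(const struct guest_view *g)
{
    if (!g->has_arch_caps)
        return MODEL_CHECK_NEEDED; /* guest can only guess from family/model */
    return (g->arch_caps & ARCH_CAPS_RSBA) ? RETPOLINE_UNSAFE : RETPOLINE_SAFE;
}

/* RDCL_NO is only visible when the MSR itself is advertised. */
bool sees_rdcl_no(const struct guest_view *g)
{
    return g->has_arch_caps && (g->arch_caps & ARCH_CAPS_RDCL_NO);
}

int main(void)
{
    /* Constructed scenarios, not captured from real hardware. */
    static const struct { const char *name; struct guest_view g; } cases[] = {
        { "MSR hidden (old default)",   { false, 0 } },
        { "advertised, empty register", { true,  0 } },
        { "levelled across BDW/SKL",    { true,  ARCH_CAPS_RSBA } },
        { "Cascade Lake or later",      { true,  ARCH_CAPS_RDCL_NO } },
    };
    static const char *const text[] = { "safe", "unsafe", "needs model check" };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-28s retpoline: %-18s RDCL_NO seen: %d\n", cases[i].name,
               text[retpoline_verdict(&cases[i].g)], sees_rdcl_no(&cases[i].g));
    return 0;
}
```

The second scenario is the one the commit message calls out: an empty register is still a definite answer, whereas a hidden MSR leaves the guest with model checks that say nothing about migration targets.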
Introduce support for handling MSR features in
libxl_cpuid_parse_config(). The MSR policies are added to the
libxl_cpuid_policy like the CPUID one, which gets passed to
xc_cpuid_apply_policy().
This allows existing users of libxl to provide MSR related features as
key=value pairs to libxl_cpuid_parse_config() without requiring the
usage of a different API.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
libxl: use the cpuid feature names from cpufeatureset.h
The current implementation in libxl_cpuid_parse_config() requires
keeping a list of cpuid feature bits that should be mostly in sync
with the contents of cpufeatureset.h.
Avoid such duplication by using the automatically generated list of
cpuid features in INIT_FEATURE_NAMES in order to map feature names to
featureset bits, and then translate from featureset bits into cpuid
leaf, subleaf, register tuple.
Note that the full contents of the previous cpuid translation table
can't be removed. That's because some feature names allowed by libxl
are not described in the featuresets, or because naming has diverged
and the previous nomenclature is preserved for compatibility reasons.
Should result in no functional change observed by callers, albeit some
new cpuid features will be available as a result of the change.
While there constify cpuid_flags name field.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
libxl: split logic to parse user provided CPUID features
Move the CPUID value parsers out of libxl_cpuid_parse_config() into a
newly created cpuid_add() local helper. This is in preparation for
also adding MSR feature parsing support.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Add a new array field to libxl_cpuid_policy in order to store the MSR
policies.
Adding the MSR data in the libxl_cpuid_policy_list type is done so
that existing users can seamlessly pass MSR features as part of the
CPUID data, without requiring the introduction of a separate
domain_build_info field, and a new set of handler functions.
Note that support for parsing the old JSON format is kept, as that's
required in order to restore domains or received migrations from
previous tool versions. Differentiation between the old and the new
formats is done based on whether the contents of the 'cpuid' field is
an array or a map JSON object.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Currently libxl_cpuid_policy_list is an opaque type to the users of
libxl, and internally it's an array of xc_xend_cpuid objects.
Change the type to instead be a structure that contains one array for
CPUID policies, in preparation for it also holding another array for
MSR policies.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
libs/guest: introduce support for setting guest MSRs
Like it's done with CPUID, introduce support for passing MSR values to
xc_cpuid_apply_policy(). The chosen format for expressing MSR policy
data matches the current one used for CPUID. Note that existing
callers of xc_cpuid_apply_policy() can pass NULL as the value for the
newly introduced 'msr' parameter in order to preserve the same
functionality, and in fact that's done in libxl on this patch.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
docs/misra: document the usage of array range initializers
The usage of a documented GNU extension that allows a range of elements
in an array to be initialized to the same value using a designated
initializer is added to this document, to fully comply with
MISRA C:2012 Rule 1.1.
Leo Yan [Mon, 24 Jul 2023 08:52:11 +0000 (16:52 +0800)]
docs: Correct name for xen-command-line.pandoc
In the commit d661611d08 ("docs/markdown: Switch to using pandoc, and
fix underscore escaping"), the documentation suffix was changed from
".markdown" to ".pandoc"; however, the reference was missed to update.
This patch updates the documentation name to xen-command-line.pandoc.
Fixes: d661611d08 ("docs/markdown: Switch to using pandoc, and fix underscore escaping") Signed-off-by: Leo Yan <leo.yan@linaro.org> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
xen/cpu: change parameter name in __cpu_up() declaration
Change parameter name from 'cpunum' to 'cpu' to keep consistency with
the name used in the corresponding definitions thus addressing a
violation of MISRA C:2012 Rule 8.3: "All declarations of an object or
function shall use the same names and type qualifiers".
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Rule 1.1 is uncontroversial and we are already following it.
Rule 5.6 has been deemed a good rule to have by the MISRA C group.
However, we do have a significant amount of violations that will take
time to resolve and might require partial deviations in the form of
in-code comments or MISRA C scanners special configurations (ECLAIR).
For new code, we want this rule to generally apply hence the addition to
docs/misra/rules.rst.
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Mon, 22 May 2023 22:03:00 +0000 (23:03 +0100)]
x86/amd: Mitigations for Zenbleed
Zenbleed is a malfunction on AMD Zen2 uarch parts which results in corruption
of the vector registers. An attacker can trigger this bug deliberately in
order to access stale data in the physical vector register file. This can
include data from sibling threads, or a higher-privilege context.
Microcode is the preferred mitigation but in the case that's not available use
the chickenbit as instructed by AMD. Re-evaluate the mitigation on late
microcode load too.
This is XSA-433 / CVE-2023-20593.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Update ppc64/head.S to set up an initial boot stack, zero the .bss
section, and jump to C. The required setup is done using 32-bit
immediate address loads for now, but they will be changed to
TOC-relative loads once the position-independent code model is enabled.
Additionally, move the cpu0_boot_stack declaration to setup.c and change
STACK_ORDER from 2 to 0. For now, ppc64 is using 64k pages and thus the
larger STACK_ORDER is unnecessary.
Finally, refactor the endian fixup trampoline into its own macro, since it
will need to be used in multiple places, including every time we make a
call into firmware.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com> Acked-by: Jan Beulich <jbeulich@suse.com>
common: Move a few more standalone macros from xen/lib.h to xen/macros.h
Move a few more macros which have no dependencies on other headers from
xen/lib.h to xen/macros.h. Notably, this includes BUILD_BUG_ON* and
ARRAY_SIZE.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
x86/cpu-policy: address violations of MISRA C:2012 Rule 8.3 on parameter names
Change parameter names in function declarations to be consistent with
the ones used in the corresponding definitions, thus addressing
violations of MISRA C:2012 Rule 8.3: "All declarations of an object or
function shall use the same names and type qualifiers".
libxl: arm: Add grant_usage parameter for virtio devices
Currently, the grant mapping related device tree properties are added if
the backend domain is not Dom0. While Dom0 is privileged and can do
foreign mapping for the entire guest memory, it is still desired for
Dom0 to access guest's memory via grant mappings and hence map only what
is required.
This commit adds the "grant_usage" parameter for virtio devices, which
provides better control over the functionality.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: George Dunlap <george.dunlap@cloud.com>
The fix for XSA-417 had a bug: domain_alloc_permrefs() will not return
a negative value in case of an error, but a plain errno value.
Note this is not considered to be a security issue, as the only case
where domain_alloc_permrefs() will return an error is a failed memory
allocation. As a guest should not be able to drive Xenstore out of
memory, this is NOT a problem a guest can trigger at will.
x86/mtrr: address violations of MISRA C:2012 Rule 8.3 on parameter types
Change parameter types of function declarations to be consistent with
the ones used in the corresponding definitions,
thus addressing violations of MISRA C:2012 Rule 8.3 ("All declarations
of an object or function shall use the same names and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
x86/HVM: address violations of MISRA C:2012 Rules 8.2 and 8.3
Give a name to unnamed parameters thus addressing violations of
MISRA C:2012 Rule 8.2 ("Function types shall be in prototype form with
named parameters").
Keep consistency between parameter names and types used in function
declarations and the ones used in the corresponding function
definitions, thus addressing violations of MISRA C:2012 Rule 8.3
("All declarations of an object or function shall use the same names
and type qualifiers").
No functional changes.
Signed-off-by: Federico Serafini <federico.serafini@bugseng.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Fri, 21 Jul 2023 06:31:09 +0000 (08:31 +0200)]
x86/vRTC: move and tidy convert_hour() and {to,from}_bcd()
This is to avoid the need for forward declarations, which in turn
addresses a violation of MISRA C:2012 Rule 8.3 ("All declarations of an
object or function shall use the same names and type qualifiers").
While doing so,
- drop inline (leaving the decision to the compiler),
- add const,
- add unsigned,
- correct style.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
MISRA C:2012 Rule 4.1 has the following headline:
"Octal and hexadecimal escape sequences shall be terminated."
The string literals modified by this patch contain octal or
hexadecimal escape sequences that are neither terminated by the
end of the literal, nor by the beginning of another escape sequence.
Therefore, such unterminated sequences have been split into a
separate literal as a way to comply with the rule and preserve the
semantics of the code.