Jan Beulich [Wed, 26 May 2021 07:33:02 +0000 (09:33 +0200)]
x86/guest: fix build when HVM and !PV32
The commit referenced below still wasn't careful enough - with COMPAT we
will have a compat_handle_okay() visible already, which we first need to
get rid of.
Fixes: bd1e7b47bac0 ("x86/shim: fix build when !PV32") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Connor Davis [Mon, 24 May 2021 14:34:28 +0000 (08:34 -0600)]
automation: Add container for riscv64 builds
Add a container for cross-compiling xen to riscv64.
This just includes the cross-compiler and necessary packages for
building xen itself (packages for tools, stubdoms, etc., can be
added later).
Signed-off-by: Connor Davis <connojdavis@gmail.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 25 May 2021 07:08:43 +0000 (09:08 +0200)]
x86/shadow: fix DO_UNSHADOW()
When adding the HASH_CALLBACKS_CHECK() I failed to properly recognize
the (somewhat unusually formatted) if() around the call to
hash_domain_foreach()). Gcc 11 is absolutely right in pointing out the
apparently misleading indentation. Besides adding the missing braces,
also adjust the two oddly formatted if()-s in the macro.
Fixes: 90629587e16e ("x86/shadow: replace stale literal numbers in hash_{vcpu,domain}_foreach()") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Tim Deegan <tim@xen.org>
Dario Faggioli [Tue, 18 May 2021 16:42:45 +0000 (18:42 +0200)]
automation: fix dependencies on openSUSE Tumbleweed containers
Fix the build inside our openSUSE Tumbleweed container by using
adding libzstd headers. While there, remove the explicit dependency
for python and python3 as the respective -devel packages will pull
them in anyway.
Signed-off-by: Dario Faggioli <dfaggioli@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Dario Faggioli [Tue, 18 May 2021 16:42:39 +0000 (18:42 +0200)]
automation: use DOCKER_CMD for building containers too
Use DOCKER_CMD from the environment (if defined) in the containers'
makefile too, so that, e.g., when doing `export DOCKED_CMD=podman`
podman is used for building the containers too.
Signed-off-by: Dario Faggioli <dfaggioli@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Julien Grall [Tue, 18 May 2021 17:03:05 +0000 (18:03 +0100)]
tools/libs: guest: Fix Arm build after 8fc4916daf2a
Gitlab CI spotted an issue when building the tools Arm:
xg_dom_arm.c: In function 'meminit':
xg_dom_arm.c:401:50: error: passing argument 3 of 'set_mode' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
401 | rc = set_mode(dom->xch, dom->guest_domid, dom->guest_type);
| ~~~^~~~~~~~~~~~
This is because the const was not propagated in the Arm code. Fix it
by constifying the 3rd parameter of set_mode().
Fixes: 8fc4916daf2a ("tools/libs: guest: Use const whenever we point to literal strings") Signed-off-by: Julien Grall <jgrall@amazon.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Juergen Gross [Tue, 18 May 2021 06:19:07 +0000 (08:19 +0200)]
tools/xenstore: simplify xenstored main loop
The main loop of xenstored is rather complicated due to different
handling of socket and ring-page interfaces. Unify that handling by
introducing interface type specific functions can_read() and
can_write().
Take the opportunity to remove the empty list check before calling
write_messages() because the function is already able to cope with an
empty list.
xen/arm: kernel: Propagate the error if we fail to decompress the kernel
Currently, we are ignoring any error from perform_gunzip() and replacing
the compressed kernel with the "uncompressed" kernel.
If there is a gzip failure, then it means that the output buffer may
contain garbagge. So it can result to various sort of behavior that may
be difficult to root cause.
In case of failure, free the output buffer and propagate the error.
We also need to adjust the return check for kernel_compress() as
perform_gunzip() may return a positive value.
Take the opportunity to adjust the code style for the check.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@arm.com>
Connor Davis [Mon, 17 May 2021 13:43:19 +0000 (15:43 +0200)]
xen: fix build when !CONFIG_GRANT_TABLE
Move struct grant_table; in grant_table.h above
ifdef CONFIG_GRANT_TABLE. This fixes the following:
/build/xen/include/xen/grant_table.h:84:50: error: 'struct grant_table'
declared inside parameter list will not be visible outside of this
definition or declaration [-Werror]
84 | static inline int mem_sharing_gref_to_gfn(struct grant_table *gt,
|
Signed-off-by: Connor Davis <connojdavis@gmail.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 17 May 2021 13:42:00 +0000 (15:42 +0200)]
x86/shim: fix build when !PV32
In this case compat headers don't get generated (and aren't needed).
The changes made by 527922008bce ("x86: slim down hypercall handling
when !PV32") also weren't quite sufficient for this case.
Try to limit #ifdef-ary by introducing two "fallback" #define-s.
Fixes: d23d792478db ("x86: avoid building COMPAT code when !HVM && !PV32") Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 17 May 2021 13:41:28 +0000 (15:41 +0200)]
x86emul: fix test harness build for gas 2.36
All of the sudden, besides .text and .rodata and alike, an always
present .note.gnu.property section has appeared. This section, when
converting to binary format output, gets placed according to its
linked address, causing the resulting blobs to be about 128Mb in size.
The resulting headers with a C representation of the binary blobs then
are, of course all a multiple of that size (and take accordingly long
to create). I didn't bother waiting to see what size the final
test_x86_emulator binary then would have had.
See also https://sourceware.org/bugzilla/show_bug.cgi?id=27753.
Rather than figuring out whether gas supports -mx86-used-note=, simply
remove the section while creating *.bin.
Jan Beulich [Mon, 17 May 2021 13:40:53 +0000 (15:40 +0200)]
x86/AMD: also determine L3 cache size
For Intel CPUs we record L3 cache size, hence we should also do so for
AMD and alike.
While making these additions, also make sure (throughout the function)
that we don't needlessly overwrite prior values when the new value to be
stored is zero.
Jan Beulich [Mon, 17 May 2021 13:38:39 +0000 (15:38 +0200)]
build: centralize / unify asm-offsets generation
Except for an additional prereq Arm and x86 have the same needs here,
and Arm can also benefit from the recent x86 side improvement. Recurse
into arch/*/ only for a phony include target (doing nothing on Arm),
and handle asm-offsets itself entirely locally to xen/Makefile.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Julien Grall <jgrall@amazon.com>
Andrew Cooper [Thu, 13 May 2021 15:43:27 +0000 (16:43 +0100)]
Revert "x86/PV32: avoid TLB flushing after mod_l3_entry()" and "x86/PV: restrict TLB flushing after mod_l[234]_entry()"
These reintroduce XSA-286 / CVE-2018-15469, as confirmed by the xsa-286 XTF
test run by OSSTest.
The TLB flushing is for Xen's correctness, not the guest's.
The text in c/s bed7e6cad30 is technically correct, from the guests point of
view, but clearly false as far as XSA-286 is concerned. That said, it is edcfce55917 which introduced the regression, which demonstrates that the
reasoning is flawed.
The sysconfig variable XENSTORED_ROOTDIR is not used anymore.
It used to point to a directory with tdb files, which is now a tmpfs.
In case the database is not in tmpfs, like on sysv and BSD systems,
xenstored will truncate existing database files during start.
Fixes: 2ef6ace428 ("tools: don't remove tdb data base file before starting xenstored") Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wl@xen.org>
OP-TEE mediator already have support for NULL memory references. It
was added in patch 0dbed3ad336 ("optee: allow plain TMEM buffers with
NULL address"). But it does not propagate
OPTEE_SMC_SEC_CAP_MEMREF_NULL capability flag to a guest, so well
behaving guest can't use this feature.
Note: linux optee driver honors this capability flag when handling
buffers from userspace clients, but ignores it when working with
internal calls. For instance, __optee_enumerate_devices() function
uses NULL argument to get buffer size hint from OP-TEE. This was the
reason, why "optee: allow plain TMEM buffers with NULL address" was
introduced in the first place.
This patch adds the mentioned capability to list of known
capabilities. From Linux point of view it means that userspace clients
can use this feature, which is confirmed by OP-TEE test suite:
* regression_1025 Test memref NULL and/or 0 bytes size
o regression_1025.1 Invalid NULL buffer memref registration
regression_1025.1 OK
o regression_1025.2 Input/Output MEMREF Buffer NULL - Size 0 bytes
regression_1025.2 OK
o regression_1025.3 Input MEMREF Buffer NULL - Size non 0 bytes
regression_1025.3 OK
o regression_1025.4 Input MEMREF Buffer NULL over PTA invocation
regression_1025.4 OK
regression_1025 OK
Julien Grall [Mon, 10 May 2021 17:28:16 +0000 (18:28 +0100)]
tools/xenstore: Fix indentation in the header of xenstored_control.c
Commit e867af081d94 "tools/xenstore: save new binary for live update"
seemed to have spuriously changed the indentation of the first line of
the copyright header.
The previous indentation is re-instated so all the lines are indented
the same.
Julien Grall [Thu, 6 May 2021 16:12:23 +0000 (17:12 +0100)]
tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()
ASAN reported one issue when Live Updating Xenstored:
=================================================================
==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
WRITE of size 1 at 0x7ffc194f53e0 thread T0
#0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
#1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
#2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
#3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
#4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
#5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
#6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
#7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
#8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
#0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
This frame has 2 object(s):
[32, 40) 'head' (line 1233)
[64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
This is happening because the callers are passing a pointer to a variable
allocated on the stack. However, the field perms is a dynamic array, so
Xenstored will end up to read outside of the variable.
Rework the code so the permissions are written one by one in the fd.
Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update") Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Juergen Gross <jgross@suse.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Michal Orzel [Wed, 5 May 2021 07:43:07 +0000 (09:43 +0200)]
arm/time,vtimer: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify type of vtimer structure's member: ctl to register_t.
Add macro CNTFRQ_MASK containing mask for timer clock frequency
field of CNTFRQ_EL0 register.
Modify CNTx_CTL_* macros to return unsigned long instead of
unsigned int as ctl is now of type register_t.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Acked-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:43:06 +0000 (09:43 +0200)]
arm/page: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify accesses to CTR_EL0 to use READ/WRITE_SYSREG.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:43:04 +0000 (09:43 +0200)]
arm/p2m: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify type of vtcr to register_t.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:43:03 +0000 (09:43 +0200)]
arm/gic: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify types of following members of struct gic_v3 to register_t:
-vmcr
-sre_el1
-apr0
-apr1
Add new macro GICC_IAR_INTID_MASK containing the mask
for INTID field of ICC_IAR0/1_EL1 register as only the first 23-bits
of IAR contains the interrupt number. The rest are RES0.
Therefore, take the opportunity to mask the bits [23:31] as
they should be used for an IRQ number (we don't know how the top bits
will be used).
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Acked-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:43:01 +0000 (09:43 +0200)]
arm: Modify type of actlr to register_t
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
ACTLR_EL1 system register bits are implementation defined
which means it is possibly a latent bug on current HW as the CPU
implementer may already have decided to use the top 32bit.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:43:00 +0000 (09:43 +0200)]
arm/domain: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify type of register cntkctl to register_t.
Thumbee registers are only usable by a 32-bit domain and therefore
we can just store the bottom 32-bit (IOW there is no type change).
In fact, this could technically be restricted to Armv7 HW (the
support was dropped retrospectively in Armv8) but leave it as-is
for now.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Michal Orzel [Wed, 5 May 2021 07:42:59 +0000 (09:42 +0200)]
arm64/vfp: Get rid of READ/WRITE_SYSREG32
AArch64 registers are 64bit whereas AArch32 registers
are 32bit or 64bit. MSR/MRS are expecting 64bit values thus
we should get rid of helpers READ/WRITE_SYSREG32
in favour of using READ/WRITE_SYSREG.
We should also use register_t type when reading sysregs
which can correspond to uint64_t or uint32_t.
Even though many AArch64 registers have upper 32bit reserved
it does not mean that they can't be widen in the future.
Modify type of FPCR, FPSR, FPEXC32_EL2 to register_t.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
Olaf Hering [Mon, 3 May 2021 15:47:12 +0000 (17:47 +0200)]
tools: add newlines to xenstored WRL_LOG
According to syslog(3) the fmt string does not need a newline.
The mini-os implementation of syslog requires the trailing newline.
Other calls to syslog do include the newline already, add it also to WRL_LOG.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Juergen Gross <jgross@suse.com>
Jason Andryuk [Thu, 6 May 2021 13:59:23 +0000 (09:59 -0400)]
vtpm: Correct timeout units and command duration
Add two patches:
vtpm-microsecond-duration.patch fixes the units for timeouts and command
durations.
vtpm-command-duration.patch increases the timeout linux uses to allow
commands to succeed.
Linux works around low timeouts, but not low durations. The second
patch allows commands to complete that often timeout with the lower
command durations.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:22 +0000 (09:59 -0400)]
vtpmmgr: Check req_len before unpacking command
vtpm_handle_cmd doesn't ensure there is enough space before unpacking
the req buffer. Add a minimum size check. Called functions will have
to do their own checking if they need more data from the request.
The error case is tricky since abort_egress wants to rely with a
corresponding tag. Just hardcode TPM_TAG_RQU_COMMAND since the vtpm is
sending in malformed commands in the first place.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:21 +0000 (09:59 -0400)]
vtpmmgr: Fix owner_auth & srk_auth parsing
Argument parsing only matches to before ':' and then the string with
leading ':' is passed to parse_auth_string which fails to parse. Extend
the length to include the seperator in the match.
While here, switch the seperator to "=". The man page documented "="
and the other tpm.* arguments already use "=". Since it didn't work
before, we don't need to worry about backwards compatibility.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:20 +0000 (09:59 -0400)]
vtpmmgr: Remove bogus cast from TPM2_GetRandom
The UINT32 <-> UINT16 casting in TPM2_GetRandom is incorrect. Use a
local UINT16 as needed for the TPM hardware command and assign the
result.
Suggested-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:19 +0000 (09:59 -0400)]
vtpmmgr: Support GetRandom passthrough on TPM 2.0
GetRandom passthrough currently fails when using vtpmmgr with a hardware
TPM 2.0.
vtpmmgr (8): INFO[VTPM]: Passthrough: TPM_GetRandom
vtpm (12): vtpm_cmd.c:120: Error: TPM_GetRandom() failed with error code (30)
When running on TPM 2.0 hardware, vtpmmgr needs to convert the TPM 1.2
TPM_ORD_GetRandom into a TPM2 TPM_CC_GetRandom command. Besides the
differing ordinal, the TPM 1.2 uses 32bit sizes for the request and
response (vs. 16bit for TPM2).
Place the random output directly into the tpmcmd->resp and build the
packet around it. This avoids bouncing through an extra buffer, but the
header has to be written after grabbing the random bytes so we have the
number of bytes to include in the size.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:18 +0000 (09:59 -0400)]
vtpmmgr: Shutdown more gracefully
vtpmmgr uses the default, weak app_shutdown, which immediately calls the
shutdown hypercall. This short circuits the vtpmmgr clean up logic. We
need to perform the clean up to actually Flush our key out of the tpm.
Setting do_shutdown is one step in that direction, but vtpmmgr will most
likely be waiting in tpmback_req_any. We need to call shutdown_tpmback
to cancel the wait inside tpmback and perform the shutdown.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibaut@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:17 +0000 (09:59 -0400)]
vtpmmgr: Flush all transient keys
We're only flushing 2 transients, but there are 3 handles. Use <= to also
flush the third handle since TRANSIENT_LAST is inclusive
The number of transient handles/keys is hardware dependent, so this
should query for the limit. And assignment of handles is assumed to be
sequential from the minimum. That may not be guaranteed, but seems okay
with my tpm2.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:16 +0000 (09:59 -0400)]
vtpmmgr: Flush transient keys on shutdown
Remove our key so it isn't left in the TPM for someone to come along
after vtpmmgr shutsdown.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:14 +0000 (09:59 -0400)]
vtpmmgr: Allow specifying srk_handle for TPM2
Bypass taking ownership of the TPM2 if an srk_handle is specified.
This srk_handle must be usable with Null auth for the time being.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:15 +0000 (09:59 -0400)]
vtpmmgr: Move vtpmmgr_shutdown
Reposition vtpmmgr_shutdown so it can call flush_tpm2 without a forward
declaration.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:13 +0000 (09:59 -0400)]
stubom: newlib: Enable C99 formats for %z
vtpmmgr was changed to print size_t with the %z modifier, but newlib
isn't compiled with %z support. So you get output like:
root seal: zu; sector of 13: zu
root: zu v=zu
itree: 36; sector of 112: zu
group: zu v=zu id=zu md=zu
group seal: zu; 5 in parent: zu; sector of 13: zu
vtpm: zu+zu; sector of 48: zu
Enable the C99 formats in newlib so vtpmmgr prints the numeric values.
Fixes: 9379af08ccc0 ("stubdom: vtpmmgr: Correctly format size_t with %z when printing.") Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:12 +0000 (09:59 -0400)]
vtpmmgr: Print error code to aid debugging
tpm_get_error_name returns "Unknown Error Code" when an error string
is not defined. In that case, we should print the Error Code so it can
be looked up offline. tpm_get_error_name returns a const string, so
just have the two callers always print the error code so it is always
available.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jason Andryuk [Thu, 6 May 2021 13:59:11 +0000 (09:59 -0400)]
docs: Warn about incomplete vtpmmgr TPM 2.0 support
The vtpmmgr TPM 2.0 support is incomplete. Add a warning about that to
the documentation so others don't have to work through discovering it is
broken.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Jan Beulich [Fri, 7 May 2021 08:45:14 +0000 (10:45 +0200)]
Arm/optee: don't open-code xzalloc_flex_struct()
The current use of xzalloc_bytes() in optee is nearly an open-coded
version of xzalloc_flex_struct(), which was introduced after the driver
was merged.
The main difference is xzalloc_bytes() will also force the allocation to
be SMP_CACHE_BYTES aligned and therefore avoid sharing the cache line.
While sharing the cache line can have an impact on the performance, this
is also true for most of the other users of x*alloc(), x*alloc_array(),
and x*alloc_flex_struct(). So if we want to prevent sharing cache lines,
arranging for this should be done in the allocator itself.
In this case, we don't need stricter alignment than what the allocator
provides. Hence replace the call to xzalloc_bytes() with one of
xzalloc_flex_struct().
Roger Pau Monné [Fri, 7 May 2021 08:43:29 +0000 (10:43 +0200)]
x86/vhpet: fix RTC special casing
Restore setting the virtual timer callback private data to NULL if the
timer is not level triggered. This fixes the special casing done in
pt_update_irq so that the RTC interrupt when originating from the HPET
is suspended if the interrupt source is masked.
Note the RTC special casing done in pt_update_irq should only apply to
the RTC interrupt originating from the emulated RTC device (which does
set the callback private data), as in that case the callback itself
will destroy the virtual timer if the interrupt is ignored.
While there also use RTC_IRQ instead of 8 when the HPET is configured
in LegacyReplacement Mode.
Fixes: be07023be115 ("x86/vhpet: add support for level triggered interrupts") Reported-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Wed, 5 May 2021 07:07:30 +0000 (09:07 +0200)]
x86/p2m: please Clang after making certain parts HVM-only
Move a few #ifdef-s, to account for diagnostics like
p2m.c:549:1: error: non-void function does not return a value in all control paths [-Werror,-Wreturn-type]
which appear despite paging_mode_translate() resolving to constant
"false" when !HVM. All of the affected functions are intended to become
fully HVM-only anyway, with their non-translated stub handling split off
elsewhere.
Fixes: 8d012d3ddffc ("x86/p2m: {get,set}_entry hooks and p2m-pt.c are HVM-only") Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Andrew Cooper [Tue, 4 May 2021 18:40:47 +0000 (19:40 +0100)]
libs/guest: Don't hide the indirection on xc_cpu_policy_t
It is bad form in C, perhaps best demonstrated by trying to read
xc_cpu_policy_destroy(), and causes const qualification to have
less-than-obvious behaviour (the hidden pointer becomes const, not the thing
it points at).
xc_cpu_policy_set_domain() needs to drop its (now normal) const qualification,
as the policy object is modified by the serialisation operation.
This also shows up a problem with the x86_cpu_policies_are_compatible(), where
the intermediate pointers are non-const.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Wei Liu [Wed, 5 May 2021 11:45:16 +0000 (11:45 +0000)]
automation: save xen config before building
It is reported that failed randconfig runs are missing the config file
which makes debugging impossible. Fix this by moving the line that
copies the config file before the build is executed.
Signed-off-by: Wei Liu <wl@xen.org> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Andrew Cooper [Fri, 30 Apr 2021 19:17:55 +0000 (20:17 +0100)]
x86/xstate: Elide redundant writes in set_xcr0()
XSETBV is an expensive instruction as, amongst other things, it involves
reconfiguring the instruction decode at the frontend of the pipeline.
We have several paths which reconfigure %xcr0 in quick succession (the context
switch path has 5, including the fpu save/restore helpers), and only a single
caller takes any care to try to skip redundant writes.
Update set_xcr0() to perform amortisation automatically, and simplify the
__context_switch() path as a consequence.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monne [Wed, 17 Mar 2021 16:09:45 +0000 (17:09 +0100)]
libs/guest: introduce helper to check cpu policy compatibility
Such helpers is just a wrapper to the existing
x86_cpu_policies_are_compatible function. This requires building
policy.c from libx86 on user land also.
No user of the interface introduced.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Wed, 17 Mar 2021 15:59:37 +0000 (16:59 +0100)]
libs/guest: allow updating a cpu policy MSR data
Introduce a helper to update the MSR policy using an array of
xen_msr_entry_t entries. Note the MSRs present in the input
xen_msr_entry_t array will replace any existing entries on the
policy.
No user of the interface introduced on this patch.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Wed, 17 Mar 2021 15:49:55 +0000 (16:49 +0100)]
libs/guest: allow updating a cpu policy CPUID data
Introduce a helper to update the CPUID policy using an array of
xen_cpuid_leaf_t entries. Note the leaves present in the input
xen_cpuid_leaf_t array will replace any existing leaves on the policy.
No user of the interface introduced on this patch.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Thu, 18 Mar 2021 10:11:22 +0000 (11:11 +0100)]
libxl: don't ignore the return value from xc_cpuid_apply_policy
Also change libxl__cpuid_legacy to propagate the error from
xc_cpuid_apply_policy into callers.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Ian Jackson [Tue, 9 Mar 2021 15:00:47 +0000 (15:00 +0000)]
SUPPORT.md: Document speculative attacks status of non-shim 32-bit PV
This documents, but does not fix, XSA-370.
Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Signed-off-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 4 May 2021 08:49:59 +0000 (10:49 +0200)]
x86/time: avoid reading the platform timer in rendezvous functions
Reading the platform timer isn't cheap, so we'd better avoid it when the
resulting value is of no interest to anyone.
The consumer of master_stime, obtained by
time_calibration_{std,tsc}_rendezvous() and propagated through
this_cpu(cpu_calibration), is local_time_calibration(). With
CONSTANT_TSC the latter function uses an early exit path, which doesn't
explicitly use the field. While this_cpu(cpu_calibration) (including the
master_stime field) gets propagated to this_cpu(cpu_time).stamp on that
path, both structures' fields get consumed only by the !CONSTANT_TSC
logic of the function.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Tue, 4 May 2021 08:49:22 +0000 (10:49 +0200)]
x86/shim: don't permit HVM and PV_SHIM_EXCLUSIVE at the same time
This combination doesn't really make sense (and there likely are more);
in particular even if the code built with both options set, HVM guests
wouldn't work (and I think one wouldn't be able to create one in the
first place). The alternative here would be some presumably intrusive
#ifdef-ary to get this combination to actually build (but still not
work) again.
Fixes: 8b5b49ceb3d9 ("x86: don't include domctl and alike in shim-exclusive builds") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Rahul Singh [Mon, 3 May 2021 13:30:57 +0000 (15:30 +0200)]
iommu: move iommu_update_ire_from_msi() to xen/iommu.h
Move iommu_update_ire_from_msi(..) from passthrough/pci.c to
xen/iommu.h and wrap it under CONFIG_X86 as it is referenced in x86
code only to avoid compilation error for other architecture when
HAS_PCI is enabled.
No functional change intended.
Signed-off-by: Rahul Singh <rahul.singh@arm.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 3 May 2021 13:30:16 +0000 (15:30 +0200)]
x86/p2m: re-arrange struct p2m_domain
Combine two HVM-specific sections in two cases (i.e. going from four of
them to just two). Make defer_nested_flush bool and HVM-only, moving it
next to other nested stuff. Move default_access up into a padding hole.
When moving them anyway, also adjust comment style.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:29:49 +0000 (15:29 +0200)]
x86/p2m: write_p2m_entry_{pre,post} hooks are HVM-only
Move respective shadow code to its HVM-only source file, thus making it
possible to exclude the hooks as well. This then shows that
shadow_p2m_init() also isn't needed in !HVM builds.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
Jan Beulich [Mon, 3 May 2021 13:29:24 +0000 (15:29 +0200)]
x86/p2m: {get,set}_entry hooks and p2m-pt.c are HVM-only
With the hooks no longer needing setting, p2m_pt_init() degenerates to
(about) nothing when !HVM. As a result, p2m-pt.c doesn't need building
anymore in this case, as long as p2m_pt_init() has proper surrogates put
in place.
Unfortunately this means some new #ifdef-ary in p2m.c, but the mid-term
plan there is to get rid of (almost) all of it by splitting out the then
hopefully very few remaining non-HVM pieces.
While the movement of the paging_mode_translate() check from
p2m_remove_page() to guest_physmap_remove_page() may not be strictly
necessary anymore (it was in an early version of this change), it looks
more logical to live in the latter function, allowing to avoid acquiring
the lock in the PV case. All other callers of p2m_remove_page() already
have such a check anyway (in the altp2m case up the call stack).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:28:53 +0000 (15:28 +0200)]
x86: make mem-paging configurable and default it to off
... for being unsupported.
While doing so, make the option dependent upon HVM, which really is the
main purpose of the change.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Alexandru Isaila <aisaila@bitdefender.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:27:56 +0000 (15:27 +0200)]
x86/p2m: change_entry_type_* hooks are HVM-only
Exclude functions using them from !HVM builds, thus making it possible
to exclude the hooks as well. Also cover the already unused
memory_type_changed hook while inserting the #ifdef in the struct.
While no respective check was there, I can't see how
XEN_DOMCTL_set_broken_page_p2m could have been meant to work for PV the
way it is implemented. Restrict this operation to acting on HVM guests.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:27:42 +0000 (15:27 +0200)]
AMD/IOMMU: guest IOMMU support is for HVM only
Generally all of this is dead code anyway, but there's a caller of
guest_iommu_add_ppr_log(), and the code itself calls
p2m_change_type_one(), which is about to become HVM-only. Hence this
code, short of deleting it altogether, needs to become properly HVM-
only as well.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:26:08 +0000 (15:26 +0200)]
x86/p2m: {,un}map_mmio_regions() are HVM-only
Mirror the "translated" check the functions do to do_domctl(), allowing
the calls to be DCEd by the compiler. Add ASSERT_UNREACHABLE() to the
original checks.
Also arrange for {set,clear}_mmio_p2m_entry() and
{set,clear}_identity_p2m_entry() to respectively live next to each
other, such that clear_mmio_p2m_entry() can also be covered by the
#ifdef already covering set_mmio_p2m_entry().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Mon, 3 May 2021 13:17:19 +0000 (15:17 +0200)]
x86/p2m: set_{foreign,mmio}_p2m_entry() are HVM-only
Extend a respective #ifdef from inside set_typed_p2m_entry() to around
all three functions. Add ASSERT_UNREACHABLE() to the latter one's safety
check path.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Andrew Cooper [Tue, 21 Apr 2020 16:43:56 +0000 (17:43 +0100)]
x86/hvm: Introduce control register handling for CET
Allow CR4.CET to be set, based on the CPUID policy (although these bits are
not selectable yet for VMs). CR4.CET needs interlocing with CR0.WP to
prohibit CET && !WP as a legal combination.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 29 Apr 2021 13:28:43 +0000 (14:28 +0100)]
x86: Always have CR4.PKE set in HVM context
The sole user of read_pkru() is the emulated pagewalk, and guarded behind
guest_pku_enabled() which restricts the path to HVM (hap, even) context only.
The commentary in read_pkru() concerning _PAGE_GNTTAB overlapping with
_PAGE_PKEY_BITS is only applicable to PV guests.
The context switch path, via write_ptbase() unconditionally writes CR4 on any
context switch.
Therefore, we can guarantee to separate CR4.PKE between PV and HVM context at
no extra cost. Set PKE in mmu_cr4_features on boot, so it becomes set in HVM
context, and clear it in pv_make_cr4().
Rename read_pkru() to rdpkru() now that it is a simple wrapper around the
instruction. This saves two CR4 writes on every pagewalk, which typically
occur more than one per emulation.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monne [Wed, 17 Mar 2021 14:30:57 +0000 (15:30 +0100)]
libs/guest: introduce a helper to apply a cpu policy to a domain
Such helper is very similar to the existing xc_set_domain_cpu_policy
interface, but takes an opaque xc_cpu_policy_t instead of arrays of
CPUID leaves and MSRs.
No callers of the interface introduced in this patch.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Mon, 22 Mar 2021 10:59:04 +0000 (11:59 +0100)]
tools: switch existing users of xc_get_{system,domain}_cpu_policy
With the introduction of xc_cpu_policy_get_{system,domain} and
xc_cpu_policy_serialise the current users of
xc_get_{system,domain}_cpu_policy can be switched to the new
interface.
Note that xc_get_{system,domain}_cpu_policy is removed from the public
interface and the functions are made static, since there are still
internal consumers in xg_cpuid_x86.c
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Roger Pau Monne [Wed, 17 Mar 2021 14:31:50 +0000 (15:31 +0100)]
libs/guest: introduce helper to serialize a cpu policy
Such helper allow converting a cpu policy into an array of
xen_cpuid_leaf_t and xen_msr_entry_t elements, which matches the
current interface of the CPUID/MSR functions. This is required in
order for the user to be able to parse the CPUID/MSR data.
No user of the interface introduced in this patch.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Roger Pau Monne [Tue, 16 Mar 2021 15:39:00 +0000 (16:39 +0100)]
libs/guest: introduce xc_cpu_policy_t
Introduce an opaque type that is used to store the CPUID and MSRs
policies of a domain. Such type uses the existing {cpuid,msr}_policy
structures to store the data, but doesn't expose the type to the users
of the xenguest library. There are also two arrays to allow for easier
serialization without requiring an allocation each time.
Introduce an allocation (init) and freeing function (destroy) to
manage the type.
Note the type is not yet used anywhere.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86/oprofile: remove compat accessors usage from backtrace
Remove the unneeded usage of the compat layer to copy frame pointers
from guest address space. Instead just use raw_copy_from_guest.
While there change the accessibility check of one frame_head beyond to
be performed as part of the copy, like it's done in the Linux code in
5.11 and earlier versions. Note it's unclear why this is needed.
Also drop the explicit truncation of the head pointer in the 32bit
case as all callers already pass a zero extended value. The first
value being rsp from the guest registers, and further calls will use
ebp from frame_head_32bit struct.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Thu, 29 Apr 2021 14:04:35 +0000 (16:04 +0200)]
x86: correct comment about alternatives ordering
Unlike Linux, Xen has never (so far) used alternatives patching for
memcpy() or memset(), even less such utilizing multiple alternatives.
Correct the Linux-inherited comment to match reality.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
When restoring limit the maximum leaves to the ones supported by Xen
4.12 in order to not expand the maximum leaves a guests sees. Note
this is unlikely to cause real issues.
Guests restored from Xen versions 4.13 or greater will contain CPUID
data on the stream that will override the values set by
xc_cpuid_apply_policy.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
projects / xen.git / log