Oleksii Kurochko [Mon, 19 Jun 2023 13:47:37 +0000 (15:47 +0200)]
xen/riscv: introduce reset_stack() function
The reason for reset_stack() introduction is that stack should be
reset twice:
1. Before jumping to C world at the start of _start() function.
2. After jumping from 1:1 mapping world.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Roger Pau Monné [Mon, 19 Jun 2023 13:46:03 +0000 (15:46 +0200)]
iommu/vtd: fix address translation for leaf entries
Fix two issues related to leaf address lookups in VT-d:
* When translating an address that falls inside of a superpage in the
IOMMU page tables the fetching of the PTE value wasn't masking of the
contiguous related data, which caused the returned data to be
corrupt as it would contain bits that the caller would interpret as
part of the address.
* When the requested leaf address wasn't mapped by a superpage the
returned value wouldn't have any of the low 12 bits set, thus missing
the permission bits expected by the caller.
Take the opportunity to also adjust the function comment to note that
when returning the full PTE the bits above PADDR_BITS are removed.
Fixes: c71e55501a61 ('VT-d: have callers specify the target level for page table walks') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
xen/arm: p2m: Enable support for 32bit IPA for ARM_32
Refer ARM DDI 0406C.d ID040418, B3-1345,
"A stage 2 translation with an input address range of 31-34 bits can
start the translation either:
- With a first-level lookup, accessing a first-level translation
table with 2-16 entries.
- With a second-level lookup, accessing a set of concatenated
second-level translation tables"
Thus, for 32 bit IPA, there will be no concatenated root level tables.
So, the root-order is 0.
Also, Refer ARM DDI 0406C.d ID040418, B3-1348
"Determining the required first lookup level for stage 2 translations
For a stage 2 translation, the output address range from the stage 1
translations determines the required input address range for the stage 2
translation. The permitted values of VTCR.SL0 are:
0b00 Stage 2 translation lookup must start at the second level.
0b01 Stage 2 translation lookup must start at the first level.
VTCR.T0SZ must indicate the required input address range. The size of
the input address region is 2^(32-T0SZ) bytes."
Thus VTCR.SL0 = 1 (maximum value) and VTCR.T0SZ = 0 when the size of
input address region is 2^32 bytes.
When 32 bit physical addresses are used (ie PHYS_ADDR_T_32=y),
"va >> ZEROETH_SHIFT" causes an overflow.
Also, there is no zeroeth level page table on Arm32.
Also took the opportunity to clean up dump_pt_walk(). One could use
DECLARE_OFFSETS() macro instead of declaring an array of page table
offsets.
xen/arm: guest_walk: LPAE specific bits should be enclosed within "ifndef CONFIG_PHYS_ADDR_T_32"
As the previous patch introduces CONFIG_PHYS_ADDR_T_32 to support 32 bit
physical addresses, the code specific to "Large Physical Address Extension"
(ie LPAE) should be enclosed within "ifndef CONFIG_PHYS_ADDR_T_32".
Refer xen/arch/arm/include/asm/short-desc.h, "short_desc_l1_supersec_t"
unsigned int extbase1:4; /* Extended base address, PA[35:32] */
unsigned int extbase2:4; /* Extended base address, PA[39:36] */
Thus, extbase1 and extbase2 are not valid when 32 bit physical addresses
are supported.
xen/arm: Introduce choice to enable 64/32 bit physical addressing
Some Arm based hardware platforms which does not support LPAE
(eg Cortex-R52), uses 32 bit physical addresses.
Also, users may choose to use 32 bits to represent physical addresses
for optimization.
To support the above use cases, we have introduced arch independent
config to choose if the physical address can be represented using
32 bits (PHYS_ADDR_T_32) or 64 bits (!PHYS_ADDR_T_32).
For now only ARM_32 provides support to enable 32 bit physical
addressing.
When PHYS_ADDR_T_32 is defined, PADDR_BITS is set to 32. Note that we
use "unsigned long" (not "uint32_t") to denote the datatype of physical
address. This is done to avoid using a cast each time PAGE_* macros are
used on paddr_t. For eg PAGE_SIZE is defined as unsigned long. Thus,
each time PAGE_SIZE is used with paddr_t, the result will be
"unsigned long".
On 32-bit architecture, "unsigned long" is 32-bit wide. Thus, it can be
used to denote physical address.
When PHYS_ADDR_T_32 is not defined for ARM_32, PADDR_BITS is set to 40.
For ARM_64, PADDR_BITS is set to 48.
The last two are same as the current configuration used today on Xen.
xen/arm: p2m: Use the pa_range_info table to support arm32 and arm64
Restructure the code so that one can use pa_range_info[] table for both
arm32 as well as arm64.
Also, removed the hardcoding for P2M_ROOT_ORDER and P2M_ROOT_LEVEL as
p2m_root_order can be obtained from the pa_range_info[].root_order and
p2m_root_level can be obtained from pa_range_info[].sl0.
Refer ARM DDI 0406C.d ID040418, B3-1345,
"Use of concatenated first-level translation tables
...However, a 40-bit input address range with a translation granularity of 4KB
requires a total of 28 bits of address resolution. Therefore, a stage 2
translation that supports a 40-bit input address range requires two concatenated
first-level translation tables,..."
Thus, root-order is 1 for 40-bit IPA on arm32.
Refer ARM DDI 0406C.d ID040418, B3-1348,
"Determining the required first lookup level for stage 2 translations
For a stage 2 translation, the output address range from the stage 1
translations determines the required input address range for the stage 2
translation. The permitted values of VTCR.SL0 are:
0b00 Stage 2 translation lookup must start at the second level.
0b01 Stage 2 translation lookup must start at the first level.
VTCR.T0SZ must indicate the required input address range. The size of the input
address region is 2^(32-T0SZ) bytes."
Thus VTCR.SL0 = 1 (maximum value) and VTCR.T0SZ = -8 when the size of input
address region is 2^40 bytes.
Thus, pa_range_info[].t0sz = 1 (VTCR.S) | 8 (VTCR.T0SZ) ie 11000b which is 24.
VTCR.T0SZ, is bits [5:0] for arm64.
VTCR.T0SZ is bits [3:0] and S(sign extension), bit[4] for arm32.
For this, we have used struct bitfields to convert pa_range_info[].t0sz to its
arm32 variant.
pa_range_info[] is indexed by ID_AA64MMFR0_EL1.PARange which is present in Arm64
only. This is the reason we do not specify the indices for arm32. Also, we
duplicated the entry "{ 40, 24/*24*/, 1, 1 }" between arm64 and
arm32. This is done to avoid introducing extra #if-defs.
Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
[julien: Tweak some comments and one check] Acked-by: Julien Grall <jgrall@amazon.com>
Andrew Cooper [Wed, 24 May 2023 14:41:21 +0000 (15:41 +0100)]
x86/cpu-policy: Derive RSBA/RRSBA for guest policies
The RSBA bit, "RSB Alternative", means that the RSB may use alternative
predictors when empty. From a practical point of view, this mean "Retpoline
not safe".
Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a
statement that IBRS is implemented in hardware (as opposed to the form
retrofitted to existing CPUs in microcode).
The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS
property that predictions are tagged with the mode in which they were learnt.
Therefore, it means "when eIBRS is active, the RSB may fall back to
alternative predictors but restricted to the current prediction mode". As
such, it's stronger statement than RSBA, but still means "Retpoline not safe".
CPUs are not expected to enumerate both RSBA and RRSBA.
Add feature dependencies for EIBRS and RRSBA. While technically they're not
linked, absolutely nothing good can come of letting the guest see RRSBA
without EIBRS. Nor a guest seeing EIBRS without IBRSB. Furthermore, we use
this dependency to simplify the max derivation logic.
The max policies gets RSBA and RRSBA unconditionally set (with the EIBRS
dependency maybe hiding RRSBA). We can run any VM, even if it has been told
"somewhere you might run, Retpoline isn't safe".
The default policies are more complicated. A guest shouldn't see both bits,
but it needs to see one if the current host suffers from any form of RSBA, and
which bit it needs to see depends on whether eIBRS is visible or not.
Therefore, the calculation must be performed after sanitise_featureset().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 25 May 2023 19:31:22 +0000 (20:31 +0100)]
x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate
In order to level a VM safely for migration, the toolstack needs to know the
RSBA/RRSBA properties of the CPU, whether or not they happen to be enumerated.
See the code comment for details.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 26 May 2023 09:35:47 +0000 (10:35 +0100)]
x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations()
This is prep work, split out to simply the diff on the following change.
* Rename to retpoline_calculations(), and call unconditionally. It is
shortly going to synthesise missing enumerations required for guest safety.
* For the model check switch statement, store the result in a variable and
break rather than returning directly.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Michal Orzel [Wed, 14 Jun 2023 07:30:18 +0000 (09:30 +0200)]
xen: Append a newline character to panic() where missing
Missing newline is inconsistent with the rest of the callers, since
panic() expects it.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Michal Orzel [Wed, 14 Jun 2023 09:41:44 +0000 (11:41 +0200)]
xen/arm: Remove stray semicolon at VREG_REG_HELPERS/TLB_HELPER* callers
This is inconsistent with the rest of the code where macros are used
to define functions, as it results in an empty declaration (i.e.
semicolon with nothing before it) after function definition. This is also
not allowed by C99.
Take the opportunity to undefine TLB_HELPER* macros after last use.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
xen/arm: traps: remove inlining of handle_ro_raz()
To comply with MISRA C:2012 Rule 8.10 ("An inline function shall be
declared with the static storage class"), remove inline function
specifier from handle_ro_raz() since asking the compiler to inline
such function does not seem to add any kind of value.
Andrew Cooper [Tue, 13 Jun 2023 16:25:42 +0000 (17:25 +0100)]
xen/grant: Purge PIN_FAIL()
The name PIN_FAIL() is poor; it's not used only for pinning failures. More
importantly, it interferes with code legibility by hiding control flow.
Expand and drop it.
* Drop redundant "rc = rc" assignment
* Rework gnttab_copy_buf() to be simpler by dropping the rc variable
As a side effect, this fixes several violations of MISRA rule 2.1 (dead code -
the while() following a goto).
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Mon, 9 May 2022 10:18:20 +0000 (11:18 +0100)]
x86/shadow: Don't use signed bitfield in sh_emulate_ctxt
'int' bitfields in particular have implementation defined behaviour under gcc
and can change signed-ness with -funsigned-bitfields.
There is no need for low_bit_was_clear to be a bitfield in the first place; it
is only used as a boolean. Doing so even improves the code generation in
sh_emulate_map_dest() to avoid emitting a merge with structure padding.
Spotted by Eclair MISRA scanner.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Andrew Cooper [Mon, 9 May 2022 10:17:35 +0000 (11:17 +0100)]
x86/p2m.h: Add include guards
Spotted by Eclair MISRA scanner.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Jan Beulich [Thu, 15 Jun 2023 09:00:22 +0000 (11:00 +0200)]
Arm: drop bogus ALIGN() from linker script
Having ALIGN() inside a section definition usually makes sense only with
a label definition following (an exception case is a few lines out of
context, where cache line sharing is intended to be avoided).
Constituents of .bss.page_aligned need to specify their own alignment
correctly anyway, or else they're susceptible to link order changing.
This requirement is already met: Arm-specific code has no such object,
while common (EFI) code has another one. That one has suitable alignment
specified.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich [Thu, 15 Jun 2023 08:59:56 +0000 (10:59 +0200)]
spinlock: alter inlining of _spin_lock_cb()
To comply with Misra rule 8.10 ("An inline function shall be declared
with the static storage class"), convert what is presently
_spin_lock_cb() to an always-inline (and static) helper, while making
the function itself a thin wrapper, just like _spin_lock() is.
While there drop the unlikely() from the callback check, and correct
indentation in _spin_lock().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich [Thu, 15 Jun 2023 08:59:30 +0000 (10:59 +0200)]
libxg: shrink variable scope in xc_core_arch_map_p2m_list_rw()
This in particular allows to drop a dead assignment to "ptes" from near
the end of the function.
Coverity ID: 1532314 Fixes: bd7a29c3d0b9 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support linear p2m table") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Jan Beulich [Wed, 14 Jun 2023 10:31:23 +0000 (12:31 +0200)]
libxl: drop dead assignments to "ret" from libxl__domain_config_setdefault()
The variable needs to be properly set only on the error paths.
Coverity ID: 1532311 Fixes: ab4440112bec ("xl / libxl: push parsing of SSID and CPU pool ID down to libxl") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.cm> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Olaf Hering [Tue, 13 Jun 2023 12:42:14 +0000 (14:42 +0200)]
tools: fix make rpmball
Commit 438c5ffa44e99cceb574c0f9946aacacdedd2952 ("rpmball: Adjust to
new rpm, do not require --force") attempted to handle stricter
directory permissions in newer distributions.
This introduced a few issues:
- /boot used to be a constant prior commit 6475d700055fa952f7671cee982a23de2f5e4a7c ("use BOOT_DIR as xen.gz
install location"), since this commit the location has to be
referenced via ${BOOT_DIR}
- it assumed the prefix and the various configurable paths match the
glob pattern /*/*/*
Adjust the code to build a filelist on demand and filter directories
from an installed filesystem.rpm. This works on a SUSE system, and
will likely work on a RedHat based system as well.
Take the opportunity to replace the usage of $RPM_BUILD_ROOT with
%buildroot, and use pushd/popd pairs.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Roger Pau Monné [Tue, 13 Jun 2023 12:41:32 +0000 (14:41 +0200)]
iommu/amd-vi: fix checking for Invalidate All support in amd_iommu_resume()
The iommu local variable does not point to to a valid amd_iommu element
after the call to for_each_amd_iommu(). Instead check whether any IOMMU
on the system doesn't support Invalidate All in order to perform the
per-domain and per-device flushes.
Fixes: 9c46139de889 ('amd iommu: Support INVALIDATE_IOMMU_ALL command.') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 13 Jun 2023 09:14:50 +0000 (11:14 +0200)]
x86: minor tidying of identify_cpu()
Fields that generic_identify() sets unconditionally don't need pre-
setting. (In fact the compiler removes some of those assignments anyway,
at least in release builds.)
With the setting of ->cpuid_level to -1 gone, also drop the respective
BUG_ON() from default_init().
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Viresh Kumar [Tue, 13 Jun 2023 09:12:24 +0000 (11:12 +0200)]
libxl: Call libxl__virtio_devtype.set_default() early enough
The _setdefault() function for virtio devices is getting called after
libxl__prepare_dtb(), which is late as libxl__prepare_dtb() expects the
defaults to be already set by this time.
Call libxl__virtio_devtype.set_default() from
libxl__domain_config_setdefault(), in a similar way as other devices
like disk, etc.
Suggested-by: Anthony PERARD <anthony.perard@citrix.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Viresh Kumar [Tue, 13 Jun 2023 09:12:10 +0000 (11:12 +0200)]
libxl: virtio: Remove unused frontend nodes
Only the VirtIO backend will watch xenstore to find out when a new
instance needs to be created for a guest, and read the parameters from
there. VirtIO frontend are only virtio, so they will not do anything
with the xenstore nodes. They can be removed.
While at it, also add a comment to the libxl_virtio.c file.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Andrew Cooper [Thu, 8 Jun 2023 09:59:37 +0000 (10:59 +0100)]
tools/ocaml/xc: Fix xc_physinfo() bindings
The original change doesn't compile on ARM:
xenctrl_stubs.c: In function 'stub_xc_physinfo':
xenctrl_stubs.c:821:16: error: unused variable 'arch_cap_flags_tag' [-Werror=unused-variable]
821 | int r, arch_cap_flags_tag;
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
but it was buggy too.
First, it tried storing an int in a pointer slot, causing heap corruption.
Next, it is not legitimate to exclude arm32 in the toolstack as it explicitly
can operate an arm64 toolstack and build arm64 domains. That in turn means
that you can't stash a C uint32_t in an OCaml int.
Rewrite the arch_capabilities handling from scratch. Break it out into a
separate function, and make the construction of arch_physinfo_cap_flags common
to prevent other indirection bugs.
Reintroduce arm_physinfo_caps with the fields broken out.
Fixes: 56a7aaa16bfe ("tools: add physinfo arch_capabilities handling for Arm") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com>
Andrew Cooper [Fri, 9 Jun 2023 15:59:20 +0000 (16:59 +0100)]
CI: Add Ocaml to the alpine containers
This gets more coverage of optional parts of the build, and makes it easier to
trial Ocaml related changes in the smoke tests.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Juergen Gross [Tue, 30 May 2023 08:54:09 +0000 (10:54 +0200)]
tools/xenstore: remove stale TODO file
The TODO file is not really helpful any longer. It contains only
entries which no longer apply or it is unknown what they are meant
for ("Dynamic/supply nodes", "Remove assumption that rename doesn't
fail").
Juergen Gross [Tue, 30 May 2023 08:54:07 +0000 (10:54 +0200)]
tools/xenstore: make some write limit functions static
Some wrl_*() functions are only used in xenstored_domain.c, so make
them static. In order to avoid the need of forward declarations, move
the whole function block to the start of the file.
Juergen Gross [Tue, 30 May 2023 08:54:06 +0000 (10:54 +0200)]
tools/xenstore: rename hashtable_insert() and let it return 0 on success
Today hashtable_insert() returns 0 in case of an error. Change that to
let it return an errno value in the error case and 0 in case of success.
In order to avoid any missed return value checks or related future
backport errors, rename hashtable_insert() to hashtable_add().
Even if not used today, do the same switch for the return value of
hashtable_expand().
Juergen Gross [Tue, 30 May 2023 08:54:04 +0000 (10:54 +0200)]
tools/xenstore: do some cleanup of hashtable.c
Do the following cleanups:
- hashtable_count() isn't used at all, so remove it
- replace prime_table_length and max_load_factor with macros
- make hash() static
- add a loadlimit() helper function
- remove the /***/ lines between functions
- do some style corrections
Roger Pau Monne [Thu, 8 Jun 2023 09:59:39 +0000 (11:59 +0200)]
x86/hvm: print valid CR4 bits in case of error
Some of the current users of hvm_cr4_guest_valid_bits() don't print
the valid mask in case of error, and thus the resulting error messages
are not as helpful as they could be.
Amend callers to always print the value of hvm_cr4_guest_valid_bits()
together with the rejected bits in the checked value. Also take the
opportunity and adjust all the users to use the same print formatter.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 7 Jun 2023 09:27:35 +0000 (10:27 +0100)]
CI: Fix the github actions Coverity run
The Install step is failing with:
Package python-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
E: Package 'python-dev' has no installation candidate
is only available from another source
However the following packages replace it:
python2-dev python2 python-dev-is-python3
which is a side effect of ubuntu-latest having changed from 20.04 to 22.04.
Drop python-dev as python3-dev is already present, and used a fixed runs-on to
avoid such problems in the future.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Juergen Gross [Tue, 30 May 2023 08:24:24 +0000 (10:24 +0200)]
tools/xenstore: switch quota management to be table based
Instead of having individual quota variables switch to a table based
approach like the generic accounting. Include all the related data in
the same table and add accessor functions.
This enables to use the command line --quota parameter for setting all
possible quota values, keeping the previous parameters for
compatibility.
Juergen Gross [Tue, 30 May 2023 08:24:22 +0000 (10:24 +0200)]
tools/xenstore: use generic accounting for remaining quotas
The maxrequests, node size, number of node permissions, and path length
quota are a little bit special, as they are either active in
transactions only (maxrequests), or they are just per item instead of
count values. Nevertheless being able to know the maximum number of
those quota related values per domain would be beneficial, so add them
to the generic accounting.
The per domain value will never show current numbers other than zero,
but the maximum number seen can be gathered the same way as the number
of nodes during a transaction.
To be able to use the const qualifier for a new function switch
domain_is_unprivileged() to take a const pointer, too.
For printing the quota/max values, adapt the print format string to
the longest quota name (now 17 characters long).
Juergen Gross [Tue, 30 May 2023 08:24:21 +0000 (10:24 +0200)]
tools/xenstore: remember global and per domain max accounting values
Add saving the maximum values of the different accounting data seen
per domain and (for unprivileged domains) globally, and print those
values via the xenstore-control quota command. Add a sub-command for
resetting the global maximum values seen.
This should help for a decision how to set the related quotas.
Juergen Gross [Tue, 30 May 2023 08:24:16 +0000 (10:24 +0200)]
tools/xenstore: add current connection to domain_memory_add() parameters
In order to enable switching memory accounting to the generic array
based accounting, add the current connection to the parameters of
domain_memory_add().
This requires to add the connection to some other functions, too.
Juergen Gross [Tue, 30 May 2023 08:24:14 +0000 (10:24 +0200)]
tools/xenstore: add framework to commit accounting data on success only
Instead of modifying accounting data and undo those modifications in
case of an error during further processing, add a framework for
collecting the needed changes and commit them only when the whole
operation has succeeded.
This scheme can reuse large parts of the per transaction accounting.
The changed_domain handling can be reused, but the array size of the
accounting data should be possible to be different for both use cases.
Juergen Gross [Tue, 30 May 2023 08:24:12 +0000 (10:24 +0200)]
tools/xenstore: manage per-transaction domain accounting data in an array
In order to prepare keeping accounting data in an array instead of
using independent fields, switch the struct changed_domain accounting
data to that scheme, for now only using an array with one element.
In order to be able to extend this scheme add the needed indexing enum
to xenstored_domain.h.
Juergen Gross [Tue, 30 May 2023 08:24:11 +0000 (10:24 +0200)]
tools/xenstore: take transaction internal nodes into account for quota
The accounting for the number of nodes of a domain in an active
transaction is not working correctly, as it is checking the node quota
only against the number of nodes outside the transaction.
This can result in the transaction finally failing, as node quota is
checked at the end of the transaction again.
On the other hand even in a transaction deleting many nodes, new nodes
might not be creatable, in case the node quota was already reached at
the start of the transaction.
Luca Fancellu [Wed, 31 May 2023 07:24:10 +0000 (08:24 +0100)]
tools: add physinfo arch_capabilities handling for Arm
On Arm, the SVE vector length is encoded in arch_capabilities field
of struct xen_sysctl_physinfo, make use of this field in the tools
when building for arm.
Create header arm-arch-capabilities.h to handle the arch_capabilities
field of physinfo for Arm.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com> Acked-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Luca Fancellu [Wed, 31 May 2023 07:24:09 +0000 (08:24 +0100)]
xen/physinfo: encode Arm SVE vector length in arch_capabilities
When the arm platform supports SVE, advertise the feature in the
field arch_capabilities in struct xen_sysctl_physinfo by encoding
the SVE vector length in it.
Luca Fancellu [Wed, 31 May 2023 07:24:08 +0000 (08:24 +0100)]
xen: enable Dom0 to use SVE feature
Add a command line parameter to allow Dom0 the use of SVE resources,
the command line parameter sve=<integer>, sub argument of dom0=,
controls the feature on this domain and sets the maximum SVE vector
length for Dom0.
Add a new function, parse_signed_integer(), to parse an integer
command line argument.
Luca Fancellu [Wed, 31 May 2023 07:24:07 +0000 (08:24 +0100)]
xen/common: add dom0 xen command line argument for Arm
Currently x86 defines a Xen command line argument dom0=<list> where
there can be specified dom0 controlling sub-options, to use it also
on Arm, move the code that loops through the list of arguments from
x86 to the common code and from there, call architecture specific
functions to handle the comma separated sub-options.
Luca Fancellu [Wed, 31 May 2023 07:24:06 +0000 (08:24 +0100)]
arm/sve: save/restore SVE context switch
Save/restore context switch for SVE, allocate memory to contain
the Z0-31 registers whose length is maximum 2048 bits each and
FFR who can be maximum 256 bits, the allocated memory depends on
how many bits is the vector length for the domain and how many bits
are supported by the platform.
Save P0-15 whose length is maximum 256 bits each, in this case the
memory used is from the fpregs field in struct vfp_state,
because V0-31 are part of Z0-31 and this space would have been
unused for SVE domain otherwise.
Create zcr_el{1,2} fields in arch_vcpu, initialise zcr_el2 on vcpu
creation given the requested vector length and restore it on
context switch, save/restore ZCR_EL1 value as well.
List import macros from Linux in README.LinuxPrimitives.
Luca Fancellu [Wed, 31 May 2023 07:24:03 +0000 (08:24 +0100)]
xen/arm: add SVE vector length field to the domain
Add sve_vl field to arch_domain and xen_arch_domainconfig struct,
to allow the domain to have an information about the SVE feature
and the number of SVE register bits that are allowed for this
domain.
sve_vl field is the vector length in bits divided by 128, this
allows to use less space in the structures.
The field is used also to allow or forbid a domain to use SVE,
because a value equal to zero means the guest is not allowed to
use the feature.
Check that the requested vector length is lower or equal to the
platform supported vector length, otherwise fail on domain
creation.
Check that only 64 bit domains have SVE enabled, otherwise fail.
Luca Fancellu [Wed, 31 May 2023 07:24:02 +0000 (08:24 +0100)]
xen/arm: enable SVE extension for Xen
Enable Xen to handle the SVE extension, add code in cpufeature module
to handle ZCR SVE register, disable trapping SVE feature on system
boot only when SVE resources are accessed.
While there, correct coding style for the comment on coprocessor
trapping.
Now cptr_el2 is part of the domain context and it will be restored
on context switch, this is a preparation for saving the SVE context
which will be part of VFP operations, so restore it before the call
to save VFP registers.
To save an additional isb barrier, restore cptr_el2 before an
existing isb barrier and move the call for saving VFP context after
that barrier. To keep a (mostly) specularity of ctxt_switch_to()
and ctxt_switch_from(), move vfp_save_state() up in the function.
Change the KConfig entry to make ARM64_SVE symbol selectable, by
default it will be not selected.
Create sve module and sve_asm.S that contains assembly routines for
the SVE feature, this code is inspired from linux and it uses
instruction encoding to be compatible with compilers that does not
support SVE, imported instructions are documented in
README.LinuxPrimitives.
Add a feature to the diff-report.py script that improves the comparison
between two analysis report, one from a baseline codebase and the other
from the changes applied to the baseline.
The comparison between reports of different codebase is an issue because
entries in the baseline could have been moved in position due to addition
or deletion of unrelated lines or can disappear because of deletion of
the interested line, making the comparison between two revisions of the
code harder.
Having a baseline report, a report of the codebase with the changes
called "new report" and a git diff format file that describes the
changes happened to the code from the baseline, this feature can
understand which entries from the baseline report are deleted or shifted
in position due to changes to unrelated lines and can modify them as
they will appear in the "new report".
Having the "patched baseline" and the "new report", now it's simple
to make the diff between them and print only the entry that are new.
Luca Fancellu [Thu, 25 May 2023 08:33:59 +0000 (09:33 +0100)]
xen/misra: add diff-report.py tool
Add a new tool, diff-report.py that can be used to make diff between
reports generated by xen-analysis.py tool.
Currently this tool supports the Xen cppcheck text report format in
its operations.
The tool prints every finding that is in the report passed with -r
(check report) which is not in the report passed with -b (baseline).
x86/microcode: Add missing unlock in microcode_update_helper()
microcode_update_helper() may return early while holding
cpu_add_remove_lock, hence preventing any writers from taking it again.
Leave through the `put` label instead so it's properly released.
Fixes: 5ed12565aa32 ("microcode: rendezvous CPUs in NMI handler and load ucode") Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 5 Jun 2023 09:48:59 +0000 (10:48 +0100)]
xen: Fix incorrect taint constant
Insecure is the word being looked for here. Especially given the nature of
the sole caller, and the (correct) comment next to it.
Also update the taint marker from 'U' to 'I' for consistency; this isn't
expected to impact anyone in practice.
Fixes: 82c0d3d491cc ("xen: Add an unsecure Taint type") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Jan Beulich [Mon, 5 Jun 2023 14:54:30 +0000 (16:54 +0200)]
x86emul: AVX512-FP16 testing
Naming of some of the builtins isn't fully consistent with that of pre-
existing ones, so there's a need for a new BR2() wrapper macro.
With the tests providing some proof of proper functioning of the
emulator code also enable use of the feature by guests, as there's no
other infrastructure involved in enabling this ISA extension.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Henry Wang <Henry.Wang@arm.com> # CHANGELOG
Jan Beulich [Mon, 5 Jun 2023 13:02:39 +0000 (15:02 +0200)]
build: use $(dot-target)
While slightly longer, I agree with Andrew that using it helps
readability. Where touching them anyway, also wrap some overly long
lines.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
These are easiest in that they have same-size source and destination
vectors, yet they're different from other conversion insns in that they
use opcodes which have different meaning in the 0F encoding space
({,V}H{ADD,SUB}P{S,D}), hence requiring a little bit of overriding.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:58:25 +0000 (14:58 +0200)]
x86emul: handle AVX512-FP16 Map6 misc insns
While, as before, this leverages that the Map6 encoding space is a very
sparse clone of the "0f38" one, switch around the simd_size overriding
for opcode 2D. This way fewer separate overrides are needed.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:57:47 +0000 (14:57 +0200)]
x86emul: handle AVX512-FP16 fma-like insns
The Map6 encoding space is a very sparse clone of the "0f38" one. Once
again re-use that table, as the entries corresponding to invalid opcodes
in Map6 are simply benign with simd_size forced to other than simd_none
(preventing undue memory reads in SrcMem handling early in
x86_emulate()).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:56:25 +0000 (14:56 +0200)]
x86emul: handle AVX512-FP16 Map5 arithmetic insns
This encoding space is a very sparse clone of the "twobyte" one. Re-use
that table, as the entries corresponding to invalid opcodes in Map5 are
simply benign with simd_size forced to other than simd_none (preventing
undue memory reads in SrcMem handling early in x86_emulate()).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:55:07 +0000 (14:55 +0200)]
x86emul: handle AVX512-FP16 insns encoded in 0f3a opcode map
In order to re-use (also in subsequent patches) existing code and tables
as much as possible, simply introduce a new boolean field in emulator
state indicating whether an insn is one with a half-precision source.
Everything else then follows "naturally".
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:53:54 +0000 (14:53 +0200)]
x86emul: rework compiler probing in the test harness
Checking for what $(SIMD) contains was initially right, but already the
addition of $(FMA) wasn't. Later categories (correctly) weren't added.
Instead what is of interest is anything the main harness source file
uses outside of suitable #if and without resorting to .byte, as that's
the one file (containing actual tests) which has to succeed in building.
The auxiliary binary blobs we utilize may fail to build; the resulting
empty blobs are recognized and reported as "n/a" when the harness is
run.
Note that strictly speaking we'd need to probe the assembler. We assume
that a compiler knowing of a certain ISA extension is backed by an
equally capable assembler.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
projects / people / aperard / xen-unstable.git / log