Ian Campbell [Wed, 23 Apr 2014 15:32:45 +0000 (16:32 +0100)]
xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
The function vgic_irq_rank may return NULL is the IRQ is not in range handled
by the guest. This will result to derefence a NULL pointer which will crash
Xen.
I've checked the rest of the emulation and this is only place where the lock
is taken before the rank is checked.
This is CVE-2014-2986 / XSA-94.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Reported-by: Thomas Leonard <talex5@gmail.com> Reviewed-by: Jan Beulich <JBeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Olaf Hering [Wed, 23 Apr 2014 13:08:51 +0000 (15:08 +0200)]
use BOOT_DIR as xen.gz install location
Xen is currently installed into /boot, which is a hardcoded path. This
makes it impossible to install two xen.rpm packages from 'make rpmball'
in parallel because rpm complains about conflicting files.
Use BOOT_DIR to define the install path to make it possible to install
xen.gz below --prefix=.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Olaf Hering [Thu, 17 Apr 2014 14:13:48 +0000 (16:13 +0200)]
tools/libxl: remove XEN_RUN_DIR from install target
xencommons creates the _hardcoded_ /var/run/xen already, there is no
need to create and package this directory during make install|rpmball.
Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.
Using XEN_RUN_DIR instead of /var/run/xen tree-wide may be done in a
followup patch.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Olaf Hering [Thu, 17 Apr 2014 10:52:50 +0000 (12:52 +0200)]
tools/pygrub: remove /var/run/xend/boot from install target
pygrub stores the temporary kernel+initrd files in /var/run/pygrub, or
any other directory specified with --output-directory=<dir>. If the
default dir is missing pygrub will create it.
Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Olaf Hering [Thu, 17 Apr 2014 10:04:39 +0000 (12:04 +0200)]
tools: remove /var/lock/subsys from install target
/var/lock/subsys is used only in tools/hotplug/Linux/init.d/xendomains.
The start() function already does a "mkdir /var/lock/subsys", so its not
required to create this directory during make install|rpmball.
Without this change installing the resulting xen.rpm will fail on
systems where /var/lock is a symlink. rpm complains that '/var/lock'
(the symlink) is already owned by some other system rpm package.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Olaf Hering [Thu, 17 Apr 2014 09:55:21 +0000 (11:55 +0200)]
tools: remove /var/run/xenstored from install target
xenstored already does "mkdir /var/run/xenstored" on startup, so its not
required to create this directory during make install|rpmball.
Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:23:05 +0000 (13:23 -0400)]
vtpmmgr: use XSM label as vTPM kernel hash
Because there is not currently a method for the vTPM Manager to obtain a
build hash of a vTPM, use the hash of the vTPM's XSM label as a
substitute. This allows the vTPM Manager to distinguish between vTPMs
intended to be paired with a hardware domain kernel (which cannot use
pv-grub) and vTPMs which are paired with a pv-grub domain and therefore
contain reliable measurements of the guest kernel in PCRs 4 and 5.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:23:04 +0000 (13:23 -0400)]
stubdom/grub: verify vTPM label if requested
This adds an optional argument --vtpm-label=<label> to the pv-grub
command line. If specified, a vtpm device must be connected to the
pv-grub domain and the backend of this device must have the given XSM
label (which may start with a * to indicate a wildcard). Verifying the
label of the vTPM before sending measurements prevents a disaggregated
control domain that has access to xenstore but not to the guest domains
from causing the measurements performed by pv-grub to be discarded,
allowing the forgery of arbitrary kernel measurements in the TPM.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:23:03 +0000 (13:23 -0400)]
vtpm: add deep quote support
This allows the client of a vTPM to request a quote from the physical
TPM which includes PCRs from both the physical and virtual TPMs, signed
by an AIK from the physical TPM. This quote can be used to provide
evidence of the complete launch environment of a virtual machine.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:23:02 +0000 (13:23 -0400)]
vtpm: add ordinal for obtaining an EK signature
For a vTPM to be useful for remote attestation, proof that the vTPM's EK
was generated and held within a secure vTPM implementation is necessary.
This patch adds an ordinal to the vTPM which will request a quote
providing this evidence from the TPM Manager; it only functions during
the first startup of a given vTPM in order to provide proof that the EK
was freshly generated (and not a key whose private part is available
elsewhere).
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:23:01 +0000 (13:23 -0400)]
vtpm: passthru requests to manager
When sending commands to a vTPM, commands with the VTPM_TAG_REQ2 tag are
passed directly to the TPM Manager since they are used in the management
interface to the TPM Manager. The VTPM_TAG_REQ tag is translated to
TPM_TAG_RQU_COMMAND to allow access to the physical TPM for certain
ordinals (PCRRead, Extend, and GetRandom).
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jason Andryuk [Mon, 21 Apr 2014 17:23:00 +0000 (13:23 -0400)]
vtpmmgr: Convert TPM_Seal to use TPM_PCR_INFO_LONG
Infineon 1.2 TPMs fail TPM_Seal commands with TPM_BAD_PARAMETER when
PCRS are specified by a TPM_PCR_INFO structure. Using a
TPM_PCR_INFO_LONG structure to specify PCRs succeeds, so update to use
that. This also requires changes to use TPM_STORED_DATA12 for the
result.
Signed-off-by: Jason Andryuk <andryuk@aero.org> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Daniel De Graaf [Mon, 21 Apr 2014 17:22:58 +0000 (13:22 -0400)]
vtpmmgr: add example control tools
The manage-vtpmmgr.pl script is an example client for interacting with
the TPM Manager; it is intended to run in a management domain with a
vTPM (which may be dom0). It is used to create and manage vTPMs and
vTPM groups.
The calc.pl script is an example manager of a vTPM group. It signs
the configuration lists used by the TPM Manager with a locally held
private key.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Daniel De Graaf [Mon, 21 Apr 2014 17:22:57 +0000 (13:22 -0400)]
vtpmmgr: add TPM group support
This is a complete rewrite of the disk format and key hierarchy for the
TPM Manager. The new format supports multiple groups of vTPMs which
define the permitted configurations where a given vTPM's keys are
available, allowing upgrades of critical components while retaining the
secrecy of cryptographic keys.
New features of the TPM Manager are explained in the README and in the
definitions of the management commands in vtpm_manager.h.
New features for vTPMs:
1. The size of the state blob for a vTPM is expanded from 52 to 64
bytes in order to support future vTPMs using SHA-2/3 instead of SHA-1.
2. vTPMs can obtain a quote from the physical TPM with certain
resettable PCRs set to include information about the vTPM. This can be
used by a vTPM to provide evidence of its integrity, including the
secrecy of its EK, and for deep quotes.
Some additional changes made by this rewrite that may impact existing
users:
1. The value of WELLKNOWN_OWNER_AUTH was incorrect for the physical TPM;
the convention is to use all zero bits for well-known authentication
values, not all one bits.
2. Randomly generating the owner auth value for the physical TPM is no
longer supported, as it prevents later creation or certification of
AIKs (which the old manager did not support).
3. The vTPM Manager needs to be provisioned with a PCR composite and an
upgrade authority's public key before it will save data across boots.
The current implementation still has some limitations:
* 5 valid system PCR selections per group
* The vTPM Manager's disk can use at most 2MB of space
* The vTPM domain's build hash is always set to null/zero
Most of the code relating to upgrade and rollback protection is
currently stubbed out, but future versions can add:
* Support for using the TPM's monotonic counter to prevent rollback
of vTPM data by taking and restoring disk snapshots
* Masking the master disk encryption key using a value stored in the
TPM's NVRAM so that revocation of old data is possible without
relying on all previously authorized software stacks to respect the
monotonic counter's value
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com>
A guest is allowed to use invalidate cache by set/way instruction (i.e DCISW)
without any restriction. As the cache is shared with Xen, the guest invalidate
an address being in used by Xen. This may lead a Xen crash because the memory
state is invalid.
Set the bit HCR.SWIO to upgrade invalidate cache by set/way instruction to an
invalidate and clean.
This is CVE-2014-2915 / XSA-93.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Reported-by: Thomas Leonard <tal36@cam.ac.uk> Acked-by: Ian Campbell <ian.campbell@citrix.com>
xen/arm: Don't let the guest access the coprocessors registers
In Xen we only handle save/restore for coprocessor 10 and 11 (NEON). Other
coprocessors (0-9, 12-13) are currently exposed to the guest and may lead
to data shared between guest.
Disable access to all coprocessor except 10 and 11 by setting correctly
HCTPR.
This is CVE-2014-2915 / XSA-93.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
xen/arm: Inject an undefined instruction when the coproc/sysreg is not handled
Currently Xen panics if it's unable to handle a coprocessor/sysreg instruction.
Replace this behavior by inject an undefined instruction to the faulty guest
and log if Xen is in debug mode.
This is CVE-2014-2915 / XSA-93.
Signed-off-by: Julien Grall <julien.grall@linaro.org> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Andrew Cooper [Tue, 22 Apr 2014 12:45:10 +0000 (14:45 +0200)]
x86/EPT: correct double unmap_domain_page() on error path
c/s 3d90d6e6 "x86/EPT: split super pages upon mismatching memory types"
accidentally introduced an error path where the epte domain page would be
unmapped twice if splitting the superpage failed.
Only unmap the page if the loop is to be continued. When breaking from the
loop, the page will be unmapped by the subsequent code.
Coverity-ID: 1203047 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Daniel De Graaf [Tue, 22 Apr 2014 10:10:13 +0000 (12:10 +0200)]
allow hardware domain != dom0
This adds a hypervisor command line option "hardware_dom=" which takes a
domain ID. When the domain with this ID is created, it will be used
as the hardware domain.
This is intended to be used when domain 0 is a dedicated stub domain for
domain building, allowing the hardware domain to be de-privileged and
act only as a driver domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Boris Ostrovsky [Tue, 22 Apr 2014 10:08:56 +0000 (12:08 +0200)]
x86/HVM: use fixed TSC value when saving or restoring domain
When a domain is saved each VCPU's TSC value needs to be preserved. To get it we
use hvm_get_guest_tsc(). This routine (either itself or via get_s_time() which
it may call) calculates VCPU's TSC based on current host's TSC value (by doing a
rdtscll()). Since this is performed for each VCPU separately we end up with
un-synchronized TSCs.
Similarly, during a restore each VCPU is assigned its TSC based on host's current
tick, causing virtual TSCs to diverge further.
With this, we can easily get into situation where a guest may see time going
backwards.
Instead of reading new TSC value for each VCPU when saving/restoring it we should
use the same value across all VCPUs.
Reported-by: Philippe Coquard <philippe.coquard@mpsa.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Boris Ostrovsky [Tue, 22 Apr 2014 10:08:06 +0000 (12:08 +0200)]
x86/svm: enable TSC scaling
TSC ratio enabling logic is inverted: we want to use it when we
are running in native tsc mode, i.e. when d->arch.vtsc is zero.
Also, since now svm_set_tsc_offset()'s calculations depend
on vtsc's value, we need to call hvm_funcs.set_tsc_offset() after
vtsc changes in tsc_set_info().
In addition, with TSC ratio enabled, svm_set_tsc_offset() will
need to do rdtsc. With that we may end up having TSCs on guest's
processors out of sync. d->arch.hvm_domain.sync_tsc which is set
by the boot processor can now be used by APs as reference TSC
value instead of host's current TSC.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Boris Ostrovsky [Tue, 22 Apr 2014 10:07:37 +0000 (12:07 +0200)]
x86: use native RDTSC(P) execution when guest and host frequencies are the same
We should be able to continue using native RDTSC(P) execution on
HVM/PVH guests after migration if host and guest frequencies are
equal (this includes the case when the frequencies are made equal
by TSC scaling feature).
This also allows us to revert main part of commit 4aab59a3 (svm: Do not
intercept RDTSC(P) when TSC scaling is supported by hardware) which
was wrong: while RDTSC intercepts were disabled domain's vtsc could
still be set, leading to inconsistent view of guest's TSC.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 22 Apr 2014 10:05:44 +0000 (12:05 +0200)]
ACPI/ERST: fix signed/unsigned type conflicts
Error checks exist in the respective code path that expect negative
values to indicate errors, yet negative values can't be communicated
through size_t. Thus ssize_t needs to be introduced (also on ARM for
consistency, even if the code in question isn't currently being used
on there).
The bug is theoretical only in so far as all the involved code is
effectively dead. Reflect this by excluding that code from non-debug
builds.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Christoph Egger <chegger@amazon.de>
Jan Beulich [Tue, 22 Apr 2014 10:04:20 +0000 (12:04 +0200)]
x86/MSI: drop workaround for insecure Dom0 kernels
Considering that
- the workaround is expensive (iterating through the entire P2M space
of a domain),
- the planned elimination of the expensiveness (by propagating the type
change step by step to the individual P2M leaves) wouldn't address
the IOMMU side of things (as for it to obey to the changed
permissions the adjustments must be pushed down immediately through
the entire tree)
- the proper solution (PHYSDEVOP_msix_prepare) should by now be
implemented by all security conscious Dom0 kernels
remove the workaround, killing eventual guests that would be known to
become a security risk instead.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Daniel De Graaf [Thu, 17 Apr 2014 08:10:33 +0000 (10:10 +0200)]
implement is_hardware_domain using hardware_domain global
This requires setting the hardware_domain variable earlier in
domain_create so that functions called from it (primarily in
arch_domain_create) observe the correct results when they call
is_hardware_domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
pvh dom0: make xsm_map_gmfn_foreign available for x86
In this patch we make xsm_map_gmfn_foreign available for x86 also. This
is used in the next patch "pvh dom0: Add and remove foreign pages" in
function p2m_add_foreign.
Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
In this patch, a new type p2m_map_foreign is introduced for pages
that toolstack on an auto translated dom0 or a control domain maps
from foreign domains that its creating or supporting during its
run time.
Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com> Acked-by: Tim Deegan <tim@xen.org>
The "A" constraint, while documented up to gcc 4.5 as "The a and d
registers, as a pair (for instructions that return half the result in
one and half in the other)," never really behaved that (natural) way,
but always meant (and is now also documented so) %eax _or_ %edx (%rax
_or_ %rdx on x86-64) unless the operand was wide enough to require both
(i.e. more than 32 bits on ix86 and more than 64 bits on x86-64).
Interestingly something internal to the compiler changed between 4.4
and 4.5 to actually expose the difference - up to gcc 4.4 I was unable
to construct a case where, when only the low half of the result is
actually looked at, the result would be considered to be in %edx/%rdx
(and %eax/%rax would be treated as unmodified by the instruction).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org> Tested-by: Don Slutz <dslutz@verizon.com>
xen/arm: Pass the timer "clock-frequency" to DOM0 in make_timer_node()
If the DT representing the ARM generic timer mentions a clock-frequency,
propragate it to the DT that is built for DOM0.
This is necessary as a workaround for boards (Odroid-XU) where CNTFRQ is not
set or returns a wrong value.
Ideally CNTFRQ should be set by the boot loader. The bootloader should respect
the ARM ARM (see B.8.1.1):
"The CNTFRQ register is UNKNOWN at reset, and therefore the counter
frequency must written to CNTFRQ as part of the system boot process."
For the Odroid-XU the SPL BL2 code is entered in NS HYP mode which prevents
the execution of the mcr call to set CNTFRQ.
Andrew Cooper [Tue, 15 Apr 2014 18:18:42 +0000 (19:18 +0100)]
tools/libxc: Remove valgrind conditional sections from libxc
The ifdef sections are not enabled at all in tree, and their justification is
out of date now that Xen hypercall support exists upstream in valgrind.
This also removes a commented-out tweak to CFLAGS in the libxc Makefile which
is not being used, and becomes stale given this patch. In the unlikely event
that any developers were using the line, the results can be more easily
achieved by tweaking APPEND_CFLAGS in the environment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> CC: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Andrew Cooper [Fri, 11 Apr 2014 15:46:14 +0000 (16:46 +0100)]
tools/libxl: Improvements to libxl-save-helper when using valgrind
Fix two unfree()'d allocations in libxl-save-helper, to get them out of the
way of other legitimate complaints from valgrind.
The first is easy; close the interface to libxc when done with it.
The second can be fixed by removing the complexity of creating the logging
instance. Initialise the global 'logger' in place rather than as an
allocation, which requires changing the indirection of its use in 5 locations.
struct xentoollog_logger_tellparent and function createlogger_tellparent() are
now unused and removed.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Andrew Cooper [Fri, 11 Apr 2014 15:46:13 +0000 (16:46 +0100)]
libxl/save-helper: Code motion of logging functions
... in preparation for a subsequent functional fix
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Wei Liu [Thu, 10 Apr 2014 15:26:31 +0000 (16:26 +0100)]
libxl/gentypes.py: don't generate JSON for private type(s)
Private types are only useful inside libxl. They don't have a valid JSON
generation function by default.
Currently there's only one private type, that's libxl_ev_link. Not
skipping this field causes testidl to fail as the code generated for
this type is NULL.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
On arm64, VFP instructions requires vfpregs to be 128-byte aligned.
By chance, the field is already correctly aligned. In the case if someone
decides to add a new field before, Xen will receive a data abort as soon as
it saves/restores VFP.
We are safe on arm32 as the only constraint is to be 32-byte aligned.
The Linux = issue which this works around was fixed in v3.13 via f52bb722547f
"ARM: mm: Correct virt_to_phys patching for 64 bit physical addresses".
This is the second attempt to revert this. Now that we have fixed
allocate_memory_11 to allocate accessible memory on 32-bit this is safe to do.
This is not quite a straight revert since we need to ensure that for 32-bit
domain 0 we do not allocate dom0's memory above 4GB where the domain cannot
access it without paging (which is disabled at start of day) and LPAE (which
the kernel may not support) enabled.
Ian Campbell [Fri, 4 Apr 2014 12:56:58 +0000 (13:56 +0100)]
xen: arm: probe the kernel to determine the guest type earlier
We need to know if the kernel is 32- or 64- bit capable sooner so that we know
what sort of domain we are building when allocating memory to it (so we can
place appropriate limits when allocating RAM to the guest). At the moment
kernel_prepare() decides this but it needs the memory to have already been
allocated.
Therefore split the probing functionality of kernel_prepare() and call it much
earlier. The remainder of kernel_prepare() deals with where to place the
kernel in RAM which can be deferred until kernel_load() so do so.
Document the input and output of kernel_probe() and _load().
Jan Beulich [Mon, 14 Apr 2014 13:13:33 +0000 (15:13 +0200)]
MAINTAINERS: extend coverage for "THE REST"
As agreed upon in offlist discussion among the committers, make all
committers eligible to approve changes to code not having its
maintainership covered explicitly. (For committers to make changes to
such code, generally an ack from a second committer is going to be
required.)
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Tim Deegan <tim@xen.org>
Because some of the leaf p2m functions return 0 for failure and
TRUE for success, the real errno is lost. We change some of those
functions to return proper -errno. Also, any code in the immediate
vicinity that is in coding style violation is fixed up.
This patch doesn't change any functionality.
Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org>
This patch renames set_p2m_entry defined in arch/x86/mm/p2m.c
to p2m_set_entry which makes it consistent with other functions
from that file. It also facilitates changing the function signature
to return approriate errno for failure cases. This patch doesn't
change any functionality.
Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com> Acked-by: Tim Deegan <tim@xen.org>
This patch renames "public" functions in p2m-pt.c. In addition to
making them more descriptive, it also frees up "p2m_set_entry" name
to be used later. This patch doesn't change any functionality.
Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com> Acked-by: Tim Deegan <tim@xen.org>
- Remove version from installed package name, to make "upgrades" work
- Add conffiles to manage files in /etc on package install/update/remove
- Added in description that this is a .deb for testing only
Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Fri, 11 Apr 2014 09:27:04 +0000 (11:27 +0200)]
further prefetch cleanup
- commit 630017f4 ("xen: x86 & generic: change to __builtin_prefetch()")
removed the ARCH_HAS_PREFETCH{,W} defines, but left the
ARCH_HAS_SPINLOCK_PREFETCH one in place
- the x86 special casing code has always been dead due to the two
respective CONFIG_* settings not getting defined anywhere
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Fri, 11 Apr 2014 09:22:49 +0000 (11:22 +0200)]
libxl: allow dom0 to be destroyed
When dom0 is not the hardware domain, it can be destroyed in the same
way as any other service domain. To avoid accidental use when a domain
is not resolved, destroying domain 0 requires passing -f to xl destroy.
Since the hypervisor already prevents a domain from destroying itself,
this patch is only useful in a disaggregated environment.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Fri, 11 Apr 2014 09:20:55 +0000 (11:20 +0200)]
rename dom0 to hardware_domain
This should not change any functionality other than renaming the global
variable. In a few cases (primarily the domain building code), a local
variable or argument named dom0 was created and used instead of the
global hardware_domain to clarify that the domain being used in this
case is actually domain 0.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Christoph Egger <chegger@amazon.de> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Fri, 11 Apr 2014 09:20:08 +0000 (11:20 +0200)]
prevent 0 from being used as a dynamic domid
When the hardware domain is made distinct from dom0, it becomes possible
to shut down and destroy domain 0 while leaving the hypervisor running.
If this happens, prevent this domain ID from being considered for
allocation to a new guest.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Fri, 11 Apr 2014 09:19:16 +0000 (11:19 +0200)]
iommu: Move dom0 setup code to __hwdom_init
When the hardware domain is split from domain 0, the initialization code
for the hardware domain cannot be in the __init section, since the
actual domain creation happens after these sections have been discarded.
Create a __hwdom_init section designator to annotate these functions,
and control it using the XSM configuration option for now (since XSM is
required to take advantage of the security benefits of disaggregation).
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Daniel De Graaf [Fri, 11 Apr 2014 09:16:52 +0000 (11:16 +0200)]
use domid check in is_hardware_domain
Instead of checking is_privileged to determine if a domain should
control the hardware, check that the domain_id is equal to zero (which
is currently the only domain for which is_privileged is true). This
allows other places where domain_id is checked for zero to be replaced
with is_hardware_domain.
The distinction between is_hardware_domain, is_control_domain, and
domain 0 is based on the following disaggregation model:
Domain 0 bootstraps the system. It may remain to perform requested
builds of domains that need a minimal trust chain (i.e. vTPM domains).
Other than being built by the hypervisor, nothing is special about this
domain - although it may be useful to have is_control_domain() return
true depending on the toolstack it uses to build other domains.
The hardware domain manages devices for PCI pass-through to driver
domains or can act as a driver domain itself, depending on the desired
degree of disaggregation. It is also the domain managing devices that
do not support pass-through: PCI configuration space access, parsing the
hardware ACPI tables and system power or machine check events. This is
the only domain where is_hardware_domain() is true. The return of
is_control_domain() may be false for this domain.
The control domain manages other domains, controls guest launch and
shutdown, and manages resource constraints; is_control_domain() returns
true. The functionality guarded by is_control_domain may in the future
be adapted to use explicit hypercalls, eliminating the special treatment
of this domain. It may be reasonable to have multiple control domains
on a multi-tenant system.
Guest domains and other service or driver domains are all treated
identically by the hypervisor; the security policy may further constrain
administrative actions on or communication between these domains.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Keir Fraser <keir@xen.org>
Jan Beulich [Thu, 10 Apr 2014 14:07:17 +0000 (16:07 +0200)]
x86: fix pinned cache attribute handling
- make sure UC- is only used for PAT purposes (MTRRs and hence EPT
don't have this type)
- add order input to "get", and properly handle conflict case (forcing
an EPT page split)
- properly detect (and refuse) overlaps during "set"
- properly use RCU constructs
- support deleting ranges through a special type input to "set"
- set ignore-PAT flag in epte_get_entry_emt() when "get" succeeds
- set "get" output to ~0 (invalid) rather than 0 (UC) on error (the
caller shouldn't be looking at it anyway)
- move struct hvm_mem_pinned_cacheattr_range from header to C file
(used only there)
Note that the code (before and after this change) implies the GFN
ranges passed to the hypercall to be inclusive, which is in contrast
to the sole current user in qemu (all variants). It is not clear to me
at which layer (qemu, libxc, hypervisor) this would best be fixed.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Thu, 10 Apr 2014 14:06:09 +0000 (16:06 +0200)]
x86/EPT: IOMMU snoop capability should not affect memory type selection
This capability solely makes a statement on cache coherency guarantees
by the IOMMU. It does specifically not imply any further guarantees
implied by certain memory types (cachability, ordering).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Thu, 10 Apr 2014 14:05:12 +0000 (16:05 +0200)]
x86/EPT: split super pages upon mismatching memory types
... between constituent pages. To indicate such, the page order is
being passed down to the vMTRR routines, with a negative return value
(possible only on order-non-zero pages) indicating such collisions.
Some code redundancy reduction is being done to ept_set_entry() along
the way, allowing the new handling to be centralized to a single place
there.
In order to keep ept_set_entry() fast and simple, the actual splitting
is being deferred to the EPT_MISCONFIG VM exit handler.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Thu, 10 Apr 2014 14:01:41 +0000 (16:01 +0200)]
x86/EPT: force re-evaluation of memory type as necessary
The main goal here is to drop the bogus dependency of
epte_get_entry_emt() on d->arch.hvm_domain.params[HVM_PARAM_IDENT_PT].
Any change to state influencing epte_get_entry_emt()'s decision needs
to result in re-calculation. Do this by using the EPT_MISCONFIG VM
exit, storing an invalid memory type into EPT's emt field (leaving the
IOMMU, which doesn't care about memory types, unaffected).
This is being done in a hierarchical manner to keep execution time
down: Initially only the top level directory gets invalidated this way.
Upon access, the involved intermediate page table levels get cleared
back to zero, and the leaf entry gets its field properly set. For 4k
leaves all other entries in the same directory also get processed to
amortize the cost of the extra VM exit (which halved the number of
these VM exits in my testing).
This restoring can result in spurious EPT_MISCONFIG VM exits (since
two vCPU-s may access addresses involving identical page table
structures). Rather than simply returning in such cases (and risking
that such a VM exit results from a real mis-configuration, which
would then result in an endless loop rather than killing the VM), a
per-vCPU flag is being introduced indicating when such a spurious VM
exit might validly happen - if another one occurs right after VM re-
entry, the flag would generally end up being clear, causing the VM
to be killed as before on such VM exits.
Note that putting a reserved memory type value in the EPT structures
isn't formally sanctioned by the specification. Intel isn't willing to
adjust the specification to make this or a similar use of the
EPT_MISCONFIG VM exit formally possible, but they have indicated that
us using this is low risk wrt forward compatibility.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Kevin Tian <kevin.tian@intel.com>
Ian Campbell [Wed, 9 Apr 2014 11:51:16 +0000 (12:51 +0100)]
xen: arm: rework dom0 initrd and dtb placement
This now uses the same decision tree as libxc (which is much easier to test).
The main change is to explicitly handle the placement at 128MB or end of RAM
as two cases, rather than combining with MIN. The effect is the same but the
code is clearer.
Secondly the attempt to place the modules right after the kernel is removed,
since it is redundant with the case where placing them at the end of RAM ends
up abutting the kernel.
Also round the kernel size up to a 2MB boundary.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Julien Grall <julien.grall@linaro.org>
Ian Campbell [Wed, 9 Apr 2014 11:51:14 +0000 (12:51 +0100)]
tools: arm: improve placement of initial modules.
314c9815e2f5 "tools: implement initial ramdisk support for ARM." broke starting
guests with <= 128 MB ram by placing the boot modules (dtb and initrd)
immediately after the kernel in this case, running the risk of them being
overwritten. Instead place the modules at the end of RAM, as the hypervisor
does for dom0.
The hypervisor also falls back to placing things before the kernel as a last
resort before failing, so add that here too.
Tested with the Debian installer initrd and guests of 96MB, 128MB, 256MB and
1GB. All work, also tested with 64MB but the installer doesn't run with so
little RAM (but our placement of the initrd is correct).
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Julien Grall <julien.grall@linaro.org> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Mon, 7 Apr 2014 11:07:04 +0000 (12:07 +0100)]
xen: make sure that likely and unlikely convert the expression to a boolean
According to http://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html
__builtin_expect has the prototype:
long __builtin_expect (long exp, long c)
If sizeof(exp) > sizeof(long) then this will effectively mask off the top bits
of exp, meaning that the if in "if (unlikey(x))" will see the masked version,
which might be false when true was expected, likely has the same issue.
This is mostly likely to affect x86_32 and arm32 builds. x86_32 is not
present on 4.3 onwards and a quick grep of current staging shows that all the
existing arm32 uses of both likely and unlikely already pass a boolean. I
noticed this with an as yet unposted patch which did not have this property.
Also the defintion of likely might not have had the expected affect for cases
where a true value > 1 might be passed.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Cc: Keir Fraser <keir@xen.org> Cc: Tim Deegan <tim@xen.org>
Ian Campbell [Tue, 8 Apr 2014 15:37:58 +0000 (16:37 +0100)]
build: remove Linux kernel build integration.
We haven't shipped a XenoLinux kernel for more releases than I can remember.
We held onto these because osstest was using them but this is no longer the
case.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
These are a xend-ism. Since Xen 4.1 the recommened way to configure networking
has been to use the distro facilities (e.g.
http://wiki.xen.org/wiki/HostConfiguration/Networking)
Ian Campbell [Wed, 9 Apr 2014 08:26:23 +0000 (09:26 +0100)]
docs: remove stray CONFIG_XENDs and configure option from docs.
These were added by 7dbfc2f8b054 "docs: Honour --{en, dis}able-xend when
building docs" between v1 and the (eventually committed) v2 of 9e8672f1c36d
"tools: remove xend and associated python modules" and were missed when
rebasing for v2.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Tested-by: Olaf Hering <olaf@aepfle.de> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Jan Beulich [Wed, 9 Apr 2014 14:13:25 +0000 (16:13 +0200)]
x86/AMD: feature masking is unavailable on Fam11
Reported-by: Aravind Gopalakrishnan<aravind.gopalakrishnan@amd.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
The root cause is there is an wronng
'write_unlock(&pcd_tree_rwlocks[firstbyte])' in function
tmem_try_to_evict_pgp().
Nobody will lock &pcd_tree_rwlocks if dedup=0, but the write_unlock() will be
executed anyway. This was introduced by a git commit 38c433d0c711406778aba1ae183a195da98656f0 ("tmem: add page deduplication with
optional compression or trailing-zero-elimination")
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Tue, 28 Jan 2014 04:28:32 +0000 (12:28 +0800)]
tmem: reorg the shared pool allocate path
Reorg the code to make it more readable.
Check the return value of shared_pool_join() and drop a unneeded call to
it. Disable creating a shared & persistant pool in an advance place.
Note that one might be tempted to delay the creation of the pool even
further in the code. That however would break the behavior of the code
- that is if we ended up creating a shared pool and the
'uuid_lo == -1L && uuid_hi == -1L' logic stands we still need to
create a pool - just not shared type.
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Tue, 28 Jan 2014 04:28:31 +0000 (12:28 +0800)]
tmem: cleanup: refactor function tmemc_shared_pool_auth()
Make function tmemc_shared_pool_auth() more readable.
Note that the previous check for free being set the first time
'(free == -1)' in the loop is now removed. That is OK because
when we set free the first time ('free = i;') we follow it
immediately with a break to get out of the loop.
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Bob Liu [Tue, 28 Jan 2014 04:28:28 +0000 (12:28 +0800)]
tmem: remove unneeded parameters from obj destroy path
Parameters "selective" and "no_rebalance" are meaningless in obj
destroy path, this patch remove them. No place uses
no_rebalance=1. In the obj_destroy path we always call it with
no_balance=0.
Note that this will now free it only if:
obj->last_client == cli_id
Which is OK - even if we allocate a non-shared pool we set by
default the obj->last_client to TMEM_CLI_ID_NULL so even if
the pool is never used, the pool_flush will take care of removing
those.
Signed-off-by: Bob Liu <bob.liu@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
projects / xen.git / log