Xenia Ragiadakou [Mon, 13 Feb 2023 15:26:43 +0000 (16:26 +0100)]
x86/iommu: snoop control is allowed only by Intel VT-d
The AMD-Vi driver forces coherent accesses by hardwiring the FC bit to 1.
Therefore, given that iommu_snoop is used only when the iommu is enabled,
when Xen is configured with only the AMD iommu enabled, iommu_snoop can be
reduced to a #define to true.
No functional change intended.
Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 13 Feb 2023 15:26:03 +0000 (16:26 +0100)]
x86/shadow: make iommu_snoop usage consistent with HAP's
First of all the variable is meaningful only when an IOMMU is in use for
a guest. Qualify the check accordingly, like done elsewhere. Furthermore
the controlling command line option is supposed to take effect on VT-d
only. Since command line parsing happens before we know whether we're
going to use VT-d, force the variable back to set when instead running
with AMD IOMMU(s).
Since it may end up misleading, also remove the clearing of the flag in
iommu_setup() and vtd_setup()'s error path. The variable simply is
meaningless with IOMMU(s) disabled, so there's no point touching it
there.
Finally also correct a relevant nearby comment.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Xenia Ragiadakou <burzalodowa@gmail.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Mon, 13 Feb 2023 09:13:47 +0000 (10:13 +0100)]
build: move double-$ into as-option-add
It's imo helping readability as well as uses a little if properly
arranging for sufficiently late macro expansion is part of the macro
itself, rather than all (applicable) instances of its users.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Juergen Gross [Mon, 13 Feb 2023 09:10:24 +0000 (10:10 +0100)]
xen/public: fix 9pfs documentation of connection sequence
The documented connection sequence in xen/include/public/io/9pfs.h has
a bug: the frontend needs to wait for the backend to have published its
features before being able to allocate its rings and event-channels.
While correcting that, make it clear that there might be multiple
rings and event-channels by adding "(s)".
Juergen Gross [Mon, 13 Feb 2023 09:10:06 +0000 (10:10 +0100)]
xen/public: fix 9pfs Xenstore entry documentation
In xen/include/public/io/9pfs.h the documentation regarding the
Xenstore entries isn't reflecting reality: the "tag" Xenstore entry
is on the frontend side, not on the backend one.
Jan Beulich [Mon, 13 Feb 2023 09:09:15 +0000 (10:09 +0100)]
x86/shadow: re-work 4-level SHADOW_FOREACH_L2E()
First of all move the almost loop-invariant condition out of the loop;
transform it into an altered loop boundary, noting that the updating of
_gl2p is relevant only at one use site, and then also only inside the
_code blob it provides. Then drop the shadow_mode_external() part of the
condition as being redundant with the is_pv_32bit_domain() check.
Further, since the new local variable wants to be "unsigned int",
convert the loop induction variable accordingly. Finally also adjust
formatting as most code needs touching anyway.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 13 Feb 2023 09:07:03 +0000 (10:07 +0100)]
x86/shadow: replace sh_reset_l3_up_pointers()
Rather than doing a separate hash walk (and then even using the vCPU
variant, which is to go away), do the up-pointer-clearing right in
sh_unpin(), as an alternative to the (now further limited) enlisting on
a "free floating" list fragment. This utilizes the fact that such list
fragments are traversed only for multi-page shadows (in shadow_free()
and sh_next_page()). Furthermore sh_terminate_list() is a safeguard
only anyway, which isn't in use in the common case (it actually does
something only for BIGMEM configurations).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
The patch introduces an implementation of basic exception handlers:
- to save/restore context
- to handle an exception itself. The handler calls wait_for_interrupt
now, nothing more.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Jan Beulich [Thu, 9 Feb 2023 09:52:39 +0000 (10:52 +0100)]
riscv: add temporary riscv64_defconfig alias
This is to allow building of Xen without going through a separate
tiny64_defconfig build step, just like is possible for all other
architectures. Eventually the symlink will want replacing by,
presumably, an empty file just like other arches have.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Alistair Francis <alistair.francis@wdc.com>
Architecturally, an event delivery which starts in CPL<3 and switches shadow
stack will first validate the Supervisor Shadow Stack Token (setting the busy
bit), then pushes CS/LIP/SSP. One example of this is an NMI interrupting Xen.
Some CPUs suffer from an issue called fracturing, whereby a fault/vmexit/etc
between setting the busy bit and completing the event injection renders the
action non-restartable, because when it comes time to restart, the busy bit is
found to be already set.
This is far more easily encountered under virt, yet it is not the fault of the
hypervisor, nor the fault of the guest kernel. The fault lies somewhere
between the architectural specification, and the uarch behaviour.
Intel have allocated CPUID.7[1].ecx[18] CET_SSS to enumerate that supervisor
shadow stacks are safe to use. Because of how Xen lays out its shadow stacks,
fracturing is not expected to be a problem on native.
Detect this case on boot and default to not using shstk if virtualised.
Specifying `cet=shstk` on the command line will override this heuristic and
enable shadow stacks irrespective.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Juergen Gross [Thu, 9 Feb 2023 14:41:48 +0000 (15:41 +0100)]
docs: clarify xenstore permission documentation
In docs/misc/xenstore.txt the description of the Xenstore node access
permissions is missing one important aspect, which can be found only
in the code or in the wiki [1]:
The first permission entry is defining the owner of the node via the
domid, and the access rights for all domains NOT having a dedicated
permission entry.
Make that aspect clear in the official documentation.
Anthony PERARD [Thu, 9 Feb 2023 16:14:48 +0000 (16:14 +0000)]
libs/util: Fix parallel build between flex/bison and CC rules
flex/bison generate two targets, and when those targets are
prerequisite of other rules they are considered independently by make.
We can have a situation where the .c file is out-of-date but not the
.h, git checkout for example. In this case, if a rule only has the .h
file as prerequisite, make will proceed and start to build the object.
In parallel, another target can have the .c file as prerequisite and
make will find out it needs re-generating and do so, changing the .h at
the same time. This parallel task breaks the first one.
To avoid this scenario, we put both the header and the source as
prerequisite for all objects even if they only need the header.
Reported-by: Andrew Cooper <Andrew.Cooper3@citrix.com> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Anthony PERARD [Thu, 9 Feb 2023 12:11:40 +0000 (12:11 +0000)]
libs/util: Remove unused headers in libxlu_pci.c
libxlu_pci.c doesn't use any "xlu__cfg*()" functions and doesn't use
any of the disk parsing functions "xlu__disk*()", so all those headers
can be removed.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Julien Grall [Fri, 27 Jan 2023 18:55:46 +0000 (18:55 +0000)]
tools/xenstored: hashtable: Constify the parameters of hashfn/eqfn
The parameters of hashfn/eqfn should never be modified. So constify
them and propagate the const to the users.
Take the opportunity to solve some coding style issues around the
code modified.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Tested-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Julien Grall <jgrall@amazon.com> Acked-by: George Dunlap <george.dunlap@cloud.com> Acked-by: Ian Jackson <ijackson@chiark.greenend.org.uk> Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Thu, 9 Feb 2023 17:04:30 +0000 (17:04 +0000)]
docs/process: branching-checklist: Use consistent indentation
At the moment, branch-checklist.txt is using a mix of soft and hard
tab. They are both meant to be represented using 8 characters.
In Xen we tend to use 4-space softtab represented with 4 characters. So
to avoid having to use a different editor configuration, switch all
the indentation to 4-space softtab.
Signed-off-by: Julien Grall <jgrall@amazon.com> Acked-by: George Dunlap <george.dunlap@cloud.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Roger Pau Monné [Tue, 8 Nov 2022 11:38:50 +0000 (12:38 +0100)]
x86/paging: return -EINVAL for paging domctls for dying domains
The current logic returns 0 and leaves the domctl parameter uninitialized for
any parameter fetching operations (like the GET_ALLOCATION operation), which
is not helpful from a toolstack point of view, because there's no indication
that the data hasn't been fetched.
For at least the Ocaml stubs, this ends up passing back stack rubble as if it
were a correct result.
Inform the caller properly that it hasn't got any data.
Reported-by: Edwin Török <edvin.torok@citrix.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Juergen Gross [Fri, 27 Jan 2023 16:17:39 +0000 (17:17 +0100)]
tools/helpers: don't log errors when trying to load PVH xenstore-stubdom
When loading a Xenstore stubdom the loader doesn't know whether the
to be loaded kernel is a PVH or a PV one. So it tries to load it as
a PVH one first, and if this fails it is loading it as a PV kernel.
This results in errors being logged in case the stubdom is a PV kernel.
Suppress those errors by setting the minimum logging level to
"critical" while trying to load the kernel as PVH.
In case PVH mode and PV mode loading fails, retry PVH mode loading
without changing the log level in order to get the error messages
logged.
Fixes: f89955449c5a ("tools/init-xenstore-domain: support xenstore pvh stubdom") Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
ns16550: remove unneeded truncation check in the DT init code
In an earlier commit (7c1de0038895), "ns16550.io_size" was u32 and
"io_size" was u64. Thus, the ASSERT() was needed to check if the values
are the same.
However, in a later commit (c9f8e0aee507), "ns16550.io_size" was changed
to u64. Thus, the ASSERT() became redundant.
So, now as "io_size" and "uart->io_size" are both u64, there will be no
truncation. Thus, one can remove the ASSERT() and extra assignment.
Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
The patch introduces a set of registers which should be saved to and
restored from a stack after an exception occurs and a set of defines
which will be used during exception context saving/restoring.
Originally <asm/processor.h> header was introduced in the patch series
from Bobby so partially it was
re-used and the following changes were done:
- Move all RISCV_CPU_USER_REGS_* to asm/asm-offsets.c
- Remove RISCV_CPU_USER_REGS_OFFSET & RISCV_CPU_USER_REGS_SIZE as
there is no sense in them after RISCV_CPU_USER_REGS_* were moved to
asm/asm-offsets.c
- Remove RISCV_PCPUINFO_* as they aren't needed for current status of
the RISC-V port
- register_t renamed to unsigned long
- rename wait_for_interrupt to wfi
Signed-off-by: Bobby Eshleman <bobby.eshleman@gmail.com> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
The following changes were made in comparison with <asm/csr.h> from
Linux:
* remove all defines as they are defined in riscv_encoding.h
* leave only csr_* macros
Because printk() relies on a serial driver (like the ns16550 driver)
and drivers require working virtual memory (ioremap()) there is not
print functionality early in Xen boot.
The patch introduces the basic stuff of early_printk functionality
which will be enough to print "hello from C environment".
Originally early_printk.{c,h} was introduced by Bobby Eshleman
(https://github.com/glg-rv/xen/commit/a3c9916bbdff7ad6030055bbee7e53d1aab71384)
but some functionality was changed:
early_printk() function was changed in comparison with the original as
common isn't being built now so there is no vscnprintf.
This commit adds early printk implementation built on the putc SBI call.
As sbi_console_putchar() is already being planned for deprecation
it is used temporarily now and will be removed or reworked after
real uart will be ready.
Signed-off-by: Bobby Eshleman <bobby.eshleman@gmail.com> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Bobby Eshleman <bobby.eshleman@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Michal Orzel [Thu, 2 Feb 2023 08:49:05 +0000 (09:49 +0100)]
xen/arm: Add support for booting gzip compressed uImages
At the moment, Xen does not support booting gzip compressed uImages.
This is because we are trying to decompress the kernel before probing
the u-boot header. This leads to a failure as the header always appears
at the top of the image (and therefore obscuring the gzip header).
Move the call to kernel_uimage_probe before kernel_decompress and make
the function self-containing by taking the following actions:
- take a pointer to struct bootmodule as a parameter,
- check the comp field of a u-boot header to determine compression type,
- in case of compressed image, call kernel_decompress passing uImage
header size as an offset to gzip header,
- set up zimage.{kernel_addr,len} accordingly,
- return -ENOENT in case of a u-boot header not found to distinguish it
amongst other return values and make it the only case for falling
through to try to probe other image types.
Modify kernel_decompress to take an additional parameter being an offset
to a gzip header from start address. This is needed so that a function
can first operate on a region containing actually compressed kernel (in case
of compressed uImage, size of u-boot header is an offset to a gzip header)
and then at the end pass the entire region (as it was before taking an offset
into account) to fw_unreserved_regions for freeing.
This approach avoids splitting the uImage probing into 2 stages (executed
before and after decompression) which otherwise would be necessary to
properly parse header, update boot module start and size before
decompression and update zimage.{kernel_addr,len} afterwards.
Remove the limitation from the booting.txt documentation.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
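An added example, not Xen's code: a bounds-checked probe of the legacy u-boot image header that reads the comp field and locates the gzip header at an offset equal to the header size, as the commit message above describes. The names uimage_probe(), struct uimage_info and build_sample() are hypothetical, the return codes other than -ENOENT are assumptions, and header CRCs are not verified here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy u-boot image header: 64 bytes, multi-byte fields big-endian. */
#define UIMAGE_MAGIC    0x27051956u
#define UIMAGE_HDR_SIZE 64u
#define OFF_SIZE        12u   /* ih_size: payload length in bytes */
#define OFF_LOAD        16u   /* ih_load: load address */
#define OFF_EP          20u   /* ih_ep: entry point */
#define OFF_COMP        31u   /* ih_comp: compression type */
#define IH_COMP_NONE    0u
#define IH_COMP_GZIP    1u

/* Hypothetical result type for this example. */
struct uimage_info {
    uint32_t load, ep;
    size_t payload_off, payload_len;
    int gzip;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/*
 * Probe a boot module for a u-boot header.
 * Returns -ENOENT only when no header is present, so the caller can fall
 * through to other image types; every other failure is a hard error.
 */
int uimage_probe(const uint8_t *mod, size_t mod_len, struct uimage_info *out)
{
    uint32_t size;
    uint8_t comp;

    if (mod_len < UIMAGE_HDR_SIZE || get_be32(mod) != UIMAGE_MAGIC)
        return -ENOENT;

    size = get_be32(mod + OFF_SIZE);
    comp = mod[OFF_COMP];

    /* The header is untrusted: its size field must fit inside the module. */
    if (size == 0 || size > mod_len - UIMAGE_HDR_SIZE)
        return -EINVAL;
    if (comp != IH_COMP_NONE && comp != IH_COMP_GZIP)
        return -EOPNOTSUPP;
    /* A compressed payload starts with the gzip magic right after the header. */
    if (comp == IH_COMP_GZIP &&
        (size < 2 || mod[UIMAGE_HDR_SIZE] != 0x1f ||
         mod[UIMAGE_HDR_SIZE + 1] != 0x8b))
        return -EINVAL;

    out->load = get_be32(mod + OFF_LOAD);
    out->ep = get_be32(mod + OFF_EP);
    out->payload_off = UIMAGE_HDR_SIZE;
    out->payload_len = size;
    out->gzip = (comp == IH_COMP_GZIP);
    return 0;
}

/* Constructed sample: header plus 'len' payload bytes; not a real kernel. */
size_t build_sample(uint8_t *buf, uint8_t comp, uint32_t claimed, size_t len)
{
    memset(buf, 0, UIMAGE_HDR_SIZE + len);
    put_be32(buf, UIMAGE_MAGIC);
    put_be32(buf + OFF_SIZE, claimed);
    put_be32(buf + OFF_LOAD, 0x40080000u);   /* constructed address */
    put_be32(buf + OFF_EP, 0x40080000u);     /* constructed address */
    buf[OFF_COMP] = comp;
    if (len >= 2) {
        buf[UIMAGE_HDR_SIZE] = 0x1f;         /* gzip magic */
        buf[UIMAGE_HDR_SIZE + 1] = 0x8b;
    }
    return UIMAGE_HDR_SIZE + len;
}

int main(void)
{
    uint8_t buf[UIMAGE_HDR_SIZE + 16];
    struct uimage_info info;
    size_t n = build_sample(buf, IH_COMP_GZIP, 16, 16);

    printf("well-formed gzip uImage: %d\n", uimage_probe(buf, n, &info));
    build_sample(buf, IH_COMP_GZIP, 4096, 16);
    printf("size field beyond module: %d\n", uimage_probe(buf, n, &info));
    return 0;
}
```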
Michal Orzel [Thu, 2 Feb 2023 08:49:04 +0000 (09:49 +0100)]
xen/arm: Move kernel_uimage_probe definition after kernel_decompress
In a follow-up patch, we will be calling kernel_decompress function from
within kernel_uimage_probe to support booting compressed images with
u-boot header. Therefore, move the kernel_uimage_probe definition after
kernel_decompress so that the latter is visible to the former.
xen/device_tree: remove incorrect and unused dt_irq() and dt_irq_flags() macros
Macro dt_irq() is broken because the macro parameter has the same name with
the struct dt_irq member "irq".
Macro dt_irq_flags() is broken as well because struct dt_irq has no member
named "flags".
Since no one seems to have ever tried to use them and eventually stumble upon
the issues above, remove them instead of fixing them.
Fixes: 886f34045bf0 ("xen/arm: Add helpers to retrieve an interrupt description from the device tree") Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Acked-by: Julien Grall <jgrall@amazon.com>
Anthony PERARD [Wed, 8 Feb 2023 08:21:24 +0000 (09:21 +0100)]
libs/light: Makefile cleanup
Rework "libacpi.h" include in "libxl_x86_acpi.c" as to be more
selective about the include path and only add "tools/libacpi/". Also
"libxl_dom.c" doesn't use "libacpi.h" anymore. Use "-iquote" for libacpi
headers.
Get rid of the weird "$(eval stem =" in the middle of a recipe and use
a make automatic variable "$(*F)" instead.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com>
Anthony PERARD [Wed, 8 Feb 2023 08:21:11 +0000 (09:21 +0100)]
libs/light: Rework targets prerequisites
No need for $(AUTOSRCS), GNU make can generate them as needed when
trying to build the object. Also,
those two AUTOSRCS don't need to be a prerequisite of "all". As for
the "clean" target, those two files are already removed via "_*.c".
We don't need $(AUTOINCS) either:
- As for both _libxl_save_msgs*.h headers, we are adding more
selective dependencies so the headers will still be generated as
needed.
- "clean" rule already deletes the _*.h files, so AUTOINCS aren't needed
there.
"libxl_internal_json.h" doesn't seem to have ever existed, so the
dependency is removed.
Rework objects prerequisites, to have them dependent on either
"libxl.h" or "libxl_internal.h". "libxl.h" is not normally included
directly in the source code as "libxl_internal.h" is used instead, but
we have "libxl.h" as prerequisite of "libxl_internal.h", so generated
headers will still be generated as needed.
Make doesn't need "libxl.h" to generate "testidl.c", "libxl.h" is only
needed later when building "testidl.o". This avoids the need to
regenerate "testidl.c" when only "libxl.h" changed. Also use automatic
variables $< and $@.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com>
The following changes were done in Xen code base in comparison with OpenSBI:
* Remove "#include <sbi/sbi_const.h>" as most of the stuff inside
it is present in Xen code base.
* Add macros _UL and _ULL as they were in <sbi/sbi_const.h> before
* Add SATP32_MODE_SHIFT/SATP64_MODE_SHIFT/SATP_MODE_SHIFT as they will
be used in riscv/mm.c
* Add CAUSE_IRQ_FLAG which is going to be used inside exception
handler
* Change ulong to unsigned long in macros REG_PTR(...)
* Change s32 to int32_t
Originally authored by Anup Patel <anup.patel@wdc.com>
Work with some registers requires csr command which is part of
Zicsr.
Also ISA was changed from r64ima to r64g where G represents the
“IMAFDZicsr Zifencei” base and extensions so basically it is the same
as it was before plus additional extensions we will need in the
nearest future.
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
x86: do not include asm/hvm/support.h when not used
When none of the declarations and macro definitions in asm/hvm/support.h is
referred in the file, do not include the header.
To fix subsequent build errors, which were not triggered before due to the
indirect inclusion of the missing headers by asm/hvm/support.h, include any
missing headers.
No functional change intended.
Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Tue, 7 Feb 2023 14:18:18 +0000 (15:18 +0100)]
libxl/x86: use public interface TSC mode definitions
Now that they're properly represented in the public interface, stop
using literal numbers.
No functional change intended.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Anthony PERARD [Tue, 7 Feb 2023 14:17:53 +0000 (15:17 +0100)]
libs: Fix auto-generation of version-script for unstable libs
When there isn't a version-script for a shared library (like for
unstable libs), we create one based on the current Xen version. But
that version-script became out-of-date as soon as Xen's version
changes and make has no way to regenerate the version-script on
rebuild.
For unstable libs, we only need the symver to be different from a
previous release of Xen. There's an option "--default-symver" which
allows using the soname as symver and as the soname has the Xen
release version, it will be different for every release. With
--default-symver we don't need to generate a version-script.
But we also need to know if there's already an existing version script;
for that we introduce $(version-script) to be used to point to the
path of the existing script. (Guessing if a version script exists for a
stable library with for example $(wildcard) won't work as a file will
exist when building the library without this patch.)
We don't need the version-script unless we are making the shared
library so it is removed from the "all" target.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86/hygon: do not include asm/hvm/support.h when not used
Since none of the declarations and macro definitions in asm/hvm/support.h is
referred in x86/cpu/hygon.c, remove the unnecessary include.
To resolve the subsequent build error for implicit declaration of wrmsrl()
and rdmsrl() triggered in asm/spec_ctrl.h, replace asm/msr-index.h with
asm/msr.h in asm/spec_ctrl.h's included headers.
No functional change intended.
Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 6 Feb 2023 15:03:00 +0000 (16:03 +0100)]
tools/symbols: drop asm/types.h inclusion
While this has been there forever, it's not clear to me what it was
(thought to be) needed for. In fact, all three instances of the header
already exclude their entire bodies when __ASSEMBLY__ was defined.
Hence, with no other assembly files including this header, we can at the
same time get rid of those conditionals.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Bernhard Kaindl [Thu, 2 Feb 2023 17:13:19 +0000 (18:13 +0100)]
tools/xenmon: Fix xenmon.py for with python3.x
Fixes for Py3:
* class Delayed(): file not defined; also an error for pylint -E. Inherit
object instead for Py2 compatibility. Fix DomainInfo() too.
* Inconsistent use of tabs and spaces for indentation (in one block)
Signed-off-by: Bernhard Kaindl <bernhard.kaindl@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
"After caml_release_runtime_system() was called and until
caml_acquire_runtime_system() is called, the C code must not access any OCaml
data, nor call any function of the run-time system, nor call back into OCaml
code."
Previously, the value was a naked C pointer, so dereferencing it wasn't
"accessing any Ocaml data", but the fix to avoid naked C pointers added a
layer of indirection through an Ocaml Custom object, meaning that the common
pattern of using _H() in a blocking section is unsafe.
In order to fix:
* Drop the _H() macro and replace it with a static inline xch_of_val().
* Opencode the assignment into Data_custom_val() in the constructors.
* Rename "value xch" parameters to "value xch_val" so we can consistently
have "xc_interface *xch" on the stack, and obtain the pointer with the GC
lock still held.
* Drop the _D() macro while at it, because it's just pointless indirection.
Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free") Signed-off-by: Edwin Török <edwin.torok@cloud.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
"After caml_release_runtime_system() was called and until
caml_acquire_runtime_system() is called, the C code must not access any OCaml
data, nor call any function of the run-time system, nor call back into OCaml
code."
More than what the manual says, the intf pointer is (potentially) invalidated
by caml_enter_blocking_section() if another thread happens to perform garbage
collection at just the right (wrong) moment.
Rewrite the logic. There's no need to stash data in the Ocaml object until
the success path at the very end.
Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Edwin Török [Thu, 12 Jan 2023 11:38:38 +0000 (11:38 +0000)]
tools/ocaml/xc: Fix binding for xc_domain_assign_device()
The patch adding this binding was plain broken, and unreviewed. It modified
the C stub to add a 4th parameter without an equivalent adjustment in the
Ocaml side of the bindings.
In 64bit builds, this causes us to dereference whatever dead value is in %rcx
when trying to interpret the rflags parameter.
This has gone unnoticed because Xapi doesn't use this binding (it has its
own), but unbreak the binding by passing RDM_RELAXED unconditionally for
now (matching the libxl default behaviour).
Fixes: 9b34056cb4 ("tools: extend xc_assign_device() to support rdm reservation policy") Signed-off-by: Edwin Török <edwin.torok@cloud.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Andrew Cooper [Mon, 30 Jan 2023 16:37:49 +0000 (16:37 +0000)]
tools/ocaml/evtchn: Misc cleanup
* Remove local integers when all we're returning is Val_int() of another
variable. The CAMLlocal*() can't be optimised automatically, as it's
registered with the GC.
* Rename "virq_type" to "virq" and "_port" to "port".
* In stub_eventchn_pending(), rename 'port' to 'rc', to be consistent with
all other stubs that return xenevtchn_port_or_error_t.
* In stub_eventchn_unmask(), check for rc == -1 to be consistent with all
other stubs.
No practical change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
"After caml_release_runtime_system() was called and until
caml_acquire_runtime_system() is called, the C code must not access any OCaml
data, nor call any function of the run-time system, nor call back into OCaml
code."
Previously, the value was a naked C pointer, so dereferencing it wasn't
"accessing any Ocaml data", but the fix to avoid naked C pointers added a
layer of indirection through an Ocaml Custom object, meaning that the common
pattern of using _H() in a blocking section is unsafe.
In order to fix:
* Drop the _H() macro and replace it with a static inline xce_of_val().
* Opencode the assignment into Data_custom_val() in the two constructors.
* Rename "value xce" parameters to "value xce_val" so we can consistently
have "xenevtchn_handle *xce" on the stack, and obtain the pointer with the
GC lock still held.
Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak") Signed-off-by: Edwin Török <edwin.torok@cloud.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Andrew Cooper [Tue, 31 Jan 2023 10:59:42 +0000 (10:59 +0000)]
tools/ocaml/libs: Allocate the correct amount of memory for Abstract_tag
caml_alloc() takes units of Wsize (word size), not bytes. As a consequence,
we're allocating 4 or 8 times too much memory.
Ocaml has a helper, Wsize_bsize(), but it truncates cases which aren't an
exact multiple. Use a BUILD_BUG_ON() to cover the potential for truncation,
as there's no rounding-up form of the helper.
Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") Fixes: d3e649277a13 ("ocaml: add mmap bindings implementation.") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Edwin Török [Tue, 11 May 2021 15:56:50 +0000 (15:56 +0000)]
tools/oxenstored: validate config file before live update
The configuration file can contain typos or various errors that could prevent
live update from succeeding (e.g. a flag only valid on a different version).
Unknown entries in the config file would be ignored on startup normally,
add a strict --config-test that live-update can use to check that the config file
is valid *for the new binary*.
For compatibility with running old code during live update recognize
--live --help as an equivalent to --config-test.
Signed-off-by: Edwin Török <edvin.torok@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Edwin Török [Fri, 2 Dec 2022 17:17:32 +0000 (17:17 +0000)]
tools/ocaml: add 'make format' for OCaml files
Using `ocp-indent` for now to just make minimal modifications in
tabs vs spaces and get the right indentation.
This avoids perpetuating a formatting style that is inconsistent with
the rest of Xen, and that makes preparing and submitting patches more
difficult (OCaml indentation tools usually only support spaces, not tabs).
No functional change.
Signed-off-by: Edwin Török <edvin.torok@citrix.com> Acked-by: Christian Lindig <christian.lindig@citrix.com>
Anthony PERARD [Thu, 19 Jan 2023 15:22:55 +0000 (15:22 +0000)]
build: replace get-fields.sh by a python script
The get-fields.sh which generates all the include/compat/.xlat/*.h
headers is quite slow. It takes for example nearly 3 seconds to
generate platform.h on a recent machine, or 2.3 seconds for memory.h.
Rewriting the mix of shell/sed/python into a single python script makes
the generation of those files a lot faster.
No functional change, the headers generated are identical.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Cpuid leaf 4 contains information about how the state of the tsc, its
mode, and some additional information. A commit that is queued for
linux would like to use this to determine whether the tsc mode has been
set to 'no emulation' in order to make some decisions about which
clocksource is more reliable.
Expose this information in the public API headers so that they can
subsequently be imported into linux and used there.
Juergen Gross [Mon, 6 Feb 2023 07:52:15 +0000 (08:52 +0100)]
xen/public: move xenstore related doc into 9pfs.h
The Xenstore related documentation is currently to be found in
docs/misc/9pfs.pandoc, instead of the related header file
xen/include/public/io/9pfs.h like for most other paravirtualized
device protocols.
There is a comment in the header pointing at the document, but the
given file name is wrong. Additionally such headers are meant to be
copied into consuming projects (Linux kernel, qemu, etc.), so pointing
at a doc file in the Xen git repository isn't really helpful for the
consumers of the header.
This situation is far from ideal, which is already being proved by the
fact that neither qemu nor the Linux kernel are implementing the
device attach/detach protocol correctly.
Change that by moving the Xenstore related 9pfs documentation from
docs/misc/9pfs.pandoc into xen/include/public/io/9pfs.h.
x86/vpmu: remove unused svm and vmx specific headers
Fixes: 8c20aca6751b ("x86/vPMU: invoke <vendor>_vpmu_initialise() through a hook as well") Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Fixes: 2191599bacb7 ("x86/emul: Simplfy emulation state setup") Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
tools/python: change 's#' size type for Python >= 3.10
Python < 3.10 by default uses 'int' type for data+size string types
(s#), unless PY_SSIZE_T_CLEAN is defined - in which case it uses
Py_ssize_t. The former behavior was removed in Python 3.10 and now it's
required to define PY_SSIZE_T_CLEAN before including Python.h, and using
Py_ssize_t for the length argument. The PY_SSIZE_T_CLEAN behavior is
supported since Python 2.5.
Adjust bindings accordingly.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Luca Fancellu [Mon, 30 Jan 2023 11:01:32 +0000 (11:01 +0000)]
xen/cppcheck: add parameter to skip given MISRA rules
Add parameter to skip the passed MISRA rules during the cppcheck
analysis, the rules are specified as a list of comma separated
rules with the MISRA number notation (e.g. 1.1,1.3,...).
Modify convert_misra_doc.py script to take an extra parameter
giving a list of MISRA rules to be skipped, comma separated.
While there, fix some typos in the help and print functions.
Modify settings.py and cppcheck_analysis.py to have a new
parameter (--cppcheck-skip-rules) used to specify a list of
MISRA rules to be skipped during the cppcheck analysis.
Sort alphabetically cppcheck report entries when producing the text
report, this will help comparing different reports and will group
together findings from the same file.
The sort operation is performed with two criteria, the first one is
sorting by misra rule, the second one is sorting by file.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
[stefano: add black line for code style] Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
xen/arm: Probe the load/entry point address of an uImage correctly
Currently, kernel_uimage_probe() does not read the load/entry point address
set in the uImage header. Thus, info->zimage.start is 0 (default value). This
causes kernel_zimage_place() to treat the binary (contained within uImage)
as position independent executable. Thus, it loads it at an incorrect
address.
The correct approach would be to read "uimage.load" and set
info->zimage.start. This will ensure that the binary is loaded at the
correct address. Also, read "uimage.ep" and set info->entry (ie kernel entry
address).
If user provides load address (ie "uimage.load") as 0x0, then the image is
treated as position independent executable. Xen can load such an image at
any address it considers appropriate. A position independent executable
cannot have a fixed entry point address.
This behavior is applicable for both arm32 and arm64 platforms.
Earlier for arm32 and arm64 platforms, Xen was ignoring the load and entry
point address set in the uImage header. With this commit, Xen will use them.
This makes the behavior of Xen consistent with uboot for uimage headers.
Users who want to use Xen with statically partitioned domains, can provide
non zero load address and entry address for the dom0/domU kernel. It is
required that the load and entry address provided must be within the memory
region allocated by Xen.
A deviation from uboot behaviour is that we consider load address == 0x0,
to denote that the image supports position independent execution. This
is to make the behavior consistent across uImage and zImage.
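The probe described in this commit message, sketched as an added example (not Xen's kernel_uimage_probe(); the function and struct names, the guest RAM window and the rejection of a non-zero entry point for a position independent image are assumptions of the example). It reads the big-endian size, load and entry fields of the 64-byte legacy uImage header and checks them with overflow-safe arithmetic:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UIMAGE_MAGIC   0x27051956u   /* legacy U-Boot image magic */
#define UIMAGE_HDR_LEN 64            /* fixed-size header, big-endian fields */

struct placement { uint32_t start, entry, len; int pic; };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Hypothetical probe: 0 on success, negative on reject. The guest RAM
 * window is [base, base + size). Header and data CRCs are not verified. */
int uimage_probe(const uint8_t *img, size_t img_len,
                 uint32_t base, uint32_t size, struct placement *out)
{
    if (img_len < UIMAGE_HDR_LEN || be32(img) != UIMAGE_MAGIC)
        return -1;                                   /* not a uImage */

    uint32_t len = be32(img + 12);                   /* payload size */
    uint32_t load = be32(img + 16), ep = be32(img + 20);

    if (len > img_len - UIMAGE_HDR_LEN)
        return -2;                                   /* truncated payload */

    *out = (struct placement){ load, ep, len, load == 0 };
    if (out->pic)                  /* load == 0: loader picks the address */
        return ep == 0 ? 0 : -3;   /* assumption: fixed entry is an error */

    /* 64-bit sums so load + len and base + size cannot wrap around. */
    uint64_t end = (uint64_t)load + len, rend = (uint64_t)base + size;
    if (load < base || end > rend)
        return -4;                                   /* image outside RAM */
    if (ep < base || ep >= rend)
        return -5;                                   /* entry outside RAM */
    return 0;
}

/* Constructed input: header plus 16 payload bytes, RAM at 0x40000000/128MB. */
int demo(uint32_t load, uint32_t ep)
{
    uint8_t img[UIMAGE_HDR_LEN + 16] = { 0 };
    struct placement p;

    put_be32(img, UIMAGE_MAGIC);
    put_be32(img + 12, 16);
    put_be32(img + 16, load);
    put_be32(img + 20, ep);
    return uimage_probe(img, sizeof(img), 0x40000000u, 0x08000000u, &p);
}

int main(void)
{
    printf("fixed: %d, pic: %d, outside: %d\n",
           demo(0x40080000u, 0x40080000u), demo(0, 0),
           demo(0x10000000u, 0x10000000u));
    return 0;
}
```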
Andrew Cooper [Wed, 25 Jan 2023 16:18:16 +0000 (16:18 +0000)]
x86/shadow: Fix PV32 shadowing when CONFIG_HVM is enabled
The OSSTest bisector identified an issue with c/s 1894049fa283 ("x86/shadow:
L2H shadow type is PV32-only") in !HVM builds.
The bug is ultimately caused by sh_type_to_size[] not actually being specific
to HVM guests, and its position in shadow/hvm.c misled the reasoning.
To fix the issue that OSSTest identified, SH_type_l2h_64_shadow must still
have the value 1 in any CONFIG_PV32 build. But simply adjusting this leaves
us with misleading logic, and a reasonable chance of making a related error
again in the future.
In hindsight, moving sh_type_to_size[] out of common.c in the first place was a
mistake. Therefore, move sh_type_to_size[] back to living in common.c,
leaving a comment explaining why it happens to be inside an HVM conditional.
This effectively reverts the second half of 4fec945409fc ("x86/shadow: adjust
and move sh_type_to_size[]") while retaining the other improvements from the
same changeset.
While making this change, also adjust the sh_type_to_size[] declaration to
match its definition.
Fixes: 4fec945409fc ("x86/shadow: adjust and move sh_type_to_size[]") Fixes: 1894049fa283 ("x86/shadow: L2H shadow type is PV32-only") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: George Dunlap <george.dunlap@cloud.com>
Jason Andryuk [Thu, 26 Jan 2023 09:58:23 +0000 (10:58 +0100)]
libxl: fix guest kexec - skip cpuid policy
When a domain performs a kexec (soft reset), libxl__build_pre() is
called with the existing domid. Calling libxl__cpuid_legacy() on the
existing domain fails since the cpuid policy has already been set, and
the guest isn't rebuilt and doesn't kexec.
xc: error: Failed to set d1's policy (err leaf 0xffffffff, subleaf 0xffffffff, msr 0xffffffff) (17 = File exists): Internal error
libxl: error: libxl_cpuid.c:494:libxl__cpuid_legacy: Domain 1:Failed to apply CPUID policy: File exists
libxl: error: libxl_create.c:1641:domcreate_rebuild_done: Domain 1:cannot (re-)build domain: -3
libxl: error: libxl_xshelp.c:201:libxl__xs_read_mandatory: xenstore read failed: `/libxl/1/type': No such file or directory
libxl: warning: libxl_dom.c:49:libxl__domain_type: unable to get domain type for domid=1, assuming HVM
During a soft_reset, skip calling libxl__cpuid_legacy() to avoid the
issue. Before commit 34990446ca91, the libxl__cpuid_legacy() failure
would have been ignored, so kexec would continue.
Fixes: 34990446ca91 ("libxl: don't ignore the return value from xc_cpuid_apply_policy") Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
I'm observing guest kexec trigger xenstored to abort on a double free.
gdb output:
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
at ./nptl/pthread_kill.c:44
at ./nptl/pthread_kill.c:78
at ./nptl/pthread_kill.c:89
at ../sysdeps/posix/raise.c:26
at talloc.c:119
ptr=ptr@entry=0x559fae724290) at talloc.c:232
at xenstored_core.c:2945
(gdb) frame 5
at talloc.c:119
119 TALLOC_ABORT("Bad talloc magic value - double free");
(gdb) frame 7
at xenstored_core.c:2945
2945 talloc_increase_ref_count(conn);
(gdb) p conn
$1 = (struct connection *) 0x559fae724290
The trace shows that DESTROY was called for connection 0x559fae724290,
but that is the same pointer (conn) main() was looping through from
connections. So it wasn't actually removed from the connections list?
Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling
connection I/O" fixes the abort/double free. I think the use of
list_for_each_entry_safe is incorrect. list_for_each_entry_safe makes
traversal safe for deleting the current iterator, but RELEASE/do_release
will delete some other entry in the connections list. I think the
observed abort is because list_for_each_entry has next pointing to the
deleted connection, and it is used in the subsequent iteration.
Add a comment explaining the unsuitability of list_for_each_entry_safe.
Also notice that the old code takes a reference on next which would
prevent a use-after-free.
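The failure mode described in this commit message, as an added example (a self-contained model, not xenstored's code; struct conn, the refs counter standing in for talloc references and all function names are assumptions of the example). The "safe" walk saves the successor before the loop body runs, so a body that releases that successor leaves the loop holding a stale pointer; the second walk pins the successor and re-reads it afterwards:

```c
#include <stdbool.h>
#include <stdio.h>

/* Model connection: refs == 0 stands in for freed memory (no real free here). */
struct conn {
    struct conn *prev, *next;
    int id, refs, releases;   /* releases: id this entry unlinks when handled */
    bool linked;
};

static void conn_release(struct conn *c)
{
    c->prev->next = c->next;
    c->next->prev = c->prev;
    c->linked = false;
    c->refs--;                /* the list's reference goes away */
}

/* Loop body: like RELEASE, it may delete an entry other than the current one. */
static void handle(struct conn *head, struct conn *c)
{
    for (struct conn *v = head->next; v != head; v = v->next)
        if (v->id == c->releases) { conn_release(v); return; }
}

/* list_for_each_entry_safe pattern: successor saved before the body runs. */
int walk_safe(struct conn *head)
{
    int handled = 0;
    struct conn *c = head->next, *n = c->next;
    while (c != head) {
        if (c->refs == 0) return -1;   /* iterated onto a freed entry */
        handle(head, c); handled++;
        c = n; n = c->next;
    }
    return handled;
}

/* Pin the successor across the body, then re-read it if it was unlinked. */
int walk_pinned(struct conn *head)
{
    int handled = 0;
    for (struct conn *c = head->next, *n; c != head; c = n) {
        n = c->next;
        n->refs++;
        handle(head, c); handled++;
        bool gone = !n->linked;
        n->refs--;                     /* last reference may drop here */
        if (gone) n = c->next;         /* c is still linked in this model */
    }
    return handled;
}

/* Constructed list 1 -> 2 -> 3 where handling 1 releases 2. */
static void build(struct conn *head, struct conn *pool)
{
    *head = (struct conn){ head, head, 0, 1, -1, true };
    for (int i = 0; i < 3; i++) {
        pool[i] = (struct conn){ head->prev, head, i + 1, 1, i ? -1 : 2, true };
        head->prev->next = &pool[i];
        head->prev = &pool[i];
    }
}

int demo_safe(void)   { struct conn h, p[3]; build(&h, p); return walk_safe(&h); }
int demo_pinned(void) { struct conn h, p[3]; build(&h, p); return walk_pinned(&h); }

int main(void)
{
    printf("safe: %d, pinned: %d\n", demo_safe(), demo_pinned());
    return 0;
}
```

The model only covers a body that releases entries other than the current one; a body that can also release the current entry needs the same pin on it.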
Michal Orzel [Mon, 23 Jan 2023 13:10:23 +0000 (14:10 +0100)]
automation: Modify static-mem check in qemu-smoke-dom0less-arm64.sh
At the moment, the static-mem check relies on the way Xen exposes the
memory banks in device tree. As this might change, the check should be
modified to be generic and not to rely on device tree. In this case,
let's use /proc/iomem which exposes the memory ranges in %08x format
as follows:
<start_addr>-<end_addr> : <description>
This way, we can grep in /proc/iomem for an entry containing memory
region defined by the static-mem configuration with "System RAM"
description. If it exists, mark the test as passed. Also, take the
opportunity to add 0x prefix to domu_{base,size} definition rather than
adding it in front of each occurrence.
Julien Grall [Tue, 24 Jan 2023 19:32:14 +0000 (19:32 +0000)]
xen/arm32: head: Remove restriction where to load Xen
At the moment, bootloaders can load Xen anywhere in memory but the
region 2MB - 4MB. While I am not aware of any issue, we have no way
to tell the bootloader to avoid that region.
In addition to that, in the future, Xen may grow over 2MB if we
enable feature like UBSAN or GCOV. To avoid widening the restriction
on the load address, it would be better to get rid of it.
When the identity mapping is clashing with the Xen runtime mapping,
we need an extra indirection to be able to replace the identity
mapping with the Xen runtime mapping.
Reserve a new memory region that will be used to temporarily map Xen.
For convenience, the new area is re-using the same first slot as the
domheap which is used for per-cpu temporary mapping after a CPU has
booted.
Furthermore, directly map boot_second (which covers Xen and more)
to the temporary area. This will avoid to allocate an extra page-table
for the second-level and will be helpful for follow-up patches (we will
want to use the fixmap whilst in the temporary mapping).
Lastly, some part of the code now needs to know whether the temporary
mapping was created. So reserve r12 to store this information.
Julien Grall [Tue, 24 Jan 2023 19:31:11 +0000 (19:31 +0000)]
xen/arm32: head: Introduce an helper to flush the TLBs
The sequence for flushing the TLBs is 4 instructions long and often
requires an explanation how it works.
So create a helper and use it in the boot code (switch_ttbr() is left
alone until we decide the semantic of the call).
Note that in secondary_switched, we were also flushing the instruction
cache and branch predictor. Neither of them was necessary because:
* We are only supporting IVIPT cache on arm32, so the instruction
cache flush is only necessary when executable code is modified.
None of the boot code is doing that.
* The instruction cache is not invalidated and misprediction is not
a problem at boot.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com> Tested-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Tue, 24 Jan 2023 19:31:08 +0000 (19:31 +0000)]
xen/arm32: head: Jump to the runtime mapping in enable_mmu()
At the moment, enable_mmu() will return to an address in the 1:1 mapping
and each path is responsible to switch to the runtime mapping.
In a follow-up patch, the behavior to switch to the runtime mapping
will become more complex. So to avoid more code/comment duplication,
move the switch in enable_mmu().
Lastly, take the opportunity to replace load from literal pool with
mov_w.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Tested-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Tue, 24 Jan 2023 19:27:49 +0000 (19:27 +0000)]
xen/arm: Clean-up the memory layout
In a follow-up patch, the base address for the common mappings will
vary between arm32 and arm64. To avoid any duplication, define
every mapping in the common region from the previous one.
Take the opportunity to:
* add missing *_SIZE for FIXMAP_VIRT_* and XEN_VIRT_*
* switch to MB()/GB() to avoid hexadecimal (easier to read)
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Tue, 24 Jan 2023 19:26:09 +0000 (19:26 +0000)]
xen/arm32: flushtlb: Reduce scope of barrier for local TLB flush
Per G5-9224 in ARM DDI 0487I.a:
"A DSB NSH is sufficient to ensure completion of TLB maintenance
instructions that apply to a single PE. A DSB ISH is sufficient to
ensure completion of TLB maintenance instructions that apply to PEs
in the same Inner Shareable domain.
"
This is quoting the Armv8 specification because I couldn't find an
explicit statement in the Armv7 specification. Instead, I could find
bits in various places that confirm the same implementation.
Furthermore, Linux has been using 'nsh' since 2013 (62cbbc42e001
"ARM: tlb: reduce scope of barrier domains for TLB invalidation").
This means barrier after local TLB flushes could be reduced to
non-shareable.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Tue, 24 Jan 2023 19:25:50 +0000 (19:25 +0000)]
xen/arm64: flushtlb: Implement the TLBI repeat workaround for TLB flush by VA
Looking at the Neoverse N1 errata document, it is not clear to me
why the TLBI repeat workaround is not applied for TLB flush by VA.
The TLB flush by VA helpers are used in flush_xen_tlb_range_va_local()
and flush_xen_tlb_range_va(). So if the range size is a fixed size smaller
than a PAGE_SIZE, it would be possible that the compiler removes the loop
and therefore replicate the sequence described in the erratum 1286807.
So the TLBI repeat workaround should also be applied for the TLB flush
by VA helpers.
Fixes: 22e323d115d8 ("xen/arm: Add workaround for Cortex-A76/Neoverse-N1 erratum #1286807") Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com>
Julien Grall [Tue, 24 Jan 2023 19:25:19 +0000 (19:25 +0000)]
xen/arm64: flushtlb: Reduce scope of barrier for local TLB flush
Per D5-4929 in ARM DDI 0487H.a:
"A DSB NSH is sufficient to ensure completion of TLB maintenance
instructions that apply to a single PE. A DSB ISH is sufficient to
ensure completion of TLB maintenance instructions that apply to PEs
in the same Inner Shareable domain.
"
This means barrier after local TLB flushes could be reduced to
non-shareable.
Note that the scope of the barrier in the workaround has not been
changed because Linux v6.1-rc8 is also using 'ish' and I couldn't
find anything in the Neoverse N1 suggesting that a 'nsh' would
be sufficient.
Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Tested-by: Henry Wang <Henry.Wang@arm.com>
ns16550: fix the use of simple_strtoul() for parsing u64
One should be using simple_strtoull() ( instead of simple_strtoul() )
to assign value to 'u64' variable. The reason being u64 can be
represented by 'unsigned long long' on all the platforms (ie Arm32,
Arm64 and x86).
Suggested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Anthony PERARD [Mon, 23 Jan 2023 14:03:58 +0000 (15:03 +0100)]
build: fix building flask headers before descending in flask/ss/
Unfortunately, adding prerequisite to "$(obj)/ss/built_in.o" doesn't
work because we have "$(obj)/%/built_in.o: $(obj)/% ;" in Rules.mk.
So, make is allowed to try to build objects in "xsm/flask/ss/" before
generating the headers.
Adding a prerequisite on "$(obj)/ss" instead will fix the issue as
that's the target used to run make in this subdirectory.
Unfortunately, that target is also used when running `make clean`, so
we want to ignore it in this case. $(MAKECMDGOALS) can't be used in
this case as it is empty, but we can guess which operation is done by
looking at the list of loaded makefiles.
Fixes: 7a3bcd2babcc ("build: build everything from the root dir, use obj=$subdir") Reported-by: "Daniel P. Smith" <dpsmith@apertussolutions.com> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 14 Dec 2021 16:51:28 +0000 (16:51 +0000)]
x86/hvm: Enable guest access to MSR_PKRS
Have guest_{rd,wr}msr(), via hvm_{get,set}_reg(), access either the live
register, or stashed state, depending on context. Include MSR_PKRS for
migration, and let the guest have full access.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 14 Dec 2021 16:51:28 +0000 (16:51 +0000)]
x86/hvm: Context switch MSR_PKRS
Under PKS, MSR_PKRS is available and based on the CPUID policy alone, and
usable independently of CR4.PKS. See the large comment in prot-key.h for
details of the context switching arrangement.
Use WRMSRNS right away, as we don't care about serialising properties for
context switching this MSR.
Sanitise MSR_PKRS on boot. In anticipation of wanting to use PKS for Xen in
the future, arrange for the sanitisation to occur prior to potentially setting
CR4.PKS; if PKEY0.{AD,WD} leak in from a previous context, we will triple
fault immediately on setting CR4.PKS.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com>
Andrew Cooper [Tue, 14 Dec 2021 16:51:28 +0000 (16:51 +0000)]
x86/prot-key: Split PKRU infrastructure out of asm/processor.h
asm/processor.h is in desperate need of splitting up, and protection key
functionality is only used in the emulator and pagewalk. Introduce a new
asm/prot-key.h and move the relevant content over.
Rename the PKRU_* constants to drop the user part and to use the architectural
terminology.
Drop the read_pkru_{ad,wd}() helpers entirely. The pkru infix is about to
become wrong, and the sole user is shorter and easier to follow without the
helpers.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 14 Dec 2021 16:51:28 +0000 (16:51 +0000)]
x86/prot-key: Enumeration for Protection Key Supervisor
Protection Key Supervisor works in a very similar way to Protection Key User,
except that instead of a PKRU register used by the {RD,WR}PKRU instructions,
the supervisor protection settings live in MSR_PKRS and are accessed using
normal {RD,WR}MSR instructions.
PKS has the same problematic interactions with PV guests as PKU (more in fact,
given the guest kernel's CPL), so we'll only support this for HVM guests for
now.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 10 Jan 2023 10:57:21 +0000 (10:57 +0000)]
x86/boot: Sanitise PKRU on boot
While the reset value of the register is 0, it might not be after kexec/etc.
If PKEY0.{WD,AD} have leaked in from an earlier context, construction of a PV
dom0 will explode.
Sequencing wise, this must come after setting CR4.PKE, and before we touch any
user mappings.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 18 Jan 2023 19:20:05 +0000 (19:20 +0000)]
x86/vmx: Partially revert "x86/vmx: implement Notify VM Exit"
The original patch tried to do two things - implement VMNotify, and
re-optimise VT-x to not intercept #DB/#AC by default.
The second part is buggy in multiple ways. Both GDBSX and Introspection need
to conditionally intercept #DB, which was not accounted for. Also, #DB
interception has nothing at all to do with cpu_has_monitor_trap_flag.
Revert the second half, leaving #DB/#AC intercepted unilaterally, but with
VMNotify active by default when available.
Fixes: 573279cde1c4 ("x86/vmx: implement Notify VM Exit") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>