Tamas K Lengyel [Thu, 7 Jul 2016 12:25:50 +0000 (14:25 +0200)]
monitor: rename and relocate vm_event_monitor_traps
The function vm_event_monitor_traps actually belongs in the monitor subsystem.
As part of this patch we fix the sync input's type to bool_t to match how
the callers use it.
Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Wei Liu [Sat, 2 Jul 2016 11:35:30 +0000 (12:35 +0100)]
libxl/netbsd: check num_exec in hotplug function
This basically replicates the same logic in libxl_linux.c but with one
change -- only test num_exec == 0 in nic hotplug case because NetBSD let
QEMU call a script itself. Without this patch libxl will loop
indefinitely trying to execute hotplug script.
Jan Beulich [Tue, 5 Jul 2016 09:17:53 +0000 (11:17 +0200)]
x86emul: fold local variables
Declare some variables to they can be used by multiple pieces of code,
allowing some figure braces to be dropped (which don't align nicely
when used inside of case labeled statements).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 5 Jul 2016 09:17:25 +0000 (11:17 +0200)]
x86emul: drop pointless and add useful default cases
There's no point in having default cases when all possible values have
respective case statements, or when there's just a "break" statement.
Otoh the two main switch() statements better get default cases added,
just to cover the case of someone altering one of the two lookup arrays
without suitably changing these switch statements.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
A VM_EVENT_FLAG_VCPU_PAUSED flag in a vm-event response should only be treated
as informative that the toolstack user wants the vm-event subsystem to unpause
the target vCPU, but not be relied upon to decide if the target vCPU is actually
paused.
That being said, this patch does the following:
* Fixes (replaces) the old behavior in vm_event_resume, which relied on
VM_EVENT_FLAG_VCPU_PAUSED to determine if the target vCPU is paused, by
actually checking the vCPU vm-event pause-count.
* ASSERTs that the vCPU is paused in vm_event_set_registers and
vm_event_toggle_singlestep.
* Ignores VM_EVENT_FLAG_DENY @ vm_event_register_write_resume if the target vCPU
is not paused. Also adjusts comment in public/vm_event.h to reflect that.
Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Tamas K Lengyel [Mon, 4 Jul 2016 10:10:00 +0000 (12:10 +0200)]
x86/vm_event: add HVM debug exception vm_events
Since in-guest debug exceptions are now unconditionally trapped to Xen, adding
a hook for vm_event subscribers to tap into this new always-on guest event. We
rename along the way hvm_event_breakpoint_type to hvm_event_type to better
match the various events that can be passed with it. We also introduce the
necessary monitor_op domctl's to enable subscribing to the events.
This patch also provides monitor subscribers to int3 events proper access
to the instruction length necessary for accurate event-reinjection. Without
this subscribers manually have to evaluate if the int3 instruction has any
prefix attached which would change the instruction length.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Tianyang Chen [Thu, 30 Jun 2016 12:01:02 +0000 (14:01 +0200)]
sched: rtds: use non-atomic bit-ops
Vcpu flags are checked and cleared atomically. Performance can be
improved with corresponding non-atomic versions since schedule.c
already has spin_locks in place.
Tianyang Chen [Thu, 30 Jun 2016 12:00:34 +0000 (14:00 +0200)]
sched: rtds code clean-up
No functional change:
-aligned comments in rt_vcpu struct
-removed double underscores from the names of some functions
-fixed coding sytle for control structures involving lists
-fixed typos in the comments
-added comments for UPDATE_LIMIT_SHIFT
Below commit introduced a new macro MSR_IA32_FEATURE_CONTROL for
IA32_FEATURE_CONTROL MSR but it didn't remove old IA32_FEATURE_CONTROL_MSR
macro. The new one has better naming convention, so remove the old as a
duplication. Also move the macros of bit definition of IA32_FEATURE_CONTROL MSR
down to make them together with the new one. The *_MSR* infix is also removed as
it is pointless.
mwait-idle: prevent SKL-H boot failure when C8+C9+C10 enabled
Some SKL-H configurations require "max_cstate=7" to boot.
While that is an effective workaround, it disables C10.
......
Above commit also used SGX_ENABLE (bit 18) in IA32_FEATURE_CONTROL MSR without a
macro for it. A new macro IA32_FEATURE_CONTROL_SGX_ENABLE is also added for
better code and future use.
Relevant code that uses those macros are changed accordingly.
Signed-off-by: Kai Huang <kai.huang@linux.intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Wed, 29 Jun 2016 14:38:50 +0000 (16:38 +0200)]
x86/EFI + Live Patch: avoid symbol address truncation
ld associates __init_end, placed outside of any section by the linker
script, with the following section, resulting in a huge (wrapped, as it
would be negative) section relative offset. COFF symbol tables store
section relative addresses, and hence the above leads to assembler
truncation warnings when all symbols get included in the symbol table
(for Live Patching code). To overcome this, move __init_end past both
ALIGN() directives. The consuming code (init_done()) is fine with such
an adjustment (the distinction really would only be relevant for the
loop claring the pages, and I think it's acceptable to clear a few
more on - for now - EFI). This effectively results in the
(__init_begin,__init_end) and (__2M_init_start,__2M_init_end) pairs to
become identical, with their different names only serving documentation
purposes now.
Note that moving __init_end and __2M_init_end into .init is not a good
idea, as that would significantly grow xen.efi binary size.
While inspecting symbol table and ld behavior I also noticed that
__2M_text_start gets put at address zero in the EFI case, which hasn't
caused problems solely because we don't actually reference that symbol.
Correct the setting of the initial address, and comment out said symbol
for the time being, as with the initial address correction it would in
turn cause an assembler truncation warning similar to the one mentioned
above.
While checking init_done() for correctness with the above changes I
noticed that code can easily be folded there, at once correcting the
logged amount of memory which has got freed for the 2M-alignment case
(i.e. EFI right now).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Julien Grall [Tue, 28 Jun 2016 16:17:08 +0000 (17:17 +0100)]
xen: Use typesafe gfn in xenmem_add_to_physmap_one
The x86 version of the function xenmem_add_to_physmap_one contains
variable name gpfn and gfn which make the code very confusing.
I have left unchanged for now.
Also, rename gpfn to gfn in the ARM version as the latter is the correct
acronym for a guest physical frame.
Finally, remove the trailing whitespace around the changes.
the arm64 image header changed. While the size of the header isn't changed,
some members have changed their usage.
Update Xen to this updated image header.
The main changes are that the first magic is gone and that there is an
image size, now.
In case we read a size != 0, let's use this image size, now. This does
allow us to check if the kernel Image is larger than the size given in
the device tree, too.
Additionally, add an error message if the magic is not found. This might
be the case with kernel's < 3.12 prior to
This is acceptable as the support of Xen for ARM64 in Linux has been added
in Linux 3.11 and the number of boards supported by Linux 3.11 on ARM64 is
very limited: ARM models and X-gene. And for the latter it was an early
support with only the serial and timer upstreamed.
Tamas K Lengyel [Tue, 28 Jun 2016 09:36:03 +0000 (11:36 +0200)]
vm_event: clear up return value of vm_event_monitor_traps
The return value has not been clearly defined, with the function
never returning 0 which seemingly indicated a condition where the
guest should crash.
In this patch we define -rc as error condition where a subscriber is
present but an error prevented the notification from being sent;
0 where there is no subscriber or the notification was sent and the vCPU
is not paused (i.e. safe to continue execution as normal); and 1 where the
notification was sent with the vCPU paused and we are waiting for a
response.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:35:40 +0000 (11:35 +0200)]
vt-d: convert conditionals of qi_ctrl->qinval_maddr into ASSERT()s
QI ought to have got disabled if any of the IOMMU table setup
failed. A QI function (other than enable_qinval) is unreachable
when qi_ctrl->qinval_maddr is zero.
Signed-off-by: Quan Xu <quan.xu@intel.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:35:19 +0000 (11:35 +0200)]
vt-d: synchronize for Device-TLB flush one by one
Today we do Device-TLB flush synchronization after issuing flush
requests for all ATS devices belonging to a VM. Doing so however
imposes a limitation, i.e. that we can not figure out which flush
request is blocked in the flush queue list, based on VT-d spec.
To prepare correct Device-TLB flush timeout handling in next patch,
we change the behavior to synchronize for every Device-TLB flush
request. So the Device-TLB flush interface is changed a little bit,
by checking timeout within the function instead of outside of function.
Accordingly we also do a similar change for flush interfaces of
IOTLB/IEC/Context, i.e. moving synchronization into the function.
Since there is no user of a non-synced interface, we just rename
existing ones with _sync suffix.
Signed-off-by: Quan Xu <quan.xu@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:33:39 +0000 (11:33 +0200)]
IOMMU: add a timeout parameter for device IOTLB invalidation
The parameter 'iommu_dev_iotlb_timeout' specifies the timeout
of device IOTLB invalidation in milliseconds. By default, the
timeout is 1000 milliseconds, which can be boot-time changed.
We also confirmed with VT-d hardware team that 1 milliseconds
is large enough for VT-d IOMMU internal invalidation.
the existing panic() is eliminated and we bubble up the timeout
of device IOTLB invalidation for further processing, as the
PCI-e Address Translation Services (ATS) mandates a timeout of
60 seconds for device IOTLB invalidation. Obviously we can't
spin for 60 seconds or otherwise Xen hypervisor hangs.
Signed-off-by: Quan Xu <quan.xu@intel.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:26 +0000 (10:04 -0400)]
xsm: add a default policy to .init.data
This adds a Kconfig option and support for including the XSM policy from
tools/flask/policy in the hypervisor so that the bootloader does not
need to provide a policy to get sane behavior from an XSM-enabled
hypervisor. The policy provided by the bootloader, if present, will
override the built-in policy.
Enabling this option only builds the policy if checkpolicy is available
during compilation of the hypervisor; otherwise, it does nothing. The
XSM policy is not moved out of tools because that remains the primary
location for installing and configuring the policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:24 +0000 (10:04 -0400)]
xsm: clean up unregistration
The only possible value of original_ops was &dummy_xsm_ops, and
unregister_xsm was never used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:23 +0000 (10:04 -0400)]
xsm: annotate setup functions with __init
These functions were only called from __init functions.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Tue, 21 Jun 2016 17:09:23 +0000 (13:09 -0400)]
xen: move FLASK entry under XSM in Kconfig
Since enabling XSM is required to enable FLASK, place the option for
FLASK below the one for XSM. In addition, since it does not make sense
to enable XSM without any XSM providers, and FLASK is the only XSM
provider, hide the option to disable FLASK under EXPERT.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Jan Beulich [Fri, 24 Jun 2016 09:50:07 +0000 (11:50 +0200)]
init: fix build with older gcc
__setup_str is used on arrays of char, so there aren't any relocatable
items. Hence __initconst has to be used here, not __initconstrel.
Whatever led to the revert of commit 59b151d2c0 (the original version
of a6066af5b1 "xen/init: Annotate all command line parameter
infrastructure as const" must have got addressed meanwhile - with the
patch here I can't see that old gcc (4.3ish) report a section type
conflict anymore.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tamas K Lengyel [Fri, 24 Jun 2016 08:31:45 +0000 (10:31 +0200)]
monitor: Rename hvm/event to hvm/monitor
Mechanical renaming to better describe that the code in hvm/event is part of
the monitor subsystem.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Tamas K Lengyel [Fri, 24 Jun 2016 08:26:32 +0000 (10:26 +0200)]
monitor: rename vm_event_monitor_get_capabilities
The monitor_get_capabilities check actually belongs to the monitor subsystem so
relocating and renaming it to sanitize the code's name and location. Mechanical
patch, no code changes introduced.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Julien Grall <julien.grall@arm.com>
Wei Liu [Thu, 23 Jun 2016 15:10:29 +0000 (16:10 +0100)]
xen: make available hvm_fep to non-debug build as well
Originally hvm_fep was guarded by NDEBUG, which means it was only
available to debug builds.
However there is value in having it in non-debug builds as well. Users
can use it to run tests in a setup that replicates a production
environment.
Make it clear with a sync_console style warning that this option can't
be used in production setup. Update command line documentation
accordingly. Finally mark Xen as tainted when this feature is used.
Add a kconfig option under x86 to configure hvm_fep.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Besides the 14MHz external clock, the SCIF might be clocked by an
internal 66MHz clock. If this is the case, the current clock source
selection breaks this configuration. Same for the settings done by
the firmware for data bits, stop bits and parity.
Completely drop this and rely on the settings done by the firmware.
Dirk Behme [Wed, 22 Jun 2016 11:49:06 +0000 (13:49 +0200)]
xen/arm: drivers: scif: Remove dead code
The two struct members baud and clock_hz are in the end read only
variables nowhere used for anything useful. Removing them makes
the code much simpler without changing any functionality.
Julien Grall [Thu, 23 Jun 2016 15:50:19 +0000 (17:50 +0200)]
arm: rename gmfn_to_mfn to gfn_to_mfn and use gfn/mfn typesafe
The correct acronym for a guest physical frame is gfn. Also use
the recently introduced typesafe gfn/mfn to avoid mixing the two
different kind of frame.
Jan Beulich [Thu, 23 Jun 2016 15:48:45 +0000 (17:48 +0200)]
x86emul: support MOVBE and CRC32
The former in an attempt to at least gradually support all simple data
movement instructions. The latter just because it shares the opcode
with the former.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 23 Jun 2016 15:47:44 +0000 (17:47 +0200)]
VMX: ensure MSR index enum and array remain in sync
... by using dedicated initializers. Also add an ASSERT() to make sure
unintentional addition of holes to the array gets noticed. Ditch
MSR_INDEX_SIZE as redundant with VMX_MSR_COUNT.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Thu, 23 Jun 2016 15:46:55 +0000 (17:46 +0200)]
VMX: use non-atomic bitops to manage MSR state
All host_msr_state accesses are solely on the owning CPU, and all
guest_msr_state ones solely when the vCPU is current or being switched
to. This, btw, is also in line with the use of find_first_set_bit()
(which would be bogus if ->flags could get updated behind its back).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Tue, 21 Jun 2016 16:38:25 +0000 (17:38 +0100)]
xen/init: Move initcall infrastructure into .init.data
Its contents is constant.
The ALIGN(32) is also dropped. On x86, there is nothing between it and a
larger alignment. On ARM, __init_end_efi is between the two, but its sole use
is to fill SizeOfRawData in the PE Section Table, and doesn't require any
specific alignment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
Andrew Cooper [Thu, 9 Jun 2016 14:41:27 +0000 (15:41 +0100)]
arm/init: Move .init.proc.info into .init.data
Its contents is constant, and only requires pointer alignment, so move it
adacent to .init.setup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Julien Grall <julien.grall@arm.com>
Andrew Cooper [Mon, 8 Feb 2016 10:19:34 +0000 (10:19 +0000)]
xen/init: Annotate all command line parameter infrastructure as const
There is no reason for any of it to be modified. Additionally, link
.init.setup beside the other constant .init data.
While editing this area, correct the types used in the extern
declarations for __setup_start and __setup_end to match the types the
linker actually produces.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
Jan Beulich [Wed, 22 Jun 2016 10:00:44 +0000 (12:00 +0200)]
x86/vMSI-X: use generic intercept handler in place of MMIO one
This allows us to see the full ioreq without having to peek into state
which is supposedly private to the emulation framework.
Suggested-by: Paul Durrant <Paul.Durrant@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 22 Jun 2016 09:59:39 +0000 (11:59 +0200)]
x86/vMSI-X: drop list lock
msixtbl_pt_{,un}register() already run with both the PCI devices lock
and the domain event lock held, so there's no need for another lock.
Just to be on the safe side, acquire the domain event lock in the
cleanup function (albeit I don't think this is strictly necessary).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 22 Jun 2016 09:58:31 +0000 (11:58 +0200)]
x86/vMSI-X: defer intercept handler registration
There's no point in registering the internal MSI-X table intercept
functions on all domains - it is sufficient to do so once a domain gets
an MSI-X capable device assigned.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:21 +0000 (10:04 -0400)]
xen/xsm: remove .xsm_initcall.init section
Since FLASK is the only implementation of XSM hooks in Xen, using an
iterated initcall dispatch for setup is overly complex. Change this to
a direct function call to a globally visible function; if additional XSM
hooks are added in the future, a switching mechanism will be needed
regardless, and that can be placed in xsm_core.c.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:20 +0000 (10:04 -0400)]
flask: improve unknown permission handling
When an unknown domctl, sysctl, or other operation is encountered in the
FLASK security server, use the allow_unknown bit in the security policy
to decide if the permission should be allowed or denied. This allows
new operations to be tested without needing to immediately add security
checks; however, it is not flexible enough to avoid adding the actual
permission checks. An error message is printed to the hypervisor
console when this fallback is encountered.
This patch will allow operations that are not handled by the existing
hooks only if the policy was compiled with "checkpolicy -U allow". In
previous releases, this bit did nothing, and the default remains to deny
the unknown operations.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:19 +0000 (10:04 -0400)]
flask: remove xen_flask_userlist operation
This operation has no known users, and is primarily useful when an MLS
policy is in use (which has never been shipped with Xen). In addition,
the information it provides does not actually depend on hypervisor
state (only on the XSM policy), so an application that needs it could
compute the results without needing to involve the hypervisor.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:16 +0000 (10:04 -0400)]
flask: unify {get, set}vcpucontext permissions
These permissions were initially split because they were in separate
domctls, but this split is very unlikely to actually provide security
benefits: it would require a carefully contrived situation for a domain
to both need access to one type of CPU register and also need to be
prohibited from accessing another type.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:15 +0000 (10:04 -0400)]
flask/policy: remove unused example
The access vectors defined here have never been used by xenstore.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:14 +0000 (10:04 -0400)]
flask/policy: xenstore stubdom policy
This adds the xenstore_t type to the example policy for use by a
xenstore stub domain; see the init-xenstore-domain tool for how this
type needs to be used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:13 +0000 (10:04 -0400)]
flask/policy: remove unused support for binary modules
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:11 +0000 (10:04 -0400)]
flask/policy: split out rules for system_r
When the all_system_role module is enabled, any domain type can be
created using the system_r role, which was the default. When it is
disabled, domains not using the default types (dom0_t and domU_t) must
use another role such as vm_r.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:10 +0000 (10:04 -0400)]
flask/policy: split into modules
This makes it easier to enable or disable parts of the XSM policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Jan Beulich [Tue, 21 Jun 2016 10:06:58 +0000 (12:06 +0200)]
x86/HVM: use available linear->phys translations in REP MOVS/STOS handling
If we have the translation result available already, we should also use
it here. In my tests with Linux guests this eliminates all calls to
hvmemul_linear_to_phys() from the STOS path and most from the MOVS one.
Also record the translation for re-use at least during response
processing.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Jan Beulich [Tue, 21 Jun 2016 10:06:13 +0000 (12:06 +0200)]
x86: show remote CPU state upon fatal NMI or unknown MCE
Quite frequently the watchdog would hit an innocent CPU, e.g. one
trying to acquire a spin lock a remote CPU holds for extended periods
of time, or a random CPU in TSC calbration rendezvous. In such cases
the register and stack dump for that CPU doesn't really help in the
analysis of the problem.
To keep things reasonable on large systems, only log CS:RIP by default.
This can be overridden via a new command line option such that full
register/stack state would get logged.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 21 Jun 2016 10:05:09 +0000 (12:05 +0200)]
x86: drop (mostly) unused guest_lNe_get_paddr()
The very few remaining uses don't make their presence really necessary:
Simplify the two L2 ones, and open code the sole common code use.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: George Dunlap <george.dunlap@citrix.com>
Juergen Gross [Tue, 21 Jun 2016 10:03:02 +0000 (12:03 +0200)]
add update indicator to vcpu_runstate_info
There has been a report about incorrect vruntime accounting in Linux
guests under Xen. A Linux kernel with CONFIG_PARAVIRT_TIME_ACCOUNTING
set is capable to do correct vruntime accounting, but this would
require the kernel to be able to read the runstate data of other cpus.
A guest mapping vcpu_runstate_info into its memory can't read this
information from another cpu but the one the data is referring to.
Reason is there is no reliable way for the guest to detect a concurrent
data update by the hypervisor. In order to support reading another
vcpu's mapped vcpu_runstate_info an indicator for an occurring update
of the runstate information is needed.
Add the possibility to activate setting this indicator in the highest
bit of state_entry_time via a vm_assist hypercall. When activated the
update indicator will be set before the runstate information is
modified in guest memory and it will be reset after modification is
done. As state_entry_time is guaranteed to be different after each
update the guest can detect any update (either in progress or while
reading the runstate data) by comparing state_entry_time before and
after reading runstate data: in case the values differ or the update
indicator was set the data might be inconsistent and should be reread.
Juergen Gross [Tue, 21 Jun 2016 10:01:55 +0000 (12:01 +0200)]
arm: add support for vm_assist hypercall
Up to now the vm_assist hypercall hasn't been supported on ARM, as
there are only x86 specific features to switch. Add support of
vm_assist on ARM for future use.
Jan Beulich [Tue, 21 Jun 2016 10:01:18 +0000 (12:01 +0200)]
x86: also generate assembler usable equates for synthesized features
... to make it possible to base alternative instruction patching upon
such.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Dario Faggioli <dario.faggioli@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Razvan Cojocaru [Tue, 21 Jun 2016 09:59:37 +0000 (11:59 +0200)]
vm_event: allow subscribing to write events for specific MSR-s
Previously, subscribing to MSR write events was an all-or-none
approach, with special cases for introspection MSR-s. This patch
allows the vm_event consumer to specify exactly what MSR-s it is
interested in, and as a side-effect gets rid of the
vmx_introspection_force_enabled_msrs[] special case.
The patch also introduces arch_monitor_init_domain() and
arch_monitor_cleanup_domain(), to do monitor-specific work
(as opposed to the previous way of doing all the setup in
vm_event_init_domain() / vm_event_cleanup_domain()).
This replaces the previously posted "xen: Filter out MSR write
events" patch.
Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
arm/acpi: Add Server Base System Architecture UART support
The ARM Server Base System Architecture describes a generic UART
interface. It doesn't support clock control registers, modem
control, DMA and hardware flow control features. So, extend the
driver probe() to handle SBSA interface and skip the accessing
PL011 registers that are not described in SBSA document
(ARM-DEN-0029 Version 3.0, 6 APPENDIX B: GENERIC UART).
drivers/pl011: Use combination of UARTRIS and UARTMSC instead of UARTMIS
The Masked interrupt status register (UARTMIS) is not described in ARM
SBSA 2.x document. Anding of two registers UARTMSC and UARTRIS values
gives the same information as register UARTMIS.
UARTRIS, UARTMSC and UARTMIS definitions are found in PrimeCell UART
PL011 (Revision: r1p4).
- 3.3.10 Interrupt mask set/clear register, UARTIMSC
- 3.3.11 Raw interrupt status register, UARTRIS
- 3.3.12 Masked interrupt status register, UARTMIS
This change is necessary for driver to be SBSA compliant v2.x without
affecting the current driver functionality.
The default baud and clock_hz configuration parameters are hardcoded
(commit 60ff9444480995008caf) for Versatile Express. Other platforms,
these default values may not be valid and might cause problems by
programming registers IBRD and FBRD incorrectly.
So, removing driver logic that sets the baudrate to fix the problem.
The behavior is unchanged because the driver was already relying on
the boot firmware for setting the correct baudrate.
Jan Beulich [Fri, 17 Jun 2016 14:51:22 +0000 (16:51 +0200)]
hvmloader: limit CPUs exposed to guests
Various Linux versions allocate (partial) per-CPU data for all of them,
as there is no indication in MADT whether they're hotpluggable. That's
a little wasteful in terms of resource consumption especially for
- guests with not overly much memory assigned,
- 32-bit guests not having overly much address space available.
Therefore limit what we put into MADT to the "maxvcpus" value, and make
sure AML doesn't touch memory addresses corresponding to CPUs beyond
that value (we can't reasonably make the respective processor objects
disappear).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Fri, 17 Jun 2016 14:50:37 +0000 (16:50 +0200)]
x86/HVM: re-order operations in hvm_ud_intercept()
Don't fetch CS explicitly, leverage the fact that hvm_emulate_prepare()
already does (and that hvm_virtual_to_linear_addr() doesn't alter it).
At once increase the length passed to hvm_virtual_to_linear_addr() by
one: There definitely needs to be at least one more opcode byte, and we
can avoid missing a wraparound case this way.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Dario Faggioli [Fri, 17 Jun 2016 10:31:00 +0000 (12:31 +0200)]
xen: sched: use default scheduler upon an invalid "sched="
instead of just the first scheduler we find in the array.
In fact, right now, if someone makes a typo when passing
the "sched=" command line option to Xen, we (with all
schedulers configured in) pick ARINC653, which is most
likely not what one would expect.
Go for the default scheduler instead.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-By: Jonathan Creekmore <jonathan.creekmore@gmail.com>
[ 153s] cc1: warnings being treated as errors
[ 153s] xen-livepatch.c: In function 'main':
[ 153s] xen-livepatch.c:415:12: error: 'j' may be used uninitialized in this function
[ 153s] make[3]: *** [xen-livepatch.o] Error 1
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Wei Liu [Mon, 13 Jun 2016 07:49:08 +0000 (08:49 +0100)]
build: introduce XEN_RUN_STORED
It defaults to /var/run/xenstored. It will be used later to remove some
hard-coded paths in tree. There should be no visible change to default
configuration.
Install and remove it in respective Makefile targets.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
projects / xen.git / log