Andrew Cooper [Thu, 8 Jun 2023 09:59:37 +0000 (10:59 +0100)]
tools/ocaml/xc: Fix xc_physinfo() bindings
The original change doesn't compile on ARM:
xenctrl_stubs.c: In function 'stub_xc_physinfo':
xenctrl_stubs.c:821:16: error: unused variable 'arch_cap_flags_tag' [-Werror=unused-variable]
821 | int r, arch_cap_flags_tag;
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
but it was buggy too.
First, it tried storing an int in a pointer slot, causing heap corruption.
Next, it is not legitimate to exclude arm32 in the toolstack as it explicitly
can operate an arm64 toolstack and build arm64 domains. That in turn means
that you can't stash a C uint32_t in an OCaml int.
Rewrite the arch_capabilities handling from scratch. Break it out into a
separate function, and make the construction of arch_physinfo_cap_flags common
to prevent other indirection bugs.
Reintroduce arm_physinfo_caps with the fields broken out.
Fixes: 56a7aaa16bfe ("tools: add physinfo arch_capabilities handling for Arm") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com>
Andrew Cooper [Fri, 9 Jun 2023 15:59:20 +0000 (16:59 +0100)]
CI: Add Ocaml to the alpine containers
This gets more coverage of optional parts of the build, and makes it easier to
trial Ocaml related changes in the smoke tests.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Juergen Gross [Tue, 30 May 2023 08:54:09 +0000 (10:54 +0200)]
tools/xenstore: remove stale TODO file
The TODO file is not really helpful any longer. It contains only
entries which no longer apply or it is unknown what they are meant
for ("Dynamic/supply nodes", "Remove assumption that rename doesn't
fail").
Juergen Gross [Tue, 30 May 2023 08:54:07 +0000 (10:54 +0200)]
tools/xenstore: make some write limit functions static
Some wrl_*() functions are only used in xenstored_domain.c, so make
them static. In order to avoid the need of forward declarations, move
the whole function block to the start of the file.
Juergen Gross [Tue, 30 May 2023 08:54:06 +0000 (10:54 +0200)]
tools/xenstore: rename hashtable_insert() and let it return 0 on success
Today hashtable_insert() returns 0 in case of an error. Change that to
let it return an errno value in the error case and 0 in case of success.
In order to avoid any missed return value checks or related future
backport errors, rename hashtable_insert() to hashtable_add().
Even if not used today, do the same switch for the return value of
hashtable_expand().
Juergen Gross [Tue, 30 May 2023 08:54:04 +0000 (10:54 +0200)]
tools/xenstore: do some cleanup of hashtable.c
Do the following cleanups:
- hashtable_count() isn't used at all, so remove it
- replace prime_table_length and max_load_factor with macros
- make hash() static
- add a loadlimit() helper function
- remove the /***/ lines between functions
- do some style corrections
Roger Pau Monne [Thu, 8 Jun 2023 09:59:39 +0000 (11:59 +0200)]
x86/hvm: print valid CR4 bits in case of error
Some of the current users of hvm_cr4_guest_valid_bits() don't print
the valid mask in case of error, and thus the resulting error messages
are not as helpful as they could be.
Amend callers to always print the value of hvm_cr4_guest_valid_bits()
together with the rejected bits in the checked value. Also take the
opportunity and adjust all the users to use the same print formatter.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 7 Jun 2023 09:27:35 +0000 (10:27 +0100)]
CI: Fix the github actions Coverity run
The Install step is failing with:
Package python-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
E: Package 'python-dev' has no installation candidate
is only available from another source
However the following packages replace it:
python2-dev python2 python-dev-is-python3
which is a side effect of ubuntu-latest having changed from 20.04 to 22.04.
Drop python-dev as python3-dev is already present, and used a fixed runs-on to
avoid such problems in the future.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Juergen Gross [Tue, 30 May 2023 08:24:24 +0000 (10:24 +0200)]
tools/xenstore: switch quota management to be table based
Instead of having individual quota variables switch to a table based
approach like the generic accounting. Include all the related data in
the same table and add accessor functions.
This enables to use the command line --quota parameter for setting all
possible quota values, keeping the previous parameters for
compatibility.
Juergen Gross [Tue, 30 May 2023 08:24:22 +0000 (10:24 +0200)]
tools/xenstore: use generic accounting for remaining quotas
The maxrequests, node size, number of node permissions, and path length
quota are a little bit special, as they are either active in
transactions only (maxrequests), or they are just per item instead of
count values. Nevertheless being able to know the maximum number of
those quota related values per domain would be beneficial, so add them
to the generic accounting.
The per domain value will never show current numbers other than zero,
but the maximum number seen can be gathered the same way as the number
of nodes during a transaction.
To be able to use the const qualifier for a new function switch
domain_is_unprivileged() to take a const pointer, too.
For printing the quota/max values, adapt the print format string to
the longest quota name (now 17 characters long).
Juergen Gross [Tue, 30 May 2023 08:24:21 +0000 (10:24 +0200)]
tools/xenstore: remember global and per domain max accounting values
Add saving the maximum values of the different accounting data seen
per domain and (for unprivileged domains) globally, and print those
values via the xenstore-control quota command. Add a sub-command for
resetting the global maximum values seen.
This should help for a decision how to set the related quotas.
Juergen Gross [Tue, 30 May 2023 08:24:16 +0000 (10:24 +0200)]
tools/xenstore: add current connection to domain_memory_add() parameters
In order to enable switching memory accounting to the generic array
based accounting, add the current connection to the parameters of
domain_memory_add().
This requires to add the connection to some other functions, too.
Juergen Gross [Tue, 30 May 2023 08:24:14 +0000 (10:24 +0200)]
tools/xenstore: add framework to commit accounting data on success only
Instead of modifying accounting data and undo those modifications in
case of an error during further processing, add a framework for
collecting the needed changes and commit them only when the whole
operation has succeeded.
This scheme can reuse large parts of the per transaction accounting.
The changed_domain handling can be reused, but the array size of the
accounting data should be possible to be different for both use cases.
Juergen Gross [Tue, 30 May 2023 08:24:12 +0000 (10:24 +0200)]
tools/xenstore: manage per-transaction domain accounting data in an array
In order to prepare keeping accounting data in an array instead of
using independent fields, switch the struct changed_domain accounting
data to that scheme, for now only using an array with one element.
In order to be able to extend this scheme add the needed indexing enum
to xenstored_domain.h.
Juergen Gross [Tue, 30 May 2023 08:24:11 +0000 (10:24 +0200)]
tools/xenstore: take transaction internal nodes into account for quota
The accounting for the number of nodes of a domain in an active
transaction is not working correctly, as it is checking the node quota
only against the number of nodes outside the transaction.
This can result in the transaction finally failing, as node quota is
checked at the end of the transaction again.
On the other hand even in a transaction deleting many nodes, new nodes
might not be creatable, in case the node quota was already reached at
the start of the transaction.
Luca Fancellu [Wed, 31 May 2023 07:24:10 +0000 (08:24 +0100)]
tools: add physinfo arch_capabilities handling for Arm
On Arm, the SVE vector length is encoded in arch_capabilities field
of struct xen_sysctl_physinfo, make use of this field in the tools
when building for arm.
Create header arm-arch-capabilities.h to handle the arch_capabilities
field of physinfo for Arm.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com> Acked-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Luca Fancellu [Wed, 31 May 2023 07:24:09 +0000 (08:24 +0100)]
xen/physinfo: encode Arm SVE vector length in arch_capabilities
When the arm platform supports SVE, advertise the feature in the
field arch_capabilities in struct xen_sysctl_physinfo by encoding
the SVE vector length in it.
Luca Fancellu [Wed, 31 May 2023 07:24:08 +0000 (08:24 +0100)]
xen: enable Dom0 to use SVE feature
Add a command line parameter to allow Dom0 the use of SVE resources,
the command line parameter sve=<integer>, sub argument of dom0=,
controls the feature on this domain and sets the maximum SVE vector
length for Dom0.
Add a new function, parse_signed_integer(), to parse an integer
command line argument.
Luca Fancellu [Wed, 31 May 2023 07:24:07 +0000 (08:24 +0100)]
xen/common: add dom0 xen command line argument for Arm
Currently x86 defines a Xen command line argument dom0=<list> where
there can be specified dom0 controlling sub-options, to use it also
on Arm, move the code that loops through the list of arguments from
x86 to the common code and from there, call architecture specific
functions to handle the comma separated sub-options.
Luca Fancellu [Wed, 31 May 2023 07:24:06 +0000 (08:24 +0100)]
arm/sve: save/restore SVE context switch
Save/restore context switch for SVE, allocate memory to contain
the Z0-31 registers whose length is maximum 2048 bits each and
FFR who can be maximum 256 bits, the allocated memory depends on
how many bits is the vector length for the domain and how many bits
are supported by the platform.
Save P0-15 whose length is maximum 256 bits each, in this case the
memory used is from the fpregs field in struct vfp_state,
because V0-31 are part of Z0-31 and this space would have been
unused for SVE domain otherwise.
Create zcr_el{1,2} fields in arch_vcpu, initialise zcr_el2 on vcpu
creation given the requested vector length and restore it on
context switch, save/restore ZCR_EL1 value as well.
List import macros from Linux in README.LinuxPrimitives.
Luca Fancellu [Wed, 31 May 2023 07:24:03 +0000 (08:24 +0100)]
xen/arm: add SVE vector length field to the domain
Add sve_vl field to arch_domain and xen_arch_domainconfig struct,
to allow the domain to have an information about the SVE feature
and the number of SVE register bits that are allowed for this
domain.
sve_vl field is the vector length in bits divided by 128, this
allows to use less space in the structures.
The field is used also to allow or forbid a domain to use SVE,
because a value equal to zero means the guest is not allowed to
use the feature.
Check that the requested vector length is lower or equal to the
platform supported vector length, otherwise fail on domain
creation.
Check that only 64 bit domains have SVE enabled, otherwise fail.
Luca Fancellu [Wed, 31 May 2023 07:24:02 +0000 (08:24 +0100)]
xen/arm: enable SVE extension for Xen
Enable Xen to handle the SVE extension, add code in cpufeature module
to handle ZCR SVE register, disable trapping SVE feature on system
boot only when SVE resources are accessed.
While there, correct coding style for the comment on coprocessor
trapping.
Now cptr_el2 is part of the domain context and it will be restored
on context switch, this is a preparation for saving the SVE context
which will be part of VFP operations, so restore it before the call
to save VFP registers.
To save an additional isb barrier, restore cptr_el2 before an
existing isb barrier and move the call for saving VFP context after
that barrier. To keep a (mostly) specularity of ctxt_switch_to()
and ctxt_switch_from(), move vfp_save_state() up in the function.
Change the KConfig entry to make ARM64_SVE symbol selectable, by
default it will be not selected.
Create sve module and sve_asm.S that contains assembly routines for
the SVE feature, this code is inspired from linux and it uses
instruction encoding to be compatible with compilers that does not
support SVE, imported instructions are documented in
README.LinuxPrimitives.
Add a feature to the diff-report.py script that improves the comparison
between two analysis report, one from a baseline codebase and the other
from the changes applied to the baseline.
The comparison between reports of different codebase is an issue because
entries in the baseline could have been moved in position due to addition
or deletion of unrelated lines or can disappear because of deletion of
the interested line, making the comparison between two revisions of the
code harder.
Having a baseline report, a report of the codebase with the changes
called "new report" and a git diff format file that describes the
changes happened to the code from the baseline, this feature can
understand which entries from the baseline report are deleted or shifted
in position due to changes to unrelated lines and can modify them as
they will appear in the "new report".
Having the "patched baseline" and the "new report", now it's simple
to make the diff between them and print only the entry that are new.
Luca Fancellu [Thu, 25 May 2023 08:33:59 +0000 (09:33 +0100)]
xen/misra: add diff-report.py tool
Add a new tool, diff-report.py that can be used to make diff between
reports generated by xen-analysis.py tool.
Currently this tool supports the Xen cppcheck text report format in
its operations.
The tool prints every finding that is in the report passed with -r
(check report) which is not in the report passed with -b (baseline).
x86/microcode: Add missing unlock in microcode_update_helper()
microcode_update_helper() may return early while holding
cpu_add_remove_lock, hence preventing any writers from taking it again.
Leave through the `put` label instead so it's properly released.
Fixes: 5ed12565aa32 ("microcode: rendezvous CPUs in NMI handler and load ucode") Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 5 Jun 2023 09:48:59 +0000 (10:48 +0100)]
xen: Fix incorrect taint constant
Insecure is the word being looked for here. Especially given the nature of
the sole caller, and the (correct) comment next to it.
Also update the taint marker from 'U' to 'I' for consistency; this isn't
expected to impact anyone in practice.
Fixes: 82c0d3d491cc ("xen: Add an unsecure Taint type") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Jan Beulich [Mon, 5 Jun 2023 14:54:30 +0000 (16:54 +0200)]
x86emul: AVX512-FP16 testing
Naming of some of the builtins isn't fully consistent with that of pre-
existing ones, so there's a need for a new BR2() wrapper macro.
With the tests providing some proof of proper functioning of the
emulator code also enable use of the feature by guests, as there's no
other infrastructure involved in enabling this ISA extension.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Henry Wang <Henry.Wang@arm.com> # CHANGELOG
Jan Beulich [Mon, 5 Jun 2023 13:02:39 +0000 (15:02 +0200)]
build: use $(dot-target)
While slightly longer, I agree with Andrew that using it helps
readability. Where touching them anyway, also wrap some overly long
lines.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
These are easiest in that they have same-size source and destination
vectors, yet they're different from other conversion insns in that they
use opcodes which have different meaning in the 0F encoding space
({,V}H{ADD,SUB}P{S,D}), hence requiring a little bit of overriding.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:58:25 +0000 (14:58 +0200)]
x86emul: handle AVX512-FP16 Map6 misc insns
While, as before, this leverages that the Map6 encoding space is a very
sparse clone of the "0f38" one, switch around the simd_size overriding
for opcode 2D. This way fewer separate overrides are needed.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:57:47 +0000 (14:57 +0200)]
x86emul: handle AVX512-FP16 fma-like insns
The Map6 encoding space is a very sparse clone of the "0f38" one. Once
again re-use that table, as the entries corresponding to invalid opcodes
in Map6 are simply benign with simd_size forced to other than simd_none
(preventing undue memory reads in SrcMem handling early in
x86_emulate()).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:56:25 +0000 (14:56 +0200)]
x86emul: handle AVX512-FP16 Map5 arithmetic insns
This encoding space is a very sparse clone of the "twobyte" one. Re-use
that table, as the entries corresponding to invalid opcodes in Map5 are
simply benign with simd_size forced to other than simd_none (preventing
undue memory reads in SrcMem handling early in x86_emulate()).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:55:07 +0000 (14:55 +0200)]
x86emul: handle AVX512-FP16 insns encoded in 0f3a opcode map
In order to re-use (also in subsequent patches) existing code and tables
as much as possible, simply introduce a new boolean field in emulator
state indicating whether an insn is one with a half-precision source.
Everything else then follows "naturally".
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 5 Jun 2023 12:53:54 +0000 (14:53 +0200)]
x86emul: rework compiler probing in the test harness
Checking for what $(SIMD) contains was initially right, but already the
addition of $(FMA) wasn't. Later categories (correctly) weren't added.
Instead what is of interest is anything the main harness source file
uses outside of suitable #if and without resorting to .byte, as that's
the one file (containing actual tests) which has to succeed in building.
The auxiliary binary blobs we utilize may fail to build; the resulting
empty blobs are recognized and reported as "n/a" when the harness is
run.
Note that strictly speaking we'd need to probe the assembler. We assume
that a compiler knowing of a certain ISA extension is backed by an
equally capable assembler.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 1 Jun 2023 14:26:02 +0000 (15:26 +0100)]
x86/ucode: Exit early from early_update_cache() if loading not available
If for any reason early_microcode_init() concludes that no microcode loading
is available, early_update_cache() will fall over a NULL function pointer:
which is actually parse_blob()'s use of ucode_ops.collect_cpu_info.
Skip trying to cache anything if microcode loading is unavailable.
Fixes: dc380df12acf ("x86/ucode: load microcode earlier on boot CPU") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 31 May 2023 15:26:56 +0000 (16:26 +0100)]
xen/cpu-policy: Add an IBRS -> AUTO_IBRS dependency
AUTO_IBRS is an extention over regular (AMD) IBRS, and needs hiding if IBRS is
levelled out for any reason.
Fixes: defaf651631a ("x86/hvm: Expose Automatic IBRS to guests") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Olaf Hering [Wed, 31 May 2023 16:06:56 +0000 (17:06 +0100)]
xentrace: remove return value from monitor_tbufs
The program is structured so that fatal errors cause exit() to be
called directly, rather than being passed up the stack; returning a
value here may mislead people into believing otherwise.
Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: George Dunlap <george.dunlap@cloud.com>
Jan Beulich [Wed, 31 May 2023 14:04:30 +0000 (16:04 +0200)]
vPCI: fix test harness build
The earlier commit introduced two uses of is_hardware_domain().
Fixes: 465217b0f872 ("vPCI: account for hidden devices") Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Wed, 31 May 2023 10:01:11 +0000 (12:01 +0200)]
vPCI: account for hidden devices
Hidden devices (e.g. an add-in PCI serial card used for Xen's serial
console) are associated with DomXEN, not Dom0. This means that while
looking for overlapping BARs such devices cannot be found on Dom0's list
of devices; DomXEN's list also needs to be scanned.
Suppress vPCI init altogether for r/o devices (which constitute a subset
of hidden ones).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org>
In xen/include/public/io/9pfs.h the name of the Xenstore backend node
"security-model" should be "security_model", as this is how the Xen
tools are creating it and qemu is reading it.
Fixes: ad58142e73a9 ("xen/public: move xenstore related doc into 9pfs.h") Fixes: cf1d2d22fdfd ("docs/misc: Xen transport for 9pfs") Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jason Andryuk <jandryuk@gmail.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Oleksii Kurochko [Wed, 31 May 2023 09:59:53 +0000 (11:59 +0200)]
xen/riscv: align __bss_start
bss clear cycle requires proper alignment of __bss_start.
ALIGN(PAGE_SIZE) before "*(.bss.page_aligned)" in xen.lds.S
was removed as any contribution to "*(.bss.page_aligned)" have to
specify proper aligntment themselves.
Fixes: cfa0409f7cbb ("xen/riscv: initialize .bss section") Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Bobby Eshleman <bobbyeshleman@gmail.com>
Oleksii Kurochko [Wed, 31 May 2023 09:55:58 +0000 (11:55 +0200)]
xen/riscv: introduce setup_initial_pages
The idea was taken from xvisor but the following changes
were done:
* Use only a minimal part of the code enough to enable MMU
* rename {_}setup_initial_pagetables functions
* add an argument for setup_initial_mapping to have
an opportunity to make set PTE flags.
* update setup_initial_pagetables function to map sections
with correct PTE flags.
* Rewrite enable_mmu() to C.
* map linker addresses range to load addresses range without
1:1 mapping. It will be 1:1 only in case when
load_start_addr is equal to linker_start_addr.
* add safety checks such as:
* Xen size is less than page size
* linker addresses range doesn't overlap load addresses
range
* Rework macros {THIRD,SECOND,FIRST,ZEROETH}_{SHIFT,MASK}
* change PTE_LEAF_DEFAULT to RW instead of RWX.
* Remove phys_offset as it is not used now
* Remove alignment of {map, pa}_start &= XEN_PT_LEVEL_MAP_MASK(0);
in setup_inital_mapping() as they should be already aligned.
Make a check that {map_pa}_start are aligned.
* Remove clear_pagetables() as initial pagetables will be
zeroed during bss initialization
* Remove __attribute__((section(".entry")) for setup_initial_pagetables()
as there is no such section in xen.lds.S
* Update the argument of pte_is_valid() to "const pte_t *p"
* Add check that Xen's load address is aligned at 4k boundary
* Refactor setup_initial_pagetables() so it is mapping linker
address range to load address range. After setup needed
permissions for specific section ( such as .text, .rodata, etc )
otherwise RW permission will be set by default.
* Add function to check that requested SATP_MODE is supported
Origin: git@github.com:xvisor/xvisor.git 9be2fdd7 Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Bobby Eshleman <bobbyeshleman@gmail.com>
Andrew Cooper [Tue, 30 May 2023 15:03:16 +0000 (16:03 +0100)]
x86/spec-ctrl: Update hardware hints
* Rename IBRS_ALL to EIBRS. EIBRS is the term that everyone knows, and this
makes ARCH_CAPS_EIBRS match the X86_FEATURE_EIBRS form.
* Print RRSBA too, which is also a hint about behaviour.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
This is an AMD feature to reduce the IBRS handling overhead. Once enabled,
processes running at CPL=0 are automatically IBRS-protected even if
SPEC_CTRL.IBRS is not set. Furthermore, the RAS/RSB is cleared on VMEXIT.
The feature is exposed in CPUID and toggled in EFER.
Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 30 May 2023 10:00:34 +0000 (12:00 +0200)]
x86/vPIC: register only one ELCR handler instance
There's no point consuming two port-I/O slots. Even less so considering
that some real hardware permits both ports to be accessed in one go,
emulating of which requires there to be only a single instance.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Simplify the declarations by getting rid of the macro (and thus the
__aligned/__section/__used attributes) in the header. No functional change
intended as the macro/attributes are present in the respective definitions in
xen/arch/arm/mm.c.
Fixes: 1c78d76b67e1 ("xen/arm64: mm: Introduce helpers to prepare/enable/disable the identity mapping") Signed-off-by: Stewart Hildebrand <stewart.hildebrand@amd.com> Acked-by: Julien Grall <jgrall@amazon.com>
Cyril Rébert [Tue, 30 May 2023 09:57:42 +0000 (11:57 +0200)]
tools/xenstore: remove deprecated parameter from xenstore commands help
Completing commit c65687e ("tools/xenstore: remove socket-only option from xenstore client").
As the socket-only option (-s) has been removed from the Xenstore access commands (xenstore-*),
also remove the parameter from the commands help (xenstore-* -h).
Luca Fancellu [Tue, 30 May 2023 09:57:02 +0000 (11:57 +0200)]
xen/misra: xen-analysis.py: Fix latent bug
Currenly there is a latent bug that is not triggered because
the function cppcheck_merge_txt_fragments is called with the
parameter strip_paths having a list of only one element.
The bug is that the split function should not be in the
loop for strip_paths, but one level before, fix it.
Jan Beulich [Tue, 30 May 2023 09:54:55 +0000 (11:54 +0200)]
VMX/cpu-policy: check availability of RDTSCP and INVPCID
Both have separate enable bits, which are optional. While on real
hardware we can perhaps expect these VMX controls to be available if
(and only if) the base CPU feature is available, when running
virtualized ourselves this may not be the case.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
xen: dt: Replace u64 with uint64_t as the callback function parameters for dt_for_each_range()
In the callback functions invoked by dt_for_each_range() ie handle_pci_range(),
map_range_to_domain(), 'u64' should be replaced with 'uint64_t' as the data type
for the parameters. The reason being Xen coding style mentions that u32/u64
should be avoided.
Also dt_for_each_range() invokes the callback functions with 'uint64_t'
arguments. Thus, is_bar_valid() needs to change the parameter types accordingly.
xen/arm: domain_build: Check if the address fits the range of physical address
handle_pci_range() and map_range_to_domain() take addr and len as uint64_t
parameters. Then frame numbers are obtained from addr and len by right shifting
with PAGE_SHIFT. The frame numbers are expressed using unsigned long.
Now if 64-bit >> PAGE_SHIFT, the result will have 52-bits as valid. On a 32-bit
system, 'unsigned long' is 32-bits. Thus, there is a potential loss of value
when the result is stored as 'unsigned long'.
To mitigate this issue, we check if the starting and end address can be
contained within the range of physical address supported on the system. If not,
then an appropriate error is returned.
xen/arm: smmu: Use writeq_relaxed_non_atomic() for writing to SMMU_CBn_TTBR0
Refer ARM IHI 0062D.c ID070116 (SMMU 2.0 spec), 17-360, 17.3.9,
SMMU_CBn_TTBR0 is a 64 bit register. Thus, one can use
writeq_relaxed_non_atomic() to write to it instead of invoking
writel_relaxed() twice for lower half and upper half of the register.
This also helps us as p2maddr is 'paddr_t' (which may be u32 in future).
Thus, one can assign p2maddr to a 64 bit register and do the bit
manipulations on it, to generate the value for SMMU_CBn_TTBR0.
xen/arm: Introduce a wrapper for dt_device_get_address() to handle paddr_t
dt_device_get_address() can accept uint64_t only for address and size.
However, the address/size denotes physical addresses. Thus, they should
be represented by 'paddr_t'.
Consequently, we introduce a wrapper for dt_device_get_address() ie
dt_device_get_paddr() which accepts address/size as paddr_t and inturn
invokes dt_device_get_address() after converting address/size to
uint64_t.
The reason for introducing this is that in future 'paddr_t' may not
always be 64-bit. Thus, we need an explicit wrapper to do the type
conversion and return an error in case of truncation.
With this, callers can now invoke dt_device_get_paddr(). However, ns16550.c
is left unchanged as it requires some prior cleanup. For details, see
https://patchew.org/Xen/20230413173735.48387-1-ayan.kumar.halder@amd.com.
This will be addressed in a subsequent series.
The DT functions (dt_read_number(), device_tree_get_reg(), fdt_get_mem_rsv())
currently accept or return 64-bit values.
In future when we support 32-bit physical address, these DT functions are
expected to accept/return 32-bit or 64-bit values (depending on the width of
physical address). Also, we wish to detect if any truncation has occurred
(i.e. while parsing 32-bit physical addresses from 64-bit values read from DT).
device_tree_get_reg() should now be able to return paddr_t. This is invoked by
various callers to get DT address and size.
For fdt_get_mem_rsv(), we have introduced a wrapper named
fdt_get_mem_rsv_paddr() which will invoke fdt_get_mem_rsv() and translate
uint64_t to paddr_t. The reason being we cannot modify fdt_get_mem_rsv() as it
has been imported from external source.
For dt_read_number(), we have also introduced a wrapper named dt_read_paddr()
dt_read_paddr() to read physical addresses. We chose not to modify the original
function as it is used in places where it needs to specifically read 64-bit
values from dt (For e.g. dt_property_read_u64()).
Xen prints warning when it detects truncation in cases where it is not able to
return error.
Also, replaced u32/u64 with uint32_t/uint64_t in the functions touched
by the code changes.
xen/arm: domain_build: Track unallocated pages using the frame number
rangeset_{xxx}_range() functions are invoked with 'start' and 'size' as
arguments which are either 'uint64_t' or 'paddr_t'. However, the function
accepts 'unsigned long' for 'start' and 'size'. 'unsigned long' is 32 bits for
Arm32. Thus, there is an implicit downcasting from 'uint64_t'/'paddr_t' to
'unsigned long' when invoking rangeset_{xxx}_range().
So, it may seem there is a possibility of lose of data due to truncation.
In reality, 'start' and 'size' are always page aligned. And Arm32 currently
supports 40 bits as the width of physical address.
So if the addresses are page aligned, the last 12 bits contain zeroes.
Thus, we could instead pass page frame number which will contain 28 bits (40-12
on Arm32) and this can be represented using 'unsigned long'.
On Arm64, this change will not induce any adverse side effect as the max
supported width of physical address is 48 bits. Thus, the width of 'gfn'
(ie 48 - 12 = 36) can be represented using 'unsigned long' (which is 64 bits
wide).
Roger Pau Monné [Fri, 26 May 2023 07:18:37 +0000 (09:18 +0200)]
vpci/header: cope with devices not having vpci allocated
When traversing the list of pci devices assigned to a domain cope with
some of them not having the vpci struct allocated. It should be
possible for the hardware domain to have read-only devices assigned
that are not handled by vPCI, such support will be added by further
patches.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Anthony PERARD [Fri, 26 May 2023 07:17:46 +0000 (09:17 +0200)]
build: use $(filechk, ) for all compat/.xlat/%.lst
Making use of filechk means that we don't have to use
$(move-if-changed,). It also means that will have sometimes "UPD .." in
the build output when the target changed, rather than having "GEN ..."
all the time when "xlat.lst" happen to have a more recent modification
timestamp.
While there, replace `grep -v` by `sed '//d'` to avoid an extra
fork and pipe when building.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> Tested-by: Luca Fancellu <luca.fancellu@arm.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Fri, 26 May 2023 07:16:44 +0000 (09:16 +0200)]
x86/shadow: restrict OOS allocation to when it's really needed
PV domains won't use it, and even HVM ones won't when OOS is turned off
for them. There's therefore no point in putting extra pressure on the
(limited) pool of memory.
While there also zap the sh_type_to_size[] entry when OOS is disabled
altogether.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Yann Dirson [Fri, 26 May 2023 07:15:39 +0000 (09:15 +0200)]
docs: fix complex-and-wrong xenstore-path wording
"0 or 1 ... to indicate whether it is capable or incapable, respectively"
is luckily just swapped words. Making this shorter will
make the reading easier.
Jan Beulich [Fri, 26 May 2023 07:15:18 +0000 (09:15 +0200)]
build: shorten macro references
Presumably by copy-and-paste we've accumulated a number of instances of
$(@D)/$(@F), which really is nothing else than $@. The split form only
needs using when we want to e.g. insert a leading . at the beginning of
the file name portion of the full name.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Acked-by: Alistair Francis <alistair.francis@wdc.com>
projects / people / aperard / xen-unstable.git / log