Andrew Cooper [Tue, 9 Jan 2024 20:51:18 +0000 (20:51 +0000)]
XSA-296: Don't rely on PV-L1TF side effects
When CONFIG_SHADOW_PAGING is compiled out, PV-L1TF defaults to domain_crash()
on vulnerable hardware. While this has technically demonstrated that Xen
isn't vulnerable to XSA-296, it's an unclean exit.
The pv64 case can already spot and correct the race condition, while the
pv32pae test is no different to running on non-L1TF vulnerable hardware
already.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 9 Jan 2024 11:59:14 +0000 (11:59 +0000)]
runner: Use virt caps to identify whether a test can run
Right now, --host filters a test selection using xen_caps to exclude full
environments. Furthermore, without passing --host, xtf-runner will try to
start a test even when we know it can't be constructed, leaving an xl error to
the user and reporting CRASH.
The virt capabilities are more fine grained, and include other information
such as the availability of hap and shadow paging.
Split run_test() out of run_tests() and use the test's required caps to short
circuit to SKIP.
Rework the existing --host filtering in terms of virt caps, which simplifies
the invocation of tests_from_selection().
This causes ~hap and ~shadow variation tests to SKIP rather than CRASH when
run on hardware without HAP (or with HAP disabled in firmware), or with Shadow
compiled out.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 5 Jan 2024 21:48:39 +0000 (21:48 +0000)]
runner: More extensive Python 3 universal_newline fixes
When pv32pae is disabled e.g. due to CET being active, under Python 3, we
still get:
Executing 'xl create -p tests/example/test-pv32pae-example.cfg'
b'Parsing config from tests/example/test-pv32pae-example.cfg\nlibxl: error: ...\n'
Error: Failed to create VM
out, rather than `xl create`'s stdout/stderr rendered nicely.
All subprocess invocations we make will want universal_newlines, so wrap the
functions to have it active by default, but still allow it to be explicitly
turned off by passing universal_newlines = None.
Reinstate the use of check_output() now that we've upped the minimum python
version to 2.7.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Anthony PERARD [Thu, 17 Aug 2023 10:51:11 +0000 (11:51 +0100)]
xtf-runner: python3 fix
issue:
File "/home/xtf/xtf-runner", line 410, in interpret_selection
if not line.startswith("xen_caps"):
^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: startswith first arg must be bytes or a tuple of bytes, not str
Adding `universal_newlines` open stdout as text file, so line should
be a `str`. `universal_newlines` is available on python 2.7. A new
alias `text` is only available in python 3.7.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 4 Jan 2023 23:19:26 +0000 (23:19 +0000)]
link: Move x86-ism out of the linker script
... in preparation to reuse it for all architectures. In order to keep
various parts of the linker script all together, use a multi-include file with
header and footer delineations.
While moving things, drop the alignment check for the two stacks. Neither
need page alignment architecturally.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 29 Sep 2022 10:04:51 +0000 (12:04 +0200)]
build: silence GNU ld 2.39 warning about executable stacks
While for C files the compiler is supposed to arrange for emitting
respective information, for assembly sources we're responsible ourselves.
For the new use of cc-option to work we cannot pass -S to the compiler
anymore. We need the compiler to actually invoke the assembler, so switch
to using -c.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 29 Sep 2022 10:04:28 +0000 (12:04 +0200)]
build: suppress GNU ld 2.39 warning about RWX load segments
We cannot really avoid such and we're also not really at risk because of
them, as we control page table permissions ourselves rather than relying
on a loader of some sort.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 31 May 2022 16:37:10 +0000 (17:37 +0100)]
build: Fix build with GCC 4.8.5
GCC 4.8.5 complains:
xtf/arch/x86/pv/traps.c: In function 'init_callbacks':
xtf/arch/x86/pv/traps.c:126:13: error: initializer element is not constant
.address = INIT_XEN_CALLBACK(__KERN_CS, _u(entry_EVTCHN)),
^
xtf/arch/x86/pv/traps.c:126:13: error: (near initialization for 'cb[0].address')
Drop the static const.
Reported-by: Samuel Verschelde <stormi-xcp@ylix.fr> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 29 Mar 2022 12:19:26 +0000 (13:19 +0100)]
build: Rename obj-perarch to obj-perbits
As part of adding ARM support, we'll want to have something else named arch in
the build system. obj-perbits is a better name anyway for what this actually
does.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Sat, 5 Feb 2022 17:28:16 +0000 (17:28 +0000)]
build: Make head.S invariant to link order
Introduce .text.head, ensure it is linked first, and use it in
{hvm,pv}/head.S. This removes the need for head-$(env).o to be linked first,
removing all head special casing in the build system.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Thu, 30 Sep 2021 06:52:30 +0000 (08:52 +0200)]
xsa-227: Fix link to XSA-227 web page
Current link is invalid and gives the following error:
"The requested URL was not found on this server."
Fix it.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
XSA-227 was first written before c/s 487bce87eda33 "Docs: Fix the generated
advisory links" but upstreamed later, hence the missing of the tree-wide
cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 17 Aug 2021 20:55:01 +0000 (21:55 +0100)]
common: Move {BITS,BYTES}_PER_LONG into limits.h
We're already using compiler-provided __*_TYPE__ macros, so instead of basing
BYTES_PER_LONG on __i386__ or __x86_64__, just use __SIZEOF_LONG__ directly.
This form doesn't require editing to add different architectures.
Add some build assertions that we have a half-way sane compile environment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 10 May 2021 17:03:09 +0000 (18:03 +0100)]
common: Make a weak default for arch_crash_hard()
arch_crash_hard() is used from common code, and in the most basic case can
just be an infinite loop. Both x86 PV and HVM keep their more specific
implementations.
Move the declaration from arch/traps.h to framework.h
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 1 Jul 2021 12:12:34 +0000 (13:12 +0100)]
build: Fix build when only python3 is available
The shebang lines in the python scrips - xtf-runner in particular - still need
work, but this at least fixes `make` on systems without `python` on $PATH.
Default to python3 in CI too.
Reported-by: Pranjal Singh <008pranjalsingh@gmail.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Pranjal Singh <008pranjalsingh@gmail.com>
Andrew Cooper [Wed, 19 May 2021 21:08:59 +0000 (22:08 +0100)]
Work around GCC issue 99578
GCC 11.1 objects to pointers derived from a constant:
error: '__builtin_memcpy' offset [0, 7] is out of the bounds [0, 0] [-Werror=array-bounds]
This is a GCC bug, but work around it rather than turning array-bounds
checking off generally.
Reported-by: Damien Thenot <damien.thenot@vates.fr> Reported-by: Christopher Clark <christopher.w.clark@gmail.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Christopher Clark <christopher.w.clark@gmail.com>
Andrew Cooper [Mon, 17 May 2021 09:48:57 +0000 (10:48 +0100)]
build: Fix build with binutils 2.36
Passing -no-pie to ld has never been correct, and binutils 2.36 now objects
properly to it. https://sourceware.org/bugzilla/show_bug.cgi?id=27050
When this workaround was introduced, we used $(CC) to link, but this was
adjusted back to $(LD) with c/s 8486a388e2 ("build: Use LD").
However, the adjustment should always have been passed to the compile step,
not the link step. Move the adjustment into COMMON_CFLAGS.
Fixes: c92015f8ab ("build: disable PIE during linking if necessary") Fixes: 8486a388e2 ("build: Use LD") Reported-by: Damien Thenot <damien.thenot@vates.fr> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Wed, 5 May 2021 06:34:16 +0000 (08:34 +0200)]
Fix issue with clang --target when cross compiling using LLVM
When using LLVM and cross compiling, the CC expands to:
clang --target=<target_triple>
Example of target triple: aarch64-linux-gnu.
However the current code assigning --target based on the
cross compiler does not work if we pass the full path to
CROSS_COMPILE. In this case the build fails.
Fix the issue so that when cross compiling using LLVM
only the basename of cross compiler path is used.
Closes #2
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
main.c:164:15: warning: Although the value stored to 'cr4' is used in the enclosing expression, the value is never actually read from 'cr4' [deadcode.DeadStores]
write_cr4(cr4 &= ~X86_CR4_DE);
^ ~~~~~~~~~~~
Rework all impacted logic avoid dead stores of this form.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 00:36:20 +0000 (01:36 +0100)]
gnttab: Fix scan-build core.CallAndMessage issues
scan-build complains:
arch/x86/grant_table.c:41:17: warning: 1st function call argument is an uninitialized value [core.CallAndMessage]
pte_from_gfn(gnttab_gfns[i], PF_SYM(AD, RW, P)), UVMF_INVLPG);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
because it can't observe that GNTTABOP_setup_table fills the variable on its
success path.
Initialising the array (which is currently one entry) isn't trivial because
the array is variadic. Drop the nr_frames variable and use the sizeof()
expression directly, to create compile-time constant size.
A similar issue is reported against xsa-255, but this is trivial to resolve.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 15:55:09 +0000 (16:55 +0100)]
Drop dependency on gcc-multilib
inttypes.h in particular isn't a freestanding header, and certain distros have
problems providing suitable freestanding headers anyway. This also gets more
complicated as we start supporting other architectures.
Take the plunge and switch to entirely local headers only.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 15 Apr 2021 17:05:05 +0000 (18:05 +0100)]
Fix LGTM static analysis issues
* xtf-runner: Class TestInstance implements __hash__ but does not define __eq__.
* mkinfo.py: Import of 'os' is not used.
LGTM also complains about gdt/idt/tss being global symbols with too-short
names. As they're the most appropriate architectural names, insert
suppression comments.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Wed, 10 Mar 2021 10:43:32 +0000 (11:43 +0100)]
xtf: Perform misc code cleanup
* Define macro ALIGN to set alignment. Header file asm_macros.h should not
contain architecture specific code. Replace hardcoded alignment value with
a call to macro ALIGN.
* Move declaration of shared_info into xtf/traps.h. Declaration of
shared_info structure should be placed in xtf/traps.h as it is a common
declaration for all the possible architectures.
* Do not protect including <arch/barrier.h>. We should always include
<arch/barrier.h> and rely on the compiler to throw an error. This would
avoid increasing #if protection each time we would add a new architecture.
Signed-off-by: Michal Orzel <michal.orzel@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
[Also implement HYPERCALL0 as it is frequently opencoded] Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 11 Nov 2020 12:57:45 +0000 (12:57 +0000)]
hypercall: Refine fix for Clang code generation bug
It was incorrect to switch "=a" to "+a" and set up hcall, as the hypercall
number is encoded in the offset within hypercall_page. Switch res back to
just an output.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 6 Nov 2020 18:53:39 +0000 (18:53 +0000)]
hypercall: Work around Clang code generation bug
_hypercall64_4() is mis-compiled by some versions of Clang (5 is ok, 9 and
later not), in a way which breaks the XSA-286 PoC.
Clang loses the association between argument 4 being in %r10 between the input
"a" (_a4) and the output "=&r" (__ign4), so while the input is handled
correctly, the clobber on the output is missed.
In the XSA-286, PoC, this causes clang to hoist the setting of DOMID_SELF out
of the loop, and the test subsequently to malfunction on debug versions of Xen
which intentionally clobber the hypercall parameters.
Rewrite the hypercall macros to a single "+r" parameter form, rather than dual
input/output form, which causes all tested versions of Clang to set up %r10 on
each loop iteration.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Wed, 23 Sep 2020 13:09:03 +0000 (14:09 +0100)]
Adjust XSA-221 PoC based on XSA-343 behaviour change
XSA-343 has made SCHEDOP_poll fail for un-established event channels, which is
reasonable behaviour. Don't bother trying to audit the error codes, and
always run to the end of the loop.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Fri, 5 Jun 2020 19:20:50 +0000 (20:20 +0100)]
Remove ambiguous uses of iret/lret
GAS of at least version 2.34 complains:
Warning: no instruction mnemonic suffix given and no register operands; using default for `lret'
This is legitimate, as without a suffix, there are up to 3 possible encodings
actually meant.
Use l/q suffixes as appropriate, using __ASM_SEL() in cases where we need to
conditionally select between the suffixes. Use the same trick to clean up
some code32/64 statements.
Sadly, this cannot be done for the single ambiguous use of lcall, because
lcallq isn't accepted as a valid mnemonic. Leave the XSA-298 PoC as it is.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
There are a number of ways to do this, but by far the most efficient way is to
have vsnprintf() expand \n's in the output buffer.
This however is non-standard behaviour for vsnprintf(). Rename it to
vsnprintf_internal() and take extra flags, and have vprintk() use the new
LF_TO_CRLF control flag.
Inside vsnprintf_internal(), rearrange the non-format and %c logic to share
the expansion logic, as well as extending the logic to fmt_string().
Extend the selftests to confirm correct behaviour in both modes, for all ways
of being able to pass newline characters into a format operation.
Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 4 Jun 2020 17:36:57 +0000 (18:36 +0100)]
Fix assembler type warnings with newer binutils
GAS of at least version 2.34 complains:
hypercall_page.S: Assembler messages:
hypercall_page.S:24: Warning: symbol 'HYPERCALL_set_trap_table' already has its type set
...
hypercall_page.S:71: Warning: symbol 'HYPERCALL_arch_7' already has its type set
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 27 Apr 2020 13:57:35 +0000 (14:57 +0100)]
xtf-runner: Python3 fix when not specifying --quiet
Andy reports:
Combined test results:
Traceback (most recent call last):
File "./xtf-runner", line 716, in <module>
sys.exit(main())
File "./xtf-runner", line 711, in main
return run_tests(opts)
File "./xtf-runner", line 559, in run_tests
if res == "SUCCESS" and opts.quiet >= 2:
TypeError: '>=' not supported between instances of 'NoneType' and 'int'
Reported-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Currently the xenbus_write() does not handle ring wrapping around
correctly. When ring buffer is almost full and there is not enough
space for next packet (e.g. there is 12 bytes of space left, but the
packet header needs to transmit 16 bytes) the memcpy() goes out of the
ring buffer boundry.
Instead, the part variable should be limited to the space available in
the ring buffer, so the memcpy() can fill up the buffer, update len
variable (to indicate that there is still some data to be copied) and
thereby the xenbus_write() loop can iterate again to finish copying
the remainder of data to the beginning of the ring buffer.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 17 Feb 2020 09:48:26 +0000 (09:48 +0000)]
Fix asm constraints for push/pop instructions
There are several issues with 64bit builds. Correct the types/constraints to
prohibit encoding 32bit registers, and immediates which can't be represented
as a 32bit signed extended number.
Introduce asm_checks() in selftest as a build-time check for constraint corner
cases, to be extended as needed.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
projects / xtf.git / log