xenbits.xensource.com Git - xen.git/log
20 months ago vm_event: rework inclusions to use arch-indipendent header
Nicola Vetrini [Tue, 22 Aug 2023 06:53:24 +0000 (08:53 +0200)]
vm_event: rework inclusions to use arch-indipendent header

The arch-specific header <asm/vm_event.h> should be included by the
common header <xen/vm_event.h>, so that the latter can be included
in the source files.

This also resolves violations of MISRA C:2012 Rule 8.4 that were
caused by declarations for
'vm_event_{fill_regs,set_registers,monitor_next_interrupt}'
in <asm/vm_event.h> not being visible when
defining functions in 'xen/arch/x86/vm_event.c'

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
20 months ago mem-sharing: move (x86) / drop (Arm) arch_dump_shared_mem_info()
Jan Beulich [Tue, 22 Aug 2023 06:52:49 +0000 (08:52 +0200)]
mem-sharing: move (x86) / drop (Arm) arch_dump_shared_mem_info()

When !MEM_SHARING no useful output is produced. Move the function into
mm/mem_sharing.c while conditionalizing the call to it, thus allowing to
drop it altogether from Arm (and eliminating the need to introduce stubs
on PPC and RISC-V).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> #arm
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
20 months ago x86/hpet: Disable legacy replacement mode after IRQ test
Simon Gaiser [Tue, 22 Aug 2023 06:51:38 +0000 (08:51 +0200)]
x86/hpet: Disable legacy replacement mode after IRQ test

As far as I understand the HPET legacy mode is not required after the
timer IRQ test. For previous discussion see [1] and [2]. Keeping it
enabled prevents reaching deeper C-states on some systems and thereby
also S0ix residency. So disable it after the timer IRQ test worked. Note
that this code path is only reached when opt_hpet_legacy_replacement < 0,
so explicit user choice is still honored.

Link: https://lore.kernel.org/xen-devel/cb408368-077d-edb5-b4ad-f80086db48c1@invisiblethingslab.com/
Link: https://lore.kernel.org/xen-devel/20230718122603.2002-1-simon@invisiblethingslab.com/
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
20 months ago xen/arm64: prepare for moving MMU related code from head.S
Wei Chen [Mon, 14 Aug 2023 04:25:26 +0000 (12:25 +0800)]
xen/arm64: prepare for moving MMU related code from head.S

We want to reuse head.S for MPU systems, but there is some
code that is implemented for MMU systems only. We will move such
code to another MMU specific file. But before that we will
do some indentation fixes in this patch to make them easier
to review:
1. Fix the indentations and incorrect style of code comments.
2. Fix the indentations for .text.header section.
3. Rename puts() to asm_puts() for global export

Signed-off-by: Wei Chen <wei.chen@arm.com>
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago xen/public: arch-arm: All PSR_* defines should be unsigned
Julien Grall [Mon, 21 Aug 2023 17:02:05 +0000 (18:02 +0100)]
xen/public: arch-arm: All PSR_* defines should be unsigned

The defines PSR_* are fields in registers and always unsigned. So
add 'U' to clarify.

This should help with MISRA Rule 7.2.

Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Tested-by: Henry Wang <Henry.Wang@arm.com>
20 months ago xen/arm: vgic: Use 'unsigned int' rather than 'int' whenever it is possible
Julien Grall [Mon, 21 Aug 2023 17:01:09 +0000 (18:01 +0100)]
xen/arm: vgic: Use 'unsigned int' rather than 'int' whenever it is possible

Switch to unsigned int for the return/parameters of the following
functions:
    * REG_RANK_NR(): 'b' (number of bits) and the return is always positive.
      'n' doesn't need to be size specific.
    * vgic_rank_offset(): 'b' (number of bits), 'n' (register index),
      's' (size of the access) are always positive.
    * vgic_{enable, disable}_irqs(): 'n' (rank index) is always positive
    * vgic_get_virq_type(): 'n' (rank index) and 'index' (register
      index) are always positive.
    * vgic_get_rank(): 'rank' is an index and therefore always positive.

Take the opportunity to propagate the unsignedness to the local
variable used for the arguments.

This will remove some of the warnings reported by GCC 12.2.1 when
passing the flags -Wsign-conversion/-Wconversion.

Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Tested-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
20 months ago xen/arm: vmmio: The number of entries cannot be negative
Julien Grall [Mon, 21 Aug 2023 16:57:07 +0000 (17:57 +0100)]
xen/arm: vmmio: The number of entries cannot be negative

The number of virtual MMIO regions cannot be negative. So switch
the field 'num_entries' and 'max_num_entries' to 'unsigned int'.

The new type is then propagated to the caller and the vGIC
code.

Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Tested-by: Henry Wang <Henry.Wang@arm.com>
20 months ago misra: add more entires to exclude-list.json
Federico Serafini [Thu, 17 Aug 2023 09:55:42 +0000 (11:55 +0200)]
misra: add more entires to exclude-list.json

Add entries to the exclude-list.json for those files that need to be
excluded from the analysis scan.

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
20 months ago automation/eclair: update configuration
Federico Serafini [Thu, 17 Aug 2023 09:42:55 +0000 (11:42 +0200)]
automation/eclair: update configuration

Mark more files as "adopted" and configure Rule 8.3 in order to:
- exclude violations involving the type ret_t;
- exclude violations involving both an internal and an external file,
  thus avoiding touching adopted code.

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
20 months ago x86/svm: Fix valid condition in svm_get_pending_event()
Jinoh Kang [Fri, 18 Aug 2023 16:03:35 +0000 (01:03 +0900)]
x86/svm: Fix valid condition in svm_get_pending_event()

Fixes: 9864841914c2 ("x86/vm_event: add support for VM_EVENT_REASON_INTERRUPT")
Signed-off-by: Jinoh Kang <jinoh.kang.kr@gmail.com>
20 months ago docs/coverage: Drop warning about 2M limit for ARM
Andrew Cooper [Tue, 15 Aug 2023 16:10:56 +0000 (17:10 +0100)]
docs/coverage: Drop warning about 2M limit for ARM

This issue has been addressed in c/s abb1522832bb ("xen/arm: Allow the user to
build Xen with UBSAN")

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Acked-by: Julien Grall <jgrall@amazon.com>
20 months ago rombios: Remove the use of egrep
Andrew Cooper [Fri, 18 Aug 2023 10:05:00 +0000 (11:05 +0100)]
rombios: Remove the use of egrep

As the Alpine 3.18 container notes:

  egrep: warning: egrep is obsolescent; using grep -E

Adjust it.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago rombios: Avoid using K&R function syntax
Andrew Cooper [Fri, 18 Aug 2023 09:47:46 +0000 (10:47 +0100)]
rombios: Avoid using K&R function syntax

Clang-15 complains:

  tcgbios.c:598:25: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
  void tcpa_calling_int19h()
                          ^
                           void

C2x formally removes K&R syntax.  The declarations for these functions in
32bitprotos.h are already ANSI compatible.  Update the definitions to match.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago rombios: Work around GCC issue 99578
Andrew Cooper [Thu, 17 Aug 2023 20:32:53 +0000 (21:32 +0100)]
rombios: Work around GCC issue 99578

GCC 12 objects to pointers derived from a constant:

  util.c: In function 'find_rsdp':
  util.c:429:16: error: array subscript 0 is outside array bounds of 'uint16_t[0]' {aka 'short unsigned int[]'} [-Werror=array-bounds]
    429 |     ebda_seg = *(uint16_t *)ADDR_FROM_SEG_OFF(0x40, 0xe);
  cc1: all warnings being treated as errors

This is a GCC bug, but work around it rather than turning array-bounds
checking off generally.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago x86emul: rework wrapping of libc functions in test and fuzzing harnesses
Jan Beulich [Fri, 18 Aug 2023 13:04:28 +0000 (15:04 +0200)]
x86emul: rework wrapping of libc functions in test and fuzzing harnesses

Our present approach is working fully behind the compiler's back. This
was found to not work with LTO. Employ ld's --wrap= option instead. Note
that while this makes the build work at least with new enough gcc (it
doesn't with gcc7, for example, due to tool chain side issues afaict),
according to my testing things still won't work when building the
fuzzing harness with afl-cc: While with the gcc7 tool chain I see afl-as
getting invoked, this does not happen with gcc13. Yet without using that
assembler wrapper the resulting binary will look uninstrumented to
afl-fuzz.

While checking the resulting binaries I noticed that we've gained uses
of snprintf() and strstr(), which only just so happen to not cause any
problems. Add wrappers for them as well.

Since we don't have any actual uses of v{,sn}printf(), no definitions of
their wrappers appear (just yet). But I think we want
__wrap_{,sn}printf() to properly use __real_v{,sn}printf() right away,
which means we need declarations of the latter.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
20 months ago tools/config: add XEN_RUN_STORED to config.h
Juergen Gross [Mon, 14 Aug 2023 07:47:06 +0000 (09:47 +0200)]
tools/config: add XEN_RUN_STORED to config.h

Instead of adding the definition of XEN_RUN_STORED to CFLAGS in
multiple Makefiles, let configure add it to tools/config.h instead.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
20 months ago tools/xenstore: introduce get_node_const()
Juergen Gross [Mon, 14 Aug 2023 07:47:05 +0000 (09:47 +0200)]
tools/xenstore: introduce get_node_const()

Add a variant of get_node() returning a const struct node pointer.

Note that all callers of this new variant don't supply a pointer where
to store the canonical node name, while all callers needing a non-const
node do supply this pointer. This results in an asymmetric
simplification of the two variants.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: rework get_node()
Juergen Gross [Mon, 14 Aug 2023 07:47:04 +0000 (09:47 +0200)]
tools/xenstore: rework get_node()

Today get_node_canonicalized() is the only caller of get_node().

In order to prepare introducing a get_node() variant returning a
pointer to const struct node, do the following restructuring:

- move the call of read_node() from get_node() into
  get_node_canonicalized()

- rename get_node() to get_node_chk_perm()

- rename get_node_canonicalized() to get_node()

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: merge is_valid_nodename() into canonicalize()
Juergen Gross [Mon, 14 Aug 2023 07:47:03 +0000 (09:47 +0200)]
tools/xenstore: merge is_valid_nodename() into canonicalize()

Today is_valid_nodename() is always called directly after calling
canonicalize(), with the exception of do_unwatch(), where the call
is missing (which is not correct, but results just in a wrong error
reason being returned).

Merge is_valid_nodename() into canonicalize().

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: merge get_spec_node() into get_node_canonicalized()
Juergen Gross [Mon, 14 Aug 2023 07:47:02 +0000 (09:47 +0200)]
tools/xenstore: merge get_spec_node() into get_node_canonicalized()

Add a "allow_special" parameter to get_node_canonicalized() allowing
to merge get_spec_node() into get_node_canonicalized().

Add the same parameter to is_valid_nodename(), as this will simplify
check_watch_path().

This is done in preparation to introducing a get_node() variant
returning a pointer to const struct node.

Note that this will change how special node names are going to be
validated, as now the normal restrictions for node names will be
applied:

- they can't end with "/"
- they can't contain "//"
- they can't contain characters other than the ones allowed for normal
  nodes
- the length of the node name is restricted by the max path length
  quota

For defined special node names this isn't any real restriction, though.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: introduce read_node_const()
Juergen Gross [Mon, 14 Aug 2023 07:47:01 +0000 (09:47 +0200)]
tools/xenstore: introduce read_node_const()

Introduce a read_node() variant returning a pointer to const struct
node, which doesn't do a copy of the node data after retrieval from
the data base.

Call this variant where appropriate.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: alloc new memory in domain_adjust_node_perms()
Juergen Gross [Mon, 14 Aug 2023 07:47:00 +0000 (09:47 +0200)]
tools/xenstore: alloc new memory in domain_adjust_node_perms()

In order to avoid modifying the node data in the data base in case a
domain is gone, let domain_adjust_node_perms() allocate new memory for
the permissions in case they need to be modified. As this should
happen only in very rare cases, it is fine to do this even when having
copied the node data already.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: use struct node_hdr in struct node
Juergen Gross [Mon, 14 Aug 2023 07:46:59 +0000 (09:46 +0200)]
tools/xenstore: use struct node_hdr in struct node

Replace some individual fields in struct node with struct node_hdr.

This allows to add a helper for calculating the accounted memory size
of a node.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: don't use struct node_perms in struct node
Juergen Gross [Mon, 14 Aug 2023 07:46:58 +0000 (09:46 +0200)]
tools/xenstore: don't use struct node_perms in struct node

Open code struct node_perms in struct node in order to prepare using
struct node_hdr in struct node.

Add two helpers to transfer permissions between struct node and struct
node_perms and a helper to directly get connection base permissions
from a node.

Let perms_to_strings() take a struct node as parameter and rename it
to node_perms_to_strings().

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: rework struct xs_tdb_record_hdr
Juergen Gross [Mon, 14 Aug 2023 07:46:57 +0000 (09:46 +0200)]
tools/xenstore: rework struct xs_tdb_record_hdr

Struct xs_tdb_record_hdr is used for nodes stored in the data base.
When working on a node, struct node is being used, which is including
the same information as struct xs_tdb_record_hdr, but in a different
format. Rework struct xs_tdb_record_hdr in order to prepare including
it in struct node.

Do the following modifications:

- move its definition to xenstored_core.h, as the reasons to put it into
  utils.h no longer exist

- rename it to struct node_hdr, as the "tdb" in its name has only
  historical reasons

- replace the empty permission array at the end with a comment about
  the layout of data in the data base (concatenation of header,
  permissions, node contents, and children list)

- use narrower types for num_perms and datalen, as those are naturally
  limited to XENSTORE_PAYLOAD_MAX (childlen is different here, as it is
  in theory basically unlimited)

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: move copying of node data out of db_fetch()
Juergen Gross [Mon, 14 Aug 2023 07:46:56 +0000 (09:46 +0200)]
tools/xenstore: move copying of node data out of db_fetch()

Today the node data is copied in db_fetch() on each data base read in
order to avoid accidental data base modifications when working on a
node.

read_node() is the only caller of db_fetch() which isn't freeing the
returned data area immediately after using it. The other callers don't
modify the returned data, so they don't need the data to be copied.

Move copying of the data into read_node(), resulting in a speedup of
the other callers due to no memory allocation and no copying being
needed anymore.

This allows to let db_fetch() return a pointer to const data.

As db_fetch() can't return any error other than ENOENT now, error
handling for the callers can be simplified.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: change talloc_free() to take a const pointer
Juergen Gross [Mon, 14 Aug 2023 07:46:55 +0000 (09:46 +0200)]
tools/xenstore: change talloc_free() to take a const pointer

With talloc_free() and related functions not taking a pointer to const
it is tedious to use the const attribute for talloc()-ed memory in
many cases.

Change the related prototypes to use "const void *" instead of
"void *".

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: let db_delete() return void
Juergen Gross [Mon, 14 Aug 2023 07:46:54 +0000 (09:46 +0200)]
tools/xenstore: let db_delete() return void

db_delete() only ever is returning 0. Switch it to return void and
remove all the error handling dealing with a non-zero return value.

Suggested-by: Julien Grall <julien@xen.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: remove tdb code
Juergen Gross [Mon, 14 Aug 2023 07:46:53 +0000 (09:46 +0200)]
tools/xenstore: remove tdb code

Now that TDB isn't used anymore, remove it.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: drop use of tdb
Juergen Gross [Mon, 14 Aug 2023 07:46:52 +0000 (09:46 +0200)]
tools/xenstore: drop use of tdb

Today all Xenstore nodes are stored in a TDB data base. This data base
has several disadvantages:

- It is using a fixed sized hash table, resulting in high memory
  overhead for small installations with only very few VMs, and a rather
  large performance hit for systems with lots of VMs due to many
  collisions.
  The hash table size today is 7919 entries. This means that e.g. in
  case of a simple desktop use case with 2 or 3 VMs probably far less
  than 10% of the entries will be used (assuming roughly 100 nodes per
  VM). OTOH a setup on a large server with 500 VMs would result in
  heavy conflicts in the hash list with 5-10 nodes per hash table entry.

- TDB is using a single large memory area for storing the nodes. It
  only ever increases this area and will never shrink it afterwards.
  This will result in more memory usage than necessary after a peak of
  Xenstore usage.

- Xenstore is only single-threaded, while TDB is designed to be fit
  for multi-threaded use cases, resulting in much higher code
  complexity than needed.

- Special use cases of Xenstore are not possible to implement with TDB
  in an effective way, while an implementation of a data base tailored
  for Xenstore could simplify some handling (e.g. transactions) a lot.

So drop using TDB and store the nodes directly in memory making them
easily accessible. Use a hash-based lookup mechanism for fast lookup
of nodes by their full path.

For now only replace TDB keeping the current access functions.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: add hashtable_replace() function
Juergen Gross [Mon, 14 Aug 2023 07:46:51 +0000 (09:46 +0200)]
tools/xenstore: add hashtable_replace() function

For an effective way to replace a hashtable entry add a new function
hashtable_replace().

This is in preparation to replace TDB with a more simple data storage.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: let hashtable_add() fail in case of existing entry
Juergen Gross [Mon, 14 Aug 2023 07:46:50 +0000 (09:46 +0200)]
tools/xenstore: let hashtable_add() fail in case of existing entry

Silently adding another entry with the same key to a hashtable is a
perfect recipe for later failure with hard to diagnose symptoms.

Let hashtable_add() fail in case another entry with the same key is
already existing.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago tools/xenstore: make hashtable key parameter const
Juergen Gross [Mon, 14 Aug 2023 07:46:49 +0000 (09:46 +0200)]
tools/xenstore: make hashtable key parameter const

The key is never modified by hashtable code, so it should be marked as
const.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
20 months ago docs: add Arm FF-A mediator
Jens Wiklander [Mon, 31 Jul 2023 12:15:36 +0000 (14:15 +0200)]
docs: add Arm FF-A mediator

Describes a FF-A version 1.1 [1] mediator to communicate with a Secure
Partition in secure world.

[1] https://developer.arm.com/documentation/den0077/latest

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
20 months ago tools: add Arm FF-A mediator
Jens Wiklander [Mon, 31 Jul 2023 12:15:35 +0000 (14:15 +0200)]
tools: add Arm FF-A mediator

Adds a new "ffa" value to the Enumeration "tee_type" to indicate if a
guest is trusted to use FF-A.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
20 months ago xen/arm: ffa: list current limitations
Jens Wiklander [Mon, 31 Jul 2023 12:15:34 +0000 (14:15 +0200)]
xen/arm: ffa: list current limitations

Adds comments with a list of unsupported FF-A interfaces and limitations
in the implemented FF-A interfaces.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: improve lock granularity
Jens Wiklander [Mon, 31 Jul 2023 12:15:33 +0000 (14:15 +0200)]
xen/arm: ffa: improve lock granularity

The single lock in struct ffa_ctx is complemented with rx_lock and tx_lock.

The old lock is used for small critical sections, like increasing
shm_count or adding another shm to shm_list.

rx_lock and tx_lock are only acquired using spin_trylock() which for
well-behaving guests should always succeed. Guests using the RX and TX
buffers are expected to serialize accesses before doing the FF-A
request.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: add support to reclaim shared memory
Jens Wiklander [Mon, 31 Jul 2023 12:15:32 +0000 (14:15 +0200)]
xen/arm: ffa: add support to reclaim shared memory

Adds support to reclaim memory previously shared with FFA_MEM_SHARE.

A memory region that doesn't need to be shared any longer can be
reclaimed with FFA_MEM_RECLAIM once the SP doesn't use it any longer.
This is checked by the SPMC and not in control of the mediator.

Adds a check that the SP supports the needed FF-A feature
FFA_MEM_RECLAIM.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: support sharing memory
Jens Wiklander [Mon, 31 Jul 2023 12:15:31 +0000 (14:15 +0200)]
xen/arm: ffa: support sharing memory

Adds support for a guest to share memory with an SP using FFA_MEM_SHARE.
Only memory regions small enough to be shared with a single call to
FFA_MEM_SHARE are supported.

With this commit we have a FF-A version 1.1 [1] mediator able to
communicate with a Secure Partition in secure world using shared memory.
The secure world must use FF-A version 1.1, but the guest is free to use
version 1.0 or version 1.1.

Adds a check that the SP supports the needed FF-A features
FFA_MEM_SHARE_64 or FFA_MEM_SHARE_32.

[1] https://developer.arm.com/documentation/den0077/latest

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: add ABI structs for sharing memory
Jens Wiklander [Mon, 31 Jul 2023 12:15:30 +0000 (14:15 +0200)]
xen/arm: ffa: add ABI structs for sharing memory

Adds the ABI structs used by function FFA_MEM_SHARE and friends for
sharing memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: add defines for sharing memory
Jens Wiklander [Mon, 31 Jul 2023 12:15:29 +0000 (14:15 +0200)]
xen/arm: ffa: add defines for sharing memory

According to DEN0077A version 1.1 REL0
- Section 10.9.2 Memory region handle, page 167
- Table 10.18 at page 175
- Table 10.15 at page 168
- Section 10.11.4 Flags usage, page 184-187
add defines needed for sharing using the function FFA_MEM_SHARE and
friends.

Also add limits for how many shared buffers that a guest can have at
once and how large a shared buffer can be at most.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: move regpair_to_uint64() and uint64_to_regpair() to regs.h
Jens Wiklander [Mon, 31 Jul 2023 12:15:28 +0000 (14:15 +0200)]
xen/arm: move regpair_to_uint64() and uint64_to_regpair() to regs.h

Moves the two helper functions regpair_to_uint64() and
uint64_to_regpair() from xen/arch/arm/tee/optee.c to the common arm
specific regs.h. This enables reuse of these functions in the FF-A
mediator in a subsequent patch.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
20 months ago xen/arm: ffa: support guest FFA_PARTITION_INFO_GET
Jens Wiklander [Mon, 31 Jul 2023 12:15:27 +0000 (14:15 +0200)]
xen/arm: ffa: support guest FFA_PARTITION_INFO_GET

Adds support in the mediator to handle FFA_PARTITION_INFO_GET requests
from a guest. The requests are forwarded to the SPMC and the response is
translated according to the FF-A version in use by the guest.

Using FFA_PARTITION_INFO_GET changes the owner of the RX buffer to the
caller (the guest in this case), so once it is done with the buffer it
must be released using FFA_RX_RELEASE before another call can be made.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: support mapping guest RX/TX buffers
Jens Wiklander [Mon, 31 Jul 2023 12:15:26 +0000 (14:15 +0200)]
xen/arm: ffa: support mapping guest RX/TX buffers

Adds support in the mediator to map and unmap the RX and TX buffers
provided by the guest using the two FF-A functions FFA_RXTX_MAP and
FFA_RXTX_UNMAP.

These buffers are later used to transmit data that cannot be passed in
registers only.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: send guest events to Secure Partitions
Jens Wiklander [Mon, 31 Jul 2023 12:15:25 +0000 (14:15 +0200)]
xen/arm: ffa: send guest events to Secure Partitions

The FF-A specification defines framework messages sent as direct
requests when certain events occur. For instance when a VM (guest) is
created or destroyed. Only SPs which have subscribed to these events
will receive them. An SP can subscribe to these messages in its
partition properties.

Adds a check that the SP supports the needed FF-A features
FFA_PARTITION_INFO_GET and FFA_RX_RELEASE.

The partition properties of each SP are retrieved with
FFA_PARTITION_INFO_GET which returns the information in our RX buffer.
Using FFA_PARTITION_INFO_GET changes the owner of the RX buffer to the
caller (us), so once we're done with the buffer it must be released
using FFA_RX_RELEASE before another call can be made.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: map SPMC rx/tx buffers
Jens Wiklander [Mon, 31 Jul 2023 12:15:24 +0000 (14:15 +0200)]
xen/arm: ffa: map SPMC rx/tx buffers

When initializing the FF-A mediator map the RX and TX buffers shared with
the SPMC.

These buffers are later used to transmit data that cannot be passed in
registers only.

Adds a check that the SP supports the needed FF-A features
FFA_RXTX_MAP_64 and FFA_RXTX_UNMAP.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago xen/arm: ffa: add direct request support
Jens Wiklander [Mon, 31 Jul 2023 12:15:23 +0000 (14:15 +0200)]
xen/arm: ffa: add direct request support

Adds support for sending a FF-A direct request. Checks that the SP also
supports handling a 32-bit direct request. 64-bit direct requests are
not used by the mediator itself so there is no need to check for that.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Henry Wang <Henry.Wang@arm.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
20 months ago IOMMU/x86: fix build with old gcc after IO-APIC RTE changes
Jan Beulich [Thu, 17 Aug 2023 14:25:51 +0000 (16:25 +0200)]
IOMMU/x86: fix build with old gcc after IO-APIC RTE changes

Old gcc (up to at least 4.3.4) won't cope with initializers involving
unnamed struct/union fields.

Fixes: 3e033172b025 ("x86/iommu: pass full IO-APIC RTE for remapping table update")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
20 months ago tboot: Disable CET at shutdown
Jason Andryuk [Thu, 17 Aug 2023 14:24:49 +0000 (16:24 +0200)]
tboot: Disable CET at shutdown

tboot_shutdown() calls into tboot to perform the actual system shutdown.
tboot isn't built with endbr annotations, and Xen has CET-IBT enabled on
newer hardware.  shutdown_entry isn't annotated with endbr and Xen
faults:

Panic on CPU 0:
CONTROL-FLOW PROTECTION FAULT: #CP[0003] endbranch

And Xen hangs at this point.

Disabling CET-IBT let Xen and tboot power off, but reboot was
performing a poweroff instead of a warm reboot.  Disabling all of CET,
i.e. shadow stacks as well, lets tboot reboot properly.

Fixes: cdbe2b0a1aec ("x86: Enable CET Indirect Branch Tracking")
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
20 months ago libxl: slightly correct JSON generation of CPU policy
Jan Beulich [Thu, 17 Aug 2023 14:24:17 +0000 (16:24 +0200)]
libxl: slightly correct JSON generation of CPU policy

The "cpuid_empty" label is also (in principle; maybe only for rubbish
input) reachable in the "cpuid_only" case. Hence the label needs to live
ahead of the check of the variable.

Fixes: 5b80cecb747b ("libxl: introduce MSR data in libxl_cpuid_policy")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
20 months ago x86: address MISRA C:2012 Rule 5.3
Nicola Vetrini [Mon, 14 Aug 2023 09:05:30 +0000 (11:05 +0200)]
x86: address MISRA C:2012 Rule 5.3

Address some occurrences of shadowing between the global
variable 'e820' in 'xen/arch/x86/e820.c' and the function
parameter name of 'e820_add_range'.

Since the function is only ever called with the global variable
as the actual parameter, there is no need to have it as a parameter
because both are defined in the same file (mentioned above).
This in turn causes several other functions to lose their parameter
'e820' because they are involved in the call chain that leads to
'e820_add_range'.

Similarly, 'kexec_reserve_area' is only ever called with the static
variable 'boot_e820' as a parameter, which is defined in the same file
as the function, thus it does not need that parameter, which is a cause
of shadowing, as explained above.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago xen/arm: traps: remove unused function 'dump_guest_s1_walk'
Nicola Vetrini [Mon, 14 Aug 2023 08:53:06 +0000 (10:53 +0200)]
xen/arm: traps: remove unused function 'dump_guest_s1_walk'

The function has no uses in the codebase, and can be removed.
This also avoids the violation of MISRA C:2012 Rule 8.4 and Rule 2.1
because it has no declaration and the function's code is unreachable.

Suggested-by: Julien Grall <julien@xen.org>
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
20 months ago automation: update jobs to use Debian Bookworm instead of unstable
Stefano Stabellini [Sat, 12 Aug 2023 02:06:51 +0000 (19:06 -0700)]
automation: update jobs to use Debian Bookworm instead of unstable

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
20 months ago automation: update test-artifacts to use Debian Bookworm instead of unstable
Stefano Stabellini [Sat, 12 Aug 2023 02:06:50 +0000 (19:06 -0700)]
automation: update test-artifacts to use Debian Bookworm instead of unstable

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
20 months ago automation: switch from Debian unstable to bookworm
Stefano Stabellini [Sat, 12 Aug 2023 02:06:49 +0000 (19:06 -0700)]
automation: switch from Debian unstable to bookworm

Debian unstable used in the Xen containers is actually bookworm.
Switching to bookworm which is now stable means we are not basing our
containers on a moving target anymore.

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
20 months ago Revert "xen/riscv: introduce decode_cause() stuff"
Jan Beulich [Mon, 14 Aug 2023 10:27:43 +0000 (12:27 +0200)]
Revert "xen/riscv: introduce decode_cause() stuff"

This reverts commit 22e71609ad49797b2da141394d07ab5b1c326d54,
which breaks both release and randconfig builds.

20 months ago xen/riscv: introduce decode_cause() stuff
Oleksii Kurochko [Mon, 14 Aug 2023 08:02:15 +0000 (10:02 +0200)]
xen/riscv: introduce decode_cause() stuff

The patch introduces stuff needed to decode a reason of an
exception.

Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
20 months ago xen/riscv: introduce <asm/bug.h>
Oleksii Kurochko [Mon, 14 Aug 2023 08:01:52 +0000 (10:01 +0200)]
xen/riscv: introduce <asm/bug.h>

Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
20 months ago xen/riscv: introduce temporary printk stuff
Oleksii Kurochko [Mon, 14 Aug 2023 08:00:53 +0000 (10:00 +0200)]
xen/riscv: introduce temporary printk stuff

The patch introduces printk related stuff which should be deleted
after Xen common code will be available.

Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
20 months ago cpufreq: add missing include of header 'pmstat.h'
Nicola Vetrini [Mon, 14 Aug 2023 08:00:12 +0000 (10:00 +0200)]
cpufreq: add missing include of header 'pmstat.h'

The missing header included by this patch provides a declaration for
'set_px_pminfo' that is visible prior to the definition in this file.
This also resolves a violation of MISRA C:2012 Rule 8.4.

Fixes: 452119c09420 ("x86 and ia64: move cpufreq notify code to commone place")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago x86/setup: add missing headers
Nicola Vetrini [Mon, 14 Aug 2023 07:59:30 +0000 (09:59 +0200)]
x86/setup: add missing headers

The missing headers declare variables 'xen_cpuidle' and 'use_invpcid'
that are then defined inside the file.
This is undesirable and also violates MISRA C:2012 Rule 8.4.
Adding suitable "#include"s resolves the issue.

The type of the variable 'xen_cpuidle' also changes according to
s/s8/int8_t/.

Fixes: 3eab82196b02 ("x86: PIT broadcast to fix local APIC timer stop issue for Deep C state")
Fixes: 63dc135aeaf9 ("x86: invpcid support")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago x86/hpet: make variable 'per_cpu__cpu_bc_channel' static
Nicola Vetrini [Mon, 14 Aug 2023 07:58:37 +0000 (09:58 +0200)]
x86/hpet: make variable 'per_cpu__cpu_bc_channel' static

The variable is only ever used inside the file where it's
defined, therefore it can have static storage. This also
resolves a violation of MISRA C:2012 Rule 8.4 due to the absence
of a declaration prior to the definition.

Fixes: 3ba523ff957c ("CPUIDLE: enable MSI capable HPET for timer broadcast")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
20 months ago build: correct gas --noexecstack check
Jan Beulich [Mon, 14 Aug 2023 07:58:19 +0000 (09:58 +0200)]
build: correct gas --noexecstack check

The check was missing an escape for the inner $, thus breaking things
in the unlikely event that the underlying assembler doesn't support this
option.

Fixes: 62d22296a95d ("build: silence GNU ld warning about executable stacks")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
21 months ago x86: adjust comparison for earlier signedness change
Jan Beulich [Fri, 11 Aug 2023 07:59:49 +0000 (09:59 +0200)]
x86: adjust comparison for earlier signedness change

Interestingly only Clang warns about the now bogus less-than-zero
comparison. Convert it to something that's more explicitly doing what
the comment says.

Fixes: 4086857cc159 ("x86: implement cpuid() in terms of cpuid_count()")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
21 months ago x86/vmsi: rename variables to address MISRA C:2012 Rule 5.3
Nicola Vetrini [Fri, 11 Aug 2023 07:58:42 +0000 (09:58 +0200)]
x86/vmsi: rename variables to address MISRA C:2012 Rule 5.3

The local variables 'irq_desc' shadow the homonymous global variable,
declared in 'xen/arch/x86/include/asm/irq.h', therefore they are renamed
'irqd'.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago xen/arm: Skip inclusion of domU nodes into hwdom dt /chosen node
Michal Orzel [Thu, 10 Aug 2023 11:25:44 +0000 (13:25 +0200)]
xen/arm: Skip inclusion of domU nodes into hwdom dt /chosen node

Configuration for dom0less domUs is stored under /chosen/<domu> nodes
present in the host device tree provided to Xen. All the properties and
sub nodes there are meant only for Xen. However, at the moment we still
copy them (except for modules that we skip) into hardware domain /chosen
node. Fix it by adding "xen,domain" compatible into the list of nodes to
skip in handle_node().

Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago xen/arm: Fix initrd placeholders generation in make_chosen_node()
Michal Orzel [Thu, 10 Aug 2023 11:25:43 +0000 (13:25 +0200)]
xen/arm: Fix initrd placeholders generation in make_chosen_node()

When booting a dom0less domU without initial ramdisk, it was observed
that Xen still creates empty linux,initrd-{start,end} properties under
/chosen node. This is because in make_chosen_node(), generation of initrd
placeholders (later on filled with the real values) is protected with
a check for presence of kernel bootmodule (always present) instead of
initrd bootmodule. Fix it along with renaming the variable from "mod" to
"initrd" to prevent similar mistakes in the future.

Fixes: 48f4bf6bdeb4 ("arm/acpi: Create min DT stub for Dom0")
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago automation: use Alpine 3.18 instead of 3.12 for all gitlab jobs
Stefano Stabellini [Thu, 10 Aug 2023 01:18:03 +0000 (18:18 -0700)]
automation: use Alpine 3.18 instead of 3.12 for all gitlab jobs

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
21 months ago automation: upgrade Alpine build and test artifact containers to 3.18
Stefano Stabellini [Thu, 10 Aug 2023 01:18:02 +0000 (18:18 -0700)]
automation: upgrade Alpine build and test artifact containers to 3.18

Alpine 3.12 is EOL. Also update the containerize script.

Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
21 months ago arm/efi: address MISRA C:2012 Rule 8.4
Nicola Vetrini [Wed, 9 Aug 2023 11:02:34 +0000 (13:02 +0200)]
arm/efi: address MISRA C:2012 Rule 8.4

The function 'fdt_add_uefi_nodes' can be defined static, as its
only callers are within the same file. This in turn avoids
violating Rule 8.4 because no declaration is present.

No functional change.

Fixes: 6d70ea10d49f ("Add ARM EFI boot support")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago x86/nmi: include missing header with declarations for 'watchdog_*'
Nicola Vetrini [Thu, 10 Aug 2023 13:16:20 +0000 (15:16 +0200)]
x86/nmi: include missing header with declarations for 'watchdog_*'

Include an additional header to make the declarations for
functions 'watchdog_*' visible prior to their definition in the
file, thereby resolving the violations of MISRA C:2012 Rule 8.4.

No functional change.

Fixes: c8177e691f0f ("watchdog: Move watchdog from being x86 specific to common code")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago xen/arm: mm: add missing extern variable declaration
Nicola Vetrini [Thu, 10 Aug 2023 13:15:50 +0000 (15:15 +0200)]
xen/arm: mm: add missing extern variable declaration

Add a declaration for the variable 'init_ttbr' to resolve the violation
of MISRA C:2012 Rule 8.4 present in the relative source file 'mm.c'.

No functional changes.

Fixes: 4557c2292854 ("xen: arm: rewrite start of day page table and cpu bring up")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago x86: make some functions and variables static rather than extern
Nicola Vetrini [Thu, 10 Aug 2023 13:15:12 +0000 (15:15 +0200)]
x86: make some functions and variables static rather than extern

The functions and variables touched by this commit can be static,
as they are only used within the same unit. This in turn addresses
the absence of declarations that violates MISRA C:2012 Rule 8.4.

Fixes: 741367e77d6c ("mce: Clean-up mcheck_init handler")
Fixes: 45f57813f646 ("x86/MCE: implement recoverscan for AMD")
Fixes: 155587481e39 ("x86/microcode: Scan the initramfs payload for microcode blob")
Fixes: af50dd63cf8d ("Pull nmi/traps changes from Linux 2.6.14.")
Fixes: fef244b179c0 ("x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago xen/arm: make declarations visible before function definitions
Nicola Vetrini [Thu, 10 Aug 2023 13:14:39 +0000 (15:14 +0200)]
xen/arm: make declarations visible before function definitions

'xen/hypercall.h' is included in 'xen/arch/arm/setup.c' to allow
the declaration of 'arch_get_xen_caps' to be visible when
defining the function.

The header 'xen/delay.h' is included in 'xen/arch/arm/time.c'
to allow the declaration of 'udelay' to be visible.

Fixes: 7cfc339cbc2f ("arm: Implement arch_get_xen_caps")
Fixes: 335ba242c55c ("arm: implement udelay()")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago xen/include: make a declaration of 'get_sec' visible where needed
Nicola Vetrini [Thu, 10 Aug 2023 13:13:58 +0000 (15:13 +0200)]
xen/include: make a declaration of 'get_sec' visible where needed

A declaration for 'get_sec' is added in 'xen/include/xen/time.h' to
be available for every call site (in particular 'cper.h').
This also resolves a violation of MISRA C:2012 Rule 8.4.

Fixes: c8cb30cfc87a ("mce: Provide ERST interface")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago xen: make 'saved_cmdline' static
Nicola Vetrini [Thu, 10 Aug 2023 13:13:21 +0000 (15:13 +0200)]
xen: make 'saved_cmdline' static

The variable 'saved_cmdline' can be defined static,
as its only uses are within the same file. This in turn avoids
violating MISRA C:2012 Rule 8.4 because no declaration is present.

Fixes: e6ee01ad24b6 ("xen/version: Drop compat/kernel.c")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago xen/memory: make 'ioreq_server_max_frames' static
Nicola Vetrini [Thu, 10 Aug 2023 13:12:56 +0000 (15:12 +0200)]
xen/memory: make 'ioreq_server_max_frames' static

The function 'ioreq_server_max_frames' can be defined static,
as its only uses are within the same file. This in turn avoids
violating MISRA C:2012 Rule 8.4 because no declaration is present.

No functional change.

Fixes: 9244528955de ("xen/memory: Fix acquire_resource size semantics")
Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago x86: implement cpuid() in terms of cpuid_count()
Jan Beulich [Thu, 10 Aug 2023 13:11:37 +0000 (15:11 +0200)]
x86: implement cpuid() in terms of cpuid_count()

Since as a bug workaround (likely inapplicable to any 64-bit CPUs, but
it probably doesn't hurt to keep this) we clear %ecx on input anyway,
we can as well fall back to cpuid_count(). This allows getting rid of
four risky casts and makes things type-safe. The latter aspect requires
two type adjustments elsewhere. While adjusting init_intel_cacheinfo(),
convert three other local variables there as well. For the struct
cpuinfo_x86 change it is relevant to note that no 64-bit CPU comes
without CPUID support, and hence cpuid_level is never set to -1; the
comment there was simply stale.

No functional change intended, yet of course generated code isn't
identical.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
21 months ago move PAGE_ALIGN() to common header
Jan Beulich [Thu, 10 Aug 2023 13:09:25 +0000 (15:09 +0200)]
move PAGE_ALIGN() to common header

Much like we have PAGE_OFFSET() there already, there's also no reason
for each arch to define identical PAGE_ALIGN().

While there re-pad PAGE_OFFSET() to match the other macros.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
21 months ago automation/eclair: update analyzed builds
Simone Ballarin [Wed, 9 Aug 2023 08:08:01 +0000 (10:08 +0200)]
automation/eclair: update analyzed builds

The xen build for ARM64 now has new configuration options which
require to be defined: this patch defines them.

In both configuration files some no longer true comments have been removed.

Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago automation/eclair: add ECL deviations
Simone Ballarin [Wed, 9 Aug 2023 08:08:00 +0000 (10:08 +0200)]
automation/eclair: add ECL deviations

This patch adds some deviations for the following guidelines:
Rule 2.1, Rule 5.3 and Rule 8.2.

Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago automation/eclair: update clean guidelines
Simone Ballarin [Wed, 9 Aug 2023 08:07:59 +0000 (10:07 +0200)]
automation/eclair: update clean guidelines

This patch splits the former list in two separate selectors
clean_guidelines_common and additional_clean_guidelines.

clean_guidelines_common contains the guidelines that are clean
in both the analyzed builds, instead additional_clean_guidelines
is populated depending on the current one.

The following clean guidelines have been added:
- MC3R1.R1.1;
- MC3R1.R1.3;
- MC3R1.R3.1;
- MC3R1.R4.1;
- MC3R1.R17.4;
- MC3R1.R22.6;
- MC3R1.D4.3 (just x86_64);
- MC3R1.R5.3 (just arm64);
- MC3R1.R7.2 (just arm64);
- MC3R1.R8.6 (just arm64);
- MC3R1.R9.3 (just arm64).

Signed-off-by: Simone Ballarin <simone.ballarin@bugseng.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago xen/delay: address MISRA C:2012 Rule 5.3
Nicola Vetrini [Wed, 9 Aug 2023 13:59:40 +0000 (15:59 +0200)]
xen/delay: address MISRA C:2012 Rule 5.3

The variable 'msec' declared in the macro shadows the local
variable in 'ehci_dbgp_bios_handoff', but to prevent any
future clashes with other functions the macro is converted to
a static inline function.

No functional change.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
21 months ago move max_page and total_pages to common code
Jan Beulich [Wed, 9 Aug 2023 13:58:37 +0000 (15:58 +0200)]
move max_page and total_pages to common code

Common code references both, so the variables shouldn't need declaring
and defining by every arch. While moving the definitions, add
__read_mostly (__ro_after_init would only be appropriate when
!mem_hotplug).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>
21 months ago common: asm/desc.h is an x86-only header
Jan Beulich [Wed, 9 Aug 2023 13:57:28 +0000 (15:57 +0200)]
common: asm/desc.h is an x86-only header

From briefly going over 9062553a0dc1 it looks like the #include in what
was ac_timer.c was added there for no reason. It's unneeded now in any
event, and it is the sole reason for Arm to have that dummy header.
Purge that, thus avoiding PPC (and later RISC-V) to also gain one.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>
21 months ago common: __u8 is history
Jan Beulich [Wed, 9 Aug 2023 13:56:44 +0000 (15:56 +0200)]
common: __u8 is history

With the last uses gone, move the type to linux-compat.h.

No functional change intended.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
21 months ago common: move Linux-inherited fixed width type decls to common header
Jan Beulich [Wed, 9 Aug 2023 13:54:45 +0000 (15:54 +0200)]
common: move Linux-inherited fixed width type decls to common header

Have these in one place, for all architectures to use. Also use the C99
types as the "original" ones, and derive the Linux compatible ones
(which we're trying to phase out). For __s<N>, seeing that no uses exist
anymore, move them to a new Linux compatibility header (as an act of
precaution - as said, we don't have any uses of these types right now).

In some Flask sources inclusion of asm/byteorder.h needs moving later.

No functional change intended.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>
21 months ago xen/arm64: head: Introduce a helper to flush local TLBs
Michal Orzel [Tue, 8 Aug 2023 11:07:39 +0000 (13:07 +0200)]
xen/arm64: head: Introduce a helper to flush local TLBs

Instead of repeating the same sequence of instructions to flush the TLBs
in various places, introduce a macro flush_xen_tlb_local and make use of
it. This is similar to what was done for arm32 by the commit:
dea9dddeceec8a1d68da24b14d5b2396effe555f

This is also making the flush sequence in enable_mmu more clear and
consistent.

Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Julien Grall <jgrall@amazon.com>
21 months ago tools/xl: reject bootloader=pygrub in case pygrub is disabled
Juergen Gross [Wed, 9 Aug 2023 07:05:55 +0000 (09:05 +0200)]
tools/xl: reject bootloader=pygrub in case pygrub is disabled

In case Xen has been configured with "--disable-pygrub", don't accept
the domain config option "bootloader=pygrub".

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
21 months ago tools: add configure option for libfsimage
Juergen Gross [Wed, 9 Aug 2023 07:05:40 +0000 (09:05 +0200)]
tools: add configure option for libfsimage

The only in-tree user of libfsimage is pygrub. Now that it is possible
to disable the build of pygrub, the same should be possible for
libfsimage.

Add an option for controlling the build of libfsimage. The default is
on if pygrub is being built, and off if it isn't. Without pygrub the
build of libfsimage can be enabled via --enable-libfsimage.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
21 months ago tools: add configure option for disabling pygrub
Juergen Gross [Wed, 9 Aug 2023 07:05:23 +0000 (09:05 +0200)]
tools: add configure option for disabling pygrub

Add a "--disable-pygrub" option for being able to disable the build
and installation of pygrub.

There are two main reasons to do so:

- A main reason to use pygrub is to allow a PV guest to choose its
  bitness (32- or 64-bit). Pygrub allows that by looking into the boot
  image and to start the guest in the correct mode depending on the
  kernel selected. With 32-bit PV guests being deprecated and the
  possibility to even build a hypervisor without 32-bit PV support,
  this use case is gone for at least some configurations.

- Pygrub is running in dom0 with root privileges. As it is operating
  on guest controlled data (the boot image) and taking decisions based
  on this data, there is a higher security risk. Not being possible
  to use pygrub is thus a step towards a reduction of attack surface.

Default is still to build and install pygrub.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
21 months ago ns16550: Guard accesses to `vuart` field by CONFIG_ARM
Shawn Anastasio [Wed, 9 Aug 2023 07:04:24 +0000 (09:04 +0200)]
ns16550: Guard accesses to `vuart` field by CONFIG_ARM

When CONFIG_ARM is defined, a `vuart` field is added to struct ns16550,
but accesses to this field in ns16550_uart_dt_init weren't correctly
guarded. Fix build on !ARM platforms that define CONFIG_HAS_DEVICE_TREE
by correctly guarding access to the vuart field in this function.

Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago libxenstat/Linux: pass nul-terminated string to strpbrk()
Jan Beulich [Wed, 9 Aug 2023 07:03:51 +0000 (09:03 +0200)]
libxenstat/Linux: pass nul-terminated string to strpbrk()

While what "tmp" points to has been cleared at the end of the first
iteration of parseNetDevLine()'s main loop, this is too late for the
first iteration's invocation of strpbrk() (copying the interface name).
Properly nul-terminate the string at population time instead, removing
the late clearing.

While there also eliminate a confusing (because of being wrong) comment:
A regex parsing error would be handled one further scope outwards. Here
we're dealing with field 1 vs any of the later fields.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
21 months ago automation: Fix missing smoke.serial in artifacts of qemu arm32 jobs
Michal Orzel [Tue, 8 Aug 2023 08:50:59 +0000 (10:50 +0200)]
automation: Fix missing smoke.serial in artifacts of qemu arm32 jobs

It was observed that smoke.serial file (used to store boot logs) is
missing in artifacts of qemu based arm32 jobs. This is because the
artifacts:paths listing smoke.serial specifies paths relative to the
project directory but the qemu-smoke-dom0{less}-arm32.sh scripts create
this file under binaries/. Fix it so that smoke.serial gets created in
project directory just like for every other test job.

Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
21 months ago x86/setup: address MISRA C:2012 Rule 5.3 and 8.3
Nicola Vetrini [Tue, 8 Aug 2023 12:22:51 +0000 (14:22 +0200)]
x86/setup: address MISRA C:2012 Rule 5.3 and 8.3

The parameters in the function declaration 'construct_dom0' violate
Rule 8.3:
"All declarations of an object or function shall use the same names
and type qualifiers", but also cause shadowing inside the declaration
scope with the variable "static struct file __initdata kernel;" in
'xen/common/efi/boot.c'. Renaming the parameters in the declaration
resolves both issues.

The local variable 'mask' is removed because it shadows the homonymous
variable defined in an outer scope. There's no change to the semantics since
the last use of this variable is in the scope touched by this commit.

No functional changes.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
21 months ago x86: refactor macros in 'xen-mca.h'
Nicola Vetrini [Tue, 8 Aug 2023 11:08:07 +0000 (13:08 +0200)]
x86: refactor macros in 'xen-mca.h'

The macros defined in 'xen/include/public/arch-x86/xen-mca.h' are revised
to address the following concerns:
- needless underscore prefixes for parameter names;
- the variable 'i' in function 'mce_action' that is shadowed
  by the local variable in the macro.

Therefore, the refactoring aims to resolve present shadowing
issues, which violate MISRA C:2012 Rule 5.3, and lessen the
probability of future ones with some renames.

No functional change.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago x86/xstate: address MISRA C:2012 Rule 5.3
Nicola Vetrini [Tue, 8 Aug 2023 11:08:06 +0000 (13:08 +0200)]
x86/xstate: address MISRA C:2012 Rule 5.3

Rename the local variables s/xsave/xstate/ to avoid clashing with
function 'xsave' declared in 'xen/arch/x86/include/asm/xstate.h'.

No functional changes.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
[stefano: defined/declared in commit message]
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
21 months ago x86/include: address MISRA C:2012 Rule 5.3.
Nicola Vetrini [Tue, 8 Aug 2023 11:08:05 +0000 (13:08 +0200)]
x86/include: address MISRA C:2012 Rule 5.3.

Variable 'mpc_default_type' in 'xen/arch/x86/include/asm/mpspec.h'
has no uses and causes shadowing with function parameter names
in 'mpparse.c'. Therefore, it is removed.

No functional changes.

Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago x86/spec-ctrl: Mitigate Gather Data Sampling
Andrew Cooper [Wed, 4 Jan 2023 16:32:44 +0000 (16:32 +0000)]
x86/spec-ctrl: Mitigate Gather Data Sampling

This is part of XSA-435 / CVE-2022-40982

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
21 months ago x86/spec-ctrl: Enumerations for Gather Data Sampling
Andrew Cooper [Wed, 4 Jan 2023 17:32:44 +0000 (17:32 +0000)]
x86/spec-ctrl: Enumerations for Gather Data Sampling

GDS_CTRL is introduced by the August 2023 microcode.  GDS_NO is for current
and future processors not susceptible to GDS.

This is part of XSA-435 / CVE-2022-40982

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>