Fouad Hilly [Thu, 22 Aug 2024 13:04:26 +0000 (14:04 +0100)]
x86/ucode: Utilize ucode_force and remove opt_ucode_allow_same
Pass xen-ucode flags to do low level checks on microcode version and utilize
it to allow for microcode downgrade or reapply the same version of the
microcode. ucode_force is required to be passed to a low level Intel and AMD
for version checks to be done.
While adding ucode_force, opt_ucode_allow_same was removed. Remove
opt_ucode_allow_same from documentation.
Update CHANGELOG.md for opt_ucode_allow_same removal.
Signed-off-by: Fouad Hilly <fouad.hilly@cloud.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86/boot: Add missing __XEN__ definition for 32 bit code
We are compiling Xen source code so we should define __XEN__ macro.
We don't want to import all definitions from XEN_CFLAGS (as done for
other options) because most of them are processor dependent and
do not apply to 32 bit.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
tools/oxenstored: Switch to using the plugin for Xenctrl.domain_getinfo
Also run 'make format' on the file to reformat an adjacent block of code
correctly.
Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com> Acked-by: Christian Lindig <christian.lindig@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
tools/oxenstored: Load the plugin for Xenctrl.domain_getinfo
Oxenstored dynamically loads the plugin provided in ocaml/libs/xsd_glue.
The plugin is verified to be providing the specified plugin_interface
during its loading.
If a V2 of the plugin is produced, V1 will still be present, and a new
version should only be loaded if it's verified to exist
(New oxenstored can run in an environment with only V1 of the plugin).
The plugin is not switched to as of yet, the old Xenctrl stubs are still
used.
Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com> Acked-by: Christian Lindig <christian.lindig@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
ocaml/libs: Implement a dynamically-loaded plugin for Xenctrl.domain_getinfo
This plugin intends to hide the unstable Xenctrl interface under a
stable one. In case of the change in the interface, a V2 of this plugin
would need to be produced, but V1 with the old interface would
need to be kept (with potential change in the implementation) in the
meantime.
To reduce the need for such changes in the future, this plugin only
provides the absolute minimum functionality that Oxenstored uses - only
three fields of the domaininfo struct are used and presented here.
Oxenstored currently uses the single-domain domain_getinfo function,
whereas domain_getinfolist is a potentially more efficient option. Both
of these are provided in the plugin to allow a transition from one to
the other without modifying the interface in the future. Both return
identical structures and rely on the same fields in xenctrl, thus if one
of them breaks, both will break, and a new version of the interface
would need to be issued.
Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com> Acked-by: Christian Lindig <christian.lindig@cloud.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Thu, 22 Aug 2024 19:18:15 +0000 (20:18 +0100)]
x86/bitops: Use the POPCNT instruction when available
It has existed in x86 CPUs since 2008, so we're only 16 years late adding
support. With all the other scafolding in place, implement arch_hweightl()
for x86.
The only complication is that the call to arch_generic_hweightl() is behind
the compilers back. Address this by writing it in ASM and ensure that it
preserves all registers.
Copy the code generation from generic_hweightl(). It's not a complicated
algorithm, and is easy to regenerate if needs be, but cover it with the same
unit tests as test_generic_hweightl() just for piece of mind.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 22 Aug 2024 20:39:59 +0000 (21:39 +0100)]
xen/bitops: Implement hweight64() in terms of hweight{l,32}()
... and drop generic_hweight{32,64}().
This is identical on all architectures except ARM32. Add one extra SELF_TEST
to check that hweight64() works when the input is split in half.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 22 Aug 2024 20:40:11 +0000 (21:40 +0100)]
xen/bitops: Implement hweight32() in terms of hweightl()
... and drop generic_hweight32().
As noted previously, the only two users of hweight32() are in __init paths.
The int-optimised form of generic_hweight() is only two instructions shorter
than the long-optimised form, and even then only on architectures which lack
fast multiplication, so there's no point providing an int-optimised form.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 22 Aug 2024 17:13:57 +0000 (18:13 +0100)]
xen/bitops: Drop the remnants of hweight{8,16}()
They are no more. No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
x86/time: split CMOS read and probe logic into function
The current logic to probe for the CMOS RTC is open-coded in get_cmos_time(),
move it to a separate function that both serves the purpose of testing for the
CMOS RTC existence and returning its value.
The goal is to be able to split the probing and the reading logic into separate
helpers, and putting the current logic in a separate function helps simplifying
further changes.
A transient *rtc_p variable is introduced as a parameter to the function, that
will be removed by further changes. Also note that due to the code movement,
now cmos_rtc_probe will only get cleared on a second call to get_cmos_time(),
as the newly introduced cmos_probe() function doesn't modify the variable
anymore.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
x86/time: move CMOS edge detection into read helper
Move the logic that ensures the CMOS RTC data is read just after it's been
updated into the __get_cmos_time() function that does the register reads. This
requires returning a boolean from __get_cmos_time() to signal whether the read
has been successfully performed after an update.
Note that while __get_cmos_time() can be used without waiting for the update
edge, so far the only caller does wait for it, hence move the code inside of
the function.
The goal, albeit not accomplished by this patch, is to be able to split the
probing and the reading of the CMOS RTC data into two separate functions.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
x86/time: introduce helper to fetch Xen wallclock when running as a guest
Move the current code in get_wallclock_time() to fetch the Xen wallclock
information from the shared page when running as a guest into a separate
helper.
No functional change intended.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 9 Sep 2024 11:40:47 +0000 (13:40 +0200)]
x86/HVM: reduce recursion in linear_{read,write}()
Let's make explicit what the compiler may or may not do on our behalf:
The 2nd of the recursive invocations each can fall through rather than
re-invoking the function. This will save us from adding yet another
parameter (or more) to the function, just for the recursive invocations.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
When a device has been reset on dom0 side, the Xen hypervisor
doesn't get notification, so the cached state in vpci is all
out of date compare with the real device state.
To solve that problem, add a new hypercall to support the reset
of pcidev and clear the vpci state of device. So that once the
state of device is reset on dom0 side, dom0 can call this
hypercall to notify hypervisor.
The behavior of different reset types may be different in the
future, so divide them now so that they can be easily modified
in the future without affecting the hypercall interface.
Andrew Cooper [Wed, 4 Sep 2024 12:27:03 +0000 (13:27 +0100)]
x86/trampoline: Move the trampoline declarations out of <asm/config.h>
asm/config.h is included in every translation unit (via xen/config.h), while
only a handful of functions actually interact with the trampoline.
Move the infrastructure into its own header, and take the opportunity to
document everything.
Change trampoline_realmode_entry() and wakeup_start() to be nocall functions,
rather than char arrays. Also switch to fixed width integers which are less
likely to diverge from the asm declaration.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 4 Sep 2024 13:48:53 +0000 (14:48 +0100)]
x86/acpi: Drop acpi_video_flags and use bootsym(video_flags) directly
This removes a level of indirection, as well as removing a somewhat misleading
name; the variable is really "S3 video quirks".
More importantly however it makes it very clear that, right now, parsing the
cmdline and quirks depends on having already placed the trampoline; a
dependency which is going to be gnarly to untangle.
That said, fixing the quirk is easy. The Toshiba Satellite 4030CDT has an
Intel Celeron 300Mhz CPU (Pentium 2 era) from 1998 when MMX was the headline
feature, sporting 64M of RAM. Being a 32-bit processor, it hasn't been able
to run Xen for about a decade now, so drop the quirk entirely.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
tools/ocaml: Build infrastructure for OCaml dynamic libraries
Dynamic libraries in OCaml require an additional compilation step on top
of the already specified steps for static libraries. Add an appropriate
template to Makefile.rules.
Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Christian Lindig <christian.lindig@cloud.com>
Jan Beulich [Fri, 6 Sep 2024 10:47:58 +0000 (12:47 +0200)]
x86emul: mark new "cp" local var maybe-unused
Just for the sake of the 32-bit build of the test harness. This wants
reverting once unconditional uses of the variable appear (AMX, AVX10).
Fixes: b20e3fbc3ec9 ("x86emul: introduce a struct cpu_policy * local in x86_emulate()") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Fri, 6 Sep 2024 06:41:18 +0000 (08:41 +0200)]
x86emul/test: fix build with gas 2.43
Drop explicit {evex} pseudo-prefixes. New gas (validly) complains when
they're used on things other than instructions. Our use was potentially
ahead of macro invocations - see simd.h's "override" macro.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Fri, 6 Sep 2024 06:40:21 +0000 (08:40 +0200)]
x86/xstate: enable AMX components
These being controlled by XCR0, enabling support is relatively
straightforward. Note however that there won't be any use of them until
their dependent ISA extension CPUID flags are exposed, not the least due
to recalculate_xstate() handling the dependencies in kind of a reverse
manner.
Note that xstate_check_sizes() already covers the two new states.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 4 Sep 2024 14:09:28 +0000 (16:09 +0200)]
x86: fix UP build with gcc14
The complaint is:
In file included from ././include/xen/config.h:17,
from <command-line>:
arch/x86/smpboot.c: In function ‘link_thread_siblings.constprop’:
./include/asm-generic/percpu.h:16:51: error: array subscript [0, 0] is outside array bounds of ‘long unsigned int[1]’ [-Werror=array-bounds=]
16 | (*RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]))
./include/xen/compiler.h:140:29: note: in definition of macro ‘RELOC_HIDE’
140 | (typeof(ptr)) (__ptr + (off)); })
| ^~~
arch/x86/smpboot.c:238:27: note: in expansion of macro ‘per_cpu’
238 | cpumask_set_cpu(cpu2, per_cpu(cpu_sibling_mask, cpu1));
| ^~~~~~~
In file included from ./arch/x86/include/generated/asm/percpu.h:1,
from ./include/xen/percpu.h:30,
from ./arch/x86/include/asm/cpuid.h:9,
from ./arch/x86/include/asm/cpufeature.h:11,
from ./arch/x86/include/asm/system.h:6,
from ./include/xen/list.h:11,
from ./include/xen/mm.h:68,
from arch/x86/smpboot.c:12:
./include/asm-generic/percpu.h:12:22: note: while referencing ‘__per_cpu_offset’
12 | extern unsigned long __per_cpu_offset[NR_CPUS];
| ^~~~~~~~~~~~~~~~
Which I consider bogus in the first place ("array subscript [0, 0]" vs a
1-element array). Yet taking the experience from 99f942f3d410 ("Arm64:
adjust __irq_to_desc() to fix build with gcc14") I guessed that
switching function parameters to unsigned int (which they should have
been anyway) might help. And voilà ...
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 4 Sep 2024 14:07:41 +0000 (16:07 +0200)]
mktarball: only archive Xen
As was basically decided already a while ago, remove - in the simplest
possible way - the archiving of both qemu-s and mini-os from tarball
generation.
With this the subtree-force-update-all prereq isn't needed anymore in
the top level Makefile. That goal, including the respective ones
underneath tools/, then also are unreferenced and hence are being
dropped, too.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 4 Sep 2024 14:06:21 +0000 (16:06 +0200)]
x86emul/test: rename "cp"
In preparation of introducing a const struct cpu_policy * local in
x86_emulate(), rename that global variable to something more suitable:
"cp" is our commonly used name for function parameters or local
variables of type struct cpu_policy *, and the present name of the
global could hence have interfered already.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 4 Sep 2024 14:05:03 +0000 (16:05 +0200)]
SUPPORT.md: split XSM from Flask
XSM is a generic framework, which in particular is also used by SILO.
With this it can't really be experimental: Arm mandates SILO for having
a security supported configuration.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
SBI has an API for shutdown so wire it up. However, the spec does allow the
call not to be implemented, so we have to cope with sbi_shutdown() returning.
There is a reboot-capable SBI extention, but in the short term route
machine_restart() into machine_halt().
Then, use use machine_halt() rather than an infinite loop at the end of
start_xen(). This avoids the Qemu smoke test needing to wait for the full
timeout in order to succeed.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Michal Orzel [Tue, 3 Sep 2024 12:48:34 +0000 (14:48 +0200)]
arm/div64: Drop do_div() macro for GCC version < 4
As stated in README, the minimum supported GCC version for arm32 is
4.9, therefore drop the custom do_div() macro in favor of using the
optimized version.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Penny Zheng [Fri, 30 Aug 2024 09:08:21 +0000 (10:08 +0100)]
xen: make VMAP support in MMU system only
Introduce CONFIG_HAS_VMAP which is selected by the architectures that
use MMU. vm_init() does not do anything if CONFIG_HAS_VMAP is not
enabled.
HAS_VMAP is widely used in ALTERNATIVE feature to remap a range of
memory with new memory attributes. Since this is highly dependent on
virtual address translation, we choose to make HAS_VMAP selected by
MMU. And ALTERNATIVE depends on HAS_VMAP.
At the moment, the users of HARDEN_BRANCH_PREDICTOR requires to use the
vmap() to update the exceptions vectors. While it might be possible to
rework the code, it is believed that speculative attackes would be
difficult to exploit on non-MMU because the software is tightly
controlled. So for now make HARDEN_BRANCH_PREDICTOR to depend on the
MMU.
Also took the opportunity to remove "#ifdef VMAP_VIRT_START .. endif"
from vmap.c. Instead vmap.c is compiled when HAS_VMAP is enabled. Thus,
HAS_VMAP is now enabled from x86, ppc and riscv architectures as all of
them use MMU and has VMAP_VIRT_START defined.
Andrew Cooper [Thu, 22 Aug 2024 18:04:44 +0000 (19:04 +0100)]
xen/bitops: Introduce generic_hweightl() and hweightl()
There are 6 remaining callers in Xen:
* The two hweight32() calls, _domain_struct_bits() and efi_find_gop_mode(),
are __init only.
* The two hweight_long() calls are both in bitmap_weight().
* The two hweight64() calls are hv_vpset_nr_banks() and x86_emulate().
Only bitmap_weight() and possibly hv_vpset_nr_banks() can be considered fast
paths, and they're all of GPR-width form.
Furthermore, the differences between a generic int and generic long form is
only an ADD and SHIFT, and only in !CONFIG_HAS_FAST_MULTIPLY builds.
Therefore, it is definitely not worth having both generic implemenations.
Implement generic_hweightl() based on the current generic_hweight64(),
adjusted to be compatible with ARM32, along with standard SELF_TESTS.
Implement hweightl() with usual constant-folding and arch opt-in support. PPC
is the only architecture that devates from generic, and it simply uses the
builtin.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 22 Aug 2024 16:01:53 +0000 (17:01 +0100)]
xen/bitops: Convert 'hweight(x) > 1' to new multiple_bits_set()
Using hweight() is an especially expensive way of determining simply if
multiple bits are set in a value. Worse, 4 of the 10 hweight() calls in Xen
are of this form.
Switch to the new multiple_bits_set() helper. This is far more efficient than
the longhand hweight() algorithm and, owing to its simplicity, likely more
efficient than even a dedicated instruction on a superscalar processor.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 22 Aug 2024 15:38:53 +0000 (16:38 +0100)]
xen/bitops: Introduce a multiple_bits_set() helper
This will be used to simplify real logic in the following patch. Add compile
and boot time testing as with other bitops.
Because the expression is so simple, implement it as a function-like macro
which is generic on the type of it's argument, rather than having multiple
variants.
Testing function-like macros needs a minor adjustments to the infrastructure
in xen/self-tests.h to avoid bracketing the fn parameter. The utility of this
outweighs the associated risks.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 28 Aug 2024 19:43:28 +0000 (20:43 +0100)]
xen/bitops: Switch from __pure to attr_const
All of the ffs()/fls() infrastructure is in fact (attr) const, because it
doesn't even read global state. This allows the compiler even more
flexibility to optimise.
No functional change.
Reported-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 30 Aug 2024 15:32:08 +0000 (16:32 +0100)]
ARM/vgic: Use for_each_set_bit() in gic_find_unused_lr()
There are no bits set in lr_mask beyond nr_lrs, so when substituting
bitmap_for_each() for for_each_set_bit(), we don't need to worry about the
upper bound.
However, the type of lr_mask does matter, so switch it to be uint64_t * and
move unsigned long * override until the find_next_zero_bit() call.
Move lr_val into a narrower scope and drop used_lr as it's declared by
for_each_set_bit() itself.
Drop the nr_lrs variable and use gic_get_nr_lrs() in the one location its now
used. It hides a triple pointer dereference, and while it may not be needed
in the PRISTINE case, it certainly doesn't need to be live across the rest of
the function.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Andrew Cooper [Fri, 30 Aug 2024 14:20:17 +0000 (15:20 +0100)]
ARM/vgic: Correct the expression for lr_all_full()
The current expression hits UB with 31 LRs (shifting into the sign bit), and
malfunctions with 32 LRs (shifting beyond the range of int). Swapping 1 for
1ULL fixes some of these, but still malfunctions at 64 LRs which is the
architectural limit.
Instead, shift -1ULL right in order to create the mask.
Fixes: 596f885a3202 ("xen/arm: set GICH_HCR_UIE if all the LRs are in use") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
libxl: Update the documentation of libxl_xen_console_read_line()
Despite its name, libxl_xen_console_read_line() does not read a line,
it fills the buffer with as many characters as fit. Update the
documentation to reflect the real behaviour of the function. Rename
line_r to avoid confusion since it is a pointer to an array of
characters.
Signed-off-by: Javi Merino <javi.merino@cloud.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
libxl: Remove unnecessary buffer zeroing and zalloc()
When reading the console, xen overwrites the contents of the buffer,
so there is no need to zero the buffer before passing it to xen.
Instead, add a NULL at the end of the buffer.
While we are at it, change the zalloc() of the buffer back to
malloc() as it was before bdf4131 (libxl: don't leak buf in
libxl_xen_console_read_start error handling, 2013-12-03). The comment
in that commit message says that the intent of the commit was to
change malloc+memset to zalloc(), but only for the
libxl_xen_console_reader struct, not for the buffer.
Signed-off-by: Javi Merino <javi.merino@cloud.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
libxl: Fix nul-termination of the return value of libxl_xen_console_read_line()
When built with ASAN, "xl dmesg" crashes in the "printf("%s", line)"
call in main_dmesg(). ASAN reports a heap buffer overflow: an
off-by-one access to cr->buffer.
The readconsole sysctl copies up to count characters into the buffer,
but it does not add a null character at the end. Despite the
documentation of libxl_xen_console_read_line(), line_r is not
nul-terminated if 16384 characters were copied to the buffer.
Fix this by asking xc_readconsolering() to fill the buffer up to size
- 1. As the number of characters in the buffer is only needed in
libxl_xen_console_read_line(), make it a local variable there instead
of part of the libxl__xen_console_reader struct.
Fixes: 4024bae739cc ("xl: Add subcommand 'xl dmesg'") Reported-by: Edwin Török <edwin.torok@cloud.com> Signed-off-by: Javi Merino <javi.merino@cloud.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
****************************************
Panic on CPU 1:
FATAL PAGE FAULT
[error_code=0003]
Faulting linear address: ffff82d0404011ea
****************************************
For the time being revert opt_allow_unsafe to be __read_mostly.
Fixes: bfcb0abb191f ('types: replace remaining uses of s8') Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 2 Sep 2024 09:58:21 +0000 (11:58 +0200)]
x86: drop map-low-16Mb leftovers
Prior work (e.g. cbabbc9f5659 ["x86/boot: Size the boot/directmap
mappings dynamically"]) has fully eliminated that hardcoded boundary.
Drop both the linker script assertion (the upper bound is now the stubs
area) and the artificial extending of xen.efi's image size.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 2 Sep 2024 09:57:22 +0000 (11:57 +0200)]
types: replace remaining uses of s8
... and move the type itself to linux-compat.h.
While doing so,
- convert __read_mostly to __ro_after_init for respective variables
having their type changed (for acpi_numa add the attribute anew),
- in cpuid_hypervisor_leaves() drop a cast altogether,
- switch an adjacent struct arch_irq_desc field to bool.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 2 Sep 2024 09:56:24 +0000 (11:56 +0200)]
x86: drop s<N>/u<N> overrides from mkelf32
Use uint<N>_t instead (s<N> were unused altogether). While adjusting
swap<N>() drop excessive casts and rename the arguments to avoid leading
underscores.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Add defensive return statement at the end of an unreachable
default case. Other than improve safety, this meets the requirements
to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
statement shall terminate every switch-clause".
Anthony PERARD [Fri, 30 Aug 2024 09:49:40 +0000 (09:49 +0000)]
libxl: Probe QEMU for -run-with chroot=dir and use it
QEMU 9.0 have removed "-chroot" command line option, which have been
deprecated since QEMU 8.1 in favor of "-run-with chroot=dir".
Look into the result of the QMP command "query-command-line-options"
to find out if "-run-with chroot=dir" is available. Then use it in
place of "-chroot".
Resolves: xen-project/xen#187 Signed-off-by: Anthony PERARD <anthony.perard@vates.tech> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Andrew Cooper [Wed, 28 Aug 2024 19:20:34 +0000 (20:20 +0100)]
x86/pv: Make cr4_pv32_mask be PV32-only
The user of cr4_pv32_mask (the cr4_pv32_restore() function) only exists in a
CONFIG_PV32 build, but right now the variable is unconditionally set up.
To start with, move the setup into set_in_cr4() and remove it from it's
somewhat ad-hoc position in __start_xen(). This means the variable will be
set up in two steps for a CONFIG_PV32=y build, but it's cleaner and more
robust logic overall.
With that, there's no good reason for the variable to stay in setup.c. Move
it to x86/pv/domain.c (beside opt_pv32, for want of any better place to live),
and move the declaration to beside set_in_cr4() and mmu_cr4_features which is
a better position than setup.h.
Guard the reference with CONFIG_PV32, and fix up a recent typo in an adjacent
comment while at it.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Victor Lira [Thu, 29 Aug 2024 22:34:23 +0000 (15:34 -0700)]
automation: use expect utility in xilinx tests
Fixes: 95764a0817a5 (automation: update xilinx test scripts (tty))
This patch introduced a CI failure due to a timeout in xilinx-x86_64 test.
Change xilinx-x86_64 and xilinx-arm64 scripts to use "expect" utility
to determine test result and allow early exit from tests.
Add "expect" to xilinx container environment (dockerfile).
Rename references to "QEMU" in "qemu-key.exp" expect script to "TEST" to be
used by both QEMU and hardware tests.
Signed-off-by: Victor Lira <victorm.lira@amd.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Victor Lira [Thu, 29 Aug 2024 22:34:22 +0000 (15:34 -0700)]
automation: fix false success in qemu tests
Fix flaw in qemu-*.sh tests that producess a false success. The following
lines produces success despite the "expect" script producing nonzero exit
status:
set +e
...
./automation/scripts/qemu-key.exp | sed 's/\r\+$//'
(end of file)
The default exit status for a pipeline using "|" operator is that of the
rightmost command. Fix this by setting the "pipefail" option in the shell,
and removing "set +e" allowing the expect script to determine the result.
Signed-off-by: Victor Lira <victorm.lira@amd.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Jan Beulich [Thu, 29 Aug 2024 08:03:53 +0000 (10:03 +0200)]
Arm64: adjust __irq_to_desc() to fix build with gcc14
With the original code I observe
In function ‘__irq_to_desc’,
inlined from ‘route_irq_to_guest’ at arch/arm/irq.c:465:12:
arch/arm/irq.c:54:16: error: array subscript -2 is below array bounds of ‘irq_desc_t[32]’ {aka ‘struct irq_desc[32]’} [-Werror=array-bounds=]
54 | return &this_cpu(local_irq_desc)[irq];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
which looks pretty bogus: How in the world does the compiler arrive at
-2 when compiling route_irq_to_guest()? Yet independent of that the
function's parameter wants to be of unsigned type anyway, as shown by
a vast majority of callers (others use plain int when they really mean
non-negative quantities). With that adjustment the code compiles fine
again.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Michal Orzel <michal.orzel@amd.com>
Xenia Ragiadakou [Thu, 29 Aug 2024 08:02:46 +0000 (10:02 +0200)]
ioreq: do not build arch_vcpu_ioreq_completion() for non-VMX configurations
VIO_realmode_completion is specific to vmx realmode and thus the function
arch_vcpu_ioreq_completion() has actual handling work only in VMX-enabled build,
as for the rest x86 and ARM build configurations it is basically a stub.
Here a separate configuration option ARCH_VCPU_IOREQ_COMPLETION introduced that
tells whether the platform we're building for requires any specific ioreq
completion handling. As of now only VMX has such requirement, so the option is
selected by INTEL_VMX, for other configurations a generic default stub is
provided (it is ARM's version of arch_vcpu_ioreq_completion() moved to common
header).
For partial writes the non-written parts of registers are folded into
the full 64-bit value from what they're presently set to. That's wrong
to do though when the behavior is write-1-to-clear: Writes not
including to low 3 bits would unconditionally clear all ISR bits which
are presently set. Re-calculate the value to use.
Fixes: be07023be115 ("x86/vhpet: add support for level triggered interrupts") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 29 Aug 2024 08:01:19 +0000 (10:01 +0200)]
x86emul: drop further Xeon Phi decode leftovers
Special casing in x86emul_decode() can be dropped, while overrides done
in decode_0f38() can move into ext0f38_table[]. That table's S/G
prefetch entries aren't needed anymore either.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Anthony PERARD [Thu, 29 Aug 2024 08:00:46 +0000 (10:00 +0200)]
libxl: Implement QEMU command line probe
Starting with QEMU 9.0, the option "-chroot", that we use for the
"dmrestrict" feature, is removed. We need to find out which to use
between "-chroot" and "-run-with chroot=dir".
This patch implement the machinery to spawn QEMU, and to run the QMP
command "query-command-line-options" but doesn't yet look at the
actual result. Whether or not to use "-run-with chroot=dir" will be
implemented in a follow up patch.
The command line used to spawn the qemu we want to probe is mostly
similar to the one we already use for the device model, "-machine
none" comes from libvirt.
This patch implement the probing on qemu-xen, even if we probably not
going to use the result. We could check the feature wanted for the
domain being created, but this could get complicated fairly quickly.
We already need to check the options "b_info->dm_restrict" for
"-chroot" and "state->dm_runas" for "-runas" (which is deprecated).
Signed-off-by: Anthony PERARD <anthony.perard@vates.tech> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Roger Pau Monne [Wed, 28 Aug 2024 11:30:44 +0000 (13:30 +0200)]
x86/dom0: disable SMAP for PV domain building only
Move the logic that disables SMAP so it's only performed when building a PV
dom0, PVH dom0 builder doesn't require disabling SMAP.
The fixes tag is to account for the wrong usage of cpu_has_smap in
create_dom0(), it should instead have used
boot_cpu_has(X86_FEATURE_XEN_SMAP). Fix while moving the logic to apply to PV
only.
While there also make cr4_pv32_mask __ro_after_init.
Fixes: 493ab190e5b1 ('xen/sm{e, a}p: allow disabling sm{e, a}p for Xen itself') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tamas K Lengyel [Wed, 28 Aug 2024 13:38:23 +0000 (09:38 -0400)]
oss-fuzz: Fix coverage runtime error
The oss-fuzz infrastructure collects runtime coverage information for debugging
and fuzzing evaluation. Currently it appears broken due to missing C files.
This is because the fuzzer's Makefile only symlinks the C files from various
locations in the Xen source tree into the build folder. These symlinks however
are gone as oss-fuzz uses separate docker containers for the build and for the
run.
Update the oss-fuzz build script to copy the required C files into the
build folder to fix this oss-fuzz specific issue.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 27 Aug 2024 23:33:19 +0000 (00:33 +0100)]
ARM/vgic: Fix variable shadowing in vgic_to_sgi()
for_each_set_bit() allocates its own variable intentionally as loop-scope
only. Unfortunately, this causes the inner 'i' to shadow the outer 'i', and
violates MISRA Rule 5.3.
Drop the outermost 'i' and 'vcpuid' variables, moving them into a more narrow
scope and correcting them to be unsigned which they should have been all
along. Update the printk() formatting of vcpuid to match.
Fixes: 9429f1a6c475 ("ARM/vgic: Use for_each_set_bit() in vgic_to_sgi()") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Rewrite them to be more concise and useful. Use 0x prefixes for hex, rather
than being ambiguous, and identify the problem target vCPU / mode, rather than
simply saying something was wrong.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Frediano Ziglio [Thu, 22 Aug 2024 14:00:43 +0000 (15:00 +0100)]
x86/boot: Preserve the value clobbered by the load-base calculation
Right now, Xen clobbers the value at 0xffc when performing it's load-base
calculation. We've got plenty of free registers at this point, so the value
can be preserved easily.
This fixes a real bug booting under Coreboot+SeaBIOS, where 0xffc happens to
be the cbmem pointer (e.g. Coreboot's dmesg ring, among other things).
However, there's also a better choice of memory location to use than 0xffc, as
all our supported boot protocols have a pointer to an info structure in %ebx.
Update the documentation to match.
Fixes: 1695e53851e5 ("x86/boot: Fix the boot time relocation calculations") Fixes: d96bb172e8c9 ("x86/entry: Early PVH boot code") Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 26 Aug 2024 08:33:09 +0000 (10:33 +0200)]
x86emul: drop and avoid use of BUG()
Generally it is not a good idea to use BUG() in emulator code. Even for
internal flaws we're better off returning errors to callers, rather than
crashing the system. Replace the sole remaining use and remove the
test / fuzzing harness surrogate. Put in place a declaration pleasing
the compiler when finding uses in Xen headers, while at the same time
breaking the build (at linking time) in case an active reference would
newly appear.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jiqian Chen [Mon, 26 Aug 2024 08:32:05 +0000 (10:32 +0200)]
x86/pvh: Add PHYSDEVOP_setup_gsi for PVH dom0
The gsi of a passthrough device must be configured for it to be
able to be mapped into a hvm domU.
But When dom0 is PVH, the gsis may not get registered(see below
clarification), it causes the info of apic, pin and irq not be
added into irq_2_pin list, and the handler of irq_desc is not set,
then when passthrough a device, setting ioapic affinity and vector
will fail.
To fix above problem, on Linux kernel side, a new code will
need to call PHYSDEVOP_setup_gsi for passthrough devices to
register gsi when dom0 is PVH.
So, add PHYSDEVOP_setup_gsi into hvm_physdev_op for above
purpose.
Clarify two questions:
First, why the gsi of devices belong to PVH dom0 can work?
Because when probe a driver to a normal device, it uses the normal
probe function of pci device, in its callstack, it requests irq
and unmask corresponding ioapic of gsi, then trap into xen and
register gsi finally.
Callstack is(on linux kernel side) pci_device_probe->
request_threaded_irq-> irq_startup-> __unmask_ioapic->
io_apic_write, then trap into xen hvmemul_do_io->
hvm_io_intercept-> hvm_process_io_intercept->
vioapic_write_indirect-> vioapic_hwdom_map_gsi-> mp_register_gsi.
So that the gsi can be registered.
Second, why the gsi of passthrough device can't work when dom0
is PVH?
Because when assign a device to passthrough, it uses the specific
probe function of pciback, in its callstack, it doesn't install a
fake irq handler due to the ISR is not running. So that
mp_register_gsi on Xen side is never called, then the gsi is not
registered.
Callstack is(on linux kernel side) pcistub_probe->pcistub_seize->
pcistub_init_device-> xen_pcibk_reset_device->
xen_pcibk_control_isr->isr_on==0.
Jan Beulich [Mon, 26 Aug 2024 08:30:40 +0000 (10:30 +0200)]
x86/x2APIC: correct cluster tracking upon CPUs going down for S3
Downing CPUs for S3 is somewhat special: Since we can expect the system
to come back up in exactly the same hardware configuration, per-CPU data
for the secondary CPUs isn't de-allocated (and then cleared upon re-
allocation when the CPUs are being brought back up). Therefore the
cluster_cpus per-CPU pointer will retain its value for all CPUs other
than the final one in a cluster (i.e. in particular for all CPUs in the
same cluster as CPU0). That, however, is in conflict with the assertion
early in init_apic_ldr_x2apic_cluster().
Note that the issue is avoided on Intel hardware, where we park CPUs
instead of bringing them down.
Extend the bypassing of the freeing to the suspend case, thus making
suspend/resume also a tiny bit faster.
Fixes: 2e6c8f182c9c ("x86: distinguish CPU offlining from CPU removal") Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Nikola Jelic [Mon, 26 Aug 2024 08:27:53 +0000 (10:27 +0200)]
xen: PE/COFF image header
Added PE/COFF generic image header which shall be used for EFI
application format for x86/risc-v. x86 and risc-v source shall be adjusted
to use this header in following commits. pe.h header is taken over from
linux kernel with minor changes in terms of formatting and structure member comments.
Also, COFF relocation and win cert structures are ommited, since these are not relevant for Xen.
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 36e4fc57fc16 Signed-off-by: Nikola Jelic <nikola.jelic@rt-rk.com> Signed-off-by: Milan Djokic <milan.djokic@rt-rk.com> Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Acked-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Victor Lira [Fri, 23 Aug 2024 22:29:04 +0000 (15:29 -0700)]
automation: update xilinx test scripts (tty)
Update serial device names from ttyUSB* to test board specific names.
Update xilinx-smoke-dom0-x86_64 with new Xen command line console options,
which are now set as Gitlab CI/CD variables. Abstract the directory where
binaries are stored. Increase the timeout to match new setup.
Signed-off-by: Victor Lira <victorm.lira@amd.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Wed, 19 Jun 2024 19:39:54 +0000 (20:39 +0100)]
x86/xstate: Switch back to for_each_set_bit()
In all 3 examples, we're iterating over a scaler. They have an upper bound of
63 which is to exclude the top bit; the COMPRESSED bit.
recalculate_xstate() calculates xstates directly and doesn't set the
COMPRESSED bit. Both xstate_{un,}compressed_size() take architectural
register values, neither of which permit the COMPRESSED bit either.
xstate_uncompressed_size() has an ASSERT() covering this properly; add a
equivelent ASSERT() to xstate_compressed_size() too.
This alone produces:
add/remove: 0/0 grow/shrink: 0/4 up/down: 0/-161 (-161)
Function old new delta
compress_xsave_states 66 58 -8
xstate_uncompressed_size 119 71 -48
xstate_compressed_size 124 76 -48
recalculate_xstate 347 290 -57
where xstate_{un,}compressed_size() have practically halved in size despite
being small before.
The change in compress_xsave_states() is unexpected. The function is almost
entirely dead code, and within what remains there's a smaller stack frame. I
suspect it's leftovers that the optimiser couldn't fully discard.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Wed, 19 Jun 2024 14:46:47 +0000 (15:46 +0100)]
xen/bitops: Introduce for_each_set_bit()
The prior version (renamed to bitmap_for_each()) was inefficeint when used
over a scalar, but this is the more common usage even before accounting for
the many opencoded forms.
Introduce a new version which operates on scalars only and does so without
spilling them to memory. This in turn requires the addition of a type-generic
form of ffs().
Add testing for the new construct alongside the ffs/fls testing.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Tue, 18 Jun 2024 22:23:11 +0000 (23:23 +0100)]
xen/bitops: Rename for_each_set_bit() to bitmap_for_each()
The current implementation wants to take an in-memory bitmap. However, all
ARM callers and all-but-1 x86 callers spill a scalar to the stack in order to
use the "generic arbitrary bitmap" helpers under the hood.
This works, but is far from ideal.
Rename the construct and move it into bitmap.h, because having an iterator for
an arbitrary bitmap is a useful thing.
This will allow us to re-implement for_each_set_bit() to be more appropriate
for scalar values.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Michal Orzel <michal.orzel@amd.com>
projects / xen.git / log