Julien Grall [Tue, 14 Jun 2016 08:31:00 +0000 (09:31 +0100)]
xen/arm: Rework the interface of p2m_lookup and use typesafe gfn and mfn
The prototype and the declaration of p2m_lookup disagree on how the
function should be used. One expects a frame number whilst the other
an address.
Thankfully, everyone is using it with an address today. However, most of
the callers have to convert a guest frame to an address. Modify
the interface to take a guest physical frame in parameter and return
a machine frame.
Whilst modifying the interface, use typesafe gfn and mfn for clarity
and catching possible misusage.
Julien Grall [Tue, 28 Jun 2016 13:37:57 +0000 (14:37 +0100)]
xen: Use a typesafe to define INVALID_GFN
Also take the opportunity to convert arch/x86/debug.c to the typesafe gfn.
Signed-off-by: Julien Grall <julien.grall@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Acked-by: Elena Ufimtseva <elena.ufimtseva@oracle.com> Acked-by: Tim Deegan <tim@xen.org> Acked-by: Kevin Tian <kevin.tian@intel.com>
Julien Grall [Fri, 24 Jun 2016 14:38:54 +0000 (15:38 +0100)]
xen: Use a typesafe to define INVALID_MFN
Also take the opportunity to convert arch/x86/debug.c to the typesafe
mfn and use proper printf format for MFN/GFN when the code around is
modified.
Signed-off-by: Julien Grall <julien.grall@arm.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Acked-by: Tim Deegan <tim@xen.org> Acked-by: Kevin Tian <kevin.tian@intel.com>
Julien Grall [Tue, 28 Jun 2016 12:31:32 +0000 (13:31 +0100)]
xen/passthrough: x86: Use INVALID_GFN rather than INVALID_MFN
A variable containing a guest frame should be compared to INVALID_GFN
and not INVALID_MFN.
Signed-off-by: Julien Grall <julien.grall@arm.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Tim Deegan <tim@xen.org>
libxl: move DEFINE_DEVICE* macros to libxl_internal.h
In order to be able to have all functions related to a device type in
a single source file move the macros used to generate device type
specific functions to libxl_internal.h. Rename the macros as they are
no longer local to a source file. While at it hide device remove and
device destroy in one macro as those are always used in pairs. Move
usage of the macros to the appropriate source files.
Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Wei Liu [Wed, 8 Jun 2016 14:01:02 +0000 (15:01 +0100)]
libxl: only issue cpu-add call to QEMU for not present CPU
Calculate the final bitmap for CPUs to add to avoid having annoying
error messages complaining those CPUs are already present. Example
message is like (wrapped):
libxl: error: libxl_qmp.c:287:qmp_handle_error_response: received an
error message from QMP server: Unable to add CPU: 0, it already exists
We can also properly handle error from QMP now.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Wei Liu [Tue, 7 Jun 2016 09:03:39 +0000 (10:03 +0100)]
libxl: introduce libxl__qmp_query_cpus
It interrogates QEMU for CPUs and updates the bitmap accordingly.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Julien Grall [Tue, 28 Jun 2016 16:34:31 +0000 (17:34 +0100)]
xen/arm: io: Protect the handlers with a read-write lock
Currently, accessing the I/O handlers does not require taking a lock
because new handlers are always added at the end of the array. In a
follow-up patch, this array will be sorted to optimize the look up.
Given that most of the time the I/O handlers will not be modified,
using a spinlock will add contention when multiple vCPUs are accessing
the emulated MMIOs. So use a read-write lock to protect the handlers.
Finally, take the opportunity to re-indent correctly domain_io_init.
Julien Grall [Tue, 28 Jun 2016 15:51:54 +0000 (16:51 +0100)]
xen/arm: gic-v3: No need to sort the Redistributor regions
The sorting was required by the vGIC emulation until commit 9b9d51e98edb8c5c731e2d06dfad3633053d88a4 "xen/arm: vgic-v3:
Correctly retrieve the vCPU associated to a re-distributor".
Furthermore, the code is buggy because both local variables 'l' and 'r'
point to the same region.
So drop the code which sorts the Redistributors array.
Julien Grall [Tue, 14 Jun 2016 11:50:26 +0000 (12:50 +0100)]
xen/arm: map_dev_mmio_region: The iomem permission check should be done on MFN
The helper iomem_access_permitted expects MFNs in parameters and not
GFNs. Thankfully only the hardware domain can call this function and
it will always be with GFNs == MFNs for now.
Also, fix the printf to use the MFN range and not the GFN one.
XSM/policy: Allow the source domain access to settime and setdomainhandle domctls while creating domain.
This patch resolves the following permission denied scenarios while creating
new domU :
avc: denied { setdomainhandle } for domid=0 target=1
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
A dedicated Xen driver domain init service starts "xl devd" in domU. But
currently, it is only supplied in the form of a SysV init script, which
systemd users run through a backward compatibility wrapper automatically
generated by systemd-sysv-generator. This patch adds a (naturally more
lightweight) native systemd unit to be used instead.
The xendriverdomain service is only relevant to domU, but should not run
in dom0. Therefore, the systemd unit uses "ConditionVirtualization=xen",
which evaluates to true in domU and (since systemd version 214, released
on 2014-06-11) to false in dom0. Users or distributors who need to be
compatible with even older systemd versions, but still want to prevent
"xl devd" startup in dom0, could add the following line in [Service]:
ExecStartPre=/bin/sh -c "! grep -q control_d /proc/xen/capabilities"
(Please rerun autogen.sh after applying this patch)
Signed-off-by: Rusty Bird <rustybird@openmailbox.org> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: rerun autogen.sh ]
Andrew Cooper [Thu, 30 Jun 2016 16:40:23 +0000 (17:40 +0100)]
tools/xl: Allow callers of `xl info` to select specific information
When scripting, it is much more convenient to use:
[root@fusebot ~]# xl info xen_version
4.8-unstable
than to construct some sed/awk/other to parse:
[root@fusebot ~]# xl info
...
xen_version : 4.8-unstable
...
This works by wrapping all printf() calls in main_info() with maybe_printf(),
which formats its arguments, compares the resulting string to the provided
restriction, and discards it if no match is found.
A restriction like this doesn't make sense in combination with --numa, so is
excluded in that case.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
xen: credit2: when tickling, check idle cpus first
If there are idle pCPUs, it's always better to try to
"ship" the new vCPU there, instead of letting it
preempt a currently busy one.
This commit also adds a cpumask_test_or_cycle() helper
function, to make it easier to code the preference for
the pCPU where the vCPU was running before.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
xen: sched: make the 'tickled' perf counter clearer
In fact, what we have right now, i.e., tickle_idlers_none
and tickle_idlers_some, is not good enough for describing
what really happens in the various tickling functions of
the various schedulers.
Switch to a more descriptive set of counters, such as:
- tickled_no_cpu: for when we don't tickle anyone
- tickled_idle_cpu: for when we tickle one or more
idler
- tickled_busy_cpu: for when we tickle one or more
non-idler
While there, fix style of an "out:" label in sched_rt.c.
xen/arm64: Use the correct TLBs flush instruction to nuke stage-2 TLBs
The function flush_tlb is called to invalidate the TLBs for the current
domain when the stage-2 page tables are modified.
On ARMv8, the instruction "tlbi vmalle1is" (resp. "tlbi vmalle1") will
invalidate stage 1 entries associated to the current VMID (see D4-1811 in
ARM DDI 0487A.j).
Given that an implementation is allowed to cache separately stage 1 and
stage 2 translation (see D4.7.1), the instructions will not remove stage
2 entries when the translation is not combined in a single entry.
This will result in the TLBs holding invalid entries and possibly multiple
entries using the same VA.
Use "tlbi vmalls12e1is" (resp. "tlbi vmalls12e1"), to flush both stage
1 and 2 entries when the domain p2m is changed.
Also modify flush_tlb_local to invalidate stage 1 and 2 for the local
TLBs. Note that this function is used in the instruction abort path
before translating a GVA to an IPA. As far as I understand, this is to avoid a
guest poisoning the DTLB when memaccess is in use. We might be able to
only invalidate stage 1 entries. However, I choose the safest way for now
(i.e. invalidating stage 1 and 2 entries). We would need to introduce a
new set of helpers when we will want to restrict it.
Move xen/paging.h #include from hvm/monitor.h to hvm/monitor.c (include strictly
where needed) and also change to asm/paging.h (include strictly what's needed).
Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Tamas K Lengyel [Thu, 7 Jul 2016 12:25:50 +0000 (14:25 +0200)]
monitor: rename and relocate vm_event_monitor_traps
The function vm_event_monitor_traps actually belongs in the monitor subsystem.
As part of this patch we fix the sync input's type to bool_t to match how
the callers use it.
Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Wei Liu [Sat, 2 Jul 2016 11:35:30 +0000 (12:35 +0100)]
libxl/netbsd: check num_exec in hotplug function
This basically replicates the same logic in libxl_linux.c but with one
change -- only test num_exec == 0 in nic hotplug case because NetBSD lets
QEMU call a script itself. Without this patch libxl will loop
indefinitely trying to execute hotplug script.
Jan Beulich [Tue, 5 Jul 2016 09:17:53 +0000 (11:17 +0200)]
x86emul: fold local variables
Declare some variables so they can be used by multiple pieces of code,
allowing some figure braces to be dropped (which don't align nicely
when used inside of case labeled statements).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Tue, 5 Jul 2016 09:17:25 +0000 (11:17 +0200)]
x86emul: drop pointless and add useful default cases
There's no point in having default cases when all possible values have
respective case statements, or when there's just a "break" statement.
Otoh the two main switch() statements better get default cases added,
just to cover the case of someone altering one of the two lookup arrays
without suitably changing these switch statements.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
A VM_EVENT_FLAG_VCPU_PAUSED flag in a vm-event response should only be treated
as informative that the toolstack user wants the vm-event subsystem to unpause
the target vCPU, but not be relied upon to decide if the target vCPU is actually
paused.
That being said, this patch does the following:
* Fixes (replaces) the old behavior in vm_event_resume, which relied on
VM_EVENT_FLAG_VCPU_PAUSED to determine if the target vCPU is paused, by
actually checking the vCPU vm-event pause-count.
* ASSERTs that the vCPU is paused in vm_event_set_registers and
vm_event_toggle_singlestep.
* Ignores VM_EVENT_FLAG_DENY @ vm_event_register_write_resume if the target vCPU
is not paused. Also adjusts comment in public/vm_event.h to reflect that.
Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
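The flag-versus-state distinction in this commit message, as an added example that is not Xen's code: a C sketch comparing a resume path that trusts `VM_EVENT_FLAG_VCPU_PAUSED` with one that checks the vm-event pause count. The `toy_vcpu` structure, every function name and the flag's bit value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define VM_EVENT_FLAG_VCPU_PAUSED (1u << 0) /* bit value assumed for this sketch */

/* Hypothetical, simplified vCPU state (not Xen's struct vcpu). */
struct toy_vcpu {
    unsigned int pause_count;          /* all pause references, any subsystem */
    unsigned int vm_event_pause_count; /* references taken for vm-events only */
};

/* Taken when an event is sent and the vCPU has to wait for the response. */
static void toy_vm_event_pause(struct toy_vcpu *v)
{
    v->vm_event_pause_count++;
    v->pause_count++;
}

static void toy_vm_event_unpause(struct toy_vcpu *v)
{
    v->vm_event_pause_count--; /* unsigned: wraps around if it was already 0 */
    v->pause_count--;
}

/* Old behaviour described above: the flag in the response alone decides. */
static int resume_trusting_flag(struct toy_vcpu *v, uint32_t rsp_flags)
{
    if (!(rsp_flags & VM_EVENT_FLAG_VCPU_PAUSED))
        return 0;
    toy_vm_event_unpause(v); /* may drop a reference vm-event never took */
    return 1;
}

/* Fixed behaviour: the flag is only a request, the pause count is the state. */
static int resume_checking_count(struct toy_vcpu *v, uint32_t rsp_flags)
{
    if (!(rsp_flags & VM_EVENT_FLAG_VCPU_PAUSED))
        return 0; /* no unpause requested */
    if (v->vm_event_pause_count == 0)
        return 0; /* flag set, but vm-event holds no pause: ignore it */
    toy_vm_event_unpause(v);
    return 1;
}

/* Scenario: the vCPU is paused by another subsystem only, and a response
 * arrives with the flag set. Returns the pause count left afterwards. */
static unsigned int foreign_pause_after_resume(
    int (*resume)(struct toy_vcpu *, uint32_t))
{
    struct toy_vcpu v = { .pause_count = 1, .vm_event_pause_count = 0 };

    resume(&v, VM_EVENT_FLAG_VCPU_PAUSED);
    return v.pause_count;
}

/* Scenario: a genuine vm-event pause followed by a matching response. */
static unsigned int event_pause_after_resume(
    int (*resume)(struct toy_vcpu *, uint32_t))
{
    struct toy_vcpu v = { 0, 0 };

    toy_vm_event_pause(&v);
    resume(&v, VM_EVENT_FLAG_VCPU_PAUSED);
    return v.pause_count;
}

int main(void)
{
    printf("foreign pause left, trusting flag:  %u\n",
           foreign_pause_after_resume(resume_trusting_flag));
    printf("foreign pause left, checking count: %u\n",
           foreign_pause_after_resume(resume_checking_count));
    printf("event pause left, checking count:   %u\n",
           event_pause_after_resume(resume_checking_count));
    return 0;
}
```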
Tamas K Lengyel [Mon, 4 Jul 2016 10:10:00 +0000 (12:10 +0200)]
x86/vm_event: add HVM debug exception vm_events
Since in-guest debug exceptions are now unconditionally trapped to Xen, adding
a hook for vm_event subscribers to tap into this new always-on guest event. We
rename along the way hvm_event_breakpoint_type to hvm_event_type to better
match the various events that can be passed with it. We also introduce the
necessary monitor_op domctl's to enable subscribing to the events.
This patch also provides monitor subscribers to int3 events proper access
to the instruction length necessary for accurate event-reinjection. Without
this subscribers manually have to evaluate if the int3 instruction has any
prefix attached which would change the instruction length.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
Tianyang Chen [Thu, 30 Jun 2016 12:01:02 +0000 (14:01 +0200)]
sched: rtds: use non-atomic bit-ops
Vcpu flags are checked and cleared atomically. Performance can be
improved with corresponding non-atomic versions since schedule.c
already has spin_locks in place.
Tianyang Chen [Thu, 30 Jun 2016 12:00:34 +0000 (14:00 +0200)]
sched: rtds code clean-up
No functional change:
-aligned comments in rt_vcpu struct
-removed double underscores from the names of some functions
-fixed coding style for control structures involving lists
-fixed typos in the comments
-added comments for UPDATE_LIMIT_SHIFT
Below commit introduced a new macro MSR_IA32_FEATURE_CONTROL for
IA32_FEATURE_CONTROL MSR but it didn't remove old IA32_FEATURE_CONTROL_MSR
macro. The new one has better naming convention, so remove the old as a
duplication. Also move the macros of bit definition of IA32_FEATURE_CONTROL MSR
down to make them together with the new one. The *_MSR* infix is also removed as
it is pointless.
mwait-idle: prevent SKL-H boot failure when C8+C9+C10 enabled
Some SKL-H configurations require "max_cstate=7" to boot.
While that is an effective workaround, it disables C10.
......
Above commit also used SGX_ENABLE (bit 18) in IA32_FEATURE_CONTROL MSR without a
macro for it. A new macro IA32_FEATURE_CONTROL_SGX_ENABLE is also added for
better code and future use.
Relevant code that uses those macros is changed accordingly.
Signed-off-by: Kai Huang <kai.huang@linux.intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Wed, 29 Jun 2016 14:38:50 +0000 (16:38 +0200)]
x86/EFI + Live Patch: avoid symbol address truncation
ld associates __init_end, placed outside of any section by the linker
script, with the following section, resulting in a huge (wrapped, as it
would be negative) section relative offset. COFF symbol tables store
section relative addresses, and hence the above leads to assembler
truncation warnings when all symbols get included in the symbol table
(for Live Patching code). To overcome this, move __init_end past both
ALIGN() directives. The consuming code (init_done()) is fine with such
an adjustment (the distinction really would only be relevant for the
loop clearing the pages, and I think it's acceptable to clear a few
more on - for now - EFI). This effectively results in the
(__init_begin,__init_end) and (__2M_init_start,__2M_init_end) pairs to
become identical, with their different names only serving documentation
purposes now.
Note that moving __init_end and __2M_init_end into .init is not a good
idea, as that would significantly grow xen.efi binary size.
While inspecting symbol table and ld behavior I also noticed that
__2M_text_start gets put at address zero in the EFI case, which hasn't
caused problems solely because we don't actually reference that symbol.
Correct the setting of the initial address, and comment out said symbol
for the time being, as with the initial address correction it would in
turn cause an assembler truncation warning similar to the one mentioned
above.
While checking init_done() for correctness with the above changes I
noticed that code can easily be folded there, at once correcting the
logged amount of memory which has got freed for the 2M-alignment case
(i.e. EFI right now).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Julien Grall [Tue, 28 Jun 2016 16:17:08 +0000 (17:17 +0100)]
xen: Use typesafe gfn in xenmem_add_to_physmap_one
The x86 version of the function xenmem_add_to_physmap_one contains
variable names gpfn and gfn which make the code very confusing.
I have left them unchanged for now.
Also, rename gpfn to gfn in the ARM version as the latter is the correct
acronym for a guest physical frame.
Finally, remove the trailing whitespace around the changes.
the arm64 image header changed. While the size of the header isn't changed,
some members have changed their usage.
Update Xen to this updated image header.
The main changes are that the first magic is gone and that there is an
image size, now.
In case we read a size != 0, let's use this image size, now. This does
allow us to check if the kernel Image is larger than the size given in
the device tree, too.
Additionally, add an error message if the magic is not found. This might
be the case with kernels < 3.12 prior to
This is acceptable as the support of Xen for ARM64 in Linux has been added
in Linux 3.11 and the number of boards supported by Linux 3.11 on ARM64 is
very limited: ARM models and X-gene. And for the latter it was an early
support with only the serial and timer upstreamed.
Tamas K Lengyel [Tue, 28 Jun 2016 09:36:03 +0000 (11:36 +0200)]
vm_event: clear up return value of vm_event_monitor_traps
The return value has not been clearly defined, with the function
never returning 0 which seemingly indicated a condition where the
guest should crash.
In this patch we define -rc as error condition where a subscriber is
present but an error prevented the notification from being sent;
0 where there is no subscriber or the notification was sent and the vCPU
is not paused (i.e. safe to continue execution as normal); and 1 where the
notification was sent with the vCPU paused and we are waiting for a
response.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:35:40 +0000 (11:35 +0200)]
vt-d: convert conditionals of qi_ctrl->qinval_maddr into ASSERT()s
QI ought to have got disabled if any of the IOMMU table setup
failed. A QI function (other than enable_qinval) is unreachable
when qi_ctrl->qinval_maddr is zero.
Signed-off-by: Quan Xu <quan.xu@intel.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:35:19 +0000 (11:35 +0200)]
vt-d: synchronize for Device-TLB flush one by one
Today we do Device-TLB flush synchronization after issuing flush
requests for all ATS devices belonging to a VM. Doing so however
imposes a limitation, i.e. that we can not figure out which flush
request is blocked in the flush queue list, based on VT-d spec.
To prepare correct Device-TLB flush timeout handling in next patch,
we change the behavior to synchronize for every Device-TLB flush
request. So the Device-TLB flush interface is changed a little bit,
by checking timeout within the function instead of outside of function.
Accordingly we also do a similar change for flush interfaces of
IOTLB/IEC/Context, i.e. moving synchronization into the function.
Since there is no user of a non-synced interface, we just rename
existing ones with _sync suffix.
Signed-off-by: Quan Xu <quan.xu@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Quan Xu [Tue, 28 Jun 2016 09:33:39 +0000 (11:33 +0200)]
IOMMU: add a timeout parameter for device IOTLB invalidation
The parameter 'iommu_dev_iotlb_timeout' specifies the timeout
of device IOTLB invalidation in milliseconds. By default, the
timeout is 1000 milliseconds, which can be boot-time changed.
We also confirmed with VT-d hardware team that 1 millisecond
is large enough for VT-d IOMMU internal invalidation.
the existing panic() is eliminated and we bubble up the timeout
of device IOTLB invalidation for further processing, as the
PCI-e Address Translation Services (ATS) mandates a timeout of
60 seconds for device IOTLB invalidation. Obviously we can't
spin for 60 seconds or otherwise Xen hypervisor hangs.
Signed-off-by: Quan Xu <quan.xu@intel.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:26 +0000 (10:04 -0400)]
xsm: add a default policy to .init.data
This adds a Kconfig option and support for including the XSM policy from
tools/flask/policy in the hypervisor so that the bootloader does not
need to provide a policy to get sane behavior from an XSM-enabled
hypervisor. The policy provided by the bootloader, if present, will
override the built-in policy.
Enabling this option only builds the policy if checkpolicy is available
during compilation of the hypervisor; otherwise, it does nothing. The
XSM policy is not moved out of tools because that remains the primary
location for installing and configuring the policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:24 +0000 (10:04 -0400)]
xsm: clean up unregistration
The only possible value of original_ops was &dummy_xsm_ops, and
unregister_xsm was never used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:23 +0000 (10:04 -0400)]
xsm: annotate setup functions with __init
These functions were only called from __init functions.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Tue, 21 Jun 2016 17:09:23 +0000 (13:09 -0400)]
xen: move FLASK entry under XSM in Kconfig
Since enabling XSM is required to enable FLASK, place the option for
FLASK below the one for XSM. In addition, since it does not make sense
to enable XSM without any XSM providers, and FLASK is the only XSM
provider, hide the option to disable FLASK under EXPERT.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Jan Beulich [Fri, 24 Jun 2016 09:50:07 +0000 (11:50 +0200)]
init: fix build with older gcc
__setup_str is used on arrays of char, so there aren't any relocatable
items. Hence __initconst has to be used here, not __initconstrel.
Whatever led to the revert of commit 59b151d2c0 (the original version
of a6066af5b1 "xen/init: Annotate all command line parameter
infrastructure as const") must have got addressed meanwhile - with the
patch here I can't see that old gcc (4.3ish) report a section type
conflict anymore.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tamas K Lengyel [Fri, 24 Jun 2016 08:31:45 +0000 (10:31 +0200)]
monitor: Rename hvm/event to hvm/monitor
Mechanical renaming to better describe that the code in hvm/event is part of
the monitor subsystem.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Tamas K Lengyel [Fri, 24 Jun 2016 08:26:32 +0000 (10:26 +0200)]
monitor: rename vm_event_monitor_get_capabilities
The monitor_get_capabilities check actually belongs to the monitor subsystem so
relocating and renaming it to sanitize the code's name and location. Mechanical
patch, no code changes introduced.
Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Acked-by: Julien Grall <julien.grall@arm.com>
Wei Liu [Thu, 23 Jun 2016 15:10:29 +0000 (16:10 +0100)]
xen: make available hvm_fep to non-debug build as well
Originally hvm_fep was guarded by NDEBUG, which means it was only
available to debug builds.
However there is value in having it in non-debug builds as well. Users
can use it to run tests in a setup that replicates a production
environment.
Make it clear with a sync_console style warning that this option can't
be used in production setup. Update command line documentation
accordingly. Finally mark Xen as tainted when this feature is used.
Add a kconfig option under x86 to configure hvm_fep.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Besides the 14MHz external clock, the SCIF might be clocked by an
internal 66MHz clock. If this is the case, the current clock source
selection breaks this configuration. Same for the settings done by
the firmware for data bits, stop bits and parity.
Completely drop this and rely on the settings done by the firmware.
Dirk Behme [Wed, 22 Jun 2016 11:49:06 +0000 (13:49 +0200)]
xen/arm: drivers: scif: Remove dead code
The two struct members baud and clock_hz are in the end read only
variables nowhere used for anything useful. Removing them makes
the code much simpler without changing any functionality.
Julien Grall [Thu, 23 Jun 2016 15:50:19 +0000 (17:50 +0200)]
arm: rename gmfn_to_mfn to gfn_to_mfn and use gfn/mfn typesafe
The correct acronym for a guest physical frame is gfn. Also use
the recently introduced typesafe gfn/mfn to avoid mixing the two
different kinds of frames.
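The class of mistake the gfn/mfn commits in this log guard against (the p2m_lookup rework, the INVALID_GFN/INVALID_MFN changes and the map_dev_mmio_region permission check), as an added example that is not Xen's code: a simplified typesafe wrapper in C with a constructed, non-identity-mapped p2m table. The `TYPE_SAFE` macro body, `gfn_from()`/`mfn_from()`, `toy_iomem_access_permitted()`, both `map_dev_mmio_*` functions and the permitted range are assumptions, and `p2m_lookup` here is a toy that only mirrors the reworked interface shape.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified typesafe wrapper (not Xen's macro): each kind of frame number
 * gets its own struct type, so mixing them up fails to compile. */
#define TYPE_SAFE(type, name)                                              \
    typedef struct { type v; } name##_t;                                   \
    static inline name##_t name##_from(type n) { return (name##_t){ n }; } \
    static inline type name##_x(name##_t n) { return n.v; }

TYPE_SAFE(unsigned long, gfn) /* guest physical frame number */
TYPE_SAFE(unsigned long, mfn) /* machine frame number */

#define INVALID_GFN gfn_from(~0UL)
#define INVALID_MFN mfn_from(~0UL)

/* Constructed sample p2m: this guest is not identity-mapped. */
static const struct { unsigned long gfn, mfn; } sample_p2m[] = {
    { 0x100, 0x8000 }, { 0x101, 0x8001 }, { 0x8000, 0x9000 },
};

/* Toy lookup with the reworked interface shape: gfn in, mfn out. */
static mfn_t p2m_lookup(gfn_t gfn)
{
    for (size_t i = 0; i < sizeof(sample_p2m) / sizeof(sample_p2m[0]); i++)
        if (sample_p2m[i].gfn == gfn_x(gfn))
            return mfn_from(sample_p2m[i].mfn);
    return INVALID_MFN;
}

/* Hypothetical permission table: machine frames the domain may map. */
static const unsigned long permitted_first = 0x8000, permitted_last = 0x8fff;

static bool range_permitted(unsigned long s, unsigned long e)
{
    return s <= e && s >= permitted_first && e <= permitted_last;
}

/* Raw-integer shape: nothing stops the check being made on the guest
 * frame, which is the mistake the map_dev_mmio_region commit describes. */
static int map_dev_mmio_raw(unsigned long gfn, unsigned long nr,
                            unsigned long mfn)
{
    (void)mfn; /* never consulted: that is the bug */
    if (nr == 0 || gfn + nr - 1 < gfn)
        return -EINVAL;
    return range_permitted(gfn, gfn + nr - 1) ? 0 : -EPERM;
}

/* Typesafe shape: the permission helper only accepts mfn_t. */
static bool toy_iomem_access_permitted(mfn_t s, mfn_t e)
{
    return range_permitted(mfn_x(s), mfn_x(e));
}

static int map_dev_mmio_typesafe(gfn_t gfn, unsigned long nr, mfn_t mfn)
{
    /* A guest frame is compared against INVALID_GFN, not INVALID_MFN. */
    if (gfn_x(gfn) == gfn_x(INVALID_GFN))
        return -EINVAL;
    if (nr == 0 || mfn_x(mfn) + nr - 1 < mfn_x(mfn))
        return -EINVAL; /* empty or wrapping range */
    /* toy_iomem_access_permitted(gfn, gfn) would not compile here. */
    return toy_iomem_access_permitted(mfn, mfn_from(mfn_x(mfn) + nr - 1))
               ? 0 : -EPERM;
}

int main(void)
{
    /* gfn 0x8000 is backed by mfn 0x9000, outside the permitted range. */
    gfn_t gfn = gfn_from(0x8000);
    mfn_t mfn = p2m_lookup(gfn);

    printf("raw check on gfn:      %d\n",
           map_dev_mmio_raw(gfn_x(gfn), 1, mfn_x(mfn)));
    printf("typesafe check on mfn: %d\n", map_dev_mmio_typesafe(gfn, 1, mfn));
    printf("permitted mapping:     %d\n",
           map_dev_mmio_typesafe(gfn_from(0x100), 1,
                                 p2m_lookup(gfn_from(0x100))));
    return 0;
}
```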
Jan Beulich [Thu, 23 Jun 2016 15:48:45 +0000 (17:48 +0200)]
x86emul: support MOVBE and CRC32
The former in an attempt to at least gradually support all simple data
movement instructions. The latter just because it shares the opcode
with the former.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 23 Jun 2016 15:47:44 +0000 (17:47 +0200)]
VMX: ensure MSR index enum and array remain in sync
... by using dedicated initializers. Also add an ASSERT() to make sure
unintentional addition of holes to the array gets noticed. Ditch
MSR_INDEX_SIZE as redundant with VMX_MSR_COUNT.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Jan Beulich [Thu, 23 Jun 2016 15:46:55 +0000 (17:46 +0200)]
VMX: use non-atomic bitops to manage MSR state
All host_msr_state accesses are solely on the owning CPU, and all
guest_msr_state ones solely when the vCPU is current or being switched
to. This, btw, is also in line with the use of find_first_set_bit()
(which would be bogus if ->flags could get updated behind its back).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Kevin Tian <kevin.tian@intel.com>
Andrew Cooper [Tue, 21 Jun 2016 16:38:25 +0000 (17:38 +0100)]
xen/init: Move initcall infrastructure into .init.data
Its contents are constant.
The ALIGN(32) is also dropped. On x86, there is nothing between it and a
larger alignment. On ARM, __init_end_efi is between the two, but its sole use
is to fill SizeOfRawData in the PE Section Table, and doesn't require any
specific alignment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
Andrew Cooper [Thu, 9 Jun 2016 14:41:27 +0000 (15:41 +0100)]
arm/init: Move .init.proc.info into .init.data
Its contents are constant, and only require pointer alignment, so move it
adjacent to .init.setup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Julien Grall <julien.grall@arm.com>
Andrew Cooper [Mon, 8 Feb 2016 10:19:34 +0000 (10:19 +0000)]
xen/init: Annotate all command line parameter infrastructure as const
There is no reason for any of it to be modified. Additionally, link
.init.setup beside the other constant .init data.
While editing this area, correct the types used in the extern
declarations for __setup_start and __setup_end to match the types the
linker actually produces.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
Jan Beulich [Wed, 22 Jun 2016 10:00:44 +0000 (12:00 +0200)]
x86/vMSI-X: use generic intercept handler in place of MMIO one
This allows us to see the full ioreq without having to peek into state
which is supposedly private to the emulation framework.
Suggested-by: Paul Durrant <Paul.Durrant@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 22 Jun 2016 09:59:39 +0000 (11:59 +0200)]
x86/vMSI-X: drop list lock
msixtbl_pt_{,un}register() already run with both the PCI devices lock
and the domain event lock held, so there's no need for another lock.
Just to be on the safe side, acquire the domain event lock in the
cleanup function (albeit I don't think this is strictly necessary).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Wed, 22 Jun 2016 09:58:31 +0000 (11:58 +0200)]
x86/vMSI-X: defer intercept handler registration
There's no point in registering the internal MSI-X table intercept
functions on all domains - it is sufficient to do so once a domain gets
an MSI-X capable device assigned.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:21 +0000 (10:04 -0400)]
xen/xsm: remove .xsm_initcall.init section
Since FLASK is the only implementation of XSM hooks in Xen, using an
iterated initcall dispatch for setup is overly complex. Change this to
a direct function call to a globally visible function; if additional XSM
hooks are added in the future, a switching mechanism will be needed
regardless, and that can be placed in xsm_core.c.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Julien Grall <julien.grall@arm.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:20 +0000 (10:04 -0400)]
flask: improve unknown permission handling
When an unknown domctl, sysctl, or other operation is encountered in the
FLASK security server, use the allow_unknown bit in the security policy
to decide if the permission should be allowed or denied. This allows
new operations to be tested without needing to immediately add security
checks; however, it is not flexible enough to avoid adding the actual
permission checks. An error message is printed to the hypervisor
console when this fallback is encountered.
This patch will allow operations that are not handled by the existing
hooks only if the policy was compiled with "checkpolicy -U allow". In
previous releases, this bit did nothing, and the default remains to deny
the unknown operations.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:19 +0000 (10:04 -0400)]
flask: remove xen_flask_userlist operation
This operation has no known users, and is primarily useful when an MLS
policy is in use (which has never been shipped with Xen). In addition,
the information it provides does not actually depend on hypervisor
state (only on the XSM policy), so an application that needs it could
compute the results without needing to involve the hypervisor.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:16 +0000 (10:04 -0400)]
flask: unify {get, set}vcpucontext permissions
These permissions were initially split because they were in separate
domctls, but this split is very unlikely to actually provide security
benefits: it would require a carefully contrived situation for a domain
to both need access to one type of CPU register and also need to be
prohibited from accessing another type.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:15 +0000 (10:04 -0400)]
flask/policy: remove unused example
The access vectors defined here have never been used by xenstore.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:14 +0000 (10:04 -0400)]
flask/policy: xenstore stubdom policy
This adds the xenstore_t type to the example policy for use by a
xenstore stub domain; see the init-xenstore-domain tool for how this
type needs to be used.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Daniel De Graaf [Mon, 20 Jun 2016 14:04:13 +0000 (10:04 -0400)]
flask/policy: remove unused support for binary modules
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Doug Goldstein <cardoe@cardoe.com>