xenbits.xensource.com Git - xen.git/log
xen.git
[11 years ago] VT-d: suppress UR signaling for desktop chipsets
Jan Beulich [Fri, 25 Apr 2014 10:12:38 +0000 (12:12 +0200)]
VT-d: suppress UR signaling for desktop chipsets

Unsupported Requests can be signaled for malformed writes to the MSI
address region, e.g. due to buggy or malicious DMA set up to that
region. These should normally result in IOMMU faults, but don't on
the desktop chipsets dealt with here.

This is CVE-2013-3495 / XSA-59.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Don Dugger <donald.d.dugger@intel.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
[11 years ago] VT-d: suppress UR signaling for server chipsets
Jan Beulich [Fri, 25 Apr 2014 10:11:55 +0000 (12:11 +0200)]
VT-d: suppress UR signaling for server chipsets

Unsupported Requests can be signaled for malformed writes to the MSI
address region, e.g. due to buggy or malicious DMA set up to that
region. These should normally result in IOMMU faults, but don't on
the server chipsets dealt with here.

IDs 0xe00, 0xe01, and 0xe04 ... 0xe0b (Ivytown) aren't needed here -
Intel confirmed the issue to be fixed in hardware there.

This is CVE-2013-3495 / XSA-59.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Don Dugger <donald.d.dugger@intel.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
[11 years ago] x86/P2M: cleanup
Jan Beulich [Fri, 25 Apr 2014 10:09:05 +0000 (12:09 +0200)]
x86/P2M: cleanup

- don't abuse __PAGE_HYPERVISOR
- don't use bogus constructs like mfn_x(_mfn())

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
[11 years ago] x86/P2M: simplify write_p2m_entry()
Jan Beulich [Fri, 25 Apr 2014 10:07:22 +0000 (12:07 +0200)]
x86/P2M: simplify write_p2m_entry()

The "table_mfn" parameter really isn't needed anywhere, so it gets
dropped.

The "struct vcpu *" one was always bogus (as it was being made up by
paging_write_p2m_entry()), and is not commonly used. It can be easily
enough made up in the one place (sh_unshadow_for_p2m_change()) it is
needed, and we can otherwise pass "struct domain *" instead, properly
reflecting that P2M operations are per-domain.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
[11 years ago] vtpmmgr: fix 32-bit compilation
Daniel De Graaf [Thu, 24 Apr 2014 20:39:10 +0000 (16:39 -0400)]
vtpmmgr: fix 32-bit compilation

The internal MPI word size matches the word size of the platform rather
than using uint32_t/uint64_t, so constant MPI objects need to be
initialized with that in mind.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] x86/EPT: fix super page splitting when resolving EPT_MISCONFIG VM exits
Jan Beulich [Wed, 23 Apr 2014 06:47:30 +0000 (07:47 +0100)]
x86/EPT: fix super page splitting when resolving EPT_MISCONFIG VM exits

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
[11 years ago] docs: Mention the semicolon as a valid statement end
George Dunlap [Wed, 23 Apr 2014 13:19:44 +0000 (14:19 +0100)]
docs: Mention the semicolon as a valid statement end

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
[11 years ago] docs: Give advice on dealing with quoting special characters
George Dunlap [Wed, 23 Apr 2014 13:19:43 +0000 (14:19 +0100)]
docs: Give advice on dealing with quoting special characters

The man page mentions passing config snippets key=val in xl create.
Unfortunately, the config syntax contains characters which are
interpreted (and often discarded) by the shell before getting passed
in, resulting in a parsing error.

For example:

xl create hvm.cfg cpus="0-3"

The shell will eat the quotes and pass 'cpus=0-3' to xl, which won't
parse properly without the quotes.

Mention this in the man page, and recommend the use of single quotes, as well
as separating multiple arguments with a semicolon, thus:

xl create hvm.cfg 'cpus="0-3"; pci=["1.0","1.1"]'

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
[11 years ago] Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Thu, 24 Apr 2014 12:02:48 +0000 (13:02 +0100)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

[11 years ago] xen: arm: fully implement multicall interface.
Ian Campbell [Thu, 17 Apr 2014 12:57:24 +0000 (13:57 +0100)]
xen: arm: fully implement multicall interface.

I'm not sure what I was smoking at the time of 5d74ad1a082e "xen: arm:
implement do_multicall_call for both 32 and 64-bit" but it is obviously
insufficient since it doesn't actually wire up the hypercall.

Before doing so we need to make the usual adjustments for ARM and turn the
unsigned longs into xen_ulong_t. There is no difference in the resulting
structure for x86.

There are knock on changes to the trace interface, but again they are nops on
x86.

For 32-bit ARM guests we require that the arguments which they pass to a
hypercall via a multicall do not use the upper bits of xen_ulong_t and kill
them if they violate this. This should ensure that no ABI surprises can be
silently lurking when running on a 32-bit hypervisor waiting to pounce when the
same kernel is run on a 64-bit hypervisor. Killing the guest is harsh but it
will be far easier to relax the restriction if it turns out to cause problems
than to tighten it up if we were lax to begin with.

In the interests of clarity and always using explicitly sized types change the
unsigned int in the hypercall arguments to a uint32_t. There is no actual
change here on any platform.

We should consider backporting this to 4.4.1 in case a guest decides they want
to use a multicall in common code e.g. I suggested such a thing while
reviewing a netback change recently.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: keir@xen.org
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
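The argument-width rule described in the commit above, as an added example that is not part of the log or of Xen's own multicall code: on ARM xen_ulong_t is 64 bits for both 32-bit and 64-bit guests, so the hypervisor side must reject a batch from a 32-bit guest whose arguments use the upper 32 bits. The names guest_width, batch_status, multicall_run and multicall_demo, the placeholder per-op handler and the status code standing in for the guest being killed are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Xen's multicall code.  On ARM xen_ulong_t is 64 bits wide
 * for 32-bit and 64-bit guests alike, so the hypervisor enforces the rule from
 * the commit message: a 32-bit guest must leave the upper 32 bits of every
 * multicall argument clear, and a batch that violates this is stopped and the
 * guest "killed" (here: a status code standing in for domain_crash()).  The
 * names guest_width, batch_status, multicall_run and multicall_demo are
 * assumptions made for this example.
 */
typedef uint64_t xen_ulong_t;

struct multicall_entry {
    xen_ulong_t op;
    xen_ulong_t result;
    xen_ulong_t args[6];
};

enum guest_width { GUEST_32BIT, GUEST_64BIT };
enum batch_status { BATCH_OK = 0, BATCH_GUEST_KILLED = -1 };

/* A 32-bit guest may not set any of the upper 32 bits of an argument. */
bool arg_fits_32bit(xen_ulong_t v)
{
    return (v >> 32) == 0;
}

/* Is this entry acceptable from a guest of the given width? */
bool multicall_entry_valid(const struct multicall_entry *e, enum guest_width width)
{
    if (width == GUEST_64BIT)
        return true;                     /* 64-bit guests may use all 64 bits */
    for (unsigned int j = 0; j < 6; j++)
        if (!arg_fits_32bit(e->args[j]))
            return false;
    return true;
}

/* Index of the first offending entry, or -1 if the whole batch is acceptable. */
int multicall_first_bad_entry(const struct multicall_entry *calls,
                              unsigned int nr_calls, enum guest_width width)
{
    for (unsigned int i = 0; i < nr_calls; i++)
        if (!multicall_entry_valid(&calls[i], width))
            return (int)i;
    return -1;
}

/*
 * Hypervisor side: validate each entry before executing it; on the first
 * violation stop and report the guest as killed.  *executed receives the
 * number of entries that ran.  The per-op handler is a placeholder that
 * just copies op into result.
 */
enum batch_status multicall_run(struct multicall_entry *calls,
                                unsigned int nr_calls, enum guest_width width,
                                unsigned int *executed)
{
    *executed = 0;
    for (unsigned int i = 0; i < nr_calls; i++) {
        if (!multicall_entry_valid(&calls[i], width))
            return BATCH_GUEST_KILLED;
        calls[i].result = calls[i].op;   /* placeholder for the real hypercall */
        (*executed)++;
    }
    return BATCH_OK;
}

/*
 * Constructed batch: entry 1 carries stale data in the upper half of args[0],
 * the kind of value a 32-bit guest produces when it only writes the low word.
 * Returns how many entries executed: 1 for a 32-bit guest, 3 for a 64-bit one.
 */
unsigned int multicall_demo(enum guest_width width)
{
    struct multicall_entry batch[3] = {
        { .op = 1, .args = { 0x1000, 0xffffffffULL } },
        { .op = 2, .args = { 0xdeadbeef00000010ULL } },
        { .op = 3, .args = { 7 } },
    };
    unsigned int done;
    enum batch_status st = multicall_run(batch, 3, width, &done);

    printf("%s guest: status %d, %u of 3 entries executed, first bad entry %d\n",
           width == GUEST_32BIT ? "32-bit" : "64-bit", (int)st, done,
           multicall_first_bad_entry(batch, 3, width));
    return done;
}

int main(void)
{
    return multicall_demo(GUEST_32BIT) == 1 && multicall_demo(GUEST_64BIT) == 3 ? 0 : 1;
}
```

The check runs per entry before that entry executes, so the first two entries' effects are visible to the guest before it is stopped; that matches the "kill on violation" policy in the message, where being strict now is cheaper than relaxing an ABI later.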
[11 years ago] x86/HAP: drop pointless assertions
Jan Beulich [Tue, 22 Apr 2014 11:30:33 +0000 (12:30 +0100)]
x86/HAP: drop pointless assertions

Just like for shadow code, hap_map_domain_page() is just a thin
wrapper around map_domain_page(), which cannot fail. Asserting its
success is redundant.

hap_unmap_domain_page() should also not be used for something not
mapped through hap_map_domain_page().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
[11 years ago] xen/shadow: Clean up use of assertions in multi.c
Andrew Cooper [Wed, 16 Apr 2014 18:35:21 +0000 (19:35 +0100)]
xen/shadow: Clean up use of assertions in multi.c

Use BUILD_BUG_ON()s in preference to ASSERT(sizeof(foo) == sizeof (bar)).

sh_map_domain_page() is just a thin wrapper around map_domain_page(), which
cannot fail.  Asserting its success is redundant.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
[11 years ago] x86/p2m: also clear defer_nested_flush on error
Jan Beulich [Tue, 15 Apr 2014 14:10:07 +0000 (15:10 +0100)]
x86/p2m: also clear defer_nested_flush on error

While presumably benign (domain creation ought to fail when P2M setup
fails) let's be on the safe side and clear the flag as intended. And
actually, the code can be streamlined quite a bit by recognizing that
the only difference between the success and error cases is the message
printed in each case. With that, a stray spin_unlock() also goes away.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Christoph Egger <chegger@amazon.de>
Acked-by: Tim Deegan <tim@xen.org>
[11 years ago] x86/mem_access: Deprecate the HVM mem_access ops
Aravindh Puthiyaparambil [Wed, 16 Apr 2014 21:13:13 +0000 (14:13 -0700)]
x86/mem_access: Deprecate the HVM mem_access ops

This patch does the following:
1. Deprecate the HVMOP_[sg]et_mem_access HVM ops.
2. Remove the enums and structs associated with the HVM ops.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Tim Deegan <tim@xen.org>
[11 years ago] tools/libxc: Remove xc_hvm_[sg]et_mem_access() APIs
Aravindh Puthiyaparambil [Wed, 16 Apr 2014 00:25:25 +0000 (17:25 -0700)]
tools/libxc: Remove xc_hvm_[sg]et_mem_access() APIs

Remove xc_hvm_[sg]et_mem_access() APIs which have been replaced by
xc_[sg]et_mem_access() APIs.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/xen-access: Use the new mem_access APIs
Aravindh Puthiyaparambil [Wed, 16 Apr 2014 00:25:24 +0000 (17:25 -0700)]
tools/xen-access: Use the new mem_access APIs

Modify the xen-access test program to use the new mem_access APIs.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/libxc: Make the mem_access APIs generic
Aravindh Puthiyaparambil [Wed, 16 Apr 2014 00:25:23 +0000 (17:25 -0700)]
tools/libxc: Make the mem_access APIs generic

Add new xc_[sg]et_mem_access() APIs.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] x86/mem_access: Make the mem_access ops generic
Aravindh Puthiyaparambil [Wed, 16 Apr 2014 00:25:22 +0000 (17:25 -0700)]
x86/mem_access: Make the mem_access ops generic

This patch does the following:
1. Add mem_access ops under XENMEM_access_ops.
2. Add enums and structs whose names are generic.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
[11 years ago] asm-offsets: encode magic asm-offset runes as strings.
Tim Deegan [Thu, 3 Apr 2014 16:07:47 +0000 (18:07 +0200)]
asm-offsets: encode magic asm-offset runes as strings.

Newer versions of clang attempt to parse inline assembler even when
not asked to assemble it.  Wrap our not-for-assembly runes as strings
of the form ``.ascii "==>MAGIC RUNES<=="'' so clang doesn't choke on
them.

While we're at it, assemble more of the final output line in the C
file, to make the sed expression shorter.

Reported-by: Julien Grall <julien.grall@linaro.org>
Suggested-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
[11 years ago] x86/vmx: Add force-ept command line option
Aravindh Puthiyaparambil [Thu, 24 Apr 2014 08:55:09 +0000 (10:55 +0200)]
x86/vmx: Add force-ept command line option

Add a "force-ept" command line option to allow EPT to be enabled when
VMX feature VM_ENTRY_LOAD_GUEST_PAT is not present.

Due to CVE-2013-2212, this feature is required by default as a
prerequisite for using EPT. If you are not using PCI Passthrough, or
trust the guest administrator who would be using passthrough, then the
requirement can be relaxed. This option is particularly useful for
nested virtualization, to allow the L1 hypervisor to use EPT even if
the L0 hypervisor does not provide VM_ENTRY_LOAD_GUEST_PAT.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
[11 years ago] x86/PV: support data breakpoint extension registers
Jan Beulich [Thu, 24 Apr 2014 08:52:56 +0000 (10:52 +0200)]
x86/PV: support data breakpoint extension registers

Introducing an extension to XEN_DOMCTL_[gs]et_ext_vcpucontext similar
to the generic MSR save/restore logic recently added for HVM.

This also moves some debug register related declarations/definition to
the header intended for these.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Reviewed-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] x86/SVM: support data breakpoint extension registers
Jan Beulich [Thu, 24 Apr 2014 08:51:21 +0000 (10:51 +0200)]
x86/SVM: support data breakpoint extension registers

Leveraging the generic MSR save/restore logic introduced a little while
ago.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
Ian Campbell [Wed, 23 Apr 2014 15:32:45 +0000 (16:32 +0100)]
xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking

The function vgic_irq_rank may return NULL if the IRQ is not in the range handled
by the guest. This will result in dereferencing a NULL pointer, which will crash
Xen.

I've checked the rest of the emulation and this is the only place where the lock
is taken before the rank is checked.

This is CVE-2014-2986 / XSA-94.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reported-by: Thomas Leonard <talex5@gmail.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
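The check-before-lock ordering the commit above describes, as an added example that is neither part of the log nor Xen's vgic code: a reduced model of GICD_ICFGR emulation in which the rank lookup returns NULL for registers past the guest's last interrupt. The unsafe variant takes the lock through the pointer first, which is the NULL dereference; the fixed variant rejects the access before touching anything. The struct names, the int standing in for a spinlock, the 0/1 handler return values and the 256-line ceiling are assumptions; the register layout (16 interrupts per ICFGR, 32 per rank) follows the GICv2 distributor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Xen's vgic code: a reduced model of GICD_ICFGR emulation
 * showing why the rank lookup has to be checked for NULL before its lock is
 * taken.  Layout follows the GICv2 distributor: one 32-bit ICFGR carries two
 * config bits for each of 16 interrupts, and a rank here groups 32 interrupts,
 * so two ICFGRs share a rank.  The struct names, the int standing in for a
 * spinlock and the 0/1 return values ("unhandled"/"handled") are assumptions.
 */
#define GICD_ICFGR       0xC00u   /* distributor offset of GICD_ICFGR0 */
#define IRQS_PER_ICFGR   16u
#define IRQS_PER_RANK    32u
#define MAX_LINES        256u

struct vgic_irq_rank {
    int lock;                            /* 0 = free, 1 = held */
    uint32_t icfg[IRQS_PER_RANK / IRQS_PER_ICFGR];
};

struct vgic {
    unsigned int nr_lines;               /* interrupts this guest may see */
    struct vgic_irq_rank ranks[MAX_LINES / IRQS_PER_RANK];
};

static void rank_lock(struct vgic_irq_rank *r)   { r->lock = 1; }
static void rank_unlock(struct vgic_irq_rank *r) { r->lock = 0; }

/* Rank owning the ICFGR at gicd_reg, or NULL if it lies beyond nr_lines. */
struct vgic_irq_rank *vgic_icfgr_rank(struct vgic *v, uint32_t gicd_reg)
{
    unsigned int reg, nr_regs = (v->nr_lines + IRQS_PER_ICFGR - 1) / IRQS_PER_ICFGR;

    if (gicd_reg < GICD_ICFGR)
        return NULL;
    reg = (gicd_reg - GICD_ICFGR) / 4;
    if (reg >= nr_regs)
        return NULL;
    return &v->ranks[(reg * IRQS_PER_ICFGR) / IRQS_PER_RANK];
}

/*
 * Pre-fix ordering, kept only for contrast and never called below: the lock is
 * taken through the pointer before the NULL check, so a guest write to an
 * ICFGR past its last rank dereferences NULL inside the hypervisor.
 */
int icfgr_write_unsafe(struct vgic *v, uint32_t gicd_reg, uint32_t val)
{
    struct vgic_irq_rank *rank = vgic_icfgr_rank(v, gicd_reg);

    rank_lock(rank);                     /* crashes here when rank == NULL */
    if (rank == NULL)
        return 0;
    rank->icfg[((gicd_reg - GICD_ICFGR) / 4) % 2] = val;
    rank_unlock(rank);
    return 1;
}

/* Fixed ordering: reject the access first, only then touch the rank. */
int icfgr_write(struct vgic *v, uint32_t gicd_reg, uint32_t val)
{
    struct vgic_irq_rank *rank = vgic_icfgr_rank(v, gicd_reg);

    if (rank == NULL)
        return 0;                        /* unhandled: nothing locked, nothing written */
    rank_lock(rank);
    rank->icfg[((gicd_reg - GICD_ICFGR) / 4) % 2] = val;
    rank_unlock(rank);
    return 1;
}

/* 1 if an ICFGR write at gicd_reg is in range for a guest with nr_lines lines. */
int icfgr_in_range(unsigned int nr_lines, uint32_t gicd_reg)
{
    struct vgic v = { .nr_lines = nr_lines <= MAX_LINES ? nr_lines : MAX_LINES };

    return vgic_icfgr_rank(&v, gicd_reg) != NULL;
}

/*
 * Guest with 64 lines (two ranks): one in-range write and one aimed past the
 * last rank.  Returns the number of accepted writes (1); the out-of-range
 * write is ignored rather than crashing the hypervisor.
 */
int icfgr_demo(void)
{
    struct vgic v = { .nr_lines = 64 };
    int accepted = 0;

    accepted += icfgr_write(&v, GICD_ICFGR + 4, 0xAAAAAAAAu);   /* IRQs 16..31: rank 0 */
    accepted += icfgr_write(&v, GICD_ICFGR + 40, 0x55555555u);  /* IRQs 160..175: no rank */
    printf("accepted %d of 2 writes, rank0.icfg[1] = %#x\n", accepted, v.ranks[0].icfg[1]);
    return accepted;
}

int main(void)
{
    return icfgr_demo() == 1 ? 0 : 1;
}
```

The point generalises beyond ICFGR: any MMIO emulation path that derives a pointer from a guest-controlled offset must validate the pointer before using it for locking or state updates, because a NULL or out-of-bounds dereference in the hypervisor is a guest-triggerable denial of service.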
[11 years ago] use BOOT_DIR as xen.gz install location
Olaf Hering [Wed, 23 Apr 2014 13:08:51 +0000 (15:08 +0200)]
use BOOT_DIR as xen.gz install location

Xen is currently installed into /boot, which is a hardcoded path. This
makes it impossible to install two xen.rpm packages from 'make rpmball'
in parallel because rpm complains about conflicting files.
Use BOOT_DIR to define the install path to make it possible to install
xen.gz below --prefix=.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] only use legitimate shift counts in bitmap shifting
Jan Beulich [Wed, 23 Apr 2014 13:07:55 +0000 (15:07 +0200)]
only use legitimate shift counts in bitmap shifting

For rem being zero (where rem is the remainder of a division by
BITS_PER_LONG), shifts by "BITS_PER_LONG - rem" degenerate to undefined
constructs.

An alternative would be to remove these implicitly unused functions.

Coverity ID 1192174 (__bitmap_shift_right)
Coverity ID 1192175 (__bitmap_shift_left)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
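The shift-count issue in the commit above, as an added example that is not the log's or Xen's own bitmap code: a multi-word bitmap shift in which the carry from the neighbouring word is only formed when the shift is not word-aligned, since `upper << (BITS_PER_LONG - rem)` with rem == 0 would shift by the full word width, which C leaves undefined. The function names and the self-test inputs are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG    ((unsigned int)(sizeof(unsigned long) * CHAR_BIT))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/*
 * Added example, not Xen's bitmap.c: logical right/left shifts over a
 * multi-word bitmap (word 0 holds bits 0..BITS_PER_LONG-1).  The commit
 * message's point is the rem == 0 case: the carry term
 *     upper << (BITS_PER_LONG - rem)
 * would then shift by the full word width, which C leaves undefined, so the
 * carry is only computed when rem is non-zero.  Function names are assumed.
 */
void bitmap_shift_right(unsigned long *dst, const unsigned long *src,
                        unsigned int shift, unsigned int nbits)
{
    unsigned int lim = BITS_TO_LONGS(nbits);
    unsigned int off = shift / BITS_PER_LONG, rem = shift % BITS_PER_LONG;
    unsigned int left = nbits % BITS_PER_LONG;
    unsigned long mask = left ? (1UL << left) - 1 : ~0UL;   /* valid bits of top word */
    unsigned int k;

    for (k = 0; off + k < lim; k++) {
        unsigned long lower = src[off + k], upper = 0;

        if (off + k == lim - 1)
            lower &= mask;
        /* Carry from the next-higher word is only needed for unaligned shifts. */
        if (rem && off + k + 1 < lim) {
            upper = src[off + k + 1];
            if (off + k + 1 == lim - 1)
                upper &= mask;
        }
        dst[k] = rem ? (upper << (BITS_PER_LONG - rem)) | (lower >> rem) : lower;
    }
    for (; k < lim; k++)
        dst[k] = 0;
}

void bitmap_shift_left(unsigned long *dst, const unsigned long *src,
                       unsigned int shift, unsigned int nbits)
{
    unsigned int lim = BITS_TO_LONGS(nbits);
    unsigned int off = shift / BITS_PER_LONG, rem = shift % BITS_PER_LONG;
    unsigned int left = nbits % BITS_PER_LONG;
    unsigned long mask = left ? (1UL << left) - 1 : ~0UL;
    int k;

    /* Walk downwards so that dst may alias src. */
    for (k = (int)lim - (int)off - 1; k >= 0; k--) {
        unsigned long upper = src[k], lower = (rem && k > 0) ? src[k - 1] : 0;

        dst[k + off] = rem ? (upper << rem) | (lower >> (BITS_PER_LONG - rem)) : upper;
        if ((unsigned int)k + off == lim - 1)
            dst[k + off] &= mask;
    }
    for (k = 0; k < (int)off && k < (int)lim; k++)
        dst[k] = 0;
}

/* Constructed checks; returns the number of failing cases (0 = all good). */
int bitmap_shift_selftest(void)
{
    const unsigned int W = BITS_PER_LONG;
    unsigned long src[2] = { 0x10UL, 0x1UL }, dst[2];
    int failures = 0;

    /* Word-aligned shifts: rem == 0, the case that used to shift by BITS_PER_LONG. */
    bitmap_shift_right(dst, src, W, 2 * W);
    failures += !(dst[0] == 0x1UL && dst[1] == 0);
    bitmap_shift_left(dst, src, W, 2 * W);
    failures += !(dst[0] == 0 && dst[1] == 0x10UL);

    /* Unaligned shifts that carry bits across the word boundary. */
    bitmap_shift_right(dst, src, 4, 2 * W);
    failures += !(dst[0] == ((1UL << (W - 4)) | 0x1UL) && dst[1] == 0);
    bitmap_shift_left(dst, src, W - 4, 2 * W);
    failures += !(dst[0] == 0 && dst[1] == ((1UL << (W - 4)) | 0x1UL));

    /* Width not a multiple of the word size: bits above nbits are ignored. */
    src[0] = 0; src[1] = 0xFFUL;
    bitmap_shift_right(dst, src, 4, W + 4);
    failures += !(dst[0] == (0xFUL << (W - 4)) && dst[1] == 0);

    return failures;
}

int main(void)
{
    int failures = bitmap_shift_selftest();
    printf("bitmap shift self-test: %d failure(s)\n", failures);
    return failures != 0;
}
```

Compilers are entitled to assume a full-width shift never happens, so the unguarded form can be miscompiled rather than merely producing a wrong word; the guard is the fix, not a micro-optimisation.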
[11 years ago] x86: add missing break in hwdom_pit_access()
Jan Beulich [Wed, 23 Apr 2014 13:07:11 +0000 (15:07 +0200)]
x86: add missing break in hwdom_pit_access()

Coverity ID 1203045

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
[11 years ago] xen/arm: debug-exynos4210: Remove early_uart_init
Julien Grall [Tue, 22 Apr 2014 13:41:14 +0000 (14:41 +0100)]
xen/arm: debug-exynos4210: Remove early_uart_init

The function early_uart_init contains specific initialization for the
Arndale Board 5250.

Usually U-boot has already set up the UART correctly (i.e. clock, baud rate...)
so we don't have to do it again.

Furthermore, this code won't work on new platforms such as the Arndale Octa.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Cc: HyonYoung Choi <commani@gmail.com>
Cc: Meng Xu <xumengpanda@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/libxl: remove XEN_RUN_DIR from install target
Olaf Hering [Thu, 17 Apr 2014 14:13:48 +0000 (16:13 +0200)]
tools/libxl: remove XEN_RUN_DIR from install target

xencommons creates the _hardcoded_ /var/run/xen already, there is no
need to create and package this directory during make install|rpmball.

Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.

Using XEN_RUN_DIR instead of /var/run/xen tree-wide may be done in a
followup patch.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/pygrub: add APPEND_LDFLAGS to CFLAGS
Olaf Hering [Thu, 17 Apr 2014 14:13:47 +0000 (16:13 +0200)]
tools/pygrub: add APPEND_LDFLAGS to CFLAGS

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools: add APPEND_LDFLAGS to xentop link command
Olaf Hering [Thu, 17 Apr 2014 14:13:46 +0000 (16:13 +0200)]
tools: add APPEND_LDFLAGS to xentop link command

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/blktap2: append APPEND_LDFLAGS to link command
Olaf Hering [Thu, 17 Apr 2014 14:13:45 +0000 (16:13 +0200)]
tools/blktap2: append APPEND_LDFLAGS to link command

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/debugger: append APPEND_LDFLAGS to link command
Olaf Hering [Thu, 17 Apr 2014 14:13:44 +0000 (16:13 +0200)]
tools/debugger: append APPEND_LDFLAGS to link command

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/libfsimage: append APPEND_LDFLAGS to link command
Olaf Hering [Thu, 17 Apr 2014 14:13:43 +0000 (16:13 +0200)]
tools/libfsimage: append APPEND_LDFLAGS to link command

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/python: add APPEND_LDFLAGS to CFLAGS
Olaf Hering [Thu, 17 Apr 2014 14:13:42 +0000 (16:13 +0200)]
tools/python: add APPEND_LDFLAGS to CFLAGS

Required to pass -Wl,-rpath,$libdir to link command.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools/pygrub: remove /var/run/xend/boot from install target
Olaf Hering [Thu, 17 Apr 2014 10:52:50 +0000 (12:52 +0200)]
tools/pygrub: remove /var/run/xend/boot from install target

pygrub stores the temporary kernel+initrd files in /var/run/pygrub, or
any other directory specified with --output-directory=<dir>. If the
default dir is missing pygrub will create it.

Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools: remove /var/lock/subsys from install target
Olaf Hering [Thu, 17 Apr 2014 10:04:39 +0000 (12:04 +0200)]
tools: remove /var/lock/subsys from install target

/var/lock/subsys is used only in tools/hotplug/Linux/init.d/xendomains.
The start() function already does a "mkdir /var/lock/subsys", so it's not
required to create this directory during make install|rpmball.

Without this change installing the resulting xen.rpm will fail on
systems where /var/lock is a symlink. rpm complains that '/var/lock'
(the symlink) is already owned by some other system rpm package.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] tools: remove /var/run/xenstored from install target
Olaf Hering [Thu, 17 Apr 2014 09:55:21 +0000 (11:55 +0200)]
tools: remove /var/run/xenstored from install target

xenstored already does "mkdir /var/run/xenstored" on startup, so it's not
required to create this directory during make install|rpmball.

Without this change installing the resulting xen.rpm will fail on
systems where /var/run is a symlink. rpm complains that '/var/run' (the
symlink) is already owned by some other system rpm package.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpmmgr: use XSM label as vTPM kernel hash
Daniel De Graaf [Mon, 21 Apr 2014 17:23:05 +0000 (13:23 -0400)]
vtpmmgr: use XSM label as vTPM kernel hash

Because there is not currently a method for the vTPM Manager to obtain a
build hash of a vTPM, use the hash of the vTPM's XSM label as a
substitute.  This allows the vTPM Manager to distinguish between vTPMs
intended to be paired with a hardware domain kernel (which cannot use
pv-grub) and vTPMs which are paired with a pv-grub domain and therefore
contain reliable measurements of the guest kernel in PCRs 4 and 5.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] stubdom/grub: verify vTPM label if requested
Daniel De Graaf [Mon, 21 Apr 2014 17:23:04 +0000 (13:23 -0400)]
stubdom/grub: verify vTPM label if requested

This adds an optional argument --vtpm-label=<label> to the pv-grub
command line.  If specified, a vtpm device must be connected to the
pv-grub domain and the backend of this device must have the given XSM
label (which may start with a * to indicate a wildcard).  Verifying the
label of the vTPM before sending measurements prevents a disaggregated
control domain that has access to xenstore but not to the guest domains
from causing the measurements performed by pv-grub to be discarded,
allowing the forgery of arbitrary kernel measurements in the TPM.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpm: add deep quote support
Daniel De Graaf [Mon, 21 Apr 2014 17:23:03 +0000 (13:23 -0400)]
vtpm: add deep quote support

This allows the client of a vTPM to request a quote from the physical
TPM which includes PCRs from both the physical and virtual TPMs, signed
by an AIK from the physical TPM. This quote can be used to provide
evidence of the complete launch environment of a virtual machine.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpm: add ordinal for obtaining an EK signature
Daniel De Graaf [Mon, 21 Apr 2014 17:23:02 +0000 (13:23 -0400)]
vtpm: add ordinal for obtaining an EK signature

For a vTPM to be useful for remote attestation, proof that the vTPM's EK
was generated and held within a secure vTPM implementation is necessary.
This patch adds an ordinal to the vTPM which will request a quote
providing this evidence from the TPM Manager; it only functions during
the first startup of a given vTPM in order to provide proof that the EK
was freshly generated (and not a key whose private part is available
elsewhere).

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpm: passthru requests to manager
Daniel De Graaf [Mon, 21 Apr 2014 17:23:01 +0000 (13:23 -0400)]
vtpm: passthru requests to manager

When sending commands to a vTPM, commands with the VTPM_TAG_REQ2 tag are
passed directly to the TPM Manager since they are used in the management
interface to the TPM Manager. The VTPM_TAG_REQ tag is translated to
TPM_TAG_RQU_COMMAND to allow access to the physical TPM for certain
ordinals (PCRRead, Extend, and GetRandom).

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpmmgr: Convert TPM_Seal to use TPM_PCR_INFO_LONG
Jason Andryuk [Mon, 21 Apr 2014 17:23:00 +0000 (13:23 -0400)]
vtpmmgr: Convert TPM_Seal to use TPM_PCR_INFO_LONG

Infineon 1.2 TPMs fail TPM_Seal commands with TPM_BAD_PARAMETER when
PCRs are specified by a TPM_PCR_INFO structure.  Using a
TPM_PCR_INFO_LONG structure to specify PCRs succeeds, so update to use
that.  This also requires changes to use TPM_STORED_DATA12 for the
result.

Signed-off-by: Jason Andryuk <andryuk@aero.org>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
[11 years ago] vtpmmgr: Store hardware TPM Locality
Jason Andryuk [Mon, 21 Apr 2014 17:22:59 +0000 (13:22 -0400)]
vtpmmgr: Store hardware TPM Locality

The TPM locality must be specified when using TPM_PCR_INFO_LONG for
TPM_Seal.  Store the locality so it can be provided later.

Signed-off-by: Jason Andryuk <andryuk@aero.org>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
[11 years ago] vtpmmgr: add example control tools
Daniel De Graaf [Mon, 21 Apr 2014 17:22:58 +0000 (13:22 -0400)]
vtpmmgr: add example control tools

The manage-vtpmmgr.pl script is an example client for interacting with
the TPM Manager; it is intended to run in a management domain with a
vTPM (which may be dom0).  It is used to create and manage vTPMs and
vTPM groups.

The calc.pl script is an example manager of a vTPM group.  It signs
the configuration lists used by the TPM Manager with a locally held
private key.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] vtpmmgr: add TPM group support
Daniel De Graaf [Mon, 21 Apr 2014 17:22:57 +0000 (13:22 -0400)]
vtpmmgr: add TPM group support

This is a complete rewrite of the disk format and key hierarchy for the
TPM Manager. The new format supports multiple groups of vTPMs which
define the permitted configurations where a given vTPM's keys are
available, allowing upgrades of critical components while retaining the
secrecy of cryptographic keys.

New features of the TPM Manager are explained in the README and in the
definitions of the management commands in vtpm_manager.h.

New features for vTPMs:

1. The size of the state blob for a vTPM is expanded from 52 to 64
bytes in order to support future vTPMs using SHA-2/3 instead of SHA-1.

2. vTPMs can obtain a quote from the physical TPM with certain
resettable PCRs set to include information about the vTPM. This can be
used by a vTPM to provide evidence of its integrity, including the
secrecy of its EK, and for deep quotes.

Some additional changes made by this rewrite that may impact existing
users:

1. The value of WELLKNOWN_OWNER_AUTH was incorrect for the physical TPM;
the convention is to use all zero bits for well-known authentication
values, not all one bits.

2. Randomly generating the owner auth value for the physical TPM is no
longer supported, as it prevents later creation or certification of
AIKs (which the old manager did not support).

3. The vTPM Manager needs to be provisioned with a PCR composite and an
upgrade authority's public key before it will save data across boots.

The current implementation still has some limitations:
 * 5 valid system PCR selections per group
 * The vTPM Manager's disk can use at most 2MB of space
 * The vTPM domain's build hash is always set to null/zero

Most of the code relating to upgrade and rollback protection is
currently stubbed out, but future versions can add:
 * Support for using the TPM's monotonic counter to prevent rollback
   of vTPM data by taking and restoring disk snapshots
 * Masking the master disk encryption key using a value stored in the
   TPM's NVRAM so that revocation of old data is possible without
   relying on all previously authorized software stacks to respect the
   monotonic counter's value

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Don't let the guest access Debug and Performance Monitor registers
Julien Grall [Tue, 15 Apr 2014 13:06:42 +0000 (14:06 +0100)]
xen/arm: Don't let the guest access Debug and Performance Monitor registers

Debug and performance registers are not properly switched by Xen.

Trap them and inject an undefined instruction, except for those registers
which might be unconditionally accessed which we implement as RAZ/WI.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Don't expose implementation defined registers (Cp15 c15) to the guest
Julien Grall [Tue, 15 Apr 2014 11:45:28 +0000 (12:45 +0100)]
xen/arm: Don't expose implementation defined registers (Cp15 c15) to the guest

On Cortex-A15, CP15 c15 contains registers to retrieve data from L1/L2 RAM.

Exposing these registers to the guest may result in leaking data from Xen and/or
another guest.

By default trap every register and inject an undefined instruction.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Trap cache and TCM lockdown registers
Julien Grall [Mon, 14 Apr 2014 19:00:14 +0000 (20:00 +0100)]
xen/arm: Trap cache and TCM lockdown registers

Some cp15 c9/c10/c11 encodings are used for:
     - cache control
     - TCM control
     - branch predictor control

All of them are implementation defined. For now inject an undefined exception
if the guest tries to access them.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Upgrade DCISW into DCCISW
Julien Grall [Mon, 14 Apr 2014 19:46:43 +0000 (20:46 +0100)]
xen/arm: Upgrade DCISW into DCCISW

A guest is allowed to use the invalidate cache by set/way instruction (i.e. DCISW)
without any restriction. As the cache is shared with Xen, the guest can invalidate
an address in use by Xen. This may lead to a Xen crash because the memory
state is invalid.
Set the bit HCR.SWIO to upgrade invalidate cache by set/way instruction to an
invalidate and clean.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reported-by: Thomas Leonard <tal36@cam.ac.uk>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Don't let the guest access the coprocessors registers
Julien Grall [Mon, 14 Apr 2014 19:37:16 +0000 (20:37 +0100)]
xen/arm: Don't let the guest access the coprocessors registers

In Xen we only handle save/restore for coprocessors 10 and 11 (NEON). Other
coprocessors (0-9, 12-13) are currently exposed to the guest and may lead
to data being shared between guests.

Disable access to all coprocessors except 10 and 11 by setting HCPTR
correctly.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] xen/arm: Inject an undefined instruction when the coproc/sysreg is not handled
Julien Grall [Mon, 14 Apr 2014 18:01:20 +0000 (19:01 +0100)]
xen/arm: Inject an undefined instruction when the coproc/sysreg is not handled

Currently Xen panics if it's unable to handle a coprocessor/sysreg instruction.
Replace this behavior by injecting an undefined instruction into the faulty guest
and logging if Xen is in debug mode.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[11 years ago] gitignore: ignore OVMF directories
Wei Liu [Mon, 21 Apr 2014 10:16:16 +0000 (11:16 +0100)]
gitignore: ignore OVMF directories

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
[11 years ago] x86/EPT: correct double unmap_domain_page() on error path
Andrew Cooper [Tue, 22 Apr 2014 12:45:10 +0000 (14:45 +0200)]
x86/EPT: correct double unmap_domain_page() on error path

c/s 3d90d6e6 "x86/EPT: split super pages upon mismatching memory types"
accidentally introduced an error path where the epte domain page would be
unmapped twice if splitting the superpage failed.

Only unmap the page if the loop is to be continued.  When breaking from the
loop, the page will be unmapped by the subsequent code.

Coverity-ID: 1203047
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
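The commit above describes a loop that unmaps its current table on the failure path and then unmaps it again in the common exit code. Below is an added example, not Xen code, that models that pattern with a counting map/unmap pair so the double release is observable: `map_page()`/`unmap_page()` stand in for `map_domain_page()`/`unmap_domain_page()`, the page-table walk and the injected split failure (`fail_at`) are constructed, and all names are assumptions:

```c
/* Added example (not Xen code): the error-path pattern the commit fixes.
 * map_page()/unmap_page() are counting stand-ins for map_domain_page()/
 * unmap_domain_page(); the superpage split is modelled by 'fail_at', the
 * loop level whose split is made to fail (-1 for none). Names assumed. */
#include <stdbool.h>

static int g_mapped;        /* net outstanding mappings */
static int g_double_unmap;  /* unmap calls made with nothing mapped */

static void *map_page(void)
{
    g_mapped++;
    return &g_mapped;       /* any non-NULL token will do */
}

static void unmap_page(void *p)
{
    (void)p;
    if (g_mapped <= 0)
        g_double_unmap++;   /* the bug we want to catch */
    else
        g_mapped--;
}

/* Buggy walk: unmaps on the break path and again after the loop. */
static int walk_buggy(int levels, int fail_at)
{
    void *table = map_page();
    int rc = 0;

    for (int i = 0; i < levels; i++) {
        if (i == fail_at) {
            unmap_page(table);  /* first unmap ... */
            rc = -1;
            break;
        }
        unmap_page(table);
        table = map_page();     /* descend one level */
    }
    unmap_page(table);          /* ... second unmap of the same page on break */
    return rc;
}

/* Fixed walk: only unmap when the loop is going to continue; the common
 * exit after the loop releases whatever is still mapped. */
static int walk_fixed(int levels, int fail_at)
{
    void *table = map_page();
    int rc = 0;

    for (int i = 0; i < levels; i++) {
        if (i == fail_at) {
            rc = -1;
            break;              /* leave 'table' mapped for the exit path */
        }
        unmap_page(table);
        table = map_page();
    }
    unmap_page(table);
    return rc;
}

/* Run one walk from a clean state and report the double-unmap count. */
static int count_double_unmaps(int (*walk)(int, int), int levels, int fail_at)
{
    g_mapped = 0;
    g_double_unmap = 0;
    (void)walk(levels, fail_at);
    return g_double_unmap;
}

/* Run one walk from a clean state and report mappings left outstanding. */
static int outstanding_after(int (*walk)(int, int), int levels, int fail_at)
{
    g_mapped = 0;
    g_double_unmap = 0;
    (void)walk(levels, fail_at);
    return g_mapped;
}
```

The structure to keep in mind is that a resource released inside the loop body must be released on exactly one of two paths: either before `break` or after the loop, never both.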
11 years ago
allow hardware domain != dom0
Daniel De Graaf [Tue, 22 Apr 2014 10:10:13 +0000 (12:10 +0200)]
allow hardware domain != dom0

This adds a hypervisor command line option "hardware_dom=" which takes a
domain ID.  When the domain with this ID is created, it will be used
as the hardware domain.

This is intended to be used when domain 0 is a dedicated stub domain for
domain building, allowing the hardware domain to be de-privileged and
act only as a driver domain.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
11 years ago
x86/hap: fix lack of newline in error message
Andrew Cooper [Tue, 22 Apr 2014 10:09:36 +0000 (12:09 +0200)]
x86/hap: fix lack of newline in error message

to avoid corrupting the following line.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
11 years ago
x86/HVM: use fixed TSC value when saving or restoring domain
Boris Ostrovsky [Tue, 22 Apr 2014 10:08:56 +0000 (12:08 +0200)]
x86/HVM: use fixed TSC value when saving or restoring domain

When a domain is saved each VCPU's TSC value needs to be preserved. To get it we
use hvm_get_guest_tsc(). This routine (either itself or via get_s_time() which
it may call) calculates VCPU's TSC based on current host's TSC value (by doing a
rdtscll()). Since this is performed for each VCPU separately we end up with
un-synchronized TSCs.

Similarly, during a restore each VCPU is assigned its TSC based on host's current
tick, causing virtual TSCs to diverge further.

With this, we can easily get into a situation where a guest may see time going
backwards.

Instead of reading new TSC value for each VCPU when saving/restoring it we should
use the same value across all VCPUs.

Reported-by: Philippe Coquard <philippe.coquard@mpsa.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
11 years ago
x86/svm: enable TSC scaling
Boris Ostrovsky [Tue, 22 Apr 2014 10:08:06 +0000 (12:08 +0200)]
x86/svm: enable TSC scaling

TSC ratio enabling logic is inverted: we want to use it when we
are running in native tsc mode, i.e. when d->arch.vtsc is zero.

Also, since now svm_set_tsc_offset()'s calculations depend
on vtsc's value, we need to call hvm_funcs.set_tsc_offset() after
vtsc changes in tsc_set_info().

In addition, with TSC ratio enabled, svm_set_tsc_offset() will
need to do rdtsc. With that we may end up having TSCs on guest's
processors out of sync. d->arch.hvm_domain.sync_tsc which is set
by the boot processor can now be used by APs as reference TSC
value instead of host's current TSC.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
11 years ago
x86: use native RDTSC(P) execution when guest and host frequencies are the same
Boris Ostrovsky [Tue, 22 Apr 2014 10:07:37 +0000 (12:07 +0200)]
x86: use native RDTSC(P) execution when guest and host frequencies are the same

We should be able to continue using native RDTSC(P) execution on
HVM/PVH guests after migration if host and guest frequencies are
equal (this includes the case when the frequencies are made equal
by TSC scaling feature).

This also allows us to revert main part of commit 4aab59a3 (svm: Do not
intercept RDTSC(P) when TSC scaling is supported by hardware) which
was wrong: while RDTSC intercepts were disabled domain's vtsc could
still be set, leading to inconsistent view of guest's TSC.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
11 years ago
ACPI/ERST: fix signed/unsigned type conflicts
Jan Beulich [Tue, 22 Apr 2014 10:05:44 +0000 (12:05 +0200)]
ACPI/ERST: fix signed/unsigned type conflicts

Error checks exist in the respective code path that expect negative
values to indicate errors, yet negative values can't be communicated
through size_t. Thus ssize_t needs to be introduced (also on ARM for
consistency, even if the code in question isn't currently being used
on there).

The bug is theoretical only in so far as all the involved code is
effectively dead. Reflect this by excluding that code from non-debug
builds.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Christoph Egger <chegger@amazon.de>
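The commit above is the classic signed/unsigned conflict: a negative errno cannot travel through `size_t`, so a caller's `if (ret < 0)` check never fires. The following is an added example, not Xen code, that shows the failure and the `ssize_t` fix side by side. `read_record_sizet()`/`read_record_ssizet()` and the callers are hypothetical stand-ins for the ERST path the commit refers to; the empty buffer and the `-EINVAL` error are constructed input:

```c
/* Added example (not Xen code): why an error code cannot be returned
 * through size_t. The reader functions and callers are hypothetical
 * stand-ins for the ERST path; the buffer and the -EINVAL case are
 * constructed input. */
#include <stddef.h>
#include <sys/types.h>   /* ssize_t */
#include <errno.h>

/* Pretend record reader returning size_t: a 'len' of 0 is an error. */
static size_t read_record_sizet(const unsigned char *buf, size_t len)
{
    (void)buf;
    if (len == 0)
        return -EINVAL;  /* wraps to a huge positive length, not an error */
    return len;
}

/* Same reader with the commit's fix: ssize_t keeps the sign. */
static ssize_t read_record_ssizet(const unsigned char *buf, size_t len)
{
    (void)buf;
    if (len == 0)
        return -EINVAL;
    return (ssize_t)len;
}

/* Caller written the way the commit says the existing checks expect:
 * negative means error. With size_t the test is always false. */
static int caller_sizet(size_t len)
{
    static const unsigned char buf[16];
    size_t ret = read_record_sizet(buf, len);
    if (ret < 0)
        return -1;
    return 0;            /* reports success although the reader failed */
}

static int caller_ssizet(size_t len)
{
    static const unsigned char buf[16];
    ssize_t ret = read_record_ssizet(buf, len);
    if (ret < 0)
        return -1;
    return 0;
}

/* Defensive variant for an unsigned API you cannot change: bound the
 * returned length before using it, which also catches the wrapped error. */
static int caller_sizet_bounded(size_t len)
{
    static const unsigned char buf[16];
    size_t ret = read_record_sizet(buf, len);
    if (ret > sizeof(buf))
        return -1;
    return 0;
}

static int sizet_error_detected(void)  { return caller_sizet(0) < 0; }
static int ssizet_error_detected(void) { return caller_ssizet(0) < 0; }
```

The bounded variant is the check to add whenever a length-returning function's error convention and its return type disagree: the wrapped `-EINVAL` is larger than any real buffer, so a size check rejects it even though a sign check cannot.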
11 years ago
x86/MSI: drop workaround for insecure Dom0 kernels
Jan Beulich [Tue, 22 Apr 2014 10:04:20 +0000 (12:04 +0200)]
x86/MSI: drop workaround for insecure Dom0 kernels

Considering that
- the workaround is expensive (iterating through the entire P2M space
  of a domain),
- the planned elimination of the expensiveness (by propagating the type
  change step by step to the individual P2M leaves) wouldn't address
  the IOMMU side of things (as for it to obey to the changed
  permissions the adjustments must be pushed down immediately through
  the entire tree)
- the proper solution (PHYSDEVOP_msix_prepare) should by now be
  implemented by all security conscious Dom0 kernels
remove the workaround, killing eventual guests that would be known to
become a security risk instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
11 years ago
implement is_hardware_domain using hardware_domain global
Daniel De Graaf [Thu, 17 Apr 2014 08:10:33 +0000 (10:10 +0200)]
implement is_hardware_domain using hardware_domain global

This requires setting the hardware_domain variable earlier in
domain_create so that functions called from it (primarily in
arch_domain_create) observe the correct results when they call
is_hardware_domain.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
11 years ago
pvh dom0: make xsm_map_gmfn_foreign available for x86
Mukesh Rathor [Thu, 17 Apr 2014 08:07:44 +0000 (10:07 +0200)]
pvh dom0: make xsm_map_gmfn_foreign available for x86

In this patch we make xsm_map_gmfn_foreign available for x86 also. This
is used in the next patch "pvh dom0: Add and remove foreign pages" in
function p2m_add_foreign.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
11 years ago
pvh dom0: introduce p2m_map_foreign
Mukesh Rathor [Thu, 17 Apr 2014 08:05:07 +0000 (10:05 +0200)]
pvh dom0: introduce p2m_map_foreign

In this patch, a new type p2m_map_foreign is introduced for pages
that the toolstack on an auto-translated dom0 or a control domain maps
from foreign domains that it's creating or supporting during its
run time.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
pvh dom0: move some pv specific code to static functions
Mukesh Rathor [Thu, 17 Apr 2014 08:03:41 +0000 (10:03 +0200)]
pvh dom0: move some pv specific code to static functions

In this preparatory patch, some pv specific code is
carved out into static functions. No functionality change.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
11 years ago
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging
Ian Campbell [Wed, 16 Apr 2014 16:28:23 +0000 (17:28 +0100)]
Merge branch 'staging' of ssh://xenbits.xen.org/home/xen/git/xen into staging

11 years ago
x86: fix instruction emulator test's xgetbv constraints
Jan Beulich [Wed, 16 Apr 2014 16:18:35 +0000 (18:18 +0200)]
x86: fix instruction emulator test's xgetbv constraints

The "A" constraint, while documented up to gcc 4.5 as "The a and d
registers, as a pair (for instructions that return half the result in
one and half in the other)," never really behaved that (natural) way,
but always meant (and is now also documented so) %eax _or_ %edx (%rax
_or_ %rdx on x86-64) unless the operand was wide enough to require both
(i.e. more than 32 bits on ix86 and more than 64 bits on x86-64).

Interestingly something internal to the compiler changed between 4.4
and 4.5 to actually expose the difference - up to gcc 4.4 I was unable
to construct a case where, when only the low half of the result is
actually looked at, the result would be considered to be in %edx/%rdx
(and %eax/%rax would be treated as unmodified by the instruction).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Tested-by: Don Slutz <dslutz@verizon.com>
11 years ago
xen/arm: Pass the timer "clock-frequency" to DOM0 in make_timer_node()
Suriyan Ramasami [Mon, 14 Apr 2014 08:14:00 +0000 (01:14 -0700)]
xen/arm: Pass the timer "clock-frequency" to DOM0 in make_timer_node()

If the DT representing the ARM generic timer mentions a clock-frequency,
propagate it to the DT that is built for DOM0.

This is necessary as a workaround for boards (Odroid-XU) where CNTFRQ is not
set or returns a wrong value.

Ideally CNTFRQ should be set by the boot loader. The bootloader should respect
the ARM ARM (see B.8.1.1):
    "The CNTFRQ register is UNKNOWN at reset, and therefore the counter
    frequency must be written to CNTFRQ as part of the system boot process."

For the Odroid-XU the SPL BL2 code is entered in NS HYP mode which prevents
the execution of the mcr call to set CNTFRQ.

Signed-off-by: Suriyan Ramasami <suriyan.r@gmail.com>
Reviewed-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
tools/libxc: Remove valgrind conditional sections from libxc
Andrew Cooper [Tue, 15 Apr 2014 18:18:42 +0000 (19:18 +0100)]
tools/libxc: Remove valgrind conditional sections from libxc

The ifdef sections are not enabled at all in tree, and their justification is
out of date now that Xen hypercall support exists upstream in valgrind.

This also removes a commented-out tweak to CFLAGS in the libxc Makefile which
is not being used, and becomes stale given this patch.  In the unlikely event
that any developers were using the line, the results can be more easily
achieved by tweaking APPEND_CFLAGS in the environment.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
tools/libxl: Improvements to libxl-save-helper when using valgrind
Andrew Cooper [Fri, 11 Apr 2014 15:46:14 +0000 (16:46 +0100)]
tools/libxl: Improvements to libxl-save-helper when using valgrind

Fix two unfree()'d allocations in libxl-save-helper, to get them out of the
way of other legitimate complaints from valgrind.

The first is easy; close the interface to libxc when done with it.

The second can be fixed by removing the complexity of creating the logging
instance.  Initialise the global 'logger' in place rather than as an
allocation, which requires changing the indirection of its use in 5 locations.

struct xentoollog_logger_tellparent and function createlogger_tellparent() are
now unused and removed.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
libxl/save-helper: Code motion of logging functions
Andrew Cooper [Fri, 11 Apr 2014 15:46:13 +0000 (16:46 +0100)]
libxl/save-helper: Code motion of logging functions

... in preparation for a subsequent functional fix

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
libxl_types.idl: replace empty Struct with None for libxl_event
Wei Liu [Thu, 10 Apr 2014 15:20:22 +0000 (16:20 +0100)]
libxl_types.idl: replace empty Struct with None for libxl_event

Now that we generate an empty map for None, the empty Struct trick is not
necessary anymore.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
libxl/gentypes.py: generate empty map for None field in keyed-union
Wei Liu [Thu, 10 Apr 2014 15:18:00 +0000 (16:18 +0100)]
libxl/gentypes.py: generate empty map for None field in keyed-union

Without this the generated JSON is malformed.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
libxl_json: fix JSON parser debug code
Wei Liu [Thu, 10 Apr 2014 15:26:32 +0000 (16:26 +0100)]
libxl_json: fix JSON parser debug code

Two changes included:
1. implement DEBUG_GEN_ALLOC for YAJL2
2. use size_t for variable "len"

without these two fixes it fails to compile when DEBUG_ANSWER is
defined.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
libxl/gentypes.py: don't generate JSON for private type(s)
Wei Liu [Thu, 10 Apr 2014 15:26:31 +0000 (16:26 +0100)]
libxl/gentypes.py: don't generate JSON for private type(s)

Private types are only useful inside libxl. They don't have a valid JSON
generation function by default.

Currently there's only one private type, that's libxl_ev_link. Not
skipping this field causes testidl to fail as the code generated for
this type is NULL.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
xen/arm64: Correctly align VFP regs
Julien Grall [Thu, 10 Apr 2014 11:43:57 +0000 (12:43 +0100)]
xen/arm64: Correctly align VFP regs

On arm64, VFP instructions require vfpregs to be 128-byte aligned.

By chance, the field is already correctly aligned. If someone decides to
add a new field before it, Xen will receive a data abort as soon as it
saves/restores VFP.

We are safe on arm32 as the only constraint is to be 32-byte aligned.

Reported-by: Chen Baozi <baozich@gmail.com>
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
11 years ago
Revert "xen/arm: Allocate memory for dom0 from the bottom with the 1:1 Workaround"
Ian Campbell [Fri, 4 Apr 2014 12:56:59 +0000 (13:56 +0100)]
Revert "xen/arm: Allocate memory for dom0 from the bottom with the 1:1 Workaround"

This reverts commit 6c21cb36e263de2db8716b477157a5b6cd531e1e.

The Linux issue which this works around was fixed in v3.13 via f52bb722547f
"ARM: mm: Correct virt_to_phys patching for 64 bit physical addresses".

This is the second attempt to revert this. Now that we have fixed
allocate_memory_11 to allocate accessible memory on 32-bit this is safe to do.
This is not quite a straight revert since we need to ensure that for 32-bit
domain 0 we do not allocate dom0's memory above 4GB where the domain cannot
access it without paging (which is disabled at start of day) and LPAE (which
the kernel may not support) enabled.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
[ ijc -- dropped debug code ]

11 years ago
xen: arm: probe the kernel to determine the guest type earlier
Ian Campbell [Fri, 4 Apr 2014 12:56:58 +0000 (13:56 +0100)]
xen: arm: probe the kernel to determine the guest type earlier

We need to know if the kernel is 32- or 64- bit capable sooner so that we know
what sort of domain we are building when allocating memory to it (so we can
place appropriate limits when allocating RAM to the guest). At the moment
kernel_prepare() decides this but it needs the memory to have already been
allocated.

Therefore split the probing functionality of kernel_prepare() and call it much
earlier. The remainder of kernel_prepare() deals with where to place the
kernel in RAM which can be deferred until kernel_load() so do so.

Document the input and output of kernel_probe() and _load().

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
[ ijc -- whitespace fixes ]

11 years ago
xen: arm: refactor struct kernel_info
Ian Campbell [Fri, 4 Apr 2014 12:56:57 +0000 (13:56 +0100)]
xen: arm: refactor struct kernel_info

The kernel_order and kernel_image fields are ELF specific.

Also add a few comments about what things are.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>
11 years ago
x86/HAP: also flush TLB when altering a present 1G or intermediate entry
Jan Beulich [Mon, 14 Apr 2014 13:14:47 +0000 (15:14 +0200)]
x86/HAP: also flush TLB when altering a present 1G or intermediate entry

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
MAINTAINERS: extend coverage for "THE REST"
Jan Beulich [Mon, 14 Apr 2014 13:13:33 +0000 (15:13 +0200)]
MAINTAINERS: extend coverage for "THE REST"

As agreed upon in offlist discussion among the committers, make all
committers eligible to approve changes to code not having its
maintainership covered explicitly. (For committers to make changes to
such code, generally an ack from a second committer is going to be
required.)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
x86/nested HAP: don't BUG() on legitimate error
Jan Beulich [Mon, 14 Apr 2014 10:50:56 +0000 (12:50 +0200)]
x86/nested HAP: don't BUG() on legitimate error

p2m_set_entry() can fail without there being a bug in the code - crash
the domain rather than the host in that case.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
x86/p2m: error code propagation
Mukesh Rathor [Mon, 14 Apr 2014 10:47:29 +0000 (12:47 +0200)]
x86/p2m: error code propagation

Because some of the leaf p2m functions return 0 for failure and
TRUE for success, the real errno is lost. We change some of those
functions to return proper -errno. Also, any code in the immediate
vicinity that is in coding style violation is fixed up.

This patch doesn't change any functionality.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
Rename "set_p2m_entry" to "p2m_set_entry"
Mukesh Rathor [Mon, 14 Apr 2014 10:44:39 +0000 (12:44 +0200)]
Rename "set_p2m_entry" to "p2m_set_entry"

This patch renames set_p2m_entry defined in arch/x86/mm/p2m.c
to p2m_set_entry which makes it consistent with other functions
from that file. It also facilitates changing the function signature
to return appropriate errno for failure cases.  This patch doesn't
change any functionality.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
x86: rename public functions in p2m-pt.c
Mukesh Rathor [Mon, 14 Apr 2014 10:43:36 +0000 (12:43 +0200)]
x86: rename public functions in p2m-pt.c

This patch renames "public" functions in p2m-pt.c. In addition to
making them more descriptive, it also frees up "p2m_set_entry" name
to be used later.  This patch doesn't change any functionality.

Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
x86: fix up mem_access.h
Aravindh Puthiyaparambil [Mon, 14 Apr 2014 10:42:26 +0000 (12:42 +0200)]
x86: fix up mem_access.h

Fix filename in the description
Add double inclusion guard

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Acked-by: Tim Deegan <tim@xen.org>
11 years ago
tools: improve make debball
Fabio Fantoni [Fri, 11 Apr 2014 11:13:19 +0000 (13:13 +0200)]
tools: improve make debball

- Remove version from installed package name, to make "upgrades" work
- Add conffiles to manage files in /etc on package install/update/remove
- Added in description that this is a .deb for testing only

Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
11 years ago
further prefetch cleanup
Jan Beulich [Fri, 11 Apr 2014 09:27:04 +0000 (11:27 +0200)]
further prefetch cleanup

- commit 630017f4 ("xen: x86 & generic: change to __builtin_prefetch()")
  removed the ARCH_HAS_PREFETCH{,W} defines, but left the
  ARCH_HAS_SPINLOCK_PREFETCH one in place
- the x86 special casing code has always been dead due to the two
  respective CONFIG_* settings not getting defined anywhere

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
evtchn: eliminate 64k ports limitation
Jan Beulich [Fri, 11 Apr 2014 09:25:56 +0000 (11:25 +0200)]
evtchn: eliminate 64k ports limitation

The introduction of FIFO event channels claimed to support over 100k
ports, but failed to widen a number of 16-bit variables/operations.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
libxl: allow dom0 to be destroyed
Daniel De Graaf [Fri, 11 Apr 2014 09:22:49 +0000 (11:22 +0200)]
libxl: allow dom0 to be destroyed

When dom0 is not the hardware domain, it can be destroyed in the same
way as any other service domain.  To avoid accidental use when a domain
is not resolved, destroying domain 0 requires passing -f to xl destroy.
Since the hypervisor already prevents a domain from destroying itself,
this patch is only useful in a disaggregated environment.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
rename various functions referencing dom0
Daniel De Graaf [Fri, 11 Apr 2014 09:21:54 +0000 (11:21 +0200)]
rename various functions referencing dom0

Most of these functions actually act on the hardware domain, so change
their names to reflect this.

Command line parameters and variables based on those parameters are
excluded since those changes would be user-visible, as are any public
headers.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
rename dom0 to hardware_domain
Daniel De Graaf [Fri, 11 Apr 2014 09:20:55 +0000 (11:20 +0200)]
rename dom0 to hardware_domain

This should not change any functionality other than renaming the global
variable.  In a few cases (primarily the domain building code), a local
variable or argument named dom0 was created and used instead of the
global hardware_domain to clarify that the domain being used in this
case is actually domain 0.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Christoph Egger <chegger@amazon.de>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
prevent 0 from being used as a dynamic domid
Daniel De Graaf [Fri, 11 Apr 2014 09:20:08 +0000 (11:20 +0200)]
prevent 0 from being used as a dynamic domid

When the hardware domain is made distinct from dom0, it becomes possible
to shut down and destroy domain 0 while leaving the hypervisor running.
If this happens, prevent this domain ID from being considered for
allocation to a new guest.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
iommu: Move dom0 setup code to __hwdom_init
Daniel De Graaf [Fri, 11 Apr 2014 09:19:16 +0000 (11:19 +0200)]
iommu: Move dom0 setup code to __hwdom_init

When the hardware domain is split from domain 0, the initialization code
for the hardware domain cannot be in the __init section, since the
actual domain creation happens after these sections have been discarded.
Create a __hwdom_init section designator to annotate these functions,
and control it using the XSM configuration option for now (since XSM is
required to take advantage of the security benefits of disaggregation).

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
use domid check in is_hardware_domain
Daniel De Graaf [Fri, 11 Apr 2014 09:16:52 +0000 (11:16 +0200)]
use domid check in is_hardware_domain

Instead of checking is_privileged to determine if a domain should
control the hardware, check that the domain_id is equal to zero (which
is currently the only domain for which is_privileged is true).  This
allows other places where domain_id is checked for zero to be replaced
with is_hardware_domain.

The distinction between is_hardware_domain, is_control_domain, and
domain 0 is based on the following disaggregation model:

Domain 0 bootstraps the system.  It may remain to perform requested
builds of domains that need a minimal trust chain (i.e. vTPM domains).
Other than being built by the hypervisor, nothing is special about this
domain - although it may be useful to have is_control_domain() return
true depending on the toolstack it uses to build other domains.

The hardware domain manages devices for PCI pass-through to driver
domains or can act as a driver domain itself, depending on the desired
degree of disaggregation.  It is also the domain managing devices that
do not support pass-through: PCI configuration space access, parsing the
hardware ACPI tables and system power or machine check events.  This is
the only domain where is_hardware_domain() is true.  The return of
is_control_domain() may be false for this domain.

The control domain manages other domains, controls guest launch and
shutdown, and manages resource constraints; is_control_domain() returns
true.  The functionality guarded by is_control_domain may in the future
be adapted to use explicit hypercalls, eliminating the special treatment
of this domain.  It may be reasonable to have multiple control domains
on a multi-tenant system.

Guest domains and other service or driver domains are all treated
identically by the hypervisor; the security policy may further constrain
administrative actions on or communication between these domains.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
serial: expand the PCIe params for an Oxford two port serial cards
Konrad Rzeszutek Wilk [Thu, 10 Apr 2014 15:59:20 +0000 (17:59 +0200)]
serial: expand the PCIe params for an Oxford two port serial cards

Which of course has a different model number and sports two
serial outputs.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Keir Fraser <keir@xen.org>
11 years ago
x86/AMD: clean up pre-canned family/revision handling for CPUID masking
Jan Beulich [Thu, 10 Apr 2014 14:16:46 +0000 (16:16 +0200)]
x86/AMD: clean up pre-canned family/revision handling for CPUID masking

Make it so this is easier to extend, and move the parsing code/data
into .init.* sections.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
11 years ago
x86/AMD: support further feature masking MSRs
Jan Beulich [Thu, 10 Apr 2014 14:16:00 +0000 (16:16 +0200)]
x86/AMD: support further feature masking MSRs

Newer AMD CPUs also allow masking CPUID leaf 6 ECX and CPUID leaf 7
sub-leaf 0 EAX and EBX.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
11 years ago
x86: fix pinned cache attribute handling
Jan Beulich [Thu, 10 Apr 2014 14:07:17 +0000 (16:07 +0200)]
x86: fix pinned cache attribute handling

- make sure UC- is only used for PAT purposes (MTRRs and hence EPT
  don't have this type)
- add order input to "get", and properly handle conflict case (forcing
  an EPT page split)
- properly detect (and refuse) overlaps during "set"
- properly use RCU constructs
- support deleting ranges through a special type input to "set"
- set ignore-PAT flag in epte_get_entry_emt() when "get" succeeds
- set "get" output to ~0 (invalid) rather than 0 (UC) on error (the
  caller shouldn't be looking at it anyway)
- move struct hvm_mem_pinned_cacheattr_range from header to C file
  (used only there)

Note that the code (before and after this change) implies the GFN
ranges passed to the hypercall to be inclusive, which is in contrast
to the sole current user in qemu (all variants). It is not clear to me
at which layer (qemu, libxc, hypervisor) this would best be fixed.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Acked-by: Kevin Tian <kevin.tian@intel.com>
11 years ago
x86/EPT: IOMMU snoop capability should not affect memory type selection
Jan Beulich [Thu, 10 Apr 2014 14:06:09 +0000 (16:06 +0200)]
x86/EPT: IOMMU snoop capability should not affect memory type selection

This capability solely makes a statement on cache coherency guarantees
by the IOMMU. It does specifically not imply any further guarantees
implied by certain memory types (cachability, ordering).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>