Lin Liu [Thu, 21 Oct 2021 02:52:39 +0000 (03:52 +0100)]
xen/device-tree: Remove use of *_to_cpup() helpers
These wrappers simply hide a deference, which adds to the cognitive complexity
of reading the code. As such, they're not going to be included in the new
byteswap infrastructure.
No functional change.
Signed-off-by: Lin Liu <lin.liu@citrix.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Bertrand Marquis <bertrand.marquis@arm.com>
Lin Liu [Wed, 20 Oct 2021 04:29:46 +0000 (04:29 +0000)]
xen/lib: Switch to xen/byteorder.h
In divmod.c, additionally swap xen/lib.h for xen/macros.h as only ABS() is
needed.
In find-next-bit.c, ext2 has nothing to do with this logic. It was a local
modification when the logic was imported from Linux, because Xen didn't have a
suitable helper at the time.
The new infrastructure does have a suitable primitive, so use it.
No functional change.
Signed-off-by: Lin Liu <lin.liu@citrix.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Lin Liu [Mon, 9 May 2022 05:47:10 +0000 (01:47 -0400)]
xen: Implement common byte{order,swap}.h
The current swab??() infrastructure is unnecessarily complicated, and can be
replaced entirely with compiler builtins.
All supported compilers provide __BYTE_ORDER__ and __builtin_bswap??().
Nothing in Xen cares about the values of __{BIG,LITTLE}_ENDIAN; just that one
of them is defined. Therefore, centralise their definitions in xen/config.h
Signed-off-by: Lin Liu <lin.liu@citrix.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Thu, 17 Apr 2025 08:01:19 +0000 (10:01 +0200)]
x86/HVM: update repeat count upon nested lin->phys failure
For the X86EMUL_EXCEPTION case the repeat count must be correctly
propagated back. Since for the recursive invocation we use a local
helper variable, its value needs copying to the caller's one.
While there also correct the off-by-1 range in the comment ahead of the
function (strictly speaking for the "DF set" case we'd need to put
another, different range there as well).
Fixes: 53f87c03b4ea ("x86emul: generalize exception handling for rep_* hooks") Reported-by: Manuel Andreas <manuel.andreas@tum.de> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Thu, 17 Apr 2025 08:00:41 +0000 (10:00 +0200)]
Arm: cpu_*_map adjustments
First, they all start out zeroed. There's no point doing an initial
cpumask_clear() on them.
Next, only cpu_online_map may be altered post-boot, and even that only
rarely. Add respective placement attributes.
Finally, cpu_present_map really isn't anything more than an alias of
cpu_possible_map. Avoid the copying, and have the linker provide the
symbol (if needed in the first place; it is needed right now as
common code references the symbol).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
EFI: Avoid crash calling PrintErrMesg from efi_multiboot2
Although code is compiled with -fpic option data is not position
independent. This causes data pointer to become invalid if
code is not relocated properly which is what happens for
efi_multiboot2 which is called by multiboot entry code.
Code tested adding
PrintErrMesg(L"Test message", EFI_BUFFER_TOO_SMALL);
in efi_multiboot2 before calling efi_arch_edd (this function
can potentially call PrintErrMesg).
After the patch:
Booting `XenServer (Serial)'Booting `XenServer (Serial)'
Test message: Buffer too small
BdsDxe: loading Boot0000 "UiApp" from Fv(7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1)/FvFile(462CAA21-7614-4503-836E-8AB6F4662331)
BdsDxe: starting Boot0000 "UiApp" from Fv(7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1)/FvFile(462CAA21-7614-4503-836E-8AB6F4662331)
Andrew Cooper [Tue, 15 Apr 2025 12:49:01 +0000 (13:49 +0100)]
CI: Build with --prefix=/usr rather than setting LD_LIBRARY_PATH
This also moves executables too.
I'm not sure why xilinx-smoke-dom0-x86_64.sh was overriding PATH too, as
/usr/local is clearly in PATH given the other tests, but drop that too.
No practical change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
is_xen_heap_page() and is_xen_heap_mfn() are not implemented for arm32 MPU.
Thus, introduce the stubs for these functions in asm/mpu/mm.h and move the
original code to asm/mmu/mm.h (as it is used for arm32 MMU based system).
xen/arm32: Create the same boot-time MPU regions as arm64
Create Boot-time MPU protection regions (similar to Armv8-R AArch64) for
Armv8-R AArch32.
Also, defined *_PRBAR macros for arm32. The only difference from arm64 is that
XN is 1-bit for arm32.
Define the system registers and macros in mpu/cpregs.h.
Introduce WRITE_SYSREG_ASM() to write to system registers in assembly.
x86/mm: account for the offset when performing subpage r/o MMIO access
The current logic in subpage_mmio_write_emulate() doesn't take into account
the page offset, and always performs the writes at offset 0 (start of the
page).
Fix this by accounting for the offset before performing the write.
Fixes: 8847d6e23f97 ('x86/mm: add API for marking only part of a MMIO page read only') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen/config.h: Move BITS_PER_* definitions from asm/config.h to xen/config.h
BITS_PER_* values can be defined in a common way using compiler-provided macros.
Thus, these definitions are moved to xen/config.h to reduce duplication across
architectures.
Additionally, *_BYTEORDER macros are removed, as BITS_PER_* values now come
directly from the compiler environment.
The arch_fls() implementation for Arm and PPC is updated to use BITS_PER_INT
instead of a hardcoded value of 32.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <jgrall@amazon.com>
This avoids the need to re-compress it in every test job. This saves minutes
of wallclock time.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
Andrew Cooper [Thu, 10 Apr 2025 20:39:16 +0000 (21:39 +0100)]
CI: Switch to new argo artefact
The argo artefact is now a cpio archive and can be appended to dom?-rootfs
directly, rather than being part of of the overlay. Drop the
copy_dom?_files() functions.
xen-argo.ko has moved into the standard location, so update the insmod path.
No practical change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
CI: remove now unused alpine-3.18-arm64-rootfs job and its container
This got moved to test-artifacts.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Anthony PERARD <anthony.perard@vates.tech>
CI: avoid repacking initrd as part of the test job
Use the new test-artifacts which provide rootfs.cpio.gz rather than
initrd.tar.gz. rootfs.cpio.gz also has all the necessary top-level
directories, and includes the rc_verbose setting, so these modifications can
be dropped.
Having that, do not repack the whole initrd, but only pack modified
files and rely on Linux handling of concatenated archives.
This allows packing just test-related files (which includes the whole
toolstack), instead of the whole initrd.
For xilinx-smoke-dom0-x86_64.sh, this involves instructing grub not to unzip
the archive, as doing so corrupts it.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
Andrew Cooper [Sat, 12 Apr 2025 14:33:01 +0000 (15:33 +0100)]
CI: Rename intermediate artefacts in qemu-* scripts
Right now, we have initrd.cpio.gz as domU, and initrd.tar.gz as the base for
dom0.
Rename initrd.cpio.gz to domU-rootfs.cpio.gz, and xen-rootfs.cpio.gz to
dom0-rootfs.cpio.gz to make it clearer which is which. Rename the VM from
test to domU.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
The previous attempt has correct diagnosis, but added -notransfer flag
in a wrong place - it should be used in the first (outer) match out of
two, not the second (inner) one.
Fixes: 1e12cbd6af2c ("CI: fix waiting for final test message") Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen/cpufreq: only set gov NULL when cpufreq_driver.setpolicy is NULL
amd-cppc on active mode bypasses the scaling governor layer, and
provides its own P-state selection algorithms in hardware. Consequently,
when it is used, the driver's -> setpolicy() callback is invoked
to register per-CPU utilization update callbacks, not the ->target()
callback.
So, only when cpufreq_driver.setpolicy is NULL, we need to deliberately
set old gov as NULL to trigger the according gov starting.
Signed-off-by: Penny Zheng <Penny.Zheng@amd.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Daniel P. Smith [Mon, 14 Apr 2025 11:08:56 +0000 (13:08 +0200)]
kconfig: introduce option to independently enable libfdt
Currently, the inclusion of libfdt is controlled by the CONFIG_HAS_DEVICE_TREE
kconfig flag. This flag also changes behavior in a few places, such as boot
module processing for XSM. To support the ability to include libfdt without
changing these behaviors, introduce CONFIG_LIBFDT. The inclusion of
libfdt is then moved under CONFIG_LIBFDT.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com> Signed-off-by: Jason Andryuk <jason.andryuk@amd.com> Reviewed-by: Denis Mukhin <dmukhin@ford.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Enable previously added CONFIG_STACK_PROTECTOR feature for ARM
platform. Initialize stack protector magic value very early, at the
very beginning of start_xen() function.
We want to do this early because prior to that
boot_stack_chk_guard_setup() call, default stack protector guard value
is used. While it is fine for general development and testing, it does
not provide highest security level, because potential attacker will
know the default value and can alter a payload, so correct stack
guard value will be placed in the correct position.
Apart from that argument, boot_stack_chk_guard_setup() should be
called prior to enabling secondary CPUs to avoid race with them.
xen: common: add ability to enable stack protector
Both GCC and Clang support -fstack-protector feature, which add stack
canaries to functions where stack corruption is possible. This patch
makes general preparations to enable this feature on different
supported architectures:
- Added CONFIG_HAS_STACK_PROTECTOR option so each architecture
can enable this feature individually
- Added user-selectable CONFIG_STACK_PROTECTOR option
- Implemented code that sets up random stack canary and a basic
handler for stack protector failures
Stack guard value is initialized in two phases:
1. Pre-defined randomly-selected value.
2. Own implementation of linear congruent random number generator. It
relies on get_cycles() being available very early. If get_cycles()
returns zero, it would leave pre-defined value from the previous step.
boot_stack_chk_guard_setup() is declared as always_inline to ensure
that it will not trigger stack protector by itself. And of course,
caller should ensure that stack protection code will not be reached
later. It is possible to call the same function from an ASM code by
introducing simple trampoline in stack-protector.c, but right now
there is no use case for such trampoline.
As __stack_chk_fail() is not called by Xen source code directly, and
only called by compiler-generated code, it does not needed to be
declared separately. So we need separate MISRA deviation for it.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Mon, 14 Apr 2025 11:05:52 +0000 (13:05 +0200)]
x86/mem-sharing: short-circuit p2m_is_shared() when MEM_SHARING=n
Some of the uses of dom_cow aren't easily DCE-able (without extra
#ifdef-ary), and hence it being constantly NULL when MEM_SHARING=n
misguides Coverity into thinking that there may be a NULL deref in
if ( p2m_is_shared(t) )
d = dom_cow;
if ( get_page(page, d) )
return page;
(in get_page_from_mfn_and_type()). Help the situation by making
p2m_is_shared() be compile-time false when MEM_SHARING=n, thus also
permitting the compiler to DCE some other code.
Note that p2m_is_sharable() isn't used outside of mem_sharing.c, and
hence P2M_SHARABLE_TYPES can simply be left undefined when
MEM_SHARING=n.
Coverity ID: 1645573 Fixes: 79d91e178a1a ("dom_cow is needed for mem-sharing only") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tamas K Lengyel <tamas@tklengyel.com>
Jan Beulich [Mon, 14 Apr 2025 11:04:28 +0000 (13:04 +0200)]
x86/EFI: sanitize DLL characteristics in binary
In GNU ld --disable-reloc-section implies --disable-dynamicbase (and
also --disable-high-entropy-va, just fyi). Therefore to yield
functionally identical binaries independent of whether mkreloc needs to
come into play, add --dynamicbase as well.
GNU ld further defaults to --high-entropy-va (along with --dynamicbase
and --nxcompat) unless "Cygwin-like". This seems wrong to me; that
default should be dependent upon "MinGW-like" instead; for the purpose
of building EFI binaries with a PE32+-capable ELF linker neither
"Cygwin-like" nor "MinGW-like" ought to be true. We certainly don't mean
to have this bit set in the DLL characteristics, so suppress its
setting.
Sadly while --high-entropy-va is supported by GNU ld 2.25,
--disable-high-entropy-va was introduced only in 2.36. Luckily the
defaulting to --high-entropy-va was also only introduced in 2.36. Plus
--disable-reloc-section was introduced precisely there, too. Hence
leverage the probing we do as to base relocation generation, to also
determine whether to pass --disable-high-entropy-va.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
It appears as sometimes it takes more time for Xen even start booting,
mostly due to firmware and fetching large boot files by grub. In some
jobs the current timeout is pretty close to the actual time needed, and
sometimes (rarely for now) test fails due to timeout expiring in the
middle of dom0 booting. This will be happening more often if the
initramfs will grow (and with more complex tests).
This has been observed on some dom0pvh-hvm jobs, at least on runners hw3
and hw11.
Switch to using expect (console.exp) for more robust test output
handling. This allows waiting separately for Xen starting to boot and
then for the test to complete. For now, set both of those to 120s, which
pessimistically bumps timeout for the whole test to 240s (from 120s).
Add S3 handling to console.exp via SUSPEND_MSG + WAKEUP_CMD.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Expect normally discards initial part of its buffer after matching the
patter, before looking for the next one. If both PASSED and LOG_MSG
happen to be in the buffer at the same time, depending on their order,
only one will be matched and the waiting for the other will timeout.
Example expect -d output of this happening (parts eclipsed for brevity):
expect: does "\r\r\r\nWelcome to Alpine Linux 3.18\r\r\r\n...\r\r\r\r\n(domU) + echo 'pci test passed'\r\r\r\r\n(domU) pci test passed\r\r\r\r..." (spawn_id exp4) match regular expression "pci test passed"? Gate "pci test passed"? gate=yes re=yes
...
Gate keeper glob pattern for '\nWelcome to Alpine Linux' is '
Welcome to Alpine Linux'. Activating booster.
expect: does "'\r\r\r\r\n(domU) pci test passed\r\r\r\r\n(domU) [ ok ]\r\r\r\r\n(domU) [ ok ]\r\r\r\r\n(domU) \r\r\r\r\r\n(domU) domU Welcome to Alpine Linux 3.18\r\r\r\r\n(domU) \rKernel 6.6.56 on an x86_64 (/dev/hvc0)\r\r\r\r\n(domU) \r\r\r\r\r\n" (spawn_id exp4) match regular expression "\nWelcome to Alpine Linux"? Gate "\nWelcome to Alpine Linux"? gate=no
Fix this by using -notransfer flag to keep matched part in the buffer.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Acked-by: Andrew Cooper <andrew.cooper3@citix.com>
CI: wait for Xen to start before waiting for test to complete
Add additional stage in console output parsing - wait for first message
from Xen. The message is defined via BOOT_MSG variable. This has two
effects:
- distinguishes failing Xen to load at all from later test failures
- resets timeout when Xen starts loading
The latter is especially relevant for hardware tests where firmware +
network boot may take some time before Xen starts booting. The two-stage
timeout is more robust solution than increasing the overall timeout.
The issue has been observed on some dom0pvh-hvm jobs, at least on
runners hw3 and hw11. This patch is a first stage before qubes-x86-64.sh
is switched to use expect in the next stage.
While at it, consistently use 'expect -re' for all matches. This
especially allows matching newlines ("\n"), which will become relevant
in the next patch. And document variables used in console.exp.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Mon, 7 Apr 2025 17:15:32 +0000 (18:15 +0100)]
CI: Drop stale test-artifacts/alpine/3.18.dockerfile
This should have been dropped too, as the authoritative copy lives in another
repo now.
Fixes: babe11b46c1a ("CI: Drop alpine-3.18-rootfs-export and use test-artefacts") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Jan Beulich [Thu, 10 Apr 2025 08:56:29 +0000 (10:56 +0200)]
include: sort $(wildcard ...) results
The order of items is stored in .*.chk.cmd, and hence variations between
how items are ordered would result in re-invocation of the checking rule
during "make install-xen" despite that already having successfully run
earlier on. The difference can become noticable when building (as non-
root) and installing (as root) use different GNU make versions: In 3.82
the sorting was deliberately undone, just for it to be restored in 4.3.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Daniel P. Smith [Wed, 9 Apr 2025 13:32:26 +0000 (15:32 +0200)]
x86/boot: introduce domid field to struct boot_domain
boot_domain stores the domid until it is used to create (and allocate)
struct domain. d->domain_id is not available early enough.
boot_domain domids are initialized to DOMID_INVALID. If not overridden
by device tree, domids of DOMID_INVALID are assigned a valid value. The
domid will be optionally parsed from the device tree configuration.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com> Signed-off-by: Jason Andryuk <jason.andryuk@amd.com> Signed-off-by: Alejandro Vallejo <agarciav@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Daniel P. Smith [Wed, 9 Apr 2025 13:32:02 +0000 (15:32 +0200)]
x86/boot: introduce boot domain
To begin moving toward allowing the hypervisor to construct more than one
domain at boot, a container is needed for a domain's build information.
Introduce a new header, <xen/asm/bootdomain.h>, that contains the initial
struct boot_domain that encapsulate the build information for a domain.
Add a kernel and ramdisk boot module reference along with a struct domain
reference to the new struct boot_domain. This allows a struct boot_domain
reference to be the only parameter necessary to pass down through the domain
construction call chain.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com> Signed-off-by: Alejandro Vallejo <agarciav@amd.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Jan Beulich [Wed, 9 Apr 2025 13:30:15 +0000 (15:30 +0200)]
libxc/PM: correct (not just) error handling in xc_get_cpufreq_para()
From their introduction all xc_hypercall_bounce_pre() uses, when they
failed, would properly cause exit from the function including cleanup,
yet without informing the caller of the failure. Purge the unlock_1
label for being both pointless and mis-named.
An earlier attempt to switch to the usual split between return value and
errno wasn't quite complete.
HWP work made the cleanup of the "available governors" array
conditional, neglecting the fact that the condition used may not be the
condition that was used to allocate the buffer (as the structure field
is updated upon getting back EAGAIN). Since cleanup can be done even if
no buffer was allocated, drop the conditional there again.
Fixes: 4513025a8790 ("libxc: convert sysctl interfaces over to hypercall buffers")
Amends: 73367cf3b4b4 ("libxc: Fix xc_pm API calls to return negative error and stash error in errno") Fixes: 31e264c672bc ("pmstat&xenpm: Re-arrage for cpufreq union") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
Andrew Cooper [Wed, 9 Apr 2025 10:36:40 +0000 (11:36 +0100)]
x86/ucode: Extend warning about disabling digest check too
This was missed by accident.
Fixes: b63951467e96 ("x86/ucode: Extend AMD digest checks to cover Zen5 CPUs") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
The current implementation of PVH dom0 relies on vPCI to trap and handle
accesses to the MMCFG area. Previous implementation of PVH dom0 (v1)
didn't have vPCI, and as a classic PV dom0, relied on the MMCFG range being
RO. As such hvm_emulate_one_mmio() had to special case write accesses to
the MMCFG area.
With PVH dom0 using vPCI, and the MMCFG accesses being fully handled there,
hvm_emulate_one_mmio() should never handle accesses to MMCFG, making the
code effectively unreachable.
Remove it and leave an ASSERT to make sure MMCFG accesses never get into
hvm_emulate_one_mmio(). As a result of the removal of one of the users of
mmcfg_intercept_write(), the function can now be moved into the same
translation unit where it's solely used, allowing it to be made static and
effectively built only when PV support is enabled.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Roger Pau Monne [Mon, 31 Mar 2025 16:56:01 +0000 (18:56 +0200)]
automation/dockers: add to README how to rebuild all containers
Document in the README how to rebuild all containers. This is helpful when
populating a local docker registry for testing purposes.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Tue, 8 Apr 2025 16:09:15 +0000 (17:09 +0100)]
x86/ucode: Extend AMD digest checks to cover Zen5 CPUs
AMD have updated the SB-7033 advisory to include Zen5 CPUs. Extend the digest
check to cover Zen5 too.
In practice, cover everything until further notice.
Observant readers may be wondering where the update to the digest list is. At
the time of writing, no Zen5 patches are available via a verifiable channel.
xen: x86: irq: initialize irq desc in create_irq()
While building xen with GCC 14.2.1 with "-fcondition-coverage" option
or with "-Og", the compiler produces a false positive warning:
arch/x86/irq.c: In function ‘create_irq’:
arch/x86/irq.c:281:11: error: ‘desc’ may be used uninitialized [-Werror=maybe-uninitialized]
281 | ret = init_one_irq_desc(desc);
| ^~~~~~~~~~~~~~~~~~~~~~~
arch/x86/irq.c:269:22: note: ‘desc’ was declared here
269 | struct irq_desc *desc;
| ^~~~
cc1: all warnings being treated as errors
make[2]: *** [Rules.mk:252: arch/x86/irq.o] Error 1
While we have signed/unsigned comparison both in "for" loop and in
"if" statement, this still can't lead to use of uninitialized "desc",
as either loop will be executed at least once, or the function will
return early. So this is a clearly false positive warning due to a
bug [1] in GCC.
Jan Beulich [Tue, 8 Apr 2025 07:38:36 +0000 (09:38 +0200)]
Config.mk: correct gcc5 check
Passing the -dumpversion option to gcc may only print the major version
(my system 4.x.y printed major and minor, which in nowaday's scheme is
then indeed just 5 for 5.x, which in turn is what my secondary system
compiler does).
Fixes: 40458f752550 ("Xen: Update compiler baseline checks") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
tools/libxl: search PATH for QEMU if `QEMU_XEN_PATH` is not absolute
`QEMU_XEN_PATH` will be configured as `qemu-system-i386` with no clue where, if
`--with-system-qemu` is set without giving a path (as matched in the case `yes`
but not `*`). However, the existence of the executable is checked by `access()`,
that will not look for anywhere in $PATH but the current directory. And since it
is possible for `qemu-system-i386` (or any other configured values) to be
executed from PATH later, we'd better find that in PATH and return the full path
for the caller to check against.
Signed-off-by: Hongbo <hehongbo@mail.com> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
CPUID leaf 0x2 emits one-byte descriptors in its four output registers
EAX, EBX, ECX, and EDX. For these descriptors to be valid, the most
significant bit (MSB) of each register must be clear.
Leaf 0x2 parsing at intel.c only validated the MSBs of EAX, EBX, and
ECX, but left EDX unchecked.
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1881148215c6 Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen: vm_event: do not do vm_event_op for an invalid domain
A privileged domain can issue XEN_DOMCTL_vm_event_op with
op->domain == DOMID_INVALID. In this case vm_event_domctl()
function will get NULL as the first parameter and this will
cause hypervisor panic, as it tries to derefer this pointer.
Fix the issue by checking if valid domain is passed in.
Fixes: 48b84249459f ("xen/vm-event: Drop unused u_domctl parameter from vm_event_domctl()") Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
In order to close a race window for Xenstore live update when using
the new unique_id of domains, the migration stream needs to contain
this unique_id for each domain known by Xenstore.
Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@vates.tech>
CI: adjust resolving network interface into PCI device
Change how PCI device lookup is done to handle also USB devices, in
which case get the USB controller. Instead of taking basename of the
'device' symlink, resolve the full path (example:
/sys/devices/pci0000:00/0000:00:09.0/usb4/4-7/4-7:1.0) and take the
first part after pci0000:00. Theoretically it could be a bridge, but VM
has flat PCI topology.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
CI: wait for the network interface in PCI passthrough tests
The network driver initializes asynchronously, and it may not be ready
yet by the time the startup script is called. This is especially the
case for USB network adapter (where the PCI device is the USB
controller) in the upcoming runner.
Don't bother about separate timeout - test timeout will cover this part
too.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Thu, 3 Apr 2025 14:37:23 +0000 (15:37 +0100)]
x86/AMD: Convert wrmsr_amd_safe() to use asm goto()
Bloat-o-meter reports:
add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-29 (-29)
Function old new delta
_probe_mask_msr 99 94 -5
init_amd 2418 2394 -24
but this under-reports because .fixup doesn't contain sized/typed symbols.
This also drops two "mov -EFAULT, %reg; jmp ...;" sequences too, so the net
saving is -50.
wrmsr_amd_safe()'s return value is only checked against 0 (if at all), and
because of this, the compiler can now avoid manifesting the 0/-EFAULT
constants entirely, and the %[fault] label simply lands on the right basic
block.
Convert to Xen style while rewriting.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Thu, 3 Apr 2025 10:49:02 +0000 (11:49 +0100)]
xen/link: Drop .fixup section from non-x86 architectures
The fixup section is only used by x86, and we're working to remove it there
too. Logic in the fixup section is unconnected to it's origin site, and
interferes with backtraces/etc.
Remove the section from the architectures which don't use it.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Acked-by: Shawn Anastasio <sanastasio@raptorengineering.com>
tools/libxl: do not use `-c -E` compiler options together
It makes no sense to request for preprocessor only output and also request
object file generation. Fix the _libxl.api-for-check target to only use
-E (preprocessor output).
Also Clang 20.0 reports an error if both options are used.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> Fixes: 2862bf5b6c81 ('libxl: enforce prohibitions of internal callers') Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Anthony PERARD <anthony.perard@vates.tech>
Improve error handling in VMX wrappers by switching to `asm goto()` where
possible.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/210 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86/emulate: Remove HAVE_AS_RDRAND and HAVE_AS_RDSEED
The new toolchain baseline knows the RDRAND and RDSEED instructions; no need
to carry the workaround in the code.
Fix up arch_get_random() too.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/208 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
The new toolchain baseline knows both the XSAVEOPT and CLWB instructions.
It knows CLFLUSHOPT too, so fix up those.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/205 Signed-off-by: "Alexander M. Merritt" <alexander@edera.dev> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Jan Beulich [Mon, 7 Apr 2025 10:16:43 +0000 (12:16 +0200)]
x86emul: replace _BYTES_PER_LONG
We can now easily use __SIZEOF_LONG__ instead. For this to also work in
the test harness, move hvmloader's STR() to common-macros.h.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Anthony PERARD <anthony.perard@vates.tech>
The new toolchain baseline knows the CRC32 instructions; no need to carry the
workaround in the code.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/206 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
The new toolchain baseline knows the INVPCID instruction; no need to carry the
workaround in the code.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/209 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
The new toolchain baseline knows the {RD,WR}{F,G}SBASE instructions; no need
to carry the workaround in the code.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/207 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
The new toolchain baseline knows the VMX instructions; no need to carry the
workaround in the code.
Inline __vmxoff() into it's single caller.
Updated formatting in the wrappers to consistent.
No functional change.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/202 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Michal Orzel [Wed, 2 Apr 2025 08:42:33 +0000 (10:42 +0200)]
xen/arm: Drop process_shm_chosen()
There's no benefit in having process_shm_chosen() next to process_shm().
The former is just a helper to pass "/chosen" node to the latter for
hwdom case. Drop process_shm_chosen() and instead use process_shm()
passing NULL as node parameter, which will result in searching for and
using /chosen to find shm node (the DT full path search is done in
process_shm() to avoid expensive lookup if !CONFIG_STATIC_SHM). This
will simplify future handling of hw/control domain separation.
Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Michal Orzel [Wed, 2 Apr 2025 08:42:32 +0000 (10:42 +0200)]
xen/arm: Don't call process_shm_chosen() during ACPI boot
Static shared memory requires device-tree boot. At the moment, booting
with ACPI enabled and CONFIG_STATIC_SHM=y results in a data abort when
dereferencing node in process_shm() because dt_host is always NULL.
Fixes: 09c0a8976acf ("xen/arm: enable statically shared memory on Dom0") Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Jan Beulich [Thu, 3 Apr 2025 07:39:52 +0000 (09:39 +0200)]
x86/boot: re-order .init.data contributions
Putting a few bytes ahead of page tables isn't very efficient; there's
a gap almost worth a full page. To avoid re-ordering of items in the
source file, simply put the few small items in sub-section 1, for them
to end up after the page tables, followed (in the final binary) by non-
page-aligned items from other CUs.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Jan Beulich [Thu, 3 Apr 2025 07:39:35 +0000 (09:39 +0200)]
x86/CPU: don't hard-code MTRR availability
In particular if we're running virtualized, the underlying hypervisor
(which may be another Xen) may not surface MTRRs, and offer PAT only.
Fixes: 5a281883cdc3 ("Hardcode many cpu features for x86/64 -- we know 64-bit") Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 3 Apr 2025 07:39:13 +0000 (09:39 +0200)]
x86/MTRR: hook mtrr_bp_restore() back up
Unlike stated in the offending commit's description,
load_system_tables() wasn't the only thing left to retain from the
earlier restore_rest_processor_state(). Note that MTRR state was still
reloaded via mtrr_aps_sync_end(), but that happens quite a bit later in
the resume process.
While there also do Misra-related tidying for the function itself: The
function being used from assembly only means it doesn't need to have a
declaration, but wants to be asmlinkage.
Fixes: 4304ff420e51 ("x86/S3: Drop {save,restore}_rest_processor_state() completely") Reported-by: Roger Pau Monné <roger.pau@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Jan Beulich [Thu, 3 Apr 2025 07:38:41 +0000 (09:38 +0200)]
x86/MTRR: constrain AP sync and BSP restore
mtrr_set_all() has quite a bit of overhead, which is entirely useless
when set_mtrr_state() really does nothing. Furthermore, with
mtrr_state.def_type never initialized from hardware, post_set()'s
unconditional writing of the MSR means would leave us running in UC
mode after the sync.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com>
This is Intel i7-7567U in NUC 7i7BNH. This one is an older one, with no
firmware updates (last update from 2023) and no microcode udpates
either. While this firmware supports UEFI, network boot works only in
legacy mode - thus legacy is used here (via iPXE, instead of grub2.efi).
Testing legacy boot path may be a useful thing on its own.
Add the same set of tests as on ADL runner.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Evtchn fifos are not needed on smaller systems; the older interface is
lightweight and sufficient. Also, event_fifo causes runtime anonymous
memory allocations, which are undesirable. Additionally, it exposes an
extra interface to the guest, which is also undesirable unless
necessary.
Make it possible to disable evtchn fifo.
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Acked-by: Michal Orzel <michal.orzel@amd.com>
The new toolchain baseline knows the STAC/CLAC instructions,
no need to carry the workaround in the code.
Resolves: https://gitlab.com/xen-project/xen/-/work_items/203 Signed-off-by: Denis Mukhin <dmukhin@ford.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper [Tue, 1 Apr 2025 22:56:46 +0000 (23:56 +0100)]
x86/vmx: Use asm goto() in _vmx_cpu_up()
With the new toolchain baseline, we can make use of asm goto() in certain
places, and the VMXON invocation is one example.
This removes the logic to set up rc (including a fixup section where bactraces
have no connection to the invoking function), the logic to decode it,
including the default case which was dead but not visibly-so to the compiler.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Andrew Cooper [Fri, 28 Mar 2025 10:04:31 +0000 (10:04 +0000)]
xen/lzo: Remove more remanants of TMEM
This logic was inserted by commit 447f613c5404 ("lzo: update LZO compression
to current upstream version") but was only relevant for the TMEM logic, so
should have been deleted in commit c492e19fdd05 ("xen: remove tmem from
hypervisor")
Fixes: c492e19fdd05 ("xen: remove tmem from hypervisor") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
Michal Orzel [Wed, 2 Apr 2025 10:10:13 +0000 (12:10 +0200)]
xen/arm: Include xen/vmap.h in mm.c
As reported by ECLAIR scan, MISRA requires declaration to be visible
(R8.4). This is not the case for ioremap().
Fixes: 2cd02c27d327 ("arm/mpu: Implement stubs for ioremap_attr on MPU") Signed-off-by: Michal Orzel <michal.orzel@amd.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen: simplify bitmap_to_xenctl_bitmap for little endian
The little endian implementation of bitmap_to_xenctl_bitmap leads to
unnecessary xmallocs and xfrees. Given that Xen only supports little
endian architectures, it is worth optimizing.
This patch removes the need for the xmalloc on little endian
architectures.
Remove clamp_last_byte as it is only called once and only needs to
modify one byte. Inline it.
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
ARM MPU system doesn't need to use paging memory pool, as MPU memory
mapping table at most takes only one 4KB page, which is enough to
manage the maximum 255 MPU memory regions, for all EL2 stage 1
translation and EL1 stage 2 translation.
Introduce ARCH_PAGING_MEMPOOL Kconfig common symbol, selected for Arm
MMU systems and x86. Removed stubs from RISC-V now that the common code
provide them and the functions are not gonna be used.
Wrap the code inside 'construct_domU' that deal with p2m paging
allocation in a new function 'domain_p2m_set_allocation', protected
by ARCH_PAGING_MEMPOOL, this is done in this way to prevent polluting
the former function with #ifdefs and improve readability
Introduce arch_{get,set}_paging_mempool_size stubs for architecture
with !ARCH_PAGING_MEMPOOL.
Remove 'struct paging_domain' from Arm 'struct arch_domain' when the
field is not required.
Implement ioremap_attr() stub for MPU system; the
implementation of ioremap() is the same between MMU
and MPU system, and it relies on ioremap_attr(), so
move the definition from mmu/pt.c to arm/mm.c.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
The MPU system requires static memory to work, select that
when building this memory management subsystem.
While there, provide a restriction for the ARM_EFI Kconfig
parameter to be built only when !MPU, the EFI stub is not
used as there are no implementation of UEFI services for
armv8-r.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
projects / xen.git / log