xenbits.xensource.com Git - people/royger/xen.git/log
6 years ago x86/efi: move the logic to detect PE build support [lld_v8, gitlab/lld_v8]
Roger Pau Monne [Fri, 13 Jul 2018 09:25:05 +0000 (11:25 +0200)]
x86/efi: move the logic to detect PE build support

So that it can be used by the linker script also. With this change the
linker script processor is capable of knowing whether the build has
been performed with PE support or not, and thus create a dummy efi
symbol only when required.

This avoids using a conditional expression with DEFINED on the linker
script, and prevents the following build error with lld (LLVM linker):

ld    -melf_x86_64_fbsd  -T xen.lds -N prelink.o --build-id=sha1 \
    /root/src/xen/xen/common/symbols-dummy.o -o /root/src/xen/xen/.xen-syms.0
ld: error: xen.lds:233: symbol not found: efi

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Daniel Kiper <daniel.kiper@oracle.com>
6 years ago xen: oprofile/nmi_int.c: Drop unwanted sexual reference [lld_v10, gitlab/lld_v10]
Ian Jackson [Thu, 12 Jul 2018 14:36:11 +0000 (15:36 +0100)]
xen: oprofile/nmi_int.c: Drop unwanted sexual reference

This is not really very nice.

This line doesn't have much value in itself.  The rest of this comment
block is pretty clear what it wants to convey.  So delete it.

(While we are here, adopt the CODING_STYLE-mandated formatting.)

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Lars Kurth <lars.kurth.xen@gmail.com>
Acked-by: George Dunlap <dunlapg@umich.edu>
Acked-by: Jan Beulich <JBeulich@suse.com>
---
v3: Restore erroneously-dropped tab.
v2: Delete the comment entirely.

6 years ago automation/build: build ovmf
Wei Liu [Wed, 11 Jul 2018 13:16:16 +0000 (14:16 +0100)]
automation/build: build ovmf

Install nasm and build ovmf with gcc on x86.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Doug Goldstein <cardoe@cardoe.com>
6 years ago x86: replace '||' usage in the linker script
Roger Pau Monné [Thu, 12 Jul 2018 08:48:18 +0000 (10:48 +0200)]
x86: replace '||' usage in the linker script

With '|'. The result is the same, and the latter works with lld. Fixes
the following error when building Xen with lld:

ld    -melf_x86_64_fbsd  -T xen.lds -N prelink.o --build-id=sha1 \
    /root/src/xen/xen/common/symbols-dummy.o -o /root/src/xen/xen/.xen-syms.0
ld: error: xen.lds:260: malformed number: |
>>> ASSERT(__image_base__ > (((((((((261 >> 8) * 0xffff000000000000) | (261 << 39))) + ((1 << 39) / 2)) + (64 << 30)) + (1 << 30)) + (1 << 30))) ||
>>>                                                                                                                                               ^

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/shadow: fetch CPL just once in sh_page_fault()
Jan Beulich [Thu, 12 Jul 2018 08:47:33 +0000 (10:47 +0200)]
x86/shadow: fetch CPL just once in sh_page_fault()

This isn't as much of an optimization than to avoid triggering a gcc bug
affecting 5.x ... 7.x, triggered by any asm() put inside the ad hoc
"rewalk" loop and taking as an (output?) operand a register variable
tied to %rdx (an "rdx" clobber is fine). The issue is due to an apparent
collision in register use with the modulo operation in vtlb_hash(),
which (with optimization enabled) involves a multiplication of two
64-bit values with the upper half (in %rdx) of the 128-bit result being
of interest.

Such an asm() was originally meant to be implicitly introduced into the
code when converting most indirect calls through the hvm_funcs table to
direct calls (via alternative instruction patching); that model was
switched to clobbers due to further compiler problems, but I think the
change here is worthwhile nevertheless.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
6 years ago x86/shim: fully ignore "nosmp" and "maxcpus="
Jan Beulich [Thu, 12 Jul 2018 08:46:58 +0000 (10:46 +0200)]
x86/shim: fully ignore "nosmp" and "maxcpus="

In the shim case, the number of CPUs should be solely controlled by the
guest configuration file. Make sure the command line options are fully
(and not just partially) ignored.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
6 years ago mm/page_alloc: correct first_dirty calculations during block merging
Sergey Dyasli [Thu, 12 Jul 2018 08:45:11 +0000 (10:45 +0200)]
mm/page_alloc: correct first_dirty calculations during block merging

Currently it's possible to hit an assertion in alloc_heap_pages():

Assertion 'first_dirty != INVALID_DIRTY_IDX || !(pg[i].count_info & PGC_need_scrub)' failed at page_alloc.c:988

This can happen because a piece of logic to calculate first_dirty
during block merging in free_heap_pages() is missing for the following
scenario:

1. Current block's first_dirty equals INVALID_DIRTY_IDX
2. Successor block is free but its first_dirty != INVALID_DIRTY_IDX
3. The successor is merged into current block
4. Current block's first_dirty still equals INVALID_DIRTY_IDX

This will trigger the assertion during allocation of such block in
alloc_heap_pages() because there will be pages with PGC_need_scrub
bit set despite the claim of first_dirty that the block is scrubbed.

Add the missing piece of logic and slightly update the comment for
the predecessor case to better capture the code's intent.

Fixes 1a37f33ea613 ("mm: Place unscrubbed pages at the end of pagelist")

Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
6 years ago xen/arm: setup: Move in init code only used at boot in setup.c
Julien Grall [Wed, 11 Jul 2018 19:19:00 +0000 (12:19 -0700)]
xen/arm: setup: Move in init code only used at boot in setup.c

Some of the functions implemented in setup.c are only used at boot but
not yet marked as such.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago xen/libfdt: Put all libfdt in init
Julien Grall [Mon, 2 Jul 2018 16:19:09 +0000 (17:19 +0100)]
xen/libfdt: Put all libfdt in init

Libfdt is used for:
    - Unflatten the Flatten Device-Tree (FDT) blob
    - Create Device-Tree for the Hardware-Domain

Both uses are done during the initialization of Xen. So move all the
libfdt to init.

Note that the runes were borrowed from libelf Makefile.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago xen: Don't build libelf for Arm
Julien Grall [Mon, 2 Jul 2018 16:19:08 +0000 (17:19 +0100)]
xen: Don't build libelf for Arm

Now that ELF support has been dropped to boot Dom0, no-one is using
libelf within the hypervisor.

Introduce a config option to select libelf on x86 and keep unselected
for Arm.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago xen/arm: Drop support for loading ELF Dom0 kernel
Julien Grall [Mon, 2 Jul 2018 16:19:07 +0000 (17:19 +0100)]
xen/arm: Drop support for loading ELF Dom0 kernel

The code has been around since the beginning of Xen Arm. However, I am
not aware of any user and the code is pretty bogus:
    1) It is assuming virtual address == physical address.
    2) The cache is not cleaned after the Image is loaded but the Image
    is started with Cache disabled.
    3) There is no clear ABI with the guest.

Xen is currently supporting 3 other formats (zImage, Image, U-boot Image)
as well as gzip compressed versions of each format. All of them are well
documented and widely used.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago xen/arm: kernel: Move in init all the code/data of kernel.c
Julien Grall [Mon, 2 Jul 2018 16:19:06 +0000 (17:19 +0100)]
xen/arm: kernel: Move in init all the code/data of kernel.c

The file kernel.c only contains code/data used during the
initialization. So move everything to init and mark the file as such.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago xen/arm: domain_build: Move in init all code/data of domain_build.c
Julien Grall [Mon, 2 Jul 2018 16:19:05 +0000 (17:19 +0100)]
xen/arm: domain_build: Move in init all code/data of domain_build.c

The file domain_build.c only contains code/data used during the
initialization. So move everything to init and mark the file as such.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago xen/arm: Remove the variable dom0_11_mapping and open-code the value
Julien Grall [Mon, 2 Jul 2018 16:19:04 +0000 (17:19 +0100)]
xen/arm: Remove the variable dom0_11_mapping and open-code the value

Dom0 (aka hardware domain on Arm) is always direct mapped. Rather than
using a global variable to store a const, directly open-code it or
replace the use with is_domain_direct_mapped(...) macros.

This will also help a follow-up patch to move all domain_build.c in
init.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
6 years ago automation: fix builds with clang
Doug Goldstein [Tue, 10 Jul 2018 22:58:58 +0000 (17:58 -0500)]
automation: fix builds with clang

a75703b2f0f585a2fc6a7bcdb7d16a61bcf5e6b0 unconditionally enabled
building of rombios and stubdoms but unfortunately these two pieces do
not build successfully with clang. rombios unconditionally depends on
the build of iPXE and upstream iPXE does not support building with
clang. Similarly the build of the stubdoms depends on the build of
newlib which does not support being built with clang.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tools/libxencall: enforce proper alignment of hypercall buffers
Juergen Gross [Fri, 8 Jun 2018 09:51:12 +0000 (11:51 +0200)]
tools/libxencall: enforce proper alignment of hypercall buffers

xencall_alloc_buffer() is used throughout Xen tools for allocating
hypercall buffers. Allocation is done at page granularity. For simple
administration each allocated set of pages contains a small header
holding the number of pages of that set. The hypercall buffer is
located directly after the 4 byte sized header, leading to a wrong
alignment for e.g. pointers.

Repair that by using a 16 byte sized header enforcing the same
alignment as malloc().

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago xl/vsnd: initialise rc in dryrun path
Wei Liu [Tue, 10 Jul 2018 13:43:34 +0000 (14:43 +0100)]
xl/vsnd: initialise rc in dryrun path

Reported-by: Coverity
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
6 years ago xl/vsnd: use xcalloc to allocate memory for parser
Wei Liu [Tue, 10 Jul 2018 13:41:16 +0000 (14:41 +0100)]
xl/vsnd: use xcalloc to allocate memory for parser

... because it handles errors for us.

Reported-by: Coverity
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
6 years ago libxl/vsnd: add missing error checks
Wei Liu [Tue, 10 Jul 2018 13:35:11 +0000 (14:35 +0100)]
libxl/vsnd: add missing error checks

Reported-by: Coverity
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
6 years ago doc: correct intel_psr_cat_cdp.pandoc syntax
Juergen Gross [Tue, 8 May 2018 06:47:31 +0000 (08:47 +0200)]
doc: correct intel_psr_cat_cdp.pandoc syntax

"make -C docs all" fails due to incorrect markdown syntax in
intel_psr_cat_cdp.pandoc. Correct it.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
[ wei: update changelog section ]
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
6 years ago docs: adjust release management doc
Juergen Gross [Tue, 10 Jul 2018 13:14:56 +0000 (15:14 +0200)]
docs: adjust release management doc

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago MAINTAINERS: use https for git trees
Wei Liu [Tue, 10 Jul 2018 08:13:43 +0000 (09:13 +0100)]
MAINTAINERS: use https for git trees

Commit message stolen from a reply from Ian:

The git protocol is not just unencrypted, but also unauthenticated.
In theory it is possible to verify the signed tags for actual
releases, but that is a cumbersome process which I very much doubt
anyone really does.

As for the various branch tips, there is currently no way (unless you
have a shell account on xenbits) to get any kind of authenticated
value.

Conversely, if you use an https url, you get some cryptographic
authentication of what you are cloning.  The crypto there is far from
perfect but it is massively better than nothing.

Additionally, in general, using and supporting https also means that
*what users are accessing* is encrypted.  This enhances user privacy.
In the specific case of the git trees on xenbits this is a very minor
consideration.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
6 years ago MAINTAINERS: drop USB PV DRIVERS entry
Wei Liu [Tue, 10 Jul 2018 08:07:28 +0000 (09:07 +0100)]
MAINTAINERS: drop USB PV DRIVERS entry

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
6 years ago x86/pvh: clarify Dom0 PVH build error message
Roger Pau Monné [Tue, 10 Jul 2018 10:23:19 +0000 (12:23 +0200)]
x86/pvh: clarify Dom0 PVH build error message

Avoid having error messages with the same text. No functional change.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/spec-ctrl: command line handling adjustments
Jan Beulich [Tue, 10 Jul 2018 10:22:31 +0000 (12:22 +0200)]
x86/spec-ctrl: command line handling adjustments

For one, "no-xen" should not imply "no-eager-fpu", as "eager FPU" mode
is to guard guests, not Xen itself, which is also expressed so by
print_details().

And then opt_ssbd, despite being off by default, should also be cleared
by the "no" and "no-xen" sub-options.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago docs: add PV sound device config
Oleksandr Grytsov [Fri, 15 Jun 2018 10:15:18 +0000 (13:15 +0300)]
docs: add PV sound device config

Update documentation with virtual sound device

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago xl: add vsnd CLI commands
Oleksandr Grytsov [Fri, 15 Jun 2018 10:15:17 +0000 (13:15 +0300)]
xl: add vsnd CLI commands

Add CLI commands to attach, detach and list virtual sound devices

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago xl: add PV sound condif parser
Oleksandr Grytsov [Fri, 15 Jun 2018 10:15:16 +0000 (13:15 +0300)]
xl: add PV sound condif parser

Add config parser for virtual sound devices

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago libxl: add vsnd list and info
Oleksandr Grytsov [Fri, 15 Jun 2018 10:15:15 +0000 (13:15 +0300)]
libxl: add vsnd list and info

Add getting vsnd list and info API

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago libxl: add PV sound device
Oleksandr Grytsov [Fri, 15 Jun 2018 10:15:14 +0000 (13:15 +0300)]
libxl: add PV sound device

Add PV sound device described in sndif.h

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago libxl/xl: rename id to unique-id in vdispl xen store
Oleksandr Grytsov [Tue, 12 Jun 2018 15:40:46 +0000 (18:40 +0300)]
libxl/xl: rename id to unique-id in vdispl xen store

In the display protocol connector's id is named as unique-id. This patch renames
it in the libxl/xl code and uses XENDISPL_FIELD... definitions from the protocol
header.

Signed-off-by: Oleksandr Grytsov <oleksandr_grytsov@epam.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago Replace http: with https: in MAINTAINERS file
Lars Kurth [Tue, 1 May 2018 12:34:01 +0000 (13:34 +0100)]
Replace http: with https: in MAINTAINERS file

Requested by Ian Jackson, see
https://lists.xenproject.org/archives/html/xen-devel/2018-04/msg02286.html

The patch also fixes the location of linux-2.6.18-xen.hg (it is currently
pointing to an alias)

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
6 years ago Replace occurances of xen.org with xenproject.org
Lars Kurth [Tue, 1 May 2018 12:34:00 +0000 (13:34 +0100)]
Replace occurances of xen.org with xenproject.org

This is a general clean-up activity. It also avoids mails being
sent to xen-devel@lists.xenproject.org and xen-devel@lists.xen.org
when used with add_maintainers.pl/git send-email.

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Released-acked-by: Juergen Gross <jgross@suse.com>
6 years ago build: fix include paths in FreeBSD
Roger Pau Monne [Mon, 2 Jul 2018 08:28:26 +0000 (10:28 +0200)]
build: fix include paths in FreeBSD

FreeBSD package manager uses /usr/local/ as the default install path,
but that's not part of the compiler search path, so add it using the
APPEND_{LIB/INCLUDES} variables.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tests/xs: use ENOENT instead of ENODATA
Roger Pau Monne [Mon, 2 Jul 2018 08:28:25 +0000 (10:28 +0200)]
tests/xs: use ENOENT instead of ENODATA

ENODATA is not part of the standard set of errno values, so use
ENOENT instead. This fixes the build on FreeBSD.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tests: disable x86 emulator test harness when using clang
Roger Pau Monne [Mon, 2 Jul 2018 08:28:24 +0000 (10:28 +0200)]
tests: disable x86 emulator test harness when using clang

clang is not capable of building the x86 emulator test harness, so
disconnect it from the clang build until it can be fixed.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago firmware/seabios: fix build on systems with non GNU toolchains
Roger Pau Monne [Mon, 2 Jul 2018 08:28:23 +0000 (10:28 +0200)]
firmware/seabios: fix build on systems with non GNU toolchains

SeaBIOS requires gcc and GNU ld in order to build, so allow setting
SEABIOSCC and SEABIOSLD by the caller when building in order to pass
the path to the compiler and linker that should be used when building
SeaBIOS.

Note that the LD32BIT-y variable was used by FreeBSD builds and is no
longer needed due to the ability to select the LD to use for SeaBIOS
builds, so remove it.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago automation: build more stuff on x86 with docker
Wei Liu [Mon, 9 Jul 2018 15:11:15 +0000 (16:11 +0100)]
automation: build more stuff on x86 with docker

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
6 years ago automation: introduce stretch-i386.dockerfile
Wei Liu [Tue, 22 May 2018 16:30:39 +0000 (17:30 +0100)]
automation: introduce stretch-i386.dockerfile

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
6 years ago automation: install some packages for CentOS from EPEL
Wei Liu [Mon, 9 Jul 2018 14:24:19 +0000 (15:24 +0100)]
automation: install some packages for CentOS from EPEL

They are needed to build tools.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
6 years ago stubdom: disable newlib's need for texinfo
Doug Goldstein [Mon, 9 Jul 2018 17:05:46 +0000 (12:05 -0500)]
stubdom: disable newlib's need for texinfo

newlib has a hardcoded dependency on texinfo, which in turn means that
Xen has this dependency when building the stub domains. The files that
newlib generates are never used or exposed by the Xen build system so
it's really a wasted effort to require a heavy (size wise) package for
the build of something that's thrown away. Instead of adding it as a
requirement this patches out the code path in newlib that uses it so
that the files are never generated.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
6 years ago x86/msr: Rename the msr policy objects
Andrew Cooper [Thu, 5 Jul 2018 15:25:39 +0000 (15:25 +0000)]
x86/msr: Rename the msr policy objects

After attempting to develop the infrastructure, it turns out that the choice
of naming is suboptimal.

Rename msr_domain_policy to just msr_policy to mirror the CPUID side of
things, and alter the 'dp' variable name convention to 'mp'.  While altering
all the names, export all of the system msr_policy objects (which are already
global symbols).

Rename msr_vcpu_policy to vcpu_msrs and switch 'vp' to 'msrs' in code.  Update
the arch_vcpu field name to match.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago xen: Introduce an xmemdup() helper
Andrew Cooper [Thu, 5 Jul 2018 14:19:00 +0000 (14:19 +0000)]
xen: Introduce an xmemdup() helper

... and use it in place of the opencoded instances.

For consistency, restructure init_domain_cpuid_policy() to be like
init_{domain,vcpu}_msr_policy() by operating on the local pointer where
possible.

No change in behaviour.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago tools/libs: Fix stable library ABI breakage from c/s e1ed22be85
Andrew Cooper [Mon, 9 Jul 2018 09:13:48 +0000 (10:13 +0100)]
tools/libs: Fix stable library ABI breakage from c/s e1ed22be85

For libxengnttab.map, introducing a new VERS* section must be matched with an
equivalent SONAME bump.

For libxencall.map, the hunk as presented would have been ok, if Xen 4.11
hadn't been released between xencall_buffers_never_fault() and xencall_fd()
being introduced.  Given the timing of the release, xencall_fd() needs moving
into a new VERS_1.2 section.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
6 years ago x86: drop dead asm-offsets definitions
Jan Beulich [Mon, 9 Jul 2018 08:53:32 +0000 (10:53 +0200)]
x86: drop dead asm-offsets definitions

UREGS_user_sizeof had a use long, long ago on x86, and apparently was
blindly cloned into ARM code.

The uses of UREGS_saved_upcall_mask and UREGS_{ds,es,fs,gs} disappeared
in 71eb3a65e3 ("VMX: streamline entry.S code") and 110b2d6e8a ("SVM:
streamline entry.S code").

There are other ARM side UREGS_* which look to be unused, but I'd prefer
to leave deciding on their disposition to ARM folks.

irq_caps_offset and next_in_list_offset were introduced in 57b0566668
("Re-enable MSI support") without any user.

VCPU_failsafe_{addr,sel} and _VGCF_failsafe_disables_events uses went
away in d9b7ef209a ("x86: drop failsafe callback invocation from
assembly").

CPUINFO_processor_id looks to have been introduced without user by
917335d8b3 ("x86: Avoid assumptions about C struct layouts from asm
code").

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
6 years ago x86: consolidate legacy FPU state loading
Jan Beulich [Mon, 9 Jul 2018 08:52:50 +0000 (10:52 +0200)]
x86: consolidate legacy FPU state loading

First of all introduce a helper function instead of replicating almost
the same code for PV and HVM. The differences between the two pieces of
code actually point out an issue (which is also addressed here): In
the HVM case FCW would not have been set to FCW_RESET in certain cases
(note for example that XRSTOR loads FCW_DEFAULT rather than FCW_RESET
when the respective xstate_bv bit is clear).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86: reduce IRQs disabled section in flush_area_local()
Jan Beulich [Mon, 9 Jul 2018 08:51:33 +0000 (10:51 +0200)]
x86: reduce IRQs disabled section in flush_area_local()

Only the pre_flush() / post_flush() section actually needs to run with
interrupts disabled.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86: correctly set nonlazy_xstate_used when loading full state
Jan Beulich [Mon, 9 Jul 2018 08:51:02 +0000 (10:51 +0200)]
x86: correctly set nonlazy_xstate_used when loading full state

In this case, just like xcr0_accum, nonlazy_xstate_used should always be
set to the intended new value, rather than possibly leaving the flag set
from a prior state load.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86: fix dependency tracking for asm/indirect_thunk_asm.h
Jan Beulich [Mon, 9 Jul 2018 08:49:37 +0000 (10:49 +0200)]
x86: fix dependency tracking for asm/indirect_thunk_asm.h

Including the header solely at the assembler level means the compiler
can't record the header as a dependency in .*.o.d files. Arrange for the
header to be include-able at the C level instead.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago xen: Port the array_index_nospec() infrastructure from Linux
Andrew Cooper [Fri, 6 Jul 2018 11:06:10 +0000 (12:06 +0100)]
xen: Port the array_index_nospec() infrastructure from Linux

This is as the infrastructure appeared in Linux 4.17, adapted slightly for
Xen.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago tools/tests/depriv-fd-checker: Support checking of Linux tun devices
Ian Jackson [Wed, 30 May 2018 15:49:25 +0000 (16:49 +0100)]
tools/tests/depriv-fd-checker: Support checking of Linux tun devices

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tools/tests/depriv: Install depriv-fd-checker in our private libexec directory
Ian Jackson [Fri, 25 May 2018 16:04:22 +0000 (17:04 +0100)]
tools/tests/depriv: Install depriv-fd-checker in our private libexec directory

osstest is going to want to call it, and should not be expected to
fish it out of the build tree.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tools/tests: Allow a test subdir to have `install' and `uninstall' targets
Ian Jackson [Fri, 25 May 2018 16:01:15 +0000 (17:01 +0100)]
tools/tests: Allow a test subdir to have `install' and `uninstall' targets

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tools/tests/depriv: New test utility for deprivilege auditing
Ian Jackson [Fri, 25 May 2018 14:40:27 +0000 (15:40 +0100)]
tools/tests/depriv: New test utility for deprivilege auditing

I have chosen to licence this utility as LGPL-v2.1-only, similar to
other LGPL elements of the Xen tools, because it may want to be moved
into or combined with osstest or some other project at some point in
the future, so it wants a licence compatible with osstest's AGPLv3+.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago libxl: Provide better error message when qemu restrict user not found
Ian Jackson [Mon, 14 May 2018 13:33:50 +0000 (14:33 +0100)]
libxl: Provide better error message when qemu restrict user not found

Add mention of LIBXL_QEMU_USER_RANGE_BASE, in case that is what the
user was intending.

Cc: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
6 years ago tools: xencall, xengnttab, xengntshr: Provide access to internal fds
Ian Jackson [Fri, 4 May 2018 15:29:17 +0000 (16:29 +0100)]
tools: xencall, xengnttab, xengntshr: Provide access to internal fds

I want this to support my qemu depriv descriptor audit tool.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago libxc: Provide access to internal handles
Ian Jackson [Fri, 4 May 2018 15:00:42 +0000 (16:00 +0100)]
libxc: Provide access to internal handles

In order to support auditing of qemu depriv, my audit tool wants to
know the fd of a privcmd handle on which it can easily make
hypercalls.  xencall provides such a handle, but has no cooked
facilities for making hypercalls.  So I open a libxc handle.  That
means I need to get the privcmd fd out of the libxc handle.

ISTM that it is best to do this by providing an interface to get the
underlying library handles for a libxc handle.  This kind of interface
is quite common elsewhere and has not caused problems.

libxc is not a stable API so the downside risk of providing this
access is not significant.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
6 years ago libxc: Drop declarations of osdep_privcmd_open and _close
Ian Jackson [Fri, 4 May 2018 14:41:27 +0000 (15:41 +0100)]
libxc: Drop declarations of osdep_privcmd_open and _close

These functions are no longer defined or used anywhere.  The
declarations should have been deleted when the definitions were.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
6 years ago x86/vpt: split part of pt_intr_post into a separate helper
Roger Pau Monné [Thu, 5 Jul 2018 13:44:35 +0000 (15:44 +0200)]
x86/vpt: split part of pt_intr_post into a separate helper

No functional change.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vpt: convert periodic_time fields to bool
Roger Pau Monné [Thu, 5 Jul 2018 13:43:54 +0000 (15:43 +0200)]
x86/vpt: convert periodic_time fields to bool

No functional change.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vhpet: check that the set interrupt route is valid
Roger Pau Monné [Thu, 5 Jul 2018 13:43:28 +0000 (15:43 +0200)]
x86/vhpet: check that the set interrupt route is valid

The value written by the guest must be valid according to the mask
provided in the interrupt routing capabilities register. If the
interrupt is not valid set it to the first valid IRQ in the
capabilities field if the timer is enabled, else just clear the field.

Also refuse to start any timer that has an invalid interrupt route.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vpt: fix create_periodic_time to check the irq parameter
Roger Pau Monné [Thu, 5 Jul 2018 13:42:59 +0000 (15:42 +0200)]
x86/vpt: fix create_periodic_time to check the irq parameter

Instead of the stale value inside the periodic_time struct.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago EFI: add EFI_LOAD_OPTION support
Tamas K Lengyel [Thu, 5 Jul 2018 13:29:44 +0000 (15:29 +0200)]
EFI: add EFI_LOAD_OPTION support

When booting Xen via UEFI the Xen config file can contain multiple
sections each describing different boot options. It is currently only
possible to choose which section to boot with if the buffer contains a
string. UEFI provides a different standard to pass optional arguments
to an application, and in this patch we make Xen properly parse this
buffer, thus making it possible to have separate EFI boot options
present for the different config sections.

Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86/mtrr: introduce mask to get VCNT from MTRRcap MSR
Roger Pau Monné [Thu, 5 Jul 2018 13:28:56 +0000 (15:28 +0200)]
x86/mtrr: introduce mask to get VCNT from MTRRcap MSR

No functional change.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/mm: suppress vm_events caused by page-walks
Alexandru Isaila [Thu, 5 Jul 2018 13:25:20 +0000 (15:25 +0200)]
x86/mm: suppress vm_events caused by page-walks

This patch is adding a way to enable/disable inguest pagefault
events. It introduces the xc_monitor_inguest_pagefault function
and adds the inguest_pagefault_disabled in the monitor structure.
This is needed by the introspection so it will only get gla
faults and not get spammed with other faults.
In p2m_mem_access_check() we emulate so no event will get sent.

Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago hvm/svm: enable EMUL_UNIMPLEMENTED events on svm
Alexandru Isaila [Thu, 5 Jul 2018 13:20:23 +0000 (15:20 +0200)]
hvm/svm: enable EMUL_UNIMPLEMENTED events on svm

Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
6 years ago x86/cpu: add support for zhaoxin x86 platform
DavidWang [Thu, 5 Jul 2018 13:13:28 +0000 (15:13 +0200)]
x86/cpu: add support for zhaoxin x86 platform

Zhaoxin is an x86 IC designer. Its SOC products support both CPU
virtualization and I/O virtualization, which are compatible with Intel
VMX and VT-d respectively. Zhaoxin has 'Shanghai' CPU vendor ID.

Signed-off-by: DavidWang <davidwang@zhaoxin.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago tools: Move ARRAY_SIZE() into xen-tools/libs.h
Andrew Cooper [Wed, 4 Jul 2018 13:32:31 +0000 (14:32 +0100)]
tools: Move ARRAY_SIZE() into xen-tools/libs.h

xen-tools/libs.h currently contains a shared BUILD_BUG_ON() implementation and
is used by some tools.  Extend this to include ARRAY_SIZE and clean up all the
opencoding.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago process docs: Final branching checklist steps
Ian Jackson [Mon, 25 Jun 2018 14:49:37 +0000 (15:49 +0100)]
process docs: Final branching checklist steps

Document two steps which were done this time, and last time:
(i) setting off an early osstest run
(ii) sending the mail confirming it's done.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago process docs: Add some detail about changes during branching
Ian Jackson [Mon, 25 Jun 2018 14:48:32 +0000 (15:48 +0100)]
process docs: Add some detail about changes during branching

Split out the required work for the new and old branches and be more
specific about what is to be done.  In the RT checklist, reformat and
expand the "turn off debug" instructions.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago process docs: Drop some obsolete stuff
Ian Jackson [Mon, 25 Jun 2018 14:46:25 +0000 (15:46 +0100)]
process docs: Drop some obsolete stuff

* Drop reference to long-gone Citrix-internal HG trees
* Drop reference to RT-accessible web pages; web page editing
  is now handled via the RM, community manager, etc.
* Drop reference to git description files; this is not needed
  because now we have one tree with all branches, not one per branch

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago tools/ocaml: Drop int_array_of_uuid_string()
Andrew Cooper [Fri, 16 Mar 2018 14:04:53 +0000 (14:04 +0000)]
tools/ocaml: Drop int_array_of_uuid_string()

This function is entirely internal to xenctrl stubs, and serves only to
convert the uuid string to an integer array (making 16 memory allocations as
it goes), while the C stubs turn the integer array back into a binary array.

Instead, pass the string all the way down into C, and have sscanf() unpack it
directly into a xen_domain_handle_t object.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
6 years ago tools/ocaml: Drop domain_create_flag_table[]
Andrew Cooper [Fri, 16 Mar 2018 13:32:04 +0000 (13:32 +0000)]
tools/ocaml: Drop domain_create_flag_table[]

This is a logarithm in disguise.  Update the logic to match how
x86_arch_emulation_flags works in c/s 9d683b5e37 and b38d96f596.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
6 years ago x86/cpuid: Alter the policy logic for leaf 0xb to be multi-invocation
Andrew Cooper [Wed, 11 Apr 2018 13:34:02 +0000 (13:34 +0000)]
x86/cpuid: Alter the policy logic for leaf 0xb to be multi-invocation

The new data lives in the .topo union, rather than being treated as a single
leaf in the basic union.

While adjusting cpuid_policy, pad .basic to CPUID_GUEST_NR_BASIC for the
benefit of people extending the number of leaves in the future.

Host data is scanned when filling in the raw policy, but Xen still discards
any toolstack settings for now.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
6 years ago x86: Address "Bitwise-and with zero CONSTANT_EXPRESSION_RESULT" Coverity issues
Andrew Cooper [Wed, 27 Jun 2018 12:26:36 +0000 (13:26 +0100)]
x86: Address "Bitwise-and with zero CONSTANT_EXPRESSION_RESULT" Coverity issues

Coverity complains at code which performs a bitwise and with a constant
that happens to be zero.  Rearrange the C to test the constant first and short
circuit the bitwise and.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
6 years ago x86/vmx: Don't leak EFER.NXE into guest context
Andrew Cooper [Tue, 23 May 2017 16:32:30 +0000 (17:32 +0100)]
x86/vmx: Don't leak EFER.NXE into guest context

Intel hardware only uses 4 bits in MSR_EFER.  Changes to LME and LMA are
handled automatically via the VMENTRY_CTLS.IA32E_MODE bit.

SCE is handled by ad-hoc logic in context_switch(), vmx_restore_guest_msrs()
and vmx_update_guest_efer(), and works by altering the host SCE value to match
the setting the guest wants.  This works because, in HVM vcpu context, Xen
never needs to execute a SYSCALL or SYSRET instruction.

However, NXE has never been context switched.  Unlike SCE, NXE cannot be
context switched at vcpu boundaries because disabling NXE makes PTE.NX bits
reserved and causes a pagefault when encountered.  This means that the guest
always has Xen's setting in effect, irrespective of the bit it can see and
modify in its virtualised view of MSR_EFER.

This isn't a major problem for production operating systems because they, like
Xen, always turn the NXE on when it is available.  However, it does have an
observable effect on which guest PTE bits are valid, and whether
PFEC_insn_fetch is visible in a #PF error code.

Second generation VT-x hardware has host and guest EFER fields in the VMCS,
and support for loading and saving them automatically.  First generation VT-x
hardware needs to use MSR load/save lists to cause an atomic switch of
MSR_EFER on vmentry/exit.

Therefore we update vmx_init_vmcs_config() to find and use guest/host EFER
support when available (and MSR load/save lists on older hardware) and drop
all ad-hoc alteration of SCE.

There are two minor complications when selecting the EFER setting:
 * For shadow guests, NXE is a paging setting and must remain under host
   control, but this is fine as Xen also handles the pagefaults.
 * When the Unrestricted Guest control is clear, hardware doesn't tolerate LME
   and LMA being different.  This doesn't matter in practice as we intercept
   all writes to CR0 and reads from MSR_EFER, so can provide architecturally
   consistent behaviour from the guest's point of view.

With changing how EFER is loaded, vmcs_dump_vcpu() needs adjusting.  Read EFER
from the appropriate information source, and identify when dumping the guest
EFER value which source was used.

As a result of fixing EFER context switching, we can remove the Intel-special
case from hvm_nx_enabled() and let guest_walk_tables() work with the real
guest paging settings.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: Support removing MSRs from the host/guest load/save lists
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Support removing MSRs from the host/guest load/save lists

Up until this point, the MSR load/save lists have only ever accumulated
content.  Introduce vmx_del_msr() as a companion to vmx_add_msr().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: Support load-only guest MSR list entries
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Support load-only guest MSR list entries

Currently, the VMX_MSR_GUEST type maintains completely symmetric guest load
and save lists, by pointing VM_EXIT_MSR_STORE_ADDR and VM_ENTRY_MSR_LOAD_ADDR
at the same page, and setting VM_EXIT_MSR_STORE_COUNT and
VM_ENTRY_MSR_LOAD_COUNT to the same value.

However, for MSRs which we won't let the guest have direct access to, having
hardware save the current value on VMExit is unnecessary overhead.

To avoid this overhead, we must make the load and save lists asymmetric.  By
making the entry load count greater than the exit store count, we can maintain
two adjacent lists of MSRs, the first of which is saved and restored, and the
second of which is only restored on VMEntry.

For simplicity:
 * Both adjacent lists are still sorted by MSR index.
 * It is undefined behaviour to insert the same MSR into both lists.
 * The total size of both lists is still limited at 256 entries (one 4k page).

Split the current msr_count field into msr_{load,save}_count, and introduce a
new VMX_MSR_GUEST_LOADONLY type, and update vmx_{add,find}_msr() to calculate
which sublist to search, based on type.  VMX_MSR_HOST has no logical sublist,
whereas VMX_MSR_GUEST has a sublist between 0 and the save count, while
VMX_MSR_GUEST_LOADONLY has a sublist between the save count and the load
count.

One subtle point is that inserting an MSR into the load-save list involves
moving the entire load-only list, and updating both counts.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: Pass an MSR value into vmx_msr_add()
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Pass an MSR value into vmx_msr_add()

The main purpose of this change is to allow us to set a specific MSR value,
without needing to know whether there is already a load/save list slot for it.

Previously, callers wanting this property needed to call both vmx_add_*_msr()
and vmx_write_*_msr() to cover both cases, and there are no callers which want
the old behaviour of being a no-op if an entry already existed for the MSR.

As a result of this API improvement, the default value for guest MSRs need not
be 0, and the default for host MSRs need not be passed via hardware register.
In practice, this cleans up the VPMU allocation logic, and avoids an MSR read
as part of vcpu construction.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vmx: Improvements to LBR MSR handling
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Improvements to LBR MSR handling

The main purpose of this patch is to only ever insert the LBR MSRs into the
guest load/save list once, as a future patch wants to change the behaviour of
vmx_add_guest_msr().

The repeated processing of lbr_info and the guest's MSR load/save list is
redundant, and a guest using LBR itself will have to re-enable
MSR_DEBUGCTL.LBR in its #DB handler, meaning that Xen will repeat this
redundant processing every time the guest gets a debug exception.

Rename lbr_fixup_enabled to lbr_flags to be a little more generic, and use one
bit to indicate that the MSRs have been inserted into the load/save list.
Shorten the existing FIXUP* identifiers to reduce code volume.

Furthermore, handing the guest #MC on an error isn't a legitimate action.  Two
of the three failure cases are definitely hypervisor bugs, and the third is a
boundary case which shouldn't occur in practice.  The guest also won't execute
correctly, so handle errors by cleanly crashing the guest.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vmx: Support remote access to the MSR lists
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Support remote access to the MSR lists

At the moment, all modifications of the MSR lists are in current context.
However, future changes may need to put MSR_EFER into the lists from domctl
hypercall context.

Plumb a struct vcpu parameter down through the infrastructure, and use
vmx_vmcs_{enter,exit}() for safe access to the VMCS in vmx_add_msr().  Use
assertions to ensure that access is either in current context, or while the
vcpu is paused.

Note these expectations beside the fields in arch_vmx_struct, and reorder the
fields to avoid unnecessary padding.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr()
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr()

Instead of having multiple algorithms searching the MSR lists, implement a
single one.  It has the semantics required by vmx_add_msr(), to identify the
position in which an MSR should live, if it isn't already present.

There will be a marginal improvement for vmx_find_msr() by avoiding the
function pointer calls to vmx_msr_entry_key_cmp(), and a major improvement for
vmx_add_msr() by using a binary search instead of a linear search.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: Internal cleanup for MSR load/save infrastructure
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: Internal cleanup for MSR load/save infrastructure

 * Use an arch_vmx_struct local variable to reduce later code volume.
 * Use start/total instead of msr_area/msr_count.  This is in preparation for
   more fine-grained handling with later changes.
 * Use ent/end pointers (again for preparation), and to make the vmx_add_msr()
   logic easier to follow.
 * Make the memory allocation block of vmx_add_msr() unlikely, and calculate
   virt_to_maddr() just once.

No practical change to functionality.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: API improvements for MSR load/save infrastructure
Andrew Cooper [Mon, 7 May 2018 10:57:00 +0000 (11:57 +0100)]
x86/vmx: API improvements for MSR load/save infrastructure

Collect together related infrastructure in vmcs.h, rather than having it
spread out.  Turn vmx_{read,write}_guest_msr() into static inlines, as they
are simple enough.

Replace 'int type' with 'enum vmx_msr_list_type', and use switch statements
internally.  Later changes are going to introduce a new type.

Rename the type identifiers for consistency with the other VMX_MSR_*
constants.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/suspend: Fix restoration of guest state across S3/S4
Andrew Cooper [Wed, 20 Jun 2018 07:43:57 +0000 (15:43 +0800)]
x86/suspend: Fix restoration of guest state across S3/S4

The call to freeze_domains() in enter_state() guarantees that we are
running in idle context for the duration of S3/S4.

In restore_rest_processor_state(), the stts() is problematic as it
unilaterally sets %cr0.ts even in fully_eager FPU context.  It also fails to
account for the non-lazy xsave state.  Luckily, these are both latent bugs, as
the FPU state is corrected by the subsequent context switch away from the idle
vcpu.

Another aspect is that the !is_idle_vcpu(curr) paths in
restore_rest_processor_state() are actually dead code, and removing
these highlights that the segment saving logic is also unused.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86: Improvements to ler debugging
Andrew Cooper [Thu, 24 May 2018 17:41:53 +0000 (17:41 +0000)]
x86: Improvements to ler debugging

 * Command line documentation for what the option does.
 * Implement a canonicalise_addr() helper and replace the opencoded use in
   sign_extend_msr()
 * Canonicalise the ler pointers and print symbol information.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit
Andrew Cooper [Thu, 24 May 2018 17:20:09 +0000 (17:20 +0000)]
x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit

Currently, whenever the guest writes a nonzero value to MSR_DEBUGCTL, Xen
updates a host MSR load list entry with the current hardware value of
MSR_DEBUGCTL.

On VMExit, hardware automatically resets MSR_DEBUGCTL to 0.  Later, when the
guest writes to MSR_DEBUGCTL, the current value in hardware (0) is fed back
into guest load list.  As a practical result, `ler` debugging gets lost on any
PCPU which has ever scheduled an HVM vcpu, and in the common case when `ler`
debugging isn't active, guest actions result in an unnecessary load list entry
repeating the MSR_DEBUGCTL reset.

Restoration of Xen's debugging setting needs to happen from the very first
vmexit.  Due to the automatic reset, Xen need take no action in the general
case, and only needs to load a value when debugging is active.

This could be fixed by using a host MSR load list entry set up during
construct_vmcs().  However, a more efficient option is to use an alternative
block in the VMExit path, keyed on whether hypervisor debugging has been
enabled.

In order to set this up, drop the per cpu ler_msr variable (as there is no
point having it per cpu when it will be the same everywhere), and use a single
read_mostly variable instead.  Split calc_ler_msr() out of percpu_traps_init()
for clarity.

Finally, clean up do_debug().  Reinstate LBR early to help catch cascade
errors, which allows for the removal of the out label.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
6 years ago Merge branch 'arm-next' into staging
Julien Grall [Wed, 4 Jul 2018 10:46:11 +0000 (11:46 +0100)]
Merge branch 'arm-next' into staging

6 years ago x86/msr: Use the architectural layout for MSR_{MISC_ENABLES,PLATFORM_INFO}
Andrew Cooper [Wed, 27 Jun 2018 11:34:47 +0000 (12:34 +0100)]
x86/msr: Use the architectural layout for MSR_{MISC_ENABLES,PLATFORM_INFO}

This simplifies future interactions with the toolstack, by removing the need
for per-MSR custom accessors when shuffling data in/out of a policy.

Use a 32bit raw backing integer (for simplicity), and use a bitfield to move
the cpuid_faulting field to its appropriate position.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago x86/msr: Drop {MISC_ENABLES,PLATFORM_INFO}.available
Andrew Cooper [Wed, 27 Jun 2018 11:34:47 +0000 (11:34 +0000)]
x86/msr: Drop {MISC_ENABLES,PLATFORM_INFO}.available

These MSRs are non-architectural and the available booleans were used in lieu
of an architectural signal of availability.

However, in hindsight, the additional booleans make toolstack MSR interactions
more complicated.  The MSRs are unconditionally available to HVM guests, but
currently for PV guests, are hidden when CPUID faulting is unavailable.
Instead, switch them to being unconditionally readable, even for PV guests.

The new behaviour is:
  * PLATFORM_INFO is unconditionally readable even for PV guests and will
    indicate the presence or absence of CPUID Faulting in bit 31.
  * MISC_FEATURES_ENABLES is unconditionally readable, and bit 0 may be set
    iff PLATFORM_INFO reports that CPUID Faulting is available.

As a minor bugfix, CPUID Faulting for HVM guests is not restricted to
Intel/AMD hardware.  In particular, VIA have a VT-x implementation conforming
to the Intel specification.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
6 years ago tools/libxc: Drop xc_cpuid_to_str()
Andrew Cooper [Wed, 27 Jun 2018 12:35:08 +0000 (12:35 +0000)]
tools/libxc: Drop xc_cpuid_to_str()

This helper appears to have been introduced 10 years ago by c/s 5f14a87ceb
"x86, hvm: Guest CPUID configuration" and never had any users at all.

alloc_str() is actually an opencoded calloc(), and now only has a single
caller.  Use calloc() directly and drop alloc_str().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
6 years ago xen: Plumb an is_priv boolean into domain_create()
Andrew Cooper [Fri, 29 Jun 2018 16:28:13 +0000 (16:28 +0000)]
xen: Plumb an is_priv boolean into domain_create()

The current mechanism of setting dom0->is_privileged after construction means
that the is_control_domain() predicate returns false during construction.

In particular, this means that the CPUID Faulting special case in
init_domain_msr_policy() fails to take effect.  (In actual fact, faulting
support is advertised to dom0, but attempting to configure it is silently
ignored because of the dom0 special case in ctxt_switch_levelling().)

This could be implemented using a flag in xen_domctl_createdomain, but using
an extra boolean parameter like this means that we can't accidentally allow
domain_create() to create a second dom0 due to parameter mis-auditing.

While adjusting the setting of dom0->is_privileged, drop the redundant zeroing
of dom0->target.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
6 years ago VMX: don't needlessly write CR4 guest/host mask
Jan Beulich [Mon, 2 Jul 2018 11:12:10 +0000 (13:12 +0200)]
VMX: don't needlessly write CR4 guest/host mask

In shadow mode the field never changes from ~0UL, so there's no need for
a VMWRITE (or an update of its cached value).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
6 years ago x86: move per-vendor early CPU init declarations
Jan Beulich [Mon, 2 Jul 2018 11:11:33 +0000 (13:11 +0200)]
x86: move per-vendor early CPU init declarations

They're local to cpu/, so they belong into cpu/cpu.h (and some of them
have been out of use for quite some time). Drop the asm/setup.h
inclusions then as well.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86: remove dead code from cpuid4_cache_lookup()
Jan Beulich [Mon, 2 Jul 2018 11:10:52 +0000 (13:10 +0200)]
x86: remove dead code from cpuid4_cache_lookup()

... and make num_cache_leaves local to the only function using it.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
6 years ago x86/HPET: drop useless check
Jan Beulich [Mon, 2 Jul 2018 11:10:19 +0000 (13:10 +0200)]
x86/HPET: drop useless check

Commit 9e051a840d ("x86/hpet: Improve handling of timer_deadline")
removed all code between for_each_cpu() and cpumask_test_cpu(),
rendering the latter pointless.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@ctirix.com>
6 years ago schedulers: validate / correct global data just once
Jan Beulich [Mon, 2 Jul 2018 11:09:46 +0000 (13:09 +0200)]
schedulers: validate / correct global data just once

Also mark command line parsing routine __init.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Dario Faggioli <dfaggioli@suse.com>
6 years ago svm: don't clear interception for MSRs required for introspection
Razvan Cojocaru [Mon, 2 Jul 2018 11:08:27 +0000 (13:08 +0200)]
svm: don't clear interception for MSRs required for introspection

This patch mirrors the VMX code that doesn't allow
vmx_clear_msr_intercept() to clear interception of MSRs that an
introspection agent is trying to monitor.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
6 years ago vpci/msi: fix update of bound MSI interrupts
Roger Pau Monné [Mon, 2 Jul 2018 11:07:55 +0000 (13:07 +0200)]
vpci/msi: fix update of bound MSI interrupts

Current update process of already bound MSI interrupts is wrong
because unmap_domain_pirq calls pci_disable_msi, which disables MSI
interrupts on the device. On the other hand map_domain_pirq doesn't
enable MSI, so the current update process of already enabled MSI
entries is wrong because MSI control bit will be disabled by
unmap_domain_pirq and not re-enabled by map_domain_pirq.

In order to fix this avoid unmapping the PIRQs and just update the
binding of the PIRQ. A new arch helper to do that is introduced.

Note that MSI-X is not affected because unmap_domain_pirq only
disables the MSI enable control bit for the MSI case, for MSI-X the
bit is left untouched by unmap_domain_pirq.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
6 years ago vpci/msi: split code to bind pirq
Roger Pau Monné [Mon, 2 Jul 2018 11:07:26 +0000 (13:07 +0200)]
vpci/msi: split code to bind pirq

And put it in a separate update function. This is required in order to
improve binding of MSI PIRQs when using vPCI.

No functional change.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>