[V8,2/4] x86/altp2m: Add hypercall to set a range of sve bits
diff mbox series

Message ID 20200117133059.14602-2-aisaila@bitdefender.com
State New, archived
Headers show
Series
  • [V8,1/4] x86/mm: Add array_index_nospec to guest provided index values
Related show

Commit Message

Alexandru Isaila Jan. 17, 2020, 1:31 p.m. UTC
By default the sve bits are not set.
This patch adds a new hypercall, xc_altp2m_set_supress_ve_multi(),
to set a range of sve bits.
The core function, p2m_set_suppress_ve_multi(), does not break in case
of a error and it is doing a best effort for setting the bits in the
given range. A check for continuation is made in order to have
preemption on large ranges.
The gfn of the first error is stored in
xen_hvm_altp2m_suppress_ve_multi.first_error_gfn and the error code is
stored in xen_hvm_altp2m_suppress_ve_multi.first_error.
If no error occurred the values will be 0.

Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>

---
CC: Ian Jackson <ian.jackson@eu.citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: "Roger Pau Monné" <roger.pau@citrix.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
CC: Razvan Cojocaru <rcojocaru@bitdefender.com>
CC: Tamas K Lengyel <tamas@tklengyel.com>
CC: Petre Pircalabu <ppircalabu@bitdefender.com>
---
Changes since V7:
	- Fix commit message
	- Move all in values in the sve initializer
	- Drop sve.first_error check.
---
 tools/libxc/include/xenctrl.h   |  4 ++
 tools/libxc/xc_altp2m.c         | 33 +++++++++++++++
 xen/arch/x86/hvm/hvm.c          | 20 +++++++++
 xen/arch/x86/mm/p2m.c           | 75 +++++++++++++++++++++++++--------
 xen/include/public/hvm/hvm_op.h | 13 ++++++
 xen/include/xen/mem_access.h    |  3 ++
 6 files changed, 130 insertions(+), 18 deletions(-)

Comments

Jan Beulich Jan. 17, 2020, 2:33 p.m. UTC | #1
On 17.01.2020 14:31, Alexandru Stefan ISAILA wrote:
> By default the sve bits are not set.
> This patch adds a new hypercall, xc_altp2m_set_supress_ve_multi(),
> to set a range of sve bits.
> The core function, p2m_set_suppress_ve_multi(), does not break in case
> of a error and it is doing a best effort for setting the bits in the
> given range. A check for continuation is made in order to have
> preemption on large ranges.
> The gfn of the first error is stored in
> xen_hvm_altp2m_suppress_ve_multi.first_error_gfn and the error code is
> stored in xen_hvm_altp2m_suppress_ve_multi.first_error.
> If no error occurred the values will be 0.

I'm sorry for being nitpicky here, but this still isn't fully in
line with ...

> --- a/xen/include/public/hvm/hvm_op.h
> +++ b/xen/include/public/hvm/hvm_op.h
> @@ -46,6 +46,16 @@ struct xen_hvm_altp2m_suppress_ve {
>      uint64_t gfn;
>  };
>  
> +struct xen_hvm_altp2m_suppress_ve_multi {
> +    uint16_t view;
> +    uint8_t suppress_ve; /* Boolean type. */
> +    uint8_t pad1;
> +    int32_t first_error; /* Should be set to 0. */
> +    uint64_t first_gfn; /* Value may be updated. */
> +    uint64_t last_gfn;
> +    uint64_t first_error_gfn; /* Gfn of the first error. */
> +};

... this: There's nothing said here about zeroing first_error_gfn
(and FAOD there doesn't need to be), and even first_error correctly
says only "should". Hence the values will be non-zero when there
was no error only if the caller had set them to zero. Anyway, this
alone surely is no reason for a v9, so take it just as a benign
(for the moment) remark.

Jan
Petre Ovidiu PIRCALABU Jan. 21, 2020, 12:57 p.m. UTC | #2
On Fri, 2020-01-17 at 15:31 +0200, Alexandru Stefan ISAILA wrote:
> By default the sve bits are not set.
> This patch adds a new hypercall, xc_altp2m_set_supress_ve_multi(),
> to set a range of sve bits.
> The core function, p2m_set_suppress_ve_multi(), does not break in
> case
> of a error and it is doing a best effort for setting the bits in the
> given range. A check for continuation is made in order to have
> preemption on large ranges.
> The gfn of the first error is stored in
> xen_hvm_altp2m_suppress_ve_multi.first_error_gfn and the error code
> is
> stored in xen_hvm_altp2m_suppress_ve_multi.first_error.
> If no error occurred the values will be 0.
> 
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
> 
Reviewed-by: Petre Pircalabu <ppircalabu@bitdefender.com>
Alexandru Isaila Jan. 21, 2020, 3:09 p.m. UTC | #3
Hi George,

This is a kind reminder, when you have the time, can you take a look at 
this series?

Regards,
Alex

On 17.01.2020 15:31, Alexandru Stefan ISAILA wrote:
> By default the sve bits are not set.
> This patch adds a new hypercall, xc_altp2m_set_supress_ve_multi(),
> to set a range of sve bits.
> The core function, p2m_set_suppress_ve_multi(), does not break in case
> of a error and it is doing a best effort for setting the bits in the
> given range. A check for continuation is made in order to have
> preemption on large ranges.
> The gfn of the first error is stored in
> xen_hvm_altp2m_suppress_ve_multi.first_error_gfn and the error code is
> stored in xen_hvm_altp2m_suppress_ve_multi.first_error.
> If no error occurred the values will be 0.
> 
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
> 
> ---
> CC: Ian Jackson <ian.jackson@eu.citrix.com>
> CC: Wei Liu <wl@xen.org>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: George Dunlap <George.Dunlap@eu.citrix.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: "Roger Pau Monné" <roger.pau@citrix.com>
> CC: George Dunlap <george.dunlap@eu.citrix.com>
> CC: Razvan Cojocaru <rcojocaru@bitdefender.com>
> CC: Tamas K Lengyel <tamas@tklengyel.com>
> CC: Petre Pircalabu <ppircalabu@bitdefender.com>
> ---
> Changes since V7:
> 	- Fix commit message
> 	- Move all in values in the sve initializer
> 	- Drop sve.first_error check.
> ---
>   tools/libxc/include/xenctrl.h   |  4 ++
>   tools/libxc/xc_altp2m.c         | 33 +++++++++++++++
>   xen/arch/x86/hvm/hvm.c          | 20 +++++++++
>   xen/arch/x86/mm/p2m.c           | 75 +++++++++++++++++++++++++--------
>   xen/include/public/hvm/hvm_op.h | 13 ++++++
>   xen/include/xen/mem_access.h    |  3 ++
>   6 files changed, 130 insertions(+), 18 deletions(-)
> 
> diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
> index 75f191ae3a..cc4eb1e3d3 100644
> --- a/tools/libxc/include/xenctrl.h
> +++ b/tools/libxc/include/xenctrl.h
> @@ -1923,6 +1923,10 @@ int xc_altp2m_switch_to_view(xc_interface *handle, uint32_t domid,
>                                uint16_t view_id);
>   int xc_altp2m_set_suppress_ve(xc_interface *handle, uint32_t domid,
>                                 uint16_t view_id, xen_pfn_t gfn, bool sve);
> +int xc_altp2m_set_supress_ve_multi(xc_interface *handle, uint32_t domid,
> +                                   uint16_t view_id, xen_pfn_t first_gfn,
> +                                   xen_pfn_t last_gfn, bool sve,
> +                                   xen_pfn_t *error_gfn, int32_t *error_code);
>   int xc_altp2m_get_suppress_ve(xc_interface *handle, uint32_t domid,
>                                 uint16_t view_id, xen_pfn_t gfn, bool *sve);
>   int xc_altp2m_set_mem_access(xc_interface *handle, uint32_t domid,
> diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
> index 09dad0355e..46fb725806 100644
> --- a/tools/libxc/xc_altp2m.c
> +++ b/tools/libxc/xc_altp2m.c
> @@ -234,6 +234,39 @@ int xc_altp2m_set_suppress_ve(xc_interface *handle, uint32_t domid,
>       return rc;
>   }
>   
> +int xc_altp2m_set_supress_ve_multi(xc_interface *handle, uint32_t domid,
> +                                   uint16_t view_id, xen_pfn_t first_gfn,
> +                                   xen_pfn_t last_gfn, bool sve,
> +                                   xen_pfn_t *error_gfn, int32_t *error_code)
> +{
> +    int rc;
> +    DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
> +
> +    arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
> +    if ( arg == NULL )
> +        return -1;
> +
> +    arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
> +    arg->cmd = HVMOP_altp2m_set_suppress_ve_multi;
> +    arg->domain = domid;
> +    arg->u.suppress_ve_multi.view = view_id;
> +    arg->u.suppress_ve_multi.first_gfn = first_gfn;
> +    arg->u.suppress_ve_multi.last_gfn = last_gfn;
> +    arg->u.suppress_ve_multi.suppress_ve = sve;
> +
> +    rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
> +                  HYPERCALL_BUFFER_AS_ARG(arg));
> +
> +    if ( arg->u.suppress_ve_multi.first_error )
> +    {
> +        *error_gfn = arg->u.suppress_ve_multi.first_error_gfn;
> +        *error_code = arg->u.suppress_ve_multi.first_error;
> +    }
> +
> +    xc_hypercall_buffer_free(handle, arg);
> +    return rc;
> +}
> +
>   int xc_altp2m_set_mem_access(xc_interface *handle, uint32_t domid,
>                                uint16_t view_id, xen_pfn_t gfn,
>                                xenmem_access_t access)
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index 4723f5d09c..4d79b4934e 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -4520,6 +4520,7 @@ static int do_altp2m_op(
>       case HVMOP_altp2m_destroy_p2m:
>       case HVMOP_altp2m_switch_p2m:
>       case HVMOP_altp2m_set_suppress_ve:
> +    case HVMOP_altp2m_set_suppress_ve_multi:
>       case HVMOP_altp2m_get_suppress_ve:
>       case HVMOP_altp2m_set_mem_access:
>       case HVMOP_altp2m_set_mem_access_multi:
> @@ -4678,6 +4679,25 @@ static int do_altp2m_op(
>           }
>           break;
>   
> +    case HVMOP_altp2m_set_suppress_ve_multi:
> +    {
> +        uint64_t max_phys_addr = (1UL << d->arch.cpuid->extd.maxphysaddr) - 1;
> +
> +        a.u.suppress_ve_multi.last_gfn = min(a.u.suppress_ve_multi.last_gfn,
> +                                             max_phys_addr);
> +
> +        if ( a.u.suppress_ve_multi.pad1 ||
> +             a.u.suppress_ve_multi.first_gfn > a.u.suppress_ve_multi.last_gfn )
> +            rc = -EINVAL;
> +        else
> +        {
> +            rc = p2m_set_suppress_ve_multi(d, &a.u.suppress_ve_multi);
> +            if ( (!rc || rc == -ERESTART) && __copy_to_guest(arg, &a, 1) )
> +                rc = -EFAULT;
> +        }
> +        break;
> +    }
> +
>       case HVMOP_altp2m_get_suppress_ve:
>           if ( a.u.suppress_ve.pad1 || a.u.suppress_ve.pad2 )
>               rc = -EINVAL;
> diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
> index 00b24342fc..3a2929c365 100644
> --- a/xen/arch/x86/mm/p2m.c
> +++ b/xen/arch/x86/mm/p2m.c
> @@ -3026,44 +3026,83 @@ out:
>    */
>   int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve,
>                           unsigned int altp2m_idx)
> +{
> +    int rc;
> +    struct xen_hvm_altp2m_suppress_ve_multi sve = {
> +        altp2m_idx, suppress_ve, 0, 0, gfn_x(gfn), gfn_x(gfn), 0
> +    };
> +
> +    if ( !(rc = p2m_set_suppress_ve_multi(d, &sve)) )
> +        rc = sve.first_error;
> +
> +    return rc;
> +}
> +
> +/*
> + * Set/clear the #VE suppress bit for multiple pages.  Only available on VMX.
> + */
> +int p2m_set_suppress_ve_multi(struct domain *d,
> +                              struct xen_hvm_altp2m_suppress_ve_multi *sve)
>   {
>       struct p2m_domain *host_p2m = p2m_get_hostp2m(d);
>       struct p2m_domain *ap2m = NULL;
> -    struct p2m_domain *p2m;
> -    mfn_t mfn;
> -    p2m_access_t a;
> -    p2m_type_t t;
> -    int rc;
> +    struct p2m_domain *p2m = host_p2m;
> +    uint64_t start = sve->first_gfn;
> +    int rc = 0;
>   
> -    if ( altp2m_idx > 0 )
> +    if ( sve->view > 0 )
>       {
> -        if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> -             d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
> +        if ( sve->view >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> +             d->arch.altp2m_eptp[array_index_nospec(sve->view, MAX_EPTP)] ==
>                mfn_x(INVALID_MFN) )
>               return -EINVAL;
>   
> -        p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx);
> +        p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, sve->view);
>       }
> -    else
> -        p2m = host_p2m;
>   
> -    gfn_lock(host_p2m, gfn, 0);
> +    p2m_lock(host_p2m);
>   
>       if ( ap2m )
>           p2m_lock(ap2m);
>   
> -    rc = altp2m_get_effective_entry(p2m, gfn, &mfn, &t, &a, AP2MGET_query);
> +    while ( sve->last_gfn >= start )
> +    {
> +        p2m_access_t a;
> +        p2m_type_t t;
> +        mfn_t mfn;
> +        int err = 0;
>   
> -    if ( rc )
> -        goto out;
> +        if ( (err = altp2m_get_effective_entry(p2m, _gfn(start), &mfn, &t, &a,
> +                                               AP2MGET_query)) &&
> +             !sve->first_error )
> +        {
> +            sve->first_error_gfn = start; /* Save the gfn of the first error */
> +            sve->first_error = err; /* Save the first error code */
> +        }
>   
> -    rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, t, a, suppress_ve);
> +        if ( !err && (err = p2m->set_entry(p2m, _gfn(start), mfn,
> +                                           PAGE_ORDER_4K, t, a,
> +                                           sve->suppress_ve)) &&
> +             !sve->first_error )
> +        {
> +            sve->first_error_gfn = start; /* Save the gfn of the first error */
> +            sve->first_error = err; /* Save the first error code */
> +        }
> +
> +        /* Check for continuation if it's not the last iteration. */
> +        if ( sve->last_gfn >= ++start && hypercall_preempt_check() )
> +        {
> +            rc = -ERESTART;
> +            break;
> +        }
> +    }
> +
> +    sve->first_gfn = start;
>   
> -out:
>       if ( ap2m )
>           p2m_unlock(ap2m);
>   
> -    gfn_unlock(host_p2m, gfn, 0);
> +    p2m_unlock(host_p2m);
>   
>       return rc;
>   }
> diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
> index 353f8034d9..d344606864 100644
> --- a/xen/include/public/hvm/hvm_op.h
> +++ b/xen/include/public/hvm/hvm_op.h
> @@ -46,6 +46,16 @@ struct xen_hvm_altp2m_suppress_ve {
>       uint64_t gfn;
>   };
>   
> +struct xen_hvm_altp2m_suppress_ve_multi {
> +    uint16_t view;
> +    uint8_t suppress_ve; /* Boolean type. */
> +    uint8_t pad1;
> +    int32_t first_error; /* Should be set to 0. */
> +    uint64_t first_gfn; /* Value may be updated. */
> +    uint64_t last_gfn;
> +    uint64_t first_error_gfn; /* Gfn of the first error. */
> +};
> +
>   #if __XEN_INTERFACE_VERSION__ < 0x00040900
>   
>   /* Set the logical level of one of a domain's PCI INTx wires. */
> @@ -339,6 +349,8 @@ struct xen_hvm_altp2m_op {
>   #define HVMOP_altp2m_vcpu_disable_notify  13
>   /* Get the active vcpu p2m index */
>   #define HVMOP_altp2m_get_p2m_idx          14
> +/* Set the "Supress #VE" bit for a range of pages */
> +#define HVMOP_altp2m_set_suppress_ve_multi 15
>       domid_t domain;
>       uint16_t pad1;
>       uint32_t pad2;
> @@ -353,6 +365,7 @@ struct xen_hvm_altp2m_op {
>           struct xen_hvm_altp2m_change_gfn           change_gfn;
>           struct xen_hvm_altp2m_set_mem_access_multi set_mem_access_multi;
>           struct xen_hvm_altp2m_suppress_ve          suppress_ve;
> +        struct xen_hvm_altp2m_suppress_ve_multi    suppress_ve_multi;
>           struct xen_hvm_altp2m_vcpu_disable_notify  disable_notify;
>           struct xen_hvm_altp2m_get_vcpu_p2m_idx     get_vcpu_p2m_idx;
>           uint8_t pad[64];
> diff --git a/xen/include/xen/mem_access.h b/xen/include/xen/mem_access.h
> index e4d24502e0..00e594a0ad 100644
> --- a/xen/include/xen/mem_access.h
> +++ b/xen/include/xen/mem_access.h
> @@ -75,6 +75,9 @@ long p2m_set_mem_access_multi(struct domain *d,
>   int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve,
>                           unsigned int altp2m_idx);
>   
> +int p2m_set_suppress_ve_multi(struct domain *d,
> +                              struct xen_hvm_altp2m_suppress_ve_multi *suppress_ve);
> +
>   int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
>                           unsigned int altp2m_idx);
>   
>
George Dunlap Jan. 21, 2020, 5:30 p.m. UTC | #4
On 1/21/20 3:09 PM, Alexandru Stefan ISAILA wrote:
> Hi George,
> 
> This is a kind reminder, when you have the time, can you take a look at 
> this series?

It's on the top of my list of things to review.  :-) I should be able to
get to it Thursday.

 -George
George Dunlap Jan. 23, 2020, 12:35 p.m. UTC | #5
On 1/17/20 1:31 PM, Alexandru Stefan ISAILA wrote:
> By default the sve bits are not set.
> This patch adds a new hypercall, xc_altp2m_set_supress_ve_multi(),
> to set a range of sve bits.
> The core function, p2m_set_suppress_ve_multi(), does not break in case
> of a error and it is doing a best effort for setting the bits in the
> given range. A check for continuation is made in order to have
> preemption on large ranges.
> The gfn of the first error is stored in
> xen_hvm_altp2m_suppress_ve_multi.first_error_gfn and the error code is
> stored in xen_hvm_altp2m_suppress_ve_multi.first_error.
> If no error occurred the values will be 0.
> 
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>

Acked-by: George Dunlap <george.dunlap@citrix.com>

Patch
diff mbox series

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 75f191ae3a..cc4eb1e3d3 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -1923,6 +1923,10 @@  int xc_altp2m_switch_to_view(xc_interface *handle, uint32_t domid,
                              uint16_t view_id);
 int xc_altp2m_set_suppress_ve(xc_interface *handle, uint32_t domid,
                               uint16_t view_id, xen_pfn_t gfn, bool sve);
+int xc_altp2m_set_supress_ve_multi(xc_interface *handle, uint32_t domid,
+                                   uint16_t view_id, xen_pfn_t first_gfn,
+                                   xen_pfn_t last_gfn, bool sve,
+                                   xen_pfn_t *error_gfn, int32_t *error_code);
 int xc_altp2m_get_suppress_ve(xc_interface *handle, uint32_t domid,
                               uint16_t view_id, xen_pfn_t gfn, bool *sve);
 int xc_altp2m_set_mem_access(xc_interface *handle, uint32_t domid,
diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
index 09dad0355e..46fb725806 100644
--- a/tools/libxc/xc_altp2m.c
+++ b/tools/libxc/xc_altp2m.c
@@ -234,6 +234,39 @@  int xc_altp2m_set_suppress_ve(xc_interface *handle, uint32_t domid,
     return rc;
 }
 
+int xc_altp2m_set_supress_ve_multi(xc_interface *handle, uint32_t domid,
+                                   uint16_t view_id, xen_pfn_t first_gfn,
+                                   xen_pfn_t last_gfn, bool sve,
+                                   xen_pfn_t *error_gfn, int32_t *error_code)
+{
+    int rc;
+    DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
+
+    arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
+    if ( arg == NULL )
+        return -1;
+
+    arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
+    arg->cmd = HVMOP_altp2m_set_suppress_ve_multi;
+    arg->domain = domid;
+    arg->u.suppress_ve_multi.view = view_id;
+    arg->u.suppress_ve_multi.first_gfn = first_gfn;
+    arg->u.suppress_ve_multi.last_gfn = last_gfn;
+    arg->u.suppress_ve_multi.suppress_ve = sve;
+
+    rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
+                  HYPERCALL_BUFFER_AS_ARG(arg));
+
+    if ( arg->u.suppress_ve_multi.first_error )
+    {
+        *error_gfn = arg->u.suppress_ve_multi.first_error_gfn;
+        *error_code = arg->u.suppress_ve_multi.first_error;
+    }
+
+    xc_hypercall_buffer_free(handle, arg);
+    return rc;
+}
+
 int xc_altp2m_set_mem_access(xc_interface *handle, uint32_t domid,
                              uint16_t view_id, xen_pfn_t gfn,
                              xenmem_access_t access)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 4723f5d09c..4d79b4934e 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4520,6 +4520,7 @@  static int do_altp2m_op(
     case HVMOP_altp2m_destroy_p2m:
     case HVMOP_altp2m_switch_p2m:
     case HVMOP_altp2m_set_suppress_ve:
+    case HVMOP_altp2m_set_suppress_ve_multi:
     case HVMOP_altp2m_get_suppress_ve:
     case HVMOP_altp2m_set_mem_access:
     case HVMOP_altp2m_set_mem_access_multi:
@@ -4678,6 +4679,25 @@  static int do_altp2m_op(
         }
         break;
 
+    case HVMOP_altp2m_set_suppress_ve_multi:
+    {
+        uint64_t max_phys_addr = (1UL << d->arch.cpuid->extd.maxphysaddr) - 1;
+
+        a.u.suppress_ve_multi.last_gfn = min(a.u.suppress_ve_multi.last_gfn,
+                                             max_phys_addr);
+
+        if ( a.u.suppress_ve_multi.pad1 ||
+             a.u.suppress_ve_multi.first_gfn > a.u.suppress_ve_multi.last_gfn )
+            rc = -EINVAL;
+        else
+        {
+            rc = p2m_set_suppress_ve_multi(d, &a.u.suppress_ve_multi);
+            if ( (!rc || rc == -ERESTART) && __copy_to_guest(arg, &a, 1) )
+                rc = -EFAULT;
+        }
+        break;
+    }
+
     case HVMOP_altp2m_get_suppress_ve:
         if ( a.u.suppress_ve.pad1 || a.u.suppress_ve.pad2 )
             rc = -EINVAL;
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 00b24342fc..3a2929c365 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -3026,44 +3026,83 @@  out:
  */
 int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve,
                         unsigned int altp2m_idx)
+{
+    int rc;
+    struct xen_hvm_altp2m_suppress_ve_multi sve = {
+        altp2m_idx, suppress_ve, 0, 0, gfn_x(gfn), gfn_x(gfn), 0
+    };
+
+    if ( !(rc = p2m_set_suppress_ve_multi(d, &sve)) )
+        rc = sve.first_error;
+
+    return rc;
+}
+
+/*
+ * Set/clear the #VE suppress bit for multiple pages.  Only available on VMX.
+ */
+int p2m_set_suppress_ve_multi(struct domain *d,
+                              struct xen_hvm_altp2m_suppress_ve_multi *sve)
 {
     struct p2m_domain *host_p2m = p2m_get_hostp2m(d);
     struct p2m_domain *ap2m = NULL;
-    struct p2m_domain *p2m;
-    mfn_t mfn;
-    p2m_access_t a;
-    p2m_type_t t;
-    int rc;
+    struct p2m_domain *p2m = host_p2m;
+    uint64_t start = sve->first_gfn;
+    int rc = 0;
 
-    if ( altp2m_idx > 0 )
+    if ( sve->view > 0 )
     {
-        if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
-             d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
+        if ( sve->view >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
+             d->arch.altp2m_eptp[array_index_nospec(sve->view, MAX_EPTP)] ==
              mfn_x(INVALID_MFN) )
             return -EINVAL;
 
-        p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx);
+        p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, sve->view);
     }
-    else
-        p2m = host_p2m;
 
-    gfn_lock(host_p2m, gfn, 0);
+    p2m_lock(host_p2m);
 
     if ( ap2m )
         p2m_lock(ap2m);
 
-    rc = altp2m_get_effective_entry(p2m, gfn, &mfn, &t, &a, AP2MGET_query);
+    while ( sve->last_gfn >= start )
+    {
+        p2m_access_t a;
+        p2m_type_t t;
+        mfn_t mfn;
+        int err = 0;
 
-    if ( rc )
-        goto out;
+        if ( (err = altp2m_get_effective_entry(p2m, _gfn(start), &mfn, &t, &a,
+                                               AP2MGET_query)) &&
+             !sve->first_error )
+        {
+            sve->first_error_gfn = start; /* Save the gfn of the first error */
+            sve->first_error = err; /* Save the first error code */
+        }
 
-    rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, t, a, suppress_ve);
+        if ( !err && (err = p2m->set_entry(p2m, _gfn(start), mfn,
+                                           PAGE_ORDER_4K, t, a,
+                                           sve->suppress_ve)) &&
+             !sve->first_error )
+        {
+            sve->first_error_gfn = start; /* Save the gfn of the first error */
+            sve->first_error = err; /* Save the first error code */
+        }
+
+        /* Check for continuation if it's not the last iteration. */
+        if ( sve->last_gfn >= ++start && hypercall_preempt_check() )
+        {
+            rc = -ERESTART;
+            break;
+        }
+    }
+
+    sve->first_gfn = start;
 
-out:
     if ( ap2m )
         p2m_unlock(ap2m);
 
-    gfn_unlock(host_p2m, gfn, 0);
+    p2m_unlock(host_p2m);
 
     return rc;
 }
diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
index 353f8034d9..d344606864 100644
--- a/xen/include/public/hvm/hvm_op.h
+++ b/xen/include/public/hvm/hvm_op.h
@@ -46,6 +46,16 @@  struct xen_hvm_altp2m_suppress_ve {
     uint64_t gfn;
 };
 
+struct xen_hvm_altp2m_suppress_ve_multi {
+    uint16_t view;
+    uint8_t suppress_ve; /* Boolean type. */
+    uint8_t pad1;
+    int32_t first_error; /* Should be set to 0. */
+    uint64_t first_gfn; /* Value may be updated. */
+    uint64_t last_gfn;
+    uint64_t first_error_gfn; /* Gfn of the first error. */
+};
+
 #if __XEN_INTERFACE_VERSION__ < 0x00040900
 
 /* Set the logical level of one of a domain's PCI INTx wires. */
@@ -339,6 +349,8 @@  struct xen_hvm_altp2m_op {
 #define HVMOP_altp2m_vcpu_disable_notify  13
 /* Get the active vcpu p2m index */
 #define HVMOP_altp2m_get_p2m_idx          14
+/* Set the "Supress #VE" bit for a range of pages */
+#define HVMOP_altp2m_set_suppress_ve_multi 15
     domid_t domain;
     uint16_t pad1;
     uint32_t pad2;
@@ -353,6 +365,7 @@  struct xen_hvm_altp2m_op {
         struct xen_hvm_altp2m_change_gfn           change_gfn;
         struct xen_hvm_altp2m_set_mem_access_multi set_mem_access_multi;
         struct xen_hvm_altp2m_suppress_ve          suppress_ve;
+        struct xen_hvm_altp2m_suppress_ve_multi    suppress_ve_multi;
         struct xen_hvm_altp2m_vcpu_disable_notify  disable_notify;
         struct xen_hvm_altp2m_get_vcpu_p2m_idx     get_vcpu_p2m_idx;
         uint8_t pad[64];
diff --git a/xen/include/xen/mem_access.h b/xen/include/xen/mem_access.h
index e4d24502e0..00e594a0ad 100644
--- a/xen/include/xen/mem_access.h
+++ b/xen/include/xen/mem_access.h
@@ -75,6 +75,9 @@  long p2m_set_mem_access_multi(struct domain *d,
 int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve,
                         unsigned int altp2m_idx);
 
+int p2m_set_suppress_ve_multi(struct domain *d,
+                              struct xen_hvm_altp2m_suppress_ve_multi *suppress_ve);
+
 int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
                         unsigned int altp2m_idx);