From patchwork Wed Apr 27 19:26:59 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Konrad Rzeszutek Wilk X-Patchwork-Id: 8962401 Return-Path: X-Original-To: patchwork-xen-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 8C377BF29F for ; Wed, 27 Apr 2016 19:35:05 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id AFE782021F for ; Wed, 27 Apr 2016 19:35:03 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B10562026C for ; Wed, 27 Apr 2016 19:35:01 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1avVD0-0007do-3n; Wed, 27 Apr 2016 19:33:14 +0000 Received: from mail6.bemta6.messagelabs.com ([85.158.143.247]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1avVCy-0007dg-Kg for xen-devel@lists.xenproject.org; Wed, 27 Apr 2016 19:33:12 +0000 Received: from [85.158.143.35] by server-3.bemta-6.messagelabs.com id 8B/A0-07120-8F311275; Wed, 27 Apr 2016 19:33:12 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprFIsWRWlGSWpSXmKPExsUyZ7p8oO53YcV wgze7JCy+b5nM5MDocfjDFZYAxijWzLyk/IoE1oxJi7czFXSeZKz49/sxSwPjtamMXYxcHEIC bUwSL99cY4dwvjFKvLy3mwXC2cgo8WbqGaiybkaJr+ebmbsYOYGcIokFmxezdjFycLAJmEi8W eUIEhYRWM4o8eJMHkg9s8AHRok1134ygSSEBYIlJjxYzw5iswioSrTvmQxm8wq4Ssye2M0OMk dCQE5iwYV0EJNTwE3izbpoiE2uEg+vfGcBsSUEDCVOP9zGOIGRfwEjwypG9eLUorLUIl1jvaS izPSMktzEzBxdQwMzvdzU4uLE9NScxKRiveT83E2MwBBiAIIdjB3/nA4xSnIwKYnybvijEC7E l5SfUpmRWJwRX1Sak1p8iFGGg0NJgveZkGK4kGBRanpqRVpmDjCYYdISHDxKIrxpIGne4oLE3 OLMdIjUKUZjji0Lbqxl4jiyZdNJJiGWvPy8VClx3kCQUgGQ0ozSPLhBsCi7xCgrJczLCHSaEE 9BalFuZgmq/CtGcQ5GJWHeoyBTeDLzSuD2vQI6hQnolMuHZEFOKUlESEk1MHZf/6QdKPwq7p6 9+cvu7RvM3i954mod43/HM3Ol6jubpiib6R/Wpa6sftffLVxfv/tU4X2RGC/ziyayAvXfVT9a z3bTudNk19T7znOm0CoXpqDZJit3uu736xARWnKM46Xy7Pdvr+nPmL1ih3xTYvmyhOpdWSkqW /SvbM+8pM6g7NSquZq3UomlOCPRUIu5qDgRALK3p3qtAgAA X-Env-Sender: konrad@char.us.oracle.com X-Msg-Ref: server-3.tower-21.messagelabs.com!1461785589!11085646!1 X-Originating-IP: [156.151.31.81] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogMTU2LjE1MS4zMS44MSA9PiAyODgzMzk=\n X-StarScan-Received: X-StarScan-Version: 8.34; banners=-,-,- X-VirusChecked: Checked Received: (qmail 63302 invoked from network); 27 Apr 2016 19:33:10 -0000 Received: from userp1040.oracle.com (HELO userp1040.oracle.com) (156.151.31.81) by server-3.tower-21.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 27 Apr 2016 19:33:10 -0000 Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u3RJS0Sl004551 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Apr 2016 19:28:01 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u3RJRxPQ027188 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Apr 2016 19:28:00 GMT Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u3RJRxRf012635; Wed, 27 Apr 2016 19:27:59 GMT Received: from char.us.oracle.com (/10.137.176.158) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 27 Apr 2016 12:27:58 -0700 Received: by char.us.oracle.com (Postfix, from userid 1000) id 8DF086A0115; Wed, 27 Apr 2016 15:27:57 -0400 (EDT) From: Konrad Rzeszutek Wilk To: konrad@kernel.org, xen-devel@lists.xenproject.org, sasha.levin@oracle.com, andrew.cooper3@citrix.com, ross.lagerwall@citrix.com, mpohlack@amazon.de Date: Wed, 27 Apr 2016 15:26:59 -0400 Message-Id: <1461785241-4481-3-git-send-email-konrad.wilk@oracle.com> X-Mailer: git-send-email 2.5.0 In-Reply-To: <1461785241-4481-1-git-send-email-konrad.wilk@oracle.com> References: <1461785241-4481-1-git-send-email-konrad.wilk@oracle.com> X-Source-IP: userv0021.oracle.com [156.151.31.71] Cc: Wei Liu , Daniel De Graaf , Stefano Stabellini , Ian Jackson , Konrad Rzeszutek Wilk Subject: [Xen-devel] [PATCH v10 02/24] xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The implementation does not actually do any patching. It just adds the framework for doing the hypercalls, keeping track of ELF payloads, and the basic operations: - query which payloads exist, - query for specific payloads, - check*1, apply*1, replace*1, and unload payloads. *1: Which of course in this patch are nops. The functionality is disabled on ARM until all arch components are implemented. Also by default it is disabled until the implementation is in place. We also use recursive spinlocks to so that the find_payload function does not need to have a 'lock' and 'non-lock' variant. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ross Lagerwall Reviewed-by: Andrew Cooper Acked-by: Daniel De Graaf Reviewed-by: Jan Beulich --- Cc: Daniel De Graaf Cc: Ian Jackson Cc: Stefano Stabellini Cc: Wei Liu v2: Rebased on keyhandler: rework keyhandler infrastructure v3: Fixed XSM. - Removed REVERTED state. Split status and error code. Add REPLACE action. Separate payload data from the payload structure. s/XSPLICE_ID_../XSPLICE_NAME_../ - Add xsplice and CONFIG_XSPLICE build toption. Fix code per Jan's review. Update the sysctl.h (change bits to enum like) - Rebase on Kconfig changes. - Add missing pad checks. Re-order keyhandler.h to build on ARM. - Rebase on build: hook the schedulers into Kconfig - s/id/name/; s/payload_list_lock/payload_lock/ - Put #ifdef CONFIG_XSPLICE in header file per Doug review. - Andrew review: - use recursive spinlocks, change name to xsplice_op, sprinkle new-lines, add local variable block, include state diagram, squash two goto labels, use vzalloc instead of alloc_xenheap_pages. - change 'state' from int32 to uint32_t - remove the err label out of xsplice_upload - use void* instaed of uint8_t - move code around to make it easier to read. - Add vmap.h to compiler under ARM. - Add missing Copyright in header file - Dropped LOADED state, make the payload go in CHECKED. v4: Made it only work on x86 per Julien's (ARM) maintainer request. v5: Dropped the load->check state example in sysctl.h Made the ->nr=0 call work. Remove rc=0 in lots of cases. Update header from design doc. v6: Update what 'idx' means. Don't drop lock in find_payload. Make find_name copy data. v7: Don't print -EINVAL when payload_cnt is zero (and toolstack provides idx as zero). Change return code to -ENOSYS, so change callback setting based on -ENOSYS and -EOPNOTSUPP. Add extra printk in keyhandler. Use if (..) else in xsplice_upload instead of two 'if'. Remove #ifdef in XSM machinery. Add Andrew's Reviewed-by. Rebase on x86/cpu: Sysctl and common infrastructure for levelling context switching and xen+tools: Export maximum host and guest cpu featuresets via SYSCTL v9: s/find_name/get_name/, drop locks when allocating data. Drop conditional expression on copyback Move the allocation on upload outside the spinlock. Add (TECH PREVIEW) to the Kconfig help Return -EINVAL if the CHECK or UNLOAD action is to be performed and the payload state is not in expected state. Print 'c' not 'u' when invoking the keyhandler. v10: Dropped Reviewed-by. Use copy_from_guest in get_name Drop XSPLICE_ACTION_CHECK Fix 'else' coding violation s/uint32_t/unsigned int/ on state2str and add missing blanks. v10 - patch inline in v8 patchset response Use Jan's version of if/else if flow in upload code. --- tools/flask/policy/policy/modules/xen/xen.te | 1 + xen/common/Kconfig | 12 + xen/common/Makefile | 1 + xen/common/sysctl.c | 7 + xen/common/xsplice.c | 383 +++++++++++++++++++++++++++ xen/include/public/sysctl.h | 165 ++++++++++++ xen/include/xen/xsplice.h | 35 +++ xen/xsm/flask/hooks.c | 4 + xen/xsm/flask/policy/access_vectors | 2 + 9 files changed, 610 insertions(+) create mode 100644 xen/common/xsplice.c create mode 100644 xen/include/xen/xsplice.h diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 2a2630d..daa1315 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -74,6 +74,7 @@ allow dom0_t xen_t:xen2 { get_symbol get_cpu_levelling_caps get_cpu_featureset + xsplice_op }; # Allow dom0 to use all XENVER_ subops that have checks. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index ad9f7bf..692ef51 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -188,4 +188,16 @@ config SCHED_DEFAULT endmenu +# Enable/Disable xsplice support +config XSPLICE + bool "xSplice live patching support (TECH PREVIEW)" + default n + depends on X86 + ---help--- + Allows a running Xen hypervisor to be dynamically patched using + binary patches without rebooting. This is primarily used to binarily + patch in the field an hypervisor with XSA fixes. + + If unsure, say Y. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index 77de27e..910ac69 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -57,6 +57,7 @@ obj-y += vsprintf.o obj-y += wait.o obj-$(CONFIG_XENOPROF) += xenoprof.o obj-y += xmalloc_tlsf.o +obj-$(CONFIG_XSPLICE) += xsplice.o obj-bin-$(CONFIG_X86) += $(foreach n,decompress bunzip2 unxz unlzma unlzo unlz4 earlycpio,$(n).init.o) diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 253b7c8..9a4cc1f 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -28,6 +28,7 @@ #include #include #include +#include long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) { @@ -460,6 +461,12 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) ret = tmem_control(&op->u.tmem_op); break; + case XEN_SYSCTL_xsplice_op: + ret = xsplice_op(&op->u.xsplice); + if ( ret != -ENOSYS && ret != -EOPNOTSUPP ) + copyback = 1; + break; + default: ret = arch_do_sysctl(op, u_sysctl); copyback = 0; diff --git a/xen/common/xsplice.c b/xen/common/xsplice.c new file mode 100644 index 0000000..73e50f0 --- /dev/null +++ b/xen/common/xsplice.c @@ -0,0 +1,383 @@ +/* + * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +/* Protects against payload_list operations. */ +static DEFINE_SPINLOCK(payload_lock); +static LIST_HEAD(payload_list); + +static unsigned int payload_cnt; +static unsigned int payload_version = 1; + +struct payload { + uint32_t state; /* One of the XSPLICE_STATE_*. */ + int32_t rc; /* 0 or -XEN_EXX. */ + struct list_head list; /* Linked to 'payload_list'. */ + char name[XEN_XSPLICE_NAME_SIZE]; /* Name of it. */ +}; + +static int get_name(const xen_xsplice_name_t *name, char *n) +{ + if ( !name->size || name->size > XEN_XSPLICE_NAME_SIZE ) + return -EINVAL; + + if ( name->pad[0] || name->pad[1] || name->pad[2] ) + return -EINVAL; + + if ( copy_from_guest(n, name->name, name->size) ) + return -EFAULT; + + if ( n[name->size - 1] ) + return -EINVAL; + + return 0; +} + +static int verify_payload(const xen_sysctl_xsplice_upload_t *upload, char *n) +{ + if ( get_name(&upload->name, n) ) + return -EINVAL; + + if ( !upload->size ) + return -EINVAL; + + if ( upload->size > MB(2) ) + return -EINVAL; + + if ( !guest_handle_okay(upload->payload, upload->size) ) + return -EFAULT; + + return 0; +} + +static struct payload *find_payload(const char *name) +{ + struct payload *data, *found = NULL; + + ASSERT(spin_is_locked(&payload_lock)); + list_for_each_entry ( data, &payload_list, list ) + { + if ( !strcmp(data->name, name) ) + { + found = data; + break; + } + } + + return found; +} + +static void free_payload(struct payload *data) +{ + ASSERT(spin_is_locked(&payload_lock)); + list_del(&data->list); + payload_cnt--; + payload_version++; + xfree(data); +} + +static int xsplice_upload(xen_sysctl_xsplice_upload_t *upload) +{ + struct payload *data, *found; + char n[XEN_XSPLICE_NAME_SIZE]; + int rc; + + rc = verify_payload(upload, n); + if ( rc ) + return rc; + + data = xzalloc(struct payload); + + spin_lock(&payload_lock); + + found = find_payload(n); + if ( IS_ERR(found) ) + rc = PTR_ERR(found); + else if ( found ) + rc = -EEXIST; + else if ( !data ) + rc = -ENOMEM; + else + { + memcpy(data->name, n, strlen(n)); + data->state = XSPLICE_STATE_CHECKED; + INIT_LIST_HEAD(&data->list); + + list_add_tail(&data->list, &payload_list); + payload_cnt++; + payload_version++; + } + spin_unlock(&payload_lock); + + if ( rc ) + xfree(data); + + return rc; +} + +static int xsplice_get(xen_sysctl_xsplice_get_t *get) +{ + struct payload *data; + int rc; + char n[XEN_XSPLICE_NAME_SIZE]; + + rc = get_name(&get->name, n); + if ( rc ) + return rc; + + spin_lock(&payload_lock); + + data = find_payload(n); + if ( IS_ERR_OR_NULL(data) ) + { + spin_unlock(&payload_lock); + + if ( !data ) + return -ENOENT; + + return PTR_ERR(data); + } + + get->status.state = data->state; + get->status.rc = data->rc; + + spin_unlock(&payload_lock); + + return 0; +} + +static int xsplice_list(xen_sysctl_xsplice_list_t *list) +{ + xen_xsplice_status_t status; + struct payload *data; + unsigned int idx = 0, i = 0; + int rc = 0; + + if ( list->nr > 1024 ) + return -E2BIG; + + if ( list->pad ) + return -EINVAL; + + if ( list->nr && + (!guest_handle_okay(list->status, list->nr) || + !guest_handle_okay(list->name, XEN_XSPLICE_NAME_SIZE * list->nr) || + !guest_handle_okay(list->len, list->nr)) ) + return -EINVAL; + + spin_lock(&payload_lock); + if ( list->idx >= payload_cnt && payload_cnt ) + { + spin_unlock(&payload_lock); + return -EINVAL; + } + + if ( list->nr ) + { + list_for_each_entry( data, &payload_list, list ) + { + uint32_t len; + + if ( list->idx > i++ ) + continue; + + status.state = data->state; + status.rc = data->rc; + len = strlen(data->name) + 1; + + /* N.B. 'idx' != 'i'. */ + if ( __copy_to_guest_offset(list->name, idx * XEN_XSPLICE_NAME_SIZE, + data->name, len) || + __copy_to_guest_offset(list->len, idx, &len, 1) || + __copy_to_guest_offset(list->status, idx, &status, 1) ) + { + rc = -EFAULT; + break; + } + + idx++; + + if ( (idx >= list->nr) || hypercall_preempt_check() ) + break; + } + } + list->nr = payload_cnt - i; /* Remaining amount. */ + list->version = payload_version; + spin_unlock(&payload_lock); + + /* And how many we have processed. */ + return rc ? : idx; +} + +static int xsplice_action(xen_sysctl_xsplice_action_t *action) +{ + struct payload *data; + char n[XEN_XSPLICE_NAME_SIZE]; + int rc; + + rc = get_name(&action->name, n); + if ( rc ) + return rc; + + spin_lock(&payload_lock); + + data = find_payload(n); + if ( IS_ERR_OR_NULL(data) ) + { + spin_unlock(&payload_lock); + + if ( !data ) + return -ENOENT; + + return PTR_ERR(data); + } + + switch ( action->cmd ) + { + case XSPLICE_ACTION_UNLOAD: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + free_payload(data); + /* No touching 'data' from here on! */ + data = NULL; + } + else + rc = -EINVAL; + break; + + case XSPLICE_ACTION_REVERT: + if ( data->state == XSPLICE_STATE_APPLIED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_CHECKED; + data->rc = 0; + } + break; + + case XSPLICE_ACTION_APPLY: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_APPLIED; + data->rc = 0; + } + break; + + case XSPLICE_ACTION_REPLACE: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_CHECKED; + data->rc = 0; + } + break; + + default: + rc = -EOPNOTSUPP; + break; + } + + spin_unlock(&payload_lock); + + return rc; +} + +int xsplice_op(xen_sysctl_xsplice_op_t *xsplice) +{ + int rc; + + if ( xsplice->pad ) + return -EINVAL; + + switch ( xsplice->cmd ) + { + case XEN_SYSCTL_XSPLICE_UPLOAD: + rc = xsplice_upload(&xsplice->u.upload); + break; + + case XEN_SYSCTL_XSPLICE_GET: + rc = xsplice_get(&xsplice->u.get); + break; + + case XEN_SYSCTL_XSPLICE_LIST: + rc = xsplice_list(&xsplice->u.list); + break; + + case XEN_SYSCTL_XSPLICE_ACTION: + rc = xsplice_action(&xsplice->u.action); + break; + + default: + rc = -EOPNOTSUPP; + break; + } + + return rc; +} + +static const char *state2str(unsigned int state) +{ +#define STATE(x) [XSPLICE_STATE_##x] = #x + static const char *const names[] = { + STATE(CHECKED), + STATE(APPLIED), + }; +#undef STATE + + if ( state >= ARRAY_SIZE(names) || !names[state] ) + return "unknown"; + + return names[state]; +} + +static void xsplice_printall(unsigned char key) +{ + struct payload *data; + + printk("'%c' pressed - Dumping all xsplice patches\n", key); + + if ( !spin_trylock(&payload_lock) ) + { + printk("Lock held. Try again.\n"); + return; + } + + list_for_each_entry ( data, &payload_list, list ) + printk(" name=%s state=%s(%d)\n", data->name, + state2str(data->state), data->state); + + spin_unlock(&payload_lock); +} + +static int __init xsplice_init(void) +{ + register_keyhandler('x', xsplice_printall, "print xsplicing info", 1); + return 0; +} +__initcall(xsplice_init); + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 82a2a3e..3fa1fe7 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -848,6 +848,169 @@ struct xen_sysctl_cpu_featureset { typedef struct xen_sysctl_featureset xen_sysctl_featureset_t; DEFINE_XEN_GUEST_HANDLE(xen_sysctl_featureset_t); +/* + * XEN_SYSCTL_XSPLICE_op + * + * Refer to the docs/unstable/misc/xsplice.markdown + * for the design details of this hypercall. + * + * There are four sub-ops: + * XEN_SYSCTL_XSPLICE_UPLOAD (0) + * XEN_SYSCTL_XSPLICE_GET (1) + * XEN_SYSCTL_XSPLICE_LIST (2) + * XEN_SYSCTL_XSPLICE_ACTION (3) + * + * The normal sequence of sub-ops is to: + * 1) XEN_SYSCTL_XSPLICE_UPLOAD to upload the payload. If errors STOP. + * 2) XEN_SYSCTL_XSPLICE_GET to check the `->rc`. If -XEN_EAGAIN spin. + * If zero go to next step. + * 3) XEN_SYSCTL_XSPLICE_ACTION with XSPLICE_ACTION_APPLY to apply the patch. + * 4) XEN_SYSCTL_XSPLICE_GET to check the `->rc`. If in -XEN_EAGAIN spin. + * If zero exit with success. + */ + +/* + * Structure describing an ELF payload. Uniquely identifies the + * payload. Should be human readable. + * Recommended length is upto XEN_XSPLICE_NAME_SIZE. + * Includes the NUL terminator. + */ +#define XEN_XSPLICE_NAME_SIZE 128 +struct xen_xsplice_name { + XEN_GUEST_HANDLE_64(char) name; /* IN: pointer to name. */ + uint16_t size; /* IN: size of name. May be upto + XEN_XSPLICE_NAME_SIZE. */ + uint16_t pad[3]; /* IN: MUST be zero. */ +}; +typedef struct xen_xsplice_name xen_xsplice_name_t; +DEFINE_XEN_GUEST_HANDLE(xen_xsplice_name_t); + +/* + * Upload a payload to the hypervisor. The payload is verified + * against basic checks and if there are any issues the proper return code + * will be returned. The payload is not applied at this time - that is + * controlled by XEN_SYSCTL_XSPLICE_ACTION. + * + * The return value is zero if the payload was succesfully uploaded. + * Otherwise an EXX return value is provided. Duplicate `name` are not + * supported. + * + * The payload at this point is verified against basic checks. + * + * The `payload` is the ELF payload as mentioned in the `Payload format` + * section in the xSplice design document. + */ +#define XEN_SYSCTL_XSPLICE_UPLOAD 0 +struct xen_sysctl_xsplice_upload { + xen_xsplice_name_t name; /* IN, name of the patch. */ + uint64_t size; /* IN, size of the ELF file. */ + XEN_GUEST_HANDLE_64(uint8) payload; /* IN, the ELF file. */ +}; +typedef struct xen_sysctl_xsplice_upload xen_sysctl_xsplice_upload_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_upload_t); + +/* + * Retrieve an status of an specific payload. + * + * Upon completion the `struct xen_xsplice_status` is updated. + * + * The return value is zero on success and XEN_EXX on failure. This operation + * is synchronous and does not require preemption. + */ +#define XEN_SYSCTL_XSPLICE_GET 1 + +struct xen_xsplice_status { +#define XSPLICE_STATE_CHECKED 1 +#define XSPLICE_STATE_APPLIED 2 + uint32_t state; /* OUT: XSPLICE_STATE_*. */ + int32_t rc; /* OUT: 0 if no error, otherwise -XEN_EXX. */ +}; +typedef struct xen_xsplice_status xen_xsplice_status_t; +DEFINE_XEN_GUEST_HANDLE(xen_xsplice_status_t); + +struct xen_sysctl_xsplice_get { + xen_xsplice_name_t name; /* IN, name of the payload. */ + xen_xsplice_status_t status; /* IN/OUT, state of it. */ +}; +typedef struct xen_sysctl_xsplice_get xen_sysctl_xsplice_get_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_get_t); + +/* + * Retrieve an array of abbreviated status and names of payloads that are + * loaded in the hypervisor. + * + * If the hypercall returns an positive number, it is the number (up to `nr`) + * of the payloads returned, along with `nr` updated with the number of remaining + * payloads, `version` updated (it may be the same across hypercalls. If it + * varies the data is stale and further calls could fail). The `status`, + * `name`, and `len`' are updated at their designed index value (`idx`) with + * the returned value of data. + * + * If the hypercall returns E2BIG the `nr` is too big and should be + * lowered. The upper limit of `nr` is left to the implemention. + * + * Note that due to the asynchronous nature of hypercalls the domain might have + * added or removed the number of payloads making this information stale. It is + * the responsibility of the toolstack to use the `version` field to check + * between each invocation. if the version differs it should discard the stale + * data and start from scratch. It is OK for the toolstack to use the new + * `version` field. + */ +#define XEN_SYSCTL_XSPLICE_LIST 2 +struct xen_sysctl_xsplice_list { + uint32_t version; /* OUT: Hypervisor stamps value. + If varies between calls, we are + * getting stale data. */ + uint32_t idx; /* IN: Index into hypervisor list. */ + uint32_t nr; /* IN: How many status, name, and len + should fill out. Can be zero to get + amount of payloads and version. + OUT: How many payloads left. */ + uint32_t pad; /* IN: Must be zero. */ + XEN_GUEST_HANDLE_64(xen_xsplice_status_t) status; /* OUT. Must have enough + space allocate for nr of them. */ + XEN_GUEST_HANDLE_64(char) name; /* OUT: Array of names. Each member + MUST XEN_XSPLICE_NAME_SIZE in size. + Must have nr of them. */ + XEN_GUEST_HANDLE_64(uint32) len; /* OUT: Array of lengths of name's. + Must have nr of them. */ +}; +typedef struct xen_sysctl_xsplice_list xen_sysctl_xsplice_list_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_list_t); + +/* + * Perform an operation on the payload structure referenced by the `name` field. + * The operation request is asynchronous and the status should be retrieved + * by using either XEN_SYSCTL_XSPLICE_GET or XEN_SYSCTL_XSPLICE_LIST hypercall. + */ +#define XEN_SYSCTL_XSPLICE_ACTION 3 +struct xen_sysctl_xsplice_action { + xen_xsplice_name_t name; /* IN, name of the patch. */ +#define XSPLICE_ACTION_UNLOAD 1 +#define XSPLICE_ACTION_REVERT 2 +#define XSPLICE_ACTION_APPLY 3 +#define XSPLICE_ACTION_REPLACE 4 + uint32_t cmd; /* IN: XSPLICE_ACTION_*. */ + uint32_t timeout; /* IN: Zero if no timeout. */ + /* Or upper bound of time (ms) */ + /* for operation to take. */ +}; +typedef struct xen_sysctl_xsplice_action xen_sysctl_xsplice_action_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_action_t); + +struct xen_sysctl_xsplice_op { + uint32_t cmd; /* IN: XEN_SYSCTL_XSPLICE_*. */ + uint32_t pad; /* IN: Always zero. */ + union { + xen_sysctl_xsplice_upload_t upload; + xen_sysctl_xsplice_list_t list; + xen_sysctl_xsplice_get_t get; + xen_sysctl_xsplice_action_t action; + } u; +}; +typedef struct xen_sysctl_xsplice_op xen_sysctl_xsplice_op_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_op_t); + struct xen_sysctl { uint32_t cmd; #define XEN_SYSCTL_readconsole 1 @@ -875,6 +1038,7 @@ struct xen_sysctl { #define XEN_SYSCTL_tmem_op 24 #define XEN_SYSCTL_get_cpu_levelling_caps 25 #define XEN_SYSCTL_get_cpu_featureset 26 +#define XEN_SYSCTL_xsplice_op 27 uint32_t interface_version; /* XEN_SYSCTL_INTERFACE_VERSION */ union { struct xen_sysctl_readconsole readconsole; @@ -902,6 +1066,7 @@ struct xen_sysctl { struct xen_sysctl_tmem_op tmem_op; struct xen_sysctl_cpu_levelling_caps cpu_levelling_caps; struct xen_sysctl_cpu_featureset cpu_featureset; + struct xen_sysctl_xsplice_op xsplice; uint8_t pad[128]; } u; }; diff --git a/xen/include/xen/xsplice.h b/xen/include/xen/xsplice.h new file mode 100644 index 0000000..b9f08cd --- /dev/null +++ b/xen/include/xen/xsplice.h @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. + * + */ + +#ifndef __XEN_XSPLICE_H__ +#define __XEN_XSPLICE_H__ + +struct xen_sysctl_xsplice_op; + +#ifdef CONFIG_XSPLICE + +int xsplice_op(struct xen_sysctl_xsplice_op *); + +#else + +#include /* For -ENOSYS */ +static inline int xsplice_op(struct xen_sysctl_xsplice_op *op) +{ + return -ENOSYS; +} + +#endif /* CONFIG_XSPLICE */ + +#endif /* __XEN_XSPLICE_H__ */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 6295768..c2df48f 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -814,6 +814,10 @@ static int flask_sysctl(int cmd) case XEN_SYSCTL_get_cpu_featureset: return domain_has_xen(current->domain, XEN2__GET_CPU_FEATURESET); + case XEN_SYSCTL_xsplice_op: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__XSPLICE_OP, NULL); + default: printk("flask_sysctl: Unknown op %d\n", cmd); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index bdb7b89..e9ab149 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -97,6 +97,8 @@ class xen2 get_cpu_levelling_caps # XEN_SYSCTL_get_cpu_featureset get_cpu_featureset +# XEN_SYSCTL_xsplice_op + xsplice_op } # Classes domain and domain2 consist of operations that a domain performs on