From patchwork Thu Mar 24 03:13:42 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Konrad Rzeszutek Wilk X-Patchwork-Id: 8656911 Return-Path: X-Original-To: patchwork-xen-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 4F8B39F44D for ; Thu, 24 Mar 2016 03:18:11 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 2ED772034F for ; Thu, 24 Mar 2016 03:18:09 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 04631202E5 for ; Thu, 24 Mar 2016 03:18:07 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1aivjd-0002ra-LS; Thu, 24 Mar 2016 03:14:57 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1aivjb-0002qt-Ue for xen-devel@lists.xenproject.org; Thu, 24 Mar 2016 03:14:56 +0000 Received: from [193.109.254.147] by server-7.bemta-14.messagelabs.com id A7/57-04065-FAB53F65; Thu, 24 Mar 2016 03:14:55 +0000 X-Env-Sender: konrad.wilk@oracle.com X-Msg-Ref: server-5.tower-27.messagelabs.com!1458789292!33527772!1 X-Originating-IP: [141.146.126.69] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogMTQxLjE0Ni4xMjYuNjkgPT4gMjc3MjE4\n X-StarScan-Received: X-StarScan-Version: 8.11; banners=-,-,- X-VirusChecked: Checked Received: (qmail 52681 invoked from network); 24 Mar 2016 03:14:53 -0000 Received: from aserp1040.oracle.com (HELO aserp1040.oracle.com) (141.146.126.69) by server-5.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 24 Mar 2016 03:14:53 -0000 Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u2O3DkUw009964 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Mar 2016 03:13:46 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id u2O3Dkm3014929 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Mar 2016 03:13:46 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u2O3Djxo021636; Thu, 24 Mar 2016 03:13:45 GMT Received: from localhost.localdomain (/209.6.196.81) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 23 Mar 2016 20:13:45 -0700 Date: Wed, 23 Mar 2016 23:13:42 -0400 From: Konrad Rzeszutek Wilk To: Jan Beulich Message-ID: <20160324031342.GC13266@localhost.localdomain> References: <1458064616-23101-1-git-send-email-konrad.wilk@oracle.com> <1458064616-23101-13-git-send-email-konrad.wilk@oracle.com> <56F2AD7102000078000DFAEB@prv-mh.provo.novell.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <56F2AD7102000078000DFAEB@prv-mh.provo.novell.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: aserv0022.oracle.com [141.146.126.234] Cc: Wei Liu , Stefano Stabellini , andrew.cooper3@citrix.com, Ian Jackson , mpohlack@amazon.de, ross.lagerwall@citrix.com, xen-devel@lists.xenproject.org, Daniel De Graaf , sasha.levin@oracle.com Subject: Re: [Xen-devel] [PATCH v4 12/34] xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On Wed, Mar 23, 2016 at 07:51:29AM -0600, Jan Beulich wrote: > >>> On 15.03.16 at 18:56, wrote: > > --- a/xen/common/Kconfig > > +++ b/xen/common/Kconfig > > @@ -168,4 +168,15 @@ config SCHED_DEFAULT > > > > endmenu > > > > +# Enable/Disable xsplice support > > +config XSPLICE > > + bool "xSplice live patching support" > > + default y > > Isn't it a little early in the series to default this to on? I am ambitious! > > And then of course the EXPERT question comes up again. No > matter that IanC is no longer around to help with the > argumentation, the point he has been making about too many > flavors ending up in the wild continues to apply. 'too many flavors'? As in different versions of Xen with or without these options enabled? .. snip.. > > > +static int find_payload(const xen_xsplice_name_t *name, struct payload **f) > ..snip.. > > + return -EFAULT; > > + > > + spin_lock_recursive(&payload_lock); > > Why do you need a recursive lock here? I think something like this > should be reasoned about in the commit message. The earlier version used an extra parameter (locked) to diffrenciate whether to take a lock or not as the caller could have taken it. Andrew didn't like it particularly and asked it to be recursive so that we don't by accident mess up the locking. .. snip.. > > +static int xsplice_upload(xen_sysctl_xsplice_upload_t *upload) .. snip.. > > + out: > > + vfree(raw_data); > > By here you allocated and filled raw_data. And now you > unconditionally free it. What is that good for? Nothing. It was added as a placeholder - as the patch titled "xsplice: Implement payload loading" is actually doing useful things. I've moved the operations around raw_data into that patch. > > +static int xsplice_list(xen_sysctl_xsplice_list_t *list) > > +{ > > + xen_xsplice_status_t status; > > + struct payload *data; > > + unsigned int idx = 0, i = 0; > > + int rc = 0; > > + > > + if ( list->nr > 1024 ) > > + return -E2BIG; > > + > > + if ( list->pad != 0 ) > > + return -EINVAL; > > + > > + if ( !guest_handle_okay(list->status, sizeof(status) * list->nr) || > > + !guest_handle_okay(list->name, XEN_XSPLICE_NAME_SIZE * list->nr) || > > + !guest_handle_okay(list->len, sizeof(uint32_t) * list->nr) ) > > guest_handle_okay() already takes into account the element size, > i.e. it's only the middle one which needs to do any multiplication. > > > + return -EINVAL; > > + > > + spin_lock_recursive(&payload_lock); > > + if ( list->idx > payload_cnt || !list->nr ) > > The list->nr check could move up outside the locked region (e.g. > merge with the pad field check). I reworked this a bit. I made it so that if list->nr is 0 we would populate list->nr=payload_count, list->version=payload_version. > > > + { > > + spin_unlock_recursive(&payload_lock); > > + return -EINVAL; > > + } > > + > > + list_for_each_entry( data, &payload_list, list ) > > Aren't you lacking a list->version check prior to entering this loop > (which would then mean you don't need to store it below, but only > on the error path from that check)? No. The toolstack has no idea of what the right version is on the first invocation. Which is OK since it gets fresh data (it is its first invocation). On subsequent invocations we gleefuly populate up to min(payload_cnt, ->nr) of data even if the version the toolstack provided is different. The toolstack will have to decide to throw away the data and retry the hypercall; or print it out as is. > > > + { > > + uint32_t len; > > + > > + if ( list->idx > i++ ) > > + continue; > > + > > + status.state = data->state; > > + status.rc = data->rc; > > + len = strlen(data->name); > > + > > + /* N.B. 'idx' != 'i'. */ > > + if ( __copy_to_guest_offset(list->name, idx * XEN_XSPLICE_NAME_SIZE, > > + data->name, len) || > > + __copy_to_guest_offset(list->len, idx, &len, 1) || > > You're not coping the NUL terminator here, which makes the result > more cumbersome to consume by the caller. Perhaps > XEN_XSPLICE_NAME_SIZE should remain to be 128 (other than > suggested above), but be specified to include the terminator? Yes. Fixed that. It also needed a minor change in: "libxc: Implementation of XEN_XSPLICE_op in libxc" to account for strlen. (+1 to its result) Here is the newly minted patch with your suggestions hopefully implemented to your liking! From 40f0e9fdb50935d4d3df608950313051a28f12b9 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Mon, 25 Jan 2016 10:51:22 -0500 Subject: [PATCH] xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op The implementation does not actually do any patching. It just adds the framework for doing the hypercalls, keeping track of ELF payloads, and the basic operations: - query which payloads exist, - query for specific payloads, - check*1, apply*1, replace*1, and unload payloads. *1: Which of course in this patch are nops. The functionality is disabled on ARM until all arch components are implemented. Also by default it is disabled until the implementation is in place. We also use recursive spinlocks to so that the find_payload function does not need to have a 'lock' and 'non-lock' variant. Acked-by: Daniel De Graaf Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ross Lagerwall --- Cc: Daniel De Graaf Cc: Ian Jackson Cc: Stefano Stabellini Cc: Wei Liu v2: Rebased on keyhandler: rework keyhandler infrastructure v3: Fixed XSM. - Removed REVERTED state. Split status and error code. Add REPLACE action. Separate payload data from the payload structure. s/XSPLICE_ID_../XSPLICE_NAME_../ - Add xsplice and CONFIG_XSPLICE build toption. Fix code per Jan's review. Update the sysctl.h (change bits to enum like) - Rebase on Kconfig changes. - Add missing pad checks. Re-order keyhandler.h to build on ARM. - Rebase on build: hook the schedulers into Kconfig - s/id/name/; s/payload_list_lock/payload_lock/ - Put #ifdef CONFIG_XSPLICE in header file per Doug review. - Andrew review: - use recursive spinlocks, change name to xsplice_op, sprinkle new-lines, add local variable block, include state diagram, squash two goto labels, use vzalloc instead of alloc_xenheap_pages. - change 'state' from int32 to uint32_t - remove the err label out of xsplice_upload - use void* instaed of uint8_t - move code around to make it easier to read. - Add vmap.h to compiler under ARM. - Add missing Copyright in header file - Dropped LOADED state, make the payload go in CHECKED. v4: Made it only work on x86 per Julien's (ARM) maintainer request. v5: Dropped the load->check state example in sysctl.h Made the ->nr=0 call work. Remove rc=0 in lots of cases. --- tools/flask/policy/policy/modules/xen/xen.te | 1 + xen/common/Kconfig | 12 + xen/common/Makefile | 1 + xen/common/sysctl.c | 7 + xen/common/xsplice.c | 406 +++++++++++++++++++++++++++ xen/include/public/sysctl.h | 166 +++++++++++ xen/include/xen/xsplice.h | 35 +++ xen/xsm/flask/hooks.c | 6 + xen/xsm/flask/policy/access_vectors | 2 + 9 files changed, 636 insertions(+) create mode 100644 xen/common/xsplice.c create mode 100644 xen/include/xen/xsplice.h diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 7e69ce9..68ef6de 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -72,6 +72,7 @@ allow dom0_t xen_t:xen2 { allow dom0_t xen_t:xen2 { pmu_ctrl get_symbol + xsplice_op }; # Allow dom0 to use all XENVER_ subops and VERSION subops that have checks. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 3522ecb..d80dddb 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -182,4 +182,16 @@ config SCHED_DEFAULT endmenu +# Enable/Disable xsplice support +config XSPLICE + bool "xSplice live patching support" + default n + depends on X86 + ---help--- + Allows a running Xen hypervisor to be dynamically patched using + binary patches without rebooting. This is primarily used to binarily + patch in the field an hypervisor with XSA fixes. + + If unsure, say Y. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index e43ec49..1e4bc70 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -58,6 +58,7 @@ obj-y += vsprintf.o obj-y += wait.o obj-$(CONFIG_XENOPROF) += xenoprof.o obj-y += xmalloc_tlsf.o +obj-$(CONFIG_XSPLICE) += xsplice.o obj-bin-$(CONFIG_X86) += $(foreach n,decompress bunzip2 unxz unlzma unlzo unlz4 earlycpio,$(n).init.o) diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 253b7c8..0fac940 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -28,6 +28,7 @@ #include #include #include +#include long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) { @@ -460,6 +461,12 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) ret = tmem_control(&op->u.tmem_op); break; + case XEN_SYSCTL_xsplice_op: + ret = xsplice_op(&op->u.xsplice); + if ( ret != -EOPNOTSUPP ) + copyback = 1; + break; + default: ret = arch_do_sysctl(op, u_sysctl); copyback = 0; diff --git a/xen/common/xsplice.c b/xen/common/xsplice.c new file mode 100644 index 0000000..0047032 --- /dev/null +++ b/xen/common/xsplice.c @@ -0,0 +1,406 @@ +/* + * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +static DEFINE_SPINLOCK(payload_lock); +static LIST_HEAD(payload_list); + +static unsigned int payload_cnt; +static unsigned int payload_version = 1; + +struct payload { + uint32_t state; /* One of the XSPLICE_STATE_*. */ + int32_t rc; /* 0 or -XEN_EXX. */ + struct list_head list; /* Linked to 'payload_list'. */ + char name[XEN_XSPLICE_NAME_SIZE]; /* Name of it. */ +}; + +static int verify_name(const xen_xsplice_name_t *name) +{ + if ( !name->size || name->size > XEN_XSPLICE_NAME_SIZE ) + return -EINVAL; + + if ( name->pad[0] || name->pad[1] || name->pad[2] ) + return -EINVAL; + + if ( !guest_handle_okay(name->name, name->size) ) + return -EINVAL; + + return 0; +} + +static int verify_payload(const xen_sysctl_xsplice_upload_t *upload) +{ + if ( verify_name(&upload->name) ) + return -EINVAL; + + if ( !upload->size ) + return -EINVAL; + + if ( upload->size > MB(2) ) + return -EINVAL; + + if ( !guest_handle_okay(upload->payload, upload->size) ) + return -EFAULT; + + return 0; +} + +/* + * We may be holding the payload_lock or not. Hence we need + * the recursive spinlock. Or we can judiciously use an + * lock argument to differenciate - but it is simpler with recursive locks. + */ +static struct payload *find_payload(const xen_xsplice_name_t *name) +{ + struct payload *data, *found = NULL; + char n[XEN_XSPLICE_NAME_SIZE]; + int rc; + + rc = verify_name(name); + if ( rc ) + return ERR_PTR(rc); + + if ( __copy_from_guest(n, name->name, name->size) ) + return ERR_PTR(-EFAULT); + + if ( n[name->size - 1] ) + return ERR_PTR(-EINVAL); + + spin_lock_recursive(&payload_lock); + + list_for_each_entry ( data, &payload_list, list ) + { + if ( !strcmp(data->name, n) ) + { + found = data; + break; + } + } + + spin_unlock_recursive(&payload_lock); + + return found; +} + +/* We MUST be holding the payload_lock spinlock. */ +static void free_payload(struct payload *data) +{ + ASSERT(spin_is_locked(&payload_lock)); + list_del(&data->list); + payload_cnt--; + payload_version++; + xfree(data); +} + +static int xsplice_upload(xen_sysctl_xsplice_upload_t *upload) +{ + struct payload *data; + int rc; + + rc = verify_payload(upload); + if ( rc ) + return rc; + + data = find_payload(&upload->name); + if ( data && !IS_ERR(data) /* Found. */ ) + return -EEXIST; + + if ( IS_ERR(data) ) + return PTR_ERR(data); + + data = xzalloc(struct payload); + if ( !data ) + return -ENOMEM; + + rc = -EFAULT; + if ( __copy_from_guest(data->name, upload->name.name, upload->name.size) ) + goto out; + + rc = -EINVAL; + if ( data->name[upload->name.size - 1] ) + goto out; + + rc = 0; + data->state = XSPLICE_STATE_CHECKED; + INIT_LIST_HEAD(&data->list); + + spin_lock_recursive(&payload_lock); + list_add_tail(&data->list, &payload_list); + payload_cnt++; + payload_version++; + spin_unlock_recursive(&payload_lock); + + out: + if ( rc ) + xfree(data); + + return rc; +} + +static int xsplice_get(xen_sysctl_xsplice_get_t *get) +{ + struct payload *data; + int rc; + + rc = verify_name(&get->name); + if ( rc ) + return rc; + + spin_lock_recursive(&payload_lock); + + data = find_payload(&get->name); + if ( IS_ERR_OR_NULL(data) ) + { + spin_unlock_recursive(&payload_lock); + if ( !data ) + return -ENOENT; + + return PTR_ERR(data); + } + + get->status.state = data->state; + get->status.rc = data->rc; + + spin_unlock_recursive(&payload_lock); + + return 0; +} + +static int xsplice_list(xen_sysctl_xsplice_list_t *list) +{ + xen_xsplice_status_t status; + struct payload *data; + unsigned int idx = 0, i = 0; + int rc = 0; + + if ( list->nr > 1024 ) + return -E2BIG; + + if ( list->pad ) + return -EINVAL; + + if ( list->nr && + (!guest_handle_okay(list->status, list->nr) || + !guest_handle_okay(list->name, XEN_XSPLICE_NAME_SIZE * list->nr) || + !guest_handle_okay(list->len, list->nr)) ) + return -EINVAL; + + spin_lock_recursive(&payload_lock); + if ( list->idx > payload_cnt ) + { + spin_unlock_recursive(&payload_lock); + return -EINVAL; + } + + if ( list->nr ) + { + list_for_each_entry( data, &payload_list, list ) + { + uint32_t len; + + if ( list->idx > i++ ) + continue; + + status.state = data->state; + status.rc = data->rc; + len = strlen(data->name) + 1; + + /* N.B. 'idx' != 'i'. */ + if ( __copy_to_guest_offset(list->name, idx * XEN_XSPLICE_NAME_SIZE, + data->name, len) || + __copy_to_guest_offset(list->len, idx, &len, 1) || + __copy_to_guest_offset(list->status, idx, &status, 1) ) + { + rc = -EFAULT; + break; + } + + idx++; + + if ( (idx >= list->nr) || hypercall_preempt_check() ) + break; + } + } + list->nr = payload_cnt - i; /* Remaining amount. */ + list->version = payload_version; + spin_unlock_recursive(&payload_lock); + + /* And how many we have processed. */ + return rc ? : idx; +} + +static int xsplice_action(xen_sysctl_xsplice_action_t *action) +{ + struct payload *data; + int rc; + + rc = verify_name(&action->name); + if ( rc ) + return rc; + + spin_lock_recursive(&payload_lock); + data = find_payload(&action->name); + if ( IS_ERR_OR_NULL(data) ) + { + spin_unlock_recursive(&payload_lock); + if ( !data ) + return -ENOENT; + + return PTR_ERR(data); + } + + switch ( action->cmd ) + { + case XSPLICE_ACTION_CHECK: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_CHECKED; + data->rc = 0; + } + break; + + case XSPLICE_ACTION_UNLOAD: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + free_payload(data); + /* No touching 'data' from here on! */ + data = NULL; + } + break; + + case XSPLICE_ACTION_REVERT: + if ( data->state == XSPLICE_STATE_APPLIED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_CHECKED; + data->rc = 0; + } + break; + + case XSPLICE_ACTION_APPLY: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_APPLIED; + data->rc = 0; + } + break; + + case XSPLICE_ACTION_REPLACE: + if ( data->state == XSPLICE_STATE_CHECKED ) + { + /* No implementation yet. */ + data->state = XSPLICE_STATE_CHECKED; + data->rc = 0; + } + break; + + default: + rc = -EOPNOTSUPP; + break; + } + + spin_unlock_recursive(&payload_lock); + + return rc; +} + +int xsplice_op(xen_sysctl_xsplice_op_t *xsplice) +{ + int rc; + + if ( xsplice->pad ) + return -EINVAL; + + switch ( xsplice->cmd ) + { + case XEN_SYSCTL_XSPLICE_UPLOAD: + rc = xsplice_upload(&xsplice->u.upload); + break; + + case XEN_SYSCTL_XSPLICE_GET: + rc = xsplice_get(&xsplice->u.get); + break; + + case XEN_SYSCTL_XSPLICE_LIST: + rc = xsplice_list(&xsplice->u.list); + break; + + case XEN_SYSCTL_XSPLICE_ACTION: + rc = xsplice_action(&xsplice->u.action); + break; + + default: + rc = -EOPNOTSUPP; + break; + } + + return rc; +} + +static const char *state2str(uint32_t state) +{ +#define STATE(x) [XSPLICE_STATE_##x] = #x + static const char *const names[] = { + STATE(CHECKED), + STATE(APPLIED), + }; +#undef STATE + + if (state >= ARRAY_SIZE(names) || !names[state]) + return "unknown"; + + return names[state]; +} + +static void xsplice_printall(unsigned char key) +{ + struct payload *data; + + if ( !spin_trylock_recursive(&payload_lock) ) + { + printk("Lock held. Try again.\n"); + return; + } + + list_for_each_entry ( data, &payload_list, list ) + printk(" name=%s state=%s(%d)\n", data->name, + state2str(data->state), data->state); + + spin_unlock_recursive(&payload_lock); +} + +static int __init xsplice_init(void) +{ + register_keyhandler('x', xsplice_printall, "print xsplicing info", 1); + return 0; +} +__initcall(xsplice_init); + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 96680eb..ce674d8 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -766,6 +766,170 @@ struct xen_sysctl_tmem_op { typedef struct xen_sysctl_tmem_op xen_sysctl_tmem_op_t; DEFINE_XEN_GUEST_HANDLE(xen_sysctl_tmem_op_t); +/* + * XEN_SYSCTL_XSPLICE_op + * + * Refer to the docs/unstable/misc/xsplice.markdown + * for the design details of this hypercall. + * + * There are four sub-ops: + * XEN_SYSCTL_XSPLICE_UPLOAD (0) + * XEN_SYSCTL_XSPLICE_GET (1) + * XEN_SYSCTL_XSPLICE_LIST (2) + * XEN_SYSCTL_XSPLICE_ACTION (3) + * + * The normal sequence of sub-ops is to: + * 1) XEN_SYSCTL_XSPLICE_UPLOAD to upload the payload. If errors STOP. + * 2) XEN_SYSCTL_XSPLICE_GET to check the `->rc`. If -XEN_EAGAIN spin. + * If zero go to next step. + * 3) XEN_SYSCTL_XSPLICE_ACTION with XSPLICE_ACTION_APPLY to apply the patch. + * 4) XEN_SYSCTL_XSPLICE_GET to check the `->rc`. If in -XEN_EAGAIN spin. + * If zero exit with success. + */ + +/* + * Structure describing an ELF payload. Uniquely identifies the + * payload. Should be human readable. + * Recommended length is upto XEN_XSPLICE_NAME_SIZE. + * Includes the NUL terminator. + */ +#define XEN_XSPLICE_NAME_SIZE 128 +struct xen_xsplice_name { + XEN_GUEST_HANDLE_64(char) name; /* IN: pointer to name. */ + uint16_t size; /* IN: size of name. May be upto + XEN_XSPLICE_NAME_SIZE. */ + uint16_t pad[3]; /* IN: MUST be zero. */ +}; +typedef struct xen_xsplice_name xen_xsplice_name_t; +DEFINE_XEN_GUEST_HANDLE(xen_xsplice_name_t); + +/* + * Upload a payload to the hypervisor. The payload is verified + * against basic checks and if there are any issues the proper return code + * will be returned. The payload is not applied at this time - that is + * controlled by XEN_SYSCTL_XSPLICE_ACTION. + * + * The return value is zero if the payload was succesfully uploaded. + * Otherwise an EXX return value is provided. Duplicate `name` are not + * supported. + * + * The payload at this point is verified against basic checks. + * + * The `payload` is the ELF payload as mentioned in the `Payload format` + * section in the xSplice design document. + */ +#define XEN_SYSCTL_XSPLICE_UPLOAD 0 +struct xen_sysctl_xsplice_upload { + xen_xsplice_name_t name; /* IN, name of the patch. */ + uint64_t size; /* IN, size of the ELF file. */ + XEN_GUEST_HANDLE_64(uint8) payload; /* IN, the ELF file. */ +}; +typedef struct xen_sysctl_xsplice_upload xen_sysctl_xsplice_upload_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_upload_t); + +/* + * Retrieve an status of an specific payload. + * + * Upon completion the `struct xen_xsplice_status` is updated. + * + * The return value is zero on success and XEN_EXX on failure. This operation + * is synchronous and does not require preemption. + */ +#define XEN_SYSCTL_XSPLICE_GET 1 + +struct xen_xsplice_status { +#define XSPLICE_STATE_CHECKED 1 +#define XSPLICE_STATE_APPLIED 2 + uint32_t state; /* OUT: XSPLICE_STATE_*. */ + int32_t rc; /* OUT: 0 if no error, otherwise -XEN_EXX. */ +}; +typedef struct xen_xsplice_status xen_xsplice_status_t; +DEFINE_XEN_GUEST_HANDLE(xen_xsplice_status_t); + +struct xen_sysctl_xsplice_get { + xen_xsplice_name_t name; /* IN, name of the payload. */ + xen_xsplice_status_t status; /* IN/OUT, state of it. */ +}; +typedef struct xen_sysctl_xsplice_get xen_sysctl_xsplice_get_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_get_t); + +/* + * Retrieve an array of abbreviated status and names of payloads that are + * loaded in the hypervisor. + * + * If the hypercall returns an positive number, it is the number (up to `nr`) + * of the payloads returned, along with `nr` updated with the number of remaining + * payloads, `version` updated (it may be the same across hypercalls. If it + * varies the data is stale and further calls could fail). The `status`, + * `name`, and `len`' are updated at their designed index value (`idx`) with + * the returned value of data. + * + * If the hypercall returns E2BIG the `nr` is too big and should be + * lowered. The upper limit of `nr` is left to the implemention. + * + * Note that due to the asynchronous nature of hypercalls the domain might have + * added or removed the number of payloads making this information stale. It is + * the responsibility of the toolstack to use the `version` field to check + * between each invocation. if the version differs it should discard the stale + * data and start from scratch. It is OK for the toolstack to use the new + * `version` field. + */ +#define XEN_SYSCTL_XSPLICE_LIST 2 +struct xen_sysctl_xsplice_list { + uint32_t version; /* OUT: Hypervisor stamps value. + If varies between calls, we are + * getting stale data. */ + uint32_t idx; /* IN: Index into array. */ + uint32_t nr; /* IN: How many status, name, and len + should fill out. Can be zero to get + amount of payloads and version. + OUT: How many payloads left. */ + uint32_t pad; /* IN: Must be zero. */ + XEN_GUEST_HANDLE_64(xen_xsplice_status_t) status; /* OUT. Must have enough + space allocate for nr of them. */ + XEN_GUEST_HANDLE_64(char) name; /* OUT: Array of names. Each member + MUST XEN_XSPLICE_NAME_SIZE in size. + Must have nr of them. */ + XEN_GUEST_HANDLE_64(uint32) len; /* OUT: Array of lengths of name's. + Must have nr of them. */ +}; +typedef struct xen_sysctl_xsplice_list xen_sysctl_xsplice_list_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_list_t); + +/* + * Perform an operation on the payload structure referenced by the `name` field. + * The operation request is asynchronous and the status should be retrieved + * by using either XEN_SYSCTL_XSPLICE_GET or XEN_SYSCTL_XSPLICE_LIST hypercall. + */ +#define XEN_SYSCTL_XSPLICE_ACTION 3 +struct xen_sysctl_xsplice_action { + xen_xsplice_name_t name; /* IN, name of the patch. */ +#define XSPLICE_ACTION_CHECK 1 +#define XSPLICE_ACTION_UNLOAD 2 +#define XSPLICE_ACTION_REVERT 3 +#define XSPLICE_ACTION_APPLY 4 +#define XSPLICE_ACTION_REPLACE 5 + uint32_t cmd; /* IN: XSPLICE_ACTION_*. */ + uint32_t timeout; /* IN: Zero if no timeout. */ + /* Or upper bound of time (ms) */ + /* for operation to take. */ +}; +typedef struct xen_sysctl_xsplice_action xen_sysctl_xsplice_action_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_action_t); + +struct xen_sysctl_xsplice_op { + uint32_t cmd; /* IN: XEN_SYSCTL_XSPLICE_*. */ + uint32_t pad; /* IN: Always zero. */ + union { + xen_sysctl_xsplice_upload_t upload; + xen_sysctl_xsplice_list_t list; + xen_sysctl_xsplice_get_t get; + xen_sysctl_xsplice_action_t action; + } u; +}; +typedef struct xen_sysctl_xsplice_op xen_sysctl_xsplice_op_t; +DEFINE_XEN_GUEST_HANDLE(xen_sysctl_xsplice_op_t); + struct xen_sysctl { uint32_t cmd; #define XEN_SYSCTL_readconsole 1 @@ -791,6 +955,7 @@ struct xen_sysctl { #define XEN_SYSCTL_pcitopoinfo 22 #define XEN_SYSCTL_psr_cat_op 23 #define XEN_SYSCTL_tmem_op 24 +#define XEN_SYSCTL_xsplice_op 25 uint32_t interface_version; /* XEN_SYSCTL_INTERFACE_VERSION */ union { struct xen_sysctl_readconsole readconsole; @@ -816,6 +981,7 @@ struct xen_sysctl { struct xen_sysctl_psr_cmt_op psr_cmt_op; struct xen_sysctl_psr_cat_op psr_cat_op; struct xen_sysctl_tmem_op tmem_op; + struct xen_sysctl_xsplice_op xsplice; uint8_t pad[128]; } u; }; diff --git a/xen/include/xen/xsplice.h b/xen/include/xen/xsplice.h new file mode 100644 index 0000000..5c84851 --- /dev/null +++ b/xen/include/xen/xsplice.h @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. + * + */ + +#ifndef __XEN_XSPLICE_H__ +#define __XEN_XSPLICE_H__ + +struct xen_sysctl_xsplice_op; + +#ifdef CONFIG_XSPLICE + +int xsplice_op(struct xen_sysctl_xsplice_op *); + +#else + +#include /* For -EOPNOTSUPP */ +static inline int xsplice_op(struct xen_sysctl_xsplice_op *op) +{ + return -EOPNOTSUPP; +} + +#endif /* CONFIG_XSPLICE */ + +#endif /* __XEN_XSPLICE_H__ */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 1eaec58..3ef0441 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -808,6 +808,12 @@ static int flask_sysctl(int cmd) case XEN_SYSCTL_tmem_op: return domain_has_xen(current->domain, XEN__TMEM_CONTROL); +#ifdef CONFIG_XSPLICE + case XEN_SYSCTL_xsplice_op: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__XSPLICE_OP, NULL); +#endif + default: printk("flask_sysctl: Unknown op %d\n", cmd); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 56600bb..1c59b58 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -93,6 +93,8 @@ class xen2 pmu_ctrl # PMU use (domains, including unprivileged ones, will be using this operation) pmu_use +# XEN_SYSCTL_xsplice_op + xsplice_op } # Classes domain and domain2 consist of operations that a domain performs on