[v2,34/40] xen/mpu: free init memory in MPU system

Message ID	20230113052914.3845596-35-Penny.Zheng@arm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> From: Penny Zheng <Penny.Zheng@arm.com> To: xen-devel@lists.xenproject.org Cc: wei.chen@arm.com, Penny Zheng <Penny.Zheng@arm.com>, Stefano Stabellini <sstabellini@kernel.org>, Julien Grall <julien@xen.org>, Bertrand Marquis <bertrand.marquis@arm.com>, Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>, Penny Zheng <penny.zheng@arm.com> Subject: [PATCH v2 34/40] xen/mpu: free init memory in MPU system Date: Fri, 13 Jan 2023 13:29:07 +0800 Message-Id: <20230113052914.3845596-35-Penny.Zheng@arm.com> In-Reply-To: <20230113052914.3845596-1-Penny.Zheng@arm.com> References: <20230113052914.3845596-1-Penny.Zheng@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	xen/arm: Add Armv8-R64 MPU support to Xen - Part#1 \| expand [v2,00/41] xen/arm: Add Armv8-R64 MPU support to Xen - Part#1 [v2,01/40] xen/arm: remove xen_phys_start and xenheap_phys_end from config.h [v2,02/40] xen/arm: make ARM_EFI selectable for Arm64 [v2,03/40] xen/arm: adjust Xen TLB helpers for Armv8-R64 PMSA [v2,04/40] xen/arm: add an option to define Xen start address for Armv8-R [v2,05/40] xen/arm64: prepare for moving MMU related code from head.S [v2,06/40] xen/arm64: move MMU related code from head.S to head_mmu.S [v2,07/40] xen/arm64: add .text.idmap for Xen identity map sections [v2,08/40] xen/arm: use PA == VA for EARLY_UART_VIRTUAL_ADDRESS on Armv-8R [v2,09/40] xen/arm: decouple copy_from_paddr with FIXMAP [v2,10/40] xen/arm: split MMU and MPU config files from config.h [v2,11/40] xen/mpu: build up start-of-day Xen MPU memory region map [v2,12/40] xen/mpu: introduce helpers for MPU enablement [v2,13/40] xen/mpu: introduce unified function setup_early_uart to map early UART [v2,14/40] xen/arm64: head: Jump to the runtime mapping in enable_mm() [v2,15/40] xen/arm: move MMU-specific memory management code to mm_mmu.c/mm_mmu.h [v2,16/40] xen/arm: introduce setup_mm_mappings [v2,17/40] xen/mpu: plump virt/maddr/mfn convertion in MPU system [v2,18/40] xen/mpu: introduce helper access_protection_region [v2,19/40] xen/mpu: populate a new region in Xen MPU mapping table [v2,20/40] xen/mpu: plump early_fdt_map in MPU systems [v2,21/40] xen/arm: move MMU-specific setup_mm to setup_mmu.c [v2,22/40] xen/mpu: implement MPU version of setup_mm in setup_mpu.c [v2,23/40] xen/mpu: initialize frametable in MPU system [v2,24/40] xen/mpu: introduce "mpu,xxx-memory-section" [v2,25/40] xen/mpu: map MPU guest memory section before static memory initialization [v2,26/40] xen/mpu: destroy an existing entry in Xen MPU memory mapping table [v2,27/40] xen/mpu: map device memory resource in MPU system [v2,28/40] xen/mpu: map boot module section in MPU system [v2,29/40] xen/mpu: introduce mpu_memory_section_contains for address range check [v2,30/40] xen/mpu: disable VMAP sub-system for MPU systems [v2,31/40] xen/mpu: disable FIXMAP in MPU system [v2,32/40] xen/mpu: implement MPU version of ioremap_xxx [v2,33/40] xen/arm: check mapping status and attributes for MPU copy_from_paddr [v2,34/40] xen/mpu: free init memory in MPU system [v2,35/40] xen/mpu: destroy boot modules and early FDT mapping in MPU system [v2,36/40] xen/mpu: Use secure hypervisor timer for AArch64v8R [v2,37/40] xen/mpu: move MMU specific P2M code to p2m_mmu.c [v2,38/40] xen/mpu: implement setup_virt_paging for MPU system [v2,39/40] xen/mpu: re-order xen_mpumap in arch_init_finialize [v2,40/40] xen/mpu: add Kconfig option to enable Armv8-R AArch64 support

Message ID

20230113052914.3845596-35-Penny.Zheng@arm.com (mailing list archive)

State

New, archived

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
From: Penny Zheng <Penny.Zheng@arm.com>
To: xen-devel@lists.xenproject.org
Cc: wei.chen@arm.com,
	Penny Zheng <Penny.Zheng@arm.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Julien Grall <julien@xen.org>,
	Bertrand Marquis <bertrand.marquis@arm.com>,
	Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>,
	Penny Zheng <penny.zheng@arm.com>
Subject: [PATCH v2 34/40] xen/mpu: free init memory in MPU system
Date: Fri, 13 Jan 2023 13:29:07 +0800
Message-Id: <20230113052914.3845596-35-Penny.Zheng@arm.com>
In-Reply-To: <20230113052914.3845596-1-Penny.Zheng@arm.com>
References: <20230113052914.3845596-1-Penny.Zheng@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

xen/arm: Add Armv8-R64 MPU support to Xen - Part#1 | expand

Commit Message

Penny Zheng Jan. 13, 2023, 5:29 a.m. UTC

This commit implements free_init_memory in MPU system, trying to keep
the same strategy with MMU system.

In order to inserting BRK instruction into init code section, which
aims to provok a fault on purpose, we should change init code section
permission to RW at first.
Function modify_xen_mappings is introduced to modify permission of the
existing valid MPU memory region.

Then we nuke the instruction cache to remove entries related to init
text.
At last, we destroy these two MPU memory regions referring init text and
init data using destroy_xen_mappings.

Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Wei Chen <wei.chen@arm.com>
---
 xen/arch/arm/mm_mpu.c | 85 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 2 deletions(-)

Comments

Julien Grall Feb. 9, 2023, 11:27 a.m. UTC | #1

Hi Penny,

On 13/01/2023 05:29, Penny Zheng wrote:
> This commit implements free_init_memory in MPU system, trying to keep
> the same strategy with MMU system.
> 
> In order to inserting BRK instruction into init code section, which
> aims to provok a fault on purpose, we should change init code section
> permission to RW at first.
> Function modify_xen_mappings is introduced to modify permission of the
> existing valid MPU memory region.
> 
> Then we nuke the instruction cache to remove entries related to init
> text.
> At last, we destroy these two MPU memory regions referring init text and
> init data using destroy_xen_mappings.
> 
> Signed-off-by: Penny Zheng <penny.zheng@arm.com>
> Signed-off-by: Wei Chen <wei.chen@arm.com>
> ---
>   xen/arch/arm/mm_mpu.c | 85 ++++++++++++++++++++++++++++++++++++++++++-
>   1 file changed, 83 insertions(+), 2 deletions(-)
> 
> diff --git a/xen/arch/arm/mm_mpu.c b/xen/arch/arm/mm_mpu.c
> index 0b720004ee..de0c7d919a 100644
> --- a/xen/arch/arm/mm_mpu.c
> +++ b/xen/arch/arm/mm_mpu.c
> @@ -20,6 +20,7 @@
>    */
>   
>   #include <xen/init.h>
> +#include <xen/kernel.h>
>   #include <xen/libfdt/libfdt.h>
>   #include <xen/mm.h>
>   #include <xen/page-size.h>
> @@ -77,6 +78,8 @@ static const unsigned int mpu_section_mattr[MSINFO_MAX] = {
>       REGION_HYPERVISOR_BOOT,
>   };
>   
> +extern char __init_data_begin[], __init_end[];

Now we have two places define __init_end as extern. Can this instead be 
defined in setup.h?

> +
>   /* Write a MPU protection region */
>   #define WRITE_PROTECTION_REGION(sel, pr, prbar_el2, prlar_el2) ({       \
>       uint64_t _sel = sel;                                                \
> @@ -443,8 +446,41 @@ static int xen_mpumap_update_entry(paddr_t base, paddr_t limit,
>       if ( rc == MPUMAP_REGION_OVERLAP )
>           return -EINVAL;
>   
> +    /* We are updating the permission. */
> +    if ( (flags & _REGION_PRESENT) && (rc == MPUMAP_REGION_FOUND ||
> +                                       rc == MPUMAP_REGION_INCLUSIVE) )
> +    {
> +
> +        /*
> +         * Currently, we only support modifying a *WHOLE* MPU memory region,
> +         * part-region modification is not supported, as in worst case, it will
> +         * lead to three fragments in result after modification.
> +         * part-region modification will be introduced only when actual usage
> +         * come
> +         */
> +        if ( rc == MPUMAP_REGION_INCLUSIVE )
> +        {
> +            region_printk("mpu: part-region modification is not supported\n");
> +            return -EINVAL;
> +        }
> +
> +        /* We don't allow changing memory attributes. */
> +        if (xen_mpumap[idx].prlar.reg.ai != REGION_AI_MASK(flags) )
> +        {
> +            region_printk("Modifying memory attributes is not allowed (0x%x -> 0x%x).\n",
> +                          xen_mpumap[idx].prlar.reg.ai, REGION_AI_MASK(flags));
> +            return -EINVAL;
> +        }
> +
> +        /* Set new permission */
> +        xen_mpumap[idx].prbar.reg.ap = REGION_AP_MASK(flags);
> +        xen_mpumap[idx].prbar.reg.xn = REGION_XN_MASK(flags);
> +
> +        access_protection_region(false, NULL, (const pr_t*)(&xen_mpumap[idx]),
> +                                 idx);
> +    }
>       /* We are inserting a mapping => Create new region. */
> -    if ( flags & _REGION_PRESENT )
> +    else if ( flags & _REGION_PRESENT )
>       {
>           if ( rc != MPUMAP_REGION_FAILED )
>               return -EINVAL;
> @@ -831,11 +867,56 @@ void mmu_init_secondary_cpu(void)
>   
>   int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int flags)
>   {
> -    return -ENOSYS;
> +    ASSERT(IS_ALIGNED(s, PAGE_SIZE));
> +    ASSERT(IS_ALIGNED(e, PAGE_SIZE));
> +    ASSERT(s <= e);
> +    return xen_mpumap_update(s, e, flags);
>   }
>   
>   void free_init_memory(void)
>   {
> +    /* Kernel init text section. */
> +    paddr_t init_text = virt_to_maddr(_sinittext);
> +    paddr_t init_text_end = round_pgup(virt_to_maddr(_einittext));
> +    /* Kernel init data. */
> +    paddr_t init_data = virt_to_maddr(__init_data_begin);
> +    paddr_t init_data_end = round_pgup(virt_to_maddr(__init_end));
> +    unsigned long init_section[4] = {(unsigned long)init_text,
> +                                     (unsigned long)init_text_end,
> +                                     (unsigned long)init_data,
> +                                     (unsigned long)init_data_end};
> +    unsigned int nr_init = 2;

At first, it wasn't  obvious what's the 2 meant here. It also seems you 
expect the number to be in-sync with the one above.

I don't think the genericity is necessary here. But if you want it, then 
it would be better to use an array of structure (begin/end) so you can 
use ARRAY_SIZE() afterwards and avoid magic like "i * 2".

> +    uint32_t insn = AARCH64_BREAK_FAULT;

AMD is also working on 32-bit ARMv8R support. When it is easy (like) 
here it would best to avoid making the assumption about 64-bit only.

That said, to me it feels like a big part of this code could be shared 
with the MMU version.

> +    unsigned int i = 0, j = 0;
> +
> +    /* Change kernel init text section to RW. */
> +    modify_xen_mappings((unsigned long)init_text,
> +                        (unsigned long)init_text_end, REGION_HYPERVISOR_RW);
> +
> +    /*
> +     * From now on, init will not be used for execution anymore,
> +     * so nuke the instruction cache to remove entries related to init.
> +     */
> +    invalidate_icache_local();
> +
> +    /* Destroy two MPU memory regions referring init text and init data. */
> +    for ( ; i < nr_init; i++ )
> +    {
> +        uint32_t *p;
> +        unsigned int nr;
> +        int rc;
> +
> +        i = 2 * i;

... avoid such magic.

> +        p = (uint32_t *)init_section[i];
> +        nr = (init_section[i + 1] - init_section[i]) / sizeof(uint32_t);
> +
> +        for ( ; j < nr ; j++ )
> +            *(p + j) = insn;
> +
> +        rc = destroy_xen_mappings(init_section[i], init_section[i + 1]);
> +        if ( rc < 0 )
> +            panic("Unable to remove the init section (rc = %d)\n", rc);
> +    }
>   }
>   
>   int xenmem_add_to_physmap_one(

Cheers,

diff --git a/xen/arch/arm/mm_mpu.c b/xen/arch/arm/mm_mpu.c
index 0b720004ee..de0c7d919a 100644
--- a/xen/arch/arm/mm_mpu.c
+++ b/xen/arch/arm/mm_mpu.c
@@ -20,6 +20,7 @@ 
  */
 
 #include <xen/init.h>
+#include <xen/kernel.h>
 #include <xen/libfdt/libfdt.h>
 #include <xen/mm.h>
 #include <xen/page-size.h>
@@ -77,6 +78,8 @@  static const unsigned int mpu_section_mattr[MSINFO_MAX] = {
     REGION_HYPERVISOR_BOOT,
 };
 
+extern char __init_data_begin[], __init_end[];
+
 /* Write a MPU protection region */
 #define WRITE_PROTECTION_REGION(sel, pr, prbar_el2, prlar_el2) ({       \
     uint64_t _sel = sel;                                                \
@@ -443,8 +446,41 @@  static int xen_mpumap_update_entry(paddr_t base, paddr_t limit,
     if ( rc == MPUMAP_REGION_OVERLAP )
         return -EINVAL;
 
+    /* We are updating the permission. */
+    if ( (flags & _REGION_PRESENT) && (rc == MPUMAP_REGION_FOUND ||
+                                       rc == MPUMAP_REGION_INCLUSIVE) )
+    {
+
+        /*
+         * Currently, we only support modifying a *WHOLE* MPU memory region,
+         * part-region modification is not supported, as in worst case, it will
+         * lead to three fragments in result after modification.
+         * part-region modification will be introduced only when actual usage
+         * come
+         */
+        if ( rc == MPUMAP_REGION_INCLUSIVE )
+        {
+            region_printk("mpu: part-region modification is not supported\n");
+            return -EINVAL;
+        }
+
+        /* We don't allow changing memory attributes. */
+        if (xen_mpumap[idx].prlar.reg.ai != REGION_AI_MASK(flags) )
+        {
+            region_printk("Modifying memory attributes is not allowed (0x%x -> 0x%x).\n",
+                          xen_mpumap[idx].prlar.reg.ai, REGION_AI_MASK(flags));
+            return -EINVAL;
+        }
+
+        /* Set new permission */
+        xen_mpumap[idx].prbar.reg.ap = REGION_AP_MASK(flags);
+        xen_mpumap[idx].prbar.reg.xn = REGION_XN_MASK(flags);
+
+        access_protection_region(false, NULL, (const pr_t*)(&xen_mpumap[idx]),
+                                 idx);
+    }
     /* We are inserting a mapping => Create new region. */
-    if ( flags & _REGION_PRESENT )
+    else if ( flags & _REGION_PRESENT )
     {
         if ( rc != MPUMAP_REGION_FAILED )
             return -EINVAL;
@@ -831,11 +867,56 @@  void mmu_init_secondary_cpu(void)
 
 int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int flags)
 {
-    return -ENOSYS;
+    ASSERT(IS_ALIGNED(s, PAGE_SIZE));
+    ASSERT(IS_ALIGNED(e, PAGE_SIZE));
+    ASSERT(s <= e);
+    return xen_mpumap_update(s, e, flags);
 }
 
 void free_init_memory(void)
 {
+    /* Kernel init text section. */
+    paddr_t init_text = virt_to_maddr(_sinittext);
+    paddr_t init_text_end = round_pgup(virt_to_maddr(_einittext));
+    /* Kernel init data. */
+    paddr_t init_data = virt_to_maddr(__init_data_begin);
+    paddr_t init_data_end = round_pgup(virt_to_maddr(__init_end));
+    unsigned long init_section[4] = {(unsigned long)init_text,
+                                     (unsigned long)init_text_end,
+                                     (unsigned long)init_data,
+                                     (unsigned long)init_data_end};
+    unsigned int nr_init = 2;
+    uint32_t insn = AARCH64_BREAK_FAULT;
+    unsigned int i = 0, j = 0;
+
+    /* Change kernel init text section to RW. */
+    modify_xen_mappings((unsigned long)init_text,
+                        (unsigned long)init_text_end, REGION_HYPERVISOR_RW);
+
+    /*
+     * From now on, init will not be used for execution anymore,
+     * so nuke the instruction cache to remove entries related to init.
+     */
+    invalidate_icache_local();
+
+    /* Destroy two MPU memory regions referring init text and init data. */
+    for ( ; i < nr_init; i++ )
+    {
+        uint32_t *p;
+        unsigned int nr;
+        int rc;
+
+        i = 2 * i;
+        p = (uint32_t *)init_section[i];
+        nr = (init_section[i + 1] - init_section[i]) / sizeof(uint32_t);
+
+        for ( ; j < nr ; j++ )
+            *(p + j) = insn;
+
+        rc = destroy_xen_mappings(init_section[i], init_section[i + 1]);
+        if ( rc < 0 )
+            panic("Unable to remove the init section (rc = %d)\n", rc);
+    }
 }
 
 int xenmem_add_to_physmap_one(

[v2,34/40] xen/mpu: free init memory in MPU system

Commit Message

Comments

Patch