From patchwork Tue Aug 1 20:20:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337219 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7C308C04A6A for ; Tue, 1 Aug 2023 20:20:49 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574496.899816 (Exim 4.92) (envelope-from ) id 1qQvr6-00088b-My; Tue, 01 Aug 2023 20:20:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574496.899816; Tue, 01 Aug 2023 20:20:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvr6-00088U-K0; Tue, 01 Aug 2023 20:20:32 +0000 Received: by outflank-mailman (input) for mailman id 574496; Tue, 01 Aug 2023 20:20:31 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvr5-0007tB-6f for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:20:31 +0000 Received: from sender4-of-o50.zoho.com (sender4-of-o50.zoho.com [136.143.188.50]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id db082af5-30a8-11ee-8613-37d641c3527e; Tue, 01 Aug 2023 22:20:29 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1690921219023154.7244666059837; Tue, 1 Aug 2023 13:20:19 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: db082af5-30a8-11ee-8613-37d641c3527e ARC-Seal: i=1; a=rsa-sha256; t=1690921221; cv=none; d=zohomail.com; s=zohoarc; b=lNiYjknsKhksJuvxpu+1YL5h1k8mUf7MfDMTehx9xU9qY5ePFGqwxPnrerUsLBUENjnbLVykTx6E+3375JIzcLHVjrH1owt/cSAJx4+MsyWXAOYsyQ8QyOhYARJSdBcWS7hfpcs2IHDbWgZ0pPzTKoy12sj88af3NZYp1j/eQc8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921221; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=QxHgg6odiTfgWhhWOuj3R7wSlDiixIdY8mSDQ2Z3eHA=; b=QxaM6Mozt3aw6tfNbgM0mdmi6SZMN2qq8JWlFgWqRoVslhpfCKnpUG/ju1IJ8IHddkjWz3pKHO9jlZ6yqU6s/BvvLgeOITobNtuGmvPmm+JYx7JaL4W1axtMW4kQXTeMnhZ6yUSd74Cmq86A25KWy88w6SpnkfXs7KLG9/tpICQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921221; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=QxHgg6odiTfgWhhWOuj3R7wSlDiixIdY8mSDQ2Z3eHA=; b=JENP3hnykOC520uj6z57yLCmOzl6QU/5aI46l4vND4WKa2l/AGeUazOqIK8Vtu6y MapOgQvnxH7eaGAvDTmUhJDP+KGAsizdabjmyucONUw15X0hwzYwxdOfkJHLBZsU9aj hpPLkJScrv/frwb24yryVd6pgxcf0S297t3YL7CE= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, xen-devel@dornerworks.com Cc: "Daniel P. Smith" , Andrew Cooper , George Dunlap , Jan Beulich , Julien Grall , Stefano Stabellini , Wei Liu , Nathan Studer , Stewart Hildebrand , Dario Faggioli Subject: [RFC 1/6] dom0: replace explict zero checks Date: Tue, 1 Aug 2023 16:20:01 -0400 Message-Id: <20230801202006.20322-2-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External A legacy concept is that the initial domain will have a domain id of zero. As a result there are places where a check that a domain is the inital domain is determined by an explicit check that the domid is zero. This commit seeks to abstract this check into a function call and replace all check locations with the function call. Signed-off-by: Daniel P. Smith --- xen/common/domain.c | 4 ++-- xen/common/sched/arinc653.c | 2 +- xen/common/sched/core.c | 4 ++-- xen/include/xen/sched.h | 7 +++++++ 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 304aa04fa6..8fb3c052f5 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -309,7 +309,7 @@ static int late_hwdom_init(struct domain *d) struct domain *dom0; int rv; - if ( d != hardware_domain || d->domain_id == 0 ) + if ( d != hardware_domain || is_initial_domain(d) ) return 0; rv = xsm_init_hardware_domain(XSM_HOOK, d); @@ -612,7 +612,7 @@ struct domain *domain_create(domid_t domid, d->is_privileged = flags & CDF_privileged; /* Sort out our idea of is_hardware_domain(). */ - if ( domid == 0 || domid == hardware_domid ) + if ( is_initial_domain(d) || domid == hardware_domid ) { if ( hardware_domid < 0 || hardware_domid >= DOMID_FIRST_RESERVED ) panic("The value of hardware_dom must be a valid domain ID\n"); diff --git a/xen/common/sched/arinc653.c b/xen/common/sched/arinc653.c index a82c0d7314..31e8270af3 100644 --- a/xen/common/sched/arinc653.c +++ b/xen/common/sched/arinc653.c @@ -404,7 +404,7 @@ a653sched_alloc_udata(const struct scheduler *ops, struct sched_unit *unit, * Add every one of dom0's units to the schedule, as long as there are * slots available. */ - if ( unit->domain->domain_id == 0 ) + if ( is_initial_domain(unit->domain) ) { entry = sched_priv->num_schedule_entries; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 022f548652..210ad30f94 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -585,7 +585,7 @@ int sched_init_vcpu(struct vcpu *v) */ sched_set_affinity(unit, cpumask_of(0), cpumask_of(0)); } - else if ( d->domain_id == 0 && opt_dom0_vcpus_pin ) + else if ( is_initial_domain(d) && opt_dom0_vcpus_pin ) { /* * If dom0_vcpus_pin is specified, dom0 vCPUs are pinned 1:1 to @@ -594,7 +594,7 @@ int sched_init_vcpu(struct vcpu *v) sched_set_affinity(unit, cpumask_of(processor), &cpumask_all); } #ifdef CONFIG_X86 - else if ( d->domain_id == 0 ) + else if ( is_initial_domain(d) ) { /* * In absence of dom0_vcpus_pin instead, the hard and soft affinity of diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 854f3e32c0..a9276a7bed 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -1058,6 +1058,13 @@ void scheduler_disable(void); void watchdog_domain_init(struct domain *d); void watchdog_domain_destroy(struct domain *d); +static always_inline bool is_initial_domain(const struct domain *d) +{ + static int init_domain_id = 0; + + return d->domain_id == init_domain_id; +} + /* * Use this check when the following are both true: * - Using this feature or interface requires full access to the hardware From patchwork Tue Aug 1 20:20:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337221 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 44FAFC04A6A for ; Tue, 1 Aug 2023 20:20:58 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574497.899826 (Exim 4.92) (envelope-from ) id 1qQvrL-00007Z-W0; Tue, 01 Aug 2023 20:20:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574497.899826; Tue, 01 Aug 2023 20:20:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrL-00007P-St; Tue, 01 Aug 2023 20:20:47 +0000 Received: by outflank-mailman (input) for mailman id 574497; Tue, 01 Aug 2023 20:20:46 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrK-0007tB-NS for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:20:46 +0000 Received: from sender4-of-o50.zoho.com (sender4-of-o50.zoho.com [136.143.188.50]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id e42cb24b-30a8-11ee-8613-37d641c3527e; Tue, 01 Aug 2023 22:20:44 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1690921220423235.25435125968477; Tue, 1 Aug 2023 13:20:20 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: e42cb24b-30a8-11ee-8613-37d641c3527e ARC-Seal: i=1; a=rsa-sha256; t=1690921222; cv=none; d=zohomail.com; s=zohoarc; b=DCsyMRf8xAaiW6V1MikN6A+7KB+qawGSQaoE+fU00o0RtbQCtfU4We3Qv4qG5GmZF57GQJbbB7Bl8ecL62/ZddTQxc0eLGPJfii7l+TG+WwQ76H9Qfxn1qZ2GNbZKXCURhg40/bf6gUloroHct+k1G9hIF1dsHzfW2OD5pb9pqM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921222; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=deDaH1mtD3wmtBLBicRQEslJzzR5NTIhnW//O7OUueo=; b=adqNUS2vwkEOP74LrJxnjLB3DpNLDejgALxzqz1qHmAPf/TPzdSdRnOT9UtoXLhhOwJc/xbXtDj7hClTyKSS8GYl0hZ+eUShT5EbYzV0GSKQT6XVNI0dSiuX0R5cNOh4C1CqCEtcNKyaIqYcKmTtJzku2ibzwsuB5MaHxRdIQjE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921222; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=deDaH1mtD3wmtBLBicRQEslJzzR5NTIhnW//O7OUueo=; b=Nq/4qPInj010nlvQY8Aj5jx/3/svbtKYrChM01e+EM79DiY7ZY4YWw7EznUDp+Da G5DETugcWT93dlg6z9pbgUdppwpBS0v/sRj9eMBw1oS321J39Bb9zFnuHU4AUlMQVOe SIEZN4U1zv5X5EKi85IC9W7t3DLeguLr5isP2feg= From: "Daniel P. Smith" To: Volodymyr Babchuk , Wei Liu , xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" , Stefano Stabellini , Julien Grall , Bertrand Marquis , Andrew Cooper , George Dunlap , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= Subject: [RFC 2/6] roles: provide abstraction for the possible domain roles Date: Tue, 1 Aug 2023 16:20:02 -0400 Message-Id: <20230801202006.20322-3-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External The existing concepts such as unbounded domain, ie. all powerful, control domain and hardware domain are, effectively, roles the domains provide for the system. Currently, these are represented with booleans within `struct domain` or global domid variables that are compared against. This patch begins to formalize these roles by replacing the `is_control` and `is_console`, along with expanding the check against the global `hardware_domain` with a single encapsulating role attribute in `struct domain`. Signed-off-by: Daniel P. Smith --- xen/arch/arm/domain_build.c | 2 ++ xen/arch/x86/setup.c | 2 ++ xen/common/domain.c | 14 +++++++++++++- xen/include/xen/sched.h | 16 +++++++++------- xen/include/xsm/dummy.h | 4 ++-- xen/xsm/flask/hooks.c | 12 ++++++------ 6 files changed, 34 insertions(+), 16 deletions(-) diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index 39b4ee03a5..51b4daefe1 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -4201,6 +4201,8 @@ void __init create_dom0(void) if ( IS_ERR(dom0) ) panic("Error creating domain 0 (rc = %ld)\n", PTR_ERR(dom0)); + dom0->role |= ROLE_UNBOUNDED_DOMAIN; + if ( alloc_dom0_vcpu0(dom0) == NULL ) panic("Error creating domain 0 vcpu0\n"); diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2dbe9857aa..4e20edc3bf 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -905,6 +905,8 @@ static struct domain *__init create_dom0(const module_t *image, if ( IS_ERR(d) ) panic("Error creating d%u: %ld\n", domid, PTR_ERR(d)); + d->role |= ROLE_UNBOUNDED_DOMAIN; + init_dom0_cpuid_policy(d); if ( alloc_dom0_vcpu0(d) == NULL ) diff --git a/xen/common/domain.c b/xen/common/domain.c index 8fb3c052f5..0ff1d52e3d 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -340,6 +340,14 @@ static int late_hwdom_init(struct domain *d) setup_io_bitmap(dom0); #endif + /* + * "dom0" may have been created under the unbounded role, demote it from + * that role, reducing it to the control domain role and any other roles it + * may have been given. + */ + dom0->role &= ~(ROLE_UNBOUNDED_DOMAIN & ROLE_HARDWARE_DOMAIN); + dom0->role |= ROLE_CONTROL_DOMAIN; + rcu_unlock_domain(dom0); iommu_hwdom_init(d); @@ -609,7 +617,10 @@ struct domain *domain_create(domid_t domid, } /* Sort out our idea of is_control_domain(). */ - d->is_privileged = flags & CDF_privileged; + if ( flags & CDF_privileged ) + d->role |= ROLE_CONTROL_DOMAIN; + else + d->role &= ~ROLE_CONTROL_DOMAIN; /*ensure not set */ /* Sort out our idea of is_hardware_domain(). */ if ( is_initial_domain(d) || domid == hardware_domid ) @@ -619,6 +630,7 @@ struct domain *domain_create(domid_t domid, old_hwdom = hardware_domain; hardware_domain = d; + d->role |= ROLE_HARDWARE_DOMAIN; } TRACE_1D(TRC_DOM0_DOM_ADD, d->domain_id); diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index a9276a7bed..695f240326 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -467,8 +467,10 @@ struct domain #endif /* is node-affinity automatically computed? */ bool auto_node_affinity; - /* Is this guest fully privileged (aka dom0)? */ - bool is_privileged; +#define ROLE_UNBOUNDED_DOMAIN (1U<<0) +#define ROLE_CONTROL_DOMAIN (1U<<1) +#define ROLE_HARDWARE_DOMAIN (1U<<2) + uint8_t role; /* Can this guest access the Xen console? */ bool is_console; /* Is this guest being debugged by dom0? */ @@ -1060,9 +1062,7 @@ void watchdog_domain_destroy(struct domain *d); static always_inline bool is_initial_domain(const struct domain *d) { - static int init_domain_id = 0; - - return d->domain_id == init_domain_id; + return d->role & ROLE_UNBOUNDED_DOMAIN; } /* @@ -1076,7 +1076,8 @@ static always_inline bool is_hardware_domain(const struct domain *d) if ( IS_ENABLED(CONFIG_PV_SHIM_EXCLUSIVE) ) return false; - return evaluate_nospec(d == hardware_domain); + return evaluate_nospec(((d->role & ROLE_HARDWARE_DOMAIN) || + is_initial_domain(d)) && (d == hardware_domain)); } /* This check is for functionality specific to a control domain */ @@ -1085,7 +1086,8 @@ static always_inline bool is_control_domain(const struct domain *d) if ( IS_ENABLED(CONFIG_PV_SHIM_EXCLUSIVE) ) return false; - return evaluate_nospec(d->is_privileged); + return evaluate_nospec((d->role & ROLE_CONTROL_DOMAIN) || + is_initial_domain(d)); } #define VM_ASSIST(d, t) (test_bit(VMASST_TYPE_ ## t, &(d)->vm_assist)) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8671af1ba4..18f1ddd127 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -108,7 +108,7 @@ static XSM_INLINE int cf_check xsm_set_system_active(void) { struct domain *d = current->domain; - ASSERT(d->is_privileged); + ASSERT(d->role & ROLE_CONTROL_DOMAIN); if ( d->domain_id != DOMID_IDLE ) { @@ -116,7 +116,7 @@ static XSM_INLINE int cf_check xsm_set_system_active(void) return -EPERM; } - d->is_privileged = false; + d->role &= ~ROLE_CONTROL_DOMAIN; return 0; } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 78225f68c1..0a31719f43 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -193,7 +193,7 @@ static int cf_check flask_domain_alloc_security(struct domain *d) default: if ( domain_sid(current->domain) == SECINITSID_XENBOOT ) { - if ( d->is_privileged ) + if ( d->role & ROLE_CONTROL_DOMAIN ) dsec->sid = SECINITSID_DOM0; else if ( pv_shim ) dsec->sid = SECINITSID_DOMU; @@ -213,7 +213,7 @@ static int cf_check flask_set_system_active(void) dsec = d->ssid; - ASSERT(d->is_privileged); + ASSERT(d->role & ROLE_CONTROL_DOMAIN); ASSERT(dsec->sid == SECINITSID_XENBOOT); ASSERT(dsec->self_sid == SECINITSID_XENBOOT); @@ -224,11 +224,11 @@ static int cf_check flask_set_system_active(void) } /* - * While is_privileged has no significant meaning under flask, set to false - * as is_privileged is not only used for a privilege check but also as a - * type of domain check, specifically if the domain is the control domain. + * While domain roles have no significant meaning under flask, mask out + * control domain role as it is not only used for a privilege check but + * also as a type of domain check. */ - d->is_privileged = false; + d->role &= ~ROLE_CONTROL_DOMAIN; dsec->self_sid = dsec->sid = SECINITSID_XEN; From patchwork Tue Aug 1 20:20:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337222 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B9658C04A6A for ; Tue, 1 Aug 2023 20:21:11 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574500.899836 (Exim 4.92) (envelope-from ) id 1qQvra-0000el-AG; Tue, 01 Aug 2023 20:21:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574500.899836; Tue, 01 Aug 2023 20:21:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvra-0000ee-7l; Tue, 01 Aug 2023 20:21:02 +0000 Received: by outflank-mailman (input) for mailman id 574500; Tue, 01 Aug 2023 20:21:00 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrY-0000Vh-UH for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:21:00 +0000 Received: from sender3-of-o59.zoho.com (sender3-of-o59.zoho.com [136.143.184.59]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id ed01d9c5-30a8-11ee-b25c-6b7b168915f2; Tue, 01 Aug 2023 22:21:00 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1690921221539148.37958387649314; Tue, 1 Aug 2023 13:20:21 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: ed01d9c5-30a8-11ee-b25c-6b7b168915f2 ARC-Seal: i=1; a=rsa-sha256; t=1690921223; cv=none; d=zohomail.com; s=zohoarc; b=kjFnFBapoQ7lQPlaLmhBGvI7h1nmY845AgXgJ0HUtbJqdU5LFjp4IS1FXBnKy7xkeKljZeRqAjxiXA5syLROHfw3HyA9jjsdv70zwIGlSF7oFV9Mk1wloUHUzpiMgQG+rLdNp7iyaNegw5MhvpDZ6Qb8B5GylqTCGPxWwhU7P04= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921223; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=c36aqSstXSR6pA2kH24inhu4JODBmXhwXRJ9bra9rs8=; b=c9QZqfFpDJ1w86/B7pmdMPyXkRhywCD71Kv1KwC6Kp6mex/HXD7uxLoxYbUpq50xNhj6ARDZHQbuj3ueb/Ls9UdZd7q2Vg6NmYlh6daU2wgug+3ULYvb3ZCZWllp8vdoE3umD0M6unNdqko8YH3y+gonbTmOOKVwTMPqMbVzyM4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921223; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=c36aqSstXSR6pA2kH24inhu4JODBmXhwXRJ9bra9rs8=; b=btgPcKIbUkSCLwMaCRscbjh82/cPU6TGLwPP0U3S/ywG+tUxcBk5jNvSLzy4/hZc xDBuVQuZrMeyJSFNsNe7P0xIGLMxLW1bax6KROOPs58YV0AADiOcQNToX+WyuqtVaQF Qms39sOusy73/lmd4LFVl0dafI4DtzhOXSaca6JQ= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" , Andrew Cooper , George Dunlap , Jan Beulich , Julien Grall , Stefano Stabellini , Wei Liu Subject: [RFC 3/6] roles: add a role for xenstore domain Date: Tue, 1 Aug 2023 16:20:03 -0400 Message-Id: <20230801202006.20322-4-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External Expand the possible roles for a domain to include a role for the Xenstore domain. Signed-off-by: Daniel P. Smith Reviewed-by: Stefano Stabellini --- xen/common/domain.c | 3 +++ xen/include/xen/sched.h | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 0ff1d52e3d..dbf055c559 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -633,6 +633,9 @@ struct domain *domain_create(domid_t domid, d->role |= ROLE_HARDWARE_DOMAIN; } + if ( d->options & XEN_DOMCTL_CDF_xs_domain ) + d->role |= ROLE_XENSTORE_DOMAIN; + TRACE_1D(TRC_DOM0_DOM_ADD, d->domain_id); lock_profile_register_struct(LOCKPROF_TYPE_PERDOM, d, domid); diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 695f240326..ec0f9baff6 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -470,6 +470,7 @@ struct domain #define ROLE_UNBOUNDED_DOMAIN (1U<<0) #define ROLE_CONTROL_DOMAIN (1U<<1) #define ROLE_HARDWARE_DOMAIN (1U<<2) +#define ROLE_XENSTORE_DOMAIN (1U<<3) uint8_t role; /* Can this guest access the Xen console? */ bool is_console; @@ -1165,7 +1166,7 @@ static inline bool is_vcpu_online(const struct vcpu *v) static inline bool is_xenstore_domain(const struct domain *d) { - return d->options & XEN_DOMCTL_CDF_xs_domain; + return d->role & ROLE_XENSTORE_DOMAIN; } static always_inline bool is_iommu_enabled(const struct domain *d) From patchwork Tue Aug 1 20:20:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337223 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 11137C04A6A for ; Tue, 1 Aug 2023 20:21:21 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574503.899845 (Exim 4.92) (envelope-from ) id 1qQvrl-0001Eg-IA; Tue, 01 Aug 2023 20:21:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574503.899845; Tue, 01 Aug 2023 20:21:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrl-0001EZ-F4; Tue, 01 Aug 2023 20:21:13 +0000 Received: by outflank-mailman (input) for mailman id 574503; Tue, 01 Aug 2023 20:21:12 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrk-0000Vh-73 for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:21:12 +0000 Received: from sender3-of-o57.zoho.com (sender3-of-o57.zoho.com [136.143.184.57]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id f3c81379-30a8-11ee-b25c-6b7b168915f2; Tue, 01 Aug 2023 22:21:11 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1690921222919263.86301750890664; Tue, 1 Aug 2023 13:20:22 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: f3c81379-30a8-11ee-b25c-6b7b168915f2 ARC-Seal: i=1; a=rsa-sha256; t=1690921225; cv=none; d=zohomail.com; s=zohoarc; b=LJWZTW9Bg+L3Q9L21qmOk/5B1b4zY0rfPZxLFiwzTbtB2gaThkYoDLs1Gw8mYQy6W2grTkYZvfTx8zecJeh0hlctmBdjVEmJ0XWJyXQ3Ew4it1mVuTqus6oF9tujOpH0JPW4j5UYXW6VFQhMYOcUPAxSz1jsUEG4dYo5V5PccC4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921225; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=kf2Rd6TYnxR8dfigS+pnLDBD8C8lGV2r426kdzFRdWo=; b=SHxaszVus3sPdBwiai8onFiR+mMahjhb+zsdUVdbFpevDmDlXQuShYnIDemHUX6lkVu0C+wYcHebM2YbDDoi2hjisRn2eB/s2lHKcaE82rcWwU/fVtLynCYk4uKnRPEWAr1Xj5U5mh4kake3JFFm8NGoScphuAQ2rlyXUDrWoIk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921225; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=kf2Rd6TYnxR8dfigS+pnLDBD8C8lGV2r426kdzFRdWo=; b=a8Qo8Oav2zQrW8HSf67m7NJOl5msUgbNz0s6kOusuLrAyDHJkLZB2NVXh5pr6cXf nCAA2mi2ldd85jpcM8Rxt9y0vtKP1g0PLhHP5QhORLyT/xq6KJxJPfeyWhAKrfo7cfi 4TOdW0fi7xdhVJKZx4NUs1n6DkdN0+upfuvu7GkU= From: "Daniel P. Smith" To: Volodymyr Babchuk , xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" , Stefano Stabellini , Julien Grall , Bertrand Marquis , Andrew Cooper , George Dunlap , Jan Beulich , Wei Liu Subject: [RFC 4/6] capabilities: introduce console io as a domain capability Date: Tue, 1 Aug 2023 16:20:04 -0400 Message-Id: <20230801202006.20322-5-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External The field `is_console` suggests that the field represents a state of being or posession, not that it reflects the privilege to access the console. In this patch the field is renamed to capabilities to encapsulate the capabilities a domain has been granted. The first capability being the ability to read/write the Xen console. Signed-off-by: Daniel P. Smith --- xen/arch/arm/domain_build.c | 4 +++- xen/include/xen/sched.h | 25 +++++++++++++++++++++++-- xen/include/xsm/dummy.h | 2 +- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index 51b4daefe1..ad7432b029 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -4076,7 +4076,9 @@ void __init create_domUs(void) panic("Error creating domain %s (rc = %ld)\n", dt_node_name(node), PTR_ERR(d)); - d->is_console = true; + if ( ! domain_set_cap(d, CAP_CONSOLE_IO) ) + printk("failed setting console_io on %pd\n", d); + dt_device_set_used_by(node, d->domain_id); rc = construct_domU(d, node); diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index ec0f9baff6..b04fbe0565 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -472,8 +472,8 @@ struct domain #define ROLE_HARDWARE_DOMAIN (1U<<2) #define ROLE_XENSTORE_DOMAIN (1U<<3) uint8_t role; - /* Can this guest access the Xen console? */ - bool is_console; +#define CAP_CONSOLE_IO (1U<<0) + uint8_t capabilities; /* Is this guest being debugged by dom0? */ bool debugger_attached; /* @@ -1146,6 +1146,27 @@ static always_inline bool is_hvm_vcpu(const struct vcpu *v) return is_hvm_domain(v->domain); } +static always_inline bool domain_has_cap( + const struct domain *d, uint8_t cap) +{ + return d->capabilities & cap; +} + +static always_inline bool domain_set_cap( + struct domain *d, uint8_t cap) +{ + switch ( cap ) + { + case CAP_CONSOLE_IO: + d->capabilities |= cap; + break; + default: + return false; + } + + return domain_has_cap(d, cap); +} + static always_inline bool hap_enabled(const struct domain *d) { /* sanitise_domain_config() rejects HAP && !HVM */ diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 18f1ddd127..067ff1d111 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -268,7 +268,7 @@ static XSM_INLINE int cf_check xsm_console_io( XSM_DEFAULT_ARG struct domain *d, int cmd) { XSM_ASSERT_ACTION(XSM_OTHER); - if ( d->is_console ) + if ( domain_has_cap(d, CAP_CONSOLE_IO) ) return xsm_default_action(XSM_HOOK, d, NULL); #ifdef CONFIG_VERBOSE_DEBUG if ( cmd == CONSOLEIO_write ) From patchwork Tue Aug 1 20:20:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337224 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 99F7DC00528 for ; Tue, 1 Aug 2023 20:21:34 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574505.899855 (Exim 4.92) (envelope-from ) id 1qQvry-0001rM-Oz; Tue, 01 Aug 2023 20:21:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574505.899855; Tue, 01 Aug 2023 20:21:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvry-0001rF-MO; Tue, 01 Aug 2023 20:21:26 +0000 Received: by outflank-mailman (input) for mailman id 574505; Tue, 01 Aug 2023 20:21:25 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvrx-0000Vh-8u for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:21:25 +0000 Received: from sender4-of-o50.zoho.com (sender4-of-o50.zoho.com [136.143.188.50]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id fbb9076f-30a8-11ee-b25c-6b7b168915f2; Tue, 01 Aug 2023 22:21:24 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1690921224303856.0970233237165; Tue, 1 Aug 2023 13:20:24 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: fbb9076f-30a8-11ee-b25c-6b7b168915f2 ARC-Seal: i=1; a=rsa-sha256; t=1690921226; cv=none; d=zohomail.com; s=zohoarc; b=g2IEczmY3ijXZ1YHho3IZfu6YTmF4eaEB/eX7H499qCJcVzbN3siHaE30Z50NywMmdX/UUQyM1pQ5ROIMmims1eH4GYG8VXFEO9w7f8zeCKV0lco35/iZ/zJVOi5VlhNlVOhrh1rib2T/ymt43cWzxAKPJ90RIO2/H3BilYHwN4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921226; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=7ND+sooMpw5YPJbP1s16uk5VZG1QVw0bGyicpPO6T2Q=; b=iDypGFFju+iorCRbCu1v6Vydraf2VoFooKlXDnMMoCxatBohmqq7MLXRYZ6EvtmVhIRCYTY0IcJB5IJDGRDlxn7kLmSvzMRBSzc+ny80UReQAQhMEadFq6EkpXbM3vmFzBt76dVh+RKHgwoft2HdbzBhIW79uR/xA9iFW29V51E= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921226; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=7ND+sooMpw5YPJbP1s16uk5VZG1QVw0bGyicpPO6T2Q=; b=oCTDWLjidEWDIMQf7q7AdaFYNGMNs8thaCk/9VpBUqfOOxXI0I0yoAZywHIrnxPJ /NSZn9/wo5V2ec8POU4XZMIsUtO7/uVT7+PXa+8UhtGVTcJzYgtjmXssgOfK9VEc+Hx Q/5HXKNq+cQNyRErpZBxGle0x/6EUtFtv67tOfdc= From: "Daniel P. Smith" To: Wei Liu , xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" , Jan Beulich , Andrew Cooper , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , George Dunlap , Julien Grall , Stefano Stabellini Subject: [RFC 5/6] capabilities: add dom0 cpu faulting disable Date: Tue, 1 Aug 2023 16:20:05 -0400 Message-Id: <20230801202006.20322-6-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External This encapsulates disableing cpu faulting for PV dom0 as a capability. Signed-off-by: Daniel P. Smith --- xen/arch/x86/cpu-policy.c | 2 +- xen/arch/x86/cpu/common.c | 82 +++++++++++++++++++-------------------- xen/arch/x86/setup.c | 4 ++ xen/include/xen/sched.h | 8 +++- 4 files changed, 52 insertions(+), 44 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 1f954d4e59..42c3193938 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -912,7 +912,7 @@ void __init init_dom0_cpuid_policy(struct domain *d) * If the domain is getting unfiltered CPUID, don't let the guest kernel * play with CPUID faulting either, as Xen's CPUID path won't cope. */ - if ( !opt_dom0_cpuid_faulting && is_control_domain(d) && is_pv_domain(d) ) + if ( domain_has_cap(d, CAP_DISABLE_CPU_FAULT) ) p->platform_info.cpuid_faulting = false; recalculate_cpuid_policy(d); diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index cfcdaace12..937581e353 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -164,48 +164,46 @@ static void set_cpuid_faulting(bool enable) void ctxt_switch_levelling(const struct vcpu *next) { - const struct domain *nextd = next ? next->domain : NULL; - bool enable_cpuid_faulting; - - if (cpu_has_cpuid_faulting || - boot_cpu_has(X86_FEATURE_CPUID_USER_DIS)) { - /* - * No need to alter the faulting setting if we are switching - * to idle; it won't affect any code running in idle context. - */ - if (nextd && is_idle_domain(nextd)) - return; - /* - * We *should* be enabling faulting for PV control domains. - * - * The domain builder has now been updated to not depend on - * seeing host CPUID values. This makes it compatible with - * PVH toolstack domains, and lets us enable faulting by - * default for all PV domains. - * - * However, as PV control domains have never had faulting - * enforced on them before, there might plausibly be other - * dependenices on host CPUID data. Therefore, we have left - * an interim escape hatch in the form of - * `dom0=no-cpuid-faulting` to restore the older behaviour. - */ - enable_cpuid_faulting = nextd && (opt_dom0_cpuid_faulting || - !is_control_domain(nextd) || - !is_pv_domain(nextd)) && - (is_pv_domain(nextd) || - next->arch.msrs-> - misc_features_enables.cpuid_faulting); - - if (cpu_has_cpuid_faulting) - set_cpuid_faulting(enable_cpuid_faulting); - else - amd_set_cpuid_user_dis(enable_cpuid_faulting); - - return; - } - - if (ctxt_switch_masking) - alternative_vcall(ctxt_switch_masking, next); + const struct domain *nextd = next ? next->domain : NULL; + bool enable_cpuid_faulting; + + if ( cpu_has_cpuid_faulting || + boot_cpu_has(X86_FEATURE_CPUID_USER_DIS) ) { + /* + * No need to alter the faulting setting if we are switching + * to idle; it won't affect any code running in idle context. + */ + if (nextd && is_idle_domain(nextd)) + return; + /* + * We *should* be enabling faulting for PV control domains. + * + * The domain builder has now been updated to not depend on + * seeing host CPUID values. This makes it compatible with + * PVH toolstack domains, and lets us enable faulting by + * default for all PV domains. + * + * However, as PV control domains have never had faulting + * enforced on them before, there might plausibly be other + * dependenices on host CPUID data. Therefore, we have left + * an interim escape hatch in the form of + * `dom0=no-cpuid-faulting` to restore the older behaviour. + */ + enable_cpuid_faulting = nextd && + domain_has_cap(nextd, CAP_DISABLE_CPU_FAULT) && + (is_pv_domain(nextd) || + next->arch.msrs->misc_features_enables.cpuid_faulting); + + if (cpu_has_cpuid_faulting) + set_cpuid_faulting(enable_cpuid_faulting); + else + amd_set_cpuid_user_dis(enable_cpuid_faulting); + + return; + } + + if (ctxt_switch_masking) + alternative_vcall(ctxt_switch_masking, next); } bool_t opt_cpu_info; diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 4e20edc3bf..d65144da01 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -907,6 +907,10 @@ static struct domain *__init create_dom0(const module_t *image, d->role |= ROLE_UNBOUNDED_DOMAIN; + if ( !opt_dom0_cpuid_faulting && + !domain_set_cap(d, CAP_DISABLE_CPU_FAULT) ) + printk(XENLOG_WARNING "failed to set CPU faulting on Dom %pd\n", d); + init_dom0_cpuid_policy(d); if ( alloc_dom0_vcpu0(d) == NULL ) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index b04fbe0565..ebfe65cd73 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -472,7 +472,8 @@ struct domain #define ROLE_HARDWARE_DOMAIN (1U<<2) #define ROLE_XENSTORE_DOMAIN (1U<<3) uint8_t role; -#define CAP_CONSOLE_IO (1U<<0) +#define CAP_CONSOLE_IO (1U<<0) +#define CAP_DISABLE_CPU_FAULT (1U<<1) uint8_t capabilities; /* Is this guest being debugged by dom0? */ bool debugger_attached; @@ -1160,6 +1161,11 @@ static always_inline bool domain_set_cap( case CAP_CONSOLE_IO: d->capabilities |= cap; break; + case CAP_DISABLE_CPU_FAULT: + /* Disabling cpu faulting is only allowed for a PV control domain. */ + if ( is_pv_domain(d) && is_control_domain(d) ) + d->capabilities |= cap; + break; default: return false; } From patchwork Tue Aug 1 20:20:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 13337225 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 491A8C04A6A for ; Tue, 1 Aug 2023 20:21:45 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.574506.899866 (Exim 4.92) (envelope-from ) id 1qQvs8-0002HV-1j; Tue, 01 Aug 2023 20:21:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 574506.899866; Tue, 01 Aug 2023 20:21:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvs7-0002HO-Ub; Tue, 01 Aug 2023 20:21:35 +0000 Received: by outflank-mailman (input) for mailman id 574506; Tue, 01 Aug 2023 20:21:34 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1qQvs6-0000Vh-NB for xen-devel@lists.xenproject.org; Tue, 01 Aug 2023 20:21:34 +0000 Received: from sender4-of-o50.zoho.com (sender4-of-o50.zoho.com [136.143.188.50]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 015545d7-30a9-11ee-b25c-6b7b168915f2; Tue, 01 Aug 2023 22:21:33 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 169092122567987.94507889080217; Tue, 1 Aug 2023 13:20:25 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 015545d7-30a9-11ee-b25c-6b7b168915f2 ARC-Seal: i=1; a=rsa-sha256; t=1690921227; cv=none; d=zohomail.com; s=zohoarc; b=eG/Jtj2jjhormLMJ8XaVecZkgDIqh8gVxgA4QY1AJ284PvyjA8JAMQ69PlgD5dj/o9HsZPzDydB1/djt8Thmj1SFXlXELhLph/E0r+BOpyOpze+/57pFXGJiTTCuJiSMro+AHiwzn8HiqoGm0mej89q49uEMansFfQ9fQbqinp8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1690921227; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=svZfhnzIdfl7IZVzuYzxJG9861EfU+6CgnykhTEOAGo=; b=gcq3ynDrvoMA+5ma7mE1tahSxRik03zdp5XIFeYhwZzhONbzcKcZrrHpTDpDTLdQUTLhEWHWSQNSyuIT6hBV8NSIr6hjnnfKnc1VLTpsYm9n7dop2JP9rxGvnT0MkXYHP+pFQrciwPLrXKsc2tsEM1ozQnTMqZvklB+yGqUtZxg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1690921227; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=svZfhnzIdfl7IZVzuYzxJG9861EfU+6CgnykhTEOAGo=; b=mSptNUuNqsChDAreussuY050V7fWTUHVOlYiNTMjMZt9oOuskamL7WrMR6aEMIG+ PLxoMKPl1sBCkvGqp4KDDSrCfqo39vlF7GSYF8CO+SuFfjIe+yVW3iTXp4vRApmrDve ZVg5vjrZFJ6bog455l770X5d1NuIuTfiohv1dQBg= From: "Daniel P. Smith" To: Wei Liu , xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" , Jan Beulich , Andrew Cooper , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , George Dunlap , Julien Grall , Stefano Stabellini , Jun Nakajima , Kevin Tian Subject: [RFC 6/6] capabilities: convert attach debugger into a capability Date: Tue, 1 Aug 2023 16:20:06 -0400 Message-Id: <20230801202006.20322-7-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20230801202006.20322-1-dpsmith@apertussolutions.com> References: <20230801202006.20322-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External Expresses the ability to attach a debugger as a capability that a domain can be provisioned. Signed-off-by: Daniel P. Smith --- xen/arch/x86/hvm/svm/svm.c | 8 ++++---- xen/arch/x86/hvm/vmx/realmode.c | 2 +- xen/arch/x86/hvm/vmx/vmcs.c | 2 +- xen/arch/x86/hvm/vmx/vmx.c | 10 +++++----- xen/arch/x86/traps.c | 6 ++++-- xen/common/domctl.c | 6 ++++-- xen/include/xen/sched.h | 9 ++++++--- 7 files changed, 25 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 27170213ae..9872804d39 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -999,7 +999,7 @@ static void noreturn cf_check svm_do_resume(void) { struct vcpu *v = current; struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; - bool debug_state = (v->domain->debugger_attached || + bool debug_state = (domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) || v->domain->arch.monitor.software_breakpoint_enabled || v->domain->arch.monitor.debug_exception_enabled); bool_t vcpu_guestmode = 0; @@ -1335,7 +1335,7 @@ static void cf_check svm_inject_event(const struct x86_event *event) } /* fall through */ case X86_EXC_BP: - if ( curr->domain->debugger_attached ) + if ( domain_has_cap(curr->domain, CAP_DEBUGGER_ATTACH) ) { /* Debug/Int3: Trap to debugger. */ domain_pause_for_debugger(); @@ -2732,7 +2732,7 @@ void svm_vmexit_handler(void) case VMEXIT_ICEBP: case VMEXIT_EXCEPTION_DB: - if ( !v->domain->debugger_attached ) + if ( !domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) { unsigned int trap_type; @@ -2769,7 +2769,7 @@ void svm_vmexit_handler(void) if ( insn_len == 0 ) break; - if ( v->domain->debugger_attached ) + if ( domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) { /* AMD Vol2, 15.11: INT3, INTO, BOUND intercepts do not update RIP. */ __update_guest_eip(regs, insn_len); diff --git a/xen/arch/x86/hvm/vmx/realmode.c b/xen/arch/x86/hvm/vmx/realmode.c index ff44ddcfa6..f761026a9d 100644 --- a/xen/arch/x86/hvm/vmx/realmode.c +++ b/xen/arch/x86/hvm/vmx/realmode.c @@ -121,7 +121,7 @@ void vmx_realmode_emulate_one(struct hvm_emulate_ctxt *hvmemul_ctxt) if ( rc == X86EMUL_EXCEPTION ) { - if ( unlikely(curr->domain->debugger_attached) && + if ( unlikely(domain_has_cap(curr->domain, CAP_DEBUGGER_ATTACH)) && ((hvmemul_ctxt->ctxt.event.vector == X86_EXC_DB) || (hvmemul_ctxt->ctxt.event.vector == X86_EXC_BP)) ) { diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 13719cc923..9474869018 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -1912,7 +1912,7 @@ void cf_check vmx_do_resume(void) hvm_asid_flush_vcpu(v); } - debug_state = v->domain->debugger_attached + debug_state = domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) || v->domain->arch.monitor.software_breakpoint_enabled || v->domain->arch.monitor.singlestep_enabled; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 7ec44018d4..5069e3cbf3 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2041,7 +2041,7 @@ static void cf_check vmx_inject_event(const struct x86_event *event) break; /* fall through */ case X86_EXC_BP: - if ( curr->domain->debugger_attached ) + if ( domain_has_cap(curr->domain, CAP_DEBUGGER_ATTACH) ) { /* Debug/Int3: Trap to debugger. */ domain_pause_for_debugger(); @@ -2121,7 +2121,7 @@ static void cf_check vmx_set_info_guest(struct vcpu *v) * immediately vmexit and hence make no progress. */ __vmread(GUEST_INTERRUPTIBILITY_INFO, &intr_shadow); - if ( v->domain->debugger_attached && + if ( domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) && (v->arch.user_regs.eflags & X86_EFLAGS_TF) && (intr_shadow & VMX_INTR_SHADOW_STI) ) { @@ -4283,7 +4283,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) } } - if ( !v->domain->debugger_attached ) + if ( !domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) { unsigned long insn_len = 0; int rc; @@ -4307,7 +4307,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) break; case X86_EXC_BP: HVMTRACE_1D(TRAP, vector); - if ( !v->domain->debugger_attached ) + if ( !domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) { unsigned long insn_len; int rc; @@ -4647,7 +4647,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) HVM_MONITOR_SINGLESTEP_BREAKPOINT, 0, 0, 0); - if ( v->domain->debugger_attached ) + if ( domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) domain_pause_for_debugger(); } diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 4229bda159..041ced35ea 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -1214,7 +1214,8 @@ void do_int3(struct cpu_user_regs *regs) return; } - if ( guest_kernel_mode(curr, regs) && curr->domain->debugger_attached ) + if ( guest_kernel_mode(curr, regs) && + domain_has_cap(curr->domain, CAP_DEBUGGER_ATTACH) ) { curr->arch.gdbsx_vcpu_event = X86_EXC_BP; domain_pause_for_debugger(); @@ -1995,7 +1996,8 @@ void do_debug(struct cpu_user_regs *regs) v->arch.dr6 |= (dr6 & ~X86_DR6_DEFAULT); v->arch.dr6 &= (dr6 | ~X86_DR6_DEFAULT); - if ( guest_kernel_mode(v, regs) && v->domain->debugger_attached ) + if ( guest_kernel_mode(v, regs) && + domain_has_cap(v->domain, CAP_DEBUGGER_ATTACH) ) { domain_pause_for_debugger(); return; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 505e29c0dc..895ddf0600 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -99,7 +99,8 @@ void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info) ((d->is_dying == DOMDYING_dead) ? XEN_DOMINF_dying : 0) | (d->is_shut_down ? XEN_DOMINF_shutdown : 0) | (d->controller_pause_count > 0 ? XEN_DOMINF_paused : 0) | - (d->debugger_attached ? XEN_DOMINF_debugged : 0) | + (domain_has_cap(d, CAP_DEBUGGER_ATTACH) ? + XEN_DOMINF_debugged : 0) | (is_xenstore_domain(d) ? XEN_DOMINF_xs_domain : 0) | (is_hvm_domain(d) ? XEN_DOMINF_hvm_guest : 0) | d->shutdown_code << XEN_DOMINF_shutdownshift; @@ -643,7 +644,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) else { domain_pause(d); - d->debugger_attached = !!op->u.setdebugging.enable; + if ( !!op->u.setdebugging.enable ) + domain_set_cap(d, CAP_DEBUGGER_ATTACH); domain_unpause(d); /* causes guest to latch new status */ } break; diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index ebfe65cd73..47eadb5008 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -474,9 +474,8 @@ struct domain uint8_t role; #define CAP_CONSOLE_IO (1U<<0) #define CAP_DISABLE_CPU_FAULT (1U<<1) - uint8_t capabilities; - /* Is this guest being debugged by dom0? */ - bool debugger_attached; +#define CAP_DEBUGGER_ATTACH (1U<<2) + uint16_t capabilities; /* * Set to true at the very end of domain creation, when the domain is * unpaused for the first time by the systemcontroller. @@ -1166,6 +1165,10 @@ static always_inline bool domain_set_cap( if ( is_pv_domain(d) && is_control_domain(d) ) d->capabilities |= cap; break; + case CAP_DEBUGGER_ATTACH: + if ( !is_control_domain(d) ) + d->capabilities |= cap; + break; default: return false; }