- 17 May, 2019 10 commits
-
-
Jan Beulich authored
This is intentionally not touching hooks used rarely (or not at all) during the lifetime of a VM, unless perhaps sitting on an error path next to a call which gets changed (in which case I think the error path better remains consistent with the respective main path). Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com>
-
Jan Beulich authored
This looks to be the only frequently executed hook; don't bother patching any other ones. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
For now only the ones used during entering/exiting of idle states are converted. Additionally pm_idle{,_save} and lapic_timer_{on,off} can't be converted, as they may get established rather late (when Dom0 is already active). Note that for patching to be deferred until after the pre-SMP initcalls (from where cpuidle_init_cpu() runs the first time) the pointers need to start out as NULL. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
For (I hope) obvious reasons only the ones used at runtime get converted. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
While not strictly necessary, change the VMX initialization logic to update the function table in start_vmx() from NULL rather than to NULL, to make more obvious that we won't ever change an already (explicitly) initialized function pointer. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
This is intentionally not touching hooks used rarely (or not at all) during the lifetime of a VM, like {domain,vcpu}_initialise or cpu_up, as well as nested, VM event, and altp2m ones (they can all be done later, if so desired). Virtual Interrupt delivery ones will be dealt with in a subsequent patch. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
In a number of cases the targets of indirect calls get determined once at boot time. In such cases we can replace those calls with direct ones via our alternative instruction patching mechanism. Some of the targets (in particular the hvm_funcs ones) get established only in pre-SMP initcalls, making necessary a second pass through the alternative patching code. Therefore some adjustments beyond the recognition of the new special pattern are necessary there. Note that patching such sites more than once is not supported (and the supplied macros also don't provide any means to do so). Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com>
-
Jan Beulich authored
While we don't mean to run their objtool over our generated code, it still seems desirable to avoid calls to further functions before a function's frame pointer is set up. Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com>
-
Jan Beulich authored
We don't need bigger alignment except when calling EFI boot or runtime services functions (and we don't guarantee that either, as explained close to the top of xen/common/efi/runtime.c in the struct efi_rs_state declaration). Hence if the compiler supports reducing stack alignment from the ABI compatible 16 bytes (gcc 7 and newer), do so wherever possible. The EFI case itself is largely dealt with already (actually forcing 32-byte alignment) as a result of commit f6b7fedc ("x86/EFI: meet further spec requirements for runtime calls"). However, as explained in the description of that earlier change, without using -mincoming-stack-boundary=3 (which we don't want) we still have to make the compiler assume 16-byte stack boundaries for CUs making EFI calls in order to keep the compiler from aligning the stack, but then placing an odd number of 8-byte objects on it, resulting in a mis-aligned outgoing stack. This as a side effect yields some code size reduction, since for a number of sufficiently simple non-leaf functions the stack adjustment (by 8, when there are no local stack variables at all) gets dropped altogether. I notice exceptions though, for example in guest_cpuid(), where in a release build gcc 8.2 now decides to set up a frame pointer (without ever using %rbp); I consider this a compiler quirk which we should leave to the compiler folks to address eventually. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com>
-
- 16 May, 2019 7 commits
-
-
Andrii Anisov authored
ARM's schedule_tail() is called from two places: context_switch() and continue_new_vcpu(). Both functions are always called with prev!=current. So replace the correspondent check in schedule_tail() with ASSERT() which is the development (debug) build guard. Signed-off-by: Andrii Anisov <andrii_anisov@epam.com> Reviewed-by: Dario Faggioli <dfaggioli@suse.com> Acked-by: Julien Grall <julien.grall@arm.com>
-
Oleksandr Tyshchenko authored
This patch makes possible to use existing early printk code for Renesas "Stout" board based on R-Car H2 SoC (SCIFA). The "EARLY_PRINTK_VERSION" for that board should be 'A': CONFIG_EARLY_PRINTK=scif,0xe6c40000,A Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com> Acked-by: Julien Grall <julien.grall@arm.com>
-
Oleksandr Tyshchenko authored
Extend early printk code to be able to handle other SCIF(X) compatible interfaces as well. These interfaces have a lot in common, but mostly differ in offsets and bits for some registers. Introduce "EARLY_PRINTK_VERSION" config option to choose which interface version should be used (to properly apply register offsets). Please note, nothing has been technically changed for Renesas "Lager" and other supported boards (SCIF). The "EARLY_PRINTK_VERSION" option for that board should be empty: CONFIG_EARLY_PRINTK=scif,0xe6e60000 Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com> Acked-by: Julien Grall <julien.grall@arm.com>
-
Jan Beulich authored
Log information likely relevant for understanding why the BUG()s were triggering. Requested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citirx.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
Jan Beulich authored
Their pre-AVX512 incarnations have clearly been overlooked during much earlier work. Their memory access pattern is entirely standard, so no specific tests get added to the harness. Reported-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Tested-by: Alexandru Isaila <aisaila@bitdefender.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Jan Beulich authored
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
Wei Liu authored
A few lines were erroneously deleted during rebase which caused domain destruction to fail. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Tested-by: Juergen Gross <jgross@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
- 15 May, 2019 11 commits
-
-
Wei Liu authored
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
Wei Liu authored
Blktap2 is effectively dead for a few years. Notable changes in this patch:
0. Unhook blktap2 from build system
1. libxl no longer supports TAP disk backend, with appropriate assertions added and some code paths now return ERROR_FAIL
2. Tap is no longer a supported backend
3. Remove blktap2 entry from MAINTAINERS
A patch to remove blktap2 directory will come later. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
Wei Liu authored
The same sentence is repeated in the next paragraph. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com>
-
Wei Liu authored
Provide information on what is expected from the build system regarding python. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
-
Wei Liu authored
The directory is created by Visual Studio Code editor to store its local state. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com>
-
Wei Liu authored
We will soon provide this new capability to humans and automated systems. The default behaviour is retained: tip and base are passed by Gitlab CI. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Doug Goldstein <cardoe@cardoe.com>
-
Roger Pau Monne authored
So a user can decide whether to compile a PV shim as part of the tools build. Note that the default behavior is preserved, which is to build a PV shim when the target or host (if target is unset) architecture is 64bit x86. Requested-by: Olaf Hering <olaf@aepfle.de> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> [ wei: run autogen.s ] Signed-off-by: Wei Liu <wei.liu2@citrix.com>
-
Eslam Elnikety authored
Each HVM guest currently gets a vkbd frontend/backend pair (c/s ebbd2561). This consumes host resources unnecessarily for guests that have no use for vkbd. Make this behaviour tunable to allow an administrator to choose. The commit retains the current behaviour -- HVM guests still get vkbd unless specified otherwise. Signed-off-by: Eslam Elnikety <elnikety@amazon.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
-
Olaf Hering authored
If a domU has a qemu-xen instance attached, it is required to call qemu's "xen-save-devices-state" method. Without it, the receiving side of a PV or PVH migration may be unable to lock the image: xen be: qdisk-51712: xen be: qdisk-51712: error: Failed to get "write" lock error: Failed to get "write" lock xen be: qdisk-51712: xen be: qdisk-51712: initialise() failed initialise() failed To fix this bug, libxl__domain_suspend_device_model() and libxl__domain_resume_device_model() have to be called not only for HVM, but also if the active device_model is QEMU_XEN. Unfortunately, libxl__domain_build_info_setdefault() used to hardcode b_info->device_model_version to QEMU_XEN if it does not know it any better. As a result libxl__device_model_version_running() will return incorrect values. This breaks domUs without a device_model. libxl__qmp_stop() would wait 10 seconds in qmp_open() for a qemu that will never appear. During this long timeframe the domU remains in state paused on the sending side. As a result network connections may be dropped. Once this bug is fixed as well, by just removing the assumption that every domU has a QEMU_XEN, there is no code to actually initialise b_info->device_model_version. There is a helper function libxl__need_xenpv_qemu(), which is used in various places to decide if a device_model has to be spawned. This function can not be used as is, just to fill device_model_version, because store_libxl_entry() was already called earlier. Introduce LIBXL_DEVICE_MODEL_VERSION_NONE for PV and PVH that have no need for a device_model to make the state explicit. Indicate this new state via LIBXL_HAVE macro in libxl.h. Signed-off-by: Olaf Hering <olaf@aepfle.de> Cc: Roger Pau Monné <roger.pau@citrix.com> Cc: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
-
Olaf Hering authored
An upcoming change will set the value of device_model_version properly also for the non-HVM case. Move existing code to new function libxl__domain_set_device_model. Move also initialization for device_model_stubdomain to that function. Make sure libxl__domain_build_info_setdefault is called with device_model_version set. Update libxl__spawn_stub_dm() and initiate_domain_create() to call the new function prior libxl__domain_build_info_setdefault() because device_mode_version is expected to be initialized. libxl_domain_need_memory() needs no update because it does not have a d_config available anyway, and the callers provide a populated b_info. The upcoming change needs a full libxl_domain_config, and the existing libxl__domain_build_info_setdefault has just a libxl_domain_build_info to work with. Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com>
-
Razvan Cojocaru authored
All its callers live inside #ifdef CONFIG_HVM sections. Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com>
-
- 14 May, 2019 8 commits
-
-
Andrew Cooper authored
The Microarchitectural Data Sampling vulnerability is split into categories with subtly different properties:
MLPDS - Microarchitectural Load Port Data Sampling
MSBDS - Microarchitectural Store Buffer Data Sampling
MFBDS - Microarchitectural Fill Buffer Data Sampling
MDSUM - Microarchitectural Data Sampling Uncacheable Memory
MDSUM is a special case of the other three, and isn't distinguished further. These issues pertain to three microarchitectural buffers. The Load Ports, the Store Buffers and the Fill Buffers. Each of these structures are flushed by the new enhanced VERW functionality, but the conditions under which flushing is necessary vary. For this concise overview of the issues and default logic, the abbreviations SP (Store Port), FB (Fill Buffer), LP (Load Port) and HT (Hyperthreading) are used for brevity:
* Vulnerable hardware is divided into two categories - parts which suffer from SP only, and parts with any other combination of vulnerabilities.
* SP only has an HT interaction when the thread goes idle, due to the static partitioning of resources. LP and FB have HT interactions at all points, due to the competitive sharing of resources. All issues potentially leak data across the return-to-guest transition.
* The microcode which implements VERW flushing also extends MSR_FLUSH_CMD, so we don't need to do both on the HVM return-to-guest path. However, some parts are not vulnerable to L1TF (therefore have no MSR_FLUSH_CMD), but are vulnerable to MDS, so do require VERW on the HVM path.
Note that we deliberately support mds=1 even without MD_CLEAR in case the microcode has been updated but the feature bit not exposed. This is part of XSA-297, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
Andrew Cooper authored
Three synthetic features are introduced, as we need individual control of each, depending on circumstances. A later change will enable them at appropriate points. The verw_sel field doesn't strictly need to live in struct cpu_info. It lives there because there is a convenient hole it can fill, and it reduces the complexity of the SPEC_CTRL_EXIT_TO_{PV,HVM} assembly by avoiding the need for any temporary stack maintenance. This is part of XSA-297, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
Andrew Cooper authored
The MD_CLEAR feature can be automatically offered to guests. No infrastructure is needed in Xen to support the guest making use of it. This is part of XSA-297, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
Andrew Cooper authored
* Identify BTI in the spec_ctrl_{enter,exit}_idle() comments, as other mitigations will shortly appear.
* Use alternative_input() and cover the lack of memory clobber with a further barrier.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
Jan Beulich authored
Luckily the function currently has no callers - it would have called through NULL for both Arm and x86/AMD. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
-
Jan Beulich authored
The two callers in common/memory.c currently call set_gpfn_from_mfn() themselves, so moving the call into guest_physmap_add_page() helps tidy their code. The two callers in common/grant_table.c fail to make that call alongside the one to guest_physmap_add_page(), so will actually get fixed by the change. Other (x86) callers are HVM only and are hence unaffected by a change to the function's !paging_mode_translate() part. Sadly this isn't enough yet to drop Arm's dummy macro, as there's one more use in page_alloc.c. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Julien Grall <julien.grall@arm.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-
Jan Beulich authored
Lift its !paging_mode_translate() part into guest_physmap_add_page() (which is what common code calls), eliminating the dummy use of a (HVM-only really) P2M type in the PV case. Suggested-by: George Dunlap <George.Dunlap@eu.citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-
Jan Beulich authored
#define-ing them to zero allows better code generation in this case, and paves the way for more DCE, allowing to leave certain functions just declared, but not defined. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-
- 13 May, 2019 4 commits
-
-
Paul Durrant authored
An 'if ( !iommu_enabled )' followed by an 'if ( iommu_enabled )' with only a printk() in between seems a little silly. Move the printk() and use 'else' instead. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com>
-
Jan Beulich authored
The commit re-introducing it (14eb3b41 ["xen: reinstate previously unused XENMEM_remove_from_physmap hypercall"]) as well as the one having originally introduced it (d818f3cb ["hvm: Use main memory for video memory"]) and the one then purging it again (78c3097e ["Remove unused XENMEM_remove_from_physmap"]) make clear that this operation is intended for use on HVM (i.e. translated) guests only. Restrict it at least as much, because for PV guests documentation (in the public header) does not even match the implementation: It talks about GPFN as input, but get_page_from_gfn() assumes a GMFN in the non-translated case (and hands back the value passed in). Also lift the check in XENMEM_add_to_physmap{,_batch} handling up directly into top level hypercall handling, and clarify things in the public header accordingly. Take the liberty and also replace a pointless use of "current" with a more efficient use of an existing local variable (or function parameter to be precise). Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Julien Grall <julien.grall@arm.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-
Jan Beulich authored
While it already has a CONFIG_PV wrapped around its entire body, it is still uselessly invoking mfn_to_gmfn(), which is about to be replaced. Avoid morphing this code into even more suspicious shape and remove the effectively dead code - translated mode has been made impossible for PV quite some time ago. Adjust and extend the assertions at the same time: The original ASSERT(!shadow_mode_refcounts(owner)) really means ASSERT(!shadow_mode_enabled(owner) || !paging_mode_refcounts(owner)), which isn't what we want here. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-
Jan Beulich authored
Dynamically allocated CPU mask objects may be smaller than cpumask_t, so copying has to be restricted to the actual allocation size. This is particularly important since the function doesn't bail early when tracing is not active, so even production builds would be affected by potential misbehavior here. Take the opportunity and also
- use initializers instead of assignment + memset(),
- constify the cpumask_t input pointer,
- u32 -> uint32_t.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com>
-