From xen-changelog-bounces@lists.xenproject.org Tue Oct 03 11:33:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 03 Oct 2023 11:33:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.612194.952030 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qndeA-000438-Cg; Tue, 03 Oct 2023 11:33:02 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 612194.952030; Tue, 03 Oct 2023 11:33:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qndeA-000430-9x; Tue, 03 Oct 2023 11:33:02 +0000
Received: by outflank-mailman (input) for mailman id 612194;
 Tue, 03 Oct 2023 11:33:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qnde9-00042u-Ex
 for xen-changelog@lists.xenproject.org; Tue, 03 Oct 2023 11:33:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qnde9-000676-CP
 for xen-changelog@lists.xenproject.org; Tue, 03 Oct 2023 11:33:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qnde9-0003p4-9S
 for xen-changelog@lists.xenproject.org; Tue, 03 Oct 2023 11:33:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=j4CibxMEPsf/7YerCi2F914WILOy0lAwQx6VUyO70wo=; b=Vkdlk94VxlSI3sthEqf94VY/3k
	Ip4Cp48DvNiWaSIP1PQdBxatgWeIPWJoPjMgHAediLj/l6Csj6j3wuxS0pW4IEwlambVMApQiGw74
	FUq1weNfFhCd6h31YVjDWYa3/r22F2Hww5DW3otdArcuCw0ctssplXKSJpajYw3ggVw0=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] SUPPORT: downgrade Physical CPU Hotplug to Experimental
Message-Id: <E1qnde9-0003p4-9S@xenbits.xenproject.org>
Date: Tue, 03 Oct 2023 11:33:01 +0000

commit 3d2d9e90224c4f430a7ee1190fd3b871b99b0ba0
Author:     Stefano Stabellini <stefano.stabellini@amd.com>
AuthorDate: Wed Sep 27 16:20:04 2023 -0700
Commit:     Stefano Stabellini <stefano.stabellini@amd.com>
CommitDate: Mon Oct 2 15:48:14 2023 -0700

    SUPPORT: downgrade Physical CPU Hotplug to Experimental
    
    The feature is not commonly used, and we don't have hardware to test it,
    not in OSSTest, not in Gitlab, and not even ad-hoc manually by community
    members. We could use QEMU to test it, but even that is known not to
    work on our end.
    
    Also take the opportunity to rename the feature to "ACPI CPU Hotplug"
    for clarity.
    
    Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
---
 CHANGELOG.md | 2 ++
 SUPPORT.md   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 24636b8eaf..e33cf4e1b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    known user doesn't use it properly, leading to in-guest breakage.
  - The "dom0" option is now supported on Arm and "sve=" sub-option can be used
    to enable dom0 guest to use SVE/SVE2 instructions.
+ - Physical CPU Hotplug downgraded to Experimental and renamed "ACPI CPU
+   Hotplug" for clarity
 
 ### Added
  - On x86, support for features new in Intel Sapphire Rapids CPUs:
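Review bot: the new CHANGELOG entry ends at `Hotplug" for clarity` without a full stop, while the entry directly above it ends with one ("... SVE/SVE2 instructions."). Add the trailing period so the list stays consistent.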
diff --git a/SUPPORT.md b/SUPPORT.md
index 44dbd4f190..fff4b4c5ba 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -46,9 +46,9 @@ For the Cortex A77 r0p0 - r1p0, see Errata 1508412.
 
 ## Host hardware support
 
-### Physical CPU Hotplug
+### ACPI CPU Hotplug
 
-    Status, x86: Supported
+    Status, x86: Experimental
 
 ### Physical Memory
 
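Review bot: the renamed `### ACPI CPU Hotplug` section is still only a bare status line, so a reader searching SUPPORT.md for the old "Physical CPU Hotplug" name finds nothing, and the reason for the Experimental status lives only in the commit message. Consider one descriptive sentence under the heading that mentions the former name and that the feature is currently untested.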
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 05 23:22:06 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen: arm: procinfo.h: Fixed a typo
Message-Id: <E1qoXfN-00026N-MR@xenbits.xenproject.org>
Date: Thu, 05 Oct 2023 23:22:01 +0000

commit 02c98966360b76052779b0186784437af88f301e
Author:     Ayan Kumar Halder <ayan.kumar.halder@amd.com>
AuthorDate: Thu Sep 28 13:12:43 2023 +0100
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 13:12:17 2023 +0100

    xen: arm: procinfo.h: Fixed a typo
    
    Change VPCU to vCPU.
    Also add a space before '*/'.
    
    Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/arm/include/asm/procinfo.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/arm/include/asm/procinfo.h b/xen/arch/arm/include/asm/procinfo.h
index 02be56e348..3a05f27784 100644
--- a/xen/arch/arm/include/asm/procinfo.h
+++ b/xen/arch/arm/include/asm/procinfo.h
@@ -24,7 +24,7 @@
 #include <xen/sched.h>
 
 struct processor {
-    /* Initialize specific processor register for the new VPCU*/
+    /* Initialize specific processor register for the new vCPU */
     void (*vcpu_initialise)(struct vcpu *v);
 };
 
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:09 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] mem_sharing/fork: do not attempt to populate vcpu_info page
Message-Id: <E1qpVBN-0001lT-QP@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:01 +0000

commit 9a499a84a2724757ad59b684e7858dfb60521290
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Mon Oct 2 17:11:18 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:08:14 2023 +0100

    mem_sharing/fork: do not attempt to populate vcpu_info page
    
    Instead let map_vcpu_info() and its call to get_page_from_gfn()
    populate the page in the child as needed.  Also remove the bogus
    copy_domain_page(): should be placed before the call to map_vcpu_info(),
    as the latter can update the contents of the vcpu_info page.
    
    Note that this eliminates a bug in copy_vcpu_settings(): The function did
    allocate a new page regardless of the GFN already having a mapping, thus in
    particular breaking the case of two vCPU-s having their info areas on the same
    page.
    
    Fixes: 41548c5472a3 ('mem_sharing: VM forking')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/mm/mem_sharing.c | 36 ++++++------------------------------
 1 file changed, 6 insertions(+), 30 deletions(-)

diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index ae5366d447..5f8f1fb4d8 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1689,48 +1689,24 @@ static int copy_vcpu_settings(struct domain *cd, const struct domain *d)
     unsigned int i;
     struct p2m_domain *p2m = p2m_get_hostp2m(cd);
     int ret = -EINVAL;
+    mfn_t vcpu_info_mfn;
 
     for ( i = 0; i < cd->max_vcpus; i++ )
     {
         struct vcpu *d_vcpu = d->vcpu[i];
         struct vcpu *cd_vcpu = cd->vcpu[i];
-        mfn_t vcpu_info_mfn;
 
         if ( !d_vcpu || !cd_vcpu )
             continue;
 
-        /* Copy & map in the vcpu_info page if the guest uses one */
+        /* Map in the vcpu_info page if the guest uses one */
         vcpu_info_mfn = d_vcpu->vcpu_info_mfn;
         if ( !mfn_eq(vcpu_info_mfn, INVALID_MFN) )
         {
-            mfn_t new_vcpu_info_mfn = cd_vcpu->vcpu_info_mfn;
-
-            /* Allocate & map the page for it if it hasn't been already */
-            if ( mfn_eq(new_vcpu_info_mfn, INVALID_MFN) )
-            {
-                gfn_t gfn = mfn_to_gfn(d, vcpu_info_mfn);
-                unsigned long gfn_l = gfn_x(gfn);
-                struct page_info *page;
-
-                if ( !(page = alloc_domheap_page(cd, 0)) )
-                    return -ENOMEM;
-
-                new_vcpu_info_mfn = page_to_mfn(page);
-                set_gpfn_from_mfn(mfn_x(new_vcpu_info_mfn), gfn_l);
-
-                ret = p2m->set_entry(p2m, gfn, new_vcpu_info_mfn,
-                                     PAGE_ORDER_4K, p2m_ram_rw,
-                                     p2m->default_access, -1);
-                if ( ret )
-                    return ret;
-
-                ret = map_vcpu_info(cd_vcpu, gfn_l,
-                                    PAGE_OFFSET(d_vcpu->vcpu_info));
-                if ( ret )
-                    return ret;
-            }
-
-            copy_domain_page(new_vcpu_info_mfn, vcpu_info_mfn);
+            ret = map_vcpu_info(cd_vcpu, mfn_to_gfn(d, vcpu_info_mfn),
+                                PAGE_OFFSET(d_vcpu->vcpu_info));
+            if ( ret )
+                return ret;
         }
 
         ret = copy_vpmu(d_vcpu, cd_vcpu);
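Review bot: the new map_vcpu_info() call passes the result of mfn_to_gfn(d, vcpu_info_mfn) straight through, whereas the removed code stored it in a gfn_t and passed gfn_x(gfn) as an unsigned long. Please confirm the argument type still matches what map_vcpu_info() expects, or keep the explicit gfn_x() conversion. Separately, vcpu_info_mfn is still used only inside the loop body, so hoisting its declaration to function scope widens its lifetime for no visible reason, and the `p2m` local loses its only use in this hunk and should be dropped if nothing later in the function needs it.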
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/shim: zap runstate and time area handles during shutdown
Message-Id: <E1qpVBX-0001m0-TY@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:11 +0000

commit 826da6e30cf37a22b3f32dba33477856125df91b
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:19 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:08:26 2023 +0100

    x86/shim: zap runstate and time area handles during shutdown
    
    While likely the guest would just re-register the same areas after
    a possible resume, let's not take this for granted and avoid the risk of
    otherwise corrupting guest memory.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/pv/shim.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/arch/x86/pv/shim.c b/xen/arch/x86/pv/shim.c
index ca0e639db3..7e4bacf7ae 100644
--- a/xen/arch/x86/pv/shim.c
+++ b/xen/arch/x86/pv/shim.c
@@ -385,6 +385,10 @@ int pv_shim_shutdown(uint8_t reason)
         /* Unmap guest vcpu_info pages. */
         unmap_vcpu_info(v);
 
+        /* Zap runstate and time area handles. */
+        set_xen_guest_handle(runstate_guest(v), NULL);
+        set_xen_guest_handle(v->arch.time_info_guest, NULL);
+
         /* Reset the periodic timer to the default value. */
         vcpu_set_periodic_timer(v, MILLISECS(10));
         /* Stop the singleshot timer. */
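Review bot: the comment `/* Zap runstate and time area handles. */` says what the two set_xen_guest_handle(..., NULL) calls do but not why; the reason (not taking for granted that the guest re-registers the same areas after a resume, and so avoiding the risk of corrupting guest memory) is only in the commit message. A one-line rationale in the comment would keep a later reader from treating these calls as redundant.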
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:23 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: GADDR based shared guest area registration alternative - teardown
Message-Id: <E1qpVBi-0001mP-0y@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:22 +0000

commit c4630e316240508f3fb619678adc4cfb47bf13d2
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:20 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:08:44 2023 +0100

    domain: GADDR based shared guest area registration alternative - teardown
    
    In preparation of the introduction of new vCPU operations allowing to
    register the respective areas (one of the two is x86-specific) by
    guest-physical address, add the necessary domain cleanup hooks.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Acked-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/domain.c             |  5 +++++
 xen/arch/x86/include/asm/domain.h |  1 +
 xen/arch/x86/pv/shim.c            |  4 +++-
 xen/common/domain.c               | 17 +++++++++++++++++
 xen/include/xen/domain.h          | 11 +++++++++++
 xen/include/xen/sched.h           |  1 +
 6 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 645675d87d..9d352defa2 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1024,7 +1024,10 @@ int arch_domain_soft_reset(struct domain *d)
     }
 
     for_each_vcpu ( d, v )
+    {
         set_xen_guest_handle(v->arch.time_info_guest, NULL);
+        unmap_guest_area(v, &v->arch.time_guest_area);
+    }
 
  exit_put_gfn:
     put_gfn(d, gfn_x(gfn));
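Review bot: the unmap_guest_area() call added to the for_each_vcpu loop sits above the `exit_put_gfn:` label, so any path that jumps to that label skips it, just as it already skips the handle reset. If a soft reset that bails out early is meant to leave the time area registered, say so in a comment; otherwise the cleanup should run on every exit path.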
@@ -2381,6 +2384,8 @@ int domain_relinquish_resources(struct domain *d)
             if ( ret )
                 return ret;
 
+            unmap_guest_area(v, &v->arch.time_guest_area);
+
             vpmu_destroy(v);
         }
 
diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h
index c2d9fc333b..e0bd28e424 100644
--- a/xen/arch/x86/include/asm/domain.h
+++ b/xen/arch/x86/include/asm/domain.h
@@ -669,6 +669,7 @@ struct arch_vcpu
 
     /* A secondary copy of the vcpu time info. */
     XEN_GUEST_HANDLE(vcpu_time_info_t) time_info_guest;
+    struct guest_area time_guest_area;
 
     struct arch_vm_event *vm_event;
 
diff --git a/xen/arch/x86/pv/shim.c b/xen/arch/x86/pv/shim.c
index 7e4bacf7ae..f08b16bae2 100644
--- a/xen/arch/x86/pv/shim.c
+++ b/xen/arch/x86/pv/shim.c
@@ -382,8 +382,10 @@ int pv_shim_shutdown(uint8_t reason)
 
     for_each_vcpu ( d, v )
     {
-        /* Unmap guest vcpu_info pages. */
+        /* Unmap guest vcpu_info page and runstate/time areas. */
         unmap_vcpu_info(v);
+        unmap_guest_area(v, &v->runstate_guest_area);
+        unmap_guest_area(v, &v->arch.time_guest_area);
 
         /* Zap runstate and time area handles. */
         set_xen_guest_handle(runstate_guest(v), NULL);
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 304aa04fa6..76a4c2072e 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -992,7 +992,10 @@ int domain_kill(struct domain *d)
         if ( cpupool_move_domain(d, cpupool0) )
             return -ERESTART;
         for_each_vcpu ( d, v )
+        {
             unmap_vcpu_info(v);
+            unmap_guest_area(v, &v->runstate_guest_area);
+        }
         d->is_dying = DOMDYING_dead;
         /* Mem event cleanup has to go here because the rings 
          * have to be put before we call put_domain. */
@@ -1446,6 +1449,7 @@ int domain_soft_reset(struct domain *d, bool resuming)
     {
         set_xen_guest_handle(runstate_guest(v), NULL);
         unmap_vcpu_info(v);
+        unmap_guest_area(v, &v->runstate_guest_area);
     }
 
     rc = arch_domain_soft_reset(d);
@@ -1597,6 +1601,19 @@ void unmap_vcpu_info(struct vcpu *v)
     put_page_and_type(mfn_to_page(mfn));
 }
 
+/*
+ * This is only intended to be used for domain cleanup (or more generally only
+ * with at least the respective vCPU, if it's not the current one, reliably
+ * paused).
+ */
+void unmap_guest_area(struct vcpu *v, struct guest_area *area)
+{
+    struct domain *d = v->domain;
+
+    if ( v != current )
+        ASSERT(atomic_read(&v->pause_count) | atomic_read(&d->pause_count));
+}
+
 int default_initialise_vcpu(struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
     struct vcpu_guest_context *ctxt;
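Review bot: unmap_guest_area() never touches its `area` argument; the body is only the pause-state ASSERT, so every call site added in this patch is a no-op for now. State in the function comment that the unmapping itself arrives with a later change, so the stub is not mistaken for finished cleanup.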
diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h
index 81fb05a642..a6b22fa2ca 100644
--- a/xen/include/xen/domain.h
+++ b/xen/include/xen/domain.h
@@ -5,6 +5,12 @@
 #include <xen/types.h>
 
 #include <public/xen.h>
+
+struct guest_area {
+    struct page_info *pg;
+    void *map;
+};
+
 #include <asm/domain.h>
 #include <asm/numa.h>
 
@@ -77,6 +83,11 @@ void arch_vcpu_destroy(struct vcpu *v);
 int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned int offset);
 void unmap_vcpu_info(struct vcpu *v);
 
+int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
+                   struct guest_area *area,
+                   void (*populate)(void *dst, struct vcpu *v));
+void unmap_guest_area(struct vcpu *v, struct guest_area *area);
+
 struct xen_domctl_createdomain;
 int arch_domain_create(struct domain *d,
                        struct xen_domctl_createdomain *config,
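Review bot: map_guest_area() is declared here but nothing in this patch defines or calls it, and the prototype carries no description of `size` or of when the `populate` callback runs. Either introduce the declaration together with its definition or document the parameters next to the prototype.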
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index d8c8dd85a6..f30f3b0ebe 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -203,6 +203,7 @@ struct vcpu
         XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t) compat;
     } runstate_guest; /* guest address */
 #endif
+    struct guest_area runstate_guest_area;
     unsigned int     new_state;
 
     /* Has the FPU been initialised? */
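Review bot: the new `runstate_guest_area` field has no comment, while the `runstate_guest` union just above it is annotated `/* guest address */`. A brief comment distinguishing the GADDR based area from the handle based one would help, since both now coexist in struct vcpu.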
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: update GADDR based runstate guest area
Message-Id: <E1qpVBs-0001mo-6X@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:32 +0000

commit e1ddb822ca2e3c332d42d508e2a5fbd7be018815
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:21 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:08:50 2023 +0100

    domain: update GADDR based runstate guest area
    
    Before adding a new vCPU operation to register the runstate area by
    guest-physical address, add code to actually keep such areas up-to-date.
    
    Note that updating of the area will be done exclusively following the
    model enabled by VMASST_TYPE_runstate_update_flag for virtual-address
    based registered areas.
    
    Note further that pages aren't marked dirty when written to (matching
    the handling of space mapped by map_vcpu_info()), on the basis that the
    registrations are lost anyway across migration (or would need re-
    populating at the target for transparent migration). Plus the contents
    of the areas in question have to be deemed volatile in the first place
    (so saving a "most recent" value is pretty meaningless even for e.g.
    snapshotting).
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/common/domain.c     | 43 ++++++++++++++++++++++++++++++++++++++++---
 xen/include/xen/sched.h |  2 ++
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/xen/common/domain.c b/xen/common/domain.c
index 76a4c2072e..d4958ec5e1 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1644,15 +1644,52 @@ bool update_runstate_area(struct vcpu *v)
     bool rc;
     struct guest_memory_policy policy = { };
     void __user *guest_handle = NULL;
-    struct vcpu_runstate_info runstate;
+    struct vcpu_runstate_info runstate = v->runstate;
+    struct vcpu_runstate_info *map = v->runstate_guest_area.map;
+
+    if ( map )
+    {
+        uint64_t *pset;
+#ifdef CONFIG_COMPAT
+        struct compat_vcpu_runstate_info *cmap = NULL;
+
+        if ( v->runstate_guest_area_compat )
+            cmap = (void *)map;
+#endif
+
+        /*
+         * NB: No VM_ASSIST(v->domain, runstate_update_flag) check here.
+         *     Always using that updating model.
+         */
+#ifdef CONFIG_COMPAT
+        if ( cmap )
+            pset = &cmap->state_entry_time;
+        else
+#endif
+            pset = &map->state_entry_time;
+        runstate.state_entry_time |= XEN_RUNSTATE_UPDATE;
+        write_atomic(pset, runstate.state_entry_time);
+        smp_wmb();
+
+#ifdef CONFIG_COMPAT
+        if ( cmap )
+            XLAT_vcpu_runstate_info(cmap, &runstate);
+        else
+#endif
+            *map = runstate;
+
+        smp_wmb();
+        runstate.state_entry_time &= ~XEN_RUNSTATE_UPDATE;
+        write_atomic(pset, runstate.state_entry_time);
+
+        return true;
+    }
 
     if ( guest_handle_is_null(runstate_guest(v)) )
         return true;
 
     update_guest_memory_policy(v, &policy);
 
-    memcpy(&runstate, &v->runstate, sizeof(runstate));
-
     if ( VM_ASSIST(v->domain, runstate_update_flag) )
     {
 #ifdef CONFIG_COMPAT
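
Review bot: The new "if ( map )" block in update_runstate_area() writes the guest page without marking it dirty, and the reason for that is given only in the commit message; a short comment above the block (registrations are lost across migration, contents are volatile) would keep the rationale next to the code. It would also help to note that "*map = runstate;" and the XLAT copy deliberately store state_entry_time with XEN_RUNSTATE_UPDATE still set, so the flag never reads as clear between the two write_atomic() calls. As a style point, the three CONFIG_COMPAT fragments could shrink to one if pset were chosen where cmap is set up.
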
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index f30f3b0ebe..6e1028785d 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -232,6 +232,8 @@ struct vcpu
 #ifdef CONFIG_COMPAT
     /* A hypercall is using the compat ABI? */
     bool             hcall_compat;
+    /* Physical runstate area registered via compat ABI? */
+    bool             runstate_guest_area_compat;
 #endif
 
 #ifdef CONFIG_IOREQ_SERVER
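
Review bot: runstate_guest_area_compat is only read in this patch (update_runstate_area() uses it to pick the compat layout) and is not written anywhere in it. The comment on the field should say which path sets it and that it is meaningful only while runstate_guest_area.map is non-NULL, since a stale value would make Xen write the wrong layout into the guest page.
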
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:43 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86: update GADDR based secondary time area
Message-Id: <E1qpVC2-0001nW-9c@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:42 +0000

commit c2e285ea0e6dea9cc6f4578e49d76075a153baa0
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:22 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:08:57 2023 +0100

    x86: update GADDR based secondary time area
    
    Before adding a new vCPU operation to register the secondary time area
    by guest-physical address, add code to actually keep such areas up-to-
    date.
    
    Note that pages aren't marked dirty when written to (matching the
    handling of space mapped by map_vcpu_info()), on the basis that the
    registrations are lost anyway across migration (or would need re-
    populating at the target for transparent migration). Plus the contents
    of the areas in question have to be deemed volatile in the first place
    (so saving a "most recent" value is pretty meaningless even for e.g.
    snapshotting).
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/time.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
index af40a9993c..332d2d79ae 100644
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -1566,12 +1566,34 @@ static void __update_vcpu_system_time(struct vcpu *v, int force)
         v->arch.pv.pending_system_time = _u;
 }
 
+static void write_time_guest_area(struct vcpu_time_info *map,
+                                  const struct vcpu_time_info *src)
+{
+    /* 1. Update userspace version. */
+    write_atomic(&map->version, src->version);
+    smp_wmb();
+
+    /* 2. Update all other userspace fields. */
+    *map = *src;
+
+    /* 3. Update userspace version again. */
+    smp_wmb();
+    write_atomic(&map->version, version_update_end(src->version));
+}
+
 bool update_secondary_system_time(struct vcpu *v,
                                   struct vcpu_time_info *u)
 {
     XEN_GUEST_HANDLE(vcpu_time_info_t) user_u = v->arch.time_info_guest;
+    struct vcpu_time_info *map = v->arch.time_guest_area.map;
     struct guest_memory_policy policy = { .nested_guest_mode = false };
 
+    if ( map )
+    {
+        write_time_guest_area(map, u);
+        return true;
+    }
+
     if ( guest_handle_is_null(user_u) )
         return true;
 
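
Review bot: write_time_guest_area() stores src->version unchanged in step 1 and version_update_end(src->version) in step 3, so it appears to be correct only when the caller passes a version that already marks an update in progress. That precondition is not stated anywhere in the helper; put it in a comment or assert it. The step comments say "userspace" although the destination is the mapped guest area, so "guest" would be more accurate, and as in the runstate patch a comment on why the page is not marked dirty belongs next to the write.
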
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:55:53 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/mem-sharing: copy GADDR based shared guest areas
Message-Id: <E1qpVCC-0001nx-EV@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:55:52 +0000

commit c4dde71e3e6961f817e2a574ce4918041cb30fb9
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Wed Oct 4 15:53:31 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:10:37 2023 +0100

    x86/mem-sharing: copy GADDR based shared guest areas
    
    In preparation of the introduction of new vCPU operations allowing to
    register the respective areas (one of the two is x86-specific) by
    guest-physical address, add the necessary fork handling (with the
    backing function yet to be filled in).
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/mm/mem_sharing.c | 36 ++++++++++++++++++++++++++++++++++++
 xen/common/domain.c           |  7 +++++++
 2 files changed, 43 insertions(+)

diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 5f8f1fb4d8..445947b6a9 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1641,6 +1641,24 @@ static void copy_vcpu_nonreg_state(struct vcpu *d_vcpu, struct vcpu *cd_vcpu)
     hvm_set_nonreg_state(cd_vcpu, &nrs);
 }
 
+static int copy_guest_area(struct guest_area *cd_area,
+                           const struct guest_area *d_area,
+                           struct vcpu *cd_vcpu,
+                           const struct domain *d)
+{
+    unsigned int offset;
+
+    /* Check if no area to map, or already mapped. */
+    if ( !d_area->pg || cd_area->pg )
+        return 0;
+
+    offset = PAGE_OFFSET(d_area->map);
+    return map_guest_area(cd_vcpu, gfn_to_gaddr(
+                                       mfn_to_gfn(d, page_to_mfn(d_area->pg))) +
+                                   offset,
+                          PAGE_SIZE - offset, cd_area, NULL);
+}
+
 static int copy_vpmu(struct vcpu *d_vcpu, struct vcpu *cd_vcpu)
 {
     struct vpmu_struct *d_vpmu = vcpu_vpmu(d_vcpu);
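
Review bot: In copy_guest_area() the result of mfn_to_gfn(d, page_to_mfn(d_area->pg)) goes straight into gfn_to_gaddr() with no check that the parent still has the page at a valid GFN. If that lookup can fail, the failure is left for map_guest_area() to reject indirectly; an explicit check with a defined error code would be clearer. Please also comment on why PAGE_SIZE - offset is passed as the size instead of the area's real size, since that makes the page-crossing check that map_guest_area() gains later in the series pass by construction.
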
@@ -1709,6 +1727,16 @@ static int copy_vcpu_settings(struct domain *cd, const struct domain *d)
                 return ret;
         }
 
+        /* Same for the (physically registered) runstate and time info areas. */
+        ret = copy_guest_area(&cd_vcpu->runstate_guest_area,
+                              &d_vcpu->runstate_guest_area, cd_vcpu, d);
+        if ( ret )
+            return ret;
+        ret = copy_guest_area(&cd_vcpu->arch.time_guest_area,
+                              &d_vcpu->arch.time_guest_area, cd_vcpu, d);
+        if ( ret )
+            return ret;
+
         ret = copy_vpmu(d_vcpu, cd_vcpu);
         if ( ret )
             return ret;
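
Review bot: Both new copy_guest_area() calls in copy_vcpu_settings() return the error unchanged. cd_vcpu will normally not be the calling vCPU, so map_guest_area(), as filled in later in this series, can fail with -ERESTART when the trylock on hypercall_deadlock_mutex fails. Only mem_sharing_fork_reset() is seen translating that value in this patch; please confirm every other caller of copy_vcpu_settings() copes with -ERESTART, or do the translation closer to the source.
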
@@ -1950,7 +1978,15 @@ int mem_sharing_fork_reset(struct domain *d, bool reset_state,
 
  state:
     if ( reset_state )
+    {
         rc = copy_settings(d, pd);
+        if ( rc == -ERESTART )
+            /*
+             * Translate to -EAGAIN, see TODO comment at top of function about
+             * hypercall continuations.
+             */
+            rc = -EAGAIN;
+    }
 
     domain_unpause(d);
 
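
Review bot: The -ERESTART to -EAGAIN translation in mem_sharing_fork_reset() happens after part of copy_settings() may already have run, so the caller's retry re-enters a partly applied reset. For the guest areas this is safe because copy_guest_area() returns 0 when cd_area->pg is already set, but that dependency is not written down. Mention it in the comment here, and document -EAGAIN as a possible result of the fork reset operation so callers know to retry.
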
diff --git a/xen/common/domain.c b/xen/common/domain.c
index d4958ec5e1..47fc902719 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1601,6 +1601,13 @@ void unmap_vcpu_info(struct vcpu *v)
     put_page_and_type(mfn_to_page(mfn));
 }
 
+int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
+                   struct guest_area *area,
+                   void (*populate)(void *dst, struct vcpu *v))
+{
+    return -EOPNOTSUPP;
+}
+
 /*
  * This is only intended to be used for domain cleanup (or more generally only
  * with at least the respective vCPU, if it's not the current one, reliably
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:03 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: map/unmap GADDR based shared guest areas
Message-Id: <E1qpVCM-0001og-IE@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:02 +0000

commit eadc288cbb0ddc432ff8c9c639fb25b7538325de
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:24 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:10:45 2023 +0100

    domain: map/unmap GADDR based shared guest areas
    
    The registration by virtual/linear address has downsides: At least on
    x86 the access is expensive for HVM/PVH domains. Furthermore for 64-bit
    PV domains the areas are inaccessible (and hence cannot be updated by
    Xen) when in guest-user mode, and for HVM guests they may be
    inaccessible when Meltdown mitigations are in place. (There are yet
    more issues.)
    
    In preparation of the introduction of new vCPU operations allowing to
    register the respective areas (one of the two is x86-specific) by
    guest-physical address, flesh out the map/unmap functions.
    
    Noteworthy differences from map_vcpu_info():
    - areas can be registered more than once (and de-registered),
    - remote vCPU-s are paused rather than checked for being down (which in
      principle can change right after the check),
    - the domain lock is taken for a much smaller region.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/common/domain.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 91 insertions(+), 1 deletion(-)

diff --git a/xen/common/domain.c b/xen/common/domain.c
index 47fc902719..747bf5c87a 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1605,7 +1605,82 @@ int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
                    struct guest_area *area,
                    void (*populate)(void *dst, struct vcpu *v))
 {
-    return -EOPNOTSUPP;
+    struct domain *d = v->domain;
+    void *map = NULL;
+    struct page_info *pg = NULL;
+    int rc = 0;
+
+    if ( ~gaddr ) /* Map (i.e. not just unmap)? */
+    {
+        unsigned long gfn = PFN_DOWN(gaddr);
+        unsigned int align;
+        p2m_type_t p2mt;
+
+        if ( gfn != PFN_DOWN(gaddr + size - 1) )
+            return -ENXIO;
+
+#ifdef CONFIG_COMPAT
+        if ( has_32bit_shinfo(d) )
+            align = alignof(compat_ulong_t);
+        else
+#endif
+            align = alignof(xen_ulong_t);
+        if ( !IS_ALIGNED(gaddr, align) )
+            return -ENXIO;
+
+        rc = check_get_page_from_gfn(d, _gfn(gfn), false, &p2mt, &pg);
+        if ( rc )
+            return rc;
+
+        if ( !get_page_type(pg, PGT_writable_page) )
+        {
+            put_page(pg);
+            return -EACCES;
+        }
+
+        map = __map_domain_page_global(pg);
+        if ( !map )
+        {
+            put_page_and_type(pg);
+            return -ENOMEM;
+        }
+        map += PAGE_OFFSET(gaddr);
+    }
+
+    if ( v != current )
+    {
+        if ( !spin_trylock(&d->hypercall_deadlock_mutex) )
+        {
+            rc = -ERESTART;
+            goto unmap;
+        }
+
+        vcpu_pause(v);
+
+        spin_unlock(&d->hypercall_deadlock_mutex);
+    }
+
+    domain_lock(d);
+
+    if ( map && populate )
+        populate(map, v);
+
+    SWAP(area->pg, pg);
+    SWAP(area->map, map);
+
+    domain_unlock(d);
+
+    if ( v != current )
+        vcpu_unpause(v);
+
+ unmap:
+    if ( pg )
+    {
+        unmap_domain_page_global(map);
+        put_page_and_type(pg);
+    }
+
+    return rc;
 }
 
 /*
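
Review bot: The "unmap:" block in map_guest_area() does two jobs that are easy to misread: on the -ERESTART path it drops the mapping just created, while on success pg and map hold the previous registration after the two SWAP() calls and the block releases that one. A comment at the label would save the next reader from working this out. Also, p2mt is filled in by check_get_page_from_gfn() but never examined afterwards; either use it or say in a comment that the p2m type is deliberately ignored once get_page_type(pg, PGT_writable_page) succeeds.
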
@@ -1616,9 +1691,24 @@ int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
 void unmap_guest_area(struct vcpu *v, struct guest_area *area)
 {
     struct domain *d = v->domain;
+    void *map;
+    struct page_info *pg;
 
     if ( v != current )
         ASSERT(atomic_read(&v->pause_count) | atomic_read(&d->pause_count));
+
+    domain_lock(d);
+    map = area->map;
+    area->map = NULL;
+    pg = area->pg;
+    area->pg = NULL;
+    domain_unlock(d);
+
+    if ( pg )
+    {
+        unmap_domain_page_global(map);
+        put_page_and_type(pg);
+    }
 }
 
 int default_initialise_vcpu(struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
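
Review bot: unmap_guest_area() clears area->map and area->pg by hand under domain_lock(), where map_guest_area() uses SWAP() on the same two fields. Using one idiom in both (locals initialised to NULL, then SWAP) would make it obvious that the two functions hand over ownership of the mapping and the page reference identically.
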
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: introduce GADDR based runstate area registration alternative
Message-Id: <E1qpVCW-0001p5-LR@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:12 +0000

commit d5df44275e7af690ef18b56cc58762ce33a37149
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:25 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:10:45 2023 +0100

    domain: introduce GADDR based runstate area registration alternative
    
    The registration by virtual/linear address has downsides: At least on
    x86 the access is expensive for HVM/PVH domains. Furthermore for 64-bit
    PV domains the area is inaccessible (and hence cannot be updated by Xen)
    when in guest-user mode.
    
    Introduce a new vCPU operation allowing to register the runstate area by
    guest-physical address.
    
    An at least theoretical downside to using physically registered areas is
    that PV then won't see dirty (and perhaps also accessed) bits set in its
    respective page table entries.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/x86_64/domain.c | 35 +++++++++++++++++++++++++++++++++++
 xen/common/domain.c          | 39 +++++++++++++++++++++++++++++++++++++++
 xen/include/public/vcpu.h    | 15 +++++++++++++++
 3 files changed, 89 insertions(+)

diff --git a/xen/arch/x86/x86_64/domain.c b/xen/arch/x86/x86_64/domain.c
index bfaea17fe7..494b0b54e6 100644
--- a/xen/arch/x86/x86_64/domain.c
+++ b/xen/arch/x86/x86_64/domain.c
@@ -12,6 +12,22 @@
 CHECK_vcpu_get_physid;
 #undef xen_vcpu_get_physid
 
+static void cf_check
+runstate_area_populate(void *map, struct vcpu *v)
+{
+    if ( is_pv_vcpu(v) )
+        v->arch.pv.need_update_runstate_area = false;
+
+    v->runstate_guest_area_compat = true;
+
+    if ( v == current )
+    {
+        struct compat_vcpu_runstate_info *info = map;
+
+        XLAT_vcpu_runstate_info(info, &v->runstate);
+    }
+}
+
 int
 compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
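
Review bot: The compat runstate_area_populate() writes the initial contents only when v == current; for a remote vCPU the newly registered page keeps whatever the guest had there until the next update_runstate_area(). If that is intended, say so in a comment, since a guest reading the area right after registering it for another vCPU gets no valid runstate. The function also sets runstate_guest_area_compat = true purely from the hypercall entry point, while map_guest_area() picks its alignment from has_32bit_shinfo(d); note the assumption that the two always agree.
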
@@ -58,6 +74,25 @@ compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
         break;
     }
 
+    case VCPUOP_register_runstate_phys_area:
+    {
+        struct compat_vcpu_register_runstate_memory_area area;
+
+        rc = -EFAULT;
+        if ( copy_from_guest(&area.addr.p, arg, 1) )
+            break;
+
+        rc = map_guest_area(v, area.addr.p,
+                            sizeof(struct compat_vcpu_runstate_info),
+                            &v->runstate_guest_area,
+                            runstate_area_populate);
+        if ( rc == -ERESTART )
+            rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
+                                               cmd, vcpuid, arg);
+
+        break;
+    }
+
     case VCPUOP_register_vcpu_time_memory_area:
     {
         struct compat_vcpu_register_time_memory_area area = { .addr.p = 0 };
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 747bf5c87a..486c1ae3f7 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1830,6 +1830,26 @@ bool update_runstate_area(struct vcpu *v)
     return rc;
 }
 
+static void cf_check
+runstate_area_populate(void *map, struct vcpu *v)
+{
+#ifdef CONFIG_PV
+    if ( is_pv_vcpu(v) )
+        v->arch.pv.need_update_runstate_area = false;
+#endif
+
+#ifdef CONFIG_COMPAT
+    v->runstate_guest_area_compat = false;
+#endif
+
+    if ( v == current )
+    {
+        struct vcpu_runstate_info *info = map;
+
+        *info = v->runstate;
+    }
+}
+
 long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
     long rc = 0;
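
Review bot: This runstate_area_populate() and the one added to xen/arch/x86/x86_64/domain.c are two static functions with the same name that differ only in the value stored in runstate_guest_area_compat and in the copy used. Distinct names, or one function taking a compat flag, would make backtraces and grep results unambiguous and keep the need_update_runstate_area handling in one place.
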
@@ -2012,6 +2032,25 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
         break;
     }
 
+    case VCPUOP_register_runstate_phys_area:
+    {
+        struct vcpu_register_runstate_memory_area area;
+
+        rc = -EFAULT;
+        if ( copy_from_guest(&area.addr.p, arg, 1) )
+            break;
+
+        rc = map_guest_area(v, area.addr.p,
+                            sizeof(struct vcpu_runstate_info),
+                            &v->runstate_guest_area,
+                            runstate_area_populate);
+        if ( rc == -ERESTART )
+            rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
+                                               cmd, vcpuid, arg);
+
+        break;
+    }
+
     default:
         rc = -ENOSYS;
         break;
diff --git a/xen/include/public/vcpu.h b/xen/include/public/vcpu.h
index a836b264a9..9dac0f9748 100644
--- a/xen/include/public/vcpu.h
+++ b/xen/include/public/vcpu.h
@@ -110,6 +110,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_t);
  *     runstate.state will always be RUNSTATE_running and
  *     runstate.state_entry_time will indicate the system time at which the
  *     VCPU was last scheduled to run.
+ *  3. New code wants to prefer VCPUOP_register_runstate_phys_area, and only
+ *     fall back to the operation here for backwards compatibility.
  * @extra_arg == pointer to vcpu_register_runstate_memory_area structure.
  */
 #define VCPUOP_register_runstate_memory_area 5
@@ -221,6 +223,19 @@ struct vcpu_register_time_memory_area {
 typedef struct vcpu_register_time_memory_area vcpu_register_time_memory_area_t;
 DEFINE_XEN_GUEST_HANDLE(vcpu_register_time_memory_area_t);
 
+/*
+ * Like the respective VCPUOP_register_*_memory_area, just using the "addr.p"
+ * field of the supplied struct as a guest physical address (i.e. in GFN space).
+ * The respective area may not cross a page boundary.  Pass ~0 to unregister an
+ * area.  Note that as long as an area is registered by physical address, the
+ * linear address based area will not be serviced (updated) by the hypervisor.
+ *
+ * Note that the area registered via VCPUOP_register_runstate_memory_area will
+ * be updated in the same manner as the one registered via virtual address PLUS
+ * VMASST_TYPE_runstate_update_flag engaged by the domain.
+ */
+#define VCPUOP_register_runstate_phys_area      14
+
 #endif /* __XEN_PUBLIC_VCPU_H__ */
 
 /*
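
Review bot: The second paragraph of the new comment in vcpu.h names VCPUOP_register_runstate_memory_area as the area being described, which makes the sentence compare the virtual-address registration with itself; going by the rest of the series the subject should be the area registered via VCPUOP_register_runstate_phys_area. The comment should also state the alignment requirement and the error returned (map_guest_area() rejects an unaligned or page-crossing address with -ENXIO), since this header is where guest authors will look for it.
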
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:23 2023
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=HK3Yxa9Z9Md3NQ/Tp1P13Kq8RUyuKf9BogixgX0ItNs=; b=VFuFgofQEM7HSrc9xjXPjfiXsH
	nmOSF+yWi26VNsqjClFrys1uei77elHPecUOnR44nS4kfsGEpw1OVfxEM0lwZCenwRJarbj2+lasY
	frayijNHVLeK+J1591FZ8jjbAK59wCnOgBX4cMkBKR0ZqP0b0hmvisJ+Tg9BA5zcvRsE=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86: introduce GADDR based secondary time area registration alternative
Message-Id: <E1qpVCg-0001pW-Pz@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:22 +0000

commit 60e544a8c58fdc720de05f6a721178f9516436d1
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:26 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:10:45 2023 +0100

    x86: introduce GADDR based secondary time area registration alternative
    
    The registration by virtual/linear address has downsides: The access is
    expensive for HVM/PVH domains. Furthermore for 64-bit PV domains the area
    is inaccessible (and hence cannot be updated by Xen) when in guest-user
    mode.
    
    Introduce a new vCPU operation allowing to register the secondary time
    area by guest-physical address.
    
    An at least theoretical downside to using physically registered areas is
    that PV then won't see dirty (and perhaps also accessed) bits set in its
    respective page table entries.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/domain.c             | 28 ++++++++++++++++++++++++++++
 xen/arch/x86/include/asm/domain.h |  2 ++
 xen/arch/x86/time.c               | 10 ++++++++++
 xen/arch/x86/x86_64/domain.c      |  1 +
 xen/include/public/vcpu.h         |  4 ++++
 5 files changed, 45 insertions(+)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 9d352defa2..8e0af22781 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1529,6 +1529,15 @@ int arch_vcpu_reset(struct vcpu *v)
     return 0;
 }
 
+static void cf_check
+time_area_populate(void *map, struct vcpu *v)
+{
+    if ( is_pv_vcpu(v) )
+        v->arch.pv.pending_system_time.version = 0;
+
+    force_update_secondary_system_time(v, map);
+}
+
 long do_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
     long rc = 0;
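Review bot: time_area_populate() clears v->arch.pv.pending_system_time.version for PV vCPUs with no comment saying why a fresh registration has to discard that state, or why only PV is affected. A one-line comment above the is_pv_vcpu() check would make the intent reviewable; as written a reader has to go and find the consumers of pending_system_time to judge whether zeroing it is safe.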
@@ -1567,6 +1576,25 @@ long do_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
         break;
     }
 
+    case VCPUOP_register_vcpu_time_phys_area:
+    {
+        struct vcpu_register_time_memory_area area;
+
+        rc = -EFAULT;
+        if ( copy_from_guest(&area.addr.p, arg, 1) )
+            break;
+
+        rc = map_guest_area(v, area.addr.p,
+                            sizeof(vcpu_time_info_t),
+                            &v->arch.time_guest_area,
+                            time_area_populate);
+        if ( rc == -ERESTART )
+            rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
+                                               cmd, vcpuid, arg);
+
+        break;
+    }
+
     case VCPUOP_get_physid:
     {
         struct vcpu_get_physid cpu_id;
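Review bot: In the new VCPUOP_register_vcpu_time_phys_area case, copy_from_guest(&area.addr.p, arg, 1) reads one addr.p-sized element into an otherwise uninitialised struct vcpu_register_time_memory_area, which is correct only as long as addr.p sits at the start of the structure the guest passes. Either copy the structure as the guest defines it or add a build-time check or comment recording that layout assumption. Nothing in this case validates the address, so the page-boundary and ~0 rules from the public header are left entirely to map_guest_area(); a short comment saying so would help.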
diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h
index e0bd28e424..619e667938 100644
--- a/xen/arch/x86/include/asm/domain.h
+++ b/xen/arch/x86/include/asm/domain.h
@@ -692,6 +692,8 @@ void domain_cpu_policy_changed(struct domain *d);
 
 bool update_secondary_system_time(struct vcpu *,
                                   struct vcpu_time_info *);
+void force_update_secondary_system_time(struct vcpu *,
+                                        struct vcpu_time_info *);
 
 void vcpu_show_registers(const struct vcpu *);
 
diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
index 332d2d79ae..73df1639a3 100644
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -1628,6 +1628,16 @@ void force_update_vcpu_system_time(struct vcpu *v)
     __update_vcpu_system_time(v, 1);
 }
 
+void force_update_secondary_system_time(struct vcpu *v,
+                                        struct vcpu_time_info *map)
+{
+    struct vcpu_time_info u;
+
+    collect_time_info(v, &u);
+    u.version = -1; /* Compensate for version_update_end(). */
+    write_time_guest_area(map, &u);
+}
+
 static void update_domain_rtc(void)
 {
     struct domain *d;
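Review bot: force_update_secondary_system_time() stores -1 into u.version with only "Compensate for version_update_end()" as explanation, so the value the guest finally observes depends on behaviour inside write_time_guest_area() that this hunk does not show. Please expand the comment to state the version the guest is expected to see after the write. The function also uses map without a check, so its contract (map must be a live mapping of a vcpu_time_info) belongs in a comment here or next to the prototype.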
diff --git a/xen/arch/x86/x86_64/domain.c b/xen/arch/x86/x86_64/domain.c
index 494b0b54e6..a02d4f569e 100644
--- a/xen/arch/x86/x86_64/domain.c
+++ b/xen/arch/x86/x86_64/domain.c
@@ -115,6 +115,7 @@ compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
 
     case VCPUOP_send_nmi:
     case VCPUOP_get_physid:
+    case VCPUOP_register_vcpu_time_phys_area:
         rc = do_vcpu_op(cmd, vcpuid, arg);
         break;
 
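Review bot: Adding VCPUOP_register_vcpu_time_phys_area to the cases that compat_vcpu_op() forwards untranslated to do_vcpu_op() is only right if a 32-bit guest's argument has the same layout as the native one for the part that is read. The native handler reads just addr.p, so this is probably fine, but a comment stating that assumption next to the case label would keep it from being broken later.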
diff --git a/xen/include/public/vcpu.h b/xen/include/public/vcpu.h
index 9dac0f9748..8fb0bd1b6c 100644
--- a/xen/include/public/vcpu.h
+++ b/xen/include/public/vcpu.h
@@ -209,6 +209,9 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_get_physid_t);
  * segment limit).  It can then apply the normal algorithm to compute
  * system time from the tsc.
  *
+ * New code wants to prefer VCPUOP_register_vcpu_time_phys_area, and only
+ * fall back to the operation here for backwards compatibility.
+ *
  * @extra_arg == pointer to vcpu_register_time_info_memory_area structure.
  */
 #define VCPUOP_register_vcpu_time_memory_area   13
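Review bot: While this comment is being touched, the @extra_arg line just below the added text refers to a vcpu_register_time_info_memory_area structure, whereas the new handler in xen/arch/x86/domain.c declares struct vcpu_register_time_memory_area. The name in the comment looks stale and could be corrected in the same change.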
@@ -235,6 +238,7 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_register_time_memory_area_t);
  * VMASST_TYPE_runstate_update_flag engaged by the domain.
  */
 #define VCPUOP_register_runstate_phys_area      14
+#define VCPUOP_register_vcpu_time_phys_area     15
 
 #endif /* __XEN_PUBLIC_VCPU_H__ */
 
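Review bot: VCPUOP_register_vcpu_time_phys_area is added directly under a comment whose visible closing lines talk about VMASST_TYPE_runstate_update_flag, which is specific to the runstate area. Give the new define its own short comment, or split the existing one so it is clear which statements apply to the time area.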
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] common: convert vCPU info area registration
Message-Id: <E1qpVCq-0001pz-VR@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:32 +0000

commit 295514ff7550626de4fb5e43b51deb25d9331cd5
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Mon Oct 2 17:11:27 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Thu Oct 5 14:10:45 2023 +0100

    common: convert vCPU info area registration
    
    Switch to using map_guest_area(). Noteworthy differences from
    map_vcpu_info():
    - remote vCPU-s are paused rather than checked for being down (which in
      principle can change right after the check),
    - the domain lock is taken for a much smaller region,
    - the error code for an attempt to re-register the area is now -EBUSY,
    - we could in principle permit de-registration when no area was
      previously registered (which would permit "probing", if necessary for
      anything).
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/include/asm/shared.h |  19 ++--
 xen/arch/x86/mm/mem_sharing.c     |  20 ++--
 xen/arch/x86/pv/shim.c            |   2 +-
 xen/arch/x86/time.c               |   2 +-
 xen/arch/x86/x86_64/asm-offsets.c |   2 +-
 xen/arch/x86/x86_64/traps.c       |   2 +-
 xen/common/compat/domain.c        |   2 +-
 xen/common/domain.c               | 204 ++++++++++++++++----------------------
 xen/include/xen/domain.h          |   3 -
 xen/include/xen/sched.h           |   5 +-
 xen/include/xen/shared.h          |   3 +-
 11 files changed, 112 insertions(+), 152 deletions(-)

diff --git a/xen/arch/x86/include/asm/shared.h b/xen/arch/x86/include/asm/shared.h
index dd3ae8c263..60b67fa4b4 100644
--- a/xen/arch/x86/include/asm/shared.h
+++ b/xen/arch/x86/include/asm/shared.h
@@ -26,17 +26,20 @@ static inline void arch_set_##field(struct domain *d,           \
 #define GET_SET_VCPU(type, field)                               \
 static inline type arch_get_##field(const struct vcpu *v)       \
 {                                                               \
+    const vcpu_info_t *vi = v->vcpu_info_area.map;              \
+                                                                \
     return !has_32bit_shinfo(v->domain) ?                       \
-           v->vcpu_info->native.arch.field :                    \
-           v->vcpu_info->compat.arch.field;                     \
+           vi->native.arch.field : vi->compat.arch.field;       \
 }                                                               \
 static inline void arch_set_##field(struct vcpu *v,             \
                                     type val)                   \
 {                                                               \
+    vcpu_info_t *vi = v->vcpu_info_area.map;                    \
+                                                                \
     if ( !has_32bit_shinfo(v->domain) )                         \
-        v->vcpu_info->native.arch.field = val;                  \
+        vi->native.arch.field = val;                            \
     else                                                        \
-        v->vcpu_info->compat.arch.field = val;                  \
+        vi->compat.arch.field = val;                            \
 }
 
 #else
@@ -57,12 +60,16 @@ static inline void arch_set_##field(struct domain *d,       \
 #define GET_SET_VCPU(type, field)                           \
 static inline type arch_get_##field(const struct vcpu *v)   \
 {                                                           \
-    return v->vcpu_info->arch.field;                        \
+    const vcpu_info_t *vi = v->vcpu_info_area.map;          \
+                                                            \
+    return vi->arch.field;                                  \
 }                                                           \
 static inline void arch_set_##field(struct vcpu *v,         \
                                     type val)               \
 {                                                           \
-    v->vcpu_info->arch.field = val;                         \
+    vcpu_info_t *vi = v->vcpu_info_area.map;                \
+                                                            \
+    vi->arch.field = val;                                   \
 }
 
 #endif
diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 445947b6a9..5217c755a2 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1705,7 +1705,6 @@ static int copy_vpmu(struct vcpu *d_vcpu, struct vcpu *cd_vcpu)
 static int copy_vcpu_settings(struct domain *cd, const struct domain *d)
 {
     unsigned int i;
-    struct p2m_domain *p2m = p2m_get_hostp2m(cd);
     int ret = -EINVAL;
     mfn_t vcpu_info_mfn;
 
@@ -1717,17 +1716,14 @@ static int copy_vcpu_settings(struct domain *cd, const struct domain *d)
         if ( !d_vcpu || !cd_vcpu )
             continue;
 
-        /* Map in the vcpu_info page if the guest uses one */
-        vcpu_info_mfn = d_vcpu->vcpu_info_mfn;
-        if ( !mfn_eq(vcpu_info_mfn, INVALID_MFN) )
-        {
-            ret = map_vcpu_info(cd_vcpu, mfn_to_gfn(d, vcpu_info_mfn),
-                                PAGE_OFFSET(d_vcpu->vcpu_info));
-            if ( ret )
-                return ret;
-        }
-
-        /* Same for the (physically registered) runstate and time info areas. */
+        /*
+         * Map the vcpu_info page and the (physically registered) runstate and
+         * time info areas.
+         */
+        ret = copy_guest_area(&cd_vcpu->vcpu_info_area,
+                              &d_vcpu->vcpu_info_area, cd_vcpu, d);
+        if ( ret )
+            return ret;
         ret = copy_guest_area(&cd_vcpu->runstate_guest_area,
                               &d_vcpu->runstate_guest_area, cd_vcpu, d);
         if ( ret )
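Review bot: With the map_vcpu_info() block removed, nothing in the visible part of copy_vcpu_settings() still uses the local mfn_t vcpu_info_mfn declared at the top of the function (the previous hunk drops p2m but keeps that declaration). If there is no later use, drop the declaration as well to avoid an unused-variable warning.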
diff --git a/xen/arch/x86/pv/shim.c b/xen/arch/x86/pv/shim.c
index f08b16bae2..81e4a0516d 100644
--- a/xen/arch/x86/pv/shim.c
+++ b/xen/arch/x86/pv/shim.c
@@ -383,7 +383,7 @@ int pv_shim_shutdown(uint8_t reason)
     for_each_vcpu ( d, v )
     {
         /* Unmap guest vcpu_info page and runstate/time areas. */
-        unmap_vcpu_info(v);
+        unmap_guest_area(v, &v->vcpu_info_area);
         unmap_guest_area(v, &v->runstate_guest_area);
         unmap_guest_area(v, &v->arch.time_guest_area);
 
diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
index 73df1639a3..d0b0986509 100644
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -1542,7 +1542,7 @@ static void __update_vcpu_system_time(struct vcpu *v, int force)
     struct vcpu_time_info *u = &vcpu_info(v, time), _u;
     const struct domain *d = v->domain;
 
-    if ( v->vcpu_info == NULL )
+    if ( !v->vcpu_info_area.map )
         return;
 
     collect_time_info(v, &_u);
diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
index fbd6c54188..57b73a4e62 100644
--- a/xen/arch/x86/x86_64/asm-offsets.c
+++ b/xen/arch/x86/x86_64/asm-offsets.c
@@ -53,7 +53,7 @@ void __dummy__(void)
 
     OFFSET(VCPU_processor, struct vcpu, processor);
     OFFSET(VCPU_domain, struct vcpu, domain);
-    OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info);
+    OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info_area.map);
     OFFSET(VCPU_trap_bounce, struct vcpu, arch.pv.trap_bounce);
     OFFSET(VCPU_thread_flags, struct vcpu, arch.flags);
     OFFSET(VCPU_event_addr, struct vcpu, arch.pv.event_callback_eip);
diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
index f4d17b4830..e03e80813e 100644
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -96,7 +96,7 @@ static void _show_registers(
     if ( context == CTXT_hypervisor )
         printk(" %pS", _p(regs->rip));
     printk("\nRFLAGS: %016lx   ", regs->rflags);
-    if ( (context == CTXT_pv_guest) && v && v->vcpu_info )
+    if ( (context == CTXT_pv_guest) && v && v->vcpu_info_area.map )
         printk("EM: %d   ", !!vcpu_info(v, evtchn_upcall_mask));
     printk("CONTEXT: %s", context_names[context]);
     if ( v && !is_idle_vcpu(v) )
diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c
index c425490535..7ff238cc26 100644
--- a/xen/common/compat/domain.c
+++ b/xen/common/compat/domain.c
@@ -49,7 +49,7 @@ int compat_common_vcpu_op(int cmd, struct vcpu *v,
     {
     case VCPUOP_initialise:
     {
-        if ( v->vcpu_info == &dummy_vcpu_info )
+        if ( v->vcpu_info_area.map == &dummy_vcpu_info )
             return -EINVAL;
 
 #ifdef CONFIG_HVM
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 486c1ae3f7..b8281d7cff 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -127,10 +127,10 @@ static void vcpu_info_reset(struct vcpu *v)
 {
     struct domain *d = v->domain;
 
-    v->vcpu_info = ((v->vcpu_id < XEN_LEGACY_MAX_VCPUS)
-                    ? (vcpu_info_t *)&shared_info(d, vcpu_info[v->vcpu_id])
-                    : &dummy_vcpu_info);
-    v->vcpu_info_mfn = INVALID_MFN;
+    v->vcpu_info_area.map =
+        ((v->vcpu_id < XEN_LEGACY_MAX_VCPUS)
+         ? (vcpu_info_t *)&shared_info(d, vcpu_info[v->vcpu_id])
+         : &dummy_vcpu_info);
 }
 
 static void vmtrace_free_buffer(struct vcpu *v)
@@ -993,7 +993,7 @@ int domain_kill(struct domain *d)
             return -ERESTART;
         for_each_vcpu ( d, v )
         {
-            unmap_vcpu_info(v);
+            unmap_guest_area(v, &v->vcpu_info_area);
             unmap_guest_area(v, &v->runstate_guest_area);
         }
         d->is_dying = DOMDYING_dead;
@@ -1448,7 +1448,7 @@ int domain_soft_reset(struct domain *d, bool resuming)
     for_each_vcpu ( d, v )
     {
         set_xen_guest_handle(runstate_guest(v), NULL);
-        unmap_vcpu_info(v);
+        unmap_guest_area(v, &v->vcpu_info_area);
         unmap_guest_area(v, &v->runstate_guest_area);
     }
 
@@ -1496,111 +1496,6 @@ int vcpu_reset(struct vcpu *v)
     return rc;
 }
 
-/*
- * Map a guest page in and point the vcpu_info pointer at it.  This
- * makes sure that the vcpu_info is always pointing at a valid piece
- * of memory, and it sets a pending event to make sure that a pending
- * event doesn't get missed.
- */
-int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned int offset)
-{
-    struct domain *d = v->domain;
-    void *mapping;
-    vcpu_info_t *new_info;
-    struct page_info *page;
-    unsigned int align;
-
-    if ( offset > (PAGE_SIZE - sizeof(*new_info)) )
-        return -ENXIO;
-
-#ifdef CONFIG_COMPAT
-    BUILD_BUG_ON(sizeof(*new_info) != sizeof(new_info->compat));
-    if ( has_32bit_shinfo(d) )
-        align = alignof(new_info->compat);
-    else
-#endif
-        align = alignof(*new_info);
-    if ( offset & (align - 1) )
-        return -ENXIO;
-
-    if ( !mfn_eq(v->vcpu_info_mfn, INVALID_MFN) )
-        return -EINVAL;
-
-    /* Run this command on yourself or on other offline VCPUS. */
-    if ( (v != current) && !(v->pause_flags & VPF_down) )
-        return -EINVAL;
-
-    page = get_page_from_gfn(d, gfn, NULL, P2M_UNSHARE);
-    if ( !page )
-        return -EINVAL;
-
-    if ( !get_page_type(page, PGT_writable_page) )
-    {
-        put_page(page);
-        return -EINVAL;
-    }
-
-    mapping = __map_domain_page_global(page);
-    if ( mapping == NULL )
-    {
-        put_page_and_type(page);
-        return -ENOMEM;
-    }
-
-    new_info = (vcpu_info_t *)(mapping + offset);
-
-    if ( v->vcpu_info == &dummy_vcpu_info )
-    {
-        memset(new_info, 0, sizeof(*new_info));
-#ifdef XEN_HAVE_PV_UPCALL_MASK
-        __vcpu_info(v, new_info, evtchn_upcall_mask) = 1;
-#endif
-    }
-    else
-    {
-        memcpy(new_info, v->vcpu_info, sizeof(*new_info));
-    }
-
-    v->vcpu_info = new_info;
-    v->vcpu_info_mfn = page_to_mfn(page);
-
-    /* Set new vcpu_info pointer /before/ setting pending flags. */
-    smp_wmb();
-
-    /*
-     * Mark everything as being pending just to make sure nothing gets
-     * lost.  The domain will get a spurious event, but it can cope.
-     */
-#ifdef CONFIG_COMPAT
-    if ( !has_32bit_shinfo(d) )
-        write_atomic(&new_info->native.evtchn_pending_sel, ~0);
-    else
-#endif
-        write_atomic(&vcpu_info(v, evtchn_pending_sel), ~0);
-    vcpu_mark_events_pending(v);
-
-    return 0;
-}
-
-/*
- * Unmap the vcpu info page if the guest decided to place it somewhere
- * else. This is used from domain_kill() and domain_soft_reset().
- */
-void unmap_vcpu_info(struct vcpu *v)
-{
-    mfn_t mfn = v->vcpu_info_mfn;
-
-    if ( mfn_eq(mfn, INVALID_MFN) )
-        return;
-
-    unmap_domain_page_global((void *)
-                             ((unsigned long)v->vcpu_info & PAGE_MASK));
-
-    vcpu_info_reset(v); /* NB: Clobbers v->vcpu_info_mfn */
-
-    put_page_and_type(mfn_to_page(mfn));
-}
-
 int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
                    struct guest_area *area,
                    void (*populate)(void *dst, struct vcpu *v))
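Review bot: The removed map_vcpu_info() returned -ENXIO for an offset that would run past the page or that was misaligned for the guest's vcpu_info layout, and refused pages that could not take PGT_writable_page; none of the replacement checks are visible in this patch, and the commit message lists only the -EBUSY change among the error-code differences. Please confirm map_guest_area() enforces the same alignment (including the compat case) and writability, and mention in the commit message any other return values a guest will now see.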
@@ -1662,14 +1557,44 @@ int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
 
     domain_lock(d);
 
-    if ( map && populate )
-        populate(map, v);
+    /* No re-registration of the vCPU info area. */
+    if ( area != &v->vcpu_info_area || !area->pg )
+    {
+        if ( map && populate )
+            populate(map, v);
 
-    SWAP(area->pg, pg);
-    SWAP(area->map, map);
+        SWAP(area->pg, pg);
+        SWAP(area->map, map);
+    }
+    else
+        rc = -EBUSY;
 
     domain_unlock(d);
 
+    /* Set pending flags /after/ new vcpu_info pointer was set. */
+    if ( area == &v->vcpu_info_area && !rc )
+    {
+        /*
+         * Mark everything as being pending just to make sure nothing gets
+         * lost.  The domain will get a spurious event, but it can cope.
+         */
+#ifdef CONFIG_COMPAT
+        if ( !has_32bit_shinfo(d) )
+        {
+            vcpu_info_t *info = area->map;
+
+            /* For VCPUOP_register_vcpu_info handling in common_vcpu_op(). */
+            BUILD_BUG_ON(sizeof(*info) != sizeof(info->compat));
+            write_atomic(&info->native.evtchn_pending_sel, ~0);
+        }
+        else
+#endif
+            write_atomic(&vcpu_info(v, evtchn_pending_sel), ~0);
+        vcpu_mark_events_pending(v);
+
+        force_update_vcpu_system_time(v);
+    }
+
     if ( v != current )
         vcpu_unpause(v);
 
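Review bot: The block added after domain_unlock() dereferences area->map (for example write_atomic(&info->native.evtchn_pending_sel, ~0)) whenever area is the vCPU info area and rc is 0, which is safe only because the caller in common_vcpu_op() rejects ~0 before getting here; the function itself still allows a NULL map, as the "map && populate" test shows. An ASSERT(area->map) or an explicit check in that block would keep a future unregister path from turning this into a NULL dereference. The removed map_vcpu_info() also had an smp_wmb() between publishing the pointer and setting the pending bits; a comment saying what provides that ordering now would be welcome.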
@@ -1699,7 +1624,10 @@ void unmap_guest_area(struct vcpu *v, struct guest_area *area)
 
     domain_lock(d);
     map = area->map;
-    area->map = NULL;
+    if ( area == &v->vcpu_info_area )
+        vcpu_info_reset(v);
+    else
+        area->map = NULL;
     pg = area->pg;
     area->pg = NULL;
     domain_unlock(d);
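Review bot: The new special case calls vcpu_info_reset(v) instead of clearing area->map, so after unmapping the vCPU info area the map field points at the shared_info slot or dummy_vcpu_info while area->pg is NULL. That invariant (map never NULL for this area, pg telling whether a guest registration exists) is what the rest of the patch relies on, and it deserves a comment here or at the struct vcpu field.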
@@ -1830,6 +1758,27 @@ bool update_runstate_area(struct vcpu *v)
     return rc;
 }
 
+/*
+ * This makes sure that the vcpu_info is always pointing at a valid piece of
+ * memory, and it sets a pending event to make sure that a pending event
+ * doesn't get missed.
+ */
+static void cf_check
+vcpu_info_populate(void *map, struct vcpu *v)
+{
+    vcpu_info_t *info = map;
+
+    if ( v->vcpu_info_area.map == &dummy_vcpu_info )
+    {
+        memset(info, 0, sizeof(*info));
+#ifdef XEN_HAVE_PV_UPCALL_MASK
+        __vcpu_info(v, info, evtchn_upcall_mask) = 1;
+#endif
+    }
+    else
+        memcpy(info, v->vcpu_info_area.map, sizeof(*info));
+}
+
 static void cf_check
 runstate_area_populate(void *map, struct vcpu *v)
 {
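Review bot: The comment above vcpu_info_populate() was carried over from map_vcpu_info() and still says the function "sets a pending event", but the body only zeroes or copies the vcpu_info contents; the pending bits are now set in map_guest_area(). Please trim the comment to what this function does.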
@@ -1859,7 +1808,7 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
     switch ( cmd )
     {
     case VCPUOP_initialise:
-        if ( v->vcpu_info == &dummy_vcpu_info )
+        if ( v->vcpu_info_area.map == &dummy_vcpu_info )
             return -EINVAL;
 
         rc = arch_initialise_vcpu(v, arg);
@@ -1990,16 +1939,29 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
     case VCPUOP_register_vcpu_info:
     {
         struct vcpu_register_vcpu_info info;
+        paddr_t gaddr;
 
         rc = -EFAULT;
         if ( copy_from_guest(&info, arg, 1) )
             break;
 
-        domain_lock(d);
-        rc = map_vcpu_info(v, info.mfn, info.offset);
-        domain_unlock(d);
+        rc = -EINVAL;
+        gaddr = gfn_to_gaddr(_gfn(info.mfn)) + info.offset;
+        if ( !~gaddr ||
+             gfn_x(gaddr_to_gfn(gaddr)) != info.mfn )
+            break;
 
-        force_update_vcpu_system_time(v);
+        /* Preliminary check only; see map_guest_area(). */
+        rc = -EBUSY;
+        if ( v->vcpu_info_area.pg )
+            break;
+
+        /* See the BUILD_BUG_ON() in vcpu_info_populate(). */
+        rc = map_guest_area(v, gaddr, sizeof(vcpu_info_t),
+                            &v->vcpu_info_area, vcpu_info_populate);
+        if ( rc == -ERESTART )
+            rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
+                                               cmd, vcpuid, arg);
 
         break;
     }
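Review bot: The comment "See the BUILD_BUG_ON() in vcpu_info_populate()" points at the wrong place: in this patch the BUILD_BUG_ON(sizeof(*info) != sizeof(info->compat)) sits in map_guest_area(), and vcpu_info_populate() contains none. Please fix the reference, or move the assertion to where the comment says it is.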
diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h
index a6b22fa2ca..54d88bf5e3 100644
--- a/xen/include/xen/domain.h
+++ b/xen/include/xen/domain.h
@@ -80,9 +80,6 @@ void cf_check free_pirq_struct(void *);
 int  arch_vcpu_create(struct vcpu *v);
 void arch_vcpu_destroy(struct vcpu *v);
 
-int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned int offset);
-void unmap_vcpu_info(struct vcpu *v);
-
 int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
                    struct guest_area *area,
                    void (*populate)(void *dst, struct vcpu *v));
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 6e1028785d..3609ef88c4 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -176,7 +176,7 @@ struct vcpu
 
     int              processor;
 
-    vcpu_info_t     *vcpu_info;
+    struct guest_area vcpu_info_area;
 
     struct domain   *domain;
 
@@ -289,9 +289,6 @@ struct vcpu
 
     struct waitqueue_vcpu *waitqueue_vcpu;
 
-    /* Guest-specified relocation of vcpu_info. */
-    mfn_t            vcpu_info_mfn;
-
     struct evtchn_fifo_vcpu *evtchn_fifo;
 
     /* vPCI per-vCPU area, used to store data for long running operations. */
diff --git a/xen/include/xen/shared.h b/xen/include/xen/shared.h
index a411a8a3e3..5b71342cab 100644
--- a/xen/include/xen/shared.h
+++ b/xen/include/xen/shared.h
@@ -44,6 +44,7 @@ typedef struct vcpu_info vcpu_info_t;
 extern vcpu_info_t dummy_vcpu_info;
 
 #define shared_info(d, field)      __shared_info(d, (d)->shared_info, field)
-#define vcpu_info(v, field)        __vcpu_info(v, (v)->vcpu_info, field)
+#define vcpu_info(v, field)        \
+        __vcpu_info(v, (vcpu_info_t *)(v)->vcpu_info_area.map, field)
 
 #endif /* __XEN_SHARED_H__ */
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:44 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] arm/ioreq: guard interaction data on read/write operations
Message-Id: <E1qpVD1-0001qS-28@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:43 +0000

commit 01343f99de858c7e24bcfcb4ad4fc584559bcc08
Author:     Andrii Chepurnyi <Andrii_Chepurnyi@epam.com>
AuthorDate: Thu Oct 5 13:30:14 2023 +0000
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Fri Oct 6 13:35:25 2023 +0100

    arm/ioreq: guard interaction data on read/write operations
    
    For read operations, there's a potential issue when the data field
    of the ioreq struct is partially updated in the response. To address
    this, zero the data field during read operations. This modification
    serves as a safeguard against implementations that may inadvertently
    partially update the data field in response to read requests.
    For instance, consider an 8-bit read operation. In such cases, QEMU
    returns the same content of the data field with only 8 bits of
    updated data. This behavior could potentially result in the
    propagation of incorrect or unintended data to ioreq clients.
    During a write access, the Device Model only needs to know the content
    of the bits associated with the access size (e.g. for 8-bit, the lower
    8 bits). During a read access, the Device Model doesn't need to know any
    value. So restrict the value it can access.
    
    Signed-off-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
---
 xen/arch/arm/ioreq.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/ioreq.c b/xen/arch/arm/ioreq.c
index 3bed0a14c0..5df755b48b 100644
--- a/xen/arch/arm/ioreq.c
+++ b/xen/arch/arm/ioreq.c
@@ -17,6 +17,8 @@ enum io_state handle_ioserv(struct cpu_user_regs *regs, struct vcpu *v)
 {
     const union hsr hsr = { .bits = regs->hsr };
     const struct hsr_dabt dabt = hsr.dabt;
+    const uint8_t access_size = (1U << dabt.size) * 8;
+    const uint64_t access_mask = GENMASK_ULL(access_size - 1, 0);
     /* Code is similar to handle_read */
     register_t r = v->io.req.data;
 
@@ -26,6 +28,12 @@ enum io_state handle_ioserv(struct cpu_user_regs *regs, struct vcpu *v)
     if ( dabt.write )
         return IO_HANDLED;
 
+    /*
+     * The Arm Arm requires the value to be zero-extended to the size
+     * of the register. The Device Model is not meant to touch the bits
+     * outside of the access size, but let's not trust that.
+     */
+    r &= access_mask;
     r = sign_extend(dabt, r);
 
     set_user_reg(regs, dabt.reg, r);
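Review bot: the new comment above `r &= access_mask;` only talks about zero-extension, yet the very next statement is `r = sign_extend(dabt, r);`. A sentence saying that the mask is applied first, so that any later sign extension starts from bits inside the access size, would make the ordering clearly intentional. Note also that `r` is a `register_t` while `access_mask` is `uint64_t`; the result is converted back on assignment, which is harmless here but worth a glance wherever `register_t` is narrower than 64 bits.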
@@ -39,6 +47,8 @@ enum io_state try_fwd_ioserv(struct cpu_user_regs *regs,
     struct vcpu_io *vio = &v->io;
     const struct instr_details instr = info->dabt_instr;
     struct hsr_dabt dabt = info->dabt;
+    const uint8_t access_size = (1U << dabt.size) * 8;
+    const uint64_t access_mask = GENMASK_ULL(access_size - 1, 0);
     ioreq_t p = {
         .type = IOREQ_TYPE_COPY,
         .addr = info->gpa,
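Review bot: the `access_size` / `access_mask` pair added at the top of try_fwd_ioserv() is a verbatim copy of the two lines added to handle_ioserv() in the first hunk. A small static helper that takes the `hsr_dabt` and returns the mask would keep the two call sites from drifting apart. `access_size` has no other use in the lines shown, so it could be folded into that helper, and a short comment that `(1U << dabt.size) * 8` is the access width in bits would help the next reader.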
@@ -80,7 +90,13 @@ enum io_state try_fwd_ioserv(struct cpu_user_regs *regs,
 
     ASSERT(dabt.valid);
 
-    p.data = get_user_reg(regs, info->dabt.reg);
+    /*
+     * During a write access, the Device Model only need to know the content
+     * of the bits associated with the access size (e.g. for 8-bit, the lower 8-bits).
+     * During a read access, the Device Model don't need to know any value.
+     * So restrict the value it can access.
+     */
+    p.data = p.dir ? 0 : get_user_reg(regs, info->dabt.reg) & access_mask;
     vio->req = p;
     vio->suspended = false;
     vio->info.dabt_instr = instr;
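Review bot: in `p.data = p.dir ? 0 : get_user_reg(regs, info->dabt.reg) & access_mask;` the read/write decision rests on the truth value of `p.dir`, while the comment above it speaks of read and write accesses. Comparing `p.dir` against the named direction constant, or testing `dabt.write` as handle_ioserv() does, would make the intent explicit, and parentheses around the `&` operand would save the reader from checking its precedence against `?:`. The second line of the new comment also runs past 80 columns.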
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:56:54 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: fix misaligned unmap address in {,un}map_guest_area()
Message-Id: <E1qpVDB-0001qr-6m@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:56:53 +0000

commit 6ba83845924723f3b354a30f29a3ae18d713d5de
Author:     Roger Pau Monné <roger.pau@citrix.com>
AuthorDate: Fri Oct 6 15:00:58 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Oct 6 18:16:31 2023 +0100

    domain: fix misaligned unmap address in {,un}map_guest_area()
    
    unmap_domain_page_global() expects the provided address to be page aligned, or
    else some of the called functions will trigger assertions, like
    modify_xen_mappings() on x86 or destroy_xen_mappings() on Arm.
    
    The following assert has been reported by osstest arm 32bit tests:
    
      (XEN) Assertion 'IS_ALIGNED(s, PAGE_SIZE)' failed at arch/arm/mm.c:1243
      (XEN) ----[ Xen-4.18-rc  arm32  debug=y  Not tainted ]----
      (XEN) CPU:    0
      (XEN) PC:     00271a38 destroy_xen_mappings+0x50/0x5c
      [...]
      (XEN) Xen call trace:
      (XEN)    [<00271a38>] destroy_xen_mappings+0x50/0x5c (PC)
      (XEN)    [<00235aa8>] vunmap+0x30/0x1a0 (LR)
      (XEN)    [<0026ad88>] unmap_domain_page_global+0x10/0x20
      (XEN)    [<00208e38>] unmap_guest_area+0x90/0xec
      (XEN)    [<00208f98>] domain_kill+0x104/0x180
      (XEN)    [<00239e3c>] do_domctl+0x8ac/0x14fc
      (XEN)    [<0027ae34>] do_trap_guest_sync+0x570/0x66c
      (XEN)    [<002019f0>] arch/arm/arm32/entry.o#return_from_trap+0/0x4
    
    Fixes: eadc288cbb0d ('domain: map/unmap GADDR based shared guest areas')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
---
 xen/common/domain.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/common/domain.c b/xen/common/domain.c
index b8281d7cff..1468638ade 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1601,7 +1601,7 @@ int map_guest_area(struct vcpu *v, paddr_t gaddr, unsigned int size,
  unmap:
     if ( pg )
     {
-        unmap_domain_page_global(map);
+        unmap_domain_page_global((void *)((unsigned long)map & PAGE_MASK));
         put_page_and_type(pg);
     }
 
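Review bot: the cast-and-mask in `unmap_domain_page_global((void *)((unsigned long)map & PAGE_MASK));` carries no comment saying why `map` may be unaligned at this point. One line stating that `map` can hold an address that is not on a page boundary, and that unmap_domain_page_global() needs the page-aligned base, would stop a later cleanup from removing the mask as redundant.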
@@ -1634,7 +1634,7 @@ void unmap_guest_area(struct vcpu *v, struct guest_area *area)
 
     if ( pg )
     {
-        unmap_domain_page_global(map);
+        unmap_domain_page_global((void *)((unsigned long)map & PAGE_MASK));
         put_page_and_type(pg);
     }
 }
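Review bot: unmap_guest_area() now repeats the exact expression added to the unmap path of map_guest_area() in the previous hunk. Since the commit message says unmap_domain_page_global() trips assertions on unaligned input on both x86 and Arm, a shared local helper for these two callers (or a named macro for the round-down) would keep them in step and give the alignment requirement one documented home.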
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:57:04 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] domain: expose newly introduced hypercalls as XENFEAT
Message-Id: <E1qpVDL-0001t3-BF@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:57:03 +0000

commit 48a3fd14327fba9692bc458825de8328c6faa399
Author:     Roger Pau Monné <roger.pau@citrix.com>
AuthorDate: Fri Oct 6 15:00:59 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Oct 6 18:16:31 2023 +0100

    domain: expose newly introduced hypercalls as XENFEAT
    
    XENFEAT_runstate_phys_area is exposed to all architectures, while
    XENFEAT_vcpu_time_phys_area is currently only implemented for x86, and hence
    the feature flag is also only exposed on x86.
    
    Additionally add dummy guards with TODOs in the respective hypercall
    implementations, to signal the intention to control the availability of those
    hypercalls on a guest-by-guest basis from the toolstack.
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 CHANGELOG.md                  | 2 ++
 xen/arch/x86/domain.c         | 4 ++++
 xen/common/domain.c           | 4 ++++
 xen/common/kernel.c           | 6 +++++-
 xen/include/public/features.h | 9 +++++++++
 xen/include/public/vcpu.h     | 3 +++
 6 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e33cf4e1b1..47ea9e2754 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
  - Add Intel Hardware P-States (HWP) cpufreq driver.
  - On Arm, experimental support for dynamic addition/removal of Xen device tree
    nodes using a device tree overlay binary (.dtbo).
+ - Introduce two new hypercalls to map the vCPU runstate and time areas by
+   physical rather than linear/virtual addresses.
 
 ### Removed
  - On x86, the "pku" command line option has been removed.  It has never
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 8e0af22781..8d3d52034a 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1580,6 +1580,10 @@ long do_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
     {
         struct vcpu_register_time_memory_area area;
 
+        rc = -ENOSYS;
+        if ( 0 /* TODO: Dom's XENFEAT_vcpu_time_phys_area setting */ )
+            break;
+
         rc = -EFAULT;
         if ( copy_from_guest(&area.addr.p, arg, 1) )
             break;
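Review bot: the placeholder guard `if ( 0 /* TODO: ... */ )` is a constant-false condition, so its `break` is unreachable and the `rc = -ENOSYS;` store is overwritten by `rc = -EFAULT;` two lines later. Static analysis is likely to report both the dead branch and the dead store. Until the per-domain setting exists, a plain TODO comment would record the intention without adding code that cannot execute; if the guard stays, say in the comment which error the guest should expect once it becomes live.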
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 1468638ade..8f9ab01c0c 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1998,6 +1998,10 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg)
     {
         struct vcpu_register_runstate_memory_area area;
 
+        rc = -ENOSYS;
+        if ( 0 /* TODO: Dom's XENFEAT_runstate_phys_area setting */ )
+            break;
+
         rc = -EFAULT;
         if ( copy_from_guest(&area.addr.p, arg, 1) )
             break;
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 52aa287627..b6302e44b3 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -607,7 +607,11 @@ long do_xen_version(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         switch ( fi.submap_idx )
         {
         case 0:
-            fi.submap = (1U << XENFEAT_memory_op_vnode_supported);
+            fi.submap = (1U << XENFEAT_memory_op_vnode_supported) |
+#ifdef CONFIG_X86
+                        (1U << XENFEAT_vcpu_time_phys_area) |
+#endif
+                        (1U << XENFEAT_runstate_phys_area);
             if ( VM_ASSIST(d, pae_extended_cr3) )
                 fi.submap |= (1U << XENFEAT_pae_pgdir_above_4gb);
             if ( paging_mode_translate(d) )
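Review bot: both new bits are OR-ed into `fi.submap` unconditionally for every domain, while the matching hypercall guards elsewhere in this patch are still `if ( 0 ... )` TODOs. When the per-domain control lands, this advertisement has to be gated on the same setting, otherwise a guest can see the feature bit and still be refused the hypercall; a TODO next to the bits would record that dependency. The `#ifdef CONFIG_X86` spliced into the middle of the expression is also easy to break when editing; a separate `fi.submap |= ...` statement under the `#ifdef` would be more robust.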
diff --git a/xen/include/public/features.h b/xen/include/public/features.h
index d2a9175aae..36936f6a4e 100644
--- a/xen/include/public/features.h
+++ b/xen/include/public/features.h
@@ -111,6 +111,15 @@
 #define XENFEAT_not_direct_mapped         16
 #define XENFEAT_direct_mapped             17
 
+/*
+ * Signal whether the domain is able to use the following hypercalls:
+ *
+ * VCPUOP_register_runstate_phys_area
+ * VCPUOP_register_vcpu_time_phys_area
+ */
+#define XENFEAT_runstate_phys_area	  18
+#define XENFEAT_vcpu_time_phys_area	  19
+
 #define XENFEAT_NR_SUBMAPS 1
 
 #endif /* __XEN_PUBLIC_FEATURES_H__ */
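Review bot: the two new `#define` lines separate name and value with a tab followed by spaces, whereas the neighbouring XENFEAT_not_direct_mapped and XENFEAT_direct_mapped lines use spaces only, so the values will not line up at other tab widths. The comment would also be more useful if it paired each feature bit with its hypercall and noted that XENFEAT_vcpu_time_phys_area is only advertised on x86, as the commit message states.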
diff --git a/xen/include/public/vcpu.h b/xen/include/public/vcpu.h
index 8fb0bd1b6c..f7445ac0b0 100644
--- a/xen/include/public/vcpu.h
+++ b/xen/include/public/vcpu.h
@@ -236,6 +236,9 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_register_time_memory_area_t);
  * Note that the area registered via VCPUOP_register_runstate_memory_area will
  * be updated in the same manner as the one registered via virtual address PLUS
  * VMASST_TYPE_runstate_update_flag engaged by the domain.
+ *
+ * XENFEAT_{runstate,vcpu_time}_phys_area feature bits signal the availability
+ * of these ops.
  */
 #define VCPUOP_register_runstate_phys_area      14
 #define VCPUOP_register_vcpu_time_phys_area     15
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:57:15 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/memshr: Fix build in copy_vcpu_settings()
Message-Id: <E1qpVDV-0001tU-EH@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:57:13 +0000

commit baf5d78766718a6c0a0b0dc9910c34977b7023a0
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Fri Oct 6 14:53:20 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Oct 6 18:16:31 2023 +0100

    x86/memshr: Fix build in copy_vcpu_settings()
    
    The last user of this variable was dropped.
    
    Fixes: 295514ff7550 ("common: convert vCPU info area registration")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/mm/mem_sharing.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 5217c755a2..94b6b782ef 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1706,7 +1706,6 @@ static int copy_vcpu_settings(struct domain *cd, const struct domain *d)
 {
     unsigned int i;
     int ret = -EINVAL;
-    mfn_t vcpu_info_mfn;
 
     for ( i = 0; i < cd->max_vcpus; i++ )
     {
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sun Oct 08 14:57:25 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/xenpvboot: remove as unable to convert to Python 3
Message-Id: <E1qpVDf-0001tt-H1@xenbits.xenproject.org>
Date: Sun, 08 Oct 2023 14:57:23 +0000

commit ffa1437686712045953c33c5e77a4ebdd9973916
Author:     Roger Pau Monné <roger.pau@citrix.com>
AuthorDate: Fri Oct 6 16:50:46 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Oct 6 18:17:42 2023 +0100

    tools/xenpvboot: remove as unable to convert to Python 3
    
    The script heavily relies on the urlgrabber python module, which doesn't seem
    to be packaged by all distros; it's missing from newer Debian versions at
    least.
    
    Also the usage of the commands module has been deprecated since Python 2.6, and
    removed in Python 3, so the code would need to be re-written to not rely on
    urlgrabber and the commands modules.
    
    Arguably the purpose of the xenpvnetboot bootloader can also be achieved with
    an isolated script that fetches the kernel and ramdisk before attempting to
    launch the domain, without having to run in libxl context.  There are no xl.cfg
    options consumed by the bootloader apart from the base location and the
    subpaths of the kernel and ramdisk to fetch.
    
    Any interested parties in keeping such functionality are free to submit an
    updated script that works with Python 3.
    
    Resolves: xen-project/xen#172
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 CHANGELOG.md            |   1 +
 tools/misc/Makefile     |   8 +-
 tools/misc/xenpvnetboot | 291 ------------------------------------------------
 3 files changed, 2 insertions(+), 298 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47ea9e2754..165c5caf9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
  - On x86, the "pku" command line option has been removed.  It has never
    behaved precisely as described, and was redundant with the unsupported
    "cpuid=no-pku".  Visibility of PKU to guests should be via its vm.cfg file.
+ - xenpvnetboot removed as unable to convert to Python 3.
 
 ## [4.17.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.17.0) - 2022-12-12
 
diff --git a/tools/misc/Makefile b/tools/misc/Makefile
index 233a7948c0..66d0d6b090 100644
--- a/tools/misc/Makefile
+++ b/tools/misc/Makefile
@@ -36,15 +36,11 @@ INSTALL_SBIN                   += xen-livepatch
 INSTALL_SBIN                   += xen-diag
 INSTALL_SBIN += $(INSTALL_SBIN-y)
 
-# Everything to be installed in a private bin/
-INSTALL_PRIVBIN                += xenpvnetboot
-
 # Everything to be installed
-TARGETS_ALL := $(INSTALL_BIN) $(INSTALL_SBIN) $(INSTALL_PRIVBIN)
+TARGETS_ALL := $(INSTALL_BIN) $(INSTALL_SBIN)
 
 # Everything which only needs copying to install
 TARGETS_COPY += xencov_split
-TARGETS_COPY += xenpvnetboot
 
 # Everything which needs to be built
 TARGETS := $(filter-out $(TARGETS_COPY),$(TARGETS_ALL))
@@ -59,11 +55,9 @@ install: all
 	$(INSTALL_DIR) $(DESTDIR)$(LIBEXEC_BIN)
 	$(INSTALL_PYTHON_PROG) $(INSTALL_BIN) $(DESTDIR)$(bindir)
 	$(INSTALL_PYTHON_PROG) $(INSTALL_SBIN) $(DESTDIR)$(sbindir)
-	$(INSTALL_PYTHON_PROG) $(INSTALL_PRIVBIN) $(DESTDIR)$(LIBEXEC_BIN)
 
 .PHONY: uninstall
 uninstall:
-	rm -f $(addprefix $(DESTDIR)$(LIBEXEC_BIN)/, $(INSTALL_PRIVBIN))
 	rm -f $(addprefix $(DESTDIR)$(sbindir)/, $(INSTALL_SBIN))
 	rm -f $(addprefix $(DESTDIR)$(bindir)/, $(INSTALL_BIN))
 
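Review bot: the install rule still runs `$(INSTALL_DIR) $(DESTDIR)$(LIBEXEC_BIN)` although this hunk removes the only line in the rule that installed anything into that directory. If nothing else in this Makefile uses LIBEXEC_BIN, drop the directory creation as well so the install target does not leave an empty directory behind.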
diff --git a/tools/misc/xenpvnetboot b/tools/misc/xenpvnetboot
deleted file mode 100755
index be972b9e19..0000000000
--- a/tools/misc/xenpvnetboot
+++ /dev/null
@@ -1,291 +0,0 @@
-#!/usr/bin/env python
-#
-# Copyright (C) 2010 Oracle. All rights reserved.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License as published by the Free Software
-# Foundation, version 2.  This program is distributed in the hope that it will be
-# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-# Public License for more details.  You should have received a copy of the GNU
-# General Public License along with this program; If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import os
-import stat
-import time
-import string
-import random
-import tempfile
-import commands
-import subprocess
-import urlgrabber
-from optparse import OptionParser
-
-
-XEN_PATHS = [
-    ('images/xen/vmlinuz', 'images/xen/initrd.img'), # Fedora <= 10 and OL = 5
-    ('boot/i386/vmlinuz-xen', 'boot/i386/initrd-xen'), # openSUSE >= 10.2 and SLES >= 10
-    ('boot/x86_64/vmlinuz-xen', 'boot/x86_64/initrd-xen'), # openSUSE >= 10.2 and SLES >= 10
-    ('current/images/netboot/xen/vmlinuz', 'current/images/netboot/xen/initrd.gz'), # Debian
-    ('images/pxeboot/vmlinuz', 'images/pxeboot/initrd.img'), # Fedora >=10 and OL >= 6
-    ('isolinux/vmlinuz', 'isolinux/initrd.img'), # Fedora >= 10 and OL >= 6
-]
-
-
-def format_sxp(kernel, ramdisk, args):
-    s = 'linux (kernel %s)' % kernel
-    if ramdisk:
-        s += '(ramdisk %s)' % ramdisk
-    if args:
-        s += '(args "%s")' % args
-    return s
-
-
-def format_simple(kernel, ramdisk, args, sep):
-    s = ('kernel %s' % kernel) + sep
-    if ramdisk:
-        s += ('ramdisk %s' % ramdisk) + sep
-    if args:
-        s += ('args %s' % args) + sep
-    s += sep
-    return s
-
-
-def mount(dev, path, option=''):
-    if os.uname()[0] == 'SunOS':
-        mountcmd = '/usr/sbin/mount'
-    else:
-        mountcmd = '/bin/mount'
-    cmd = ' '.join([mountcmd, option, dev, path])
-    (status, output) = commands.getstatusoutput(cmd)
-    if status != 0:
-        raise RuntimeError('Command: (%s) failed: (%s) %s' % (cmd, status, output))
-
-
-def umount(path):
-    if os.uname()[0] == 'SunOS':
-        cmd = ['/usr/sbin/umount', path]
-    else:
-        cmd = ['/bin/umount', path]
-    subprocess.call(cmd)
-
-
-class Fetcher:
-    def __init__(self, location, tmpdir):
-        self.location = location
-        self.tmpdir = tmpdir
-        self.srcdir = location
-
-    def prepare(self):
-        if not os.path.exists(self.tmpdir):
-            os.makedirs(self.tmpdir, 0750)
-
-    def cleanup(self):
-        pass
-
-    def get_file(self, filename):
-        url = os.path.join(self.srcdir, filename)
-        suffix = ''.join(random.sample(string.ascii_letters, 6))
-        local_name = os.path.join(self.tmpdir, 'xenpvboot.%s.%s' % (os.path.basename(filename), suffix))
-        try:
-            return urlgrabber.urlgrab(url, local_name, copy_local=1)
-        except Exception, err:
-            raise RuntimeError('Cannot get file %s: %s' % (url, err))
-
-
-class MountedFetcher(Fetcher):
-    def prepare(self):
-        Fetcher.prepare(self)
-        self.srcdir = tempfile.mkdtemp(prefix='xenpvboot.', dir=self.tmpdir)
-        if self.location.startswith('nfs:'):
-            mount(self.location[4:], self.srcdir, '-o ro')
-        else:
-            if stat.S_ISBLK(os.stat(self.location)[stat.ST_MODE]):
-                option = '-o ro'
-            else:
-                option = '-o ro,loop'
-            if os.uname()[0] == 'SunOS':
-                option += ' -F hsfs'
-            mount(self.location, self.srcdir, option)
-
-    def cleanup(self):
-        umount(self.srcdir)
-        try:
-            os.rmdir(self.srcdir)
-        except:
-            pass
-
-
-class NFSISOFetcher(MountedFetcher):
-    def __init__(self, location, tmpdir):
-        self.nfsdir = None
-        MountedFetcher.__init__(self, location, tmpdir)
-
-    def prepare(self):
-        Fetcher.prepare(self)
-        self.nfsdir = tempfile.mkdtemp(prefix='xenpvboot.', dir=self.tmpdir)
-        self.srcdir = tempfile.mkdtemp(prefix='xenpvboot.', dir=self.tmpdir)
-        nfs = os.path.dirname(self.location[8:])
-        iso = os.path.basename(self.location[8:])
-        mount(nfs, self.nfsdir, '-o ro')
-        option = '-o ro,loop'
-        if os.uname()[0] == 'SunOS':
-            option += ' -F hsfs'
-        mount(os.path.join(self.nfsdir, iso), self.srcdir, option)
-
-    def cleanup(self):
-        MountedFetcher.cleanup(self)
-        time.sleep(1)
-        umount(self.nfsdir)
-        try:
-            os.rmdir(self.nfsdir)
-        except:
-            pass
-
-
-class TFTPFetcher(Fetcher):
-    def get_file(self, filename):
-        if '/' in self.location[7:]:
-            host = self.location[7:].split('/', 1)[0].replace(':', ' ')
-            basedir = self.location[7:].split('/', 1)[1]
-        else:
-            host = self.location[7:].replace(':', ' ')
-            basedir = ''
-        suffix = ''.join(random.sample(string.ascii_letters, 6))
-        local_name = os.path.join(self.tmpdir, 'xenpvboot.%s.%s' % (os.path.basename(filename), suffix))
-        cmd = '/usr/bin/tftp %s -c get %s %s' % (host, os.path.join(basedir, filename), local_name)
-        (status, output) = commands.getstatusoutput(cmd)
-        if status != 0:
-            raise RuntimeError('Command: (%s) failed: (%s) %s' % (cmd, status, output))
-        return local_name
-
-
-def main():
-    usage = '''%prog [option]
-
-Get boot images from the given location and prepare for Xen to use.
-
-Supported locations:
-
- - http://host/path
- - https://host/path
- - ftp://host/path
- - file:///path
- - tftp://host/path
- - nfs:host:/path
- - /path
- - /path/file.iso
- - /path/filesystem.img
- - /dev/sda1
- - nfs+iso:host:/path/file.iso
- - nfs+iso:host:/path/filesystem.img'''
-    version = '%prog version 0.1'
-    parser = OptionParser(usage=usage, version=version)
-    parser.add_option('', '--location',
-                      help='The base url for kernel and ramdisk files.')
-    parser.add_option('', '--kernel',
-                      help='The kernel image file.')
-    parser.add_option('', '--ramdisk',
-                      help='The initial ramdisk file.')
-    parser.add_option('', '--args',
-                      help='Arguments pass to the kernel.')
-    parser.add_option('', '--output',
-                      help='Redirect output to this file instead of stdout.')
-    parser.add_option('', '--output-directory', default='/var/run/libxl',
-                      help='Output directory.')
-    parser.add_option('', '--output-format', default='sxp',
-                      help='Output format: sxp, simple or simple0.')
-    parser.add_option('-q', '--quiet', action='store_true',
-                      help='Be quiet.')
-    (opts, args) = parser.parse_args()
-
-    if not opts.location and not opts.kernel and not opts.ramdisk:
-        if not opts.quiet:
-            print >> sys.stderr, 'You should at least specify a location or kernel/ramdisk.'
-            parser.print_help(sys.stderr)
-        sys.exit(1)
-
-    if not opts.output or opts.output == '-':
-        fd = sys.stdout.fileno()
-    else:
-        fd = os.open(opts.output, os.O_WRONLY)
-
-    if opts.location:
-        location = opts.location
-    else:
-        location = ''
-    if (location == ''
-        or location.startswith('http://') or location.startswith('https://')
-        or location.startswith('ftp://') or location.startswith('file://')
-        or (os.path.exists(location) and os.path.isdir(location))):
-        fetcher = Fetcher(location, opts.output_directory)
-    elif location.startswith('nfs:') or (os.path.exists(location) and not os.path.isdir(location)):
-        fetcher = MountedFetcher(location, opts.output_directory)
-    elif location.startswith('nfs+iso:'):
-        fetcher = NFSISOFetcher(location, opts.output_directory)
-    elif location.startswith('tftp://'):
-        fetcher = TFTPFetcher(location, opts.output_directory)
-    else:
-        if not opts.quiet:
-            print >> sys.stderr, 'Unsupported location: %s' % location
-        sys.exit(1)
-
-    try:
-        fetcher.prepare()
-    except Exception, err:
-        if not opts.quiet:
-            print >> sys.stderr, str(err)
-        fetcher.cleanup()
-        sys.exit(1)
-
-    try:
-        kernel = None
-        if opts.kernel:
-            kernel = fetcher.get_file(opts.kernel)
-        else:
-            for (kernel_path, _) in XEN_PATHS:
-                try:
-                    kernel = fetcher.get_file(kernel_path)
-                except Exception, err:
-                    if not opts.quiet:
-                        print >> sys.stderr, str(err)
-                    continue
-                break
-
-        if not kernel:
-            if not opts.quiet:
-                print >> sys.stderr, 'Cannot get kernel from loacation: %s' % location
-            sys.exit(1)
-
-        ramdisk = None
-        if opts.ramdisk:
-            ramdisk = fetcher.get_file(opts.ramdisk)
-        else:
-            for (_, ramdisk_path) in XEN_PATHS:
-                try:
-                    ramdisk = fetcher.get_file(ramdisk_path)
-                except Exception, err:
-                    if not opts.quiet:
-                        print >> sys.stderr, str(err)
-                    continue
-                break
-    finally:
-        fetcher.cleanup()
-
-    if opts.output_format == 'sxp':
-        output = format_sxp(kernel, ramdisk, opts.args)
-    elif opts.output_format == 'simple':
-        output = format_simple(kernel, ramdisk, opts.args, '\n')
-    elif opts.output_format == 'simple0':
-        output = format_simple(kernel, ramdisk, opts.args, '\0')
-    else:
-        print >> sys.stderr, 'Unknown output format: %s' % opts.output_format
-        sys.exit(1)
-
-    sys.stdout.flush()
-    os.write(fd, output)
-
-
-if __name__ == '__main__':
-    main()
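Review bot: mount() and TFTPFetcher.get_file() in the removed script join the --location-derived device, host and file names into one string and pass it to commands.getstatusoutput(), which runs it through a shell, so shell metacharacters in those values are interpreted instead of being treated as data. If any of this fetch logic is carried into a replacement, build an argument list and run it without a shell, as the removed umount() already does with subprocess.call(cmd).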
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 02:33:07 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] docs/sphinx: Switch hypercall-abi.rst to named footnotes
Message-Id: <E1qqP1x-0007xr-F4@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 02:33:01 +0000

commit 1357f1fa588f1523423861ea5eca2a894e0d6617
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Fri Oct 6 19:08:28 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Tue Oct 10 10:03:49 2023 +0100

    docs/sphinx: Switch hypercall-abi.rst to named footnotes
    
    This will simplify inserting a new one in the middle.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 docs/guest-guide/x86/hypercall-abi.rst | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/docs/guest-guide/x86/hypercall-abi.rst b/docs/guest-guide/x86/hypercall-abi.rst
index 14c48929d7..42a820386b 100644
--- a/docs/guest-guide/x86/hypercall-abi.rst
+++ b/docs/guest-guide/x86/hypercall-abi.rst
@@ -6,7 +6,7 @@ Hypercall ABI
 Hypercalls are system calls to Xen.  Two modes of guest operation are
 supported, and up to 6 individual parameters are supported.
 
-Hypercalls may only be issued by kernel-level software [1]_.
+Hypercalls may only be issued by kernel-level software [#kern]_.
 
 Registers
 ---------
@@ -33,7 +33,7 @@ The registers used for hypercalls depends on the operating mode of the guest.
 
 32 and 64bit PV guests have an ABI fixed by their guest type.  The ABI for an
 HVM guest depends on whether the vCPU is operating in a 64bit segment or not
-[2]_.
+[#mode]_.
 
 
 Parameters
@@ -87,7 +87,7 @@ written by Xen, is mapped with executable permissions so it may be used.
 Multiple hypercall pages may be created by the guest, if it wishes.
 
 The stubs are arranged by hypercall index, and start on 32-byte boundaries.
-To invoke a specific hypercall, ``call`` the relevant stub [3]_:
+To invoke a specific hypercall, ``call`` the relevant stub [#iret]_:
 
 .. code-block:: none
 
@@ -116,14 +116,14 @@ means.
 
 .. rubric:: Footnotes
 
-.. [1] For HVM guests, ``HVMOP_guest_request_vm_event`` may be configured to
-       be usable from userspace, but this behaviour is not default.
+.. [#kern] For HVM guests, ``HVMOP_guest_request_vm_event`` may be configured
+   to be usable from userspace, but this behaviour is not default.
 
-.. [2] While it is possible to use compatibility mode segments in a 64bit
-       kernel, hypercalls issues from such a mode will be interpreted with the
-       32bit ABI.  Such a setup is not expected in production scenarios.
+.. [#mode] While it is possible to use compatibility mode segments in a 64bit
+   kernel, hypercalls issues from such a mode will be interpreted with the
+   32bit ABI.  Such a setup is not expected in production scenarios.
 
-.. [3] ``HYPERCALL_iret`` is special.  It is only implemented for PV guests
-       and takes all its parameters on the stack.  This stub should be
-       ``jmp``'d to, rather than ``call``'d.  HVM guests have this stub
-       implemented as ``ud2a`` to prevent accidental use.
+.. [#iret] ``HYPERCALL_iret`` is special.  It is only implemented for PV
+   guests and takes all its parameters on the stack.  This stub should be
+   ``jmp``'d to, rather than ``call``'d.  HVM guests have this stub
+   implemented as ``ud2a`` to prevent accidental use.
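Review bot: typo carried over in the [#mode] footnote: "hypercalls issues from such a mode" should read "hypercalls issued from such a mode". The footnote lines are being re-indented anyway, so fix it in the same change or a follow-up.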
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 02:33:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86: Clarify that only 5 hypercall parameters are supported
Message-Id: <E1qqP27-0007yN-IC@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 02:33:11 +0000

commit c035151902689aa5a3765aeb16fa52755917b9ca
Author:     Michal Orzel <michal.orzel@amd.com>
AuthorDate: Fri Oct 6 09:51:41 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Tue Oct 10 10:03:49 2023 +0100

    x86: Clarify that only 5 hypercall parameters are supported
    
    The x86 hypercall ABI really used to have 6-argument hypercalls.  V4V, the
    downstream predecessor to Argo, did take 6th args.
    
    However, the 6th arg being %ebp in the 32bit ABI makes it unusable in
    practice, because that's the frame pointer in builds with frame pointers
    enabled.  Therefore Argo was altered to being a 5-arg hypercall when it was
    upstreamed.
    
    c/s 2f531c122e95 ("x86: limit number of hypercall parameters to 5") removed
    the ability for hypercalls to take 6 arguments.
    
    Update the documentation to match reality.
    
    Signed-off-by: Michal Orzel <michal.orzel@amd.com>
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 docs/guest-guide/x86/hypercall-abi.rst   | 15 +++++++++++----
 xen/include/public/arch-x86/xen-x86_32.h |  2 +-
 xen/include/public/arch-x86/xen-x86_64.h |  2 +-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/docs/guest-guide/x86/hypercall-abi.rst b/docs/guest-guide/x86/hypercall-abi.rst
index 42a820386b..83890e1cb6 100644
--- a/docs/guest-guide/x86/hypercall-abi.rst
+++ b/docs/guest-guide/x86/hypercall-abi.rst
@@ -4,7 +4,7 @@ Hypercall ABI
 =============
 
 Hypercalls are system calls to Xen.  Two modes of guest operation are
-supported, and up to 6 individual parameters are supported.
+supported, and up to 5 individual parameters are supported.
 
 Hypercalls may only be issued by kernel-level software [#kern]_.
 
@@ -18,17 +18,17 @@ The registers used for hypercalls depends on the operating mode of the guest.
 
    * - ABI
      - Hypercall Index
-     - Parameters (1 - 6)
+     - Parameters (1 - 5) [#params]_
      - Result
 
    * - 64bit
      - RAX
-     - RDI RSI RDX R10 R8 R9
+     - RDI RSI RDX R10 R8
      - RAX
 
    * - 32bit
      - EAX
-     - EBX ECX EDX ESI EDI EBP
+     - EBX ECX EDX ESI EDI
      - EAX
 
 32 and 64bit PV guests have an ABI fixed by their guest type.  The ABI for an
@@ -119,6 +119,13 @@ means.
 .. [#kern] For HVM guests, ``HVMOP_guest_request_vm_event`` may be configured
    to be usable from userspace, but this behaviour is not default.
 
+.. [#params] Xen's ABI used to declare support for 6 hypercall arguments,
+   using ``r9`` and ``ebp``.  However, such an ABI clobbers the frame pointer
+   in the 32bit code and does not interact nicely with guest-side debugging.
+   ``V4V``, the predecessor to ``HYPERCALL_argo_op`` was a 6-argument
+   hypercall, but the ABI was intentionally altered when Argo was upstreamed
+   (Xen 4.13) to be the 5-argument hypercall it now is.
+
 .. [#mode] While it is possible to use compatibility mode segments in a 64bit
    kernel, hypercalls issues from such a mode will be interpreted with the
    32bit ABI.  Such a setup is not expected in production scenarios.
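Review bot: the new [#params] footnote explains why ``r9`` and ``ebp`` stopped being parameter registers but not what a guest may now assume about them across a hypercall (preserved, or possibly clobbered). State that explicitly, since a 32bit guest kernel built with frame pointers depends on the answer for ``ebp``. Also add a comma after ``HYPERCALL_argo_op`` to close the parenthetical.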
diff --git a/xen/include/public/arch-x86/xen-x86_32.h b/xen/include/public/arch-x86/xen-x86_32.h
index 139438e835..9e3bf06b12 100644
--- a/xen/include/public/arch-x86/xen-x86_32.h
+++ b/xen/include/public/arch-x86/xen-x86_32.h
@@ -12,7 +12,7 @@
 
 /*
  * Hypercall interface:
- *  Input:  %ebx, %ecx, %edx, %esi, %edi, %ebp (arguments 1-6)
+ *  Input:  %ebx, %ecx, %edx, %esi, %edi (arguments 1-5)
  *  Output: %eax
  * Access is via hypercall page (set up by guest loader or via a Xen MSR):
  *  call hypercall_page + hypercall-number * 32
diff --git a/xen/include/public/arch-x86/xen-x86_64.h b/xen/include/public/arch-x86/xen-x86_64.h
index 5d9035ed22..43f6e3d220 100644
--- a/xen/include/public/arch-x86/xen-x86_64.h
+++ b/xen/include/public/arch-x86/xen-x86_64.h
@@ -12,7 +12,7 @@
 
 /*
  * Hypercall interface:
- *  Input:  %rdi, %rsi, %rdx, %r10, %r8, %r9 (arguments 1-6)
+ *  Input:  %rdi, %rsi, %rdx, %r10, %r8 (arguments 1-5)
  *  Output: %rax
  * Access is via hypercall page (set up by guest loader or via a Xen MSR):
  *  call hypercall_page + hypercall-number * 32
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 19:55:12 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/public: arch-arm: Update list of supported hypercalls
Message-Id: <E1qqfIL-0001b1-NL@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 19:55:01 +0000

commit 9713423a06225bcf0f22cab15e8d04870200af7a
Author:     Michal Orzel <michal.orzel@amd.com>
AuthorDate: Fri Oct 6 14:52:20 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Tue Oct 10 15:41:12 2023 +0100

    xen/public: arch-arm: Update list of supported hypercalls
    
    The list is out of date and does not specify all the hypercalls/sub-ops
    we support, so update it.
    
    Signed-off-by: Michal Orzel <michal.orzel@amd.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
---
 xen/include/public/arch-arm.h | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h
index 6a4467e8f5..a25e87dbda 100644
--- a/xen/include/public/arch-arm.h
+++ b/xen/include/public/arch-arm.h
@@ -104,6 +104,7 @@
  *   Exactly these sub-operations are supported:
  *    * HVMOP_set_param
  *    * HVMOP_get_param
+ *    * HVMOP_guest_request_vm_event
  *
  *  HYPERVISOR_grant_table_op
  *   All generic sub-operations
@@ -116,6 +117,32 @@
  *  HYPERVISOR_argo_op
  *   All generic sub-operations
  *
+ *  HYPERVISOR_hypfs_op
+ *   All generic sub-operations
+ *
+ *  HYPERVISOR_platform_op
+ *   Exactly these sub-operations are supported:
+ *    * XENPF_settime64
+ *
+ *  HYPERVISOR_vm_assist
+ *   All generic sub-operations
+ *
+ *  HYPERVISOR_dm_op
+ *   Exactly these sub-operations are supported:
+ *    * XEN_DMOP_create_ioreq_server
+ *    * XEN_DMOP_get_ioreq_server_info
+ *    * XEN_DMOP_map_io_range_to_ioreq_server
+ *    * XEN_DMOP_unmap_io_range_from_ioreq_server
+ *    * XEN_DMOP_set_ioreq_server_state
+ *    * XEN_DMOP_destroy_ioreq_server
+ *    * XEN_DMOP_set_irq_level
+ *    * XEN_DMOP_nr_vcpus
+ *
+ *  HYPERVISOR_xsm_op
+ *   All generic sub-operations
+ *
+ *  HYPERVISOR_multicall
+ *
  * Other notes on the ARM ABI:
  *
  * - struct start_info is not exported to ARM guests.
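Review bot: the HYPERVISOR_multicall entry is the only added one with no qualifier line; every other entry in this hunk is followed by either "All generic sub-operations" or "Exactly these sub-operations are supported". Add a line under it saying what applies (for example that it has no sub-operations, and whether any of the listed hypercalls may not be batched), so a reader does not have to guess whether the omission is deliberate.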
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:05 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/xenstored: domain_entry_fix(): Handle conflicting transaction
Message-Id: <E1qqgpC-0005Vb-CH@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:02 +0000

commit 0a70ce96deebbe3074708b618bab11cd802491c8
Author:     Julien Grall <jgrall@amazon.com>
AuthorDate: Fri Sep 22 11:32:16 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/xenstored: domain_entry_fix(): Handle conflicting transaction
    
    The function domain_entry_fix() will be initially called to check if the
    quota is correct before attempting to commit any nodes. So it would be
    possible that accounting is temporarily negative. This is the case
    in the following sequence:
    
      1) Create 50 nodes
      2) Start two transactions
      3) Delete all the nodes in each transaction
      4) Commit the two transactions
    
    Because the first transaction will have succeeded and updated the
    accounting, there is no guarantee that 'd->nbentry + num' will still
    be above 0. So the assert() would be triggered.
    The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
    and fix per domain node accounting") with the assumption that the
    value can't be negative. As this is not true revert to the original
    check but restricted to the path where we don't update. Take the
    opportunity to explain the rationale behind the check.
    
    This is CVE-2023-34323 / XSA-440.
    
    Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    (cherry picked from commit c4e05c97f57d236040d1da5c1fbf6e3699dc86ea)
---
 tools/xenstore/xenstored_domain.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 8cc36ee44c..697a7cfe64 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1068,10 +1068,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
 	}
 
 	cnt = d->nbentry + num;
-	assert(cnt >= 0);
 
-	if (update)
+	if (update) {
+		assert(cnt >= 0);
 		d->nbentry = cnt;
+	} else if (cnt < 0) {
+		/*
+		 * In a transaction when a node is being added/removed AND
+		 * the same node has been added/removed outside the
+		 * transaction in parallel, the result value may be negative.
+		 * This is no problem, as the transaction will fail due to
+		 * the resulting conflict. So override 'cnt'.
+		 */
+		cnt = 0;
+	}
 
 	return domid_is_unprivileged(domid) ? cnt : 0;
 }
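Review bot: assert(cnt >= 0) stays in the update branch, so the daemon still aborts if a commit ever reaches domain_entry_fix() with update set and a negative sum. The new comment relies on the conflicting transaction failing first, but nothing in this function enforces that. Consider returning an error (or logging and clamping) on that path instead of asserting, or at least name in the comment the caller-side check that guarantees update is never requested after a conflict.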
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15
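
The accounting sequence from the commit message above, as an added C model that is not xenstored's code: it contrasts the pre-patch and post-patch shape of the check on the constructed "50 nodes, two deleting transactions" case. The struct, function names and the generation counter used to detect the conflict are assumptions made for this illustration, and a failed assert() is reported as a status value so the model can keep running.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for xenstored's per-domain state: only the
 * node counter that domain_entry_fix() adjusts. */
struct domain_model { int nbentry; };

enum fix_status { FIX_OK, FIX_ASSERT_FAILED };

typedef enum fix_status (*fix_fn)(struct domain_model *d, int num,
                                  bool update, int *cnt_out);

/* Pre-patch shape: the sign check runs before 'update' is examined. */
static enum fix_status entry_fix_old(struct domain_model *d, int num,
                                     bool update, int *cnt_out)
{
    int cnt = d->nbentry + num;

    if (cnt < 0)                      /* assert(cnt >= 0) in the patch */
        return FIX_ASSERT_FAILED;
    if (update)
        d->nbentry = cnt;
    *cnt_out = cnt;
    return FIX_OK;
}

/* Post-patch shape: the sign check applies only when the counter is
 * written; a negative probe result is clamped to 0. */
static enum fix_status entry_fix_new(struct domain_model *d, int num,
                                     bool update, int *cnt_out)
{
    int cnt = d->nbentry + num;

    if (update) {
        if (cnt < 0)                  /* assert(cnt >= 0) in the patch */
            return FIX_ASSERT_FAILED;
        d->nbentry = cnt;
    } else if (cnt < 0) {
        cnt = 0;
    }
    *cnt_out = cnt;
    return FIX_OK;
}

struct outcome {
    bool daemon_aborted;   /* a modelled assert() fired */
    int committed;         /* transactions applied */
    int conflicts;         /* transactions rejected as stale */
    int nbentry;           /* final node count */
};

/* Constructed scenario: 50 nodes exist, two transactions start from the
 * same state, each deletes all 50 nodes, then both try to commit.
 * Commit is modelled as: quota probe (update=false), conflict check
 * against a generation counter (assumption), then the real update. */
static struct outcome run_scenario(fix_fn fix)
{
    struct domain_model d = { .nbentry = 50 };
    unsigned int generation = 0;
    const unsigned int tx_start_gen[2] = { 0, 0 };
    const int tx_delta[2] = { -50, -50 };
    struct outcome o = { false, 0, 0, 0 };
    int cnt = 0;

    for (int i = 0; i < 2; i++) {
        if (fix(&d, tx_delta[i], false, &cnt) != FIX_OK) {
            o.daemon_aborted = true;  /* probe tripped the assertion */
            break;
        }
        if (tx_start_gen[i] != generation) {
            o.conflicts++;            /* stale transaction is rejected */
            continue;
        }
        if (fix(&d, tx_delta[i], true, &cnt) != FIX_OK) {
            o.daemon_aborted = true;
            break;
        }
        generation++;
        o.committed++;
    }
    o.nbentry = d.nbentry;
    return o;
}

int main(void)
{
    struct outcome a = run_scenario(entry_fix_old);
    struct outcome b = run_scenario(entry_fix_new);

    printf("old: aborted=%d committed=%d conflicts=%d nbentry=%d\n",
           a.daemon_aborted, a.committed, a.conflicts, a.nbentry);
    printf("new: aborted=%d committed=%d conflicts=%d nbentry=%d\n",
           b.daemon_aborted, b.committed, b.conflicts, b.nbentry);
    return 0;
}
```
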


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
Message-Id: <E1qqgpM-0005W7-Gh@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:12 +0000

commit 1b8dbe48d6ff0b1db1cc641424e9ac1b4402b7b1
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Tue Jun 13 15:01:05 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    iommu/amd-vi: flush IOMMU TLB when flushing the DTE
    
    The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
    3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
    malfunction (see stale DMA mappings) if some fields of the DTE are updated but
    the IOMMU TLB is not flushed. This has been observed in practice on AMD
    systems.  Due to the lack of guidance from the currently published
    specification this patch aims to increase the flushing done in order to prevent
    device malfunction.
    
    In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
    amd_iommu_flush_device(), flushing all the address space.  Note this requires
    callers to be adjusted in order to pass the DomID on the DTE previous to the
    modification.
    
    Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
    order to avoid the flush.  That's because the device had address translations
    disabled and hence the previous DomID on the DTE is not valid.  Note the
    current logic relies on the entity disabling address translations to also flush
    the TLB of the in use DomID.
    
    Device I/O TLB flushing when ATS are enabled is not covered by the current
    change, as ATS usage is not security supported.
    
    This is XSA-442 / CVE-2023-34326
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 5fc98b97084a46884acef9320e643faf40d42212)
---
 xen/drivers/passthrough/amd/iommu.h         |  3 ++-
 xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
 xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
 xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
 xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
index 0d9d976faa..4e355ef4c1 100644
--- a/xen/drivers/passthrough/amd/iommu.h
+++ b/xen/drivers/passthrough/amd/iommu.h
@@ -265,7 +265,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
                            unsigned int order);
 void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
                            uint64_t gaddr, unsigned int order);
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid);
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
 void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
 
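Review bot: the new `domid` parameter in the amd_iommu_flush_device() prototype is undocumented, and its meaning is not obvious from the name. Per the commit message it must be the DomID the DTE held before the modification, and the callers in this patch pass DOMID_INVALID to skip the TLB flush. A short comment above the declaration stating both would keep future callers from passing the new DomID by mistake.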
diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
index dfb8b1c860..196e3dce3a 100644
--- a/xen/drivers/passthrough/amd/iommu_cmd.c
+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
@@ -362,12 +362,20 @@ void amd_iommu_flush_pages(struct domain *d,
     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
 }
 
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid)
 {
     ASSERT( spin_is_locked(&iommu->lock) );
 
     invalidate_dev_table_entry(iommu, bdf);
     flush_command_buffer(iommu, 0);
+
+    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
+    if ( domid != DOMID_INVALID )
+    {
+        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
+        flush_command_buffer(iommu, 0);
+    }
 }
 
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
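Review bot: in amd_iommu_flush_device() the added block calls flush_command_buffer(iommu, 0) a second time, right after the one that already follows invalidate_dev_table_entry(), so every DTE flush with a valid DomID now goes through flush_command_buffer() twice. If the DTE invalidation has to complete before the page invalidation is queued, say so in the comment; if not, consider queueing invalidate_iommu_pages() ahead of a single flush_command_buffer(). The comment could also record that INV_IOMMU_ALL_PAGES_ADDRESS drops every translation cached for `domid`, not only those used by `bdf`.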
diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
index 00c5ccd7b5..f404e382f0 100644
--- a/xen/drivers/passthrough/amd/iommu_guest.c
+++ b/xen/drivers/passthrough/amd/iommu_guest.c
@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
 
 static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
 {
-    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
+    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
     struct amd_iommu_dte *gdte, *mdte, *dte_base;
     struct amd_iommu *iommu = NULL;
     struct guest_iommu *g_iommu;
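Review bot: `prev_domid` is appended to the `uint16_t` declaration list in do_invalidate_dte(), while the pci_amd_iommu.c call sites in this patch declare it as `domid_t prev_domid`, matching the type of the new amd_iommu_flush_device() parameter. Declare it as domid_t here as well so the value has one type across all callers.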
@@ -445,11 +445,12 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
     req_id = get_dma_requestor_id(iommu->seg, mbdf);
     dte_base = iommu->dev_table.buffer;
     mdte = &dte_base[req_id];
+    prev_domid = mdte->domain_id;
 
     spin_lock_irqsave(&iommu->lock, flags);
     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
 
-    amd_iommu_flush_device(iommu, req_id);
+    amd_iommu_flush_device(iommu, req_id, prev_domid);
     spin_unlock_irqrestore(&iommu->lock, flags);
 
     return 0;
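Review bot: `prev_domid = mdte->domain_id;` is read before spin_lock_irqsave(&iommu->lock, flags), whereas the pci_amd_iommu.c call sites in this patch sample dte->domain_id with the lock held. Move the read below the lock so the DomID handed to amd_iommu_flush_device() is the one the DTE actually held when dte_set_gcr3_table() overwrote it.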
diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
index bb52c181f8..4a96f7fbec 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -1554,7 +1554,11 @@ static int _invalidate_all_devices(
         if ( iommu )
         {
             spin_lock_irqsave(&iommu->lock, flags);
-            amd_iommu_flush_device(iommu, req_id);
+            /*
+             * IOMMU TLB flush performed separately (see
+             * invalidate_all_domain_pages()).
+             */
+            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
             amd_iommu_flush_intremap(iommu, req_id);
             spin_unlock_irqrestore(&iommu->lock, flags);
         }
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index e804fdc34f..8729555666 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -183,10 +183,13 @@ static int __must_check amd_iommu_setup_domain_device(
              iommu_has_cap(iommu, PCI_CAP_IOTLB_SHIFT) )
             dte->i = ats_enabled;
 
-        amd_iommu_flush_device(iommu, req_id);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
     }
     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /*
          * Strictly speaking if the device is the only one with this requestor
          * ID, it could be allowed to be re-assigned regardless of unity map
@@ -240,7 +243,7 @@ static int __must_check amd_iommu_setup_domain_device(
              iommu_has_cap(iommu, PCI_CAP_IOTLB_SHIFT) )
             ASSERT(dte->i == ats_enabled);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
     }
 
     spin_unlock_irqrestore(&iommu->lock, flags);
@@ -389,6 +392,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
     spin_lock_irqsave(&iommu->lock, flags);
     if ( dte->tv || dte->v )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /* See the comment in amd_iommu_setup_device_table(). */
         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
         smp_wmb();
@@ -405,7 +410,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
         smp_wmb();
         dte->v = true;
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
 
         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
                         "domain = %d, paging mode = %d\n",
@@ -578,7 +583,8 @@ static int amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
             iommu->dev_table.buffer + (bdf * IOMMU_DEV_TABLE_ENTRY_SIZE),
             ivrs_mappings[bdf].intremap_table, iommu, iommu_intremap);
 
-        amd_iommu_flush_device(iommu, bdf);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
 
         spin_unlock_irqrestore(&iommu->lock, flags);
     }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:24 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libfsimage/xfs: Remove dead code
Message-Id: <E1qqgpW-0005WW-Ks@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:22 +0000

commit 60aed4c82c7a1eab806e68c8cabd10d4b8011eb7
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:50 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    libfsimage/xfs: Remove dead code
    
    xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
    that serves no purpose.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 37fc1e6c1c5c63aafd9cfd76a37728d5baea7d71)
---
 tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index d735a88e55..2800699f59 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -37,7 +37,6 @@ struct xfs_info {
 	int blklog;
 	int inopblog;
 	int agblklog;
-	int agnolog;
 	unsigned int nextents;
 	xfs_daddr_t next;
 	xfs_daddr_t daddr;
@@ -65,9 +64,7 @@ static struct xfs_info xfs;
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
-#define	XFS_INO_AGBNO_BITS	xfs.agblklog
 #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
-#define	XFS_INO_AGNO_BITS	xfs.agnolog
 
 static inline xfs_agblock_t
 agino2agbno (xfs_agino_t agino)
@@ -149,20 +146,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
 	return le32(r->l3) & mask32lo(21);
 }
 
-static inline int
-xfs_highbit32(xfs_uint32_t v)
-{
-	int i;
-
-	if (--v) {
-		for (i = 0; i < 31; i++, v >>= 1) {
-			if (v == 0)
-				return i;
-		}
-	}
-	return 0;
-}
-
 static int
 isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
 {
@@ -472,7 +455,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 
 	xfs.inopblog = super.sb_inopblog;
 	xfs.agblklog = super.sb_agblklog;
-	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
 
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:34 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libfsimage/xfs: Amend mask32lo() to allow the value 32
Message-Id: <E1qqgpg-0005X3-Pn@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:32 +0000

commit 8c1075d1edd2b9ef43357eef55daa5af03f25155
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:51 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    libfsimage/xfs: Amend mask32lo() to allow the value 32
    
    agblklog could plausibly be 32, but that would overflow this shift.
    Perform the shift as ULL and cast to u32 at the end instead.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit ddc45e4eea946bb373a4b4a60c84bf9339cf413b)
---
 tools/libfsimage/xfs/fsys_xfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 2800699f59..4720bb4505 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -60,7 +60,7 @@ static struct xfs_info xfs;
 #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
 #define icore		(inode->di_core)
 
-#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
+#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
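Review bot: with this change mask32lo(n) expands to the same expression as XFS_INO_MASK(k) two lines below, differing only in the `1ull` versus `1ULL` suffix spelling. Define one in terms of the other, or at least use the same suffix, so the two cannot drift apart again. A comment stating that the macro is meant for n in 0..32 would also help: values from 33 to 63 are silently truncated by the cast, and n >= 64 is still an undefined shift.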
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:44 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libfsimage/xfs: Sanity-check the superblock during mounts
Message-Id: <E1qqgpq-0005Xx-Sz@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:42 +0000

commit 964840afc1b74b547bf0fe5bd339ae1462f2b2f1
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:52 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    libfsimage/xfs: Sanity-check the superblock during mounts
    
    Sanity-check the XFS superblock for well-formedness at the mount handler.
    This forces pygrub to abort parsing a potentially malformed filesystem and
    ensures the invariants assumed throughout the rest of the code hold.
    
    Also, derive parameters from previously sanitized parameters where possible
    (rather than reading them off the superblock).
    
    The code doesn't try to avoid overflowing the end of the disk, because
    that's an unlikely and benign error. Parameters used in calculations of
    xfs_daddr_t (like the root inode index) aren't in critical need of being
    sanitized.
    
    The sanitization of agblklog is basically checking that no obvious
    overflows happen on agblklog, and then ensuring agblocks is contained in
    the range (2^(sb_agblklog-1), 2^sb_agblklog].
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 620500dd1baf33347dfde5e7fde7cf7fe347da5c)
---
 tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++++++++---------
 tools/libfsimage/xfs/xfs.h      | 12 +++++++++++
 2 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 4720bb4505..e4eb7e1ee2 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -17,6 +17,7 @@
  *  along with this program; If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <stdbool.h>
 #include <xenfsimage_grub.h>
 #include "xfs.h"
 
@@ -433,29 +434,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
 	return next_dentry (ffi, ino);
 }
 
+static bool
+xfs_sb_is_invalid (const xfs_sb_t *super)
+{
+	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
+	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
+	        XFS_SB_VERSION_4)
+	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
+	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
+	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
+	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
+	    || (super->sb_blocklog < super->sb_inodelog)
+	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
+	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
+	    || (((1ull << super->sb_agblklog) >> 1) >=
+	        le32(super->sb_agblocks))
+	    || ((super->sb_blocklog + super->sb_dirblklog) >=
+	        XFS_SB_DIRBLK_NUMBITS);
+}
+
 static int
 xfs_mount (fsi_file_t *ffi, const char *options)
 {
 	xfs_sb_t super;
 
 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
-	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
-	    || ((le16(super.sb_versionnum) 
-		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
+	    || xfs_sb_is_invalid(&super)) {
 		return 0;
 	}
 
-	xfs.bsize = le32 (super.sb_blocksize);
-	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = xfs.blklog - SECTOR_BITS;
+	/*
+	 * Not sanitized. It's exclusively used to generate disk addresses,
+	 * so it's not important from a security standpoint.
+	 */
 	xfs.rootino = le64 (super.sb_rootino);
-	xfs.isize = le16 (super.sb_inodesize);
-	xfs.agblocks = le32 (super.sb_agblocks);
-	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
 
-	xfs.inopblog = super.sb_inopblog;
+	/*
+	 * Sanitized to be consistent with each other, only used to
+	 * generate disk addresses, so it's safe
+	 */
+	xfs.agblocks = le32 (super.sb_agblocks);
 	xfs.agblklog = super.sb_agblklog;
 
+	/* Derived from sanitized parameters */
+	xfs.bsize = 1 << super.sb_blocklog;
+	xfs.blklog = super.sb_blocklog;
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+	xfs.isize = 1 << super.sb_inodelog;
+	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
+	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
+
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
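Review bot: xfs_sb_is_invalid() bounds sb_blocklog and sb_inodelog, and xfs_mount() then derives bsize, isize and inopblog from them, but nothing checks that the no longer used sb_blocksize, sb_inodesize and sb_inopblog agree with the derived values, so a superblock whose fields contradict each other still mounts. Either reject the mismatch in xfs_sb_is_invalid() or extend the "Derived from sanitized parameters" comment to say those fields are deliberately ignored. Separately, `xfs.bdlog = super.sb_blocklog - SECTOR_BITS` is only safe if XFS_SB_BLOCKLOG_MIN is at least SECTOR_BITS, which nothing in this hunk enforces.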
diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
index 40699281e4..b87e37d3d7 100644
--- a/tools/libfsimage/xfs/xfs.h
+++ b/tools/libfsimage/xfs/xfs.h
@@ -134,6 +134,18 @@ typedef struct xfs_sb
         xfs_uint8_t       sb_dummy[7];    /* padding */
 } xfs_sb_t;
 
+/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
+#define	XFS_SB_DIRBLK_NUMBITS	27
+/* Implied by the XFS specification. The minimum block size is 512 octets */
+#define	XFS_SB_BLOCKLOG_MIN	9
+/* Implied by the XFS specification. The maximum block size is 65536 octets */
+#define	XFS_SB_BLOCKLOG_MAX	16
+/* Implied by the XFS specification. The minimum inode size is 256 octets */
+#define	XFS_SB_INODELOG_MIN	8
+/* Implied by the XFS specification. The maximum inode size is 2048 octets */
+#define	XFS_SB_INODELOG_MAX	11
+/* High bound for sb_agblklog */
+#define	XFS_SB_AGBLKLOG_MAX	32
 
 /* those are from xfs_btree.h */
 
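Review bot: XFS_SB_AGBLKLOG_MAX is the only constant added here whose comment gives no source for its value, where the others cite the XFS specification or GRUB2. Say where 32 comes from and that the bound is inclusive (the check in fsys_xfs.c is `sb_agblklog > XFS_SB_AGBLKLOG_MAX`), since a value of 32 is only safe where the shift is done in 64 bits.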
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:33:54 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libfsimage/xfs: Add compile-time check to libfsimage
Message-Id: <E1qqgq1-0005YO-1e@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:33:53 +0000

commit 586aab25bbc2e42b97cba514b50280526a870296
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:53 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    libfsimage/xfs: Add compile-time check to libfsimage
    
    Adds the common tools include folder to the -I compile flags
    of libfsimage. This allows us to use:
      xen-tools/common-macros.h:BUILD_BUG_ON()
    
    With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
    underflow.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 7d85c70431593550e32022e3a19a37f306f49e00)
---
 tools/libfsimage/Rules.mk       | 2 +-
 tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/Rules.mk b/tools/libfsimage/Rules.mk
index bb6d42abb4..80598fb70a 100644
--- a/tools/libfsimage/Rules.mk
+++ b/tools/libfsimage/Rules.mk
@@ -1,6 +1,6 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
-CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
+CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
 CFLAGS += -Werror -D_GNU_SOURCE
 LDFLAGS += -L../common/
 
diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index e4eb7e1ee2..4a8dd6f239 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -19,6 +19,7 @@
 
 #include <stdbool.h>
 #include <xenfsimage_grub.h>
+#include <xen-tools/libs.h>
 #include "xfs.h"
 
 #define MAX_LINK_COUNT	8
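Review bot: the added `#include <xen-tools/libs.h>` does not match the commit message, which names xen-tools/common-macros.h as the home of BUILD_BUG_ON(). If the macro lives in a different header on this branch, say so in the backport message so the stated source and the include agree.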
@@ -477,9 +478,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 	xfs.agblklog = super.sb_agblklog;
 
 	/* Derived from sanitized parameters */
+	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.bsize = 1 << super.sb_blocklog;
 	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.isize = 1 << super.sb_inodelog;
 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
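Review bot: the BUILD_BUG_ON() in xfs_mount() only makes `super.sb_blocklog - SECTOR_BITS` safe if sb_blocklog has already been rejected at run time when it is below XFS_SB_BLOCKLOG_MIN, and the only hint of that in this hunk is the comment "Derived from sanitized parameters". Extend that comment to name the range check the assertion depends on. The context line `xfs.inopblog = super.sb_blocklog - super.sb_inodelog;` is the same kind of subtraction and gets no matching assertion here.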
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15
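
The guarantee this commit message describes, as an added example that is not code from the Xen tree: a run-time range check on the on-disk field plus a compile-time assertion on the bounds together rule out the underflow. The numeric values given to SECTOR_BITS and XFS_SB_BLOCKLOG_MIN, the name XFS_SB_BLOCKLOG_MAX and every example_* identifier are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the page names these macros but does not give numbers. */
#define SECTOR_BITS          9   /* 512-byte sectors */
#define XFS_SB_BLOCKLOG_MIN  9
#define XFS_SB_BLOCKLOG_MAX  16  /* hypothetical upper bound */

/* Portable stand-in for BUILD_BUG_ON(): compilation fails if cond is true. */
#define EXAMPLE_BUILD_BUG_ON(cond) _Static_assert(!(cond), #cond)

struct example_geom {
    uint32_t bsize;   /* block size in bytes */
    uint8_t  blklog;  /* log2(block size) */
    uint8_t  bdlog;   /* log2(sectors per block) */
};

/*
 * Hardened derivation: the untrusted field is range-checked first, and the
 * static assertion proves that any accepted value is >= SECTOR_BITS, so the
 * subtraction cannot wrap.
 */
static bool example_derive_geometry(uint8_t sb_blocklog, struct example_geom *g)
{
    if (sb_blocklog < XFS_SB_BLOCKLOG_MIN || sb_blocklog > XFS_SB_BLOCKLOG_MAX)
        return false;

    EXAMPLE_BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
    g->bdlog  = (uint8_t)(sb_blocklog - SECTOR_BITS);
    g->bsize  = 1u << sb_blocklog;
    g->blklog = sb_blocklog;
    return true;
}

/*
 * What the same subtraction produces when the field is used without the
 * range check: a small on-disk value wraps to a huge shift count.
 */
static uint8_t example_unchecked_bdlog(uint8_t sb_blocklog)
{
    return (uint8_t)(sb_blocklog - SECTOR_BITS);
}

int main(void)
{
    struct example_geom g;
    uint8_t samples[] = { 12, 9, 3 };  /* constructed superblock values */

    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (example_derive_geometry(samples[i], &g))
            printf("blocklog=%u accepted: bsize=%u bdlog=%u\n",
                   (unsigned)samples[i], (unsigned)g.bsize, (unsigned)g.bdlog);
        else
            printf("blocklog=%u rejected (unchecked bdlog would be %u)\n",
                   (unsigned)samples[i],
                   (unsigned)example_unchecked_bdlog(samples[i]));
    }
    return 0;
}
```

Raising SECTOR_BITS above XFS_SB_BLOCKLOG_MIN in this file makes the build fail at the assertion instead of leaving the wrap to be found at run time.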


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:04 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/pygrub: Remove unnecessary hypercall
Message-Id: <E1qqgqB-0005Yw-4l@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:03 +0000

commit ff2ba13b6242843e07e77196f9671c0efb0219fe
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:21 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/pygrub: Remove unnecessary hypercall
    
    There's a hypercall being issued in order to determine whether PV64 is
    supported, but since Xen 4.3 that's strictly true so it's not required.
    
    Plus, this way we can avoid mapping the privcmd interface altogether in the
    depriv pygrub.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit f4b504c6170c446e61055cbd388ae4e832a9deca)
---
 tools/pygrub/src/pygrub | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce7ab0eb8c..ce4e07d3e8 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -18,7 +18,6 @@ import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
 import logging
 import platform
-import xen.lowlevel.xc
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -668,14 +667,6 @@ def run_grub(file, entry, fs, cfg_args):
 
     return grubcfg
 
-def supports64bitPVguest():
-    xc = xen.lowlevel.xc.xc()
-    caps = xc.xeninfo()['xen_caps'].split(" ")
-    for cap in caps:
-        if cap == "xen-3.0-x86_64":
-            return True
-    return False
-
 # If nothing has been specified, look for a Solaris domU. If found, perform the
 # necessary tweaks.
 def sniff_solaris(fs, cfg):
@@ -684,8 +675,7 @@ def sniff_solaris(fs, cfg):
         return cfg
 
     if not cfg["kernel"]:
-        if supports64bitPVguest() and \
-          fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
+        if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
             cfg["kernel"] = "/platform/i86xpv/kernel/amd64/unix"
             cfg["ramdisk"] = "/platform/i86pc/amd64/boot_archive"
         elif fs.file_exists("/platform/i86xpv/kernel/unix"):
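Review bot: in sniff_solaris() the amd64 kernel is now selected whenever `/platform/i86xpv/kernel/amd64/unix` exists, and nothing in the code records why the capability test could be dropped. Add a one-line comment above the `if fs.file_exists(...)` saying that 64-bit PV support is assumed on every supported Xen, so a reader can tell the remaining `elif` fallback depends on the image contents only.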
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:14 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/pygrub: Small refactors
Message-Id: <E1qqgqL-0005Zj-7q@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:13 +0000

commit 844bcf0274938489caa8e431915c93f01b61b443
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:22 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/pygrub: Small refactors
    
    Small tidy up to ensure output_directory always has a trailing '/' to ease
    concatenating paths and that `output` can only be a filename or None.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 9f2ff9a7c9b3ac734ae99f17f0134ed0343dcccf)
---
 tools/pygrub/src/pygrub | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce4e07d3e8..1042c05b86 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -793,7 +793,7 @@ if __name__ == "__main__":
     debug = False
     not_really = False
     output_format = "sxp"
-    output_directory = "/var/run/xen/pygrub"
+    output_directory = "/var/run/xen/pygrub/"
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -815,7 +815,8 @@ if __name__ == "__main__":
             usage()
             sys.exit()
         elif o in ("--output",):
-            output = a
+            if a != "-":
+                output = a
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
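Review bot: in the `--output` branch, `if a != "-": output = a` leaves any earlier value in place, so `--output=file --output=-` now writes to the file where the old code selected stdout. Assign explicitly instead, for example `output = None if a == "-" else a`, so the last option still wins.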
@@ -847,12 +848,11 @@ if __name__ == "__main__":
             if not os.path.isdir(a):
                 print("%s is not an existing directory" % a)
                 sys.exit(1)
-            output_directory = a
+            output_directory = a + '/'
 
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
-
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
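Review bot: `output_directory = a + '/'` appends the separator unconditionally, so a user-supplied path that already ends in '/' becomes '//', and every future assignment to output_directory has to remember the suffix for later concatenation to stay correct. Building paths with os.path.join() at the point of use would remove the need for the trailing-slash convention.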
@@ -861,7 +861,7 @@ if __name__ == "__main__":
         else:
             raise
 
-    if output is None or output == "-":
+    if output is None:
         fd = sys.stdout.fileno()
     else:
         fd = os.open(output, os.O_WRONLY)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:24 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/pygrub: Open the output files earlier
Message-Id: <E1qqgqV-0005aS-Ak@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:23 +0000

commit 609b76c89d84f6c2139abdce459d2363d0c5c2e2
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/pygrub: Open the output files earlier
    
    This patch allows pygrub to get ahold of every RW file descriptor it needs
    early on. A later patch will clamp the filesystem it can access so it can't
    obtain any others.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 0710d7d44586251bfca9758890616dc3d6de8a74)
---
 tools/pygrub/src/pygrub | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 1042c05b86..91e2ec2ab1 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -738,8 +738,7 @@ if __name__ == "__main__":
     def usage():
         print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
-    def copy_from_image(fs, file_to_read, file_type, output_directory,
-                        not_really):
+    def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
             if fs.file_exists(file_to_read):
                 return "<%s:%s>" % (file_type, file_to_read)
@@ -750,21 +749,18 @@ if __name__ == "__main__":
         except Exception as e:
             print(e, file=sys.stderr)
             sys.exit("Error opening %s in guest" % file_to_read)
-        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-                                      dir=output_directory)
         dataoff = 0
         while True:
             data = datafile.read(FS_READ_MAX, dataoff)
             if len(data) == 0:
-                os.close(tfd)
+                os.close(fd_dst)
                 del datafile
-                return ret
+                return
             try:
-                os.write(tfd, data)
+                os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.close(tfd)
-                os.unlink(ret)
+                os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
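Review bot: in copy_from_image() the write-failure branch now unlinks path_dst but no longer closes the descriptor, and the earlier `sys.exit("Error opening %s in guest" % file_to_read)` path does neither, even though the destination file now exists before this function is called. Close fd_dst and unlink path_dst on both exits, or state in a comment that the caller owns that cleanup.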
@@ -861,6 +857,14 @@ if __name__ == "__main__":
         else:
             raise
 
+    if not_really:
+        fd_kernel =  path_kernel = fd_ramdisk = path_ramdisk = None
+    else:
+        (fd_kernel, path_kernel) = tempfile.mkstemp(prefix="boot_kernel.",
+                                                    dir=output_directory)
+        (fd_ramdisk, path_ramdisk) = tempfile.mkstemp(prefix="boot_ramdisk.",
+                                                      dir=output_directory)
+
     if output is None:
         fd = sys.stdout.fileno()
     else:
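Review bot: both mkstemp() calls run unconditionally, before it is known whether the chosen entry has a ramdisk, so every later exit path has to remember to remove the files. A short comment above them explaining why they must be opened this early would help; the reason is only in the commit message. There is also a stray double space in `fd_kernel =  path_kernel`.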
@@ -920,20 +924,23 @@ if __name__ == "__main__":
     if fs is None:
         raise RuntimeError("Unable to find partition containing kernel")
 
-    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-                                        output_directory, not_really)
+    copy_from_image(fs, chosencfg["kernel"], "kernel",
+                    fd_kernel, path_kernel, not_really)
+    bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
-            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-                                                 "ramdisk", output_directory,
-                                                 not_really)
+            copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
+                            fd_ramdisk, path_ramdisk, not_really)
         except:
             if not not_really:
-                os.unlink(bootcfg["kernel"])
+                os.unlink(path_kernel)
             raise
+        bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
+        if not not_really:
+            os.unlink(path_ramdisk)
 
     args = None
     if chosencfg["args"]:
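Review bot: with --not-really, `bootcfg["kernel"] = path_kernel` and `bootcfg["ramdisk"] = path_ramdisk` now store None, while the `"<%s:%s>"` string that copy_from_image() still returns in that mode is discarded, so dry-run output changes. Keep the return value in the not_really case, or drop the dead return from copy_from_image(). Separately, the `else` branch unlinks path_ramdisk but never closes fd_ramdisk.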
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:34 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/libfsimage: Export a new function to preload all plugins
Message-Id: <E1qqgqf-0005bE-Dk@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:33 +0000

commit 3ab7e4a4fa0d3cc9dca3e21769938f09e5d62097
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:24 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/libfsimage: Export a new function to preload all plugins
    
    This is work required in order to let pygrub operate in highly deprivileged
    chroot mode. This patch adds a function that preloads every plugin, hence
    ensuring that on function exit, every shared library is loaded in memory.
    
    The new "init" function is supposed to be used before depriv, but that's
    fine because it's not acting on untrusted data.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 990e65c3ad9ac08642ce62a92852c80be6c83e96)
---
 tools/libfsimage/common/fsimage_plugin.c |  4 ++--
 tools/libfsimage/common/mapfile-GNU      |  1 +
 tools/libfsimage/common/mapfile-SunOS    |  1 +
 tools/libfsimage/common/xenfsimage.h     |  8 ++++++++
 tools/pygrub/src/fsimage/fsimage.c       | 15 +++++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
index de1412b423..d0cb9e96a6 100644
--- a/tools/libfsimage/common/fsimage_plugin.c
+++ b/tools/libfsimage/common/fsimage_plugin.c
@@ -119,7 +119,7 @@ fail:
 	return (-1);
 }
 
-static int load_plugins(void)
+int fsi_init(void)
 {
 	const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
 	struct dirent *dp = NULL;
@@ -180,7 +180,7 @@ int find_plugin(fsi_t *fsi, const char *path, const char *options)
 	fsi_plugin_t *fp;
 	int ret = 0;
 
-	if (plugins == NULL && (ret = load_plugins()) != 0)
+	if (plugins == NULL && (ret = fsi_init()) != 0)
 		goto out;
 
 	for (fp = plugins; fp != NULL; fp = fp->fp_next) {
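Review bot: the `plugins == NULL` guard stays in find_plugin(), so now that fsi_init() is exported a caller that invokes it twice runs the directory scan twice, and an explicit call that finds no plugins is repeated on the first find_plugin(). Move the "already loaded" check into fsi_init() itself so the public entry point is idempotent.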
diff --git a/tools/libfsimage/common/mapfile-GNU b/tools/libfsimage/common/mapfile-GNU
index 26d4d7a69e..2d54d527d7 100644
--- a/tools/libfsimage/common/mapfile-GNU
+++ b/tools/libfsimage/common/mapfile-GNU
@@ -1,6 +1,7 @@
 VERSION {
 	libfsimage.so.1.0 {
 		global:
+			fsi_init;
 			fsi_open_fsimage;
 			fsi_close_fsimage;
 			fsi_file_exists;
diff --git a/tools/libfsimage/common/mapfile-SunOS b/tools/libfsimage/common/mapfile-SunOS
index e99b90b650..48deedb425 100644
--- a/tools/libfsimage/common/mapfile-SunOS
+++ b/tools/libfsimage/common/mapfile-SunOS
@@ -1,5 +1,6 @@
 libfsimage.so.1.0 {
 	global:
+		fsi_init;
 		fsi_open_fsimage;
 		fsi_close_fsimage;
 		fsi_file_exists;
diff --git a/tools/libfsimage/common/xenfsimage.h b/tools/libfsimage/common/xenfsimage.h
index 201abd54f2..341883b2d7 100644
--- a/tools/libfsimage/common/xenfsimage.h
+++ b/tools/libfsimage/common/xenfsimage.h
@@ -35,6 +35,14 @@ extern C {
 typedef struct fsi fsi_t;
 typedef struct fsi_file fsi_file_t;
 
+/*
+ * Optional initialization function. If invoked it loads the associated
+ * dynamic libraries for the backends ahead of time. This is required if
+ * the library is to run as part of a highly deprivileged executable, as
+ * the libraries may not be reachable after depriv.
+ */
+int fsi_init(void);
+
 fsi_t *fsi_open_fsimage(const char *, uint64_t, const char *);
 void fsi_close_fsimage(fsi_t *);
 
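Review bot: the new comment above `int fsi_init(void);` does not say what the return value means, while find_plugin() treats any non-zero result as failure. Document "returns 0 on success, non-zero on failure" here, and mention that the plugin directory is taken from XEN_FSIMAGE_FSDIR when set, since callers must invoke this before dropping privileges.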
diff --git a/tools/pygrub/src/fsimage/fsimage.c b/tools/pygrub/src/fsimage/fsimage.c
index 2ebbbe35df..92fbf2851f 100644
--- a/tools/pygrub/src/fsimage/fsimage.c
+++ b/tools/pygrub/src/fsimage/fsimage.c
@@ -286,6 +286,15 @@ fsimage_getbootstring(PyObject *o, PyObject *args)
 	return Py_BuildValue("s", bootstring);
 }
 
+static PyObject *
+fsimage_init(PyObject *o, PyObject *args)
+{
+	if (!PyArg_ParseTuple(args, ""))
+		return (NULL);
+
+	return Py_BuildValue("i", fsi_init());
+}
+
 PyDoc_STRVAR(fsimage_open__doc__,
     "open(name, [offset=off]) - Open the given file as a filesystem image.\n"
     "\n"
@@ -297,7 +306,13 @@ PyDoc_STRVAR(fsimage_getbootstring__doc__,
     "getbootstring(fs) - Return the boot string needed for this file system "
     "or NULL if none is needed.\n");
 
+PyDoc_STRVAR(fsimage_init__doc__,
+    "init() - Loads every dynamic library contained in xenfsimage "
+    "into memory so that it can be used in chrooted environments.\n");
+
 static struct PyMethodDef fsimage_module_methods[] = {
+	{ "init", (PyCFunction)fsimage_init,
+	    METH_VARARGS, fsimage_init__doc__ },
 	{ "open", (PyCFunction)fsimage_open,
 	    METH_VARARGS|METH_KEYWORDS, fsimage_open__doc__ },
 	{ "getbootstring", (PyCFunction)fsimage_getbootstring,
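Review bot: fsimage_init__doc__ does not say what init() returns, and the wrapper passes fsi_init()'s int straight back, so a Python caller that ignores the result will continue after a failed preload. Either document that 0 means success or raise an exception on non-zero. Since the function takes no arguments, the table entry could also use METH_NOARGS instead of METH_VARARGS with an empty PyArg_ParseTuple() format.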
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:44 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] tools/pygrub: Deprivilege pygrub
Message-Id: <E1qqgqp-0005bz-GZ@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:43 +0000

commit 9a502b6b71665e0a876c33f49cd3e81ee0b0a935
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:25 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:30:18 2023 +0100

    tools/pygrub: Deprivilege pygrub
    
    Introduce a --runas=<uid> flag to deprivilege pygrub on Linux and *BSDs. It
    also implicitly creates a chroot env where it drops a deprivileged forked
    process. The chroot itself is cleaned up at the end.
    
    If the --runas arg is present, then pygrub forks, leaving the child to
    deprivilege itself, and waiting for it to complete. When the child exits,
    the parent performs cleanup and exits with the same error code.
    
    This is roughly what the child does:
      1. Initialize libfsimage (this loads every .so in memory so the chroot
         can avoid bind-mounting /{,usr}/lib*)
      2. Create a temporary empty chroot directory
      3. Mount tmpfs in it
      4. Bind mount the disk inside, because libfsimage expects a path, not a
         file descriptor.
      5. Remount the root tmpfs to be stricter (ro,nosuid,nodev)
      6. Set RLIMIT_FSIZE to a sensibly high amount (128 MiB)
      7. Depriv gid, groups and uid
    
    With this scheme in place, the "output" files are writable (up to
    RLIMIT_FSIZE octets) and the exposed filesystem is immutable and contains
    the single only file we can't easily get rid of (the disk).
    
    If running on Linux, the child process also unshares mount, IPC, and
    network namespaces before dropping its privileges.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit e0342ae5556f2b6e2db50701b8a0679a45822ca6)
---
 tools/pygrub/setup.py   |   2 +-
 tools/pygrub/src/pygrub | 162 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 154 insertions(+), 10 deletions(-)

diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
index b8f1dc4590..f16187b6d1 100644
--- a/tools/pygrub/setup.py
+++ b/tools/pygrub/setup.py
@@ -17,7 +17,7 @@ xenfsimage = Extension("xenfsimage",
 pkgs = [ 'grub' ]
 
 setup(name='pygrub',
-      version='0.6',
+      version='0.7',
       description='Boot loader that looks a lot like grub for Xen',
       author='Jeremy Katz',
       author_email='katzj@redhat.com',
diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 91e2ec2ab1..7cea496ade 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -16,8 +16,11 @@ from __future__ import print_function
 
 import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
+import ctypes, ctypes.util
 import logging
 import platform
+import resource
+import subprocess
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -27,10 +30,135 @@ import grub.GrubConf
 import grub.LiloConf
 import grub.ExtLinuxConf
 
-PYGRUB_VER = 0.6
+PYGRUB_VER = 0.7
 FS_READ_MAX = 1024 * 1024
 SECTOR_SIZE = 512
 
+# Unless provided through the env variable PYGRUB_MAX_FILE_SIZE_MB, then
+# this is the maximum filesize allowed for files written by the depriv
+# pygrub
+LIMIT_FSIZE = 128 << 20
+
+CLONE_NEWNS = 0x00020000 # mount namespace
+CLONE_NEWNET = 0x40000000 # network namespace
+CLONE_NEWIPC = 0x08000000 # IPC namespace
+
+def unshare(flags):
+    if not sys.platform.startswith("linux"):
+        print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)
+        return
+
+    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
+    unshare_prototype = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, use_errno=True)
+    unshare = unshare_prototype(('unshare', libc))
+
+    if unshare(flags) < 0:
+        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
+
+def bind_mount(src, dst, options):
+    open(dst, "a").close() # touch
+
+    rc = subprocess.call(["mount", "--bind", "-o", options, src, dst])
+    if rc != 0:
+        raise RuntimeError("bad_mount: src=%s dst=%s opts=%s" %
+                           (src, dst, options))
+
+def downgrade_rlimits():
+    # Wipe the authority to use unrequired resources
+    resource.setrlimit(resource.RLIMIT_NPROC,    (0, 0))
+    resource.setrlimit(resource.RLIMIT_CORE,     (0, 0))
+    resource.setrlimit(resource.RLIMIT_MEMLOCK,  (0, 0))
+
+    # py2's resource module doesn't know about resource.RLIMIT_MSGQUEUE
+    #
+    # TODO: Use resource.RLIMIT_MSGQUEUE after python2 is deprecated
+    if sys.platform.startswith('linux'):
+        RLIMIT_MSGQUEUE = 12
+        resource.setrlimit(RLIMIT_MSGQUEUE, (0, 0))
+
+    # The final look of the filesystem for this process is fully RO, but
+    # note we have some file descriptor already open (notably, kernel and
+    # ramdisk). In order to avoid a compromised pygrub from filling up the
+    # filesystem we set RLIMIT_FSIZE to a high bound, so that the file
+    # write permissions are bound.
+    fsize = LIMIT_FSIZE
+    if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys():
+        fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20
+
+    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
+
+def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
+    # The only point of this call is to force the loading of libfsimage.
+    # That way, we don't need to bind-mount it into the chroot
+    rc = xenfsimage.init()
+    if rc != 0:
+        os.unlink(path_ramdisk)
+        os.unlink(path_kernel)
+        raise RuntimeError("bad_xenfsimage: rc=%d" % rc)
+
+    # Create a temporary directory for the chroot
+    chroot = tempfile.mkdtemp(prefix=str(uid)+'-', dir=output_directory) + '/'
+    device_path = '/device'
+
+    pid = os.fork()
+    if pid:
+        # parent
+        _, rc = os.waitpid(pid, 0)
+
+        for path in [path_kernel, path_ramdisk]:
+            # If the child didn't write anything, just get rid of it,
+            # otherwise we end up consuming a 0-size file when parsing
+            # systems without a ramdisk that the ultimate caller of pygrub
+            # may just be unaware of
+            if rc != 0 or os.path.getsize(path) == 0:
+                os.unlink(path)
+
+        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
+        # However, this syscall doesn't exist in *BSD systems and doesn't
+        # auto-unmount everything on older Linux kernels (At least as of
+        # Linux 4.19, but it seems fixed in 5.15). Either way,
+        # recursively unmount everything if needed. Quietly.
+        with open('/dev/null', 'w') as devnull:
+            subprocess.call(["umount", "-f", chroot + device_path],
+                            stdout=devnull, stderr=devnull)
+            subprocess.call(["umount", "-f", chroot],
+                            stdout=devnull, stderr=devnull)
+        os.rmdir(chroot)
+
+        sys.exit(rc)
+
+    # By unsharing the namespace we're making sure it's all bulk-released
+    # at the end, when the namespaces disappear. This means the kernel does
+    # (almost) all the cleanup for us and the parent just has to remove the
+    # temporary directory.
+    unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET)
+
+    # Set sensible limits using the setrlimit interface
+    downgrade_rlimits()
+
+    # We'll mount tmpfs on the chroot to ensure the deprivileged child
+    # cannot affect the persistent state. It's RW now in order to
+    # bind-mount the device, but note it's remounted RO after that.
+    rc = subprocess.call(["mount", "-t", "tmpfs", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("mount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Bind the untrusted device RO
+    bind_mount(device, chroot + device_path, "ro,nosuid,noexec")
+
+    rc = subprocess.call(["mount", "-t", "tmpfs", "-o", "remount,ro,nosuid,noexec,nodev", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("remount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Drop superpowers!
+    os.chroot(chroot)
+    os.chdir('/')
+    os.setgid(uid)
+    os.setgroups([uid])
+    os.setuid(uid)
+
+    return device_path
+
 def read_size_roundup(fd, size):
     if platform.system() != 'FreeBSD':
         return size
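Review bot: In downgrade_rlimits(), `fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20` shifts a str, so setting the variable raises TypeError before any limit is applied; convert with int() and reject non-numeric or non-positive values with a clear error. In the parent branch of depriv(), `_, rc = os.waitpid(pid, 0)` yields the encoded wait status rather than the exit code, and `sys.exit(rc)` truncates it to 8 bits, so a child that exits with code 1 (status 256) makes the parent exit 0; decode it with os.WIFEXITED()/os.WEXITSTATUS() and map a signal death to a non-zero code. The print() in unshare() passes sys.platform as a second argument instead of using the % operator, so the literal "%s" is printed. Finally, `os.setgid(uid)` and `os.setgroups([uid])` assume a group with the same numeric id as the user; that assumption deserves a comment or a separate gid parameter.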
@@ -736,7 +864,7 @@ if __name__ == "__main__":
     sel = None
     
     def usage():
-        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--runas=] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
     def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
@@ -760,7 +888,8 @@ if __name__ == "__main__":
                 os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.unlink(path_dst)
+                if path_dst:
+                    os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
@@ -769,7 +898,7 @@ if __name__ == "__main__":
         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qilnh::',
                                    ["quiet", "interactive", "list-entries", "not-really", "help",
                                     "output=", "output-format=", "output-directory=", "offset=",
-                                    "entry=", "kernel=", 
+                                    "runas=", "entry=", "kernel=",
                                     "ramdisk=", "args=", "isconfig", "debug"])
     except getopt.GetoptError:
         usage()
@@ -790,6 +919,7 @@ if __name__ == "__main__":
     not_really = False
     output_format = "sxp"
     output_directory = "/var/run/xen/pygrub/"
+    uid = None
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -813,6 +943,13 @@ if __name__ == "__main__":
         elif o in ("--output",):
             if a != "-":
                 output = a
+        elif o in ("--runas",):
+            try:
+                uid = int(a)
+            except ValueError:
+                print("runas value must be an integer user id")
+                usage()
+                sys.exit(1)
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
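Review bot: `uid = int(a)` accepts 0 and negative numbers, and the later checks in this patch (`if interactive and uid:` and `if uid:`) test truthiness, so `--runas=0` is indistinguishable from the option being absent and pygrub silently runs without the depriv step. Reject values <= 0 here and test `uid is not None` at the call sites. The error message is also printed to stdout, while the other diagnostics added by this patch use file=sys.stderr.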
@@ -849,6 +986,10 @@ if __name__ == "__main__":
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
+    if interactive and uid:
+        print("In order to use --runas, you must also set --entry or -q", file=sys.stderr)
+        sys.exit(1)
+
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
@@ -870,6 +1011,9 @@ if __name__ == "__main__":
     else:
         fd = os.open(output, os.O_WRONLY)
 
+    if uid:
+        file = depriv(output_directory, output, file, uid, path_kernel, path_ramdisk)
+
     # debug
     if isconfig:
         chosencfg = run_grub(file, entry, fs, incfg["args"])
@@ -925,21 +1069,21 @@ if __name__ == "__main__":
         raise RuntimeError("Unable to find partition containing kernel")
 
     copy_from_image(fs, chosencfg["kernel"], "kernel",
-                    fd_kernel, path_kernel, not_really)
+                    fd_kernel, None if uid else path_kernel, not_really)
     bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
             copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
-                            fd_ramdisk, path_ramdisk, not_really)
+                            fd_ramdisk, None if uid else path_ramdisk, not_really)
         except:
-            if not not_really:
-                os.unlink(path_kernel)
+            if not uid and not not_really:
+                    os.unlink(path_kernel)
             raise
         bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
-        if not not_really:
+        if not uid and not not_really:
             os.unlink(path_ramdisk)
 
     args = None
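Review bot: Style point in the ramdisk except branch: the new `os.unlink(path_kernel)` under `if not uid and not not_really:` is indented two levels instead of one. Python accepts it, but it is inconsistent with the rest of the file and with the equivalent `os.unlink(path_ramdisk)` a few lines below. A short comment that the forked parent in depriv() owns the cleanup when uid is set would also help readers of these three `uid` conditions.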
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:34:54 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 11 Oct 2023 21:34:54 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615657.956968 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqgr0-0000eK-LL; Wed, 11 Oct 2023 21:34:54 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615657.956968; Wed, 11 Oct 2023 21:34:54 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqgr0-0000eD-Io; Wed, 11 Oct 2023 21:34:54 +0000
Received: by outflank-mailman (input) for mailman id 615657;
 Wed, 11 Oct 2023 21:34:53 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgqz-0000dk-Lk
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:34:53 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgqz-0000uI-Ks
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:34:53 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgqz-0005cq-K6
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:34:53 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=v8zWbmWvzRLmoWxztAccfW+KW8CQjmgMeZFRygBcN3I=; b=vLMlxTKXi1r7fsZNHuANBHgDVQ
	4LlIcajWDxZx/6cOF7RXKsOTthVVOtMVsVy/aLvByjTCN3i+kTD5zYu52lm6U6mHWakfmGP2Ty5Jf
	zy3OX0jIifAFP7zxigGDRku1re7uk45FfbcUXqCZb5Vmnyfg0AJo3QHfhxaYQ1brYDNc=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libxl: add support for running bootloader in restricted mode
Message-Id: <E1qqgqz-0005cq-K6@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:34:53 +0000

commit 75aa1c977d116acb16dc3715864f92681f86cfb9
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Mon Sep 25 14:30:20 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:57:07 2023 +0200

    libxl: add support for running bootloader in restricted mode
    
    Much like the device model depriv mode, add the same kind of support for the
    bootloader.  Such feature allows passing a UID as a parameter for the
    bootloader to run as, together with the bootloader itself taking the necessary
    actions to isolate.
    
    Note that the user to run the bootloader as must have the right permissions to
    access the guest disk image (in read mode only), and that the bootloader will
    be run in non-interactive mode when restricted.
    
    If enabled bootloader restrict mode will attempt to re-use the user(s) from the
    QEMU depriv implementation if no user is provided on the configuration file or
    the environment.  See docs/features/qemu-deprivilege.pandoc for more
    information about how to set up those users.
    
    Bootloader restrict mode is not enabled by default as it requires certain
    setup to be done first (setup of the user(s) to use in restrict mode).
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 1f762642d2cad1a40634e3280361928109d902f1)
---
 docs/man/xl.1.pod.in                | 33 ++++++++++++++
 tools/libs/light/libxl_bootloader.c | 89 +++++++++++++++++++++++++++++++++++--
 tools/libs/light/libxl_dm.c         |  8 ++--
 tools/libs/light/libxl_internal.h   |  8 ++++
 4 files changed, 131 insertions(+), 7 deletions(-)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 45e1430aeb..96e6fb1c32 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1976,6 +1976,39 @@ ignored:
 
 =back
 
+=head1 ENVIRONMENT VARIABLES
+
+The following environment variables shall affect the execution of xl:
+
+=over 4
+
+=item LIBXL_BOOTLOADER_RESTRICT
+
+Attempt to restrict the bootloader after startup, to limit the
+consequences of security vulnerabilities due to parsing guest
+owned image files.
+
+See docs/features/qemu-deprivilege.pandoc for more information
+on how to setup the unprivileged users.
+
+Note that running the bootloader in restricted mode also implies using
+non-interactive mode, and the disk image must be readable by the
+restricted user.
+
+Having this variable set is equivalent to enabling the option, even if the
+value is 0.
+
+=item LIBXL_BOOTLOADER_USER
+
+When using bootloader_restrict, run the bootloader as this user.  If
+not set the default QEMU restrict users will be used.
+
+NOTE: Each domain MUST have a SEPARATE username.
+
+See docs/features/qemu-deprivilege.pandoc for more information.
+
+=back
+
 =head1 SEE ALSO
 
 The following man pages:
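Review bot: Documentation gap in the LIBXL_BOOTLOADER_USER item: "When using bootloader_restrict" names an option this patch does not define, and the text does not say that setting LIBXL_BOOTLOADER_USER on its own enables restricted mode, which is what the `getenv("LIBXL_BOOTLOADER_RESTRICT") || getenv("LIBXL_BOOTLOADER_USER")` test in libxl_bootloader.c does. Refer to LIBXL_BOOTLOADER_RESTRICT by name and state that either variable turns the mode on. The LIBXL_BOOTLOADER_RESTRICT item should also say what happens when no suitable user exists (domain creation fails with an error rather than falling back to an unrestricted bootloader).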
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 18e9ebd714..97d9bf4ddc 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -14,6 +14,7 @@
 
 #include "libxl_osdeps.h" /* must come before any other headers */
 
+#include <pwd.h>
 #include <termios.h>
 #ifdef HAVE_UTMP_H
 #include <utmp.h>
@@ -46,8 +47,71 @@ static void bootloader_arg(libxl__bootloader_state *bl, const char *arg)
     bl->args[bl->nargs++] = arg;
 }
 
-static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
-                                 const char *bootloader_path)
+static int bootloader_uid(libxl__gc *gc, domid_t guest_domid,
+                          const char *user, uid_t *intended_uid)
+{
+    struct passwd *user_base, user_pwbuf;
+    int rc;
+
+    if (user) {
+        rc = userlookup_helper_getpwnam(gc, user, &user_pwbuf, &user_base);
+        if (rc) return rc;
+
+        if (!user_base) {
+            LOGD(ERROR, guest_domid, "Couldn't find user %s", user);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = user_base->pw_uid;
+        return 0;
+    }
+
+    /* Re-use QEMU user range for the bootloader. */
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
+                                    &user_pwbuf, &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        struct passwd *user_clash, user_clash_pwbuf;
+        uid_t temp_uid = user_base->pw_uid + guest_domid;
+
+        rc = userlookup_helper_getpwuid(gc, temp_uid, &user_clash_pwbuf,
+                                        &user_clash);
+        if (rc) return rc;
+
+        if (user_clash) {
+            LOGD(ERROR, guest_domid,
+                 "wanted to use uid %ld (%s + %d) but that is user %s !",
+                 (long)temp_uid, LIBXL_QEMU_USER_RANGE_BASE,
+                 guest_domid, user_clash->pw_name);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = temp_uid;
+        return 0;
+    }
+
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_SHARED, &user_pwbuf,
+                                    &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
+             LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
+        *intended_uid = user_base->pw_uid;
+
+        return 0;
+    }
+
+    LOGD(ERROR, guest_domid,
+    "Could not find user %s or range base pseudo-user %s, cannot restrict",
+         LIBXL_QEMU_USER_SHARED, LIBXL_QEMU_USER_RANGE_BASE);
+
+    return ERROR_INVAL;
+}
+
+static int make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+                                const char *bootloader_path)
 {
     const libxl_domain_build_info *info = bl->info;
 
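Review bot: In bootloader_uid(), the fallback to LIBXL_QEMU_USER_SHARED only logs at WARN level and then runs every guest's bootloader under the same uid, which conflicts with the man page text added in this patch ("Each domain MUST have a SEPARATE username"). Either document the weaker isolation of the shared fallback for the bootloader case or make it opt-in. In the range-base path, `user_base->pw_uid + guest_domid` is computed without a wrap check; and the format string of the final LOGD(ERROR, ...) call is not aligned with its other arguments.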
@@ -65,6 +129,23 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
         ARG(GCSPRINTF("--ramdisk=%s", info->ramdisk));
     if (info->cmdline && *info->cmdline != '\0')
         ARG(GCSPRINTF("--args=%s", info->cmdline));
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        uid_t uid = -1;
+        int rc = bootloader_uid(gc, bl->domid, getenv("LIBXL_BOOTLOADER_USER"),
+                                &uid);
+
+        if (rc) return rc;
+
+        assert(uid != -1);
+        if (!uid) {
+            LOGD(ERROR, bl->domid, "bootloader restrict UID is 0 (root)!");
+            return ERROR_INVAL;
+        }
+        LOGD(DEBUG, bl->domid, "using uid %ld", (long)uid);
+        ARG(GCSPRINTF("--runas=%ld", (long)uid));
+        ARG("--quiet");
+    }
 
     ARG(GCSPRINTF("--output=%s", bl->outputpath));
     ARG("--output-format=simple0");
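Review bot: The `--runas=` and `--quiet` arguments are appended for whatever bootloader_path points to, so a configured bootloader other than pygrub receives options it may not understand, or may accept and ignore while running unrestricted. Note in the documentation that the bootloader must implement `--runas`, or gate the arguments on a known bootloader. Minor: `uid_t uid = -1` followed by `assert(uid != -1)` relies on implicit signed to unsigned conversion; writing `(uid_t)-1` in both places makes the intent explicit and avoids sign-compare warnings. The two getenv("LIBXL_BOOTLOADER_USER") calls could share one local.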
@@ -83,6 +164,7 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
     /* Sentinel for execv */
     ARG(NULL);
 
+    return 0;
 #undef ARG
 }
 
@@ -447,7 +529,8 @@ static void bootloader_disk_attached_cb(libxl__egc *egc,
             bootloader = bltmp;
     }
 
-    make_bootloader_args(gc, bl, bootloader);
+    rc = make_bootloader_args(gc, bl, bootloader);
+    if (rc) goto out;
 
     bl->openpty.ao = ao;
     bl->openpty.callback = bootloader_gotptys;
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index b86e8ccc85..59de5c1ae2 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -80,10 +80,10 @@ static int libxl__create_qemu_logfile(libxl__gc *gc, char *name)
  *  On error, return a libxl-style error code.
  */
 #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF)     \
-    static int userlookup_helper_##NAME(libxl__gc *gc,                  \
-                                        SPEC_TYPE spec,                 \
-                                        struct STRUCTNAME *resultbuf,   \
-                                        struct STRUCTNAME **out)        \
+    int userlookup_helper_##NAME(libxl__gc *gc,                         \
+                                 SPEC_TYPE spec,                        \
+                                 struct STRUCTNAME *resultbuf,          \
+                                 struct STRUCTNAME **out)               \
     {                                                                   \
         struct STRUCTNAME *resultp = NULL;                              \
         char *buf = NULL;                                               \
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index cc27c72ecf..8415d1feed 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -4864,6 +4864,14 @@ struct libxl__cpu_policy {
     struct xc_msr *msr;
 };
 
+struct passwd;
+_hidden int userlookup_helper_getpwnam(libxl__gc*, const char *user,
+                                       struct passwd *res,
+                                       struct passwd **out);
+_hidden int userlookup_helper_getpwuid(libxl__gc*, uid_t uid,
+                                       struct passwd *res,
+                                       struct passwd **out);
+
 #endif
 
 /*
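Review bot: Naming point for the new declarations: userlookup_helper_getpwnam() and userlookup_helper_getpwuid() now have external linkage inside the library but lack the `libxl__` prefix used by the other internal symbols touched in this patch (libxl__gc, libxl__ev_child_fork, ...). Renaming them to libxl__userlookup_helper_* when dropping `static` keeps the internal namespace consistent; a one-line comment above the prototypes pointing at DEFINE_USERLOOKUP_HELPER in libxl_dm.c would also help, since the definitions are macro-generated and hard to grep for.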
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:35:04 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 11 Oct 2023 21:35:04 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615658.956973 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqgrA-0000hO-Mx; Wed, 11 Oct 2023 21:35:04 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615658.956973; Wed, 11 Oct 2023 21:35:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqgrA-0000hG-KJ; Wed, 11 Oct 2023 21:35:04 +0000
Received: by outflank-mailman (input) for mailman id 615658;
 Wed, 11 Oct 2023 21:35:03 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgr9-0000h9-PH
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:35:03 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgr9-0000uh-OS
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:35:03 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqgr9-0005dv-NZ
 for xen-changelog@lists.xenproject.org; Wed, 11 Oct 2023 21:35:03 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=QBsmhfsIpVUvs2wgnT40PJnCGG1ZcHk/8uHJyWXSEv4=; b=LqTk6Sho9NCk2FQtZWkC3wPGR3
	Ym8zsqKNsHFwBSq2FaAGKQqipbtqNsrJX0SHgsxe95tfphuzrtyV55RYHZV8T1qhs5tLPMbR/lz48
	ac53WzLj/J2I4yKQD1eqsvHN1JAsdYz1yPbeKtmo43o+j9+hYKYQraeY9dJHXPR59/t0=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] libxl: limit bootloader execution in restricted mode
Message-Id: <E1qqgr9-0005dv-NZ@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:35:03 +0000

commit c84412457d3507816b5f8e988a9c8dcc4010e984
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Thu Sep 28 12:22:35 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:57:07 2023 +0200

    libxl: limit bootloader execution in restricted mode
    
    Introduce a timeout for bootloader execution when running in restricted mode.
    
    Allow overwriting the default time out with an environment provided value.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 9c114178ffd700112e91f5ec66cf5151b9c9a8cc)
---
 docs/man/xl.1.pod.in                |  8 ++++++++
 tools/libs/light/libxl_bootloader.c | 40 +++++++++++++++++++++++++++++++++++++
 tools/libs/light/libxl_internal.h   |  2 ++
 3 files changed, 50 insertions(+)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 96e6fb1c32..8f056450a7 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -2007,6 +2007,14 @@ NOTE: Each domain MUST have a SEPARATE username.
 
 See docs/features/qemu-deprivilege.pandoc for more information.
 
+=item LIBXL_BOOTLOADER_TIMEOUT
+
+Timeout in seconds for bootloader execution when running in restricted mode.
+Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used.
+
+If defined the value must be an unsigned integer between 0 and INT_MAX,
+otherwise behavior is undefined.  Setting to 0 disables the timeout.
+
 =back
 
 =head1 SEE ALSO
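Review bot: Documentation wording in the LIBXL_BOOTLOADER_TIMEOUT item: the sentence starting "Otherwise" has no preceding condition, and using the same name for the environment variable and the build-time macro makes it read as self-referential. Something like "If not set, the build-time default of 120 seconds is used" (the value defined in libxl_internal.h by this patch) is clearer. The stated range of 0 to INT_MAX also does not match the code, which multiplies the value by 1000 in an int; see the note on the bootloader_gotptys() hunk.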
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 97d9bf4ddc..3ca6463e5f 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -34,6 +34,8 @@ static void bootloader_keystrokes_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
 static void bootloader_display_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc);
 static void bootloader_domaindeath(libxl__egc*, libxl__domaindeathcheck *dc,
                                    int rc);
 static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
@@ -301,6 +303,7 @@ void libxl__bootloader_init(libxl__bootloader_state *bl)
     bl->ptys[0].master = bl->ptys[0].slave = 0;
     bl->ptys[1].master = bl->ptys[1].slave = 0;
     libxl__ev_child_init(&bl->child);
+    libxl__ev_time_init(&bl->time);
     libxl__domaindeathcheck_init(&bl->deathcheck);
     bl->keystrokes.ao = bl->ao;  libxl__datacopier_init(&bl->keystrokes);
     bl->display.ao = bl->ao;     libxl__datacopier_init(&bl->display);
@@ -318,6 +321,7 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
     libxl__domaindeathcheck_stop(gc,&bl->deathcheck);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     for (i=0; i<2; i++) {
         libxl__carefd_close(bl->ptys[i].master);
         libxl__carefd_close(bl->ptys[i].slave);
@@ -379,6 +383,7 @@ static void bootloader_stop(libxl__egc *egc,
 
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     if (libxl__ev_child_inuse(&bl->child)) {
         r = kill(bl->child.pid, SIGTERM);
         if (r) LOGED(WARN, bl->domid, "%sfailed to kill bootloader [%lu]",
@@ -641,6 +646,25 @@ static void bootloader_gotptys(libxl__egc *egc, libxl__openpty_state *op)
 
     struct termios termattr;
 
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        const char *timeout_env = getenv("LIBXL_BOOTLOADER_TIMEOUT");
+        int timeout = timeout_env ? atoi(timeout_env)
+                                  : LIBXL_BOOTLOADER_TIMEOUT;
+
+        if (timeout) {
+            /* Set execution timeout */
+            rc = libxl__ev_time_register_rel(ao, &bl->time,
+                                            bootloader_timeout,
+                                            timeout * 1000);
+            if (rc) {
+                LOGED(ERROR, bl->domid,
+                      "unable to register timeout for bootloader execution");
+                goto out;
+            }
+        }
+    }
+
     pid_t pid = libxl__ev_child_fork(gc, &bl->child, bootloader_finished);
     if (pid == -1) {
         rc = ERROR_FAIL;
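Review bot: Input validation is missing in bootloader_gotptys(): `atoi(timeout_env)` returns 0 for non-numeric input, which silently disables the timeout, and accepts negative values, which are passed on to libxl__ev_time_register_rel(). `timeout * 1000` also overflows int for any value above INT_MAX / 1000, although the man page allows up to INT_MAX. Parse with strtol(), check errno and the end pointer, reject negative values, and bound the result before the multiplication; failing domain creation on a malformed value is safer than running without a timeout. The same two-getenv condition is duplicated from make_bootloader_args(); a small helper would keep the two in step.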
@@ -706,6 +730,21 @@ static void bootloader_display_copyfail(libxl__egc *egc,
     libxl__bootloader_state *bl = CONTAINER_OF(dc, *bl, display);
     bootloader_copyfail(egc, "bootloader output", bl, 1, rc,onwrite,errnoval);
 }
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc)
+{
+    libxl__bootloader_state *bl = CONTAINER_OF(ev, *bl, time);
+    STATE_AO_GC(bl->ao);
+
+    libxl__ev_time_deregister(gc, &bl->time);
+
+    assert(libxl__ev_child_inuse(&bl->child));
+    LOGD(ERROR, bl->domid, "killing bootloader because of timeout");
+
+    libxl__ev_child_kill_deregister(ao, &bl->child, SIGKILL);
+
+    bootloader_callback(egc, bl, rc);
+}
 
 static void bootloader_domaindeath(libxl__egc *egc,
                                    libxl__domaindeathcheck *dc,
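Review bot: bootloader_timeout() logs "killing bootloader because of timeout" without looking at its `rc` argument, then forwards that rc to bootloader_callback(); if the timer callback can be invoked with anything other than a timeout result, the message is misleading. Include rc in the log line or branch on it. The `assert(libxl__ev_child_inuse(&bl->child))` depends on the timer never firing before the fork in bootloader_gotptys() completes, which deserves a comment since the timer is registered before the child exists. Style: a blank line is missing between the closing brace of bootloader_display_copyfail() and the new function.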
@@ -722,6 +761,7 @@ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
     STATE_AO_GC(bl->ao);
     int rc;
 
+    libxl__ev_time_deregister(gc, &bl->time);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
 
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index 8415d1feed..a9581289f4 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -103,6 +103,7 @@
 #define LIBXL_QMP_CMD_TIMEOUT 10
 #define LIBXL_STUBDOM_START_TIMEOUT 30
 #define LIBXL_QEMU_BODGE_TIMEOUT 2
+#define LIBXL_BOOTLOADER_TIMEOUT 120
 #define LIBXL_XENCONSOLE_LIMIT 1048576
 #define LIBXL_XENCONSOLE_PROTOCOL "vt100"
 #define LIBXL_MAXMEM_CONSTANT 1024
@@ -3738,6 +3739,7 @@ struct libxl__bootloader_state {
     libxl__openpty_state openpty;
     libxl__openpty_result ptys[2];  /* [0] is for bootloader */
     libxl__ev_child child;
+    libxl__ev_time time;
     libxl__domaindeathcheck deathcheck;
     int nargs, argsspace;
     const char **args;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:35:14 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] x86/svm: Fix asymmetry with AMD DR MASK context switching
Message-Id: <E1qqgrJ-0005eu-R2@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:35:13 +0000

commit 1f0d217f054b4b9f2d2990dc8721488ca550c5a4
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:15:50 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:57:09 2023 +0200

    x86/svm: Fix asymmetry with AMD DR MASK context switching
    
    The handling of MSR_DR{0..3}_MASK is asymmetric between PV and HVM guests.
    
    HVM guests context switch in based on the guest view of DBEXT, whereas PV
    guests switch in based on the host capability.  Both guest types leave the
    context dirty for the next vCPU.
    
    This leads to the following issue:
    
     * PV or HVM vCPU has debugging active (%dr7 + mask)
     * Switch out deactivates %dr7 but leaves other state stale in hardware
     * HVM vCPU with debugging active but can't see DBEXT is switched in
     * Switch in loads %dr7 but leaves the mask MSRs alone
    
    Now, the HVM vCPU is operating in the context of the prior vCPU's mask MSR,
    and furthermore in a case where it genuinely expects there to be no masking
    MSRs.
    
    As a stopgap, adjust the HVM path to switch in/out the masks based on host
    capabilities rather than guest visibility (i.e. like the PV path).  Adjustment
    of the intercepts still needs to be dependent on the guest visibility
    of DBEXT.
    
    This is part of XSA-444 / CVE-2023-34327
    
    Fixes: c097f54912d3 ("x86/SVM: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit 5d54282f984bb9a7a65b3d12208584f9fdf1c8e1)
---
 xen/arch/x86/hvm/svm/svm.c | 24 ++++++++++++++++++------
 xen/arch/x86/traps.c       |  5 +++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index 1c5c086fb8..ba17bfe97a 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -185,6 +185,10 @@ static void svm_save_dr(struct vcpu *v)
     v->arch.hvm.flag_dr_dirty = 0;
     vmcb_set_dr_intercepts(vmcb, ~0u);
 
+    /*
+     * The guest can only have changed the mask MSRs if we previous dropped
+     * intercepts.  Re-read them from hardware.
+     */
     if ( v->domain->arch.cpuid->extd.dbext )
     {
         svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_RW);
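Review bot: in the comment added to svm_save_dr(), "if we previous dropped intercepts" should read "previously". The comment says the masks are re-read from hardware, yet the visible condition below it is still the guest's cpuid dbext bit; please state that this is intended because intercepts are only dropped for guests that can see DBEXT, so the reader does not have to infer it from the restore path.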
@@ -216,17 +220,25 @@ static void __restore_debug_registers(struct vmcb_struct *vmcb, struct vcpu *v)
 
     ASSERT(v == current);
 
-    if ( v->domain->arch.cpuid->extd.dbext )
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
+    if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
-        svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, v->arch.msrs->dr_mask[0]);
         wrmsrl(MSR_AMD64_DR1_ADDRESS_MASK, v->arch.msrs->dr_mask[1]);
         wrmsrl(MSR_AMD64_DR2_ADDRESS_MASK, v->arch.msrs->dr_mask[2]);
         wrmsrl(MSR_AMD64_DR3_ADDRESS_MASK, v->arch.msrs->dr_mask[3]);
+
+        if ( v->domain->arch.cpuid->extd.dbext )
+        {
+            svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+        }
     }
 
     write_debugreg(0, v->arch.dr[0]);
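Review bot: the wrmsrl() calls in __restore_debug_registers() now run for guests that cannot see DBEXT, so the fix depends on v->arch.msrs->dr_mask[] holding the right value (presumably zero) for those guests. The new comment should say where that guarantee comes from, or the values should be asserted, because a stale non-zero saved mask here would recreate the situation the commit message describes. As the commit message calls this a stopgap, a short note on what the final form is expected to be would also help later readers.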
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 71dae00428..df97ee6c4f 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2202,6 +2202,11 @@ void activate_debugregs(const struct vcpu *curr)
     if ( curr->arch.dr7 & DR7_ACTIVE_MASK )
         write_debugreg(7, curr->arch.dr7);
 
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
     if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, curr->arch.msrs->dr_mask[0]);
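Review bot: the comment added in activate_debugregs() is a word-for-word copy of the one added to __restore_debug_registers() in svm.c. Since the bug was the PV and HVM paths drifting apart, a single shared helper that writes the four DR address mask MSRs, called from both places, would keep one copy of the logic and of the comment and make a future asymmetry harder to introduce.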
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Wed Oct 11 21:35:25 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.15] x86/pv: Correct the auditing of guest breakpoint addresses
Message-Id: <E1qqgrT-0005fb-Ty@xenbits.xenproject.org>
Date: Wed, 11 Oct 2023 21:35:23 +0000

commit 4a4daf6bddbe8a741329df5cc8768f7dec664aed
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:15:50 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:57:09 2023 +0200

    x86/pv: Correct the auditing of guest breakpoint addresses
    
    The use of access_ok() is buggy, because it permits access to the compat
    translation area.  64bit PV guests don't use the XLAT area, but on AMD
    hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
    region, allowing the breakpoint to reach outside of the XLAT area.
    
    Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
    32-bit PV"), the live GDT was within 4G of the XLAT area.
    
    All together, this allowed a malicious 64bit PV guest on AMD hardware to place
    a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).
    
    Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
    appropriate check in this case.
    
    For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
    to be on its own with nothing interesting adjacent.  For Xen 4.13 and older on
    AMD hardware, this fixes a PV-trigger-able DoS.
    
    This is part of XSA-444 / CVE-2023-34328.
    
    Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit dc9d9aa62ddeb14abd5672690d30789829f58f7e)
---
 xen/arch/x86/pv/misc-hypercalls.c |  2 +-
 xen/include/asm-x86/debugreg.h    | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/pv/misc-hypercalls.c b/xen/arch/x86/pv/misc-hypercalls.c
index 3a4e4aa460..afdcd8f5d8 100644
--- a/xen/arch/x86/pv/misc-hypercalls.c
+++ b/xen/arch/x86/pv/misc-hypercalls.c
@@ -68,7 +68,7 @@ long set_debugreg(struct vcpu *v, unsigned int reg, unsigned long value)
     switch ( reg )
     {
     case 0 ... 3:
-        if ( !access_ok(value, sizeof(long)) )
+        if ( !breakpoint_addr_ok(value) )
             return -EPERM;
 
         v->arch.dr[reg] = value;
diff --git a/xen/include/asm-x86/debugreg.h b/xen/include/asm-x86/debugreg.h
index c57914efc6..cc29826524 100644
--- a/xen/include/asm-x86/debugreg.h
+++ b/xen/include/asm-x86/debugreg.h
@@ -77,6 +77,26 @@
     asm volatile ( "mov %%db" #reg ",%0" : "=r" (__val) );  \
     __val;                                                  \
 })
+
+/*
+ * Architecturally, %dr{0..3} can have any arbitrary value.  However, Xen
+ * can't allow the guest to breakpoint the Xen address range, so we limit the
+ * guest to the lower canonical half, or above the Xen range in the higher
+ * canonical half.
+ *
+ * Breakpoint lengths are specified to mask the low order address bits,
+ * meaning all breakpoints are naturally aligned.  With %dr7, the widest
+ * breakpoint is 8 bytes.  With DBEXT, the widest breakpoint is 4G.  Both of
+ * the Xen boundaries have >4G alignment.
+ *
+ * In principle we should account for HYPERVISOR_COMPAT_VIRT_START(d), but
+ * 64bit Xen has never enforced this for compat guests, and there's no problem
+ * (to Xen) if the guest breakpoints it's alias of the M2P.  Skipping this
+ * aspect simplifies the logic, and causes us not to reject a migrating guest
+ * which operated fine on prior versions of Xen.
+ */
+#define breakpoint_addr_ok(a) __addr_ok(a)
+
 long set_debugreg(struct vcpu *, unsigned int reg, unsigned long value);
 void activate_debugregs(const struct vcpu *);
 
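Review bot: breakpoint_addr_ok() is defined as a bare macro alias of __addr_ok(), so its argument gets no type checking and any later change to __addr_ok() silently changes the breakpoint policy that the comment justifies. If header dependencies allow, a static inline taking unsigned long would tie the contract to the comment above it. In that comment, "it's alias of the M2P" should be "its alias".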
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:11 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/xenstored: domain_entry_fix(): Handle conflicting transaction
Message-Id: <E1qqo94-0007it-43@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:02 +0000

commit c4e05c97f57d236040d1da5c1fbf6e3699dc86ea
Author:     Julien Grall <jgrall@amazon.com>
AuthorDate: Fri Sep 22 11:32:16 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/xenstored: domain_entry_fix(): Handle conflicting transaction
    
    The function domain_entry_fix() will be initially called to check if the
    quota is correct before attempting to commit any nodes. So it would be
    possible that accounting is temporarily negative. This is the case
    in the following sequence:
    
      1) Create 50 nodes
      2) Start two transactions
      3) Delete all the nodes in each transaction
      4) Commit the two transactions
    
    Because the first transaction will have succeeded and updated the
    accounting, there is no guarantee that 'd->nbentry + num' will still
    be above 0. So the assert() would be triggered.
    The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
    and fix per domain node accounting") with the assumption that the
    value can't be negative. As this is not true revert to the original
    check but restricted to the path where we don't update. Take the
    opportunity to explain the rationale behind the check.
    
    This is CVE-2023-34323 / XSA-440.
    
    Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index aa86892fed..6074df210c 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1094,10 +1094,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
 	}
 
 	cnt = d->nbentry + num;
-	assert(cnt >= 0);
 
-	if (update)
+	if (update) {
+		assert(cnt >= 0);
 		d->nbentry = cnt;
+	} else if (cnt < 0) {
+		/*
+		 * In a transaction when a node is being added/removed AND
+		 * the same node has been added/removed outside the
+		 * transaction in parallel, the result value may be negative.
+		 * This is no problem, as the transaction will fail due to
+		 * the resulting conflict. So override 'cnt'.
+		 */
+		cnt = 0;
+	}
 
 	return domid_is_unprivileged(domid) ? cnt : 0;
 }
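Review bot: assert(cnt >= 0) is kept on the update path of domain_entry_fix(), and in a build with NDEBUG a negative cnt would be stored in d->nbentry unchecked. Since this fix exists because the earlier assert could fire, the new comment should also explain why the update path can never see a negative value, or that path should handle the case explicitly instead of asserting.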
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
Message-Id: <E1qqo9E-0007jM-7g@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:12 +0000

commit 0d8f9f7f2706e8ad8dfff203173693b631339b86
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Tue Jun 13 15:01:05 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    iommu/amd-vi: flush IOMMU TLB when flushing the DTE
    
    The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
    3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
    malfunction (see stale DMA mappings) if some fields of the DTE are updated but
    the IOMMU TLB is not flushed. This has been observed in practice on AMD
    systems.  Due to the lack of guidance from the currently published
    specification this patch aims to increase the flushing done in order to prevent
    device malfunction.
    
    In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
    amd_iommu_flush_device(), flushing all the address space.  Note this requires
    callers to be adjusted in order to pass the DomID on the DTE previous to the
    modification.
    
    Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
    order to avoid the flush.  That's because the device had address translations
    disabled and hence the previous DomID on the DTE is not valid.  Note the
    current logic relies on the entity disabling address translations to also flush
    the TLB of the in use DomID.
    
    Device I/O TLB flushing when ATS are enabled is not covered by the current
    change, as ATS usage is not security supported.
    
    This is XSA-442 / CVE-2023-34326
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 5fc98b97084a46884acef9320e643faf40d42212)
---
 xen/drivers/passthrough/amd/iommu.h         |  3 ++-
 xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
 xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
 xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
 xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
index 5429ada58e..a58be28bf9 100644
--- a/xen/drivers/passthrough/amd/iommu.h
+++ b/xen/drivers/passthrough/amd/iommu.h
@@ -283,7 +283,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
                            unsigned int order);
 void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
                            uint64_t gaddr, unsigned int order);
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid);
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
 void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
 
diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
index 40ddf366bb..cb28b36abc 100644
--- a/xen/drivers/passthrough/amd/iommu_cmd.c
+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
@@ -363,10 +363,18 @@ void amd_iommu_flush_pages(struct domain *d,
     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
 }
 
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid)
 {
     invalidate_dev_table_entry(iommu, bdf);
     flush_command_buffer(iommu, 0);
+
+    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
+    if ( domid != DOMID_INVALID )
+    {
+        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
+        flush_command_buffer(iommu, 0);
+    }
 }
 
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
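Review bot: amd_iommu_flush_device() now calls flush_command_buffer() twice when domid is valid, once after invalidate_dev_table_entry() and again after invalidate_iommu_pages(). If the DTE invalidation does not have to complete before the page invalidation is queued, a single wait after both commands would do; if the ordering is required, say so in the comment. The convention that DOMID_INVALID skips the TLB flush also deserves a line in a function comment, since every caller in this patch depends on it.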
diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
index 80a331f546..be86bce6fb 100644
--- a/xen/drivers/passthrough/amd/iommu_guest.c
+++ b/xen/drivers/passthrough/amd/iommu_guest.c
@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
 
 static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
 {
-    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
+    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
     struct amd_iommu_dte *gdte, *mdte, *dte_base;
     struct amd_iommu *iommu = NULL;
     struct guest_iommu *g_iommu;
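Review bot: prev_domid is declared as uint16_t in do_invalidate_dte(), while amd_iommu_flush_device() takes a domid_t and the pci_amd_iommu.c call sites in this patch declare their prev_domid as domid_t. Use domid_t here as well so the sentinel comparison against DOMID_INVALID is made on the same type everywhere.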
@@ -445,13 +445,14 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
     req_id = get_dma_requestor_id(iommu->seg, mbdf);
     dte_base = iommu->dev_table.buffer;
     mdte = &dte_base[req_id];
+    prev_domid = mdte->domain_id;
 
     spin_lock_irqsave(&iommu->lock, flags);
     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
 
     spin_unlock_irqrestore(&iommu->lock, flags);
 
-    amd_iommu_flush_device(iommu, req_id);
+    amd_iommu_flush_device(iommu, req_id, prev_domid);
 
     return 0;
 }
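Review bot: prev_domid = mdte->domain_id is read before spin_lock_irqsave(&iommu->lock, flags), whereas amd_iommu_disable_domain_device() in this patch reads dte->domain_id after taking the lock. Move the read inside the locked region so the DomID that gets flushed is the one dte_set_gcr3_table() actually replaces.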
diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
index 166570648d..101a60ce17 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -1547,7 +1547,11 @@ static int cf_check _invalidate_all_devices(
         req_id = ivrs_mappings[bdf].dte_requestor_id;
         if ( iommu )
         {
-            amd_iommu_flush_device(iommu, req_id);
+            /*
+             * IOMMU TLB flush performed separately (see
+             * invalidate_all_domain_pages()).
+             */
+            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
             amd_iommu_flush_intremap(iommu, req_id);
         }
     }
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index 94e3775506..8641b84712 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -192,10 +192,13 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
     }
     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /*
          * Strictly speaking if the device is the only one with this requestor
          * ID, it could be allowed to be re-assigned regardless of unity map
@@ -252,7 +255,7 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
     }
     else
         spin_unlock_irqrestore(&iommu->lock, flags);
@@ -421,6 +424,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
     spin_lock_irqsave(&iommu->lock, flags);
     if ( dte->tv || dte->v )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /* See the comment in amd_iommu_setup_device_table(). */
         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
         smp_wmb();
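Review bot: prev_domid is captured under if ( dte->tv || dte->v ), so it is also taken when only dte->v is set. The commit message says the DomID in a DTE that had address translations disabled is not valid; if a clear tv bit is that case, either pass DOMID_INVALID there or note in a comment that flushing the stale DomID is harmless.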
@@ -439,7 +444,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
 
         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
                         "domain = %d, paging mode = %d\n",
@@ -610,7 +615,8 @@ static int cf_check amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, bdf);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
     }
 
     if ( amd_iommu_reserve_domain_unity_map(
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:23 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libfsimage/xfs: Remove dead code
Message-Id: <E1qqo9O-0007jl-BY@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:22 +0000

commit d665c6690eb3c2c86cb2c7dac09804211481f926
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:50 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    libfsimage/xfs: Remove dead code
    
    xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
    that serve no purpose.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 37fc1e6c1c5c63aafd9cfd76a37728d5baea7d71)
---
 tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index d735a88e55..2800699f59 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -37,7 +37,6 @@ struct xfs_info {
 	int blklog;
 	int inopblog;
 	int agblklog;
-	int agnolog;
 	unsigned int nextents;
 	xfs_daddr_t next;
 	xfs_daddr_t daddr;
@@ -65,9 +64,7 @@ static struct xfs_info xfs;
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
-#define	XFS_INO_AGBNO_BITS	xfs.agblklog
 #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
-#define	XFS_INO_AGNO_BITS	xfs.agnolog
 
 static inline xfs_agblock_t
 agino2agbno (xfs_agino_t agino)
@@ -149,20 +146,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
 	return le32(r->l3) & mask32lo(21);
 }
 
-static inline int
-xfs_highbit32(xfs_uint32_t v)
-{
-	int i;
-
-	if (--v) {
-		for (i = 0; i < 31; i++, v >>= 1) {
-			if (v == 0)
-				return i;
-		}
-	}
-	return 0;
-}
-
 static int
 isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
 {
@@ -472,7 +455,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 
 	xfs.inopblog = super.sb_inopblog;
 	xfs.agblklog = super.sb_agblklog;
-	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
 
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
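Review bot: The commit message describes this purely as dead-code removal, but dropping `xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));` from xfs_mount() also means this function no longer reads sb_agcount from the on-disk superblock. Since the change is part of a security series, it would help to say so in the message, so that someone auditing which superblock fields still need validation knows sb_agcount is not consumed here.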
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:33 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:22:33 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615704.957050 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9Z-00078Y-JZ; Thu, 12 Oct 2023 05:22:33 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615704.957050; Thu, 12 Oct 2023 05:22:33 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9Z-00078Q-Ge; Thu, 12 Oct 2023 05:22:33 +0000
Received: by outflank-mailman (input) for mailman id 615704;
 Thu, 12 Oct 2023 05:22:32 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9Y-000780-GG
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:32 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9Y-0003IL-FQ
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:32 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9Y-0007kA-EY
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:32 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=z5gLyeeoQygEbL2DfCW3AouiCfYeublXmHoPbkkmjpA=; b=ZuqryLV9FLBNmqkFSwIYuWKyuc
	IuAfWZSpr7YyNxzaiqo4wUSpkoePTQqDvDzOWdGuPK70F5untaHNDk62HScxoUYZMQpwc5VI3vfLD
	cmbasoW2WB1W+iS3XYAElXX/wx00k4K6gpEUynckKh+0JBmSWbDQRxTGj8wEjYiXnUfQ=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libfsimage/xfs: Amend mask32lo() to allow the value 32
Message-Id: <E1qqo9Y-0007kA-EY@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:32 +0000

commit f1cd620cc3572c858e276463e05f695d949362c5
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:51 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    libfsimage/xfs: Amend mask32lo() to allow the value 32
    
    agblklog could plausibly be 32, but that would overflow this shift.
    Perform the shift as ULL and cast to u32 at the end instead.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit ddc45e4eea946bb373a4b4a60c84bf9339cf413b)
---
 tools/libfsimage/xfs/fsys_xfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 2800699f59..4720bb4505 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -60,7 +60,7 @@ static struct xfs_info xfs;
 #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
 #define icore		(inode->di_core)
 
-#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
+#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
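Review bot: After this change mask32lo(n) has the same body as XFS_INO_MASK(k) two lines below, differing only in the `1ull` versus `1ULL` suffix spelling; consider defining one in terms of the other, or at least matching the suffix, so the two cannot drift apart again. The widened shift is well defined for n up to 63, so n == 32 is now handled, but nothing in the macro itself bounds n: it still depends on every caller passing an already-bounded value.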
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:44 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:22:44 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615708.957063 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9j-0007Rh-U7; Thu, 12 Oct 2023 05:22:43 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615708.957063; Thu, 12 Oct 2023 05:22:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9j-0007RZ-RE; Thu, 12 Oct 2023 05:22:43 +0000
Received: by outflank-mailman (input) for mailman id 615708;
 Thu, 12 Oct 2023 05:22:42 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9i-0007R8-JD
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:42 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9i-0003KN-IW
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:42 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9i-0007ky-HU
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:42 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=bFUFAuCcyCUmy+0azotCWurbufyaqq1U+yrSvP3u7Vw=; b=w8hLulFDcRdyCC1/J+8n0xNqto
	ONXKizPvn5f01CXAsdbDCWxEC+jQE1B4zurCijiuZmsawVHatxAFnmDRohEErm51cokKEashliP1h
	1WPZGQQtpQgARLvCUryDQ2aytBBaqcaPA8JlsmwhMQuvMSnE+8jTAlV3X40kozwA1PPk=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libfsimage/xfs: Sanity-check the superblock during mounts
Message-Id: <E1qqo9i-0007ky-HU@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:42 +0000

commit 78143c5336c8316bcc648e964d65a07f216cf77f
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:52 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    libfsimage/xfs: Sanity-check the superblock during mounts
    
    Sanity-check the XFS superblock for wellformedness at the mount handler.
    This forces pygrub to abort parsing a potentially malformed filesystem and
    ensures the invariants assumed throughout the rest of the code hold.
    
    Also, derive parameters from previously sanitized parameters where possible
    (rather than reading them off the superblock)
    
    The code doesn't try to avoid overflowing the end of the disk, because
    that's an unlikely and benign error. Parameters used in calculations of
    xfs_daddr_t (like the root inode index) aren't in critical need of being
    sanitized.
    
    The sanitization of agblklog is basically checking that no obvious
    overflows happen on agblklog, and then ensuring agblocks is contained in
    the range (2^(sb_agblklog-1), 2^sb_agblklog].
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 620500dd1baf33347dfde5e7fde7cf7fe347da5c)
---
 tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++++++++---------
 tools/libfsimage/xfs/xfs.h      | 12 +++++++++++
 2 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 4720bb4505..e4eb7e1ee2 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -17,6 +17,7 @@
  *  along with this program; If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <stdbool.h>
 #include <xenfsimage_grub.h>
 #include "xfs.h"
 
@@ -433,29 +434,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
 	return next_dentry (ffi, ino);
 }
 
+static bool
+xfs_sb_is_invalid (const xfs_sb_t *super)
+{
+	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
+	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
+	        XFS_SB_VERSION_4)
+	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
+	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
+	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
+	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
+	    || (super->sb_blocklog < super->sb_inodelog)
+	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
+	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
+	    || (((1ull << super->sb_agblklog) >> 1) >=
+	        le32(super->sb_agblocks))
+	    || ((super->sb_blocklog + super->sb_dirblklog) >=
+	        XFS_SB_DIRBLK_NUMBITS);
+}
+
 static int
 xfs_mount (fsi_file_t *ffi, const char *options)
 {
 	xfs_sb_t super;
 
 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
-	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
-	    || ((le16(super.sb_versionnum) 
-		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
+	    || xfs_sb_is_invalid(&super)) {
 		return 0;
 	}
 
-	xfs.bsize = le32 (super.sb_blocksize);
-	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = xfs.blklog - SECTOR_BITS;
+	/*
+	 * Not sanitized. It's exclusively used to generate disk addresses,
+	 * so it's not important from a security standpoint.
+	 */
 	xfs.rootino = le64 (super.sb_rootino);
-	xfs.isize = le16 (super.sb_inodesize);
-	xfs.agblocks = le32 (super.sb_agblocks);
-	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
 
-	xfs.inopblog = super.sb_inopblog;
+	/*
+	 * Sanitized to be consistent with each other, only used to
+	 * generate disk addresses, so it's safe
+	 */
+	xfs.agblocks = le32 (super.sb_agblocks);
 	xfs.agblklog = super.sb_agblklog;
 
+	/* Derived from sanitized parameters */
+	xfs.bsize = 1 << super.sb_blocklog;
+	xfs.blklog = super.sb_blocklog;
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+	xfs.isize = 1 << super.sb_inodelog;
+	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
+	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
+
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
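Review bot: xfs_sb_is_invalid() bounds the log2 fields but never compares them with the sizes the superblock also stores: the removed lines read sb_blocksize, sb_inodesize and sb_inopblog, and the new code derives bsize, isize and inopblog from sb_blocklog and sb_inodelog instead. Deriving from checked values is the right call for memory safety, but an image whose sb_blocksize disagrees with 1 << sb_blocklog is now mounted without complaint; consider rejecting such a mismatch in the validator, or add a comment saying those fields are deliberately ignored. The two sb_agblocks comparisons implement the (2^(sb_agblklog-1), 2^sb_agblklog] range from the commit message; a short comment beside them stating that range would make the intent reviewable without the log.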
diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
index 40699281e4..b87e37d3d7 100644
--- a/tools/libfsimage/xfs/xfs.h
+++ b/tools/libfsimage/xfs/xfs.h
@@ -134,6 +134,18 @@ typedef struct xfs_sb
         xfs_uint8_t       sb_dummy[7];    /* padding */
 } xfs_sb_t;
 
+/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
+#define	XFS_SB_DIRBLK_NUMBITS	27
+/* Implied by the XFS specification. The minimum block size is 512 octets */
+#define	XFS_SB_BLOCKLOG_MIN	9
+/* Implied by the XFS specification. The maximum block size is 65536 octets */
+#define	XFS_SB_BLOCKLOG_MAX	16
+/* Implied by the XFS specification. The minimum inode size is 256 octets */
+#define	XFS_SB_INODELOG_MIN	8
+/* Implied by the XFS specification. The maximum inode size is 2048 octets */
+#define	XFS_SB_INODELOG_MAX	11
+/* High bound for sb_agblklog */
+#define	XFS_SB_AGBLKLOG_MAX	32
 
 /* those are from xfs_btree.h */
 
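Review bot: XFS_SB_AGBLKLOG_MAX is the only new bound whose comment gives no source; the others cite the XFS specification or GRUB2. Please say where 32 comes from (for example, that sb_agblocks is read with le32() and so cannot need more bits), and note that a value of 32 is only safe because the shifts that consume it are done in 64-bit arithmetic, as in `(1ull << super->sb_agblklog)`.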
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:22:54 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:22:54 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615709.957067 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9t-0007YV-VP; Thu, 12 Oct 2023 05:22:53 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615709.957067; Thu, 12 Oct 2023 05:22:53 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqo9t-0007YM-Sm; Thu, 12 Oct 2023 05:22:53 +0000
Received: by outflank-mailman (input) for mailman id 615709;
 Thu, 12 Oct 2023 05:22:52 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9s-0007Wh-Ly
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:52 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9s-0003KU-LD
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:52 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqo9s-0007lf-KX
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:22:52 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=k2H0UtfvopPvkbfastyrc1Mosf+MHMfYnHXSHlM3JFY=; b=IytwULJDkBNu6GxWqsgylyd05V
	rNuNPEpC3RtzOyoYUZVjOUMSmo3+Z3obT8pGPMU1p+bI/m3SkYJzwjRRNW9O11EPvPEb0lKEpKJaI
	Ob6GmR9jRqVcf4Q/J93JCGVe0wYWSnKbJcypX4LZA5u5RK2+r/oLr+l9aF4gYaWM9CZY=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libfsimage/xfs: Add compile-time check to libfsimage
Message-Id: <E1qqo9s-0007lf-KX@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:22:52 +0000

commit eb4efdac4cc7121f832ee156f39761312878f3a5
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:53 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    libfsimage/xfs: Add compile-time check to libfsimage
    
    Adds the common tools include folder to the -I compile flags
    of libfsimage. This allows us to use:
      xen-tools/common-macros.h:BUILD_BUG_ON()
    
    With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
    underflow.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 7d85c70431593550e32022e3a19a37f306f49e00)
---
 tools/libfsimage/common.mk      | 2 +-
 tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common.mk b/tools/libfsimage/common.mk
index 4fc8c66795..e4336837d0 100644
--- a/tools/libfsimage/common.mk
+++ b/tools/libfsimage/common.mk
@@ -1,7 +1,7 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
 FSDIR := $(libdir)/xenfsimage
-CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
+CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
 CFLAGS += -D_GNU_SOURCE
 LDFLAGS += -L../common/
 
diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index e4eb7e1ee2..4a8dd6f239 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -19,6 +19,7 @@
 
 #include <stdbool.h>
 #include <xenfsimage_grub.h>
+#include <xen-tools/libs.h>
 #include "xfs.h"
 
 #define MAX_LINK_COUNT	8
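Review bot: The commit message says BUILD_BUG_ON() comes from xen-tools/common-macros.h, but the include added here is <xen-tools/libs.h>. If that is a deliberate adjustment for the stable-4.17 tree, a line in the message saying so would spare the next reader from checking whether the cherry-pick was applied correctly.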
@@ -477,9 +478,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 	xfs.agblklog = super.sb_agblklog;
 
 	/* Derived from sanitized parameters */
+	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.bsize = 1 << super.sb_blocklog;
 	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.isize = 1 << super.sb_inodelog;
 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
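Review bot: The BUILD_BUG_ON() guards only the `super.sb_blocklog - SECTOR_BITS` subtraction; the other subtraction in this block, `super.sb_blocklog - super.sb_inodelog`, is protected by the runtime `sb_blocklog < sb_inodelog` test in xfs_sb_is_invalid() instead. A short comment on the inopblog line pointing at that check would make it clear both subtractions are covered, and would flag the dependency if the validator is ever reordered or relaxed.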
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:04 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:23:04 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615710.957071 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoA4-0007gf-1s; Thu, 12 Oct 2023 05:23:04 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615710.957071; Thu, 12 Oct 2023 05:23:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoA3-0007gY-Vf; Thu, 12 Oct 2023 05:23:03 +0000
Received: by outflank-mailman (input) for mailman id 615710;
 Thu, 12 Oct 2023 05:23:02 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoA2-0007gI-Ou
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:02 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoA2-0003Kr-OC
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:02 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoA2-0007mD-NK
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:02 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=e7bVcJA4eUnozXqbhtKqhmkGNWd5ymVlBNf+WunDzPc=; b=3LULgveKX+RkWMpkRifiaCQ/AR
	55fY/7iX7yxfxdev67/K49K7Y0K+7ZRFxyTTs5SupFYKOhaaVFhm0DQpP2FXv/qqqwGi6JLRfslnk
	pdlgIjsEeyFp6rQfBMFsnjGvMhUh6HjbQK5cnAbrAeXv5AdW8UNAHfJO44qiV2lnEIVw=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/pygrub: Remove unnecessary hypercall
Message-Id: <E1qqoA2-0007mD-NK@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:02 +0000

commit 8a584126eae53a44cefb0acdbca201233a557fa5
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:21 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/pygrub: Remove unnecessary hypercall
    
    There's a hypercall being issued in order to determine whether PV64 is
    supported, but since Xen 4.3 that's strictly true so it's not required.
    
    Plus, this way we can avoid mapping the privcmd interface altogether in the
    depriv pygrub.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit f4b504c6170c446e61055cbd388ae4e832a9deca)
---
 tools/pygrub/src/pygrub | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce7ab0eb8c..ce4e07d3e8 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -18,7 +18,6 @@ import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
 import logging
 import platform
-import xen.lowlevel.xc
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -668,14 +667,6 @@ def run_grub(file, entry, fs, cfg_args):
 
     return grubcfg
 
-def supports64bitPVguest():
-    xc = xen.lowlevel.xc.xc()
-    caps = xc.xeninfo()['xen_caps'].split(" ")
-    for cap in caps:
-        if cap == "xen-3.0-x86_64":
-            return True
-    return False
-
 # If nothing has been specified, look for a Solaris domU. If found, perform the
 # necessary tweaks.
 def sniff_solaris(fs, cfg):
@@ -684,8 +675,7 @@ def sniff_solaris(fs, cfg):
         return cfg
 
     if not cfg["kernel"]:
-        if supports64bitPVguest() and \
-          fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
+        if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
             cfg["kernel"] = "/platform/i86xpv/kernel/amd64/unix"
             cfg["ramdisk"] = "/platform/i86pc/amd64/boot_archive"
         elif fs.file_exists("/platform/i86xpv/kernel/unix"):
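Review bot: With supports64bitPVguest() gone, the amd64 branch is taken whenever `/platform/i86xpv/kernel/amd64/unix` exists in the guest image, regardless of what the host reports. The commit message justifies this for Xen 4.3 and later; please record that assumption in the comment above sniff_solaris() as well, since the code no longer carries any trace of why no capability check is needed.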
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:23:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615712.957075 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoAE-0007mN-3Z; Thu, 12 Oct 2023 05:23:14 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615712.957075; Thu, 12 Oct 2023 05:23:14 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoAE-0007mF-0s; Thu, 12 Oct 2023 05:23:14 +0000
Received: by outflank-mailman (input) for mailman id 615712;
 Thu, 12 Oct 2023 05:23:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAC-0007lz-SG
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAC-0003Ky-R4
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:12 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAC-0007mh-QE
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:12 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=qV/t6cZBhHKDsYXDMmS2YMSeZI4AhrWAEPbKt5YKdGU=; b=NYYLnY0K15NJpbtn1mP7WFRHu0
	/vx9JHgKDHiU2AZjKCJbRdLT54utIVqUbR5xonJDcz1BhcgcRjXPZA5tDTxOCKCHhHWZ3R8stGxr2
	J/Tz+tMw05ZuB76/xAOuGm4JglN0s6tcV6MvOB+1xPwoHCg7cigsn7AR/ZIObjemOJDg=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/pygrub: Small refactors
Message-Id: <E1qqoAC-0007mh-QE@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:12 +0000

commit e7059f16f7c2b99fea30b9671fec74c0375eee8f
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:22 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/pygrub: Small refactors
    
    Small tidy up to ensure output_directory always has a trailing '/' to ease
    concatenating paths and that `output` can only be a filename or None.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 9f2ff9a7c9b3ac734ae99f17f0134ed0343dcccf)
---
 tools/pygrub/src/pygrub | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce4e07d3e8..1042c05b86 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -793,7 +793,7 @@ if __name__ == "__main__":
     debug = False
     not_really = False
     output_format = "sxp"
-    output_directory = "/var/run/xen/pygrub"
+    output_directory = "/var/run/xen/pygrub/"
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -815,7 +815,8 @@ if __name__ == "__main__":
             usage()
             sys.exit()
         elif o in ("--output",):
-            output = a
+            if a != "-":
+                output = a
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
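Review bot: Skipping the assignment when `a` is "-" only works if `output` is initialised to None before the option loop; that initialisation is not in the visible context, and without it `--output -` would reach the later `if output is None:` test with the name unbound. Worth confirming. Note also that `--output FILE --output -` now keeps FILE, whereas the old code let the last option win and wrote to stdout; an explicit `else: output = None` would preserve that.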
@@ -847,12 +848,11 @@ if __name__ == "__main__":
             if not os.path.isdir(a):
                 print("%s is not an existing directory" % a)
                 sys.exit(1)
-            output_directory = a
+            output_directory = a + '/'
 
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
-
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
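Review bot: `output_directory = a + '/'` yields a doubled separator when the caller already passes a path ending in '/'. That is harmless to path resolution but shows up in any later string comparison or log line; `os.path.join(a, '')` appends the separator only when it is missing. The blank-line removal before `try:` is unrelated noise in this hunk.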
@@ -861,7 +861,7 @@ if __name__ == "__main__":
         else:
             raise
 
-    if output is None or output == "-":
+    if output is None:
         fd = sys.stdout.fileno()
     else:
         fd = os.open(output, os.O_WRONLY)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:24 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/pygrub: Open the output files earlier
Message-Id: <E1qqoAM-0007n6-TM@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:22 +0000

commit 37977420670c65db220349510599d3fe47600ad8
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/pygrub: Open the output files earlier
    
    This patch allows pygrub to get ahold of every RW file descriptor it needs
    early on. A later patch will clamp the filesystem it can access so it can't
    obtain any others.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 0710d7d44586251bfca9758890616dc3d6de8a74)
---
 tools/pygrub/src/pygrub | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 1042c05b86..91e2ec2ab1 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -738,8 +738,7 @@ if __name__ == "__main__":
     def usage():
         print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
-    def copy_from_image(fs, file_to_read, file_type, output_directory,
-                        not_really):
+    def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
             if fs.file_exists(file_to_read):
                 return "<%s:%s>" % (file_type, file_to_read)
@@ -750,21 +749,18 @@ if __name__ == "__main__":
         except Exception as e:
             print(e, file=sys.stderr)
             sys.exit("Error opening %s in guest" % file_to_read)
-        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-                                      dir=output_directory)
         dataoff = 0
         while True:
             data = datafile.read(FS_READ_MAX, dataoff)
             if len(data) == 0:
-                os.close(tfd)
+                os.close(fd_dst)
                 del datafile
-                return ret
+                return
             try:
-                os.write(tfd, data)
+                os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.close(tfd)
-                os.unlink(ret)
+                os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
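Review bot: In the write-error path, os.close(tfd) was removed without an os.close(fd_dst) taking its place, whereas the success path does close fd_dst. sys.exit() follows immediately, so nothing leaks in practice, but the asymmetry is easy to trip over later. Either close fd_dst before the unlink or add a comment at the signature stating that copy_from_image() takes ownership of fd_dst.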
@@ -861,6 +857,14 @@ if __name__ == "__main__":
         else:
             raise
 
+    if not_really:
+        fd_kernel =  path_kernel = fd_ramdisk = path_ramdisk = None
+    else:
+        (fd_kernel, path_kernel) = tempfile.mkstemp(prefix="boot_kernel.",
+                                                    dir=output_directory)
+        (fd_ramdisk, path_ramdisk) = tempfile.mkstemp(prefix="boot_ramdisk.",
+                                                      dir=output_directory)
+
     if output is None:
         fd = sys.stdout.fileno()
     else:
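Review bot: If the second tempfile.mkstemp() call raises, the boot_kernel.* file created just above it is left behind in output_directory with its descriptor still open. Wrap the second call in try/except and unlink path_kernel before re-raising. Minor: there is a double space after 'fd_kernel =' on the not_really line.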
@@ -920,20 +924,23 @@ if __name__ == "__main__":
     if fs is None:
         raise RuntimeError("Unable to find partition containing kernel")
 
-    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-                                        output_directory, not_really)
+    copy_from_image(fs, chosencfg["kernel"], "kernel",
+                    fd_kernel, path_kernel, not_really)
+    bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
-            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-                                                 "ramdisk", output_directory,
-                                                 not_really)
+            copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
+                            fd_ramdisk, path_ramdisk, not_really)
         except:
             if not not_really:
-                os.unlink(bootcfg["kernel"])
+                os.unlink(path_kernel)
             raise
+        bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
+        if not not_really:
+            os.unlink(path_ramdisk)
 
     args = None
     if chosencfg["args"]:
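Review bot: With --not-really, copy_from_image() still returns the '<type:path>' placeholder string, but both call sites now discard the return value and assign path_kernel and path_ramdisk, which the previous hunk sets to None in that mode. bootcfg["kernel"] and bootcfg["ramdisk"] therefore become None instead of the placeholder; keep the returned string when not_really is set. Separately, the else branch unlinks path_ramdisk but never closes fd_ramdisk; add os.close(fd_ramdisk) before the unlink.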
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:34 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/libfsimage: Export a new function to preload all plugins
Message-Id: <E1qqoAX-0007nf-0D@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:33 +0000

commit 8ee19246ad2c1d0ce241a52683f56b144a4f0b0e
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:24 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/libfsimage: Export a new function to preload all plugins
    
    This is work required in order to let pygrub operate in highly deprivileged
    chroot mode. This patch adds a function that preloads every plugin, hence
    ensuring that on function exit, every shared library is loaded in memory.
    
    The new "init" function is supposed to be used before depriv, but that's
    fine because it's not acting on untrusted data.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 990e65c3ad9ac08642ce62a92852c80be6c83e96)
---
 tools/libfsimage/common/fsimage_plugin.c |  4 ++--
 tools/libfsimage/common/mapfile-GNU      |  1 +
 tools/libfsimage/common/mapfile-SunOS    |  1 +
 tools/libfsimage/common/xenfsimage.h     |  8 ++++++++
 tools/pygrub/src/fsimage/fsimage.c       | 15 +++++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
index de1412b423..d0cb9e96a6 100644
--- a/tools/libfsimage/common/fsimage_plugin.c
+++ b/tools/libfsimage/common/fsimage_plugin.c
@@ -119,7 +119,7 @@ fail:
 	return (-1);
 }
 
-static int load_plugins(void)
+int fsi_init(void)
 {
 	const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
 	struct dirent *dp = NULL;
@@ -180,7 +180,7 @@ int find_plugin(fsi_t *fsi, const char *path, const char *options)
 	fsi_plugin_t *fp;
 	int ret = 0;
 
-	if (plugins == NULL && (ret = load_plugins()) != 0)
+	if (plugins == NULL && (ret = fsi_init()) != 0)
 		goto out;
 
 	for (fp = plugins; fp != NULL; fp = fp->fp_next) {
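Review bot: Now that load_plugins() is exported as fsi_init(), the plugins == NULL guard still lives only in find_plugin(). Nothing visible here stops an application from calling fsi_init() twice, or after find_plugin() has already loaded the plugins, and walking the plugin directory a second time. Consider moving the check into fsi_init() so that it returns 0 immediately when the list is already populated.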
diff --git a/tools/libfsimage/common/mapfile-GNU b/tools/libfsimage/common/mapfile-GNU
index 26d4d7a69e..2d54d527d7 100644
--- a/tools/libfsimage/common/mapfile-GNU
+++ b/tools/libfsimage/common/mapfile-GNU
@@ -1,6 +1,7 @@
 VERSION {
 	libfsimage.so.1.0 {
 		global:
+			fsi_init;
 			fsi_open_fsimage;
 			fsi_close_fsimage;
 			fsi_file_exists;
diff --git a/tools/libfsimage/common/mapfile-SunOS b/tools/libfsimage/common/mapfile-SunOS
index e99b90b650..48deedb425 100644
--- a/tools/libfsimage/common/mapfile-SunOS
+++ b/tools/libfsimage/common/mapfile-SunOS
@@ -1,5 +1,6 @@
 libfsimage.so.1.0 {
 	global:
+		fsi_init;
 		fsi_open_fsimage;
 		fsi_close_fsimage;
 		fsi_file_exists;
diff --git a/tools/libfsimage/common/xenfsimage.h b/tools/libfsimage/common/xenfsimage.h
index 201abd54f2..341883b2d7 100644
--- a/tools/libfsimage/common/xenfsimage.h
+++ b/tools/libfsimage/common/xenfsimage.h
@@ -35,6 +35,14 @@ extern C {
 typedef struct fsi fsi_t;
 typedef struct fsi_file fsi_file_t;
 
+/*
+ * Optional initialization function. If invoked it loads the associated
+ * dynamic libraries for the backends ahead of time. This is required if
+ * the library is to run as part of a highly deprivileged executable, as
+ * the libraries may not be reachable after depriv.
+ */
+int fsi_init(void);
+
 fsi_t *fsi_open_fsimage(const char *, uint64_t, const char *);
 void fsi_close_fsimage(fsi_t *);
 
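Review bot: The new comment on fsi_init() does not say what the function returns. find_plugin() treats any non-zero value as failure, so please document 0 on success and non-zero on error here, and state whether calling it more than once is safe.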
diff --git a/tools/pygrub/src/fsimage/fsimage.c b/tools/pygrub/src/fsimage/fsimage.c
index 2ebbbe35df..92fbf2851f 100644
--- a/tools/pygrub/src/fsimage/fsimage.c
+++ b/tools/pygrub/src/fsimage/fsimage.c
@@ -286,6 +286,15 @@ fsimage_getbootstring(PyObject *o, PyObject *args)
 	return Py_BuildValue("s", bootstring);
 }
 
+static PyObject *
+fsimage_init(PyObject *o, PyObject *args)
+{
+	if (!PyArg_ParseTuple(args, ""))
+		return (NULL);
+
+	return Py_BuildValue("i", fsi_init());
+}
+
 PyDoc_STRVAR(fsimage_open__doc__,
     "open(name, [offset=off]) - Open the given file as a filesystem image.\n"
     "\n"
@@ -297,7 +306,13 @@ PyDoc_STRVAR(fsimage_getbootstring__doc__,
     "getbootstring(fs) - Return the boot string needed for this file system "
     "or NULL if none is needed.\n");
 
+PyDoc_STRVAR(fsimage_init__doc__,
+    "init() - Loads every dynamic library contained in xenfsimage "
+    "into memory so that it can be used in chrooted environments.\n");
+
 static struct PyMethodDef fsimage_module_methods[] = {
+	{ "init", (PyCFunction)fsimage_init,
+	    METH_VARARGS, fsimage_init__doc__ },
 	{ "open", (PyCFunction)fsimage_open,
 	    METH_VARARGS|METH_KEYWORDS, fsimage_open__doc__ },
 	{ "getbootstring", (PyCFunction)fsimage_getbootstring,
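Review bot: The init() docstring does not mention the return value, and fsimage_init() hands the raw integer from fsi_init() back to Python, so a caller that forgets to check it carries on with no plugins loaded. Python callers generally expect failure to surface as an exception; consider raising one (for instance via PyErr_SetString) when fsi_init() returns non-zero and returning None otherwise, or at least document the integer in the docstring. Since the function takes no arguments, registering it with METH_NOARGS would also let the PyArg_ParseTuple(args, "") call go.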
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:44 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] tools/pygrub: Deprivilege pygrub
Message-Id: <E1qqoAh-0007o4-3G@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:43 +0000

commit f5e211654e5fbb7f1fc5cfea7f9c7ab525edb9e7
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:25 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:27 2023 +0100

    tools/pygrub: Deprivilege pygrub
    
    Introduce a --runas=<uid> flag to deprivilege pygrub on Linux and *BSDs. It
    also implicitly creates a chroot env where it drops a deprivileged forked
    process. The chroot itself is cleaned up at the end.
    
    If the --runas arg is present, then pygrub forks, leaving the child to
    deprivilege itself, and waiting for it to complete. When the child exits,
    the parent performs cleanup and exits with the same error code.
    
    This is roughly what the child does:
      1. Initialize libfsimage (this loads every .so in memory so the chroot
         can avoid bind-mounting /{,usr}/lib*)
      2. Create a temporary empty chroot directory
      3. Mount tmpfs in it
      4. Bind mount the disk inside, because libfsimage expects a path, not a
         file descriptor.
      5. Remount the root tmpfs to be stricter (ro,nosuid,nodev)
      6. Set RLIMIT_FSIZE to a sensibly high amount (128 MiB)
      7. Depriv gid, groups and uid
    
    With this scheme in place, the "output" files are writable (up to
    RLIMIT_FSIZE octets) and the exposed filesystem is immutable and contains
    the single only file we can't easily get rid of (the disk).
    
    If running on Linux, the child process also unshares mount, IPC, and
    network namespaces before dropping its privileges.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit e0342ae5556f2b6e2db50701b8a0679a45822ca6)
---
 tools/pygrub/setup.py   |   2 +-
 tools/pygrub/src/pygrub | 162 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 154 insertions(+), 10 deletions(-)

diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
index 0e4e3d02d3..06b96733d0 100644
--- a/tools/pygrub/setup.py
+++ b/tools/pygrub/setup.py
@@ -17,7 +17,7 @@ xenfsimage = Extension("xenfsimage",
 pkgs = [ 'grub' ]
 
 setup(name='pygrub',
-      version='0.6',
+      version='0.7',
       description='Boot loader that looks a lot like grub for Xen',
       author='Jeremy Katz',
       author_email='katzj@redhat.com',
diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 91e2ec2ab1..7cea496ade 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -16,8 +16,11 @@ from __future__ import print_function
 
 import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
+import ctypes, ctypes.util
 import logging
 import platform
+import resource
+import subprocess
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -27,10 +30,135 @@ import grub.GrubConf
 import grub.LiloConf
 import grub.ExtLinuxConf
 
-PYGRUB_VER = 0.6
+PYGRUB_VER = 0.7
 FS_READ_MAX = 1024 * 1024
 SECTOR_SIZE = 512
 
+# Unless provided through the env variable PYGRUB_MAX_FILE_SIZE_MB, then
+# this is the maximum filesize allowed for files written by the depriv
+# pygrub
+LIMIT_FSIZE = 128 << 20
+
+CLONE_NEWNS = 0x00020000 # mount namespace
+CLONE_NEWNET = 0x40000000 # network namespace
+CLONE_NEWIPC = 0x08000000 # IPC namespace
+
+def unshare(flags):
+    if not sys.platform.startswith("linux"):
+        print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)
+        return
+
+    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
+    unshare_prototype = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, use_errno=True)
+    unshare = unshare_prototype(('unshare', libc))
+
+    if unshare(flags) < 0:
+        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
+
+def bind_mount(src, dst, options):
+    open(dst, "a").close() # touch
+
+    rc = subprocess.call(["mount", "--bind", "-o", options, src, dst])
+    if rc != 0:
+        raise RuntimeError("bad_mount: src=%s dst=%s opts=%s" %
+                           (src, dst, options))
+
+def downgrade_rlimits():
+    # Wipe the authority to use unrequired resources
+    resource.setrlimit(resource.RLIMIT_NPROC,    (0, 0))
+    resource.setrlimit(resource.RLIMIT_CORE,     (0, 0))
+    resource.setrlimit(resource.RLIMIT_MEMLOCK,  (0, 0))
+
+    # py2's resource module doesn't know about resource.RLIMIT_MSGQUEUE
+    #
+    # TODO: Use resource.RLIMIT_MSGQUEUE after python2 is deprecated
+    if sys.platform.startswith('linux'):
+        RLIMIT_MSGQUEUE = 12
+        resource.setrlimit(RLIMIT_MSGQUEUE, (0, 0))
+
+    # The final look of the filesystem for this process is fully RO, but
+    # note we have some file descriptor already open (notably, kernel and
+    # ramdisk). In order to avoid a compromised pygrub from filling up the
+    # filesystem we set RLIMIT_FSIZE to a high bound, so that the file
+    # write permissions are bound.
+    fsize = LIMIT_FSIZE
+    if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys():
+        fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20
+
+    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
+
+def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
+    # The only point of this call is to force the loading of libfsimage.
+    # That way, we don't need to bind-mount it into the chroot
+    rc = xenfsimage.init()
+    if rc != 0:
+        os.unlink(path_ramdisk)
+        os.unlink(path_kernel)
+        raise RuntimeError("bad_xenfsimage: rc=%d" % rc)
+
+    # Create a temporary directory for the chroot
+    chroot = tempfile.mkdtemp(prefix=str(uid)+'-', dir=output_directory) + '/'
+    device_path = '/device'
+
+    pid = os.fork()
+    if pid:
+        # parent
+        _, rc = os.waitpid(pid, 0)
+
+        for path in [path_kernel, path_ramdisk]:
+            # If the child didn't write anything, just get rid of it,
+            # otherwise we end up consuming a 0-size file when parsing
+            # systems without a ramdisk that the ultimate caller of pygrub
+            # may just be unaware of
+            if rc != 0 or os.path.getsize(path) == 0:
+                os.unlink(path)
+
+        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
+        # However, this syscall doesn't exist in *BSD systems and doesn't
+        # auto-unmount everything on older Linux kernels (At least as of
+        # Linux 4.19, but it seems fixed in 5.15). Either way,
+        # recursively unmount everything if needed. Quietly.
+        with open('/dev/null', 'w') as devnull:
+            subprocess.call(["umount", "-f", chroot + device_path],
+                            stdout=devnull, stderr=devnull)
+            subprocess.call(["umount", "-f", chroot],
+                            stdout=devnull, stderr=devnull)
+        os.rmdir(chroot)
+
+        sys.exit(rc)
+
+    # By unsharing the namespace we're making sure it's all bulk-released
+    # at the end, when the namespaces disappear. This means the kernel does
+    # (almost) all the cleanup for us and the parent just has to remove the
+    # temporary directory.
+    unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET)
+
+    # Set sensible limits using the setrlimit interface
+    downgrade_rlimits()
+
+    # We'll mount tmpfs on the chroot to ensure the deprivileged child
+    # cannot affect the persistent state. It's RW now in order to
+    # bind-mount the device, but note it's remounted RO after that.
+    rc = subprocess.call(["mount", "-t", "tmpfs", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("mount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Bind the untrusted device RO
+    bind_mount(device, chroot + device_path, "ro,nosuid,noexec")
+
+    rc = subprocess.call(["mount", "-t", "tmpfs", "-o", "remount,ro,nosuid,noexec,nodev", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("remount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Drop superpowers!
+    os.chroot(chroot)
+    os.chdir('/')
+    os.setgid(uid)
+    os.setgroups([uid])
+    os.setuid(uid)
+
+    return device_path
+
 def read_size_roundup(fd, size):
     if platform.system() != 'FreeBSD':
         return size
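Review bot: In the parent branch of depriv(), the second value returned by os.waitpid(pid, 0) is a wait status, not an exit code, and it is passed straight to sys.exit(rc). A child that exits with code 1 produces status 256, which is truncated to exit code 0, so a failed deprivileged run is reported to the caller as success. Decode it first, for example with os.WIFEXITED(rc) and os.WEXITSTATUS(rc), and treat death by signal as a failure. Two smaller points in the same hunk: in downgrade_rlimits(), os.environ["PYGRUB_MAX_FILE_SIZE_MB"] is a string, so the << 20 raises TypeError whenever the variable is set and needs an int() conversion with error handling; and the print() in unshare() passes sys.platform as a second argument instead of using the % operator, so the message shows a literal %s.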
@@ -736,7 +864,7 @@ if __name__ == "__main__":
     sel = None
     
     def usage():
-        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--runas=] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
     def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
@@ -760,7 +888,8 @@ if __name__ == "__main__":
                 os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.unlink(path_dst)
+                if path_dst:
+                    os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
@@ -769,7 +898,7 @@ if __name__ == "__main__":
         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qilnh::',
                                    ["quiet", "interactive", "list-entries", "not-really", "help",
                                     "output=", "output-format=", "output-directory=", "offset=",
-                                    "entry=", "kernel=", 
+                                    "runas=", "entry=", "kernel=",
                                     "ramdisk=", "args=", "isconfig", "debug"])
     except getopt.GetoptError:
         usage()
@@ -790,6 +919,7 @@ if __name__ == "__main__":
     not_really = False
     output_format = "sxp"
     output_directory = "/var/run/xen/pygrub/"
+    uid = None
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -813,6 +943,13 @@ if __name__ == "__main__":
         elif o in ("--output",):
             if a != "-":
                 output = a
+        elif o in ("--runas",):
+            try:
+                uid = int(a)
+            except ValueError:
+                print("runas value must be an integer user id")
+                usage()
+                sys.exit(1)
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
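Review bot: The 'runas value must be an integer user id' message goes to stdout, while the other diagnostics added in this patch use file=sys.stderr. Since stdout carries the boot configuration when --output is not given, send this one to stderr as well. int(a) also accepts negative numbers, which are only rejected later inside depriv(), so a range check here would give a clearer error.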
@@ -849,6 +986,10 @@ if __name__ == "__main__":
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
+    if interactive and uid:
+        print("In order to use --runas, you must also set --entry or -q", file=sys.stderr)
+        sys.exit(1)
+
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
@@ -870,6 +1011,9 @@ if __name__ == "__main__":
     else:
         fd = os.open(output, os.O_WRONLY)
 
+    if uid:
+        file = depriv(output_directory, output, file, uid, path_kernel, path_ramdisk)
+
     # debug
     if isconfig:
         chosencfg = run_grub(file, entry, fs, incfg["args"])
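Review bot: The new 'if uid:' test is false for --runas=0, so that invocation silently runs without any deprivileging instead of being rejected, and the same truthiness test guards the interactive check. Compare with 'uid is not None' and reject 0 explicitly when parsing the option. Also, the output argument passed to depriv() is not used anywhere in its body and could be dropped from the signature.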
@@ -925,21 +1069,21 @@ if __name__ == "__main__":
         raise RuntimeError("Unable to find partition containing kernel")
 
     copy_from_image(fs, chosencfg["kernel"], "kernel",
-                    fd_kernel, path_kernel, not_really)
+                    fd_kernel, None if uid else path_kernel, not_really)
     bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
             copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
-                            fd_ramdisk, path_ramdisk, not_really)
+                            fd_ramdisk, None if uid else path_ramdisk, not_really)
         except:
-            if not not_really:
-                os.unlink(path_kernel)
+            if not uid and not not_really:
+                    os.unlink(path_kernel)
             raise
         bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
-        if not not_really:
+        if not uid and not not_really:
             os.unlink(path_ramdisk)
 
     args = None
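Review bot: In the except branch, the os.unlink(path_kernel) line under the new 'if not uid and not not_really:' is indented by eight spaces instead of four. It is valid Python but inconsistent with the rest of the file; please reindent. A short comment saying that in --runas mode the parent process removes the files would also explain why the unlink is skipped here.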
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:23:54 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:23:54 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615718.957092 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoAs-00087r-Bn; Thu, 12 Oct 2023 05:23:54 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615718.957092; Thu, 12 Oct 2023 05:23:54 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoAs-00087k-8v; Thu, 12 Oct 2023 05:23:54 +0000
Received: by outflank-mailman (input) for mailman id 615718;
 Thu, 12 Oct 2023 05:23:53 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAr-00087b-8V
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:53 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAr-0003M5-7T
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:53 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoAr-0007oV-6l
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:23:53 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libxl: add support for running bootloader in restricted mode
Message-Id: <E1qqoAr-0007oV-6l@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:23:53 +0000

commit 42bf49d74b711ca7fef37bcde12928220c8e9700
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Mon Sep 25 14:30:20 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:54:00 2023 +0200

    libxl: add support for running bootloader in restricted mode
    
    Much like the device model depriv mode, add the same kind of support for the
    bootloader.  Such feature allows passing a UID as a parameter for the
    bootloader to run as, together with the bootloader itself taking the necessary
    actions to isolate.
    
    Note that the user to run the bootloader as must have the right permissions to
    access the guest disk image (in read mode only), and that the bootloader will
    be run in non-interactive mode when restricted.
    
    If enabled bootloader restrict mode will attempt to re-use the user(s) from the
    QEMU depriv implementation if no user is provided on the configuration file or
    the environment.  See docs/features/qemu-deprivilege.pandoc for more
    information about how to setup those users.
    
    Bootloader restrict mode is not enabled by default as it requires certain
    setup to be done first (setup of the user(s) to use in restrict mode).
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 1f762642d2cad1a40634e3280361928109d902f1)
---
 docs/man/xl.1.pod.in                | 33 ++++++++++++++
 tools/libs/light/libxl_bootloader.c | 89 +++++++++++++++++++++++++++++++++++--
 tools/libs/light/libxl_dm.c         |  8 ++--
 tools/libs/light/libxl_internal.h   |  8 ++++
 4 files changed, 131 insertions(+), 7 deletions(-)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 101e14241d..4831e12242 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1957,6 +1957,39 @@ ignored:
 
 =back
 
+=head1 ENVIRONMENT VARIABLES
+
+The following environment variables shall affect the execution of xl:
+
+=over 4
+
+=item LIBXL_BOOTLOADER_RESTRICT
+
+Attempt to restrict the bootloader after startup, to limit the
+consequences of security vulnerabilities due to parsing guest
+owned image files.
+
+See docs/features/qemu-deprivilege.pandoc for more information
+on how to setup the unprivileged users.
+
+Note that running the bootloader in restricted mode also implies using
+non-interactive mode, and the disk image must be readable by the
+restricted user.
+
+Having this variable set is equivalent to enabling the option, even if the
+value is 0.
+
+=item LIBXL_BOOTLOADER_USER
+
+When using bootloader_restrict, run the bootloader as this user.  If
+not set the default QEMU restrict users will be used.
+
+NOTE: Each domain MUST have a SEPARATE username.
+
+See docs/features/qemu-deprivilege.pandoc for more information.
+
+=back
+
 =head1 SEE ALSO
 
 The following man pages:
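Review bot: the LIBXL_BOOTLOADER_USER entry refers to "bootloader_restrict", but no option of that name is defined anywhere in this patch; the text should name LIBXL_BOOTLOADER_RESTRICT instead. The code in make_bootloader_args() also enables restricted mode when only LIBXL_BOOTLOADER_USER is set, which neither entry says. Since "Having this variable set is equivalent to enabling the option, even if the value is 0" is easy to trip over, it would help to say outright that the variable has to be unset to disable restriction.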
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 108329b4a5..23c0ef3e89 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -14,6 +14,7 @@
 
 #include "libxl_osdeps.h" /* must come before any other headers */
 
+#include <pwd.h>
 #include <termios.h>
 #ifdef HAVE_UTMP_H
 #include <utmp.h>
@@ -42,8 +43,71 @@ static void bootloader_arg(libxl__bootloader_state *bl, const char *arg)
     bl->args[bl->nargs++] = arg;
 }
 
-static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
-                                 const char *bootloader_path)
+static int bootloader_uid(libxl__gc *gc, domid_t guest_domid,
+                          const char *user, uid_t *intended_uid)
+{
+    struct passwd *user_base, user_pwbuf;
+    int rc;
+
+    if (user) {
+        rc = userlookup_helper_getpwnam(gc, user, &user_pwbuf, &user_base);
+        if (rc) return rc;
+
+        if (!user_base) {
+            LOGD(ERROR, guest_domid, "Couldn't find user %s", user);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = user_base->pw_uid;
+        return 0;
+    }
+
+    /* Re-use QEMU user range for the bootloader. */
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
+                                    &user_pwbuf, &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        struct passwd *user_clash, user_clash_pwbuf;
+        uid_t temp_uid = user_base->pw_uid + guest_domid;
+
+        rc = userlookup_helper_getpwuid(gc, temp_uid, &user_clash_pwbuf,
+                                        &user_clash);
+        if (rc) return rc;
+
+        if (user_clash) {
+            LOGD(ERROR, guest_domid,
+                 "wanted to use uid %ld (%s + %d) but that is user %s !",
+                 (long)temp_uid, LIBXL_QEMU_USER_RANGE_BASE,
+                 guest_domid, user_clash->pw_name);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = temp_uid;
+        return 0;
+    }
+
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_SHARED, &user_pwbuf,
+                                    &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
+             LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
+        *intended_uid = user_base->pw_uid;
+
+        return 0;
+    }
+
+    LOGD(ERROR, guest_domid,
+    "Could not find user %s or range base pseudo-user %s, cannot restrict",
+         LIBXL_QEMU_USER_SHARED, LIBXL_QEMU_USER_RANGE_BASE);
+
+    return ERROR_INVAL;
+}
+
+static int make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+                                const char *bootloader_path)
 {
     const libxl_domain_build_info *info = bl->info;
 
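Review bot: in bootloader_uid(), the fallback to LIBXL_QEMU_USER_SHARED gives every domain's bootloader the same uid and only logs at WARN level, while the man page text added in this same patch says "Each domain MUST have a SEPARATE username". Either fail here unless the shared user was explicitly requested, or document next to the fallback what isolation is lost when bootloaders of different guests run under one uid. Style: the format string of the final LOGD is indented differently from its arguments.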
@@ -61,6 +125,23 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
         ARG(GCSPRINTF("--ramdisk=%s", info->ramdisk));
     if (info->cmdline && *info->cmdline != '\0')
         ARG(GCSPRINTF("--args=%s", info->cmdline));
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        uid_t uid = -1;
+        int rc = bootloader_uid(gc, bl->domid, getenv("LIBXL_BOOTLOADER_USER"),
+                                &uid);
+
+        if (rc) return rc;
+
+        assert(uid != -1);
+        if (!uid) {
+            LOGD(ERROR, bl->domid, "bootloader restrict UID is 0 (root)!");
+            return ERROR_INVAL;
+        }
+        LOGD(DEBUG, bl->domid, "using uid %ld", (long)uid);
+        ARG(GCSPRINTF("--runas=%ld", (long)uid));
+        ARG("--quiet");
+    }
 
     ARG(GCSPRINTF("--output=%s", bl->outputpath));
     ARG("--output-format=simple0");
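Review bot: the restrict decision in make_bootloader_args() comes only from getenv("LIBXL_BOOTLOADER_RESTRICT") and getenv("LIBXL_BOOTLOADER_USER"), while the commit message speaks of a user "provided on the configuration file or the environment"; no configuration-file path is visible in this patch, so the message or the code should be brought into line. Because the environment is per process, a toolstack creating several domains from one process passes the same LIBXL_BOOTLOADER_USER for each of them, which the man page forbids. Separately, --runas and --quiet are appended whatever bootloader_path is; a comment stating which bootloaders are expected to honour --runas would help.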
@@ -79,6 +160,7 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
     /* Sentinel for execv */
     ARG(NULL);
 
+    return 0;
 #undef ARG
 }
 
@@ -443,7 +525,8 @@ static void bootloader_disk_attached_cb(libxl__egc *egc,
             bootloader = bltmp;
     }
 
-    make_bootloader_args(gc, bl, bootloader);
+    rc = make_bootloader_args(gc, bl, bootloader);
+    if (rc) goto out;
 
     bl->openpty.ao = ao;
     bl->openpty.callback = bootloader_gotptys;
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index fc264a3a13..14b593110f 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -80,10 +80,10 @@ static int libxl__create_qemu_logfile(libxl__gc *gc, char *name)
  *  On error, return a libxl-style error code.
  */
 #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF)     \
-    static int userlookup_helper_##NAME(libxl__gc *gc,                  \
-                                        SPEC_TYPE spec,                 \
-                                        struct STRUCTNAME *resultbuf,   \
-                                        struct STRUCTNAME **out)        \
+    int userlookup_helper_##NAME(libxl__gc *gc,                         \
+                                 SPEC_TYPE spec,                        \
+                                 struct STRUCTNAME *resultbuf,          \
+                                 struct STRUCTNAME **out)               \
     {                                                                   \
         struct STRUCTNAME *resultp = NULL;                              \
         char *buf = NULL;                                               \
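Review bot: dropping static in DEFINE_USERLOOKUP_HELPER gives userlookup_helper_getpwnam and userlookup_helper_getpwuid external linkage without the libxl__ prefix that the other internal function visible here (libxl__create_qemu_logfile) carries, and the _hidden annotation appears only on the prototypes added to libxl_internal.h. Consider renaming them to libxl__userlookup_helper_* and extending the comment above the macro to say the helpers are now shared with libxl_bootloader.c.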
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index 7ad38de30e..f1e3a9a15b 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -4873,6 +4873,14 @@ struct libxl__cpu_policy {
     struct xc_msr *msr;
 };
 
+struct passwd;
+_hidden int userlookup_helper_getpwnam(libxl__gc*, const char *user,
+                                       struct passwd *res,
+                                       struct passwd **out);
+_hidden int userlookup_helper_getpwuid(libxl__gc*, uid_t uid,
+                                       struct passwd *res,
+                                       struct passwd **out);
+
 #endif
 
 /*
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:24:04 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:24:04 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615719.957095 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoB2-0008AZ-D4; Thu, 12 Oct 2023 05:24:04 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615719.957095; Thu, 12 Oct 2023 05:24:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoB2-0008AR-AN; Thu, 12 Oct 2023 05:24:04 +0000
Received: by outflank-mailman (input) for mailman id 615719;
 Thu, 12 Oct 2023 05:24:03 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoB1-0008AJ-BZ
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:03 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoB1-0003MQ-Ai
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:03 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoB1-0007p9-9y
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:03 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] libxl: limit bootloader execution in restricted mode
Message-Id: <E1qqoB1-0007p9-9y@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:24:03 +0000

commit 46d00dbf4c22b28910f73f66a03e5cabe50b5395
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Thu Sep 28 12:22:35 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:54:00 2023 +0200

    libxl: limit bootloader execution in restricted mode
    
    Introduce a timeout for bootloader execution when running in restricted mode.
    
    Allow overwriting the default time out with an environment provided value.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 9c114178ffd700112e91f5ec66cf5151b9c9a8cc)
---
 docs/man/xl.1.pod.in                |  8 ++++++++
 tools/libs/light/libxl_bootloader.c | 40 +++++++++++++++++++++++++++++++++++++
 tools/libs/light/libxl_internal.h   |  2 ++
 3 files changed, 50 insertions(+)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 4831e12242..c3eb6570ab 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1988,6 +1988,14 @@ NOTE: Each domain MUST have a SEPARATE username.
 
 See docs/features/qemu-deprivilege.pandoc for more information.
 
+=item LIBXL_BOOTLOADER_TIMEOUT
+
+Timeout in seconds for bootloader execution when running in restricted mode.
+Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used.
+
+If defined the value must be an unsigned integer between 0 and INT_MAX,
+otherwise behavior is undefined.  Setting to 0 disables the timeout.
+
 =back
 
 =head1 SEE ALSO
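Review bot: the LIBXL_BOOTLOADER_TIMEOUT entry says "Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used", which uses one name for both the environment variable and the build-time constant and has no preceding clause for "Otherwise" to refer to. Suggest "If unset, the build-time default (120 seconds) is used." Leaving out-of-range input as "behavior is undefined" is weak for a security control; it would be better to validate the value in the code and document that invalid values are rejected.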
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 23c0ef3e89..ee26d08f37 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -30,6 +30,8 @@ static void bootloader_keystrokes_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
 static void bootloader_display_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc);
 static void bootloader_domaindeath(libxl__egc*, libxl__domaindeathcheck *dc,
                                    int rc);
 static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
@@ -297,6 +299,7 @@ void libxl__bootloader_init(libxl__bootloader_state *bl)
     bl->ptys[0].master = bl->ptys[0].slave = 0;
     bl->ptys[1].master = bl->ptys[1].slave = 0;
     libxl__ev_child_init(&bl->child);
+    libxl__ev_time_init(&bl->time);
     libxl__domaindeathcheck_init(&bl->deathcheck);
     bl->keystrokes.ao = bl->ao;  libxl__datacopier_init(&bl->keystrokes);
     bl->display.ao = bl->ao;     libxl__datacopier_init(&bl->display);
@@ -314,6 +317,7 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
     libxl__domaindeathcheck_stop(gc,&bl->deathcheck);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     for (i=0; i<2; i++) {
         libxl__carefd_close(bl->ptys[i].master);
         libxl__carefd_close(bl->ptys[i].slave);
@@ -375,6 +379,7 @@ static void bootloader_stop(libxl__egc *egc,
 
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     if (libxl__ev_child_inuse(&bl->child)) {
         r = kill(bl->child.pid, SIGTERM);
         if (r) LOGED(WARN, bl->domid, "%sfailed to kill bootloader [%lu]",
@@ -637,6 +642,25 @@ static void bootloader_gotptys(libxl__egc *egc, libxl__openpty_state *op)
 
     struct termios termattr;
 
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        const char *timeout_env = getenv("LIBXL_BOOTLOADER_TIMEOUT");
+        int timeout = timeout_env ? atoi(timeout_env)
+                                  : LIBXL_BOOTLOADER_TIMEOUT;
+
+        if (timeout) {
+            /* Set execution timeout */
+            rc = libxl__ev_time_register_rel(ao, &bl->time,
+                                            bootloader_timeout,
+                                            timeout * 1000);
+            if (rc) {
+                LOGED(ERROR, bl->domid,
+                      "unable to register timeout for bootloader execution");
+                goto out;
+            }
+        }
+    }
+
     pid_t pid = libxl__ev_child_fork(gc, &bl->child, bootloader_finished);
     if (pid == -1) {
         rc = ERROR_FAIL;
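Review bot: in bootloader_gotptys(), LIBXL_BOOTLOADER_TIMEOUT is parsed with atoi() and never validated, so a non-numeric value evaluates to 0 and silently disables the timeout that this patch introduces as a hardening measure. The product timeout * 1000 is computed in int and overflows for values above INT_MAX / 1000, although the man page allows values up to INT_MAX; negative values are passed through as well. Suggest strtoul() with an end-pointer and range check, returning an error on invalid input. The getenv() test for restricted mode is also repeated here from make_bootloader_args(); a single helper would keep the two from drifting apart.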
@@ -702,6 +726,21 @@ static void bootloader_display_copyfail(libxl__egc *egc,
     libxl__bootloader_state *bl = CONTAINER_OF(dc, *bl, display);
     bootloader_copyfail(egc, "bootloader output", bl, 1, rc,onwrite,errnoval);
 }
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc)
+{
+    libxl__bootloader_state *bl = CONTAINER_OF(ev, *bl, time);
+    STATE_AO_GC(bl->ao);
+
+    libxl__ev_time_deregister(gc, &bl->time);
+
+    assert(libxl__ev_child_inuse(&bl->child));
+    LOGD(ERROR, bl->domid, "killing bootloader because of timeout");
+
+    libxl__ev_child_kill_deregister(ao, &bl->child, SIGKILL);
+
+    bootloader_callback(egc, bl, rc);
+}
 
 static void bootloader_domaindeath(libxl__egc *egc,
                                    libxl__domaindeathcheck *dc,
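Review bot: bootloader_timeout() logs "killing bootloader because of timeout" and sends SIGKILL without looking at the rc it was called with, then forwards that same rc to bootloader_callback(). If the event can be delivered with an rc other than the timeout one, the log line is misleading; checking rc first, or a comment stating which rc values are possible here, would settle that. Style: there is no blank line between the closing brace of bootloader_display_copyfail() and the new function.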
@@ -718,6 +757,7 @@ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
     STATE_AO_GC(bl->ao);
     int rc;
 
+    libxl__ev_time_deregister(gc, &bl->time);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
 
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index f1e3a9a15b..d05783617f 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -102,6 +102,7 @@
 #define LIBXL_QMP_CMD_TIMEOUT 10
 #define LIBXL_STUBDOM_START_TIMEOUT 30
 #define LIBXL_QEMU_BODGE_TIMEOUT 2
+#define LIBXL_BOOTLOADER_TIMEOUT 120
 #define LIBXL_XENCONSOLE_LIMIT 1048576
 #define LIBXL_XENCONSOLE_PROTOCOL "vt100"
 #define LIBXL_MAXMEM_CONSTANT 1024
@@ -3744,6 +3745,7 @@ struct libxl__bootloader_state {
     libxl__openpty_state openpty;
     libxl__openpty_result ptys[2];  /* [0] is for bootloader */
     libxl__ev_child child;
+    libxl__ev_time time;
     libxl__domaindeathcheck deathcheck;
     int nargs, argsspace;
     const char **args;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:24:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:24:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615720.957100 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoBC-0008Di-EV; Thu, 12 Oct 2023 05:24:14 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615720.957100; Thu, 12 Oct 2023 05:24:14 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoBC-0008Da-Bo; Thu, 12 Oct 2023 05:24:14 +0000
Received: by outflank-mailman (input) for mailman id 615720;
 Thu, 12 Oct 2023 05:24:13 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBB-0008DN-F1
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:13 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBB-0003Mb-EF
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:13 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBB-0007pj-DH
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:13 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] x86/svm: Fix asymmetry with AMD DR MASK context switching
Message-Id: <E1qqoBB-0007pj-DH@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:24:13 +0000

commit 3f8b444072fd8615288d9d11e53fbf0b6a8a7750
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:03:36 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:54:03 2023 +0200

    x86/svm: Fix asymmetry with AMD DR MASK context switching
    
    The handling of MSR_DR{0..3}_MASK is asymmetric between PV and HVM guests.
    
    HVM guests context switch in based on the guest view of DBEXT, whereas PV
    guests switch in based on the host capability.  Both guest types leave the
    context dirty for the next vCPU.
    
    This leads to the following issue:
    
     * PV or HVM vCPU has debugging active (%dr7 + mask)
     * Switch out deactivates %dr7 but leaves other state stale in hardware
     * HVM vCPU with debugging active but can't see DBEXT is switched in
     * Switch in loads %dr7 but leaves the mask MSRs alone
    
    Now, the HVM vCPU is operating in the context of the prior vCPU's mask MSR,
    and furthermore in a case where it genuinely expects there to be no masking
    MSRs.
    
    As a stopgap, adjust the HVM path to switch in/out the masks based on host
    capabilities rather than guest visibility (i.e. like the PV path).  Adjustment
    of the intercepts still needs to be dependent on the guest visibility
    of DBEXT.
    
    This is part of XSA-444 / CVE-2023-34327
    
    Fixes: c097f54912d3 ("x86/SVM: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit 5d54282f984bb9a7a65b3d12208584f9fdf1c8e1)
---
 xen/arch/x86/hvm/svm/svm.c | 24 ++++++++++++++++++------
 xen/arch/x86/traps.c       |  5 +++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index e8f50e7c5e..fd32600ae3 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -339,6 +339,10 @@ static void svm_save_dr(struct vcpu *v)
     v->arch.hvm.flag_dr_dirty = 0;
     vmcb_set_dr_intercepts(vmcb, ~0u);
 
+    /*
+     * The guest can only have changed the mask MSRs if we previous dropped
+     * intercepts.  Re-read them from hardware.
+     */
     if ( v->domain->arch.cpuid->extd.dbext )
     {
         svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_RW);
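Review bot: the new comment in svm_save_dr() reads "if we previous dropped intercepts"; that should be "previously". It also says "Re-read them from hardware", but the condition below it still tests the guest's cpuid->extd.dbext, so the comment should state that the re-read is limited to guests that can see DBEXT because only those ever had the intercepts dropped.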
@@ -370,17 +374,25 @@ static void __restore_debug_registers(struct vmcb_struct *vmcb, struct vcpu *v)
 
     ASSERT(v == current);
 
-    if ( v->domain->arch.cpuid->extd.dbext )
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
+    if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
-        svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, v->arch.msrs->dr_mask[0]);
         wrmsrl(MSR_AMD64_DR1_ADDRESS_MASK, v->arch.msrs->dr_mask[1]);
         wrmsrl(MSR_AMD64_DR2_ADDRESS_MASK, v->arch.msrs->dr_mask[2]);
         wrmsrl(MSR_AMD64_DR3_ADDRESS_MASK, v->arch.msrs->dr_mask[3]);
+
+        if ( v->domain->arch.cpuid->extd.dbext )
+        {
+            svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+        }
     }
 
     write_debugreg(0, v->arch.dr[0]);
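Review bot: in __restore_debug_registers(), the wrmsrl() calls now run for every HVM vCPU on DBEXT-capable hosts, so for a guest that cannot see DBEXT the correctness of this stopgap depends on v->arch.msrs->dr_mask[] holding zeroes. The comment explains why the sync is needed but not that assumption; please state it, or add an ASSERT that the masks are zero when cpuid->extd.dbext is clear. Keeping svm_intercept_msr(..., MSR_INTERCEPT_NONE) under the guest-visibility check matches the commit message.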
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index e65cc60041..06c4f3868b 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2281,6 +2281,11 @@ void activate_debugregs(const struct vcpu *curr)
     if ( curr->arch.dr7 & DR7_ACTIVE_MASK )
         write_debugreg(7, curr->arch.dr7);
 
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
     if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, curr->arch.msrs->dr_mask[0]);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 05:24:24 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 05:24:24 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615721.957103 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoBM-0008GS-Fy; Thu, 12 Oct 2023 05:24:24 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615721.957103; Thu, 12 Oct 2023 05:24:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqoBM-0008GK-DD; Thu, 12 Oct 2023 05:24:24 +0000
Received: by outflank-mailman (input) for mailman id 615721;
 Thu, 12 Oct 2023 05:24:23 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBL-0008G8-IA
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:23 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBL-0003Mi-HL
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:23 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqoBL-0007q8-GZ
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 05:24:23 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.17] x86/pv: Correct the auditing of guest breakpoint addresses
Message-Id: <E1qqoBL-0007q8-GZ@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 05:24:23 +0000

commit 0b56bed864ca9b572473957f0254aefa797216f2
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:03:36 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:54:03 2023 +0200

    x86/pv: Correct the auditing of guest breakpoint addresses
    
    The use of access_ok() is buggy, because it permits access to the compat
    translation area.  64bit PV guests don't use the XLAT area, but on AMD
    hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
    region, allowing the breakpoint to reach outside of the XLAT area.
    
    Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
    32-bit PV"), the live GDT was within 4G of the XLAT area.
    
    All together, this allowed a malicious 64bit PV guest on AMD hardware to place
    a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).
    
    Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
    appropriate check in this case.
    
    For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
    to be on its own with nothing interesting adjacent.  For Xen 4.13 and older on
    AMD hardware, this fixes a PV-trigger-able DoS.
    
    This is part of XSA-444 / CVE-2023-34328.
    
    Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit dc9d9aa62ddeb14abd5672690d30789829f58f7e)
---
 xen/arch/x86/include/asm/debugreg.h | 20 ++++++++++++++++++++
 xen/arch/x86/pv/misc-hypercalls.c   |  2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/include/asm/debugreg.h b/xen/arch/x86/include/asm/debugreg.h
index c57914efc6..cc29826524 100644
--- a/xen/arch/x86/include/asm/debugreg.h
+++ b/xen/arch/x86/include/asm/debugreg.h
@@ -77,6 +77,26 @@
     asm volatile ( "mov %%db" #reg ",%0" : "=r" (__val) );  \
     __val;                                                  \
 })
+
+/*
+ * Architecturally, %dr{0..3} can have any arbitrary value.  However, Xen
+ * can't allow the guest to breakpoint the Xen address range, so we limit the
+ * guest to the lower canonical half, or above the Xen range in the higher
+ * canonical half.
+ *
+ * Breakpoint lengths are specified to mask the low order address bits,
+ * meaning all breakpoints are naturally aligned.  With %dr7, the widest
+ * breakpoint is 8 bytes.  With DBEXT, the widest breakpoint is 4G.  Both of
+ * the Xen boundaries have >4G alignment.
+ *
+ * In principle we should account for HYPERVISOR_COMPAT_VIRT_START(d), but
+ * 64bit Xen has never enforced this for compat guests, and there's no problem
+ * (to Xen) if the guest breakpoints it's alias of the M2P.  Skipping this
+ * aspect simplifies the logic, and causes us not to reject a migrating guest
+ * which operated fine on prior versions of Xen.
+ */
+#define breakpoint_addr_ok(a) __addr_ok(a)
+
 long set_debugreg(struct vcpu *, unsigned int reg, unsigned long value);
 void activate_debugregs(const struct vcpu *);
 
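Review bot: The comment justifies `#define breakpoint_addr_ok(a) __addr_ok(a)` by stating that both Xen boundaries have >4G alignment, but nothing in this hunk enforces that, so a later layout change could silently make the address-only check insufficient for DBEXT-widened breakpoints. Consider a build-time assertion on the alignment of the two boundaries next to the macro. Minor: "it's alias of the M2P" in the same comment should read "its alias".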
diff --git a/xen/arch/x86/pv/misc-hypercalls.c b/xen/arch/x86/pv/misc-hypercalls.c
index aaaf70eb63..f8636de907 100644
--- a/xen/arch/x86/pv/misc-hypercalls.c
+++ b/xen/arch/x86/pv/misc-hypercalls.c
@@ -72,7 +72,7 @@ long set_debugreg(struct vcpu *v, unsigned int reg, unsigned long value)
     switch ( reg )
     {
     case 0 ... 3:
-        if ( !access_ok(value, sizeof(long)) )
+        if ( !breakpoint_addr_ok(value) )
             return -EPERM;
 
         v->arch.dr[reg] = value;
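Review bot: At the `case 0 ... 3:` check the length argument disappears together with access_ok(), so the call site no longer shows why an address-only test is sufficient. A short comment pointing at the explanation above breakpoint_addr_ok() in debugreg.h (breakpoints are naturally aligned, and the Xen boundaries are aligned beyond the widest breakpoint) would keep a future reader from re-adding a size-based check.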
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:10 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
Message-Id: <E1qqwOz-00087m-Vy@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:01 +0000

commit 5fc98b97084a46884acef9320e643faf40d42212
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Tue Jun 13 15:01:05 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:49 2023 +0100

    iommu/amd-vi: flush IOMMU TLB when flushing the DTE
    
    The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
    3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
    malfunction (see stale DMA mappings) if some fields of the DTE are updated but
    the IOMMU TLB is not flushed. This has been observed in practice on AMD
    systems.  Due to the lack of guidance from the currently published
    specification this patch aims to increase the flushing done in order to prevent
    device malfunction.
    
    In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
    amd_iommu_flush_device(), flushing all the address space.  Note this requires
    callers to be adjusted in order to pass the DomID on the DTE previous to the
    modification.
    
    Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
    order to avoid the flush.  That's because the device had address translations
    disabled and hence the previous DomID on the DTE is not valid.  Note the
    current logic relies on the entity disabling address translations to also flush
    the TLB of the in use DomID.
    
    Device I/O TLB flushing when ATS are enabled is not covered by the current
    change, as ATS usage is not security supported.
    
    This is XSA-442 / CVE-2023-34326
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/drivers/passthrough/amd/iommu.h         |  3 ++-
 xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
 xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
 xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
 xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
index 02111d23df..d4416ebc43 100644
--- a/xen/drivers/passthrough/amd/iommu.h
+++ b/xen/drivers/passthrough/amd/iommu.h
@@ -283,7 +283,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
                            unsigned int order);
 void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
                            daddr_t daddr, unsigned int order);
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid);
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
 void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
 
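Review bot: The new `domid_t domid` parameter of amd_iommu_flush_device() is undocumented at the declaration, yet callers need to know two things: it is the DomID the DTE held before the update, and DOMID_INVALID suppresses the IOMMU TLB flush. A one-line comment above the prototype stating both would keep a caller from passing the new DomID by mistake.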
diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
index 40ddf366bb..cb28b36abc 100644
--- a/xen/drivers/passthrough/amd/iommu_cmd.c
+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
@@ -363,10 +363,18 @@ void amd_iommu_flush_pages(struct domain *d,
     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
 }
 
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid)
 {
     invalidate_dev_table_entry(iommu, bdf);
     flush_command_buffer(iommu, 0);
+
+    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
+    if ( domid != DOMID_INVALID )
+    {
+        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
+        flush_command_buffer(iommu, 0);
+    }
 }
 
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
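Review bot: amd_iommu_flush_device() now calls flush_command_buffer() twice when domid is valid, once after invalidate_dev_table_entry() and again after invalidate_iommu_pages(), and the added comment does not say whether the DTE invalidation has to complete before the TLB invalidation is queued. If that ordering is required, state it in the comment; if it is not, queue both commands and wait once.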
diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
index 80d289b8bf..4c4252eea1 100644
--- a/xen/drivers/passthrough/amd/iommu_guest.c
+++ b/xen/drivers/passthrough/amd/iommu_guest.c
@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
 
 static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
 {
-    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
+    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
     struct amd_iommu_dte *gdte, *mdte, *dte_base;
     struct amd_iommu *iommu = NULL;
     struct guest_iommu *g_iommu;
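Review bot: prev_domid is added to the uint16_t declaration list here, while the other call sites in this patch that save the previous DomID declare it as domid_t, matching the new amd_iommu_flush_device() prototype. Declare it on its own line as `domid_t prev_domid;` for consistency.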
@@ -445,13 +445,14 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
     req_id = get_dma_requestor_id(iommu->seg, mbdf);
     dte_base = iommu->dev_table.buffer;
     mdte = &dte_base[req_id];
+    prev_domid = mdte->domain_id;
 
     spin_lock_irqsave(&iommu->lock, flags);
     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
 
     spin_unlock_irqrestore(&iommu->lock, flags);
 
-    amd_iommu_flush_device(iommu, req_id);
+    amd_iommu_flush_device(iommu, req_id, prev_domid);
 
     return 0;
 }
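Review bot: `prev_domid = mdte->domain_id;` is read before spin_lock_irqsave(&iommu->lock, flags), whereas amd_iommu_disable_domain_device() in this patch takes its snapshot with the lock held. Move the read inside the locked region so it is taken from the same DTE state that dte_set_gcr3_table() then modifies. The value is also passed unconditionally; the commit message notes that the DomID is not valid when translations were disabled, so it is worth saying whether that case can occur on this path.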
diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
index 41ec38bb72..9c01a49435 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -1551,7 +1551,11 @@ static int cf_check _invalidate_all_devices(
         req_id = ivrs_mappings[bdf].dte_requestor_id;
         if ( iommu )
         {
-            amd_iommu_flush_device(iommu, req_id);
+            /*
+             * IOMMU TLB flush performed separately (see
+             * invalidate_all_domain_pages()).
+             */
+            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
             amd_iommu_flush_intremap(iommu, req_id);
         }
     }
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index 836c24b02e..6bc73dc210 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -192,10 +192,13 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
     }
     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /*
          * Strictly speaking if the device is the only one with this requestor
          * ID, it could be allowed to be re-assigned regardless of unity map
@@ -252,7 +255,7 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
     }
     else
         spin_unlock_irqrestore(&iommu->lock, flags);
@@ -421,6 +424,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
     spin_lock_irqsave(&iommu->lock, flags);
     if ( dte->tv || dte->v )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /* See the comment in amd_iommu_setup_device_table(). */
         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
         smp_wmb();
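Review bot: In amd_iommu_disable_domain_device() the previous DomID is captured whenever `dte->tv || dte->v` holds, so it is also used when only one of the two bits is set. The other call sites in this patch pass DOMID_INVALID when the DTE did not have DMA translations enabled; please either do the same here for the corresponding case or add a comment explaining why domain_id is meaningful (or the extra flush harmless) under this condition.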
@@ -439,7 +444,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
 
         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
                         "domain = %d, paging mode = %d\n",
@@ -610,7 +615,8 @@ static int cf_check amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, bdf);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
     }
 
     if ( amd_iommu_reserve_domain_unity_map(
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libfsimage/xfs: Remove dead code
Message-Id: <E1qqwPA-0008A6-2t@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:12 +0000

commit 37fc1e6c1c5c63aafd9cfd76a37728d5baea7d71
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:50 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:49 2023 +0100

    libfsimage/xfs: Remove dead code
    
    xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
    that serve no purpose.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index b8b4ca928c..245ae9a18b 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -38,7 +38,6 @@ struct xfs_info {
 	int blklog;
 	int inopblog;
 	int agblklog;
-	int agnolog;
 	unsigned int nextents;
 	xfs_daddr_t next;
 	xfs_daddr_t daddr;
@@ -66,9 +65,7 @@ static struct xfs_info xfs;
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
-#define	XFS_INO_AGBNO_BITS	xfs.agblklog
 #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
-#define	XFS_INO_AGNO_BITS	xfs.agnolog
 
 static inline xfs_agblock_t
 agino2agbno (xfs_agino_t agino)
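Review bot: This hunk removes XFS_INO_AGNO_BITS as well as XFS_INO_AGBNO_BITS, but the commit message names only xfs_info.agnolog and XFS_INO_AGBNO_BITS. Listing XFS_INO_AGNO_BITS (and xfs_highbit32(), removed further down) in the message would make the change easier to audit against the security advisory it belongs to.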
@@ -150,20 +147,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
 	return le32(r->l3) & mask32lo(21);
 }
 
-static inline int
-xfs_highbit32(xfs_uint32_t v)
-{
-	int i;
-
-	if (--v) {
-		for (i = 0; i < 31; i++, v >>= 1) {
-			if (v == 0)
-				return i;
-		}
-	}
-	return 0;
-}
-
 static int
 isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
 {
@@ -470,7 +453,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 
 	xfs.inopblog = super.sb_inopblog;
 	xfs.agblklog = super.sb_agblklog;
-	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
 
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:24 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libfsimage/xfs: Amend mask32lo() to allow the value 32
Message-Id: <E1qqwPK-0008Ak-5z@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:22 +0000

commit ddc45e4eea946bb373a4b4a60c84bf9339cf413b
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:51 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:49 2023 +0100

    libfsimage/xfs: Amend mask32lo() to allow the value 32
    
    agblklog could plausibly be 32, but that would overflow this shift.
    Perform the shift as ULL and cast to u32 at the end instead.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
---
 tools/libfsimage/xfs/fsys_xfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 245ae9a18b..dbdb21d156 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -61,7 +61,7 @@ static struct xfs_info xfs;
 #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
 #define icore		(inode->di_core)
 
-#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
+#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
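Review bot: After this change mask32lo(n) has the same body as XFS_INO_MASK(k) two lines below, differing only in the `1ull` versus `1ULL` suffix spelling. Define one in terms of the other, or at least use the same suffix, so the two cannot drift apart again. The macro still has no upper bound on n, so a short comment stating the accepted range (up to and including 32, per the commit message) would document what callers may pass.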
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libfsimage/xfs: Sanity-check the superblock during mounts
Message-Id: <E1qqwPU-0008B9-Av@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:32 +0000

commit 620500dd1baf33347dfde5e7fde7cf7fe347da5c
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:52 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    libfsimage/xfs: Sanity-check the superblock during mounts
    
    Sanity-check the XFS superblock for wellformedness at the mount handler.
    This forces pygrub to abort parsing a potentially malformed filesystem and
    ensures the invariants assumed throughout the rest of the code hold.
    
    Also, derive parameters from previously sanitized parameters where possible
    (rather than reading them off the superblock)
    
    The code doesn't try to avoid overflowing the end of the disk, because
    that's an unlikely and benign error. Parameters used in calculations of
    xfs_daddr_t (like the root inode index) aren't in critical need of being
    sanitized.
    
    The sanitization of agblklog is basically checking that no obvious
    overflows happen on agblklog, and then ensuring agblocks is contained in
    the range (2^(sb_agblklog-1), 2^sb_agblklog].
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++++++++---------
 tools/libfsimage/xfs/xfs.h      | 12 +++++++++++
 2 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index dbdb21d156..b5c53d3d22 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -18,6 +18,7 @@
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <xenfsimage_grub.h>
 #include "xfs.h"
 
@@ -431,29 +432,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
 	return next_dentry (ffi, ino);
 }
 
+static bool
+xfs_sb_is_invalid (const xfs_sb_t *super)
+{
+	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
+	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
+	        XFS_SB_VERSION_4)
+	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
+	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
+	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
+	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
+	    || (super->sb_blocklog < super->sb_inodelog)
+	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
+	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
+	    || (((1ull << super->sb_agblklog) >> 1) >=
+	        le32(super->sb_agblocks))
+	    || ((super->sb_blocklog + super->sb_dirblklog) >=
+	        XFS_SB_DIRBLK_NUMBITS);
+}
+
 static int
 xfs_mount (fsi_file_t *ffi, const char *options)
 {
 	xfs_sb_t super;
 
 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
-	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
-	    || ((le16(super.sb_versionnum) 
-		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
+	    || xfs_sb_is_invalid(&super)) {
 		return 0;
 	}
 
-	xfs.bsize = le32 (super.sb_blocksize);
-	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = xfs.blklog - SECTOR_BITS;
+	/*
+	 * Not sanitized. It's exclusively used to generate disk addresses,
+	 * so it's not important from a security standpoint.
+	 */
 	xfs.rootino = le64 (super.sb_rootino);
-	xfs.isize = le16 (super.sb_inodesize);
-	xfs.agblocks = le32 (super.sb_agblocks);
-	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
 
-	xfs.inopblog = super.sb_inopblog;
+	/*
+	 * Sanitized to be consistent with each other, only used to
+	 * generate disk addresses, so it's safe
+	 */
+	xfs.agblocks = le32 (super.sb_agblocks);
 	xfs.agblklog = super.sb_agblklog;
 
+	/* Derived from sanitized parameters */
+	xfs.bsize = 1 << super.sb_blocklog;
+	xfs.blklog = super.sb_blocklog;
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+	xfs.isize = 1 << super.sb_inodelog;
+	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
+	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
+
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
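Review bot: xfs_sb_is_invalid() validates the log fields, but xfs_mount() now ignores sb_blocksize, sb_inodesize and sb_inopblog without checking that they agree with the values derived from sb_blocklog and sb_inodelog. A superblock where they disagree is malformed and is still accepted; rejecting it would match the stated goal of aborting on a malformed filesystem. Separately, `xfs.bdlog = super.sb_blocklog - SECTOR_BITS;` is only safe if XFS_SB_BLOCKLOG_MIN is at least SECTOR_BITS, and nothing in this hunk checks that relationship.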
diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
index 40699281e4..b87e37d3d7 100644
--- a/tools/libfsimage/xfs/xfs.h
+++ b/tools/libfsimage/xfs/xfs.h
@@ -134,6 +134,18 @@ typedef struct xfs_sb
         xfs_uint8_t       sb_dummy[7];    /* padding */
 } xfs_sb_t;
 
+/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
+#define	XFS_SB_DIRBLK_NUMBITS	27
+/* Implied by the XFS specification. The minimum block size is 512 octets */
+#define	XFS_SB_BLOCKLOG_MIN	9
+/* Implied by the XFS specification. The maximum block size is 65536 octets */
+#define	XFS_SB_BLOCKLOG_MAX	16
+/* Implied by the XFS specification. The minimum inode size is 256 octets */
+#define	XFS_SB_INODELOG_MIN	8
+/* Implied by the XFS specification. The maximum inode size is 2048 octets */
+#define	XFS_SB_INODELOG_MAX	11
+/* High bound for sb_agblklog */
+#define	XFS_SB_AGBLKLOG_MAX	32
 
 /* those are from xfs_btree.h */
 
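Review bot: The comment on XFS_SB_AGBLKLOG_MAX ("High bound for sb_agblklog") does not say where 32 comes from, while every other bound added in this hunk cites either the XFS specification or GRUB2. State the rationale, for example that it is the largest shift the 32-bit masks built from agblklog can take.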
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:43 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libfsimage/xfs: Add compile-time check to libfsimage
Message-Id: <E1qqwPe-0008Bi-Dy@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:42 +0000

commit 7d85c70431593550e32022e3a19a37f306f49e00
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:53 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    libfsimage/xfs: Add compile-time check to libfsimage
    
    Adds the common tools include folder to the -I compile flags
    of libfsimage. This allows us to use:
      xen-tools/common-macros.h:BUILD_BUG_ON()
    
    With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
    underflow.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 tools/libfsimage/common.mk      | 2 +-
 tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common.mk b/tools/libfsimage/common.mk
index 4fc8c66795..e4336837d0 100644
--- a/tools/libfsimage/common.mk
+++ b/tools/libfsimage/common.mk
@@ -1,7 +1,7 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
 FSDIR := $(libdir)/xenfsimage
-CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
+CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
 CFLAGS += -D_GNU_SOURCE
 LDFLAGS += -L../common/
 
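Review bot: $(CFLAGS_xeninclude) is added in common.mk, which applies to everything built under tools/libfsimage, although the diffstat shows only xfs/fsys_xfs.c using the new header. If the wider include path is intentional so other backends can use BUILD_BUG_ON() later, say so in the commit message; otherwise scope the flag to the xfs build.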
diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index b5c53d3d22..e98b367901 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -20,6 +20,7 @@
 #include <stddef.h>
 #include <stdbool.h>
 #include <xenfsimage_grub.h>
+#include <xen-tools/common-macros.h>
 #include "xfs.h"
 
 #define MAX_LINK_COUNT	8
@@ -475,9 +476,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 	xfs.agblklog = super.sb_agblklog;
 
 	/* Derived from sanitized parameters */
+	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.bsize = 1 << super.sb_blocklog;
 	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.isize = 1 << super.sb_inodelog;
 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
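Review bot: the BUILD_BUG_ON covers only the bdlog subtraction, while `xfs.inopblog = super.sb_blocklog - super.sb_inodelog;` on the last line of this hunk has the same shape and gets no equivalent guard. XFS_SB_INODELOG_MAX is 11, so unless XFS_SB_BLOCKLOG_MIN is at least that, a compile-time check cannot protect it and it has to rely on a runtime comparison made during sanitization, which is not visible here. A comment naming that runtime check, or a second BUILD_BUG_ON if the constants allow it, would make the "Derived from sanitized parameters" claim checkable for every line under it.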
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:11:53 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/pygrub: Remove unnecessary hypercall
Message-Id: <E1qqwPo-0008CF-Gv@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:11:52 +0000

commit f4b504c6170c446e61055cbd388ae4e832a9deca
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:21 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    tools/pygrub: Remove unnecessary hypercall
    
    There's a hypercall being issued in order to determine whether PV64 is
    supported, but since Xen 4.3 that's strictly true so it's not required.
    
    Plus, this way we can avoid mapping the privcmd interface altogether in the
    depriv pygrub.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
 tools/pygrub/src/pygrub | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index a759d90ade..0be6720ce0 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -18,7 +18,6 @@ import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
 import logging
 import platform
-import xen.lowlevel.xc
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
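Review bot: dropping `import xen.lowlevel.xc` is only safe if supports64bitPVguest() was its sole user. The hunks in this patch remove that one function, so please confirm nothing else in the file references xen.lowlevel, and say so in the commit message, since the stated goal is that the depriv pygrub never maps the privcmd interface.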
@@ -668,14 +667,6 @@ def run_grub(file, entry, fs, cfg_args):
 
     return grubcfg
 
-def supports64bitPVguest():
-    xc = xen.lowlevel.xc.xc()
-    caps = xc.xeninfo()['xen_caps'].split(" ")
-    for cap in caps:
-        if cap == "xen-3.0-x86_64":
-            return True
-    return False
-
 # If nothing has been specified, look for a Solaris domU. If found, perform the
 # necessary tweaks.
 def sniff_solaris(fs, cfg):
@@ -684,8 +675,7 @@ def sniff_solaris(fs, cfg):
         return cfg
 
     if not cfg["kernel"]:
-        if supports64bitPVguest() and \
-          fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
+        if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
             cfg["kernel"] = "/platform/i86xpv/kernel/amd64/unix"
             cfg["ramdisk"] = "/platform/i86pc/amd64/boot_archive"
         elif fs.file_exists("/platform/i86xpv/kernel/unix"):
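Review bot: in sniff_solaris() the amd64 kernel is now chosen purely on fs.file_exists(), with nothing in the code recording why the capability test is no longer needed. The rationale (PV64 always supported since Xen 4.3) lives only in the commit message; a one-line comment above the `if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):` branch would keep someone from reintroducing a hypercall here later.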
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:03 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/pygrub: Small refactors
Message-Id: <E1qqwPy-0008Cn-Jw@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:02 +0000

commit 9f2ff9a7c9b3ac734ae99f17f0134ed0343dcccf
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:22 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    tools/pygrub: Small refactors
    
    Small tidy up to ensure output_directory always has a trailing '/' to ease
    concatenating paths and that `output` can only be a filename or None.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
 tools/pygrub/src/pygrub | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 0be6720ce0..d31ac01878 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -793,7 +793,7 @@ if __name__ == "__main__":
     debug = False
     not_really = False
     output_format = "sxp"
-    output_directory = "/var/run/xen/pygrub"
+    output_directory = "/var/run/xen/pygrub/"
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -815,7 +815,8 @@ if __name__ == "__main__":
             usage()
             sys.exit()
         elif o in ("--output",):
-            output = a
+            if a != "-":
+                output = a
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
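Review bot: `if a != "-": output = a` in the --output branch leaves any earlier value of output in place, so `--output=file --output=-` now writes to file where the old code (assign, then test for "-" later) wrote to stdout. Assigning explicitly in both cases, e.g. `output = None if a == "-" else a`, keeps last-option-wins behaviour and still guarantees output is a filename or None.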
@@ -847,12 +848,11 @@ if __name__ == "__main__":
             if not os.path.isdir(a):
                 print("%s is not an existing directory" % a)
                 sys.exit(1)
-            output_directory = a
+            output_directory = a + '/'
 
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
-
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
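Review bot: `output_directory = a + '/'` appends the separator unconditionally, so a caller who already passes a path ending in '/' gets a doubled slash in everything concatenated onto it. That is harmless to the kernel but makes the resulting paths harder to compare or match in logs. Normalising once (`a.rstrip('/') + '/'`) or using os.path.join() at the point of use would avoid relying on the trailing-slash convention at all.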
@@ -861,7 +861,7 @@ if __name__ == "__main__":
         else:
             raise
 
-    if output is None or output == "-":
+    if output is None:
         fd = sys.stdout.fileno()
     else:
         fd = os.open(output, os.O_WRONLY)
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/pygrub: Open the output files earlier
Message-Id: <E1qqwQ8-0008DC-Nf@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:12 +0000

commit 0710d7d44586251bfca9758890616dc3d6de8a74
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    tools/pygrub: Open the output files earlier
    
    This patch allows pygrub to get ahold of every RW file descriptor it needs
    early on. A later patch will clamp the filesystem it can access so it can't
    obtain any others.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
 tools/pygrub/src/pygrub | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index d31ac01878..b0ef5da387 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -738,8 +738,7 @@ if __name__ == "__main__":
     def usage():
         print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
-    def copy_from_image(fs, file_to_read, file_type, output_directory,
-                        not_really):
+    def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
             if fs.file_exists(file_to_read):
                 return "<%s:%s>" % (file_type, file_to_read)
@@ -750,21 +749,18 @@ if __name__ == "__main__":
         except Exception as e:
             print(e, file=sys.stderr)
             sys.exit("Error opening %s in guest" % file_to_read)
-        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-                                      dir=output_directory)
         dataoff = 0
         while True:
             data = datafile.read(FS_READ_MAX, dataoff)
             if len(data) == 0:
-                os.close(tfd)
+                os.close(fd_dst)
                 del datafile
-                return ret
+                return
             try:
-                os.write(tfd, data)
+                os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.close(tfd)
-                os.unlink(ret)
+                os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
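Review bot: the os.write() failure path no longer closes the descriptor. `os.close(tfd)` was removed ahead of `os.unlink(path_dst)` without an `os.close(fd_dst)` taking its place, while the end-of-data path does close fd_dst. sys.exit() follows immediately so the leak is short-lived, but the asymmetry is easy to miss; either close it here too or leave both open and close to the caller. The function also now returns None on success yet still returns the "<type:path>" string under not_really, which gives it two unrelated return conventions.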
@@ -861,6 +857,14 @@ if __name__ == "__main__":
         else:
             raise
 
+    if not_really:
+        fd_kernel =  path_kernel = fd_ramdisk = path_ramdisk = None
+    else:
+        (fd_kernel, path_kernel) = tempfile.mkstemp(prefix="boot_kernel.",
+                                                    dir=output_directory)
+        (fd_ramdisk, path_ramdisk) = tempfile.mkstemp(prefix="boot_ramdisk.",
+                                                      dir=output_directory)
+
     if output is None:
         fd = sys.stdout.fileno()
     else:
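Review bot: both temporary files are created here unconditionally, before it is known whether the image has a ramdisk, so any exit between this point and the copy leaves boot_kernel.* and boot_ramdisk.* behind in output_directory. The last hunk unlinks path_ramdisk when there is no ramdisk and path_kernel when the ramdisk copy raises, but the sys.exit() paths inside copy_from_image() unlink only their own path_dst. A single cleanup (try/finally or atexit) keyed on these two paths would cover all of them. Minor: there is a doubled space in `fd_kernel =  path_kernel`.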
@@ -920,20 +924,23 @@ if __name__ == "__main__":
     if fs is None:
         raise RuntimeError("Unable to find partition containing kernel")
 
-    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-                                        output_directory, not_really)
+    copy_from_image(fs, chosencfg["kernel"], "kernel",
+                    fd_kernel, path_kernel, not_really)
+    bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
-            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-                                                 "ramdisk", output_directory,
-                                                 not_really)
+            copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
+                            fd_ramdisk, path_ramdisk, not_really)
         except:
             if not not_really:
-                os.unlink(bootcfg["kernel"])
+                os.unlink(path_kernel)
             raise
+        bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
+        if not not_really:
+            os.unlink(path_ramdisk)
 
     args = None
     if chosencfg["args"]:
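Review bot: with --not-really, bootcfg["kernel"] and bootcfg["ramdisk"] are now set to None, because path_kernel and path_ramdisk are None in that mode and the "<kernel:...>" / "<ramdisk:...>" string that copy_from_image() still returns is discarded. Before this change that return value was what got stored in bootcfg, so the dry-run output loses its placeholder. Either keep using the return value when not_really is set, or assign the placeholder to the path variables in that mode.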
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:23 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/libfsimage: Export a new function to preload all plugins
Message-Id: <E1qqwQI-0008Db-Qd@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:22 +0000

commit 990e65c3ad9ac08642ce62a92852c80be6c83e96
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:24 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    tools/libfsimage: Export a new function to preload all plugins
    
    This is work required in order to let pygrub operate in highly deprivileged
    chroot mode. This patch adds a function that preloads every plugin, hence
    ensuring that on function exit, every shared library is loaded in memory.
    
    The new "init" function is supposed to be used before depriv, but that's
    fine because it's not acting on untrusted data.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
 tools/libfsimage/common/fsimage_plugin.c |  4 ++--
 tools/libfsimage/common/mapfile-GNU      |  1 +
 tools/libfsimage/common/mapfile-SunOS    |  1 +
 tools/libfsimage/common/xenfsimage.h     |  8 ++++++++
 tools/pygrub/src/fsimage/fsimage.c       | 15 +++++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
index de1412b423..d0cb9e96a6 100644
--- a/tools/libfsimage/common/fsimage_plugin.c
+++ b/tools/libfsimage/common/fsimage_plugin.c
@@ -119,7 +119,7 @@ fail:
 	return (-1);
 }
 
-static int load_plugins(void)
+int fsi_init(void)
 {
 	const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
 	struct dirent *dp = NULL;
@@ -180,7 +180,7 @@ int find_plugin(fsi_t *fsi, const char *path, const char *options)
 	fsi_plugin_t *fp;
 	int ret = 0;
 
-	if (plugins == NULL && (ret = load_plugins()) != 0)
+	if (plugins == NULL && (ret = fsi_init()) != 0)
 		goto out;
 
 	for (fp = plugins; fp != NULL; fp = fp->fp_next) {
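Review bot: fsi_init() is now an exported entry point, but the only protection against loading the plugins twice is the `plugins == NULL` test in find_plugin(), which a direct caller bypasses. A second call to fsi_init() would run the whole load again. Moving the guard into fsi_init() itself (return 0 early when plugins is already non-NULL) makes the function idempotent and lets find_plugin() call it unconditionally.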
diff --git a/tools/libfsimage/common/mapfile-GNU b/tools/libfsimage/common/mapfile-GNU
index 26d4d7a69e..2d54d527d7 100644
--- a/tools/libfsimage/common/mapfile-GNU
+++ b/tools/libfsimage/common/mapfile-GNU
@@ -1,6 +1,7 @@
 VERSION {
 	libfsimage.so.1.0 {
 		global:
+			fsi_init;
 			fsi_open_fsimage;
 			fsi_close_fsimage;
 			fsi_file_exists;
diff --git a/tools/libfsimage/common/mapfile-SunOS b/tools/libfsimage/common/mapfile-SunOS
index e99b90b650..48deedb425 100644
--- a/tools/libfsimage/common/mapfile-SunOS
+++ b/tools/libfsimage/common/mapfile-SunOS
@@ -1,5 +1,6 @@
 libfsimage.so.1.0 {
 	global:
+		fsi_init;
 		fsi_open_fsimage;
 		fsi_close_fsimage;
 		fsi_file_exists;
diff --git a/tools/libfsimage/common/xenfsimage.h b/tools/libfsimage/common/xenfsimage.h
index 201abd54f2..341883b2d7 100644
--- a/tools/libfsimage/common/xenfsimage.h
+++ b/tools/libfsimage/common/xenfsimage.h
@@ -35,6 +35,14 @@ extern C {
 typedef struct fsi fsi_t;
 typedef struct fsi_file fsi_file_t;
 
+/*
+ * Optional initialization function. If invoked it loads the associated
+ * dynamic libraries for the backends ahead of time. This is required if
+ * the library is to run as part of a highly deprivileged executable, as
+ * the libraries may not be reachable after depriv.
+ */
+int fsi_init(void);
+
 fsi_t *fsi_open_fsimage(const char *, uint64_t, const char *);
 void fsi_close_fsimage(fsi_t *);
 
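Review bot: the new comment on fsi_init() explains when to call it but not what it returns. find_plugin() in this same patch treats a non-zero result as failure, so the header should state the return convention and also whether calling the function more than once is permitted, since external callers only have this declaration to go on.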
diff --git a/tools/pygrub/src/fsimage/fsimage.c b/tools/pygrub/src/fsimage/fsimage.c
index fdcfa1a3c0..12dfcff6e3 100644
--- a/tools/pygrub/src/fsimage/fsimage.c
+++ b/tools/pygrub/src/fsimage/fsimage.c
@@ -286,6 +286,15 @@ fsimage_getbootstring(PyObject *o, PyObject *args)
 	return Py_BuildValue("s", bootstring);
 }
 
+static PyObject *
+fsimage_init(PyObject *o, PyObject *args)
+{
+	if (!PyArg_ParseTuple(args, ""))
+		return (NULL);
+
+	return Py_BuildValue("i", fsi_init());
+}
+
 PyDoc_STRVAR(fsimage_open__doc__,
     "open(name, [offset=off]) - Open the given file as a filesystem image.\n"
     "\n"
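Review bot: fsimage_init() hands the raw int from fsi_init() back to Python through Py_BuildValue("i", ...), so a failed preload surfaces as a return value the caller is free to ignore rather than as an exception. The whole point of init() is that plugins may be unreachable after depriv, so a silent failure here becomes a harder-to-diagnose failure later. Raising on non-zero (PyErr_SetString with a suitable exception type and returning NULL) would be the safer binding.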
@@ -297,7 +306,13 @@ PyDoc_STRVAR(fsimage_getbootstring__doc__,
     "getbootstring(fs) - Return the boot string needed for this file system "
     "or NULL if none is needed.\n");
 
+PyDoc_STRVAR(fsimage_init__doc__,
+    "init() - Loads every dynamic library contained in xenfsimage "
+    "into memory so that it can be used in chrooted environments.\n");
+
 static struct PyMethodDef fsimage_module_methods[] = {
+	{ "init", (PyCFunction)fsimage_init,
+	    METH_VARARGS, fsimage_init__doc__ },
 	{ "open", (PyCFunction)fsimage_open,
 	    METH_VARARGS|METH_KEYWORDS, fsimage_open__doc__ },
 	{ "getbootstring", (PyCFunction)fsimage_getbootstring,
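Review bot: style point on the new method-table entry: init takes no arguments, so METH_NOARGS would express that directly and make the `PyArg_ParseTuple(args, "")` check in fsimage_init() unnecessary.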
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/pygrub: Deprivilege pygrub
Message-Id: <E1qqwQS-0008EA-TX@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:32 +0000

commit e0342ae5556f2b6e2db50701b8a0679a45822ca6
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:25 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    tools/pygrub: Deprivilege pygrub
    
    Introduce a --runas=<uid> flag to deprivilege pygrub on Linux and *BSDs. It
    also implicitly creates a chroot env where it drops a deprivileged forked
    process. The chroot itself is cleaned up at the end.
    
    If the --runas arg is present, then pygrub forks, leaving the child to
    deprivilege itself, and waiting for it to complete. When the child exits,
    the parent performs cleanup and exits with the same error code.
    
    This is roughly what the child does:
      1. Initialize libfsimage (this loads every .so in memory so the chroot
         can avoid bind-mounting /{,usr}/lib*)
      2. Create a temporary empty chroot directory
      3. Mount tmpfs in it
      4. Bind mount the disk inside, because libfsimage expects a path, not a
         file descriptor.
      5. Remount the root tmpfs to be stricter (ro,nosuid,nodev)
      6. Set RLIMIT_FSIZE to a sensibly high amount (128 MiB)
      7. Depriv gid, groups and uid
    
    With this scheme in place, the "output" files are writable (up to
    RLIMIT_FSIZE octets) and the exposed filesystem is immutable and contains
    the single only file we can't easily get rid of (the disk).
    
    If running on Linux, the child process also unshares mount, IPC, and
    network namespaces before dropping its privileges.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
 tools/pygrub/setup.py   |   2 +-
 tools/pygrub/src/pygrub | 162 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 154 insertions(+), 10 deletions(-)

diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
index c9cac47eee..be5d3ffd04 100644
--- a/tools/pygrub/setup.py
+++ b/tools/pygrub/setup.py
@@ -20,7 +20,7 @@ xenfsimage = Extension("xenfsimage",
 pkgs = [ 'grub' ]
 
 setup(name='pygrub',
-      version='0.6',
+      version='0.7',
       description='Boot loader that looks a lot like grub for Xen',
       author='Jeremy Katz',
       author_email='katzj@redhat.com',
diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index b0ef5da387..dcdfc04ff0 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -16,8 +16,11 @@ from __future__ import print_function
 
 import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
+import ctypes, ctypes.util
 import logging
 import platform
+import resource
+import subprocess
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -27,10 +30,135 @@ import grub.GrubConf
 import grub.LiloConf
 import grub.ExtLinuxConf
 
-PYGRUB_VER = 0.6
+PYGRUB_VER = 0.7
 FS_READ_MAX = 1024 * 1024
 SECTOR_SIZE = 512
 
+# Unless provided through the env variable PYGRUB_MAX_FILE_SIZE_MB, then
+# this is the maximum filesize allowed for files written by the depriv
+# pygrub
+LIMIT_FSIZE = 128 << 20
+
+CLONE_NEWNS = 0x00020000 # mount namespace
+CLONE_NEWNET = 0x40000000 # network namespace
+CLONE_NEWIPC = 0x08000000 # IPC namespace
+
+def unshare(flags):
+    if not sys.platform.startswith("linux"):
+        print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)
+        return
+
+    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
+    unshare_prototype = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, use_errno=True)
+    unshare = unshare_prototype(('unshare', libc))
+
+    if unshare(flags) < 0:
+        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
+
+def bind_mount(src, dst, options):
+    open(dst, "a").close() # touch
+
+    rc = subprocess.call(["mount", "--bind", "-o", options, src, dst])
+    if rc != 0:
+        raise RuntimeError("bad_mount: src=%s dst=%s opts=%s" %
+                           (src, dst, options))
+
+def downgrade_rlimits():
+    # Wipe the authority to use unrequired resources
+    resource.setrlimit(resource.RLIMIT_NPROC,    (0, 0))
+    resource.setrlimit(resource.RLIMIT_CORE,     (0, 0))
+    resource.setrlimit(resource.RLIMIT_MEMLOCK,  (0, 0))
+
+    # py2's resource module doesn't know about resource.RLIMIT_MSGQUEUE
+    #
+    # TODO: Use resource.RLIMIT_MSGQUEUE after python2 is deprecated
+    if sys.platform.startswith('linux'):
+        RLIMIT_MSGQUEUE = 12
+        resource.setrlimit(RLIMIT_MSGQUEUE, (0, 0))
+
+    # The final look of the filesystem for this process is fully RO, but
+    # note we have some file descriptor already open (notably, kernel and
+    # ramdisk). In order to avoid a compromised pygrub from filling up the
+    # filesystem we set RLIMIT_FSIZE to a high bound, so that the file
+    # write permissions are bound.
+    fsize = LIMIT_FSIZE
+    if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys():
+        fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20
+
+    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
+
+def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
+    # The only point of this call is to force the loading of libfsimage.
+    # That way, we don't need to bind-mount it into the chroot
+    rc = xenfsimage.init()
+    if rc != 0:
+        os.unlink(path_ramdisk)
+        os.unlink(path_kernel)
+        raise RuntimeError("bad_xenfsimage: rc=%d" % rc)
+
+    # Create a temporary directory for the chroot
+    chroot = tempfile.mkdtemp(prefix=str(uid)+'-', dir=output_directory) + '/'
+    device_path = '/device'
+
+    pid = os.fork()
+    if pid:
+        # parent
+        _, rc = os.waitpid(pid, 0)
+
+        for path in [path_kernel, path_ramdisk]:
+            # If the child didn't write anything, just get rid of it,
+            # otherwise we end up consuming a 0-size file when parsing
+            # systems without a ramdisk that the ultimate caller of pygrub
+            # may just be unaware of
+            if rc != 0 or os.path.getsize(path) == 0:
+                os.unlink(path)
+
+        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
+        # However, this syscall doesn't exist in *BSD systems and doesn't
+        # auto-unmount everything on older Linux kernels (At least as of
+        # Linux 4.19, but it seems fixed in 5.15). Either way,
+        # recursively unmount everything if needed. Quietly.
+        with open('/dev/null', 'w') as devnull:
+            subprocess.call(["umount", "-f", chroot + device_path],
+                            stdout=devnull, stderr=devnull)
+            subprocess.call(["umount", "-f", chroot],
+                            stdout=devnull, stderr=devnull)
+        os.rmdir(chroot)
+
+        sys.exit(rc)
+
+    # By unsharing the namespace we're making sure it's all bulk-released
+    # at the end, when the namespaces disappear. This means the kernel does
+    # (almost) all the cleanup for us and the parent just has to remove the
+    # temporary directory.
+    unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET)
+
+    # Set sensible limits using the setrlimit interface
+    downgrade_rlimits()
+
+    # We'll mount tmpfs on the chroot to ensure the deprivileged child
+    # cannot affect the persistent state. It's RW now in order to
+    # bind-mount the device, but note it's remounted RO after that.
+    rc = subprocess.call(["mount", "-t", "tmpfs", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("mount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Bind the untrusted device RO
+    bind_mount(device, chroot + device_path, "ro,nosuid,noexec")
+
+    rc = subprocess.call(["mount", "-t", "tmpfs", "-o", "remount,ro,nosuid,noexec,nodev", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("remount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Drop superpowers!
+    os.chroot(chroot)
+    os.chdir('/')
+    os.setgid(uid)
+    os.setgroups([uid])
+    os.setuid(uid)
+
+    return device_path
+
 def read_size_roundup(fd, size):
     if platform.system() != 'FreeBSD':
         return size
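Review bot: In depriv(), the parent takes `_, rc = os.waitpid(pid, 0)` and passes rc straight to `sys.exit(rc)`, but that value is the raw wait status rather than the child's exit code, so a child exit code of 1 arrives as 256 and is truncated to 0 by the time the caller sees it. Decode it with os.WIFEXITED()/os.WEXITSTATUS() and map death by signal to a non-zero code, otherwise the parent does not exit "with the same error code" as the commit message says. Two smaller points in the same hunk: `os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20` shifts a str and raises TypeError whenever the variable is set, so it needs an int() conversion with error handling, and the print() in unshare() passes sys.platform as a second argument instead of applying `%`, so the literal `%s` is printed.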
@@ -736,7 +864,7 @@ if __name__ == "__main__":
     sel = None
 
     def usage():
-        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--runas=] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
     def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
@@ -760,7 +888,8 @@ if __name__ == "__main__":
                 os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.unlink(path_dst)
+                if path_dst:
+                    os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
@@ -769,7 +898,7 @@ if __name__ == "__main__":
         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qilnh::',
                                    ["quiet", "interactive", "list-entries", "not-really", "help",
                                     "output=", "output-format=", "output-directory=", "offset=",
-                                    "entry=", "kernel=",
+                                    "runas=", "entry=", "kernel=",
                                     "ramdisk=", "args=", "isconfig", "debug"])
     except getopt.GetoptError:
         usage()
@@ -790,6 +919,7 @@ if __name__ == "__main__":
     not_really = False
     output_format = "sxp"
     output_directory = "/var/run/xen/pygrub/"
+    uid = None
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -813,6 +943,13 @@ if __name__ == "__main__":
         elif o in ("--output",):
             if a != "-":
                 output = a
+        elif o in ("--runas",):
+            try:
+                uid = int(a)
+            except ValueError:
+                print("runas value must be an integer user id")
+                usage()
+                sys.exit(1)
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
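Review bot: The `--runas` error message is printed with a bare print(), so it goes to stdout while usage() and the other diagnostic added by this patch go to stderr; add `file=sys.stderr`. int(a) also accepts negative numbers, which would be better rejected here with the same message than left to surface later inside depriv().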
@@ -849,6 +986,10 @@ if __name__ == "__main__":
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
+    if interactive and uid:
+        print("In order to use --runas, you must also set --entry or -q", file=sys.stderr)
+        sys.exit(1)
+
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
@@ -870,6 +1011,9 @@ if __name__ == "__main__":
     else:
         fd = os.open(output, os.O_WRONLY)
 
+    if uid:
+        file = depriv(output_directory, output, file, uid, path_kernel, path_ramdisk)
+
     # debug
     if isconfig:
         chosencfg = run_grub(file, entry, fs, incfg["args"])
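Review bot: `if uid:` treats `--runas=0` the same as no `--runas` at all, so pygrub would run without any deprivileging and without reporting it; the same truthiness test is used in the `interactive and uid` check and at the copy_from_image() call sites. Keep `uid = None` as the default, test `uid is not None` in all of those places, and reject 0 explicitly when the option is parsed.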
@@ -925,21 +1069,21 @@ if __name__ == "__main__":
         raise RuntimeError("Unable to find partition containing kernel")
 
     copy_from_image(fs, chosencfg["kernel"], "kernel",
-                    fd_kernel, path_kernel, not_really)
+                    fd_kernel, None if uid else path_kernel, not_really)
     bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
             copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
-                            fd_ramdisk, path_ramdisk, not_really)
+                            fd_ramdisk, None if uid else path_ramdisk, not_really)
         except:
-            if not not_really:
-                os.unlink(path_kernel)
+            if not uid and not not_really:
+                    os.unlink(path_kernel)
             raise
         bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
-        if not not_really:
+        if not uid and not not_really:
             os.unlink(path_ramdisk)
 
     args = None
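Review bot: In the ramdisk `except:` branch the `os.unlink(path_kernel)` line is now indented eight spaces under `if not uid and not not_really:` while the surrounding code uses four; it still parses, but please restore the four-space indent. A comment at one of the `None if uid else path_...` call sites would also help, saying that in depriv mode the parent process in depriv() owns cleanup of the output files, which is why the child must not unlink them.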
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:44 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 14:12:44 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615826.957297 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqwQe-0004w8-0h; Thu, 12 Oct 2023 14:12:44 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615826.957297; Thu, 12 Oct 2023 14:12:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qqwQd-0004vy-UA; Thu, 12 Oct 2023 14:12:43 +0000
Received: by outflank-mailman (input) for mailman id 615826;
 Thu, 12 Oct 2023 14:12:43 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqwQd-0004vn-2s
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 14:12:43 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqwQd-0008B5-1y
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 14:12:43 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qqwQd-0008F2-1F
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 14:12:43 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=noS+bLrrZOyaJb5Y3B+RaH7CMWky5BIMaOwthA1mb24=; b=yed/HjbxoYcqmSiQWZDZ+WGXeW
	P6LgbqLulSjciqtIj6QwEpbey3EH24A7X98+1kDJ1cdxzrhzwOS241l+CIn5inpT6uzFm3ILNsIJh
	yt1YKMjQUecr03HStGLjv7ul1foFZTI9N20mJBwwUaLg8UfSuyVZSqyyENlIpYTSgA6o=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libxl: add support for running bootloader in restricted mode
Message-Id: <E1qqwQd-0008F2-1F@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:43 +0000

commit 1f762642d2cad1a40634e3280361928109d902f1
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Mon Sep 25 14:30:20 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    libxl: add support for running bootloader in restricted mode
    
    Much like the device model depriv mode, add the same kind of support for the
    bootloader.  Such feature allows passing a UID as a parameter for the
    bootloader to run as, together with the bootloader itself taking the necessary
    actions to isolate.
    
    Note that the user to run the bootloader as must have the right permissions to
    access the guest disk image (in read mode only), and that the bootloader will
    be run in non-interactive mode when restricted.
    
    If enabled, bootloader restrict mode will attempt to re-use the user(s) from the
    QEMU depriv implementation if no user is provided on the configuration file or
    the environment.  See docs/features/qemu-deprivilege.pandoc for more
    information about how to set up those users.
    
    Bootloader restrict mode is not enabled by default as it requires certain
    setup to be done first (setup of the user(s) to use in restrict mode).
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
---
 docs/man/xl.1.pod.in                | 24 ++++++++++
 docs/man/xl.cfg.5.pod.in            | 43 ++++++++++++++++++
 docs/man/xl.conf.5.pod.in           |  6 +++
 tools/include/libxl.h               |  8 ++++
 tools/libs/light/libxl_bootloader.c | 88 +++++++++++++++++++++++++++++++++++--
 tools/libs/light/libxl_create.c     | 11 +++++
 tools/libs/light/libxl_dm.c         |  8 ++--
 tools/libs/light/libxl_internal.h   |  8 ++++
 tools/libs/light/libxl_types.idl    |  2 +
 tools/xl/xl.c                       |  4 ++
 tools/xl/xl.h                       |  1 +
 tools/xl/xl_parse.c                 |  7 +++
 12 files changed, 203 insertions(+), 7 deletions(-)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 9ba22a8fa2..73e2b3b611 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1963,6 +1963,30 @@ ignored:
 
 =back
 
+=head1 ENVIRONMENT VARIABLES
+
+The following environment variables shall affect the execution of xl:
+
+=over 4
+
+=item LIBXL_BOOTLOADER_RESTRICT
+
+Equivalent to L<xl.cfg(5)> B<bootloader_restrict> option.  Provided for
+compatibility reasons.  Having this variable set is equivalent to enabling
+the option, even if the value is 0.
+
+If set takes precedence over L<xl.cfg(5)> and L<xl.conf(5)>
+B<bootloader_restrict> options.
+
+=item LIBXL_BOOTLOADER_USER
+
+Equivalent to L<xl.cfg(5)> B<bootloader_user> option.  Provided for
+compatibility reasons.
+
+If set takes precedence over L<xl.cfg(5)> B<bootloader_user> option.
+
+=back
+
 =head1 SEE ALSO
 
 The following man pages:
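Review bot: The LIBXL_BOOTLOADER_USER entry does not say that setting it also turns restricted mode on, which is what the libxl_create.c hunk in this patch implements (`getenv("LIBXL_BOOTLOADER_RESTRICT") || getenv("LIBXL_BOOTLOADER_USER")`); please state that here. The LIBXL_BOOTLOADER_RESTRICT entry could also say outright that the variable can only enable the option and cannot be used to disable it.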
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index ec4864958e..2e234b450e 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -1694,6 +1694,28 @@ Append B<ARG>s to the arguments to the B<bootloader>
 program. Alternatively if the argument is a simple string then it will
 be split into words at whitespace B<(this second option is deprecated)>.
 
+=item B<bootloader_restrict=BOOLEAN>
+
+Attempt to restrict the bootloader after startup, to limit the
+consequences of security vulnerabilities due to parsing guest
+owned image files.
+
+See docs/features/qemu-deprivilege.pandoc for more information
+on how to setup the unprivileged users.
+
+Note that running the bootloader in restricted mode also implies using
+non-interactive mode, and the disk image must be readable by the
+restricted user.
+
+=item B<bootloader_user=USERNAME>
+
+When using bootloader_restrict, run the bootloader as this user.  If not
+set the default QEMU restrict users will be used.
+
+NOTE: Each domain MUST have a SEPARATE username.
+
+See docs/features/qemu-deprivilege.pandoc for more information.
+
 =item B<e820_host=BOOLEAN>
 
 Selects whether to expose the host e820 (memory map) to the guest via
@@ -2736,6 +2758,27 @@ Append B<ARG>s to the arguments to the B<bootloader>
 program. Alternatively if the argument is a simple string then it will
 be split into words at whitespace B<(this second option is deprecated)>.
 
+=item B<bootloader_restrict=BOOLEAN>
+
+Attempt to restrict the bootloader after startup, to limit the
+consequences of security vulnerabilities due to parsing guest
+owned image files.
+
+See docs/features/qemu-deprivilege.pandoc for more information
+on how to setup the unprivileged users.
+
+Note that running the bootloader in restricted mode also implies using
+non-interactive mode, and the disk image must be readable by the
+restricted user.
+
+=item B<bootloader_user=USERNAME>
+
+When using bootloader_restrict, run the bootloader as this user.
+
+NOTE: Each domain MUST have a SEPARATE username.
+
+See docs/features/qemu-deprivilege.pandoc for more information.
+
 =item B<timer_mode="MODE">
 
 Specifies the mode for Virtual Timers. The valid values are as follows:
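Review bot: This second copy of the B<bootloader_user> entry drops the sentence "If not set the default QEMU restrict users will be used." that the first copy carries, although the fallback in bootloader_uid() applies whenever no user is given; keep the two entries identical. Neither copy mentions that setting bootloader_user on its own enables bootloader_restrict, which is what the setdefault call added to libxl_create.c does.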
diff --git a/docs/man/xl.conf.5.pod.in b/docs/man/xl.conf.5.pod.in
index df20c08137..44738b80bf 100644
--- a/docs/man/xl.conf.5.pod.in
+++ b/docs/man/xl.conf.5.pod.in
@@ -220,6 +220,12 @@ Due to bug(s), these options may not interact well with other options
 concerning CPU affinity. One example is CPU pools. Users should always double
 check that the required affinity has taken effect.
 
+=item B<bootloader_restrict=BOOLEAN>
+
+System wide default for whether the bootloader should be run in a restricted
+environment.  See L<xl.cfg(5)> B<bootloader_restrict> for more information on
+how to setup and use the option.
+
 =back
 
 =head1 SEE ALSO
diff --git a/tools/include/libxl.h b/tools/include/libxl.h
index abc5fd52da..907aa0a330 100644
--- a/tools/include/libxl.h
+++ b/tools/include/libxl.h
@@ -600,6 +600,14 @@
  * first ABI incompatible change in a development branch.
  */
 
+#define LIBXL_HAVE_BOOTLOADER_RESTRICT 1
+/*
+ * LIBXL_HAVE_BOOTLOADER_RESTRICT indicates the presence of the
+ * bootloader_restrict and bootloader_user fields in libxl_domain_build_info.
+ * Such fields signal the need to pass a --runas parameter to the bootloader
+ * executable in order to not run it as the same user as libxl.
+ */
+
 /*
  * libxl memory management
  *
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 108329b4a5..d732367fc0 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -14,6 +14,7 @@
 
 #include "libxl_osdeps.h" /* must come before any other headers */
 
+#include <pwd.h>
 #include <termios.h>
 #ifdef HAVE_UTMP_H
 #include <utmp.h>
@@ -42,8 +43,71 @@ static void bootloader_arg(libxl__bootloader_state *bl, const char *arg)
     bl->args[bl->nargs++] = arg;
 }
 
-static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
-                                 const char *bootloader_path)
+static int bootloader_uid(libxl__gc *gc, domid_t guest_domid,
+                          const char *user, uid_t *intended_uid)
+{
+    struct passwd *user_base, user_pwbuf;
+    int rc;
+
+    if (user) {
+        rc = userlookup_helper_getpwnam(gc, user, &user_pwbuf, &user_base);
+        if (rc) return rc;
+
+        if (!user_base) {
+            LOGD(ERROR, guest_domid, "Couldn't find user %s", user);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = user_base->pw_uid;
+        return 0;
+    }
+
+    /* Re-use QEMU user range for the bootloader. */
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
+                                    &user_pwbuf, &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        struct passwd *user_clash, user_clash_pwbuf;
+        uid_t temp_uid = user_base->pw_uid + guest_domid;
+
+        rc = userlookup_helper_getpwuid(gc, temp_uid, &user_clash_pwbuf,
+                                        &user_clash);
+        if (rc) return rc;
+
+        if (user_clash) {
+            LOGD(ERROR, guest_domid,
+                 "wanted to use uid %ld (%s + %d) but that is user %s !",
+                 (long)temp_uid, LIBXL_QEMU_USER_RANGE_BASE,
+                 guest_domid, user_clash->pw_name);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = temp_uid;
+        return 0;
+    }
+
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_SHARED, &user_pwbuf,
+                                    &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
+             LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
+        *intended_uid = user_base->pw_uid;
+
+        return 0;
+    }
+
+    LOGD(ERROR, guest_domid,
+    "Could not find user %s or range base pseudo-user %s, cannot restrict",
+         LIBXL_QEMU_USER_SHARED, LIBXL_QEMU_USER_RANGE_BASE);
+
+    return ERROR_INVAL;
+}
+
+static int make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+                                const char *bootloader_path)
 {
     const libxl_domain_build_info *info = bl->info;
 
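Review bot: When only LIBXL_QEMU_USER_SHARED exists, bootloader_uid() returns that one uid for every domain with nothing more than a WARN, while the xl.cfg text added by this patch says each domain MUST have a separate username; either treat the shared fallback as an error for the bootloader or document in the man page that separation between different guests' bootloaders is weaker in that configuration. Style: the format string of the final LOGD(ERROR, ...) call is indented to statement level rather than aligned with the other arguments.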
@@ -61,6 +125,22 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
         ARG(GCSPRINTF("--ramdisk=%s", info->ramdisk));
     if (info->cmdline && *info->cmdline != '\0')
         ARG(GCSPRINTF("--args=%s", info->cmdline));
+    if (libxl_defbool_val(info->bootloader_restrict)) {
+        uid_t uid = -1;
+        int rc = bootloader_uid(gc, bl->domid, info->bootloader_user,
+                                &uid);
+
+        if (rc) return rc;
+
+        assert(uid != -1);
+        if (!uid) {
+            LOGD(ERROR, bl->domid, "bootloader restrict UID is 0 (root)!");
+            return ERROR_INVAL;
+        }
+        LOGD(DEBUG, bl->domid, "using uid %ld", (long)uid);
+        ARG(GCSPRINTF("--runas=%ld", (long)uid));
+        ARG("--quiet");
+    }
 
     ARG(GCSPRINTF("--output=%s", bl->outputpath));
     ARG("--output-format=simple0");
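Review bot: `uid_t uid = -1;` followed by `assert(uid != -1);` relies on the implicit conversion of -1 to uid_t on both sides; write the sentinel as `(uid_t)-1` in both places so the comparison is explicit and does not depend on sign-compare behaviour. A short comment that `--quiet` is forced because pygrub refuses `--runas` in interactive mode would also help the reader.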
@@ -79,6 +159,7 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
     /* Sentinel for execv */
     ARG(NULL);
 
+    return 0;
 #undef ARG
 }
 
@@ -443,7 +524,8 @@ static void bootloader_disk_attached_cb(libxl__egc *egc,
             bootloader = bltmp;
     }
 
-    make_bootloader_args(gc, bl, bootloader);
+    rc = make_bootloader_args(gc, bl, bootloader);
+    if (rc) goto out;
 
     bl->openpty.ao = ao;
     bl->openpty.callback = bootloader_gotptys;
diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
index c91059d713..ce1d431103 100644
--- a/tools/libs/light/libxl_create.c
+++ b/tools/libs/light/libxl_create.c
@@ -482,6 +482,17 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc,
         return -ERROR_INVAL;
     }
 
+    /* Assume that providing a bootloader user implies enabling restrict. */
+    libxl_defbool_setdefault(&b_info->bootloader_restrict,
+                             !!b_info->bootloader_user);
+    /* ENV takes precedence over provided domain_build_info. */
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER"))
+        libxl_defbool_set(&b_info->bootloader_restrict, true);
+    if(getenv("LIBXL_BOOTLOADER_USER"))
+        b_info->bootloader_user =
+            libxl__strdup(gc, getenv("LIBXL_BOOTLOADER_USER"));
+
     return 0;
 }
 
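Review bot: Because the environment check uses libxl_defbool_set(..., true), LIBXL_BOOTLOADER_RESTRICT can only force restricted mode on, and any value including 0 enables it; that matches the man page text, but it deserves a comment here so the bare getenv() test is not later changed into a value parse by accident. Style: `if(getenv(` needs a space after `if`, and getenv("LIBXL_BOOTLOADER_USER") is called three times where one local variable would do.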
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index fc264a3a13..14b593110f 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -80,10 +80,10 @@ static int libxl__create_qemu_logfile(libxl__gc *gc, char *name)
  *  On error, return a libxl-style error code.
  */
 #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF)     \
-    static int userlookup_helper_##NAME(libxl__gc *gc,                  \
-                                        SPEC_TYPE spec,                 \
-                                        struct STRUCTNAME *resultbuf,   \
-                                        struct STRUCTNAME **out)        \
+    int userlookup_helper_##NAME(libxl__gc *gc,                         \
+                                 SPEC_TYPE spec,                        \
+                                 struct STRUCTNAME *resultbuf,          \
+                                 struct STRUCTNAME **out)               \
     {                                                                   \
         struct STRUCTNAME *resultp = NULL;                              \
         char *buf = NULL;                                               \
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index b1a7cd9f61..1219ff8dbd 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -4874,6 +4874,14 @@ struct libxl__cpu_policy {
     struct xc_msr *msr;
 };
 
+struct passwd;
+_hidden int userlookup_helper_getpwnam(libxl__gc*, const char *user,
+                                       struct passwd *res,
+                                       struct passwd **out);
+_hidden int userlookup_helper_getpwuid(libxl__gc*, uid_t uid,
+                                       struct passwd *res,
+                                       struct passwd **out);
+
 #endif
 
 /*
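Review bot: userlookup_helper_getpwnam() and userlookup_helper_getpwuid() are now non-static and declared here without the `libxl__` prefix that the other internal symbols used in this patch carry (libxl__strdup, libxl__domain_build_info_setdefault); add the prefix in the DEFINE_USERLOOKUP_HELPER macro and at the call sites so the internal namespace stays consistent. The declarations also lack a comment describing the return convention, which currently lives only next to the macro in libxl_dm.c.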
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index 3bd66291af..7d8bd5d216 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -624,6 +624,8 @@ libxl_domain_build_info = Struct("domain_build_info",[
     ("acpi",             libxl_defbool),
     ("bootloader",       string),
     ("bootloader_args",  libxl_string_list),
+    ("bootloader_restrict", libxl_defbool),
+    ("bootloader_user",  string),
     ("timer_mode",       libxl_timer_mode),
     ("nested_hvm",       libxl_defbool),
     ("apic",             libxl_defbool),
diff --git a/tools/xl/xl.c b/tools/xl/xl.c
index 2d1ec18ea3..ec72ca60c3 100644
--- a/tools/xl/xl.c
+++ b/tools/xl/xl.c
@@ -57,6 +57,7 @@ int max_grant_frames = -1;
 int max_maptrack_frames = -1;
 int max_grant_version = LIBXL_MAX_GRANT_DEFAULT;
 libxl_domid domid_policy = INVALID_DOMID;
+libxl_defbool bootloader_restrict;
 
 xentoollog_level minmsglevel = minmsglevel_default;
 
@@ -253,6 +254,9 @@ static void parse_global_config(const char *configfile,
             fprintf(stderr, "invalid domid_policy option");
     }
 
+    xlu_cfg_get_defbool(config, "bootloader_restrict",
+                        &bootloader_restrict, 0);
+
     xlu_cfg_destroy(config);
 }
 
diff --git a/tools/xl/xl.h b/tools/xl/xl.h
index 3045b5a8e3..9c86bb1d98 100644
--- a/tools/xl/xl.h
+++ b/tools/xl/xl.h
@@ -288,6 +288,7 @@ extern libxl_bitmap global_vm_affinity_mask;
 extern libxl_bitmap global_hvm_affinity_mask;
 extern libxl_bitmap global_pv_affinity_mask;
 extern libxl_domid domid_policy;
+extern libxl_defbool bootloader_restrict;
 
 enum output_format {
     OUTPUT_FORMAT_JSON,
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index 0e8c604bbf..ed983200c3 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -1700,6 +1700,13 @@ void parse_config_data(const char *config_source,
         exit(-ERROR_FAIL);
     }
 #endif
+    xlu_cfg_get_defbool(config, "bootloader_restrict",
+                        &b_info->bootloader_restrict, 0);
+    if (!libxl_defbool_is_default(bootloader_restrict))
+        libxl_defbool_setdefault(&b_info->bootloader_restrict,
+                                 libxl_defbool_val(bootloader_restrict));
+    xlu_cfg_replace_string(config, "bootloader_user",
+                           &b_info->bootloader_user, 0);
 
     switch (xlu_cfg_get_list_as_string_list(config, "bootloader_args",
                                             &b_info->bootloader_args, 1)) {
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:12:54 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] libxl: limit bootloader execution in restricted mode
Message-Id: <E1qqwQn-0008FX-4N@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:12:53 +0000

commit 9c114178ffd700112e91f5ec66cf5151b9c9a8cc
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Thu Sep 28 12:22:35 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    libxl: limit bootloader execution in restricted mode
    
    Introduce a timeout for bootloader execution when running in restricted mode.
    
    Allow overwriting the default time out with an environment provided value.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
---
 docs/man/xl.1.pod.in                |  8 ++++++++
 tools/libs/light/libxl_bootloader.c | 40 +++++++++++++++++++++++++++++++++++++
 tools/libs/light/libxl_internal.h   |  2 ++
 3 files changed, 50 insertions(+)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 73e2b3b611..bed8393473 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1985,6 +1985,14 @@ compatibility reasons.
 
 If set takes precedence over L<xl.cfg(5)> B<bootloader_user> option.
 
+=item LIBXL_BOOTLOADER_TIMEOUT
+
+Timeout in seconds for bootloader execution when running in restricted mode.
+Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used.
+
+If defined the value must be an unsigned integer between 0 and INT_MAX,
+otherwise behavior is undefined.  Setting to 0 disables the timeout.
+
 =back
 
 =head1 SEE ALSO
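Review bot: the sentence "Otherwise the build time default in
LIBXL_BOOTLOADER_TIMEOUT will be used" in the new =item has no antecedent for
"Otherwise", and it names the build-time macro with the same identifier as the
environment variable, so it reads as self-referential. Suggest "If unset, the
build-time default is used" and stating that default. Also, "otherwise
behavior is undefined" is a weak contract for a limit that exists as a
security control; documenting that invalid values are rejected, and making the
code do so, would be safer than leaving it undefined.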
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index d732367fc0..279a9cdf91 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -30,6 +30,8 @@ static void bootloader_keystrokes_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
 static void bootloader_display_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc);
 static void bootloader_domaindeath(libxl__egc*, libxl__domaindeathcheck *dc,
                                    int rc);
 static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
@@ -296,6 +298,7 @@ void libxl__bootloader_init(libxl__bootloader_state *bl)
     bl->ptys[0].master = bl->ptys[0].slave = 0;
     bl->ptys[1].master = bl->ptys[1].slave = 0;
     libxl__ev_child_init(&bl->child);
+    libxl__ev_time_init(&bl->time);
     libxl__domaindeathcheck_init(&bl->deathcheck);
     bl->keystrokes.ao = bl->ao;  libxl__datacopier_init(&bl->keystrokes);
     bl->display.ao = bl->ao;     libxl__datacopier_init(&bl->display);
@@ -313,6 +316,7 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
     libxl__domaindeathcheck_stop(gc,&bl->deathcheck);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     for (i=0; i<2; i++) {
         libxl__carefd_close(bl->ptys[i].master);
         libxl__carefd_close(bl->ptys[i].slave);
@@ -374,6 +378,7 @@ static void bootloader_stop(libxl__egc *egc,
 
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     if (libxl__ev_child_inuse(&bl->child)) {
         r = kill(bl->child.pid, SIGTERM);
         if (r) LOGED(WARN, bl->domid, "%sfailed to kill bootloader [%lu]",
@@ -635,6 +640,25 @@ static void bootloader_gotptys(libxl__egc *egc, libxl__openpty_state *op)
         LOGD(DEBUG, bl->domid, "  bootloader arg: %s", *blarg);
 
     struct termios termattr;
+    const libxl_domain_build_info *info = bl->info;
+
+    if (libxl_defbool_val(info->bootloader_restrict)) {
+        const char *timeout_env = getenv("LIBXL_BOOTLOADER_TIMEOUT");
+        int timeout = timeout_env ? atoi(timeout_env)
+                                  : LIBXL_BOOTLOADER_TIMEOUT;
+
+        if (timeout) {
+            /* Set execution timeout */
+            rc = libxl__ev_time_register_rel(ao, &bl->time,
+                                            bootloader_timeout,
+                                            timeout * 1000);
+            if (rc) {
+                LOGED(ERROR, bl->domid,
+                      "unable to register timeout for bootloader execution");
+                goto out;
+            }
+        }
+    }
 
     pid_t pid = libxl__ev_child_fork(gc, &bl->child, bootloader_finished);
     if (pid == -1) {
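Review bot: the LIBXL_BOOTLOADER_TIMEOUT parsing in bootloader_gotptys() uses
atoi(), which cannot report errors, and then computes timeout * 1000 in int.
A non-numeric value yields 0 and silently disables the timeout, a negative
value passes the if (timeout) test, and any value above INT_MAX / 1000
overflows the multiplication even though the man page allows up to INT_MAX.
Suggest strtoul() with end-pointer and range checks, failing the operation or
falling back to the build-time default on bad input, so a typo in the
environment cannot turn the restriction off.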
@@ -701,6 +725,21 @@ static void bootloader_display_copyfail(libxl__egc *egc,
     libxl__bootloader_state *bl = CONTAINER_OF(dc, *bl, display);
     bootloader_copyfail(egc, "bootloader output", bl, 1, rc,onwrite,errnoval);
 }
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc)
+{
+    libxl__bootloader_state *bl = CONTAINER_OF(ev, *bl, time);
+    STATE_AO_GC(bl->ao);
+
+    libxl__ev_time_deregister(gc, &bl->time);
+
+    assert(libxl__ev_child_inuse(&bl->child));
+    LOGD(ERROR, bl->domid, "killing bootloader because of timeout");
+
+    libxl__ev_child_kill_deregister(ao, &bl->child, SIGKILL);
+
+    bootloader_callback(egc, bl, rc);
+}
 
 static void bootloader_domaindeath(libxl__egc *egc,
                                    libxl__domaindeathcheck *dc,
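Review bot: bootloader_timeout() forwards rc to bootloader_callback() without
inspecting it, while unconditionally logging "killing bootloader because of
timeout". If the timer callback can be invoked with an rc other than the
timed-out case, the log line will be misleading; checking rc before logging
would make this robust. The assert(libxl__ev_child_inuse(&bl->child)) also
depends on the timer never outliving the child, which holds only as long as
every exit path deregisters bl->time, so a comment stating that invariant
would help. Style: a blank line is missing between the closing brace of
bootloader_display_copyfail() and the new function.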
@@ -717,6 +756,7 @@ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
     STATE_AO_GC(bl->ao);
     int rc;
 
+    libxl__ev_time_deregister(gc, &bl->time);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
 
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index 1219ff8dbd..d5732d1c37 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -102,6 +102,7 @@
 #define LIBXL_QMP_CMD_TIMEOUT 10
 #define LIBXL_STUBDOM_START_TIMEOUT 30
 #define LIBXL_QEMU_BODGE_TIMEOUT 2
+#define LIBXL_BOOTLOADER_TIMEOUT 120
 #define LIBXL_XENCONSOLE_LIMIT 1048576
 #define LIBXL_XENCONSOLE_PROTOCOL "vt100"
 #define LIBXL_MAXMEM_CONSTANT 1024
@@ -3744,6 +3745,7 @@ struct libxl__bootloader_state {
     libxl__openpty_state openpty;
     libxl__openpty_result ptys[2];  /* [0] is for bootloader */
     libxl__ev_child child;
+    libxl__ev_time time;
     libxl__domaindeathcheck deathcheck;
     int nargs, argsspace;
     const char **args;
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:13:04 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/svm: Fix asymmetry with AMD DR MASK context switching
Message-Id: <E1qqwQx-0008G9-7O@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:13:03 +0000

commit 5d54282f984bb9a7a65b3d12208584f9fdf1c8e1
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Thu Sep 21 17:26:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    x86/svm: Fix asymmetry with AMD DR MASK context switching
    
    The handling of MSR_DR{0..3}_MASK is asymmetric between PV and HVM guests.
    
    HVM guests context switch in based on the guest view of DBEXT, whereas PV
    guests switch in based on the host capability.  Both guest types leave the
    context dirty for the next vCPU.
    
    This leads to the following issue:
    
     * PV or HVM vCPU has debugging active (%dr7 + mask)
     * Switch out deactivates %dr7 but leaves other state stale in hardware
     * HVM vCPU with debugging active but can't see DBEXT is switched in
     * Switch in loads %dr7 but leaves the mask MSRs alone
    
    Now, the HVM vCPU is operating in the context of the prior vCPU's mask MSR,
    and furthermore in a case where it genuinely expects there to be no masking
    MSRs.
    
    As a stopgap, adjust the HVM path to switch in/out the masks based on host
    capabilities rather than guest visibility (i.e. like the PV path).  Adjustment
    of the intercepts still needs to be dependent on the guest visibility
    of DBEXT.
    
    This is part of XSA-444 / CVE-2023-34327
    
    Fixes: c097f54912d3 ("x86/SVM: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
 xen/arch/x86/hvm/svm/svm.c | 24 ++++++++++++++++++------
 xen/arch/x86/traps.c       |  5 +++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index beb076ea8d..24c417ca71 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -317,6 +317,10 @@ static void svm_save_dr(struct vcpu *v)
     v->arch.hvm.flag_dr_dirty = 0;
     vmcb_set_dr_intercepts(vmcb, ~0u);
 
+    /*
+     * The guest can only have changed the mask MSRs if we previous dropped
+     * intercepts.  Re-read them from hardware.
+     */
     if ( v->domain->arch.cpuid->extd.dbext )
     {
         svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_RW);
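Review bot: typo in the new comment in svm_save_dr(): "if we previous dropped
intercepts" should read "previously". It would also help to say that this is
why the condition below stays on the guest's view of DBEXT
(v->domain->arch.cpuid->extd.dbext) while the restore side moves to the host
capability, since the asymmetry otherwise looks like an oversight.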
@@ -348,17 +352,25 @@ static void __restore_debug_registers(struct vmcb_struct *vmcb, struct vcpu *v)
 
     ASSERT(v == current);
 
-    if ( v->domain->arch.cpuid->extd.dbext )
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
+    if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
-        svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, v->arch.msrs->dr_mask[0]);
         wrmsrl(MSR_AMD64_DR1_ADDRESS_MASK, v->arch.msrs->dr_mask[1]);
         wrmsrl(MSR_AMD64_DR2_ADDRESS_MASK, v->arch.msrs->dr_mask[2]);
         wrmsrl(MSR_AMD64_DR3_ADDRESS_MASK, v->arch.msrs->dr_mask[3]);
+
+        if ( v->domain->arch.cpuid->extd.dbext )
+        {
+            svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+        }
     }
 
     write_debugreg(0, v->arch.dr[0]);
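Review bot: in __restore_debug_registers() the four wrmsrl() calls now run on
every restore on any DBEXT-capable host, including for guests that cannot see
DBEXT. That closes the stale-mask leak, but the comment should say the cost is
accepted deliberately, given that the commit message calls this a stopgap.
The comment block is also duplicated verbatim in activate_debugregs(); a
cross-reference in one of the two places would keep them from drifting.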
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 0a005f088b..e1356f696a 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2225,6 +2225,11 @@ void activate_debugregs(const struct vcpu *curr)
     if ( curr->arch.dr7 & DR7_ACTIVE_MASK )
         write_debugreg(7, curr->arch.dr7);
 
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
     if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, curr->arch.msrs->dr_mask[0]);
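Review bot: the new comment in activate_debugregs() says "If we're activating
%dr7", but in the visible code the DR_MASK writes are not nested under the
curr->arch.dr7 & DR7_ACTIVE_MASK test; they are gated only on
boot_cpu_has(X86_FEATURE_DBEXT). Either word the comment to match (the masks
are synced whenever this function runs on a DBEXT host) or state that callers
only reach here when %dr7 is being activated.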
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 14:13:14 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/pv: Correct the auditing of guest breakpoint addresses
Message-Id: <E1qqwR7-0008Gd-AL@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 14:13:13 +0000

commit dc9d9aa62ddeb14abd5672690d30789829f58f7e
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 19 12:13:50 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 11 06:36:50 2023 +0100

    x86/pv: Correct the auditing of guest breakpoint addresses
    
    The use of access_ok() is buggy, because it permits access to the compat
    translation area.  64bit PV guests don't use the XLAT area, but on AMD
    hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
    region, allowing the breakpoint to reach outside of the XLAT area.
    
    Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
    32-bit PV"), the live GDT was within 4G of the XLAT area.
    
    All together, this allowed a malicious 64bit PV guest on AMD hardware to place
    a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).
    
    Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
    appropriate check in this case.
    
    For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
    to be on its own with nothing interesting adjacent.  For Xen 4.13 and older on
    AMD hardware, this fixes a PV-trigger-able DoS.
    
    This is part of XSA-444 / CVE-2023-34328.
    
    Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/arch/x86/domain.c               |  2 +-
 xen/arch/x86/include/asm/debugreg.h | 19 +++++++++++++++++++
 xen/arch/x86/pv/misc-hypercalls.c   |  2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 8d3d52034a..d05ee0da55 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1088,7 +1088,7 @@ int arch_set_info_guest(
     if ( is_pv_domain(d) )
     {
         for ( i = 0; i < ARRAY_SIZE(v->arch.dr); i++ )
-            if ( !access_ok(c(debugreg[i]), sizeof(long)) )
+            if ( !breakpoint_addr_ok(c(debugreg[i])) )
                 return -EINVAL;
         /*
          * Prior to Xen 4.11, dr5 was used to hold the emulated-only
diff --git a/xen/arch/x86/include/asm/debugreg.h b/xen/arch/x86/include/asm/debugreg.h
index 39ba312b84..b6454cc04e 100644
--- a/xen/arch/x86/include/asm/debugreg.h
+++ b/xen/arch/x86/include/asm/debugreg.h
@@ -76,6 +76,25 @@
     __val;                                                  \
 })
 
+/*
+ * Architecturally, %dr{0..3} can have any arbitrary value.  However, Xen
+ * can't allow the guest to breakpoint the Xen address range, so we limit the
+ * guest to the lower canonical half, or above the Xen range in the higher
+ * canonical half.
+ *
+ * Breakpoint lengths are specified to mask the low order address bits,
+ * meaning all breakpoints are naturally aligned.  With %dr7, the widest
+ * breakpoint is 8 bytes.  With DBEXT, the widest breakpoint is 4G.  Both of
+ * the Xen boundaries have >4G alignment.
+ *
+ * In principle we should account for HYPERVISOR_COMPAT_VIRT_START(d), but
+ * 64bit Xen has never enforced this for compat guests, and there's no problem
+ * (to Xen) if the guest breakpoints it's alias of the M2P.  Skipping this
+ * aspect simplifies the logic, and causes us not to reject a migrating guest
+ * which operated fine on prior versions of Xen.
+ */
+#define breakpoint_addr_ok(a) __addr_ok(a)
+
 struct vcpu;
 long set_debugreg(struct vcpu *, unsigned int reg, unsigned long value);
 void activate_debugregs(const struct vcpu *);
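Review bot: breakpoint_addr_ok() is safe only because, as the comment states,
both Xen boundaries have >4G alignment, and nothing in this hunk enforces
that. A BUILD_BUG_ON() on the alignment of the range bounds that __addr_ok()
checks would turn the assumption into a compile-time guarantee, so a future
layout change cannot silently reintroduce a breakpoint that spans into the
Xen range. Minor: "it's alias of the M2P" should be "its alias".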
diff --git a/xen/arch/x86/pv/misc-hypercalls.c b/xen/arch/x86/pv/misc-hypercalls.c
index 99f5028128..b529f00ea1 100644
--- a/xen/arch/x86/pv/misc-hypercalls.c
+++ b/xen/arch/x86/pv/misc-hypercalls.c
@@ -61,7 +61,7 @@ long set_debugreg(struct vcpu *v, unsigned int reg, unsigned long value)
     switch ( reg )
     {
     case 0 ... 3:
-        if ( !access_ok(value, sizeof(long)) )
+        if ( !breakpoint_addr_ok(value) )
             return -EPERM;
 
         v->arch.dr[reg] = value;
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:10 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/xenstored: domain_entry_fix(): Handle conflicting transaction
Message-Id: <E1qr1lu-0002sh-E3@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:02 +0000

commit 3382512b9f5e0d8cf37709d7cb47389d2ce8e624
Author:     Julien Grall <jgrall@amazon.com>
AuthorDate: Fri Sep 22 11:32:16 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/xenstored: domain_entry_fix(): Handle conflicting transaction
    
    The function domain_entry_fix() will be initially called to check if the
    quota is correct before attempting to commit any nodes. So it would be
    possible that accounting is temporarily negative. This is the case
    in the following sequence:
    
      1) Create 50 nodes
      2) Start two transactions
      3) Delete all the nodes in each transaction
      4) Commit the two transactions
    
    Because the first transaction will have succeeded and updated the
    accounting, there is no guarantee that 'd->nbentry + num' will still
    be above 0. So the assert() would be triggered.
    The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
    and fix per domain node accounting") with the assumption that the
    value can't be negative. As this is not true revert to the original
    check but restricted to the path where we don't update. Take the
    opportunity to explain the rationale behind the check.
    
    This is CVE-2023-34323 / XSA-440.
    
    Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    (cherry picked from commit c4e05c97f57d236040d1da5c1fbf6e3699dc86ea)
---
 tools/xenstore/xenstored_domain.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index ddd49eddfa..a3475284ea 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1062,10 +1062,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
 	}
 
 	cnt = d->nbentry + num;
-	assert(cnt >= 0);
 
-	if (update)
+	if (update) {
+		assert(cnt >= 0);
 		d->nbentry = cnt;
+	} else if (cnt < 0) {
+		/*
+		 * In a transaction when a node is being added/removed AND
+		 * the same node has been added/removed outside the
+		 * transaction in parallel, the result value may be negative.
+		 * This is no problem, as the transaction will fail due to
+		 * the resulting conflict. So override 'cnt'.
+		 */
+		cnt = 0;
+	}
 
 	return domid_is_unprivileged(domid) ? cnt : 0;
 }
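Review bot: the assert(cnt >= 0) kept in the update branch of
domain_entry_fix() still aborts xenstored if the count ever goes negative
there, and with NDEBUG it would store a negative d->nbentry instead. Since the
comment in the else branch argues that a negative value can only occur on a
path that will later fail with a conflict, it would be more robust for the
update path to handle cnt < 0 explicitly (log and clamp, or return an error)
rather than rely on an assertion in a daemon that serves all domains. The new
comment could also say that overriding cnt to 0 makes this call report an
empty count to the caller's quota check.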
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] iommu/amd-vi: flush IOMMU TLB when flushing the DTE
Message-Id: <E1qr1m4-0002t8-Hb@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:12 +0000

commit 35217b78048e91a0f4d0f14b31a474cc59ec1388
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Tue Jun 13 15:01:05 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    iommu/amd-vi: flush IOMMU TLB when flushing the DTE
    
    The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
    3.07-PUB—Oct 2022) seem to be misleading on some hardware, as devices will
    malfunction (see stale DMA mappings) if some fields of the DTE are updated but
    the IOMMU TLB is not flushed. This has been observed in practice on AMD
    systems.  Due to the lack of guidance from the currently published
    specification this patch aims to increase the flushing done in order to prevent
    device malfunction.
    
    In order to fix, issue an INVALIDATE_IOMMU_PAGES command from
    amd_iommu_flush_device(), flushing all the address space.  Note this requires
    callers to be adjusted in order to pass the DomID on the DTE previous to the
    modification.
    
    Some call sites don't provide a valid DomID to amd_iommu_flush_device() in
    order to avoid the flush.  That's because the device had address translations
    disabled and hence the previous DomID on the DTE is not valid.  Note the
    current logic relies on the entity disabling address translations to also flush
    the TLB of the in use DomID.
    
    Device I/O TLB flushing when ATS are enabled is not covered by the current
    change, as ATS usage is not security supported.
    
    This is XSA-442 / CVE-2023-34326
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 5fc98b97084a46884acef9320e643faf40d42212)
---
 xen/drivers/passthrough/amd/iommu.h         |  3 ++-
 xen/drivers/passthrough/amd/iommu_cmd.c     | 10 +++++++++-
 xen/drivers/passthrough/amd/iommu_guest.c   |  5 +++--
 xen/drivers/passthrough/amd/iommu_init.c    |  6 +++++-
 xen/drivers/passthrough/amd/pci_amd_iommu.c | 14 ++++++++++----
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h
index 3c702eb517..6dd24593a0 100644
--- a/xen/drivers/passthrough/amd/iommu.h
+++ b/xen/drivers/passthrough/amd/iommu.h
@@ -280,7 +280,8 @@ void amd_iommu_flush_pages(struct domain *d, unsigned long dfn,
                            unsigned int order);
 void amd_iommu_flush_iotlb(u8 devfn, const struct pci_dev *pdev,
                            uint64_t gaddr, unsigned int order);
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf);
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid);
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf);
 void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
 
diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c
index 809d93b89f..41a32c757b 100644
--- a/xen/drivers/passthrough/amd/iommu_cmd.c
+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
@@ -362,10 +362,18 @@ void amd_iommu_flush_pages(struct domain *d,
     _amd_iommu_flush_pages(d, __dfn_to_daddr(dfn), order);
 }
 
-void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf)
+void amd_iommu_flush_device(struct amd_iommu *iommu, uint16_t bdf,
+                            domid_t domid)
 {
     invalidate_dev_table_entry(iommu, bdf);
     flush_command_buffer(iommu, 0);
+
+    /* Also invalidate IOMMU TLB entries when flushing the DTE. */
+    if ( domid != DOMID_INVALID )
+    {
+        invalidate_iommu_pages(iommu, INV_IOMMU_ALL_PAGES_ADDRESS, domid, 0);
+        flush_command_buffer(iommu, 0);
+    }
 }
 
 void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
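Review bot: amd_iommu_flush_device() now has a contract that is not written down anywhere in this hunk: domid must be the DomID the DTE held before it was modified, and DOMID_INVALID means "skip the IOMMU TLB flush". The one-line comment only says the TLB is also invalidated. Please add a function comment stating both points, so that a later caller does not pass the new DomID, or DOMID_INVALID out of habit. If issuing two separate flush_command_buffer() waits rather than queuing both invalidations before one wait is intentional, the comment should say why.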
diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c
index 85828490ff..38c7b4d979 100644
--- a/xen/drivers/passthrough/amd/iommu_guest.c
+++ b/xen/drivers/passthrough/amd/iommu_guest.c
@@ -385,7 +385,7 @@ static int do_completion_wait(struct domain *d, cmd_entry_t *cmd)
 
 static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
 {
-    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id;
+    uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid;
     struct amd_iommu_dte *gdte, *mdte, *dte_base;
     struct amd_iommu *iommu = NULL;
     struct guest_iommu *g_iommu;
@@ -445,13 +445,14 @@ static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd)
     req_id = get_dma_requestor_id(iommu->seg, mbdf);
     dte_base = iommu->dev_table.buffer;
     mdte = &dte_base[req_id];
+    prev_domid = mdte->domain_id;
 
     spin_lock_irqsave(&iommu->lock, flags);
     dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx);
 
     spin_unlock_irqrestore(&iommu->lock, flags);
 
-    amd_iommu_flush_device(iommu, req_id);
+    amd_iommu_flush_device(iommu, req_id, prev_domid);
 
     return 0;
 }
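Review bot: prev_domid = mdte->domain_id is read before spin_lock_irqsave(&iommu->lock, flags), while the DTE update it pairs with happens under the lock. Elsewhere in this patch, amd_iommu_disable_domain_device() captures the previous DomID after taking the lock. Moving the read below the lock would make the captured value the one dte_set_gcr3_table() actually replaces. Also, prev_domid joins a uint16_t declaration list while the new parameter is domid_t; declaring it as domid_t would match the other call sites.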
diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
index ca791d4e54..7dfe4b15dc 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -1556,7 +1556,11 @@ static int _invalidate_all_devices(
         req_id = ivrs_mappings[bdf].dte_requestor_id;
         if ( iommu )
         {
-            amd_iommu_flush_device(iommu, req_id);
+            /*
+             * IOMMU TLB flush performed separately (see
+             * invalidate_all_domain_pages()).
+             */
+            amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
             amd_iommu_flush_intremap(iommu, req_id);
         }
     }
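Review bot: the new comment in _invalidate_all_devices() points at invalidate_all_domain_pages() for the TLB flush, but nothing in this hunk shows that the two are always called together. If a caller runs _invalidate_all_devices() on its own, passing DOMID_INVALID leaves the IOMMU TLB entries in place. Name the caller that pairs them, or state the required ordering in the comment, so the dependency can be checked when either function changes.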
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index e5e0f00402..7b6dbf546a 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -192,10 +192,13 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, req_id, DOMID_INVALID);
     }
     else if ( dte->pt_root != mfn_x(page_to_mfn(root_pg)) )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /*
          * Strictly speaking if the device is the only one with this requestor
          * ID, it could be allowed to be re-assigned regardless of unity map
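Review bot: the comment "DTE didn't have DMA translations enabled, do not flush the TLB" states the condition but not the assumption behind it. According to the commit message, skipping the flush is safe only because whoever disabled address translation also flushed the TLB of the DomID in use. Put that in the comment (the same text recurs in amd_iommu_add_device()), since it is the invariant a later change could break without noticing.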
@@ -252,7 +255,7 @@ static int __must_check amd_iommu_setup_domain_device(
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
     }
     else
         spin_unlock_irqrestore(&iommu->lock, flags);
@@ -421,6 +424,8 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
     spin_lock_irqsave(&iommu->lock, flags);
     if ( dte->tv || dte->v )
     {
+        domid_t prev_domid = dte->domain_id;
+
         /* See the comment in amd_iommu_setup_device_table(). */
         dte->int_ctl = IOMMU_DEV_TABLE_INT_CONTROL_ABORTED;
         smp_wmb();
@@ -439,7 +444,7 @@ static void amd_iommu_disable_domain_device(const struct domain *domain,
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, req_id);
+        amd_iommu_flush_device(iommu, req_id, prev_domid);
 
         AMD_IOMMU_DEBUG("Disable: device id = %#x, "
                         "domain = %d, paging mode = %d\n",
@@ -611,7 +616,8 @@ static int amd_iommu_add_device(u8 devfn, struct pci_dev *pdev)
 
         spin_unlock_irqrestore(&iommu->lock, flags);
 
-        amd_iommu_flush_device(iommu, bdf);
+        /* DTE didn't have DMA translations enabled, do not flush the TLB. */
+        amd_iommu_flush_device(iommu, bdf, DOMID_INVALID);
     }
 
     if ( amd_iommu_reserve_domain_unity_map(
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:23 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:55:23 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615976.957581 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mF-0002Oe-6n; Thu, 12 Oct 2023 19:55:23 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615976.957581; Thu, 12 Oct 2023 19:55:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mF-0002OW-4G; Thu, 12 Oct 2023 19:55:23 +0000
Received: by outflank-mailman (input) for mailman id 615976;
 Thu, 12 Oct 2023 19:55:22 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mE-0002OO-Mp
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:22 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mE-0008Jv-M2
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:22 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mE-0002tX-Kh
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:22 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=gLQRxklkREk0cmj3y1jyzmpiVVQlfAPQ6EJkh6avf2E=; b=10gCIirulGLJg1/Kfxm/y+iA24
	P+Rz4kvlr1fg+OnZ/yFWi7kjH7qnteI3wZjQtG6NSfSH5XiNOjD8J5n1WlgxT5WbdIo1j801FwDzX
	uGdYxTvJOCxawpvVVVopzC11sHyVekjdtgI5jQ05yvMMUQPwZ5STME6WTBnUMsa+99sI=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libfsimage/xfs: Remove dead code
Message-Id: <E1qr1mE-0002tX-Kh@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:22 +0000

commit d51a2a1843b612b03f764703159a0946fe026750
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:50 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    libfsimage/xfs: Remove dead code
    
    xfs_info.agnolog (and related code) and XFS_INO_AGBNO_BITS are dead code
    that serve no purpose.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 37fc1e6c1c5c63aafd9cfd76a37728d5baea7d71)
---
 tools/libfsimage/xfs/fsys_xfs.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index d735a88e55..2800699f59 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -37,7 +37,6 @@ struct xfs_info {
 	int blklog;
 	int inopblog;
 	int agblklog;
-	int agnolog;
 	unsigned int nextents;
 	xfs_daddr_t next;
 	xfs_daddr_t daddr;
@@ -65,9 +64,7 @@ static struct xfs_info xfs;
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
-#define	XFS_INO_AGBNO_BITS	xfs.agblklog
 #define	XFS_INO_AGINO_BITS	(xfs.agblklog + xfs.inopblog)
-#define	XFS_INO_AGNO_BITS	xfs.agnolog
 
 static inline xfs_agblock_t
 agino2agbno (xfs_agino_t agino)
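Review bot: this hunk removes XFS_INO_AGNO_BITS as well as XFS_INO_AGBNO_BITS, and a later hunk removes xfs_highbit32(), but the commit message names only xfs_info.agnolog and XFS_INO_AGBNO_BITS and leaves the rest under "related code". Listing every removed symbol in the message would make it easier to audit the backport against the other branches.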
@@ -149,20 +146,6 @@ xt_len (xfs_bmbt_rec_32_t *r)
 	return le32(r->l3) & mask32lo(21);
 }
 
-static inline int
-xfs_highbit32(xfs_uint32_t v)
-{
-	int i;
-
-	if (--v) {
-		for (i = 0; i < 31; i++, v >>= 1) {
-			if (v == 0)
-				return i;
-		}
-	}
-	return 0;
-}
-
 static int
 isinxt (xfs_fileoff_t key, xfs_fileoff_t offset, xfs_filblks_t len)
 {
@@ -472,7 +455,6 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 
 	xfs.inopblog = super.sb_inopblog;
 	xfs.agblklog = super.sb_agblklog;
-	xfs.agnolog = xfs_highbit32 (le32(super.sb_agcount));
 
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:33 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:55:33 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615977.957585 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mP-0002RJ-8P; Thu, 12 Oct 2023 19:55:33 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615977.957585; Thu, 12 Oct 2023 19:55:33 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mP-0002RC-5f; Thu, 12 Oct 2023 19:55:33 +0000
Received: by outflank-mailman (input) for mailman id 615977;
 Thu, 12 Oct 2023 19:55:32 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mO-0002R6-Ra
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:32 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mO-0008KE-QK
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:32 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mO-0002ty-OD
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:32 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=FPNBzElwNNoM5Nxt5NI9R01EBll7LvJRTFGi3+8oeU8=; b=5tkeLn0nEqgYk/EFOnmiPlLCFA
	zVVmvKonZo1cT2AaS8n24zIaILYz+R56iiSI6tfHKRHgH1w89O9fuOZRmEhr10GkiWnLETafbphER
	fpG93DcA7kglEVAtRVBEvv6JVEzuza2KGpuOdJewgr17htkRA3K9pXYalj48Yqd11nss=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libfsimage/xfs: Amend mask32lo() to allow the value 32
Message-Id: <E1qr1mO-0002ty-OD@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:32 +0000

commit 7d520b8d4ec7495f1ef1e4343a4f705a363e0c9c
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:51 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    libfsimage/xfs: Amend mask32lo() to allow the value 32
    
    agblklog could plausibly be 32, but that would overflow this shift.
    Perform the shift as ULL and cast to u32 at the end instead.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit ddc45e4eea946bb373a4b4a60c84bf9339cf413b)
---
 tools/libfsimage/xfs/fsys_xfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 2800699f59..4720bb4505 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -60,7 +60,7 @@ static struct xfs_info xfs;
 #define inode		((xfs_dinode_t *)((char *)FSYS_BUF + 8192))
 #define icore		(inode->di_core)
 
-#define	mask32lo(n)	(((xfs_uint32_t)1 << (n)) - 1)
+#define	mask32lo(n)	((xfs_uint32_t)((1ull << (n)) - 1))
 
 #define	XFS_INO_MASK(k)		((xfs_uint32_t)((1ULL << (k)) - 1))
 #define	XFS_INO_OFFSET_BITS	xfs.inopblog
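Review bot: after this change mask32lo(n) and XFS_INO_MASK(k) two lines below have the same body, differing only in the spelling of the suffix (1ull against 1ULL). Define one in terms of the other, or at least use one suffix style, so they cannot drift apart again. A short comment giving the valid range of n would also help: 0 to 32 is the stated intent, 64 and above is still undefined, and nothing in this hunk bounds the argument.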
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:44 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:55:44 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615979.957589 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ma-0002UD-A3; Thu, 12 Oct 2023 19:55:44 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615979.957589; Thu, 12 Oct 2023 19:55:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ma-0002U3-7O; Thu, 12 Oct 2023 19:55:44 +0000
Received: by outflank-mailman (input) for mailman id 615979;
 Thu, 12 Oct 2023 19:55:43 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mY-0002Tr-VS
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:42 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mY-0008KR-UY
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:42 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mY-0002uN-SV
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:42 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=5MLU6rmfmlpAKjJnhvah/kR5IKJ0qyPLIEUTTbOM7Ps=; b=OHn3FhsvVqOjjgjwPHOFivEJ94
	9WpUqntIiq6xzT7kdPXlKytbTG1qDFu1WfsAFwtos2GoQuLVRSkeooxjFjClO2P9mFJecWKc7H2SS
	b6ECvoToa4FtwolOGQPYj6lYLptTDTwKmjoMagPyx0H3yt3tglHAPu322OKMFOU64fiI=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libfsimage/xfs: Sanity-check the superblock during mounts
Message-Id: <E1qr1mY-0002uN-SV@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:42 +0000

commit 2de503f8fd0d07401e92abed1097ceb5fd1801f6
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:52 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    libfsimage/xfs: Sanity-check the superblock during mounts
    
    Sanity-check the XFS superblock for wellformedness at the mount handler.
    This forces pygrub to abort parsing a potentially malformed filesystem and
    ensures the invariants assumed throughout the rest of the code hold.
    
    Also, derive parameters from previously sanitized parameters where possible
    (rather than reading them off the superblock)
    
    The code doesn't try to avoid overflowing the end of the disk, because
    that's an unlikely and benign error. Parameters used in calculations of
    xfs_daddr_t (like the root inode index) aren't in critical need of being
    sanitized.
    
    The sanitization of agblklog is basically checking that no obvious
    overflows happen on agblklog, and then ensuring agblocks is contained in
    the range (2^(sb_agblklog-1), 2^sb_agblklog].
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 620500dd1baf33347dfde5e7fde7cf7fe347da5c)
---
 tools/libfsimage/xfs/fsys_xfs.c | 48 ++++++++++++++++++++++++++++++++---------
 tools/libfsimage/xfs/xfs.h      | 12 +++++++++++
 2 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index 4720bb4505..e4eb7e1ee2 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -17,6 +17,7 @@
  *  along with this program; If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <stdbool.h>
 #include <xenfsimage_grub.h>
 #include "xfs.h"
 
@@ -433,29 +434,56 @@ first_dentry (fsi_file_t *ffi, xfs_ino_t *ino)
 	return next_dentry (ffi, ino);
 }
 
+static bool
+xfs_sb_is_invalid (const xfs_sb_t *super)
+{
+	return (le32(super->sb_magicnum) != XFS_SB_MAGIC)
+	    || ((le16(super->sb_versionnum) & XFS_SB_VERSION_NUMBITS) !=
+	        XFS_SB_VERSION_4)
+	    || (super->sb_inodelog < XFS_SB_INODELOG_MIN)
+	    || (super->sb_inodelog > XFS_SB_INODELOG_MAX)
+	    || (super->sb_blocklog < XFS_SB_BLOCKLOG_MIN)
+	    || (super->sb_blocklog > XFS_SB_BLOCKLOG_MAX)
+	    || (super->sb_blocklog < super->sb_inodelog)
+	    || (super->sb_agblklog > XFS_SB_AGBLKLOG_MAX)
+	    || ((1ull << super->sb_agblklog) < le32(super->sb_agblocks))
+	    || (((1ull << super->sb_agblklog) >> 1) >=
+	        le32(super->sb_agblocks))
+	    || ((super->sb_blocklog + super->sb_dirblklog) >=
+	        XFS_SB_DIRBLK_NUMBITS);
+}
+
 static int
 xfs_mount (fsi_file_t *ffi, const char *options)
 {
 	xfs_sb_t super;
 
 	if (!devread (ffi, 0, 0, sizeof(super), (char *)&super)
-	    || (le32(super.sb_magicnum) != XFS_SB_MAGIC)
-	    || ((le16(super.sb_versionnum) 
-		& XFS_SB_VERSION_NUMBITS) != XFS_SB_VERSION_4) ) {
+	    || xfs_sb_is_invalid(&super)) {
 		return 0;
 	}
 
-	xfs.bsize = le32 (super.sb_blocksize);
-	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = xfs.blklog - SECTOR_BITS;
+	/*
+	 * Not sanitized. It's exclusively used to generate disk addresses,
+	 * so it's not important from a security standpoint.
+	 */
 	xfs.rootino = le64 (super.sb_rootino);
-	xfs.isize = le16 (super.sb_inodesize);
-	xfs.agblocks = le32 (super.sb_agblocks);
-	xfs.dirbsize = xfs.bsize << super.sb_dirblklog;
 
-	xfs.inopblog = super.sb_inopblog;
+	/*
+	 * Sanitized to be consistent with each other, only used to
+	 * generate disk addresses, so it's safe
+	 */
+	xfs.agblocks = le32 (super.sb_agblocks);
 	xfs.agblklog = super.sb_agblklog;
 
+	/* Derived from sanitized parameters */
+	xfs.bsize = 1 << super.sb_blocklog;
+	xfs.blklog = super.sb_blocklog;
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
+	xfs.isize = 1 << super.sb_inodelog;
+	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
+	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
+
 	xfs.btnode_ptr0_off =
 		((xfs.bsize - sizeof(xfs_btree_block_t)) /
 		(sizeof (xfs_bmbt_key_t) + sizeof (xfs_bmbt_ptr_t)))
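Review bot: xfs_mount() used to take bsize, isize and inopblog from sb_blocksize, sb_inodesize and sb_inopblog; it now derives them from the log fields and never looks at the stored values, so a superblock in which the two disagree is accepted without complaint. If that is intended, say so in the "Derived from sanitized parameters" comment; otherwise xfs_sb_is_invalid() could reject the image when, for instance, le32(super->sb_blocksize) differs from 1u << super->sb_blocklog. Separately, xfs_sb_is_invalid() is one long || chain with no comments; a short comment per group of clauses, as the commit message gives for the agblocks range, would make the invariants easier to audit.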
diff --git a/tools/libfsimage/xfs/xfs.h b/tools/libfsimage/xfs/xfs.h
index 40699281e4..b87e37d3d7 100644
--- a/tools/libfsimage/xfs/xfs.h
+++ b/tools/libfsimage/xfs/xfs.h
@@ -134,6 +134,18 @@ typedef struct xfs_sb
         xfs_uint8_t       sb_dummy[7];    /* padding */
 } xfs_sb_t;
 
+/* Bound taken from xfs.c in GRUB2. It doesn't exist in the spec */
+#define	XFS_SB_DIRBLK_NUMBITS	27
+/* Implied by the XFS specification. The minimum block size is 512 octets */
+#define	XFS_SB_BLOCKLOG_MIN	9
+/* Implied by the XFS specification. The maximum block size is 65536 octets */
+#define	XFS_SB_BLOCKLOG_MAX	16
+/* Implied by the XFS specification. The minimum inode size is 256 octets */
+#define	XFS_SB_INODELOG_MIN	8
+/* Implied by the XFS specification. The maximum inode size is 2048 octets */
+#define	XFS_SB_INODELOG_MAX	11
+/* High bound for sb_agblklog */
+#define	XFS_SB_AGBLKLOG_MAX	32
 
 /* those are from xfs_btree.h */
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:55:54 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:55:54 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615981.957593 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mk-0002Xk-Cy; Thu, 12 Oct 2023 19:55:54 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615981.957593; Thu, 12 Oct 2023 19:55:54 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mk-0002Xc-AA; Thu, 12 Oct 2023 19:55:54 +0000
Received: by outflank-mailman (input) for mailman id 615981;
 Thu, 12 Oct 2023 19:55:53 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mj-0002XT-4J
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:53 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mj-0008Ks-3S
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:53 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mj-0002v3-0h
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:55:53 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=E0rY3b57WMFtdINch3f0HvM4bVozX6DfRPioqRv5Haw=; b=QjkgJeMI5jBELGIOk8wXFedps4
	USxmwGUnOM3QrldPW3DqKep8s54F8e6pNhHDR23lQjR0xntDnUCbSFZz5IXdsclJo5dM2Tic1alfi
	x/UwCSTb5u8v0Tdfxfj+RFB0jVIq3dWPLxE5tA0Zi18EW1QZQh23PrgpJ5QxwB1yHF9I=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libfsimage/xfs: Add compile-time check to libfsimage
Message-Id: <E1qr1mj-0002v3-0h@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:55:53 +0000

commit 766126159ee963cdc16ba9cb2b0ca54b98bc148f
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Thu Sep 14 13:22:53 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    libfsimage/xfs: Add compile-time check to libfsimage
    
    Adds the common tools include folder to the -I compile flags
    of libfsimage. This allows us to use:
      xen-tools/common-macros.h:BUILD_BUG_ON()
    
    With it, statically assert a sanitized "blocklog - SECTOR_BITS" cannot
    underflow.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit 7d85c70431593550e32022e3a19a37f306f49e00)
---
 tools/libfsimage/Rules.mk       | 2 +-
 tools/libfsimage/xfs/fsys_xfs.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/Rules.mk b/tools/libfsimage/Rules.mk
index bb6d42abb4..80598fb70a 100644
--- a/tools/libfsimage/Rules.mk
+++ b/tools/libfsimage/Rules.mk
@@ -1,6 +1,6 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
-CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\"
+CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ $(CFLAGS_xeninclude) -DFSIMAGE_FSDIR=\"$(FSDIR)\"
 CFLAGS += -Werror -D_GNU_SOURCE
 LDFLAGS += -L../common/
 
diff --git a/tools/libfsimage/xfs/fsys_xfs.c b/tools/libfsimage/xfs/fsys_xfs.c
index e4eb7e1ee2..4a8dd6f239 100644
--- a/tools/libfsimage/xfs/fsys_xfs.c
+++ b/tools/libfsimage/xfs/fsys_xfs.c
@@ -19,6 +19,7 @@
 
 #include <stdbool.h>
 #include <xenfsimage_grub.h>
+#include <xen-tools/libs.h>
 #include "xfs.h"
 
 #define MAX_LINK_COUNT	8
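Review bot: the commit message says BUILD_BUG_ON() comes from xen-tools/common-macros.h, but this hunk includes <xen-tools/libs.h>. If libs.h is the correct header on this branch, adjust the message of the backport so that the two agree.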
@@ -477,9 +478,10 @@ xfs_mount (fsi_file_t *ffi, const char *options)
 	xfs.agblklog = super.sb_agblklog;
 
 	/* Derived from sanitized parameters */
+	BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS);
+	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.bsize = 1 << super.sb_blocklog;
 	xfs.blklog = super.sb_blocklog;
-	xfs.bdlog = super.sb_blocklog - SECTOR_BITS;
 	xfs.isize = 1 << super.sb_inodelog;
 	xfs.dirbsize = 1 << (super.sb_blocklog + super.sb_dirblklog);
 	xfs.inopblog = super.sb_blocklog - super.sb_inodelog;
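Review bot: BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS) proves that the subtraction cannot underflow only if sb_blocklog has already been checked against XFS_SB_BLOCKLOG_MIN, which happens in xfs_sb_is_invalid() and is not visible here. A one-line comment tying the assertion to that runtime check would keep the two from being separated. xfs.inopblog = super.sb_blocklog - super.sb_inodelog depends on the blocklog >= inodelog check in the same way and carries no marker at all.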
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16
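
The three libfsimage/xfs messages above (mask32lo() accepting 32, the superblock sanity checks, and the compile-time check) can be exercised together. The following is an added example, not code from the Xen tree or from these patches: struct sb_geom, sb_check(), sb_derive() and the verdict names are hypothetical, the fields are assumed to be in host byte order already, SECTOR_BITS is assumed to be 9, and the magic and version checks are left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds copied from the xfs.h hunk of the sanity-check patch. */
#define XFS_SB_DIRBLK_NUMBITS 27
#define XFS_SB_BLOCKLOG_MIN    9
#define XFS_SB_BLOCKLOG_MAX   16
#define XFS_SB_INODELOG_MIN    8
#define XFS_SB_INODELOG_MAX   11
#define XFS_SB_AGBLKLOG_MAX   32
/* Assumption: 512-byte sectors; the patches do not show SECTOR_BITS. */
#define SECTOR_BITS            9

/* Amended macro: the shift is done in 64 bits, so n == 32 is well defined. */
#define mask32lo(n) ((uint32_t)((1ull << (n)) - 1))

/* Stand-in for BUILD_BUG_ON(XFS_SB_BLOCKLOG_MIN < SECTOR_BITS). */
_Static_assert(XFS_SB_BLOCKLOG_MIN >= SECTOR_BITS, "bdlog would underflow");

/* Hypothetical reduced superblock: geometry fields only, host byte order. */
struct sb_geom {
    uint8_t  blocklog, inodelog, agblklog, dirblklog;
    uint32_t agblocks;
};

enum sb_verdict {
    SB_OK, SB_BAD_INODELOG, SB_BAD_BLOCKLOG, SB_INODE_GT_BLOCK,
    SB_BAD_AGBLKLOG, SB_AGBLOCKS_RANGE, SB_BAD_DIRBLK
};

/* Same geometry tests, in the same order, as xfs_sb_is_invalid() in the
 * patch, but reporting which invariant failed instead of a single bool. */
enum sb_verdict sb_check(const struct sb_geom *sb)
{
    if (sb->inodelog < XFS_SB_INODELOG_MIN || sb->inodelog > XFS_SB_INODELOG_MAX)
        return SB_BAD_INODELOG;
    if (sb->blocklog < XFS_SB_BLOCKLOG_MIN || sb->blocklog > XFS_SB_BLOCKLOG_MAX)
        return SB_BAD_BLOCKLOG;
    if (sb->blocklog < sb->inodelog)
        return SB_INODE_GT_BLOCK;
    if (sb->agblklog > XFS_SB_AGBLKLOG_MAX)
        return SB_BAD_AGBLKLOG;   /* also keeps the 64-bit shifts below in range */
    /* agblocks must lie in (2^(agblklog-1), 2^agblklog]. */
    if ((1ull << sb->agblklog) < sb->agblocks ||
        ((1ull << sb->agblklog) >> 1) >= sb->agblocks)
        return SB_AGBLOCKS_RANGE;
    if (sb->blocklog + sb->dirblklog >= XFS_SB_DIRBLK_NUMBITS)
        return SB_BAD_DIRBLK;
    return SB_OK;
}

struct xfs_params {
    uint32_t bsize, isize, dirbsize, agbno_mask;
    int bdlog, inopblog;
};

/* Derive the mount parameters from validated fields only, as the patch does.
 * Returns false and leaves *p untouched when the geometry is rejected. */
bool sb_derive(const struct sb_geom *sb, struct xfs_params *p)
{
    if (sb_check(sb) != SB_OK)
        return false;
    p->bdlog      = sb->blocklog - SECTOR_BITS;   /* >= 0 by the static assert */
    p->bsize      = 1u << sb->blocklog;
    p->isize      = 1u << sb->inodelog;
    p->dirbsize   = 1u << (sb->blocklog + sb->dirblklog);
    p->inopblog   = sb->blocklog - sb->inodelog;  /* >= 0: blocklog >= inodelog */
    p->agbno_mask = mask32lo(sb->agblklog);       /* agblklog may be exactly 32 */
    return true;
}

int main(void)
{
    /* Constructed sample geometries, not taken from any real image. */
    const struct sb_geom samples[] = {
        { 12,  9, 16,  0, 65536u },       /* typical 4 KiB blocks          */
        { 12,  9, 32,  0, 0x80000001u },  /* agblklog at its upper bound   */
        { 12,  9, 33,  0, 1u },           /* agblklog past the bound       */
        { 12,  9, 16,  0, 32768u },       /* agblocks fits in 15 bits      */
        { 16,  9, 16, 11, 65536u },       /* directory block too large     */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct xfs_params p;
        if (sb_derive(&samples[i], &p))
            printf("sample %zu: ok, bsize=%u agbno_mask=%#x\n",
                   i, p.bsize, p.agbno_mask);
        else
            printf("sample %zu: rejected, verdict=%d\n",
                   i, (int)sb_check(&samples[i]));
    }
    return 0;
}
```
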


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:04 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:04 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615982.957597 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mu-0002aH-EU; Thu, 12 Oct 2023 19:56:04 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615982.957597; Thu, 12 Oct 2023 19:56:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1mu-0002a7-Bl; Thu, 12 Oct 2023 19:56:04 +0000
Received: by outflank-mailman (input) for mailman id 615982;
 Thu, 12 Oct 2023 19:56:03 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mt-0002a1-7a
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:03 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mt-0008LC-6j
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:03 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1mt-0002vt-5k
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:03 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=ASCQeKcCxW58W+6g1RWIxGLAzcf2rPy9IeO3I5C7Hcs=; b=gQN1PTvDcV3pkWUecWhNvPpoKs
	3Zv07mVh0RdsFESrC4tgS5TigJvhL9WjXCG4tRg4C7ia/G2bpSy0GGGXVtKtWiNJH2xTbD4RSq5M0
	YxkH2W4gVZ8sMF2I8IZ7LCS4V+Ct2ioS4IZHeV//YoqlVueK21fUjZ86CV0vTYRItYm0=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/pygrub: Remove unnecessary hypercall
Message-Id: <E1qr1mt-0002vt-5k@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:03 +0000

commit 3d760a3bb9b55e5dd45534cac3cdb561a57f2ee0
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:21 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/pygrub: Remove unnecessary hypercall
    
    There's a hypercall being issued in order to determine whether PV64 is
    supported, but since Xen 4.3 that's strictly true so it's not required.
    
    Plus, this way we can avoid mapping the privcmd interface altogether in the
    depriv pygrub.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit f4b504c6170c446e61055cbd388ae4e832a9deca)
---
 tools/pygrub/src/pygrub | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce7ab0eb8c..ce4e07d3e8 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -18,7 +18,6 @@ import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
 import logging
 import platform
-import xen.lowlevel.xc
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -668,14 +667,6 @@ def run_grub(file, entry, fs, cfg_args):
 
     return grubcfg
 
-def supports64bitPVguest():
-    xc = xen.lowlevel.xc.xc()
-    caps = xc.xeninfo()['xen_caps'].split(" ")
-    for cap in caps:
-        if cap == "xen-3.0-x86_64":
-            return True
-    return False
-
 # If nothing has been specified, look for a Solaris domU. If found, perform the
 # necessary tweaks.
 def sniff_solaris(fs, cfg):
@@ -684,8 +675,7 @@ def sniff_solaris(fs, cfg):
         return cfg
 
     if not cfg["kernel"]:
-        if supports64bitPVguest() and \
-          fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
+        if fs.file_exists("/platform/i86xpv/kernel/amd64/unix"):
             cfg["kernel"] = "/platform/i86xpv/kernel/amd64/unix"
             cfg["ramdisk"] = "/platform/i86pc/amd64/boot_archive"
         elif fs.file_exists("/platform/i86xpv/kernel/unix"):
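Review bot: In sniff_solaris the amd64 kernel is now selected on `fs.file_exists("/platform/i86xpv/kernel/amd64/unix")` alone, and the reason that is sufficient (PV64 always being supported since Xen 4.3) is recorded only in the commit message. A one-line comment above the `if` stating that assumption would save the next reader from wondering why there is no capability check.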
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615983.957601 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1n4-0002dL-Fx; Thu, 12 Oct 2023 19:56:14 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615983.957601; Thu, 12 Oct 2023 19:56:14 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1n4-0002dD-DD; Thu, 12 Oct 2023 19:56:14 +0000
Received: by outflank-mailman (input) for mailman id 615983;
 Thu, 12 Oct 2023 19:56:13 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1n3-0002d5-BB
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:13 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1n3-0008LL-9v
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:13 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1n3-0002y5-8x
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:13 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=GZF72esA1jhb7CZF+02xvWnPCinksLI29DU6xy1OQaY=; b=Qa2P77JtSodwFizFFRdgC8097X
	CY3qefIaLOy33Wo1Ps/QW6If9lJgaOsgTVpwL0UkyCP+ai2MaSWxQIuEbWsizRVCV+CbiiSQQNicP
	xfCkmJUDb9FrKzWvc4VV6PSI/Os0+3sYnb9TOlsxSJZTfw/jh6eKGRCiCP6sDK0URHgc=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/pygrub: Small refactors
Message-Id: <E1qr1n3-0002y5-8x@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:13 +0000

commit 4f46a077fde520dcdc466da611d7abd124f260f8
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:22 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/pygrub: Small refactors
    
    Small tidy up to ensure output_directory always has a trailing '/' to ease
    concatenating paths and that `output` can only be a filename or None.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 9f2ff9a7c9b3ac734ae99f17f0134ed0343dcccf)
---
 tools/pygrub/src/pygrub | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index ce4e07d3e8..1042c05b86 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -793,7 +793,7 @@ if __name__ == "__main__":
     debug = False
     not_really = False
     output_format = "sxp"
-    output_directory = "/var/run/xen/pygrub"
+    output_directory = "/var/run/xen/pygrub/"
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -815,7 +815,8 @@ if __name__ == "__main__":
             usage()
             sys.exit()
         elif o in ("--output",):
-            output = a
+            if a != "-":
+                output = a
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
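Review bot: In the `--output` branch, `if a != "-": output = a` leaves `output` untouched when "-" is passed, so the later `if output is None` test relies on `output` having been initialised to None before the option loop, which this hunk does not show. Assigning explicitly, for example `output = None if a == "-" else a`, would make the branch self-contained and keep the "filename or None" invariant from the commit message in one place.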
@@ -847,12 +848,11 @@ if __name__ == "__main__":
             if not os.path.isdir(a):
                 print("%s is not an existing directory" % a)
                 sys.exit(1)
-            output_directory = a
+            output_directory = a + '/'
 
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
-
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
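Review bot: `output_directory = a + '/'` appends the separator unconditionally, so a caller who passes a directory that already ends in '/' gets a doubled slash. The path still resolves, but `a.rstrip('/') + '/'` would give a single canonical form if the value is ever logged or compared.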
@@ -861,7 +861,7 @@ if __name__ == "__main__":
         else:
             raise
 
-    if output is None or output == "-":
+    if output is None:
         fd = sys.stdout.fileno()
     else:
         fd = os.open(output, os.O_WRONLY)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:24 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:24 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615984.957605 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nE-0002fX-HZ; Thu, 12 Oct 2023 19:56:24 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615984.957605; Thu, 12 Oct 2023 19:56:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nE-0002fN-Em; Thu, 12 Oct 2023 19:56:24 +0000
Received: by outflank-mailman (input) for mailman id 615984;
 Thu, 12 Oct 2023 19:56:23 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nD-0002fB-Do
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:23 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nD-0008LX-D1
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:23 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nD-0002yt-CC
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:23 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=EyKUdw8zasKu5G2RgsjkSd5ddkHLtIysRDKuI3EKeY8=; b=2D3swVNlmMQPt0WPB4ZvnMUGZF
	gPrxz/RYgmq0M5VVnVsycEnsFWlxKoVE8/AXEpSGrDWchdvKf2juew1b1ye5lZWjdizIr9ie7Isj9
	VGqT93XNBvlMi8s/URhtmM/xf3LKxl46ZQLzAo+zSkNsHM4R1PPxfHQUSnig7lINdZLs=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/pygrub: Open the output files earlier
Message-Id: <E1qr1nD-0002yt-CC@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:23 +0000

commit d01f651da05b77714f0f172501993121b77039a7
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/pygrub: Open the output files earlier
    
    This patch allows pygrub to get ahold of every RW file descriptor it needs
    early on. A later patch will clamp the filesystem it can access so it can't
    obtain any others.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 0710d7d44586251bfca9758890616dc3d6de8a74)
---
 tools/pygrub/src/pygrub | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 1042c05b86..91e2ec2ab1 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -738,8 +738,7 @@ if __name__ == "__main__":
     def usage():
         print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
-    def copy_from_image(fs, file_to_read, file_type, output_directory,
-                        not_really):
+    def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
             if fs.file_exists(file_to_read):
                 return "<%s:%s>" % (file_type, file_to_read)
@@ -750,21 +749,18 @@ if __name__ == "__main__":
         except Exception as e:
             print(e, file=sys.stderr)
             sys.exit("Error opening %s in guest" % file_to_read)
-        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-                                      dir=output_directory)
         dataoff = 0
         while True:
             data = datafile.read(FS_READ_MAX, dataoff)
             if len(data) == 0:
-                os.close(tfd)
+                os.close(fd_dst)
                 del datafile
-                return ret
+                return
             try:
-                os.write(tfd, data)
+                os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.close(tfd)
-                os.unlink(ret)
+                os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
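Review bot: In the write-error path of copy_from_image the old `os.close(tfd)` was removed without an `os.close(fd_dst)` taking its place, so the descriptor is still open when `os.unlink(path_dst)` runs. `sys.exit` follows straight away, so the leak is short-lived, but closing fd_dst before the unlink would keep this path consistent with the end-of-file path just above it.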
@@ -861,6 +857,14 @@ if __name__ == "__main__":
         else:
             raise
 
+    if not_really:
+        fd_kernel =  path_kernel = fd_ramdisk = path_ramdisk = None
+    else:
+        (fd_kernel, path_kernel) = tempfile.mkstemp(prefix="boot_kernel.",
+                                                    dir=output_directory)
+        (fd_ramdisk, path_ramdisk) = tempfile.mkstemp(prefix="boot_ramdisk.",
+                                                      dir=output_directory)
+
     if output is None:
         fd = sys.stdout.fileno()
     else:
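Review bot: Both temporary files are now created before the image is opened, so any failure between this point and the copy leaves empty boot_kernel. and boot_ramdisk. files behind in output_directory. The `raise RuntimeError("Unable to find partition containing kernel")` visible in the next hunk and the `sys.exit("Error opening %s in guest" ...)` in copy_from_image are two such paths with no unlink. Consider a try/finally around the remainder, or unlinking on those paths. Minor style point: `fd_kernel =  path_kernel` has a doubled space.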
@@ -920,20 +924,23 @@ if __name__ == "__main__":
     if fs is None:
         raise RuntimeError("Unable to find partition containing kernel")
 
-    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-                                        output_directory, not_really)
+    copy_from_image(fs, chosencfg["kernel"], "kernel",
+                    fd_kernel, path_kernel, not_really)
+    bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
-            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-                                                 "ramdisk", output_directory,
-                                                 not_really)
+            copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
+                            fd_ramdisk, path_ramdisk, not_really)
         except:
             if not not_really:
-                os.unlink(bootcfg["kernel"])
+                os.unlink(path_kernel)
             raise
+        bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
+        if not not_really:
+            os.unlink(path_ramdisk)
 
     args = None
     if chosencfg["args"]:
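Review bot: Under --not-really, copy_from_image still returns the `"<%s:%s>" % (file_type, file_to_read)` placeholder, but the caller now discards the return value and assigns `bootcfg["kernel"] = path_kernel`, which is None in that mode, so the dry-run output loses the placeholder it used to carry. The same applies to `bootcfg["ramdisk"] = path_ramdisk`. Either keep the return value when not_really is set or state in the commit message that the dry-run output changes. Separately, the `else` branch unlinks path_ramdisk but never closes fd_ramdisk.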
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:34 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:34 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615985.957608 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nO-0002hq-Ik; Thu, 12 Oct 2023 19:56:34 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615985.957608; Thu, 12 Oct 2023 19:56:34 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nO-0002hi-GD; Thu, 12 Oct 2023 19:56:34 +0000
Received: by outflank-mailman (input) for mailman id 615985;
 Thu, 12 Oct 2023 19:56:33 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nN-0002hY-Gy
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:33 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nN-0008Li-G8
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:33 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nN-0002zI-FH
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:33 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=K3os3MAoSw3pJfh/HG9YWpFI8zXPF4mQUYjTVahEJRY=; b=T7evX6RQlXjnwllv6+PTacerGa
	e35McGgGSnheesXMiw8xeBtDCNpvFqvglr6eVpTPx2ltfR9tEDtvxiK/QzO43F0l+5l81UJ5/O91L
	I3pIN/bkKc5abm+0rlUjQVfRKCF7W2UrKY5gphLUJEVudan56s4fC1pjzWrf/TvrOSUg=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/libfsimage: Export a new function to preload all plugins
Message-Id: <E1qr1nN-0002zI-FH@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:33 +0000

commit c1159b5ed4ad7fadc5c650f749b072da9a78fb13
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:24 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/libfsimage: Export a new function to preload all plugins
    
    This is work required in order to let pygrub operate in highly deprivileged
    chroot mode. This patch adds a function that preloads every plugin, hence
    ensuring that on function exit, every shared library is loaded in memory.
    
    The new "init" function is supposed to be used before depriv, but that's
    fine because it's not acting on untrusted data.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit 990e65c3ad9ac08642ce62a92852c80be6c83e96)
---
 tools/libfsimage/common/fsimage_plugin.c |  4 ++--
 tools/libfsimage/common/mapfile-GNU      |  1 +
 tools/libfsimage/common/mapfile-SunOS    |  1 +
 tools/libfsimage/common/xenfsimage.h     |  8 ++++++++
 tools/pygrub/src/fsimage/fsimage.c       | 15 +++++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
index de1412b423..d0cb9e96a6 100644
--- a/tools/libfsimage/common/fsimage_plugin.c
+++ b/tools/libfsimage/common/fsimage_plugin.c
@@ -119,7 +119,7 @@ fail:
 	return (-1);
 }
 
-static int load_plugins(void)
+int fsi_init(void)
 {
 	const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
 	struct dirent *dp = NULL;
@@ -180,7 +180,7 @@ int find_plugin(fsi_t *fsi, const char *path, const char *options)
 	fsi_plugin_t *fp;
 	int ret = 0;
 
-	if (plugins == NULL && (ret = load_plugins()) != 0)
+	if (plugins == NULL && (ret = fsi_init()) != 0)
 		goto out;
 
 	for (fp = plugins; fp != NULL; fp = fp->fp_next) {
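Review bot: The `plugins == NULL` guard that prevents the plugins from being loaded twice sits in find_plugin, not in the newly exported fsi_init, and nothing visible in these hunks makes fsi_init itself idempotent. Now that external callers can invoke it directly, a second call (or a call made after find_plugin has already populated the list) should return early, for instance by moving the `plugins == NULL` test into fsi_init.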
diff --git a/tools/libfsimage/common/mapfile-GNU b/tools/libfsimage/common/mapfile-GNU
index 26d4d7a69e..2d54d527d7 100644
--- a/tools/libfsimage/common/mapfile-GNU
+++ b/tools/libfsimage/common/mapfile-GNU
@@ -1,6 +1,7 @@
 VERSION {
 	libfsimage.so.1.0 {
 		global:
+			fsi_init;
 			fsi_open_fsimage;
 			fsi_close_fsimage;
 			fsi_file_exists;
diff --git a/tools/libfsimage/common/mapfile-SunOS b/tools/libfsimage/common/mapfile-SunOS
index e99b90b650..48deedb425 100644
--- a/tools/libfsimage/common/mapfile-SunOS
+++ b/tools/libfsimage/common/mapfile-SunOS
@@ -1,5 +1,6 @@
 libfsimage.so.1.0 {
 	global:
+		fsi_init;
 		fsi_open_fsimage;
 		fsi_close_fsimage;
 		fsi_file_exists;
diff --git a/tools/libfsimage/common/xenfsimage.h b/tools/libfsimage/common/xenfsimage.h
index 201abd54f2..341883b2d7 100644
--- a/tools/libfsimage/common/xenfsimage.h
+++ b/tools/libfsimage/common/xenfsimage.h
@@ -35,6 +35,14 @@ extern C {
 typedef struct fsi fsi_t;
 typedef struct fsi_file fsi_file_t;
 
+/*
+ * Optional initialization function. If invoked it loads the associated
+ * dynamic libraries for the backends ahead of time. This is required if
+ * the library is to run as part of a highly deprivileged executable, as
+ * the libraries may not be reachable after depriv.
+ */
+int fsi_init(void);
+
 fsi_t *fsi_open_fsimage(const char *, uint64_t, const char *);
 void fsi_close_fsimage(fsi_t *);
 
diff --git a/tools/pygrub/src/fsimage/fsimage.c b/tools/pygrub/src/fsimage/fsimage.c
index 2ebbbe35df..92fbf2851f 100644
--- a/tools/pygrub/src/fsimage/fsimage.c
+++ b/tools/pygrub/src/fsimage/fsimage.c
@@ -286,6 +286,15 @@ fsimage_getbootstring(PyObject *o, PyObject *args)
 	return Py_BuildValue("s", bootstring);
 }
 
+static PyObject *
+fsimage_init(PyObject *o, PyObject *args)
+{
+	if (!PyArg_ParseTuple(args, ""))
+		return (NULL);
+
+	return Py_BuildValue("i", fsi_init());
+}
+
 PyDoc_STRVAR(fsimage_open__doc__,
     "open(name, [offset=off]) - Open the given file as a filesystem image.\n"
     "\n"
@@ -297,7 +306,13 @@ PyDoc_STRVAR(fsimage_getbootstring__doc__,
     "getbootstring(fs) - Return the boot string needed for this file system "
     "or NULL if none is needed.\n");
 
+PyDoc_STRVAR(fsimage_init__doc__,
+    "init() - Loads every dynamic library contained in xenfsimage "
+    "into memory so that it can be used in chrooted environments.\n");
+
 static struct PyMethodDef fsimage_module_methods[] = {
+	{ "init", (PyCFunction)fsimage_init,
+	    METH_VARARGS, fsimage_init__doc__ },
 	{ "open", (PyCFunction)fsimage_open,
 	    METH_VARARGS|METH_KEYWORDS, fsimage_open__doc__ },
 	{ "getbootstring", (PyCFunction)fsimage_getbootstring,
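Review bot: The docstring `"init() - Loads every dynamic library contained in xenfsimage ..."` does not mention that init() returns the fsi_init status as an integer, so a Python caller that ignores the result will carry on with no plugins loaded and only find out after it has lost access to the library directory. Documenting the return value, or raising an exception on a non-zero result, would make the failure hard to miss. Since init() takes no arguments, the table entry could also use METH_NOARGS instead of METH_VARARGS with an empty `PyArg_ParseTuple(args, "")` format.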
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:44 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:44 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615986.957613 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nY-0002kZ-L9; Thu, 12 Oct 2023 19:56:44 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615986.957613; Thu, 12 Oct 2023 19:56:44 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1nY-0002kS-Hd; Thu, 12 Oct 2023 19:56:44 +0000
Received: by outflank-mailman (input) for mailman id 615986;
 Thu, 12 Oct 2023 19:56:43 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nX-0002kH-K4
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:43 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nX-0008Lr-JJ
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:43 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nX-0002zh-IM
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:43 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=0U/uL8zr7jc8/U1V30kfN5/K2+vNHnIkMsf3YMQkdYk=; b=qCxbS/F9Ais/MbGGTCX6j7ZIgE
	LtZnHJS+VOmUlrqdHaegQ+yvLXjxC3/CC5QN92g8jd19lFQDA8je0ogD7eZoMyNQGphYlc3O6Ce1y
	YhXEV15wvYMGXe53iHmuhRi/DYapVsmNhwkM5Q1YOhdzknUTPdg2ZJJpKrRlSho3aE4E=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] tools/pygrub: Deprivilege pygrub
Message-Id: <E1qr1nX-0002zh-IM@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:43 +0000

commit 1395852e1bc352bf727d18ebe33426e279cdc967
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Mon Sep 25 18:32:25 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Sep 27 16:29:50 2023 +0100

    tools/pygrub: Deprivilege pygrub
    
    Introduce a --runas=<uid> flag to deprivilege pygrub on Linux and *BSDs. It
    also implicitly creates a chroot env where it drops a deprivileged forked
    process. The chroot itself is cleaned up at the end.
    
    If the --runas arg is present, then pygrub forks, leaving the child to
    deprivilege itself, and waiting for it to complete. When the child exits,
    the parent performs cleanup and exits with the same error code.
    
    This is roughly what the child does:
      1. Initialize libfsimage (this loads every .so in memory so the chroot
         can avoid bind-mounting /{,usr}/lib*)
      2. Create a temporary empty chroot directory
      3. Mount tmpfs in it
      4. Bind mount the disk inside, because libfsimage expects a path, not a
         file descriptor.
      5. Remount the root tmpfs to be stricter (ro,nosuid,nodev)
      6. Set RLIMIT_FSIZE to a sensibly high amount (128 MiB)
      7. Depriv gid, groups and uid
    
    With this scheme in place, the "output" files are writable (up to
    RLIMIT_FSIZE octets) and the exposed filesystem is immutable and contains
    the single only file we can't easily get rid of (the disk).
    
    If running on Linux, the child process also unshares mount, IPC, and
    network namespaces before dropping its privileges.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    (cherry picked from commit e0342ae5556f2b6e2db50701b8a0679a45822ca6)
---
 tools/pygrub/setup.py   |   2 +-
 tools/pygrub/src/pygrub | 162 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 154 insertions(+), 10 deletions(-)

diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
index b8f1dc4590..f16187b6d1 100644
--- a/tools/pygrub/setup.py
+++ b/tools/pygrub/setup.py
@@ -17,7 +17,7 @@ xenfsimage = Extension("xenfsimage",
 pkgs = [ 'grub' ]
 
 setup(name='pygrub',
-      version='0.6',
+      version='0.7',
       description='Boot loader that looks a lot like grub for Xen',
       author='Jeremy Katz',
       author_email='katzj@redhat.com',
diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 91e2ec2ab1..7cea496ade 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -16,8 +16,11 @@ from __future__ import print_function
 
 import os, sys, string, struct, tempfile, re, traceback, stat, errno
 import copy
+import ctypes, ctypes.util
 import logging
 import platform
+import resource
+import subprocess
 
 import curses, _curses, curses.textpad, curses.ascii
 import getopt
@@ -27,10 +30,135 @@ import grub.GrubConf
 import grub.LiloConf
 import grub.ExtLinuxConf
 
-PYGRUB_VER = 0.6
+PYGRUB_VER = 0.7
 FS_READ_MAX = 1024 * 1024
 SECTOR_SIZE = 512
 
+# Unless provided through the env variable PYGRUB_MAX_FILE_SIZE_MB, then
+# this is the maximum filesize allowed for files written by the depriv
+# pygrub
+LIMIT_FSIZE = 128 << 20
+
+CLONE_NEWNS = 0x00020000 # mount namespace
+CLONE_NEWNET = 0x40000000 # network namespace
+CLONE_NEWIPC = 0x08000000 # IPC namespace
+
+def unshare(flags):
+    if not sys.platform.startswith("linux"):
+        print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)
+        return
+
+    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
+    unshare_prototype = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, use_errno=True)
+    unshare = unshare_prototype(('unshare', libc))
+
+    if unshare(flags) < 0:
+        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
+
+def bind_mount(src, dst, options):
+    open(dst, "a").close() # touch
+
+    rc = subprocess.call(["mount", "--bind", "-o", options, src, dst])
+    if rc != 0:
+        raise RuntimeError("bad_mount: src=%s dst=%s opts=%s" %
+                           (src, dst, options))
+
+def downgrade_rlimits():
+    # Wipe the authority to use unrequired resources
+    resource.setrlimit(resource.RLIMIT_NPROC,    (0, 0))
+    resource.setrlimit(resource.RLIMIT_CORE,     (0, 0))
+    resource.setrlimit(resource.RLIMIT_MEMLOCK,  (0, 0))
+
+    # py2's resource module doesn't know about resource.RLIMIT_MSGQUEUE
+    #
+    # TODO: Use resource.RLIMIT_MSGQUEUE after python2 is deprecated
+    if sys.platform.startswith('linux'):
+        RLIMIT_MSGQUEUE = 12
+        resource.setrlimit(RLIMIT_MSGQUEUE, (0, 0))
+
+    # The final look of the filesystem for this process is fully RO, but
+    # note we have some file descriptor already open (notably, kernel and
+    # ramdisk). In order to avoid a compromised pygrub from filling up the
+    # filesystem we set RLIMIT_FSIZE to a high bound, so that the file
+    # write permissions are bound.
+    fsize = LIMIT_FSIZE
+    if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys():
+        fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20
+
+    resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
+
+def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
+    # The only point of this call is to force the loading of libfsimage.
+    # That way, we don't need to bind-mount it into the chroot
+    rc = xenfsimage.init()
+    if rc != 0:
+        os.unlink(path_ramdisk)
+        os.unlink(path_kernel)
+        raise RuntimeError("bad_xenfsimage: rc=%d" % rc)
+
+    # Create a temporary directory for the chroot
+    chroot = tempfile.mkdtemp(prefix=str(uid)+'-', dir=output_directory) + '/'
+    device_path = '/device'
+
+    pid = os.fork()
+    if pid:
+        # parent
+        _, rc = os.waitpid(pid, 0)
+
+        for path in [path_kernel, path_ramdisk]:
+            # If the child didn't write anything, just get rid of it,
+            # otherwise we end up consuming a 0-size file when parsing
+            # systems without a ramdisk that the ultimate caller of pygrub
+            # may just be unaware of
+            if rc != 0 or os.path.getsize(path) == 0:
+                os.unlink(path)
+
+        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
+        # However, this syscall doesn't exist in *BSD systems and doesn't
+        # auto-unmount everything on older Linux kernels (At least as of
+        # Linux 4.19, but it seems fixed in 5.15). Either way,
+        # recursively unmount everything if needed. Quietly.
+        with open('/dev/null', 'w') as devnull:
+            subprocess.call(["umount", "-f", chroot + device_path],
+                            stdout=devnull, stderr=devnull)
+            subprocess.call(["umount", "-f", chroot],
+                            stdout=devnull, stderr=devnull)
+        os.rmdir(chroot)
+
+        sys.exit(rc)
+
+    # By unsharing the namespace we're making sure it's all bulk-released
+    # at the end, when the namespaces disappear. This means the kernel does
+    # (almost) all the cleanup for us and the parent just has to remove the
+    # temporary directory.
+    unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET)
+
+    # Set sensible limits using the setrlimit interface
+    downgrade_rlimits()
+
+    # We'll mount tmpfs on the chroot to ensure the deprivileged child
+    # cannot affect the persistent state. It's RW now in order to
+    # bind-mount the device, but note it's remounted RO after that.
+    rc = subprocess.call(["mount", "-t", "tmpfs", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("mount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Bind the untrusted device RO
+    bind_mount(device, chroot + device_path, "ro,nosuid,noexec")
+
+    rc = subprocess.call(["mount", "-t", "tmpfs", "-o", "remount,ro,nosuid,noexec,nodev", "none", chroot])
+    if rc != 0:
+        raise RuntimeError("remount_tmpfs rc=%d dst=\"%s\"" % (rc, chroot))
+
+    # Drop superpowers!
+    os.chroot(chroot)
+    os.chdir('/')
+    os.setgid(uid)
+    os.setgroups([uid])
+    os.setuid(uid)
+
+    return device_path
+
 def read_size_roundup(fd, size):
     if platform.system() != 'FreeBSD':
         return size
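Review bot: in downgrade_rlimits(), `fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20` shifts a str, which raises TypeError, so setting the override described in the LIMIT_FSIZE comment makes the deprivileged child fail instead of changing the limit. Convert with int() first and reject non-numeric or negative values with a clear error. Separately, in unshare() the call `print("skip_unshare reason=not_linux platform=%s", sys.platform, file=sys.stderr)` passes the platform as a second print argument rather than formatting it, so the literal %s is printed; use the % operator as bind_mount() does.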
@@ -736,7 +864,7 @@ if __name__ == "__main__":
     sel = None
     
     def usage():
-        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
+        print("Usage: %s [-q|--quiet] [-i|--interactive] [-l|--list-entries] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] [--runas=] [--offset=] <image>" %(sys.argv[0],), file=sys.stderr)
 
     def copy_from_image(fs, file_to_read, file_type, fd_dst, path_dst, not_really):
         if not_really:
@@ -760,7 +888,8 @@ if __name__ == "__main__":
                 os.write(fd_dst, data)
             except Exception as e:
                 print(e, file=sys.stderr)
-                os.unlink(path_dst)
+                if path_dst:
+                    os.unlink(path_dst)
                 del datafile
                 sys.exit("Error writing temporary copy of "+file_type)
             dataoff += len(data)
@@ -769,7 +898,7 @@ if __name__ == "__main__":
         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qilnh::',
                                    ["quiet", "interactive", "list-entries", "not-really", "help",
                                     "output=", "output-format=", "output-directory=", "offset=",
-                                    "entry=", "kernel=", 
+                                    "runas=", "entry=", "kernel=",
                                     "ramdisk=", "args=", "isconfig", "debug"])
     except getopt.GetoptError:
         usage()
@@ -790,6 +919,7 @@ if __name__ == "__main__":
     not_really = False
     output_format = "sxp"
     output_directory = "/var/run/xen/pygrub/"
+    uid = None
 
     # what was passed in
     incfg = { "kernel": None, "ramdisk": None, "args": "" }
@@ -813,6 +943,13 @@ if __name__ == "__main__":
         elif o in ("--output",):
             if a != "-":
                 output = a
+        elif o in ("--runas",):
+            try:
+                uid = int(a)
+            except ValueError:
+                print("runas value must be an integer user id")
+                usage()
+                sys.exit(1)
         elif o in ("--kernel",):
             incfg["kernel"] = a
         elif o in ("--ramdisk",):
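Review bot: the --runas branch only checks that the value parses as an integer, so negative values are accepted and later handed to os.setgid()/os.setuid() in depriv(); validate here that the id is a positive integer. The error message `print("runas value must be an integer user id")` also goes to stdout, while usage() and the other diagnostics in this patch write to sys.stderr; add file=sys.stderr.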
@@ -849,6 +986,10 @@ if __name__ == "__main__":
     if debug:
         logging.basicConfig(level=logging.DEBUG)
 
+    if interactive and uid:
+        print("In order to use --runas, you must also set --entry or -q", file=sys.stderr)
+        sys.exit(1)
+
     try:
         os.makedirs(output_directory, 0o700)
     except OSError as e:
@@ -870,6 +1011,9 @@ if __name__ == "__main__":
     else:
         fd = os.open(output, os.O_WRONLY)
 
+    if uid:
+        file = depriv(output_directory, output, file, uid, path_kernel, path_ramdisk)
+
     # debug
     if isconfig:
         chosencfg = run_grub(file, entry, fs, incfg["args"])
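Review bot: `if uid:` treats --runas=0 the same as no --runas at all, so a caller that passes 0 gets a fully privileged run with no diagnostic; the same truthiness test is used in the interactive check and in the copy_from_image() calls. Test `uid is not None` and reject 0 explicitly where the option is parsed. The `output` argument passed to depriv() is also not referenced anywhere in the function body added by this patch and can be dropped.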
@@ -925,21 +1069,21 @@ if __name__ == "__main__":
         raise RuntimeError("Unable to find partition containing kernel")
 
     copy_from_image(fs, chosencfg["kernel"], "kernel",
-                    fd_kernel, path_kernel, not_really)
+                    fd_kernel, None if uid else path_kernel, not_really)
     bootcfg["kernel"] = path_kernel
 
     if chosencfg["ramdisk"]:
         try:
             copy_from_image(fs, chosencfg["ramdisk"], "ramdisk",
-                            fd_ramdisk, path_ramdisk, not_really)
+                            fd_ramdisk, None if uid else path_ramdisk, not_really)
         except:
-            if not not_really:
-                os.unlink(path_kernel)
+            if not uid and not not_really:
+                    os.unlink(path_kernel)
             raise
         bootcfg["ramdisk"] = path_ramdisk
     else:
         initrd = None
-        if not not_really:
+        if not uid and not not_really:
             os.unlink(path_ramdisk)
 
     args = None
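Review bot: in the ramdisk `except:` path the new `os.unlink(path_kernel)` is indented eight columns under its `if` rather than four, unlike the matching `os.unlink(path_ramdisk)` a few lines below; re-indent it to four so the block reads consistently.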
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:56:54 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:56:54 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615987.957616 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ni-0002nj-NB; Thu, 12 Oct 2023 19:56:54 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615987.957616; Thu, 12 Oct 2023 19:56:54 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ni-0002nc-Kj; Thu, 12 Oct 2023 19:56:54 +0000
Received: by outflank-mailman (input) for mailman id 615987;
 Thu, 12 Oct 2023 19:56:53 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nh-0002nT-NV
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:53 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nh-0008Me-Mi
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:53 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nh-000308-M2
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:56:53 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=PbiLspbll+wwyahat6O+GiwcgdYBtrn87d3IIwFMxx4=; b=lh1hruz/lyTMTTh5oxw6dalEqh
	jSOXOAW9QX/FlXCul7wYm29NmiwlQld6FQMmv9m28L85i7KF6JR6PXfkQNH6HhoiMqFzwKH+91G8k
	qxMm+nQgNJfUCsG1IngffzlwTp4KP/Ma3QRzce/iTKDINWV66ruMiS0EEpEh4yZn7sJk=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libxl: add support for running bootloader in restricted mode
Message-Id: <E1qr1nh-000308-M2@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:56:53 +0000

commit 5182683fffa6b1d4c940203bbb85bb054558c137
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Mon Sep 25 14:30:20 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:55:56 2023 +0200

    libxl: add support for running bootloader in restricted mode
    
    Much like the device model depriv mode, add the same kind of support for the
    bootloader.  Such feature allows passing a UID as a parameter for the
    bootloader to run as, together with the bootloader itself taking the necessary
    actions to isolate.
    
    Note that the user to run the bootloader as must have the right permissions to
    access the guest disk image (in read mode only), and that the bootloader will
    be run in non-interactive mode when restricted.
    
    If enabled, bootloader restrict mode will attempt to re-use the user(s) from the
    QEMU depriv implementation if no user is provided on the configuration file or
    the environment.  See docs/features/qemu-deprivilege.pandoc for more
    information about how to set up those users.
    
    Bootloader restrict mode is not enabled by default as it requires certain
    setup to be done first (setup of the user(s) to use in restrict mode).
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 1f762642d2cad1a40634e3280361928109d902f1)
---
 docs/man/xl.1.pod.in                | 33 ++++++++++++++
 tools/libs/light/libxl_bootloader.c | 89 +++++++++++++++++++++++++++++++++++--
 tools/libs/light/libxl_dm.c         |  8 ++--
 tools/libs/light/libxl_internal.h   |  8 ++++
 4 files changed, 131 insertions(+), 7 deletions(-)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 45e1430aeb..96e6fb1c32 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1976,6 +1976,39 @@ ignored:
 
 =back
 
+=head1 ENVIRONMENT VARIABLES
+
+The following environment variables shall affect the execution of xl:
+
+=over 4
+
+=item LIBXL_BOOTLOADER_RESTRICT
+
+Attempt to restrict the bootloader after startup, to limit the
+consequences of security vulnerabilities due to parsing guest
+owned image files.
+
+See docs/features/qemu-deprivilege.pandoc for more information
+on how to setup the unprivileged users.
+
+Note that running the bootloader in restricted mode also implies using
+non-interactive mode, and the disk image must be readable by the
+restricted user.
+
+Having this variable set is equivalent to enabling the option, even if the
+value is 0.
+
+=item LIBXL_BOOTLOADER_USER
+
+When using bootloader_restrict, run the bootloader as this user.  If
+not set the default QEMU restrict users will be used.
+
+NOTE: Each domain MUST have a SEPARATE username.
+
+See docs/features/qemu-deprivilege.pandoc for more information.
+
+=back
+
 =head1 SEE ALSO
 
 The following man pages:
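Review bot: the LIBXL_BOOTLOADER_USER entry reads as if it only takes effect "When using bootloader_restrict", but make_bootloader_args() in this patch enables restricted mode when either LIBXL_BOOTLOADER_RESTRICT or LIBXL_BOOTLOADER_USER is set. State that setting LIBXL_BOOTLOADER_USER alone turns restricted mode on, and refer to the variable by its full name LIBXL_BOOTLOADER_RESTRICT rather than bootloader_restrict, which this man page section does not define.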
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index 1bc6e51827..d3a8a4a9ba 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -14,6 +14,7 @@
 
 #include "libxl_osdeps.h" /* must come before any other headers */
 
+#include <pwd.h>
 #include <termios.h>
 #ifdef HAVE_UTMP_H
 #include <utmp.h>
@@ -42,8 +43,71 @@ static void bootloader_arg(libxl__bootloader_state *bl, const char *arg)
     bl->args[bl->nargs++] = arg;
 }
 
-static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
-                                 const char *bootloader_path)
+static int bootloader_uid(libxl__gc *gc, domid_t guest_domid,
+                          const char *user, uid_t *intended_uid)
+{
+    struct passwd *user_base, user_pwbuf;
+    int rc;
+
+    if (user) {
+        rc = userlookup_helper_getpwnam(gc, user, &user_pwbuf, &user_base);
+        if (rc) return rc;
+
+        if (!user_base) {
+            LOGD(ERROR, guest_domid, "Couldn't find user %s", user);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = user_base->pw_uid;
+        return 0;
+    }
+
+    /* Re-use QEMU user range for the bootloader. */
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
+                                    &user_pwbuf, &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        struct passwd *user_clash, user_clash_pwbuf;
+        uid_t temp_uid = user_base->pw_uid + guest_domid;
+
+        rc = userlookup_helper_getpwuid(gc, temp_uid, &user_clash_pwbuf,
+                                        &user_clash);
+        if (rc) return rc;
+
+        if (user_clash) {
+            LOGD(ERROR, guest_domid,
+                 "wanted to use uid %ld (%s + %d) but that is user %s !",
+                 (long)temp_uid, LIBXL_QEMU_USER_RANGE_BASE,
+                 guest_domid, user_clash->pw_name);
+            return ERROR_INVAL;
+        }
+
+        *intended_uid = temp_uid;
+        return 0;
+    }
+
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_SHARED, &user_pwbuf,
+                                    &user_base);
+    if (rc) return rc;
+
+    if (user_base) {
+        LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
+             LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
+        *intended_uid = user_base->pw_uid;
+
+        return 0;
+    }
+
+    LOGD(ERROR, guest_domid,
+    "Could not find user %s or range base pseudo-user %s, cannot restrict",
+         LIBXL_QEMU_USER_SHARED, LIBXL_QEMU_USER_RANGE_BASE);
+
+    return ERROR_INVAL;
+}
+
+static int make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
+                                const char *bootloader_path)
 {
     const libxl_domain_build_info *info = bl->info;
 
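Review bot: the LIBXL_QEMU_USER_SHARED fallback in bootloader_uid() only logs at WARN and then runs the bootloader under a uid shared by every domain, which contradicts the man page text added in this patch ("Each domain MUST have a SEPARATE username"). Either document the shared-user fallback and its weaker isolation next to that note, or make it an error for the bootloader case. Minor style: the format string of the final LOGD(ERROR, ...) is indented four columns instead of being aligned with the arguments that follow it.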
@@ -61,6 +125,23 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
         ARG(GCSPRINTF("--ramdisk=%s", info->ramdisk));
     if (info->cmdline && *info->cmdline != '\0')
         ARG(GCSPRINTF("--args=%s", info->cmdline));
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        uid_t uid = -1;
+        int rc = bootloader_uid(gc, bl->domid, getenv("LIBXL_BOOTLOADER_USER"),
+                                &uid);
+
+        if (rc) return rc;
+
+        assert(uid != -1);
+        if (!uid) {
+            LOGD(ERROR, bl->domid, "bootloader restrict UID is 0 (root)!");
+            return ERROR_INVAL;
+        }
+        LOGD(DEBUG, bl->domid, "using uid %ld", (long)uid);
+        ARG(GCSPRINTF("--runas=%ld", (long)uid));
+        ARG("--quiet");
+    }
 
     ARG(GCSPRINTF("--output=%s", bl->outputpath));
     ARG("--output-format=simple0");
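Review bot: `--runas=` and `--quiet` are appended for whatever bootloader_path points at, but neither this hunk nor the LIBXL_BOOTLOADER_RESTRICT man page entry says that the configured bootloader has to understand --runas and do the isolation itself. Document that requirement in the man page entry so that a custom bootloader failing on the unknown option is not a surprise. The restricted-mode test on the two getenv() calls would also be easier to keep consistent if it lived in one small helper.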
@@ -79,6 +160,7 @@ static void make_bootloader_args(libxl__gc *gc, libxl__bootloader_state *bl,
     /* Sentinel for execv */
     ARG(NULL);
 
+    return 0;
 #undef ARG
 }
 
@@ -443,7 +525,8 @@ static void bootloader_disk_attached_cb(libxl__egc *egc,
             bootloader = bltmp;
     }
 
-    make_bootloader_args(gc, bl, bootloader);
+    rc = make_bootloader_args(gc, bl, bootloader);
+    if (rc) goto out;
 
     bl->openpty.ao = ao;
     bl->openpty.callback = bootloader_gotptys;
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index fc264a3a13..14b593110f 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -80,10 +80,10 @@ static int libxl__create_qemu_logfile(libxl__gc *gc, char *name)
  *  On error, return a libxl-style error code.
  */
 #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF)     \
-    static int userlookup_helper_##NAME(libxl__gc *gc,                  \
-                                        SPEC_TYPE spec,                 \
-                                        struct STRUCTNAME *resultbuf,   \
-                                        struct STRUCTNAME **out)        \
+    int userlookup_helper_##NAME(libxl__gc *gc,                         \
+                                 SPEC_TYPE spec,                        \
+                                 struct STRUCTNAME *resultbuf,          \
+                                 struct STRUCTNAME **out)               \
     {                                                                   \
         struct STRUCTNAME *resultp = NULL;                              \
         char *buf = NULL;                                               \
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index cc27c72ecf..8415d1feed 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -4864,6 +4864,14 @@ struct libxl__cpu_policy {
     struct xc_msr *msr;
 };
 
+struct passwd;
+_hidden int userlookup_helper_getpwnam(libxl__gc*, const char *user,
+                                       struct passwd *res,
+                                       struct passwd **out);
+_hidden int userlookup_helper_getpwuid(libxl__gc*, uid_t uid,
+                                       struct passwd *res,
+                                       struct passwd **out);
+
 #endif
 
 /*
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:57:04 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:57:04 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615988.957621 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ns-0002qW-P4; Thu, 12 Oct 2023 19:57:04 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615988.957621; Thu, 12 Oct 2023 19:57:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1ns-0002qN-MH; Thu, 12 Oct 2023 19:57:04 +0000
Received: by outflank-mailman (input) for mailman id 615988;
 Thu, 12 Oct 2023 19:57:03 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nr-0002qF-Ql
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:03 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nr-0008N6-Py
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:03 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1nr-00030g-PF
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:03 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=fPdPLVemK/5gqihCLzI57O+DfgDtiS5Gn9d7NDH8/ME=; b=I4AqDa+BoZuR4hq3GnvLz0Ddlr
	Q/pJp76R4O1thTPrEvUxKCOuVLZC1nOpNYRteaYAloxYD8SjqtITZ0aKfMWebVNiWVcV0QZJI/rMH
	a6L9gQDWmbtODQLfbeJxfAVr7CEDjQeg3KQMxYxSGvykUrTnEmxKiVdWWHbGl3ae6OQU=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] libxl: limit bootloader execution in restricted mode
Message-Id: <E1qr1nr-00030g-PF@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:57:03 +0000

commit a157b71cf530603d794d16eca3dd92ce83d4d55f
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Thu Sep 28 12:22:35 2023 +0200
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:55:56 2023 +0200

    libxl: limit bootloader execution in restricted mode
    
    Introduce a timeout for bootloader execution when running in restricted mode.
    
    Allow overwriting the default time out with an environment provided value.
    
    This is part of XSA-443 / CVE-2023-34325
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    (cherry picked from commit 9c114178ffd700112e91f5ec66cf5151b9c9a8cc)
---
 docs/man/xl.1.pod.in                |  8 ++++++++
 tools/libs/light/libxl_bootloader.c | 40 +++++++++++++++++++++++++++++++++++++
 tools/libs/light/libxl_internal.h   |  2 ++
 3 files changed, 50 insertions(+)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 96e6fb1c32..8f056450a7 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -2007,6 +2007,14 @@ NOTE: Each domain MUST have a SEPARATE username.
 
 See docs/features/qemu-deprivilege.pandoc for more information.
 
+=item LIBXL_BOOTLOADER_TIMEOUT
+
+Timeout in seconds for bootloader execution when running in restricted mode.
+Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used.
+
+If defined the value must be an unsigned integer between 0 and INT_MAX,
+otherwise behavior is undefined.  Setting to 0 disables the timeout.
+
 =back
 
 =head1 SEE ALSO
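Review bot: in the LIBXL_BOOTLOADER_TIMEOUT entry, the sentence "Otherwise the build time default in LIBXL_BOOTLOADER_TIMEOUT will be used" has nothing for "Otherwise" to refer back to, and it names the C macro with the same spelling as the environment variable, which is confusing in a man page. Say that when the variable is unset the default of 120 seconds applies (the value this patch defines in libxl_internal.h), and keep the macro name out of the user-facing text.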
diff --git a/tools/libs/light/libxl_bootloader.c b/tools/libs/light/libxl_bootloader.c
index d3a8a4a9ba..a4beff4265 100644
--- a/tools/libs/light/libxl_bootloader.c
+++ b/tools/libs/light/libxl_bootloader.c
@@ -30,6 +30,8 @@ static void bootloader_keystrokes_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
 static void bootloader_display_copyfail(libxl__egc *egc,
        libxl__datacopier_state *dc, int rc, int onwrite, int errnoval);
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc);
 static void bootloader_domaindeath(libxl__egc*, libxl__domaindeathcheck *dc,
                                    int rc);
 static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
@@ -297,6 +299,7 @@ void libxl__bootloader_init(libxl__bootloader_state *bl)
     bl->ptys[0].master = bl->ptys[0].slave = 0;
     bl->ptys[1].master = bl->ptys[1].slave = 0;
     libxl__ev_child_init(&bl->child);
+    libxl__ev_time_init(&bl->time);
     libxl__domaindeathcheck_init(&bl->deathcheck);
     bl->keystrokes.ao = bl->ao;  libxl__datacopier_init(&bl->keystrokes);
     bl->display.ao = bl->ao;     libxl__datacopier_init(&bl->display);
@@ -314,6 +317,7 @@ static void bootloader_cleanup(libxl__egc *egc, libxl__bootloader_state *bl)
     libxl__domaindeathcheck_stop(gc,&bl->deathcheck);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     for (i=0; i<2; i++) {
         libxl__carefd_close(bl->ptys[i].master);
         libxl__carefd_close(bl->ptys[i].slave);
@@ -375,6 +379,7 @@ static void bootloader_stop(libxl__egc *egc,
 
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
+    libxl__ev_time_deregister(gc, &bl->time);
     if (libxl__ev_child_inuse(&bl->child)) {
         r = kill(bl->child.pid, SIGTERM);
         if (r) LOGED(WARN, bl->domid, "%sfailed to kill bootloader [%lu]",
@@ -637,6 +642,25 @@ static void bootloader_gotptys(libxl__egc *egc, libxl__openpty_state *op)
 
     struct termios termattr;
 
+    if (getenv("LIBXL_BOOTLOADER_RESTRICT") ||
+        getenv("LIBXL_BOOTLOADER_USER")) {
+        const char *timeout_env = getenv("LIBXL_BOOTLOADER_TIMEOUT");
+        int timeout = timeout_env ? atoi(timeout_env)
+                                  : LIBXL_BOOTLOADER_TIMEOUT;
+
+        if (timeout) {
+            /* Set execution timeout */
+            rc = libxl__ev_time_register_rel(ao, &bl->time,
+                                            bootloader_timeout,
+                                            timeout * 1000);
+            if (rc) {
+                LOGED(ERROR, bl->domid,
+                      "unable to register timeout for bootloader execution");
+                goto out;
+            }
+        }
+    }
+
     pid_t pid = libxl__ev_child_fork(gc, &bl->child, bootloader_finished);
     if (pid == -1) {
         rc = ERROR_FAIL;
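Review bot: `atoi(timeout_env)` gives no way to detect bad input, so a non-numeric LIBXL_BOOTLOADER_TIMEOUT yields 0 and silently disables the timeout, a negative value is passed on as a negative delay, and `timeout * 1000` overflows int for values above INT_MAX / 1000 even though the man page hunk allows anything up to INT_MAX. Parse with strtoul(), check the end pointer and the range, and return ERROR_INVAL on anything else, so that a typo in the environment cannot remove the limit on a restricted bootloader.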
@@ -702,6 +726,21 @@ static void bootloader_display_copyfail(libxl__egc *egc,
     libxl__bootloader_state *bl = CONTAINER_OF(dc, *bl, display);
     bootloader_copyfail(egc, "bootloader output", bl, 1, rc,onwrite,errnoval);
 }
+static void bootloader_timeout(libxl__egc *egc, libxl__ev_time *ev,
+                               const struct timeval *requested_abs, int rc)
+{
+    libxl__bootloader_state *bl = CONTAINER_OF(ev, *bl, time);
+    STATE_AO_GC(bl->ao);
+
+    libxl__ev_time_deregister(gc, &bl->time);
+
+    assert(libxl__ev_child_inuse(&bl->child));
+    LOGD(ERROR, bl->domid, "killing bootloader because of timeout");
+
+    libxl__ev_child_kill_deregister(ao, &bl->child, SIGKILL);
+
+    bootloader_callback(egc, bl, rc);
+}
 
 static void bootloader_domaindeath(libxl__egc *egc,
                                    libxl__domaindeathcheck *dc,
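Review bot: bootloader_timeout() logs "killing bootloader because of timeout" and sends SIGKILL whatever rc the timer callback was invoked with; check that rc is the timed-out code before using that message, or log rc alongside it, so the log is not misleading when the timer event is delivered for another reason. A blank line is also missing between the closing brace of bootloader_display_copyfail() and the new function.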
@@ -718,6 +757,7 @@ static void bootloader_finished(libxl__egc *egc, libxl__ev_child *child,
     STATE_AO_GC(bl->ao);
     int rc;
 
+    libxl__ev_time_deregister(gc, &bl->time);
     libxl__datacopier_kill(&bl->keystrokes);
     libxl__datacopier_kill(&bl->display);
 
diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
index 8415d1feed..a9581289f4 100644
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -103,6 +103,7 @@
 #define LIBXL_QMP_CMD_TIMEOUT 10
 #define LIBXL_STUBDOM_START_TIMEOUT 30
 #define LIBXL_QEMU_BODGE_TIMEOUT 2
+#define LIBXL_BOOTLOADER_TIMEOUT 120
 #define LIBXL_XENCONSOLE_LIMIT 1048576
 #define LIBXL_XENCONSOLE_PROTOCOL "vt100"
 #define LIBXL_MAXMEM_CONSTANT 1024
@@ -3738,6 +3739,7 @@ struct libxl__bootloader_state {
     libxl__openpty_state openpty;
     libxl__openpty_result ptys[2];  /* [0] is for bootloader */
     libxl__ev_child child;
+    libxl__ev_time time;
     libxl__domaindeathcheck deathcheck;
     int nargs, argsspace;
     const char **args;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:57:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:57:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615989.957624 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1o2-0002tY-Qc; Thu, 12 Oct 2023 19:57:14 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615989.957624; Thu, 12 Oct 2023 19:57:14 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1o2-0002tQ-Nw; Thu, 12 Oct 2023 19:57:14 +0000
Received: by outflank-mailman (input) for mailman id 615989;
 Thu, 12 Oct 2023 19:57:13 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1o1-0002tI-Tb
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:13 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1o1-0008NF-Sw
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:13 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1o1-00031B-SD
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:13 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=sI65ffOpT5kkyV+veCXgKOmx9NBt5/f7nikSdg784Q8=; b=Gl2J3t4cm0MVY2HLNNuMc7Qfk/
	6mUUmRZonYaZwVI0/gc5Tjedgoza+ZrTFCz/LdDeSZrB0lam/I7EQcUd+AKmTWC81WrazkU1O/rzn
	ifixO3wL5lkesN0x+Q69uvFe1lp53au+7Kd4jEs7QnGt2x2xaSKlbBOqg6O9fgMmzI7c=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] x86/svm: Fix asymmetry with AMD DR MASK context switching
Message-Id: <E1qr1o1-00031B-SD@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:57:13 +0000

commit 3c22a9bf8703a297431ac5ad110e6d523758eae1
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:06:57 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:55:58 2023 +0200

    x86/svm: Fix asymmetry with AMD DR MASK context switching
    
    The handling of MSR_DR{0..3}_MASK is asymmetric between PV and HVM guests.
    
    HVM guests context switch in based on the guest view of DBEXT, whereas PV
    guests switch in based on the host capability.  Both guest types leave the
    context dirty for the next vCPU.
    
    This leads to the following issue:
    
     * PV or HVM vCPU has debugging active (%dr7 + mask)
     * Switch out deactivates %dr7 but leaves other state stale in hardware
     * HVM vCPU with debugging active but can't see DBEXT is switched in
     * Switch in loads %dr7 but leaves the mask MSRs alone
    
    Now, the HVM vCPU is operating in the context of the prior vCPU's mask MSR,
    and furthermore in a case where it genuinely expects there to be no masking
    MSRs.
    
    As a stopgap, adjust the HVM path to switch in/out the masks based on host
    capabilities rather than guest visibility (i.e. like the PV path).  Adjustment
    of the intercepts still needs to be dependent on the guest visibility
    of DBEXT.
    
    This is part of XSA-444 / CVE-2023-34327
    
    Fixes: c097f54912d3 ("x86/SVM: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    (cherry picked from commit 5d54282f984bb9a7a65b3d12208584f9fdf1c8e1)
---
 xen/arch/x86/hvm/svm/svm.c | 24 ++++++++++++++++++------
 xen/arch/x86/traps.c       |  5 +++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index a019d196e0..ba4069f910 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -185,6 +185,10 @@ static void svm_save_dr(struct vcpu *v)
     v->arch.hvm.flag_dr_dirty = 0;
     vmcb_set_dr_intercepts(vmcb, ~0u);
 
+    /*
+     * The guest can only have changed the mask MSRs if we previous dropped
+     * intercepts.  Re-read them from hardware.
+     */
     if ( v->domain->arch.cpuid->extd.dbext )
     {
         svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_RW);
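Review bot: in the comment added to svm_save_dr(), "if we previous dropped intercepts" should read "previously". The comment would also be easier to audit if it said that intercepts are only dropped when the guest can see DBEXT, which is why this block stays keyed on v->domain->arch.cpuid->extd.dbext while the restore side in the next hunk moves to boot_cpu_has(X86_FEATURE_DBEXT).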
@@ -216,17 +220,25 @@ static void __restore_debug_registers(struct vmcb_struct *vmcb, struct vcpu *v)
 
     ASSERT(v == current);
 
-    if ( v->domain->arch.cpuid->extd.dbext )
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
+    if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
-        svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-        svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
-
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, v->arch.msrs->dr_mask[0]);
         wrmsrl(MSR_AMD64_DR1_ADDRESS_MASK, v->arch.msrs->dr_mask[1]);
         wrmsrl(MSR_AMD64_DR2_ADDRESS_MASK, v->arch.msrs->dr_mask[2]);
         wrmsrl(MSR_AMD64_DR3_ADDRESS_MASK, v->arch.msrs->dr_mask[3]);
+
+        if ( v->domain->arch.cpuid->extd.dbext )
+        {
+            svm_intercept_msr(v, MSR_AMD64_DR0_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR1_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR2_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+            svm_intercept_msr(v, MSR_AMD64_DR3_ADDRESS_MASK, MSR_INTERCEPT_NONE);
+        }
     }
 
     write_debugreg(0, v->arch.dr[0]);
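Review bot: in __restore_debug_registers() the four wrmsrl() calls now also run for guests where v->domain->arch.cpuid->extd.dbext is clear, so the fix relies on v->arch.msrs->dr_mask[] holding zero for a guest that cannot see DBEXT, and nothing in this hunk establishes that. Please state the invariant in the comment (or assert it), since loading a non-zero saved mask here would recreate the situation the commit message describes. The commit message calls this a stopgap; saying so in the code comment would help whoever revisits it.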
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index f7992ff230..a142a63dd8 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2314,6 +2314,11 @@ void activate_debugregs(const struct vcpu *curr)
     if ( curr->arch.dr7 & DR7_ACTIVE_MASK )
         write_debugreg(7, curr->arch.dr7);
 
+    /*
+     * Both the PV and HVM paths leave stale DR_MASK values in hardware on
+     * context-switch-out.  If we're activating %dr7 for the guest, we must
+     * sync the DR_MASKs too, whether or not the guest can see them.
+     */
     if ( boot_cpu_has(X86_FEATURE_DBEXT) )
     {
         wrmsrl(MSR_AMD64_DR0_ADDRESS_MASK, curr->arch.msrs->dr_mask[0]);
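Review bot: the comment added to activate_debugregs() says the masks are synced "if we're activating %dr7", but in the visible context the wrmsrl() block is gated only on boot_cpu_has(X86_FEATURE_DBEXT) and sits after the DR7_ACTIVE_MASK test and its write_debugreg(7, ...) call, not inside it. Reword the comment to match the actual condition, and say why writing %dr7 before the mask MSRs is acceptable here, given that the svm.c path in the same patch loads the masks before the debug registers. The comment text is also duplicated verbatim in svm.c; one copy could simply refer to the other.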
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Thu Oct 12 19:57:24 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 12 Oct 2023 19:57:24 +0000
Received: from list by lists.xenproject.org with outflank-mailman.615990.957629 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1oC-0002w0-Sa; Thu, 12 Oct 2023 19:57:24 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 615990.957629; Thu, 12 Oct 2023 19:57:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qr1oC-0002vp-PY; Thu, 12 Oct 2023 19:57:24 +0000
Received: by outflank-mailman (input) for mailman id 615990;
 Thu, 12 Oct 2023 19:57:24 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1oC-0002vj-1y
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:24 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1oC-0008NN-1E
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:24 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qr1oB-00031a-V3
 for xen-changelog@lists.xenproject.org; Thu, 12 Oct 2023 19:57:23 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=VRbQj7NlvjDrO7IXCFwfmDQCDs3gDdo/sY3HGK7QiJY=; b=1wQx0+dar+QkMK/ULJHPUsF3+F
	ooYZ74A5Wx2lbhSdTgCx/w740IgHBH9e896cOWprkZ5xQNQBp+N54VcG19MrPT+e414iCfE3hauVZ
	FUE9dbFiEPYJRYT9Q87R41QoaXn3Mxsm8bQMinpJUB0bgzOWBZNpy1uRPVjmN8QmKEfI=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.16] x86/pv: Correct the auditing of guest breakpoint addresses
Message-Id: <E1qr1oB-00031a-V3@xenbits.xenproject.org>
Date: Thu, 12 Oct 2023 19:57:23 +0000

commit 29efce0f8f10e381417a61f2f9988b40d4f6bcf0
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Tue Sep 26 20:06:57 2023 +0100
Commit:     Roger Pau Monne <roger.pau@citrix.com>
CommitDate: Fri Sep 29 15:55:58 2023 +0200

    x86/pv: Correct the auditing of guest breakpoint addresses
    
    The use of access_ok() is buggy, because it permits access to the compat
    translation area.  64bit PV guests don't use the XLAT area, but on AMD
    hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
    region, allowing the breakpoint to reach outside of the XLAT area.
    
    Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
    32-bit PV"), the live GDT was within 4G of the XLAT area.
    
    All together, this allowed a malicious 64bit PV guest on AMD hardware to place
    a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).
    
    Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
    appropriate check in this case.
    
    For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
    to be on its own with nothing interesting adjacent.  For Xen 4.13 and older on
    AMD hardware, this fixes a PV-trigger-able DoS.
    
    This is part of XSA-444 / CVE-2023-34328.
    
    Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    (cherry picked from commit dc9d9aa62ddeb14abd5672690d30789829f58f7e)
---
 xen/arch/x86/pv/misc-hypercalls.c |  2 +-
 xen/include/asm-x86/debugreg.h    | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/pv/misc-hypercalls.c b/xen/arch/x86/pv/misc-hypercalls.c
index 5dade24726..681c16108f 100644
--- a/xen/arch/x86/pv/misc-hypercalls.c
+++ b/xen/arch/x86/pv/misc-hypercalls.c
@@ -68,7 +68,7 @@ long set_debugreg(struct vcpu *v, unsigned int reg, unsigned long value)
     switch ( reg )
     {
     case 0 ... 3:
-        if ( !access_ok(value, sizeof(long)) )
+        if ( !breakpoint_addr_ok(value) )
             return -EPERM;
 
         v->arch.dr[reg] = value;
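Review bot: in the "case 0 ... 3:" arm the replacement check no longer carries a length (access_ok(value, sizeof(long)) becomes breakpoint_addr_ok(value)), so a reader of set_debugreg() cannot see why validating only the base address is sufficient. The reasoning lives in the comment added to debugreg.h (breakpoints are naturally aligned and the widest is 4G with DBEXT); a one-line comment here pointing at it would stop someone from reintroducing a size argument later.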
diff --git a/xen/include/asm-x86/debugreg.h b/xen/include/asm-x86/debugreg.h
index c57914efc6..cc29826524 100644
--- a/xen/include/asm-x86/debugreg.h
+++ b/xen/include/asm-x86/debugreg.h
@@ -77,6 +77,26 @@
     asm volatile ( "mov %%db" #reg ",%0" : "=r" (__val) );  \
     __val;                                                  \
 })
+
+/*
+ * Architecturally, %dr{0..3} can have any arbitrary value.  However, Xen
+ * can't allow the guest to breakpoint the Xen address range, so we limit the
+ * guest to the lower canonical half, or above the Xen range in the higher
+ * canonical half.
+ *
+ * Breakpoint lengths are specified to mask the low order address bits,
+ * meaning all breakpoints are naturally aligned.  With %dr7, the widest
+ * breakpoint is 8 bytes.  With DBEXT, the widest breakpoint is 4G.  Both of
+ * the Xen boundaries have >4G alignment.
+ *
+ * In principle we should account for HYPERVISOR_COMPAT_VIRT_START(d), but
+ * 64bit Xen has never enforced this for compat guests, and there's no problem
+ * (to Xen) if the guest breakpoints it's alias of the M2P.  Skipping this
+ * aspect simplifies the logic, and causes us not to reject a migrating guest
+ * which operated fine on prior versions of Xen.
+ */
+#define breakpoint_addr_ok(a) __addr_ok(a)
+
 long set_debugreg(struct vcpu *, unsigned int reg, unsigned long value);
 void activate_debugregs(const struct vcpu *);
 
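Review bot: the safety argument in the comment above breakpoint_addr_ok() rests on "Both of the Xen boundaries have >4G alignment", which is stated in prose only. A BUILD_BUG_ON() on the alignment of the boundaries that __addr_ok() tests would keep the macro from silently becoming wrong if the memory layout changes. Minor: "it's alias of the M2P" should be "its alias".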
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16


From xen-changelog-bounces@lists.xenproject.org Sat Oct 14 02:00:10 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 14 Oct 2023 02:00:10 +0000
Received: from list by lists.xenproject.org with outflank-mailman.617007.959447 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qrTwh-00054A-6B; Sat, 14 Oct 2023 02:00:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 617007.959447; Sat, 14 Oct 2023 02:00:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qrTwh-00053m-39; Sat, 14 Oct 2023 02:00:03 +0000
Received: by outflank-mailman (input) for mailman id 617007;
 Sat, 14 Oct 2023 02:00:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrTwf-0004hu-FU
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 02:00:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrTwf-0002iB-CF
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 02:00:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrTwf-00056o-9M
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 02:00:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=rnrs7t8qYS4P6CwQn/OIIuhALuTmJEgtZk88Q4HJajA=; b=hVHyUO6JeK56SyzKSnQfAFHNi/
	VEmLAulJWFkm66dttT5h/FESAy2Ij+haxEPo1pkVB7XDmrd/rUwVYhueSjHAPRfF/4MWWQwObaaZ8
	pl2Ca1oK9K02YlVIE4PWhF+uJsiaLfoOPJgzn4HFu60rceLw2XbFLOy/tnhYx4bVrcAs=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/arm: Validate generic timer frequency
Message-Id: <E1qrTwf-00056o-9M@xenbits.xenproject.org>
Date: Sat, 14 Oct 2023 02:00:01 +0000

commit 9a5bbb2d34ef90ab7d146f11c9c2c0a23fb08035
Author:     Michal Orzel <michal.orzel@amd.com>
AuthorDate: Thu Sep 28 14:34:35 2023 +0200
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Fri Oct 13 09:46:58 2023 +0100

    xen/arm: Validate generic timer frequency
    
    Generic timer dt node property "clock-frequency" (refer to Linux dt binding
    Documentation/devicetree/bindings/timer/arm,arch_timer.yaml) is used to
    override the incorrect value set by firmware in CNTFRQ_EL0. If the value
    of this property is 0 (i.e. by mistake), Xen would continue to work and
    use the value from the sysreg instead. The logic is thus incorrect and
    results in inconsistency when creating timer node for domUs:
     - libxl domUs: clock_frequency member of struct xen_arch_domainconfig
       is set to 0 and libxl ignores setting the "clock-frequency" property,
     - dom0less domUs: "clock-frequency" property is taken from dt_host and
       thus set to 0.
    
    Property "clock-frequency" is used to override the value from sysreg,
    so if it is also invalid, there is nothing we can do and we shall panic
    to let the user know about the incorrect setting. Going even further, we operate
    under the assumption that the frequency must be at least 1KHz (i.e. cpu_khz
    not 0) in order for Xen to boot. Therefore, introduce a new helper
    validate_timer_frequency() to verify this assumption and use it to check
    the frequency obtained either from dt property or from sysreg.
    
    Signed-off-by: Michal Orzel <michal.orzel@amd.com>
    Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 xen/arch/arm/time.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/xen/arch/arm/time.c b/xen/arch/arm/time.c
index 3535bd8ac7..04b07096b1 100644
--- a/xen/arch/arm/time.c
+++ b/xen/arch/arm/time.c
@@ -101,6 +101,17 @@ static void __init preinit_acpi_xen_time(void)
 static void __init preinit_acpi_xen_time(void) { }
 #endif
 
+static void __init validate_timer_frequency(void)
+{
+    /*
+     * ARM ARM does not impose any strict limit on the range of allowable
+     * system counter frequencies. However, we operate under the assumption
+     * that cpu_khz must not be 0.
+     */
+    if ( !cpu_khz )
+        panic("Timer frequency is less than 1 KHz\n");
+}
+
 /* Set up the timer on the boot CPU (early init function) */
 static void __init preinit_dt_xen_time(void)
 {
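Review bot: validate_timer_frequency() panics with "Timer frequency is less than 1 KHz" without saying which source supplied the value or what the value was, and the later hunks call it for both the dt "clock-frequency" path and the CNTFRQ_EL0 path. Since the purpose of the panic is to tell the user about a bad setting, consider passing in the raw frequency and its origin so the message can print them.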
@@ -122,6 +133,7 @@ static void __init preinit_dt_xen_time(void)
     if ( res )
     {
         cpu_khz = rate / 1000;
+        validate_timer_frequency();
         timer_dt_clock_frequency = rate;
     }
 }
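Review bot: with validate_timer_frequency() called right after "cpu_khz = rate / 1000;", a "clock-frequency" value below 1000 (including 0) now stops the boot instead of falling through to CNTFRQ_EL0, which the commit message says is what happened before. That is the intended behaviour change, but it turns configurations that previously booted into a panic, so it deserves a line in the changelog or next to the dt binding notes.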
@@ -137,7 +149,10 @@ void __init preinit_xen_time(void)
         preinit_acpi_xen_time();
 
     if ( !cpu_khz )
+    {
         cpu_khz = (READ_SYSREG(CNTFRQ_EL0) & CNTFRQ_MASK) / 1000;
+        validate_timer_frequency();
+    }
 
     res = platform_init_time();
     if ( res )
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sat Oct 14 21:44:10 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 14 Oct 2023 21:44:10 +0000
Received: from list by lists.xenproject.org with outflank-mailman.617094.959523 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qrmQV-0000Pq-Lc; Sat, 14 Oct 2023 21:44:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 617094.959523; Sat, 14 Oct 2023 21:44:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qrmQV-0000Pi-HM; Sat, 14 Oct 2023 21:44:03 +0000
Received: by outflank-mailman (input) for mailman id 617094;
 Sat, 14 Oct 2023 21:44:02 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrmQU-0000Pc-6e
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 21:44:02 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrmQU-0008Ig-4h
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 21:44:02 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qrmQU-0007M3-3L
 for xen-changelog@lists.xenproject.org; Sat, 14 Oct 2023 21:44:02 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=EQp0oUEPkDVrPgh+OoTFQ2Dd5tma6YPmN1KDpuOdF2I=; b=PNWJo0ikyQ5ucwTsM/xIfCa4ey
	X7XHOIqNB2QrMRaKg/ozRP5IciIKMs7Ay0bevI4PL7zSGA4zIhKFukx+UFsGBQIFi8aOi2jqa49Du
	i2Ih+cCH1d6WmHddUokzJzyjFZndz1p4tUl4A/Ufpipgy0Y31H99T1jw/wovyTM8ILUA=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] docs/misra: add deviations.rst to document additional deviations.
Message-Id: <E1qrmQU-0007M3-3L@xenbits.xenproject.org>
Date: Sat, 14 Oct 2023 21:44:02 +0000

commit 730406ab81094115d9fb5ca00ba8d53cec1279b3
Author:     Nicola Vetrini <nicola.vetrini@bugseng.com>
AuthorDate: Fri Oct 13 12:14:53 2023 +0200
Commit:     Stefano Stabellini <stefano.stabellini@amd.com>
CommitDate: Fri Oct 13 16:25:38 2023 -0700

    docs/misra: add deviations.rst to document additional deviations.
    
    This file contains the deviations that are not marked by
    a deviation comment, as specified in
    docs/misra/documenting-violations.rst.
    
    Signed-off-by: Nicola Vetrini <nicola.vetrini@bugseng.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 docs/index.rst            |   1 +
 docs/misra/deviations.rst | 236 ++++++++++++++++++++++++++++++++++++++++++++++
 docs/misra/rules.rst      |   2 +-
 3 files changed, 238 insertions(+), 1 deletion(-)

diff --git a/docs/index.rst b/docs/index.rst
index 2c47cfa999..f3f779f89c 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -63,6 +63,7 @@ Xen hypervisor code.
    :maxdepth: 2
 
    misra/rules
+   misra/deviations
 
 
 Miscellanea
diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst
new file mode 100644
index 0000000000..8511a18925
--- /dev/null
+++ b/docs/misra/deviations.rst
@@ -0,0 +1,236 @@
+.. SPDX-License-Identifier: CC-BY-4.0
+
+MISRA C deviations for Xen
+==========================
+
+The following is the list of MISRA C:2012 deviations for the Xen codebase that
+are not covered by a `SAF-x-safe` or `SAF-x-false-positive-<tool>` comment, as
+specified in docs/misra/documenting-violations.rst; the lack of
+such comments is usually due to the excessive clutter they would bring to the
+codebase or the impossibility to express such a deviation (e.g., if it's
+composed of several conditions).
+
+Deviations related to MISRA C:2012 Directives:
+----------------------------------------------
+
+.. list-table::
+   :header-rows: 1
+
+   * - Directive identifier
+     - Justification
+     - Notes
+
+   * - D4.3
+     - Accepted for the ARM64 codebase
+     - Tagged as `disapplied` for ECLAIR on any other violation report.
+
+   * - D4.3
+     - The inline asm in 'xen/arch/arm/arm64/lib/bitops.c' is tightly coupled
+       with the surronding C code that acts as a wrapper, so it has been decided
+       not to add an additional encapsulation layer.
+     - Tagged as `deliberate` for ECLAIR.
+
+Deviations related to MISRA C:2012 Rules:
+-----------------------------------------
+
+.. list-table::
+   :header-rows: 1
+
+   * - Rule identifier
+     - Justification
+     - Notes
+
+   * - R2.1
+     - The compiler implementation guarantees that the unreachable code is
+       removed. Constant expressions and unreachable branches of if and switch
+       statements are expected.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R2.1
+     - Unreachability caused by calls to the following functions or macros is
+       deliberate and there is no risk of code being unexpectedly left out.
+     - Tagged as `deliberate` for ECLAIR. Such macros are:
+        - BUG
+        - assert_failed
+        - __builtin_unreachable
+        - ASSERT_UNREACHABLE
+
+   * - R2.1
+     - Pure declarations, that is, declarations without initializations are not
+       executable, and therefore it is safe for them to be unreachable. The most
+       notable example of such a pattern being used in the codebase is that of
+       a variable declaration that should be available in all the clauses of a
+       switch statement.
+     - ECLAIR has been configured to ignore those statements.
+
+   * - R2.2
+     - Proving compliance with respect to Rule 2.2 is generally impossible:
+       see `<https://arxiv.org/abs/2212.13933>`_ for details. Moreover, peer
+       review gives us confidence that no evidence of errors in the program's
+       logic has been missed due to undetected violations of Rule 2.2, if any.
+       Testing on time behavior gives us confidence on the fact that, should the
+       program contain dead code that is not removed by the compiler, the
+       resulting slowdown is negligible.
+     - Project-wide deviation, tagged as `disapplied` for ECLAIR.
+
+   * - R3.1
+     - Comments starting with '/\*' and containing hyperlinks are safe as they
+       are not instances of commented-out code.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R5.3
+     - As specified in rules.rst, shadowing due to macros being used as macro
+       arguments is allowed, as it's deemed not at risk of causing developer
+       confusion.
+     - Tagged as `safe` for ECLAIR. So far, the following macros are deviated:
+         - READ_SYSREG and WRITE_SYSREG
+         - max_{t}? and min_{t}?
+         - read_[bwlq] and read_[bwlq]_relaxed
+         - per_cpu and this_cpu
+         - __emulate_2op and __emulate_2op_nobyte
+         - read_debugreg and write_debugreg
+
+   * - R7.2
+     - Violations caused by __HYPERVISOR_VIRT_START are related to the
+       particular use of it done in xen_mk_ulong.
+     - Tagged as `deliberate` for ECLAIR.
+
+   * - R7.4
+     - Allow pointers of non-character type as long as the pointee is
+       const-qualified.
+     - ECLAIR has been configured to ignore these assignments.
+
+   * - R8.3
+     - The type ret_t is deliberately used and defined as int or long depending
+       on the architecture.
+     - Tagged as `deliberate` for ECLAIR.
+
+   * - R8.3
+     - Some files are not subject to respect MISRA rules at
+       the moment, but some entity from a file in scope is used; therefore
+       ECLAIR does report a violation, since not all the files involved in the
+       violation are excluded from the analysis.
+     - Tagged as `deliberate` for ECLAIR. Such excluded files are:
+         - xen/arch/x86/time.c
+         - xen/arch/x86/acpi/cpu_idle.c
+         - xen/arch/x86/mpparse.c
+         - xen/common/bunzip2.c
+         - xen/common/unlz4.c
+         - xen/common/unlzma.c
+         - xen/common/unlzo.c
+         - xen/common/unxz.c
+         - xen/common/unzstd.c
+
+   * - R8.4
+     - The definitions present in the files 'asm-offsets.c' for any architecture
+       are used to generate definitions for asm modules, and are not called by
+       C code. Therefore the absence of prior declarations is safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R8.4
+     - The functions defined in the file xen/common/coverage/gcov_base.c are
+       meant to be called from gcc-generated code in a non-release build
+       configuration. Therefore, the absence of prior declarations is safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R8.6
+     - The following variables are compiled in multiple translation units
+       belonging to different executables and therefore are safe.
+
+       - current_stack_pointer
+       - bsearch
+       - sort
+     - Tagged as `safe` for ECLAIR.
+
+   * - R8.6
+     - Declarations without definitions are allowed (specifically when the
+       definition is compiled-out or optimized-out by the compiler).
+     - Tagged as `deliberate` in ECLAIR.
+
+   * - R8.10
+     - The gnu_inline attribute without static is deliberately allowed.
+     - Tagged as `deliberate` for ECLAIR.
+
+   * - R9.5
+     - The possibility of committing mistakes by specifying an explicit
+       dimension is higher than omitting the dimension, therefore all such
+       instances of violations are deviated.
+     - Project-wide deviation, tagged as `deliberate` for ECLAIR.
+
+   * - R10.1, R10.3, R10.4
+     - The value-preserving conversions of integer constants are safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - Shifting non-negative integers to the right is safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - Shifting non-negative integers to the left is safe if the result is still
+       non-negative.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - Bitwise logical operations on non-negative integers are safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - The implicit conversion to Boolean for logical operator arguments is
+       well-known to all Xen developers to be a comparison with 0.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - Xen only supports architectures where signed integers are representend
+       using two's complement and all the Xen developers are aware of this. For
+       this reason, bitwise operations are safe.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R10.1
+     - Given the assumptions on the toolchain detailed in
+       docs/misra/C-language-toolchain.rst and the build flags used by the
+       project, it is deemed safe to use bitwise shift operators.
+       See automation/eclair_analysis/deviations.ecl for the full explanation.
+     - Tagged as `safe` for ECLAIR.
+
+   * - R13.5
+     - All developers and reviewers can be safely assumed to be well aware of
+       the short-circuit evaluation strategy for logical operators.
+     - Project-wide deviation; tagged as `disapplied` for ECLAIR.
+
+   * - R14.2
+     - The severe restrictions imposed by this rule on the use of 'for'
+       statements are not counterbalanced by the presumed facilitation of the
+       peer review activity.
+     - Project-wide deviation; tagged as `disapplied` for ECLAIR.
+
+   * - R14.3
+     - The Xen team relies on the fact that invariant conditions of 'if'
+       statements are deliberate.
+     - Project-wide deviation; tagged as `disapplied` for ECLAIR.
+
+   * - R20.7
+     - Code violating Rule 20.7 is safe when macro parameters are used:
+       (1) as function arguments;
+       (2) as macro arguments;
+       (3) as array indices;
+       (4) as lhs in assignments.
+     - Tagged as `safe` for ECLAIR.
+
+Other deviations:
+-----------------
+
+.. list-table::
+   :header-rows: 1
+
+   * - Deviation
+     - Justification
+
+   * - do-while-0 loops
+     - The do-while-0 is a well-recognized loop idiom used by the Xen community
+       and can therefore be used, even though it would cause a number of
+       violations in some instances.
+
+   * - while-0 and while-1 loops
+     - while-0 and while-1 are well-recognized loop idioms used by the Xen
+       community and can therefore be used, even though they would cause a
+       number of violations in some instances.
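Review bot: several Notes cells in the new deviations.rst (the R2.1, R5.3 and R8.3 rows) put an indented bullet list directly under the single sentence that introduces it, with no blank line in between, which reStructuredText parses as a definition list rather than a paragraph followed by a list. The R8.6 row has the blank line and same-level indentation, so please use that form throughout. Also in this file: "surronding" (D4.3) and "representend" (R10.1) are misspelt, the R8.6 row says "The following variables" but lists bsearch and sort, and `safe`, `deliberate` and `disapplied` use single backticks, which reST treats as interpreted text rather than an inline literal.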
diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst
index a2fe01464e..b423580b23 100644
--- a/docs/misra/rules.rst
+++ b/docs/misra/rules.rst
@@ -18,7 +18,7 @@ It is possible that in specific circumstances it is best not to follow a
 rule because it is not possible or because the alternative leads to
 better code quality. Those cases are called "deviations". They are
 permissible as long as they are documented. For details, please refer to
-docs/misra/documenting-violations.rst
+docs/misra/documenting-violations.rst and docs/misra/deviations.rst
 
 Other documentation mechanisms are work-in-progress.
 
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 01:00:06 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/arm: vtimer: Don't read/use the secure physical timer interrupt for ACPI
Message-Id: <E1qsYRF-0007uf-AA@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 01:00:01 +0000

commit 6432228fb5808150d3c5c14affb3d46af81b3878
Author:     Julien Grall <jgrall@amazon.com>
AuthorDate: Thu Oct 5 17:52:41 2023 +0100
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Mon Oct 16 10:36:16 2023 +0100

    xen/arm: vtimer: Don't read/use the secure physical timer interrupt for ACPI
    
    Per ACPI 6.5 section 5.2.25 ("Generic Timer Description Table (GTDT)"),
    the fields "Secure EL1 Timer GSIV/Flags" are optional and an OS running
    in non-secure world is meant to ignore the values.
    
    However, Xen is trying to reserve the value. The ACPI tables for Graviton
    2 metal instances will provide the value 0 which is not a correct PPI
    (PPIs start at 16) and would have in fact been already reserved by Xen
    as this is an SGI. Xen will hit the BUG() and panic().
    
    For the Device-Tree case, I couldn't find a statement suggesting
    that the secure physical timer interrupt is ignored. In fact, I have
    found some code in Linux using it as a fallback. That said, it should
    never be used.
    
    As I am not aware of any issue when booting using Device-Tree, the
    physical timer interrupt is only ignored for ACPI.
    
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Michal Orzel <michal.orzel@amd.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/arm/time.c   |  4 ----
 xen/arch/arm/vtimer.c | 17 +++++++++++++++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/xen/arch/arm/time.c b/xen/arch/arm/time.c
index 04b07096b1..09cae8138e 100644
--- a/xen/arch/arm/time.c
+++ b/xen/arch/arm/time.c
@@ -78,10 +78,6 @@ static int __init arch_timer_acpi_init(struct acpi_table_header *header)
     irq_set_type(gtdt->non_secure_el1_interrupt, irq_type);
     timer_irq[TIMER_PHYS_NONSECURE_PPI] = gtdt->non_secure_el1_interrupt;
 
-    irq_type = acpi_get_timer_irq_type(gtdt->secure_el1_flags);
-    irq_set_type(gtdt->secure_el1_interrupt, irq_type);
-    timer_irq[TIMER_PHYS_SECURE_PPI] = gtdt->secure_el1_interrupt;
-
     irq_type = acpi_get_timer_irq_type(gtdt->virtual_timer_flags);
     irq_set_type(gtdt->virtual_timer_interrupt, irq_type);
     timer_irq[TIMER_VIRT_PPI] = gtdt->virtual_timer_interrupt;
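Review bot: With the three secure_el1 lines removed, timer_irq[TIMER_PHYS_SECURE_PPI] is never assigned on the ACPI path, so any remaining timer_get_irq(TIMER_PHYS_SECURE_PPI) caller sees whatever the array was initialised to. The vtimer.c change in this patch guards one caller with acpi_disabled; please confirm there are no others, and leave a short comment here saying the secure EL1 fields are deliberately ignored, so the omission does not look accidental next to the non-secure and virtual entries.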
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index c54360e202..d2124b1755 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -8,6 +8,7 @@
  * Copyright (c) 2011 Citrix Systems.
  */
 
+#include <xen/acpi.h>
 #include <xen/lib.h>
 #include <xen/perfc.h>
 #include <xen/sched.h>
@@ -61,10 +62,22 @@ int domain_vtimer_init(struct domain *d, struct xen_arch_domainconfig *config)
 
     config->clock_frequency = timer_dt_clock_frequency;
 
-    /* At this stage vgic_reserve_virq can't fail */
+    /*
+     * Per the ACPI specification, providing a secure EL1 timer
+     * interrupt is optional and will be ignored by non-secure OS.
+     * Therefore don't reserve the interrupt number for the HW domain
+     * and ACPI.
+     *
+     * Note that we should still reserve it when using the Device-Tree
+     * because the interrupt is not optional. That said, we are not
+     * expecting any OS to use it when running on top of Xen.
+     *
+     * At this stage vgic_reserve_virq() is not meant to fail.
+     */
     if ( is_hardware_domain(d) )
     {
-        if ( !vgic_reserve_virq(d, timer_get_irq(TIMER_PHYS_SECURE_PPI)) )
+        if ( acpi_disabled &&
+             !vgic_reserve_virq(d, timer_get_irq(TIMER_PHYS_SECURE_PPI)) )
             BUG();
 
         if ( !vgic_reserve_virq(d, timer_get_irq(TIMER_PHYS_NONSECURE_PPI)) )
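Review bot: The Device-Tree path still ends in BUG() when vgic_reserve_virq() fails for a firmware-supplied interrupt number, which is the same failure mode the commit message describes for ACPI (a value of 0 that is already reserved as an SGI). Since the new comment says no OS is expected to use the secure timer interrupt under Xen, consider checking that the number is a valid PPI before reserving it, and warning and skipping it otherwise, rather than bringing the hypervisor down on bad firmware data. The comment's "because the interrupt is not optional" is also stronger than the commit message, which only says no statement was found that it is ignored; aligning the two would help.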
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:07 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] MAINTAINERS: Make Bob Eschleman a reviewer
Message-Id: <E1qshyY-0000wu-9K@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:02 +0000

commit 618826f67306c32b2799e84ded9a8203f4109ccf
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Wed Oct 4 16:12:41 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 11:52:37 2023 +0100

    MAINTAINERS: Make Bob Eschleman a reviewer
    
    Following a conversation with Bob Eschleman, it was agreed that
    Bobby would prefer to return to being a Reviewer.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
---
 MAINTAINERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 22034bf6e3..f61b5a32a1 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -499,8 +499,8 @@ F:	tools/hotplug/Linux/remus-netbuf-setup
 F:	tools/hotplug/Linux/block-drbd-probe
 
 RISCV
-M:	Bob Eshleman <bobbyeshleman@gmail.com>
 R:	Alistair Francis <alistair.francis@wdc.com>
+R:	Bob Eshleman <bobbyeshleman@gmail.com>
 R:	Connor Davis <connojdavis@gmail.com>
 S:	Supported
 F:	config/riscv64.mk
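Review bot: After this change the RISCV section has three R: entries and no M: entry, while the status line still reads "S: Supported". If no maintainer is taking over, the commit message should say who is expected to ack RISC-V patches, or the status should be adjusted to match. The new R: line is placed in alphabetical order, which is fine. The commit subject also spells the name "Eschleman" whereas the file has "Eshleman".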
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xenalyze: Only accumulate data from one vmexit without a handler
Message-Id: <E1qshyi-0000yq-Cs@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:12 +0000

commit ea6f4cd304fa2b1db554865a229c61015819779f
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Fri Oct 6 15:55:02 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 15:01:47 2023 +0100

    xenalyze: Only accumulate data from one vmexit without a handler
    
    If a vmentry/exit arc unexpectedly doesn't have a handler, we throw an
    error, and then log the information under HVM event 0; thus those
    particular traces within the vmexit reason will have stats gathered,
    and will show up with "(no handler)".  This is useful in the event
    that there are unusual paths through the hypervisor which don't have
    trace points.
    
    However, if there is more than one of these, then although we detect and warn
    that this is happening, we subsequently continue to stuff data about all exits
    into that one exit, even though we only show it in one place.
    
    Instead, refactor things to only allow a single exit reason to be
    accumulated into any given event.
    
    Also put a comment explaining what's going on, and how to fix it.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 tools/xentrace/xenalyze.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
index 4cb67062c9..1359e096f9 100644
--- a/tools/xentrace/xenalyze.c
+++ b/tools/xentrace/xenalyze.c
@@ -4652,6 +4652,19 @@ void hvm_generic_postprocess(struct hvm_data *h)
                       ? "[clipped]"
                       : h->exit_reason_name[h->exit_reason]);
             warned[h->exit_reason]=1;
+
+            /* 
+             * NB that we don't return here; the result will be that `evt`
+             * will be "0", and there will be a "(no handler)" entry for the
+             * given VMEXIT.
+             * 
+             * This does mean that if two different exits have no HVM
+             * handlers, that only the first one will accumulate data;
+             * if accumulating a separate "(no handler)" data for more
+             * than one exit reason is needed, we'll have to make Yet
+             * Another Array.  But for now, since we try to avoid
+             * it happening, just tolerate it.
+             */ 
         }
     }
 
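Review bot: The added comment block carries trailing whitespace on its opening "/*" line, on the empty " *" line in the middle and on the closing "*/" line; please strip it. On wording, "the result will be that `evt` will be "0"" would be clearer as a reference to HVM event 0, and it would help to point at the registered[] check further down, since that check is what enforces "only the first one will accumulate data".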
@@ -4664,18 +4677,19 @@ void hvm_generic_postprocess(struct hvm_data *h)
     }
 
     if(opt.summary_info) {
-        update_cycles(&h->summary.generic[evt],
-                       h->arc_cycles);
-
         /* NB that h->exit_reason may be 0, so we offset by 1 */
         if ( registered[evt] )
         {
             static unsigned warned[HVM_EXIT_REASON_MAX] = { 0 };
-            if ( registered[evt] != h->exit_reason+1 && !warned[h->exit_reason])
+            if ( registered[evt] != h->exit_reason+1 )
             {
-                fprintf(warn, "%s: HVM evt %lx in %x and %x!\n",
-                        __func__, evt, registered[evt]-1, h->exit_reason);
-                warned[h->exit_reason]=1;
+                if ( !warned[h->exit_reason] )
+                {
+                    fprintf(warn, "%s: HVM evt %lx in %x and %x!\n",
+                            __func__, evt, registered[evt]-1, h->exit_reason);
+                    warned[h->exit_reason]=1;
+                }
+                return;
             }
         }
         else
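Review bot: The new early return in the registered[evt] mismatch branch drops the arc silently once warned[h->exit_reason] is set, so the summary gives no indication of how many arcs were discarded. Consider counting the dropped arcs and reporting the total next to the "(no handler)" entry. Separately, warned[] is sized HVM_EXIT_REASON_MAX and indexed by h->exit_reason with no bounds check visible here; the "[clipped]" handling in the previous hunk suggests out-of-range exit reasons are possible, so please confirm the index is always in range.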
@@ -4686,7 +4700,11 @@ void hvm_generic_postprocess(struct hvm_data *h)
                         __func__, ret);
             registered[evt]=h->exit_reason+1;
         }
-        /* HLT checked at hvm_vmexit_close() */
+
+        update_cycles(&h->summary.generic[evt],
+                       h->arc_cycles);
+
+       /* HLT checked at hvm_vmexit_close() */
     }
 }
 
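Review bot: The re-added "/* HLT checked at hvm_vmexit_close() */" comment is indented by seven spaces where the removed line used eight; please restore the original indentation. The moved update_cycles() call would also fit on a single line.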
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:23 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xenalyze: AMD's VMEXIT_VINTR doesn't need a trace record
Message-Id: <E1qshys-0000zI-JP@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:22 +0000

commit 4ef752733bd7cfb13b55ed8a01499ffe3f1f4ef5
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Thu Oct 5 17:26:38 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 15:01:48 2023 +0100

    xenalyze: AMD's VMEXIT_VINTR doesn't need a trace record
    
    Just like Intel's PENDING_VIRT_INTR, AMD's VINTR doesn't need an HVM
    trace record.  Expect that.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 tools/xentrace/xenalyze.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
index 1359e096f9..fc25ac3589 100644
--- a/tools/xentrace/xenalyze.c
+++ b/tools/xentrace/xenalyze.c
@@ -4628,6 +4628,13 @@ void hvm_generic_postprocess(struct hvm_data *h)
         /* Some exits we don't expect a handler; just return */
         if(opt.svm_mode)
         {
+            switch(h->exit_reason)
+            {
+            case VMEXIT_VINTR: /* Equivalent of PENDING_VIRT_INTR */
+                return;
+            default:
+                break;
+            }
         }
         else
         {
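Review bot: Returning from the new VMEXIT_VINTR case leaves hvm_generic_postprocess() before the summary accounting, so these exits are no longer accumulated under the "(no handler)" entry at all. The existing "Some exits we don't expect a handler; just return" comment covers the intent, but please confirm that dropping them from the generic summary, and not only suppressing the warning, is what is wanted.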
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:34 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xenalyze: Don't expect an HVM_HANDLER trace for PAUSE vmexits
Message-Id: <E1qshz2-0000zy-Mw@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:32 +0000

commit 4292c5454545238774b4e300f6eea3c58f4d323c
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Fri Oct 6 16:22:34 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 15:01:50 2023 +0100

    xenalyze: Don't expect an HVM_HANDLER trace for PAUSE vmexits
    
    Neither vmx nor svm trace anything, nor is there anything obvious
    worth tracing.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 tools/xentrace/xenalyze.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
index fc25ac3589..2faf66500d 100644
--- a/tools/xentrace/xenalyze.c
+++ b/tools/xentrace/xenalyze.c
@@ -4631,6 +4631,7 @@ void hvm_generic_postprocess(struct hvm_data *h)
             switch(h->exit_reason)
             {
             case VMEXIT_VINTR: /* Equivalent of PENDING_VIRT_INTR */
+            case VMEXIT_PAUSE:
                 return;
             default:
                 break;
@@ -4643,6 +4644,7 @@ void hvm_generic_postprocess(struct hvm_data *h)
                 /* These just need us to go through the return path */
             case EXIT_REASON_PENDING_VIRT_INTR:
             case EXIT_REASON_TPR_BELOW_THRESHOLD:
+            case EXIT_REASON_PAUSE_INSTRUCTION:
                 /* Not much to log now; may need later */
             case EXIT_REASON_WBINVD:
                 return;
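Review bot: EXIT_REASON_PAUSE_INSTRUCTION is inserted between EXIT_REASON_TPR_BELOW_THRESHOLD and the "Not much to log now; may need later" comment, so it reads as part of the "These just need us to go through the return path" group. The commit message gives a different reason (nothing is traced and nothing is obviously worth tracing); a brief trailing comment on the new case, as VMEXIT_VINTR has in the SVM switch, would record why it is listed.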
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:44 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xenalyze: Fix interrupt EIP reporting
Message-Id: <E1qshzC-00010l-QX@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:42 +0000

commit b26a2341357f4b7b9e96a67c81e939d952984698
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Fri Oct 6 16:54:10 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 15:01:51 2023 +0100

    xenalyze: Fix interrupt EIP reporting
    
    EIP lists are generalized across several use cases.  For many of them,
    it makes sense to have a cycle per sample; but not really for interrupt
    EIP lists.  For this reason, it normally just passes 0 for the tsc
    value, which will in turn, down at the bottom of update_cycles(),
    update only the summary.event_count, but nothing else.
    
    The dump_eip() function attempted to handle this by calling the generic
    cycle print handler if the summary contained *any* cycles, and by collecting
    and printing its own stats, based solely on counts, if not.
    
    Unfortunately, it used the wrong element for this: it collected the
    total from samples.count rather than samples.event_count; in the case that
    there are no cycles, this will always be zero.  It then divided by
    this zero value.  This results in output that looked like this:
    
    ```
      ffff89d29656                                             :        0  -nan%
      ffff89d298b6                                             :        0  -nan%
      ffff89d298c0                                             :        0  -nan%
    ```
    
    It's better than nothing, but a lot less informative than one would
    like.
    
    Use event_count rather than count for collecting the total, and for the
    reporting when there are no cycles in the summary information.  This results
    in output that looks like this:
    
    ```
       ffff89d29656                                             :        2  1.21%
       ffff89d298b6                                             :        1  0.61%
       ffff89d298c0                                             :        1  0.61%
    ```
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 tools/xentrace/xenalyze.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
index 2faf66500d..4b6db59d87 100644
--- a/tools/xentrace/xenalyze.c
+++ b/tools/xentrace/xenalyze.c
@@ -2866,7 +2866,7 @@ void dump_eip(struct eip_list_struct *head) {
 
     for(p=head; p; p=p->next)
     {
-        total += p->summary.count;
+        total += p->summary.event_count;
         N++;
     }
 
@@ -2901,8 +2901,8 @@ void dump_eip(struct eip_list_struct *head) {
                           p->eip,
                           find_symbol(p->eip));
             printf(" %7d %5.2lf%%\n",
-                   p->summary.count,
-                   ((double)p->summary.count*100)/total);
+                   p->summary.event_count,
+                   ((double)p->summary.event_count*100)/total);
         }
 
 
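Review bot: The " %7d" conversion in the printf is kept while its argument changes from summary.count to summary.event_count. The declaration of event_count is not visible in this patch; if it is not an int (a wider or unsigned counter, say), the specifier has to change with it, so please confirm the type or add an explicit cast.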
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 17 11:11:54 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xenalyze: Reduce warnings about leaving a vcpu in INIT
Message-Id: <E1qshzM-00011V-Tx@xenbits.xenproject.org>
Date: Tue, 17 Oct 2023 11:11:52 +0000

commit 0ce2ee7a16f2886c32b3f070bba3172f4a577aa4
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Mon Oct 9 11:19:57 2023 +0100
Commit:     George Dunlap <george.dunlap@cloud.com>
CommitDate: Mon Oct 16 15:01:52 2023 +0100

    xenalyze: Reduce warnings about leaving a vcpu in INIT
    
    We warn when we see data for a vcpu moving into a non-RUNNING state,
    just so that people know why we're ignoring it.  On full traces, this
    happens only once.  However, if the trace was limited to a subset of
    pcpus, then this will happen every time the domain in question is
    woken on that pcpu.
    
    Add a 'delayed_init' flag to the vcpu struct to indicate when a vcpu
    has experienced a delayed init.  Print a warning message once when
    entering the state, and once when leaving it.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 tools/xentrace/xenalyze.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/tools/xentrace/xenalyze.c b/tools/xentrace/xenalyze.c
index 4b6db59d87..ce6a85d50b 100644
--- a/tools/xentrace/xenalyze.c
+++ b/tools/xentrace/xenalyze.c
@@ -1625,7 +1625,7 @@ struct vlapic_struct {
 struct vcpu_data {
     int vid;
     struct domain_data *d; /* up-pointer */
-    unsigned activated:1;
+    unsigned activated:1, delayed_init:1;
 
     int guest_paging_levels;
 
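Review bot: The new delayed_init bit in struct vcpu_data shares a declaration line with activated and carries no comment. Giving it its own line with a short comment, e.g. `unsigned delayed_init:1; /* first schedule seen, vcpu still held in INIT */`, would document what the flag tracks and keep later diffs to either field separate.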
@@ -6979,10 +6979,17 @@ void vcpu_start(struct pcpu_info *p, struct vcpu_data *v,
      * bring a vcpu out of INIT until it's seen to be actually
      * running somewhere. */
     if ( new_runstate != RUNSTATE_RUNNING ) {
-        fprintf(warn, "First schedule for d%dv%d doesn't take us into a running state; leaving INIT\n",
-                v->d->did, v->vid);
+        if ( !v->delayed_init ) {
+            fprintf(warn, "First schedule for d%dv%d doesn't take us into a running state; leaving in INIT\n",
+                    v->d->did, v->vid);
+            v->delayed_init = 1;
+        }
 
         return;
+    } else if ( v->delayed_init ) {
+        fprintf(warn, "d%dv%d RUNSTATE_RUNNING detected, leaving INIT",
+                v->d->did, v->vid);
+        v->delayed_init = 0;
     }
 
     tsc = ri_tsc;
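Review bot: The message added in the else-if branch, "d%dv%d RUNSTATE_RUNNING detected, leaving INIT", has no trailing \n, unlike the warning a few lines above it, so whatever is written to warn next will be appended to the same line. Please add the newline. Since the first message was also reworded to "leaving in INIT", the two strings now differ only slightly; making the second one more distinct would make the log easier to search.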
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 05:11:09 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/mem_access: address violations of MISRA C:2012 Rule 8.3
Message-Id: <E1qsypi-0000UW-A8@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 05:11:02 +0000

commit 4a106e1fb15bba48aaa06f62a21eabebe6057d4b
Author:     Federico Serafini <federico.serafini@bugseng.com>
AuthorDate: Tue Oct 17 09:51:07 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Oct 17 09:51:07 2023 +0200

    x86/mem_access: address violations of MISRA C:2012 Rule 8.3
    
    Make function declarations and definitions consistent.
    No functional change.
    
    Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
    Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/include/asm/mem_access.h | 2 +-
 xen/arch/x86/mm/mem_access.c          | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/include/asm/mem_access.h b/xen/arch/x86/include/asm/mem_access.h
index 8957e1181c..1a52a10322 100644
--- a/xen/arch/x86/include/asm/mem_access.h
+++ b/xen/arch/x86/include/asm/mem_access.h
@@ -39,7 +39,7 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve,
 
 struct xen_hvm_altp2m_suppress_ve_multi;
 int p2m_set_suppress_ve_multi(struct domain *d,
-                              struct xen_hvm_altp2m_suppress_ve_multi *suppress_ve);
+                              struct xen_hvm_altp2m_suppress_ve_multi *sve);
 
 int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
                         unsigned int altp2m_idx);
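Review bot: The prototype of p2m_set_suppress_ve_multi() now names its pointer parameter sve, but the matching definition is not part of this patch, so the consistency the commit message claims cannot be checked from the diff alone. A line in the commit message saying that the definition already uses sve would close that gap. The shorter name also avoids confusion with the bool suppress_ve parameters of the neighbouring p2m_set_suppress_ve() and p2m_get_suppress_ve() prototypes, which is worth mentioning as part of the rationale.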
diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c
index c472fa1ee5..3449e0ee85 100644
--- a/xen/arch/x86/mm/mem_access.c
+++ b/xen/arch/x86/mm/mem_access.c
@@ -70,7 +70,7 @@ static int _p2m_get_mem_access(struct p2m_domain *p2m, gfn_t gfn,
 }
 
 bool p2m_mem_access_emulate_check(struct vcpu *v,
-                                  const vm_event_response_t *rsp)
+                                  const struct vm_event_st *rsp)
 {
     xenmem_access_t access;
     bool violation = true;
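Review bot: In p2m_mem_access_emulate_check() the parameter type changes from the typedef vm_event_response_t to struct vm_event_st, which goes beyond a parameter-name fix and drops the hint that rsp is a response rather than a request. The commit message only says declarations and definitions are made consistent; please state why the struct tag is preferred here (presumably to match a declaration not shown in this patch), or consider switching the declaration to the typedef instead so the request/response distinction is kept in both places.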
@@ -129,7 +129,7 @@ bool p2m_mem_access_emulate_check(struct vcpu *v,
 
 bool p2m_mem_access_check(paddr_t gpa, unsigned long gla,
                           struct npfec npfec,
-                          vm_event_request_t **req_ptr)
+                          struct vm_event_st **req_ptr)
 {
     struct vcpu *v = current;
     gfn_t gfn = gaddr_to_gfn(gpa);
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 05:11:13 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/paging: address a violation of MISRA C:2012 Rule 8.3
Message-Id: <E1qsyps-0000WY-DO@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 05:11:12 +0000

commit bef218208cbcbc9db6e7126b16316102c39518f8
Author:     Federico Serafini <federico.serafini@bugseng.com>
AuthorDate: Tue Oct 17 09:52:18 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Oct 17 09:52:18 2023 +0200

    x86/paging: address a violation of MISRA C:2012 Rule 8.3
    
    Make function declaration and definition consistent.
    No functional change.
    
    Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/include/asm/paging.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h
index f291f2f9a2..62605d7697 100644
--- a/xen/arch/x86/include/asm/paging.h
+++ b/xen/arch/x86/include/asm/paging.h
@@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cpu_user_regs *regs)
 }
 
 /* Handle invlpg requests on vcpus. */
-void paging_invlpg(struct vcpu *v, unsigned long va);
+void paging_invlpg(struct vcpu *v, unsigned long linear);
 
 /*
  * Translate a guest virtual address to the frame number that the
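Review bot: The second parameter of paging_invlpg() is renamed to linear, while paging_fault() just above in the same header (visible in the hunk header) still calls its address parameter va. If linear is what the definition uses, that is fine, but the one-line comment "Handle invlpg requests on vcpus." could then say that the argument is a linear address, so the two names in this header do not read as an inconsistency.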
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 05:11:23 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/irq: address violations of MISRA C:2012 Rule 8.2
Message-Id: <E1qsyq2-0000X0-IF@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 05:11:22 +0000

commit dcaec96ac0d48571a1fc99e34fa28f99fe016886
Author:     Federico Serafini <federico.serafini@bugseng.com>
AuthorDate: Tue Oct 17 09:52:51 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Oct 17 09:52:51 2023 +0200

    xen/irq: address violations of MISRA C:2012 Rule 8.2
    
    Add missing parameter names. No functional change.
    
    Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/arm/irq.c             |  3 ++-
 xen/arch/x86/include/asm/irq.h |  4 ++--
 xen/arch/x86/irq.c             |  8 ++++----
 xen/include/xen/irq.h          | 21 +++++++++++----------
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
index 09648db17a..1f05ecdee5 100644
--- a/xen/arch/arm/irq.c
+++ b/xen/arch/arm/irq.c
@@ -182,7 +182,8 @@ void irq_set_affinity(struct irq_desc *desc, const cpumask_t *mask)
 }
 
 int request_irq(unsigned int irq, unsigned int irqflags,
-                void (*handler)(int, void *, struct cpu_user_regs *),
+                void (*handler)(int irq, void *dev_id,
+                                struct cpu_user_regs *regs),
                 const char *devname, void *dev_id)
 {
     struct irqaction *action;
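Review bot: In request_irq() the names added inside the handler's prototype, `int irq` and `void *dev_id`, repeat the names of request_irq()'s own parameters `unsigned int irq` and `void *dev_id`, and the two irq parameters differ in signedness. The names in the function-pointer declarator have prototype scope only, so nothing breaks, but a reader can easily take them for the outer parameters. Worth confirming that this does not trip the analyser's identifier-hiding checks, and whether the `int` versus `unsigned int` difference is intended.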
diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h
index ad907fc97f..a87af47ece 100644
--- a/xen/arch/x86/include/asm/irq.h
+++ b/xen/arch/x86/include/asm/irq.h
@@ -101,9 +101,9 @@ void cf_check irq_move_cleanup_interrupt(struct cpu_user_regs *regs);
 uint8_t alloc_hipriority_vector(void);
 
 void set_direct_apic_vector(
-    uint8_t vector, void (*handler)(struct cpu_user_regs *));
+    uint8_t vector, void (*handler)(struct cpu_user_regs *regs));
 void alloc_direct_apic_vector(
-    uint8_t *vector, void (*handler)(struct cpu_user_regs *));
+    uint8_t *vector, void (*handler)(struct cpu_user_regs *regs));
 
 void do_IRQ(struct cpu_user_regs *regs);
 
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index 6abfd81621..f42ad539dc 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -915,16 +915,16 @@ uint8_t alloc_hipriority_vector(void)
     return next++;
 }
 
-static void (*direct_apic_vector[X86_NR_VECTORS])(struct cpu_user_regs *);
+static void (*direct_apic_vector[X86_NR_VECTORS])(struct cpu_user_regs *regs);
 void set_direct_apic_vector(
-    uint8_t vector, void (*handler)(struct cpu_user_regs *))
+    uint8_t vector, void (*handler)(struct cpu_user_regs *regs))
 {
     BUG_ON(direct_apic_vector[vector] != NULL);
     direct_apic_vector[vector] = handler;
 }
 
 void alloc_direct_apic_vector(
-    uint8_t *vector, void (*handler)(struct cpu_user_regs *))
+    uint8_t *vector, void (*handler)(struct cpu_user_regs *regs))
 {
     static DEFINE_SPINLOCK(lock);
 
@@ -964,7 +964,7 @@ static int __init cf_check irq_ratelimit_init(void)
 __initcall(irq_ratelimit_init);
 
 int __init request_irq(unsigned int irq, unsigned int irqflags,
-        void (*handler)(int, void *, struct cpu_user_regs *),
+        void (*handler)(int irq, void *dev_id, struct cpu_user_regs *regs),
         const char * devname, void *dev_id)
 {
     struct irqaction * action;
diff --git a/xen/include/xen/irq.h b/xen/include/xen/irq.h
index 9747e818f7..58d462e8e6 100644
--- a/xen/include/xen/irq.h
+++ b/xen/include/xen/irq.h
@@ -18,7 +18,7 @@
     ASSERT(!in_irq() && (local_irq_is_enabled() || num_online_cpus() <= 1))
 
 struct irqaction {
-    void (*handler)(int, void *, struct cpu_user_regs *);
+    void (*handler)(int irq, void *dev_id, struct cpu_user_regs *regs);
     const char *name;
     void *dev_id;
     bool_t free_on_release;
@@ -62,17 +62,17 @@ struct irq_desc;
  */
 struct hw_interrupt_type {
     const char *typename;
-    unsigned int (*startup)(struct irq_desc *);
-    void (*shutdown)(struct irq_desc *);
-    void (*enable)(struct irq_desc *);
-    void (*disable)(struct irq_desc *);
-    void (*ack)(struct irq_desc *);
+    unsigned int (*startup)(struct irq_desc *desc);
+    void (*shutdown)(struct irq_desc *desc);
+    void (*enable)(struct irq_desc *desc);
+    void (*disable)(struct irq_desc *desc);
+    void (*ack)(struct irq_desc *desc);
 #ifdef CONFIG_X86
-    void (*end)(struct irq_desc *, u8 vector);
+    void (*end)(struct irq_desc *desc, u8 vector);
 #else
-    void (*end)(struct irq_desc *);
+    void (*end)(struct irq_desc *desc);
 #endif
-    void (*set_affinity)(struct irq_desc *, const cpumask_t *);
+    void (*set_affinity)(struct irq_desc *desc, const cpumask_t *mask);
 };
 
 typedef const struct hw_interrupt_type hw_irq_controller;
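Review bot: The CONFIG_X86 variant of the end hook is touched here but keeps `u8 vector`, while the x86 prototypes changed in the same patch (set_direct_apic_vector(), alloc_direct_apic_vector()) spell the type `uint8_t vector`. Since the line is being edited anyway, consider using uint8_t for consistency, or note in the commit message that type spellings are deliberately left alone.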
@@ -119,7 +119,8 @@ extern int setup_irq(unsigned int irq, unsigned int irqflags,
                      struct irqaction *new);
 extern void release_irq(unsigned int irq, const void *dev_id);
 extern int request_irq(unsigned int irq, unsigned int irqflags,
-               void (*handler)(int, void *, struct cpu_user_regs *),
+               void (*handler)(int irq, void *dev_id,
+                     struct cpu_user_regs *regs),
                const char *devname, void *dev_id);
 
 extern hw_irq_controller no_irq_type;
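Review bot: The continuation line `struct cpu_user_regs *regs),` in the request_irq() declaration is not aligned with the opening parenthesis of the handler's parameter list, unlike the same wrap in xen/arch/arm/irq.c earlier in this patch. Please indent it so that it lines up under `int irq`, matching the Arm definition.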
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 05:11:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] get_maintainer: Add THE REST for sections with reviewers only
Message-Id: <E1qsyqC-0000XR-LS@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 05:11:32 +0000

commit 7114bbfc8424ee467c6c8c82f077764ca4fa799b
Author:     Anthony PERARD <anthony.perard@citrix.com>
AuthorDate: Tue Oct 17 09:53:34 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Tue Oct 17 09:53:34 2023 +0200

    get_maintainer: Add THE REST for sections with reviewers only
    
    Sometimes, a contributor would like to be CCed on part of the changes,
    and it could happen that we end up with a section that doesn't have
    any maintainer, but an Ack from a maintainer would still be needed.
    
    Rework get_maintainer so if there are no maintainers besides THE REST, it
    doesn't drop THE REST emails.
    
    Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 scripts/get_maintainer.pl | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index cf629cdf3c..533d0df72a 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -732,8 +732,15 @@ sub get_maintainers {
         my @email_new;
         my $do_replace = 0;
         foreach my $email (@email_to) {
-            if ($email->[1] ne 'supporter:THE REST') {
+            # Replace @email_to list with a list which drop "THE REST" if
+            # there's a role other than "reviewer", that is if there's a
+            # maintainer/supporter in a section other than THE REST.
+            if ($email->[1] ne 'supporter:THE REST' and $email->[1] ne 'reviewer') {
                 $do_replace = 1;
+            }
+            # Prepare a new list without "THE REST", to be used if $do_replace
+            # is true.
+            if ($email->[1] ne 'supporter:THE REST') {
                 push @email_new, $email;
             }
         }
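Review bot: The new test `$email->[1] ne 'reviewer'` is an exact string comparison, whereas the other role string in this loop, 'supporter:THE REST', carries a section suffix. If reviewer roles can also appear with a suffix (the role-building code is not visible here), the comparison never matches and $do_replace is still set for reviewer-only sections, which defeats the change. Please confirm the exact role strings that reach this loop, or match on the role prefix instead. The first comment would also read better as "a list which drops".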
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 16:00:07 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] cxenstored: wait until after reset to notify dom0less domains
Message-Id: <E1qt8xl-0004B8-Qf@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 16:00:01 +0000

commit e58bd71c097d04f001e0c6c2868a0aec03d25c63
Author:     George Dunlap <george.dunlap@cloud.com>
AuthorDate: Fri Oct 13 16:06:24 2023 -0700
Commit:     Stefano Stabellini <stefano.stabellini@amd.com>
CommitDate: Tue Oct 17 13:56:55 2023 -0700

    cxenstored: wait until after reset to notify dom0less domains
    
    Commit fc2b57c9a ("xenstored: send an evtchn notification on
    introduce_domain") introduced the sending of an event channel to the
    guest when first introduced, so that dom0less domains waiting for the
    connection would know that xenstore was ready to use.
    
    Unfortunately, it was introduced in introduce_domain(), which 1) is
    called by other functions, where such functionality is unneeded, and
    2) after the main XS_INTRODUCE call, calls domain_conn_reset().  This
    introduces a race condition, whereby if xenstored is delayed, a domain
    can wake up, send messages to the buffer, only to have them deleted by
    xenstore before finishing its processing of the XS_INTRODUCE message.
    
    Move the connect-and-notify call into do_introduce() instead, after the
    domain_conn_reset(); predicated on the state being in the
    XENSTORE_RECONNECT state.
    
    (We don't need to check for "restoring", since that value is always
    passed as "false" from do_domain_introduce()).
    
    Also take the opportunity to add a missing wmb barrier after resetting
    the indexes of the ring in domain_conn_reset.
    
    This change will also remove an extra event channel notification for
    dom0 (because the notification is now done by do_introduce which is not
    called for dom0.) The extra dom0 event channel notification was only
    introduced by fc2b57c9a and was never present before. It is not needed
    because dom0 is the one to tell xenstored the connection parameters, so
    dom0 has to know that the ring page is set up correctly by the time
    xenstored starts looking at it. It is dom0 that performs the ring page
    init.
    
    Signed-off-by: George Dunlap <george.dunlap@cloud.com>
    Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
    CC: jgross@suse.com
    CC: julien@xen.org
    CC: wl@xen.org
---
 tools/xenstored/domain.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c
index a6cd199fdc..409b53acf9 100644
--- a/tools/xenstored/domain.c
+++ b/tools/xenstored/domain.c
@@ -923,6 +923,7 @@ static void domain_conn_reset(struct domain *domain)
 
 	domain->interface->req_cons = domain->interface->req_prod = 0;
 	domain->interface->rsp_cons = domain->interface->rsp_prod = 0;
+	xen_wmb();
 }
 
 /*
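Review bot: the new xen_wmb() at the end of domain_conn_reset() carries no comment saying which later store it orders against. From this patch the partner appears to be the write of XENSTORE_CONNECTED to interface->connection in do_introduce(); a one-line comment naming that pairing, and noting that the guest side needs the matching read barrier, would keep the barrier from being dropped or moved in a later cleanup.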
@@ -988,12 +989,6 @@ static struct domain *introduce_domain(const void *ctx,
 		/* Now domain belongs to its connection. */
 		talloc_steal(domain->conn, domain);
 
-		if (!restore) {
-			/* Notify the domain that xenstore is available */
-			interface->connection = XENSTORE_CONNECTED;
-			xenevtchn_notify(xce_handle, domain->port);
-		}
-
 		if (!is_master_domain && !restore)
 			fire_special_watches("@introduceDomain");
 	} else {
@@ -1033,6 +1028,13 @@ int do_introduce(const void *ctx, struct connection *conn,
 
 	domain_conn_reset(domain);
 
+	if (domain->interface != NULL &&
+	    domain->interface->connection == XENSTORE_RECONNECT) {
+		/* Notify the domain that xenstore is available */
+		domain->interface->connection = XENSTORE_CONNECTED;
+		xenevtchn_notify(xce_handle, domain->port);
+	}
+
 	send_ack(conn, XS_INTRODUCE);
 
 	return 0;
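Review bot: the added condition in do_introduce() tests domain->interface != NULL, but domain_conn_reset(domain) two lines earlier dereferences domain->interface (req_cons, req_prod, rsp_cons, rsp_prod) with no guard visible in this patch. Either the NULL test is redundant here or the reset call needs the same guard; please make the two consistent. The return value of xenevtchn_notify() is also ignored, so a failed notification leaves the domain marked XENSTORE_CONNECTED with nothing logged.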
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 18 16:00:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 18 Oct 2023 16:00:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.618706.962716 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qt8xx-0007uS-CZ; Wed, 18 Oct 2023 16:00:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 618706.962716; Wed, 18 Oct 2023 16:00:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qt8xx-0007uK-9F; Wed, 18 Oct 2023 16:00:13 +0000
Received: by outflank-mailman (input) for mailman id 618706;
 Wed, 18 Oct 2023 16:00:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qt8xw-0007u8-05
 for xen-changelog@lists.xenproject.org; Wed, 18 Oct 2023 16:00:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qt8xv-0002cp-VS
 for xen-changelog@lists.xenproject.org; Wed, 18 Oct 2023 16:00:11 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qt8xv-0004CN-U4
 for xen-changelog@lists.xenproject.org; Wed, 18 Oct 2023 16:00:11 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=HJKoLzLCWoD3A6GcTZd+gUQEqFQplbL05rYJWe0/WSM=; b=cUeMDIDMVW2W8N0do4Ir5vuKYF
	qCjWZjP3NyERnyToiVYEZxxLKCe9p6XV8fEPXdsAg3+TKWDgUlF+RrwHaYvFBqnIAc/kJ66L6aWP8
	YdsPmUOZZ8+869uuT2NJF272e+R7cNvYmCH7vROktwvPlyrwyRox8BjTGX1PpUSoFz4k=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/arm: Check return code from recursive calls to scan_pfdt_node()
Message-Id: <E1qt8xv-0004CN-U4@xenbits.xenproject.org>
Date: Wed, 18 Oct 2023 16:00:11 +0000

commit f51c92383b8dc76233481e2814aa2e905fb9b501
Author:     Michal Orzel <michal.orzel@amd.com>
AuthorDate: Mon Oct 16 14:45:59 2023 +0200
Commit:     Stefano Stabellini <stefano.stabellini@amd.com>
CommitDate: Tue Oct 17 14:01:03 2023 -0700

    xen/arm: Check return code from recursive calls to scan_pfdt_node()
    
    At the moment, we do not check a return code from scan_pfdt_node()
    called recursively. This means that any issue that may occur while
    parsing and copying the passthrough nodes is hidden and Xen continues
    to boot a domain despite errors. This may lead to incorrect device tree
    generation and various guest issues (e.g. trap on attempt to access MMIO
    not mapped in P2M). Fix it.
    
    Fixes: 669ecdf8d6cd ("xen/arm: copy dtb fragment to guest dtb")
    Signed-off-by: Michal Orzel <michal.orzel@amd.com>
    Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
    Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/arm/domain_build.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 24c9019cc4..49792dd590 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -2872,8 +2872,11 @@ static int __init scan_pfdt_node(struct kernel_info *kinfo, const void *pfdt,
     node_next = fdt_first_subnode(pfdt, nodeoff);
     while ( node_next > 0 )
     {
-        scan_pfdt_node(kinfo, pfdt, node_next, address_cells, size_cells,
-                       scan_passthrough_prop);
+        rc = scan_pfdt_node(kinfo, pfdt, node_next, address_cells, size_cells,
+                            scan_passthrough_prop);
+        if ( rc )
+            return rc;
+
         node_next = fdt_next_subnode(pfdt, node_next);
     }
 
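Review bot: the loop still terminates on "node_next > 0" being false, so a negative libfdt error from fdt_first_subnode() or fdt_next_subnode() other than -FDT_ERR_NOTFOUND is treated as a normal end of iteration and the function carries on. That is the same class of silently ignored error this patch fixes for the recursive call; consider checking node_next after the loop and returning an error unless it is -FDT_ERR_NOTFOUND.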
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:09 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 19 Oct 2023 07:22:09 +0000
Received: from list by lists.xenproject.org with outflank-mailman.618932.963261 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNM2-0000xD-AB; Thu, 19 Oct 2023 07:22:02 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 618932.963261; Thu, 19 Oct 2023 07:22:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNM2-0000x5-6M; Thu, 19 Oct 2023 07:22:02 +0000
Received: by outflank-mailman (input) for mailman id 618932;
 Thu, 19 Oct 2023 07:22:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNM1-0000wz-Lc
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNM1-0007U7-KV
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNM1-0006CN-JT
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=aRHsEnS6YPWYchl9mBFB55IOU9H02ek/FP/DMtT+p5U=; b=VVJl+9+QJ3mWoHpeKjtHpMSCRN
	+PZ0G7RmsRAVttP15zf+5s1BpYiCY63pe1SRRHRyNTTXt3E1Ec5fkWhmxuRnEMZREZCo1PmNUnipZ
	U7w1n/xOUDSWkSeI7QdzNQtCI3KRo6SmZHvQe5w8XuD4Oy/VgZvwUtZfT3iWQlgdNIaM=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] xen/pdx: Make CONFIG_PDX_COMPRESSION a common Kconfig option
Message-Id: <E1qtNM1-0006CN-JT@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:01 +0000

commit 141db3325bf2b4b7efabcd5cd3f90fc8245fc34b
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Tue Aug 8 14:02:20 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 15:44:31 2023 +0100

    xen/pdx: Make CONFIG_PDX_COMPRESSION a common Kconfig option
    
    Adds a new compile-time flag to allow disabling PDX compression and
    compiles out compression-related code/data. It also shorts the pdx<->pfn
    conversion macros and creates stubs for masking functions.
    
    While at it, removes the old arch-defined CONFIG_HAS_PDX flag.  Despite the
    illusion of choice, it was not optional.
    
    There are ARM and PPC platforms with sparse RAM banks - leave compression
    active by default there.  However, there are no known production x86 systems
    with sparse RAM banks, so disable compression.  RISC-V platforms are unknown
    right now.  These decisions can be revisited if our understanding changes.
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/arm/Kconfig  |  1 -
 xen/arch/ppc/Kconfig  |  1 -
 xen/arch/x86/Kconfig  |  1 -
 xen/arch/x86/domain.c | 19 +++++++++++++------
 xen/common/Kconfig    | 18 +++++++++++++++---
 xen/common/Makefile   |  2 +-
 xen/common/pdx.c      | 16 ++++++++++++----
 xen/include/xen/pdx.h | 38 +++++++++++++++++++++++++++++++++++---
 8 files changed, 76 insertions(+), 20 deletions(-)

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 632dd9792e..2939db429b 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -14,7 +14,6 @@ config ARM
 	select HAS_ALTERNATIVE
 	select HAS_DEVICE_TREE
 	select HAS_PASSTHROUGH
-	select HAS_PDX
 	select HAS_PMAP
 	select HAS_UBSAN
 	select IOMMU_FORCE_PT_SHARE
diff --git a/xen/arch/ppc/Kconfig b/xen/arch/ppc/Kconfig
index a6eae597af..ab116ffb2a 100644
--- a/xen/arch/ppc/Kconfig
+++ b/xen/arch/ppc/Kconfig
@@ -1,7 +1,6 @@
 config PPC
 	def_bool y
 	select HAS_DEVICE_TREE
-	select HAS_PDX
 
 config PPC64
 	def_bool y
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 92f3a627da..30df085d96 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -24,7 +24,6 @@ config X86
 	select HAS_PASSTHROUGH
 	select HAS_PCI
 	select HAS_PCI_MSI
-	select HAS_PDX
 	select HAS_SCHED_GRANULARITY
 	select HAS_UBSAN
 	select HAS_VPCI if HVM
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index d05ee0da55..3712e36df9 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -458,7 +458,7 @@ void domain_cpu_policy_changed(struct domain *d)
     }
 }
 
-#ifndef CONFIG_BIGMEM
+#if !defined(CONFIG_BIGMEM) && defined(CONFIG_PDX_COMPRESSION)
 /*
  * The hole may be at or above the 44-bit boundary, so we need to determine
  * the total bit count until reaching 32 significant (not squashed out) bits
@@ -485,13 +485,20 @@ static unsigned int __init noinline _domain_struct_bits(void)
 struct domain *alloc_domain_struct(void)
 {
     struct domain *d;
-#ifdef CONFIG_BIGMEM
-    const unsigned int bits = 0;
-#else
+
     /*
-     * We pack the PDX of the domain structure into a 32-bit field within
-     * the page_info structure. Hence the MEMF_bits() restriction.
+     * Without CONFIG_BIGMEM, we pack the PDX of the domain structure into
+     * a 32-bit field within the page_info structure. Hence the MEMF_bits()
+     * restriction. With PDX compression in place the number of bits must
+     * be calculated at runtime, but it's fixed otherwise.
+     *
+     * On systems with CONFIG_BIGMEM there's no packing, and so there's no
+     * such restriction.
      */
+#if defined(CONFIG_BIGMEM) || !defined(CONFIG_PDX_COMPRESSION)
+    const unsigned int bits = IS_ENABLED(CONFIG_BIGMEM) ? 0 :
+                                                          32 + PAGE_SHIFT;
+#else
     static unsigned int __read_mostly bits;
 
     if ( unlikely(!bits) )
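Review bot: the new "#if defined(CONFIG_BIGMEM) || !defined(CONFIG_PDX_COMPRESSION)" in alloc_domain_struct() is the hand-written negation of the "#if !defined(CONFIG_BIGMEM) && defined(CONFIG_PDX_COMPRESSION)" that now guards _domain_struct_bits(), and its first branch then tests CONFIG_BIGMEM again with IS_ENABLED(). Putting the runtime-computed case first, under the same condition as the helper, with the constant in the #else, would keep the two guards textually identical and harder to get out of sync.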
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 0d248ab941..407b7b1cd6 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -23,6 +23,21 @@ config GRANT_TABLE
 
 	  If unsure, say Y.
 
+config PDX_COMPRESSION
+	bool "PDX (Page inDeX) compression" if EXPERT && !X86 && !RISCV
+	default ARM || PPC
+	help
+	  PDX compression is a technique designed to reduce the memory
+	  overhead of physical memory management on platforms with sparse RAM
+	  banks.
+
+	  If your platform does have sparse RAM banks, enabling PDX
+	  compression may reduce the memory overhead of Xen, but does carry a
+	  runtime performance cost.
+
+	  If your platform does not have sparse RAM banks, do not enable PDX
+	  compression.
+
 config ALTERNATIVE_CALL
 	bool
 
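Review bot: the prompt is hidden by "if EXPERT && !X86 && !RISCV" and the default is "ARM || PPC", so on x86 and RISC-V the option is forced off with no way to enable it, yet the help text reads as if the user always has a choice. A sentence in the help text stating that the option is not selectable on x86 and RISC-V would document that decision where people will look for it.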
@@ -53,9 +68,6 @@ config HAS_IOPORTS
 config HAS_KEXEC
 	bool
 
-config HAS_PDX
-	bool
-
 config HAS_PMAP
 	bool
 
diff --git a/xen/common/Makefile b/xen/common/Makefile
index e7e96b1087..69d6aa626c 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
@@ -30,7 +30,7 @@ obj-y += multicall.o
 obj-y += notifier.o
 obj-$(CONFIG_NUMA) += numa.o
 obj-y += page_alloc.o
-obj-$(CONFIG_HAS_PDX) += pdx.o
+obj-y += pdx.o
 obj-$(CONFIG_PERF_COUNTERS) += perfc.o
 obj-bin-$(CONFIG_HAS_PMAP) += pmap.init.o
 obj-y += preempt.o
diff --git a/xen/common/pdx.c b/xen/common/pdx.c
index d3d38965bd..d3d63b0750 100644
--- a/xen/common/pdx.c
+++ b/xen/common/pdx.c
@@ -31,11 +31,16 @@ unsigned long __read_mostly pdx_group_valid[BITS_TO_LONGS(
 
 bool __mfn_valid(unsigned long mfn)
 {
-    if ( unlikely(evaluate_nospec(mfn >= max_page)) )
+    bool invalid = mfn >= max_page;
+
+#ifdef CONFIG_PDX_COMPRESSION
+    invalid |= mfn & pfn_hole_mask;
+#endif
+
+    if ( unlikely(evaluate_nospec(invalid)) )
         return false;
-    return likely(!(mfn & pfn_hole_mask)) &&
-           likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
-                           pdx_group_valid));
+
+    return test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT, pdx_group_valid);
 }
 
 void set_pdx_range(unsigned long smfn, unsigned long emfn)
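Review bot: in __mfn_valid(), "invalid |= mfn & pfn_hole_mask;" relies on the implicit conversion of an unsigned long mask result to bool; writing "invalid |= !!(mfn & pfn_hole_mask);" or an explicit "!= 0" makes the intent clear to the reader. The rewrite also drops the likely() hint the old code had on the test_bit() result; if that is deliberate it deserves a word in the commit message.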
@@ -49,6 +54,8 @@ void set_pdx_range(unsigned long smfn, unsigned long emfn)
         __set_bit(idx, pdx_group_valid);
 }
 
+#ifdef CONFIG_PDX_COMPRESSION
+
 /*
  * Diagram to make sense of the following variables. The masks and shifts
  * are done on mfn values in order to convert to/from pdx:
@@ -176,6 +183,7 @@ void __init pfn_pdx_hole_setup(unsigned long mask)
     ma_top_mask         = pfn_top_mask << PAGE_SHIFT;
 }
 
+#endif /* CONFIG_PDX_COMPRESSION */
 
 /*
  * Local variables:
diff --git a/xen/include/xen/pdx.h b/xen/include/xen/pdx.h
index f3fbc4273a..bd535009ea 100644
--- a/xen/include/xen/pdx.h
+++ b/xen/include/xen/pdx.h
@@ -67,8 +67,6 @@
  * region involved.
  */
 
-#ifdef CONFIG_HAS_PDX
-
 extern unsigned long max_pdx;
 
 #define PDX_GROUP_COUNT ((1 << PDX_GROUP_SHIFT) / \
@@ -100,6 +98,8 @@ bool __mfn_valid(unsigned long mfn);
 #define mfn_to_pdx(mfn) pfn_to_pdx(mfn_x(mfn))
 #define pdx_to_mfn(pdx) _mfn(pdx_to_pfn(pdx))
 
+#ifdef CONFIG_PDX_COMPRESSION
+
 extern unsigned long pfn_pdx_bottom_mask, ma_va_bottom_mask;
 extern unsigned int pfn_pdx_hole_shift;
 extern unsigned long pfn_hole_mask;
@@ -206,7 +206,39 @@ static inline paddr_t directmapoff_to_maddr(unsigned long offset)
  */
 void pfn_pdx_hole_setup(unsigned long mask);
 
-#endif /* HAS_PDX */
+#else /* !CONFIG_PDX_COMPRESSION */
+
+/* Without PDX compression we can skip some computations */
+
+/* pdx<->pfn == identity */
+#define pdx_to_pfn(x) (x)
+#define pfn_to_pdx(x) (x)
+
+/* directmap is indexed by by maddr */
+#define maddr_to_directmapoff(x) (x)
+#define directmapoff_to_maddr(x) (x)
+
+static inline bool pdx_is_region_compressible(paddr_t base,
+                                              unsigned long npages)
+{
+    return true;
+}
+
+static inline uint64_t pdx_init_mask(uint64_t base_addr)
+{
+    return 0;
+}
+
+static inline uint64_t pdx_region_mask(uint64_t base, uint64_t len)
+{
+    return 0;
+}
+
+static inline void pfn_pdx_hole_setup(unsigned long mask)
+{
+}
+
+#endif /* CONFIG_PDX_COMPRESSION */
 #endif /* __XEN_PDX_H__ */
 
 /*
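Review bot: in the !CONFIG_PDX_COMPRESSION branch the comment "directmap is indexed by by maddr" has a doubled "by", and the identity macros pdx_to_pfn(), pfn_to_pdx(), maddr_to_directmapoff() and directmapoff_to_maddr() accept and return any type. The compressed build declares directmapoff_to_maddr() as a static inline taking unsigned long and returning paddr_t (see the hunk header), so static inline identity functions with the same prototypes would keep type checking the same in both configurations.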
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 19 Oct 2023 07:22:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.618933.963264 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNMD-0000z3-Am; Thu, 19 Oct 2023 07:22:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 618933.963264; Thu, 19 Oct 2023 07:22:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNMD-0000yw-7u; Thu, 19 Oct 2023 07:22:13 +0000
Received: by outflank-mailman (input) for mailman id 618933;
 Thu, 19 Oct 2023 07:22:11 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNMB-0000ym-Pn
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:11 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNMB-0007UC-Os
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:11 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNMB-0006Co-Ml
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:11 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=Ku3ng1BAIWKytuMr203zAcPfCRtjGmCk+ttn0JgLydE=; b=FirloFovVbwHJV9xulhznUpi3b
	PEiSXDr4O+2yoWHO5K+c5U4N+noZ71HRmkK7WtXeruWiNT/njjBofqLge8pk+Sj9IBDu/oI6UvYMH
	zZiaLnwqmkkQteKomIqMtu5dhvEPdAairG+a16+k8kq9X3jlUdhPxHXvj0MgMC2YUTD8=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/amd: Address AMD erratum #1485
Message-Id: <E1qtNMB-0006Co-Ml@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:11 +0000

commit 26ea12d940b47689f0eab315afd84f8c6eb5bd81
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Fri Oct 13 16:38:01 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 15:44:31 2023 +0100

    x86/amd: Address AMD erratum #1485
    
    This erratum has been observed to cause #UD exceptions.
    
    Fix adapted off Linux's mailing list:
      https://lore.kernel.org/lkml/D99589F4-BC5D-430B-87B2-72C20370CF57@exactcode.com/T/#u
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/cpu/amd.c               | 22 ++++++++++++++++++++++
 xen/arch/x86/include/asm/amd.h       |  5 +++++
 xen/arch/x86/include/asm/msr-index.h |  1 +
 3 files changed, 28 insertions(+)

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index 4f27187f92..0f305312ff 100644
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -1004,6 +1004,27 @@ static void cf_check zen2_disable_c6(void *arg)
 	wrmsrl(MSR_AMD_CSTATE_CFG, val & mask);
 }
 
+static void amd_check_erratum_1485(void)
+{
+	uint64_t val, chickenbit = (1 << 5);
+
+	if (cpu_has_hypervisor || boot_cpu_data.x86 != 0x19 || !is_zen4_uarch())
+		return;
+
+	rdmsrl(MSR_AMD64_BP_CFG, val);
+
+	if (val & chickenbit)
+		return;
+
+	/*
+	 * BP_CFG is a core-scoped MSR. There's a benign race on this write
+	 * on the case where 2 threads perform the previous check at the
+	 * same time before the chickenbit is set. It's benign because the
+	 * value being written is the same on both.
+	 */
+	wrmsrl(MSR_AMD64_BP_CFG, val | chickenbit);
+}
+
 static void cf_check init_amd(struct cpuinfo_x86 *c)
 {
 	u32 l, h;
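Review bot: in amd_check_erratum_1485() the workaround bit is an unnamed local, "chickenbit = (1 << 5)". Please give it a named constant in msr-index.h beside MSR_AMD64_BP_CFG, built with _AC(1, ULL) like AMD64_DE_CFG_LFENCE_SERIALISE, so the bit can be searched for and the shift is done in a 64-bit type rather than int. A one-line comment on what the erratum causes (#UD, per the commit message) would also help.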
@@ -1271,6 +1292,7 @@ static void cf_check init_amd(struct cpuinfo_x86 *c)
 		disable_c1_ramping();
 
 	amd_check_zenbleed();
+	amd_check_erratum_1485();
 
 	if (zen2_c6_disabled)
 		zen2_disable_c6(NULL);
diff --git a/xen/arch/x86/include/asm/amd.h b/xen/arch/x86/include/asm/amd.h
index d862cb7972..0700827561 100644
--- a/xen/arch/x86/include/asm/amd.h
+++ b/xen/arch/x86/include/asm/amd.h
@@ -145,11 +145,16 @@
  * Hygon (Fam18h) but without simple model number rules.  Instead, use STIBP
  * as a heuristic that distinguishes the two.
  *
+ * For Zen3 and Zen4 (Fam19h) the heuristic is the presence of AutoIBRS, as
+ * it's Zen4-specific.
+ *
  * The caller is required to perform the appropriate vendor/family checks
  * first.
  */
 #define is_zen1_uarch() (!boot_cpu_has(X86_FEATURE_AMD_STIBP))
 #define is_zen2_uarch()   boot_cpu_has(X86_FEATURE_AMD_STIBP)
+#define is_zen3_uarch() (!boot_cpu_has(X86_FEATURE_AUTO_IBRS))
+#define is_zen4_uarch()   boot_cpu_has(X86_FEATURE_AUTO_IBRS)
 
 struct cpuinfo_x86;
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
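Review bot: is_zen3_uarch() and is_zen4_uarch() depend on AutoIBRS being visible, which a hypervisor may hide from a guest, so a virtualised Zen4 would be classified as Zen3. amd_check_erratum_1485() avoids this by returning early on cpu_has_hypervisor, but the comment above the macros only asks callers for vendor/family checks; please add that callers must also account for running virtualised.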
diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h
index 11ffed543a..7b3490bfb1 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -403,6 +403,7 @@
 #define MSR_AMD64_DE_CFG		0xc0011029
 #define AMD64_DE_CFG_LFENCE_SERIALISE	(_AC(1, ULL) << 1)
 #define MSR_AMD64_EX_CFG		0xc001102c
+#define MSR_AMD64_BP_CFG		0xc001102e
 #define MSR_AMD64_DE_CFG2		0xc00110e3
 
 #define MSR_AMD64_DR0_ADDRESS_MASK	0xc0011027
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:23 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 19 Oct 2023 07:22:23 +0000
Received: from list by lists.xenproject.org with outflank-mailman.618934.963268 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNMN-00011n-CO; Thu, 19 Oct 2023 07:22:23 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 618934.963268; Thu, 19 Oct 2023 07:22:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtNMN-00011e-9d; Thu, 19 Oct 2023 07:22:23 +0000
Received: by outflank-mailman (input) for mailman id 618934;
 Thu, 19 Oct 2023 07:22:21 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNML-00011R-Tz
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:21 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNML-0007UN-TB
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:21 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtNML-0006DD-R6
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 07:22:21 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=9ZsgME03KI4cKNkMGEIO5yRHK2mR/u4df/zWnNSaJwY=; b=5Yj69kYwaLTsOJh1mPc36X8kJf
	4ryZ7T3T2zVzkyqah0Ckc6wD/SwRQSIZ0c6dFkWlXDQDYJXjgIqE5pYZOFanwWbPkEO3L3lHVm1qq
	/6CMKkz0hOh0E7XBEPHN0z+1er9uR62/MBHavy9srMQEiAR+wpDAu5qXvch8EcyIRDAE=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] tools/pygrub: Fix pygrub's --entry flag for python3
Message-Id: <E1qtNML-0006DD-R6@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:21 +0000

commit 40387f62061c4b9c780cda78b4ac0e29d478f648
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Wed Oct 11 13:25:20 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 15:44:31 2023 +0100

    tools/pygrub: Fix pygrub's --entry flag for python3
    
    string.atoi() has been deprecated since Python 2.0, has a big scary warning
    in the python2.7 docs and is absent from python3 altogether. int() does the
    same thing and is compatible with both.
    
    See https://docs.python.org/2/library/string.html#string.atoi:
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 tools/pygrub/src/pygrub | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index dcdfc04ff0..541e562327 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -731,7 +731,7 @@ class Grub:
 def get_entry_idx(cf, entry):
     # first, see if the given entry is numeric
     try:
-        idx = string.atoi(entry)
+        idx = int(entry)
         return idx
     except ValueError:
         pass
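Review bot: get_entry_idx() returns int(entry) unchecked, and int() accepts more than plain digits: a leading sign, surrounding whitespace and, on python3, underscores ("1_0"). A negative value passes straight through as idx in the lines shown. Since the value comes from the --entry flag, consider checking that idx is within the range of available entries before returning it, or state in a comment that the caller does so.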
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:33 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/microcode: WARN->INFO for the "no ucode loading" log message
Message-Id: <E1qtNMV-0006Di-VK@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:31 +0000

commit f11cb1c247f849a68bb39722bc5d603352333200
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Wed Aug 30 16:53:23 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 16:03:26 2023 +0100

    x86/microcode: WARN->INFO for the "no ucode loading" log message
    
    Currently there's a printk statement triggered when no ucode loading
    facilities are discovered. This statement should have severity INFO rather
    than WARNING because it's not reporting anything wrong. Warnings ought
    to be reserved for recoverable system errors.
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/cpu/microcode/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index 9fcb9c1c3a..e5e03cad34 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -863,7 +863,7 @@ int __init early_microcode_init(unsigned long *module_map,
 
     if ( !ucode_ops.apply_microcode )
     {
-        printk(XENLOG_WARNING "Microcode loading not available\n");
+        printk(XENLOG_INFO "Microcode loading not available\n");
         return -ENODEV;
     }
 
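
Review bot: at the `XENLOG_INFO` line, the message gives no reason for the missing loader, while the function still returns `-ENODEV`. A host that boots without microcode loading may be running without vendor fixes, so consider stating why `ucode_ops.apply_microcode` is unset (unsupported vendor or family); the line then stays useful to someone auditing boot logs now that it is no longer a warning.
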
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:43 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/microcode: Ignore microcode loading interface for revision = -1
Message-Id: <E1qtNMg-0006EI-48@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:42 +0000

commit 0df74ee09b605918530680b4d90e36b6c2e1dc9f
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Wed Aug 30 16:53:24 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 16:03:33 2023 +0100

    x86/microcode: Ignore microcode loading interface for revision = -1
    
    Some hypervisors report ~0 as the microcode revision to mean "don't issue
    microcode updates". Ignore the microcode loading interface in that case.
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/cpu/microcode/core.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index e5e03cad34..01f1dd4710 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -867,10 +867,23 @@ int __init early_microcode_init(unsigned long *module_map,
         return -ENODEV;
     }
 
-    microcode_grab_module(module_map, mbi);
-
     ucode_ops.collect_cpu_info();
 
+    /*
+     * Some hypervisors deliberately report a microcode revision of -1 to
+     * mean that they will not accept microcode updates. We take the hint
+     * and ignore the microcode interface in that case.
+     */
+    if ( this_cpu(cpu_sig).rev == ~0 )
+    {
+        printk(XENLOG_INFO "Microcode loading disabled due to: %s\n",
+               "rev = ~0");
+        ucode_ops.apply_microcode = NULL;
+        return -ENODEV;
+    }
+
+    microcode_grab_module(module_map, mbi);
+
     if ( ucode_mod.mod_end || ucode_blob.size )
         rc = early_microcode_update_cpu();
 
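
Review bot: the new check `this_cpu(cpu_sig).rev == ~0` compares against a plain `int` literal and relies on implicit conversion to the type of `rev`, which this hunk does not show; a named constant or `~0U` would make the intended all-ones value explicit. Also note that the early return now sits before `microcode_grab_module()`, so a microcode module handed over by the bootloader is never claimed on this path; please confirm nothing later expects `ucode_mod` to be populated.
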
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:22:53 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86: Read MSR_ARCH_CAPS immediately after early_microcode_init()
Message-Id: <E1qtNMq-0006El-7J@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:22:52 +0000

commit 001e8678dc2a9afcd8af8151b1ce162ac0c0fcc3
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Wed Aug 30 16:53:25 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 16:03:33 2023 +0100

    x86: Read MSR_ARCH_CAPS immediately after early_microcode_init()
    
    Move MSR_ARCH_CAPS read code from tsx_init() to early_cpu_init(). Because
    microcode updates might make that MSR appear/have different values
    we also must reload it after a microcode update in early_microcode_init().
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/cpu/common.c         | 20 +++++++++++++++-----
 xen/arch/x86/cpu/microcode/core.c |  9 +++++++++
 xen/arch/x86/include/asm/setup.h  |  2 +-
 xen/arch/x86/setup.c              |  2 +-
 xen/arch/x86/tsx.c                | 16 ++++------------
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index 6fada384a1..3fd4fd0654 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -299,7 +299,7 @@ static inline u32 phys_pkg_id(u32 cpuid_apic, int index_msb)
 
    WARNING: this function is only called on the BP.  Don't add code here
    that is supposed to run on all CPUs. */
-void __init early_cpu_init(void)
+void __init early_cpu_init(bool verbose)
 {
 	struct cpuinfo_x86 *c = &boot_cpu_data;
 	u32 eax, ebx, ecx, edx;
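
Review bot: the new `verbose` parameter is not described in the comment block above `early_cpu_init()`. Please say there that the function is now called a second time with `verbose == false` to re-probe after a microcode load, and which output the flag suppresses.
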
@@ -320,6 +320,8 @@ void __init early_cpu_init(void)
 	case X86_VENDOR_SHANGHAI: this_cpu = &shanghai_cpu_dev; break;
 	case X86_VENDOR_HYGON:    this_cpu = &hygon_cpu_dev;    break;
 	default:
+		if (!verbose)
+			break;
 		printk(XENLOG_ERR
 		       "Unrecognised or unsupported CPU vendor '%.12s'\n",
 		       c->x86_vendor_id);
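
Review bot: in the `default:` arm, `if (!verbose) break;` leaves the arm before the printk() and also before anything that follows it, which this hunk does not show. If the rest of the arm does more than log, guard only the printk() with `if (verbose)`, the way the CPU banner further down is guarded.
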
@@ -336,10 +338,13 @@ void __init early_cpu_init(void)
 	c->x86_capability[FEATURESET_1d] = edx;
 	c->x86_capability[FEATURESET_1c] = ecx;
 
-	printk(XENLOG_INFO
-	       "CPU Vendor: %s, Family %u (%#x), Model %u (%#x), Stepping %u (raw %08x)\n",
-	       x86_cpuid_vendor_to_str(c->x86_vendor), c->x86, c->x86,
-	       c->x86_model, c->x86_model, c->x86_mask, eax);
+	if (verbose)
+		printk(XENLOG_INFO
+		       "CPU Vendor: %s, Family %u (%#x), "
+		       "Model %u (%#x), Stepping %u (raw %08x)\n",
+		       x86_cpuid_vendor_to_str(c->x86_vendor), c->x86,
+		       c->x86, c->x86_model, c->x86_model, c->x86_mask,
+		       eax);
 
 	if (c->cpuid_level >= 7) {
 		uint32_t max_subleaf;
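
Review bot: the re-indented printk() splits the format string across two lines (`"... Family %u (%#x), "` followed by `"Model %u (%#x), ..."`), so the boot banner can no longer be found by grepping the source for the full message. Keeping the format on one line, as before, is preferable even if it runs past the column limit.
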
@@ -348,6 +353,11 @@ void __init early_cpu_init(void)
 			    &c->x86_capability[FEATURESET_7c0],
 			    &c->x86_capability[FEATURESET_7d0]);
 
+		if (test_bit(X86_FEATURE_ARCH_CAPS, c->x86_capability))
+			rdmsr(MSR_ARCH_CAPABILITIES,
+			      c->x86_capability[FEATURESET_m10Al],
+			      c->x86_capability[FEATURESET_m10Ah]);
+
 		if (max_subleaf >= 1)
 			cpuid_count(7, 1, &eax, &ebx, &ecx,
 				    &c->x86_capability[FEATURESET_7d1]);
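
Review bot: when `X86_FEATURE_ARCH_CAPS` is not set, the `FEATURESET_m10Al`/`FEATURESET_m10Ah` words are left untouched rather than cleared. Since this function now runs twice, an explicit `else` that zeroes both words, or a comment saying why that cannot matter, would make the re-probe self-contained; tsx_init() relies on these bits being current.
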
diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index 01f1dd4710..b3df4d40e6 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -887,5 +887,14 @@ int __init early_microcode_init(unsigned long *module_map,
     if ( ucode_mod.mod_end || ucode_blob.size )
         rc = early_microcode_update_cpu();
 
+    /*
+     * Some CPUID leaves and MSRs are only present after microcode updates
+     * on some processors. We take the chance here to make sure what little
+     * state we have already probed is re-probed in order to ensure we do
+     * not use stale values. tsx_init() in particular needs to have up to
+     * date MSR_ARCH_CAPS.
+     */
+    early_cpu_init(false);
+
     return rc;
 }
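
Review bot: `early_cpu_init(false)` re-runs the whole early probe, not only the CPUID leaf 7 and MSR_ARCH_CAPS reads the comment talks about, and it does so whether or not `early_microcode_update_cpu()` was called or succeeded. Please confirm every step of `early_cpu_init()` is safe to repeat, or re-probe only when an update was actually applied.
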
diff --git a/xen/arch/x86/include/asm/setup.h b/xen/arch/x86/include/asm/setup.h
index dfdd9e5551..9a460e4db8 100644
--- a/xen/arch/x86/include/asm/setup.h
+++ b/xen/arch/x86/include/asm/setup.h
@@ -15,7 +15,7 @@ extern uint64_t boot_tsc_stamp;
 
 extern void *stack_start;
 
-void early_cpu_init(void);
+void early_cpu_init(bool verbose);
 void early_time_init(void);
 
 void set_nr_cpu_ids(unsigned int max_cpus);
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 08ba1f95d6..a3d3f797bb 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1214,7 +1214,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
         panic("Bootloader provided no memory information\n");
 
     /* This must come before e820 code because it sets paddr_bits. */
-    early_cpu_init();
+    early_cpu_init(true);
 
     /* Choose shadow stack early, to set infrastructure up appropriately. */
     if ( !boot_cpu_has(X86_FEATURE_CET_SS) )
diff --git a/xen/arch/x86/tsx.c b/xen/arch/x86/tsx.c
index 80c6f4cedd..50d8059f23 100644
--- a/xen/arch/x86/tsx.c
+++ b/xen/arch/x86/tsx.c
@@ -39,9 +39,10 @@ void tsx_init(void)
     static bool __read_mostly once;
 
     /*
-     * This function is first called between microcode being loaded, and CPUID
-     * being scanned generally.  Read into boot_cpu_data.x86_capability[] for
-     * the cpu_has_* bits we care about using here.
+     * This function is first called between microcode being loaded, and
+     * CPUID being scanned generally. early_cpu_init() has already prepared
+     * the feature bits needed here. And early_microcode_init() has ensured
+     * they are not stale after the microcode update.
      */
     if ( unlikely(!once) )
     {
@@ -49,15 +50,6 @@ void tsx_init(void)
 
         once = true;
 
-        if ( boot_cpu_data.cpuid_level >= 7 )
-            boot_cpu_data.x86_capability[FEATURESET_7d0]
-                = cpuid_count_edx(7, 0);
-
-        if ( cpu_has_arch_caps )
-            rdmsr(MSR_ARCH_CAPABILITIES,
-                  boot_cpu_data.x86_capability[FEATURESET_m10Al],
-                  boot_cpu_data.x86_capability[FEATURESET_m10Ah]);
-
         has_rtm_always_abort = cpu_has_rtm_always_abort;
 
         if ( cpu_has_tsx_ctrl && cpu_has_srbds_ctrl )
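
Review bot: with the local `cpuid_count_edx(7, 0)` and `rdmsr(MSR_ARCH_CAPABILITIES, ...)` reads removed, `has_rtm_always_abort` and the `cpu_has_tsx_ctrl && cpu_has_srbds_ctrl` test depend entirely on `early_cpu_init()` having run after any microcode load. Nothing in this function enforces that ordering; an assertion, or a comment at the call site of `tsx_init()`, would stop a later reordering from silently feeding stale feature bits into the TSX setup.
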
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 07:23:03 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/microcode: Disable microcode update handler if DIS_MCU_UPDATE is set
Message-Id: <E1qtNN0-0006FR-Ak@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 07:23:02 +0000

commit 7c3616e6f1aa541884410c6430e3c8986cf0973c
Author:     Alejandro Vallejo <alejandro.vallejo@cloud.com>
AuthorDate: Wed Aug 30 16:53:26 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Wed Oct 18 16:03:33 2023 +0100

    x86/microcode: Disable microcode update handler if DIS_MCU_UPDATE is set
    
    If IA32_MSR_MCU_CONTROL exists then it's possible a CPU may be unable to
    perform microcode updates. This is controlled through the DIS_MCU_LOAD bit
    and is intended for baremetal clouds where the owner may not trust the
    tenant to choose the microcode version in use. If we notice that bit being
    set then simply disable the "apply_microcode" handler so we can't even try
    to perform an update (as it's known to be silently dropped).
    
    While at it, remove the Intel family check, as microcode loading is
    supported on every Intel64 CPU.
    
    Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/cpu/microcode/core.c     | 20 ++++++++++++++------
 xen/arch/x86/cpu/microcode/intel.c    | 13 +++++++++++++
 xen/arch/x86/cpu/microcode/private.h  |  7 +++++++
 xen/arch/x86/include/asm/cpufeature.h |  1 +
 xen/arch/x86/include/asm/msr-index.h  |  5 +++++
 5 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index b3df4d40e6..65ebeb50de 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -847,17 +847,21 @@ int __init early_microcode_init(unsigned long *module_map,
 {
     const struct cpuinfo_x86 *c = &boot_cpu_data;
     int rc = 0;
+    bool can_load = false;
 
     switch ( c->x86_vendor )
     {
     case X86_VENDOR_AMD:
         if ( c->x86 >= 0x10 )
+        {
             ucode_ops = amd_ucode_ops;
+            can_load = true;
+        }
         break;
 
     case X86_VENDOR_INTEL:
-        if ( c->x86 >= 6 )
-            ucode_ops = intel_ucode_ops;
+        ucode_ops = intel_ucode_ops;
+        can_load = intel_can_load_microcode();
         break;
     }
 
@@ -871,13 +875,17 @@ int __init early_microcode_init(unsigned long *module_map,
 
     /*
      * Some hypervisors deliberately report a microcode revision of -1 to
-     * mean that they will not accept microcode updates. We take the hint
-     * and ignore the microcode interface in that case.
+     * mean that they will not accept microcode updates.
+     *
+     * It's also possible the hardware might have built-in support to disable
+     * updates and someone (e.g: a baremetal cloud provider) disabled them.
+     *
+     * Take the hint in either case and ignore the microcode interface.
      */
-    if ( this_cpu(cpu_sig).rev == ~0 )
+    if ( this_cpu(cpu_sig).rev == ~0 || !can_load )
     {
         printk(XENLOG_INFO "Microcode loading disabled due to: %s\n",
-               "rev = ~0");
+               can_load ? "rev = ~0" : "HW toggle");
         ucode_ops.apply_microcode = NULL;
         return -ENODEV;
     }
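
Review bot: in the printk(), the reason string "HW toggle" does not tell an operator which control disabled loading. Naming the bit (DIS_MCU_LOAD in MSR_MCU_CONTROL) would let someone reading the boot log distinguish a platform-owner lockout from the hypervisor `rev = ~0` hint. When both conditions hold, only "HW toggle" is reported; that is acceptable but worth a word in the comment above.
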
diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcode/intel.c
index 8d4d6574aa..060c529a6e 100644
--- a/xen/arch/x86/cpu/microcode/intel.c
+++ b/xen/arch/x86/cpu/microcode/intel.c
@@ -385,6 +385,19 @@ static struct microcode_patch *cf_check cpu_request_microcode(
     return patch;
 }
 
+bool __init intel_can_load_microcode(void)
+{
+    uint64_t mcu_ctrl;
+
+    if ( !cpu_has_mcu_ctrl )
+        return true;
+
+    rdmsrl(MSR_MCU_CONTROL, mcu_ctrl);
+
+    /* If DIS_MCU_LOAD is set applying microcode updates won't work */
+    return !(mcu_ctrl & MCU_CONTROL_DIS_MCU_LOAD);
+}
+
 const struct microcode_ops __initconst_cf_clobber intel_ucode_ops = {
     .cpu_request_microcode            = cpu_request_microcode,
     .collect_cpu_info                 = collect_cpu_info,
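
Review bot: `intel_can_load_microcode()` is `__init` and reads `MSR_MCU_CONTROL` once on the CPU that runs it, so the answer reflects only that CPU at boot; please state that assumption in the function comment. It tests only `MCU_CONTROL_DIS_MCU_LOAD` and ignores `MCU_CONTROL_LOCK`; if the lock bit matters for whether the setting can still change, document why it is not consulted. The result also depends on `cpu_has_mcu_ctrl` being populated before the caller's vendor switch runs, which deserves a comment at the call site.
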
diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microcode/private.h
index 626aeb4d08..d80787205a 100644
--- a/xen/arch/x86/cpu/microcode/private.h
+++ b/xen/arch/x86/cpu/microcode/private.h
@@ -60,6 +60,13 @@ struct microcode_ops {
         const struct microcode_patch *new, const struct microcode_patch *old);
 };
 
+/**
+ * Checks whether we can perform microcode updates on this Intel system
+ *
+ * @return True iff the microcode update facilities are enabled
+ */
+bool intel_can_load_microcode(void);
+
 extern const struct microcode_ops amd_ucode_ops, intel_ucode_ops;
 
 #endif /* ASM_X86_MICROCODE_PRIVATE_H */
diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
index 0825343945..213c184b1c 100644
--- a/xen/arch/x86/include/asm/cpufeature.h
+++ b/xen/arch/x86/include/asm/cpufeature.h
@@ -201,6 +201,7 @@ static inline bool boot_cpu_has(unsigned int feat)
 #define cpu_has_if_pschange_mc_no boot_cpu_has(X86_FEATURE_IF_PSCHANGE_MC_NO)
 #define cpu_has_tsx_ctrl        boot_cpu_has(X86_FEATURE_TSX_CTRL)
 #define cpu_has_taa_no          boot_cpu_has(X86_FEATURE_TAA_NO)
+#define cpu_has_mcu_ctrl        boot_cpu_has(X86_FEATURE_MCU_CTRL)
 #define cpu_has_fb_clear        boot_cpu_has(X86_FEATURE_FB_CLEAR)
 #define cpu_has_rrsba           boot_cpu_has(X86_FEATURE_RRSBA)
 #define cpu_has_gds_ctrl        boot_cpu_has(X86_FEATURE_GDS_CTRL)
diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h
index 7b3490bfb1..82a81bd0a2 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -183,6 +183,11 @@
 #define MSR_PM_CTL1                         0x00000db1
 #define  PM_CTL1_HDC_ALLOW_BLOCK            BIT(0, ULL)
 
+#define MSR_MCU_CONTROL                     0x00001406
+#define  MCU_CONTROL_LOCK                   (_AC(1, ULL) <<  0)
+#define  MCU_CONTROL_DIS_MCU_LOAD           (_AC(1, ULL) <<  1)
+#define  MCU_CONTROL_EN_SMM_BYPASS          (_AC(1, ULL) <<  2)
+
 #define MSR_UARCH_MISC_CTRL                 0x00001b01
 #define  UARCH_CTRL_DOITM                   (_AC(1, ULL) <<  0)
 
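
Review bot: the bit this patch enforces is named `MCU_CONTROL_DIS_MCU_LOAD` here, while the patch subject calls it DIS_MCU_UPDATE; please align the subject with the define. `MCU_CONTROL_LOCK` and `MCU_CONTROL_EN_SMM_BYPASS` are defined but not used anywhere in this patch, which is fine for a register description but worth mentioning in the commit message.
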
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 23:11:08 2023
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86/pvh: fix identity mapping of low 1MB
Message-Id: <E1qtcAP-0002MJ-UN@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 23:11:01 +0000

commit 4bb882fe6e4430782101fe06379649df1bbd458a
Author:     Roger Pau Monné <roger.pau@citrix.com>
AuthorDate: Thu Oct 19 09:52:43 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Thu Oct 19 09:52:43 2023 +0200

    x86/pvh: fix identity mapping of low 1MB
    
    The mapping of memory regions below the 1MB mark was all done by the PVH dom0
    builder code, causing the region to be avoided by the arch specific IOMMU
    hardware domain initialization code.  That led to the IOMMU being enabled
    without reserved regions in the low 1MB identity mapped in the p2m for PVH
    hardware domains.  Firmware which happens to be missing RMRR/IVMD ranges
    describing E820 reserved regions in the low 1MB would transiently trigger IOMMU
    faults until the p2m is populated by the PVH dom0 builder:
    
    AMD-Vi: IO_PAGE_FAULT: 0000:00:13.1 d0 addr 00000000000eb380 flags 0x20 RW
    AMD-Vi: IO_PAGE_FAULT: 0000:00:13.1 d0 addr 00000000000eb340 flags 0
    AMD-Vi: IO_PAGE_FAULT: 0000:00:13.2 d0 addr 00000000000ea1c0 flags 0
    AMD-Vi: IO_PAGE_FAULT: 0000:00:14.5 d0 addr 00000000000eb480 flags 0x20 RW
    AMD-Vi: IO_PAGE_FAULT: 0000:00:12.0 d0 addr 00000000000eb080 flags 0x20 RW
    AMD-Vi: IO_PAGE_FAULT: 0000:00:14.5 d0 addr 00000000000eb400 flags 0
    AMD-Vi: IO_PAGE_FAULT: 0000:00:12.0 d0 addr 00000000000eb040 flags 0
    
    Those errors have been observed on the osstest pinot{0,1} boxes (AMD Fam15h
    Opteron(tm) Processor 3350 HE).
    
    Rely on the IOMMU arch init code to create any identity mappings for reserved
    regions in the low 1MB range (like it already does for reserved regions
    elsewhere), and leave the mapping of any holes to be performed by the dom0
    builder code.
    
    Fixes: 6b4f6a31ace1 ('x86/PVH: de-duplicate mappings for first Mb of Dom0 memory')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/arch/x86/hvm/dom0_build.c       | 7 ++++---
 xen/drivers/passthrough/x86/iommu.c | 8 +-------
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c
index bc0e290db6..c7d47d0d4c 100644
--- a/xen/arch/x86/hvm/dom0_build.c
+++ b/xen/arch/x86/hvm/dom0_build.c
@@ -449,7 +449,7 @@ static int __init pvh_populate_p2m(struct domain *d)
         }
     }
 
-    /* Non-RAM regions of space below 1MB get identity mapped. */
+    /* Identity map everything below 1MB that's not already mapped. */
     for ( i = rc = 0; i < MB1_PAGES; ++i )
     {
         p2m_type_t p2mt;
@@ -459,8 +459,9 @@ static int __init pvh_populate_p2m(struct domain *d)
             rc = set_mmio_p2m_entry(d, _gfn(i), _mfn(i), PAGE_ORDER_4K);
         else
             /*
-             * If the p2m entry is already set it must belong to a RMRR and
-             * already be identity mapped, or be a RAM region.
+             * If the p2m entry is already set it must belong to a reserved
+             * region (e.g. RMRR/IVMD) and be identity mapped, or else be a
+             * RAM region.
              */
             ASSERT(p2mt == p2m_ram_rw || mfn_eq(mfn, _mfn(i)));
         put_gfn(d, i);
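
Review bot: the `ASSERT(p2mt == p2m_ram_rw || mfn_eq(mfn, _mfn(i)))` in the `else` branch is the only check that an already-present entry is RAM or identity mapped, and ASSERT() is compiled out of non-debug builds. Now that the IOMMU init code is relied on to map reserved regions below 1MB ahead of this loop, consider a runtime check that logs or fails dom0 construction when an unexpected mapping is found.
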
diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c
index c85549ccad..857dccb6a4 100644
--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -400,13 +400,7 @@ void __hwdom_init arch_iommu_hwdom_init(struct domain *d)
     max_pfn = (GB(4) >> PAGE_SHIFT) - 1;
     top = max(max_pdx, pfn_to_pdx(max_pfn) + 1);
 
-    /*
-     * First Mb will get mapped in one go by pvh_populate_p2m(). Avoid
-     * setting up potentially conflicting mappings here.
-     */
-    start = paging_mode_translate(d) ? PFN_DOWN(MB(1)) : 0;
-
-    for ( i = pfn_to_pdx(start), count = 0; i < top; )
+    for ( i = 0, start = 0, count = 0; i < top; )
     {
         unsigned long pfn = pdx_to_pfn(i);
         unsigned int perms = hwdom_iommu_map(d, pfn, max_pfn);
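Review bot: the deleted comment was the only record in this function of how the first MB is coordinated with pvh_populate_p2m(), and the new loop header `for ( i = 0, start = 0, count = 0; i < top; )` carries none. Add a short comment saying that the range below 1MB is now processed here as well and that any remaining holes are identity mapped by the dom0 builder, so the dependency between the two functions stays documented next to the code.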
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 19 23:11:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 19 Oct 2023 23:11:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.619598.964945 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtcAb-0000Kq-9o; Thu, 19 Oct 2023 23:11:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 619598.964945; Thu, 19 Oct 2023 23:11:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtcAb-0000Ki-6j; Thu, 19 Oct 2023 23:11:13 +0000
Received: by outflank-mailman (input) for mailman id 619598;
 Thu, 19 Oct 2023 23:11:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtcAa-0000KX-3b
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 23:11:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtcAa-0007EH-2O
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 23:11:12 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtcAa-0002OP-1Q
 for xen-changelog@lists.xenproject.org; Thu, 19 Oct 2023 23:11:12 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=ozWKS9Z3i675BUOwo3DZEzQ3S38Zflmp9epGfeP/Uek=; b=FLAyAgY8RkkmOdBbsEcZGJfNFh
	GQtbGFo+jr+h1Q57hl5S20sn713zTnep5YnuvydZbfdf1au4ASxvYfJt31nZikY2r1IlqxkBuuoOh
	AHU3GHVUisS/WlIlp5HHn1VSR1H0fj7G1Mv6ooNF7wtHmroH6xmBwH6x7bXI2cj9YTDw=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] console: make input work again for pv-shim
Message-Id: <E1qtcAa-0002OP-1Q@xenbits.xenproject.org>
Date: Thu, 19 Oct 2023 23:11:12 +0000

commit 698b0f5031c6083401234a9b9415175cc5855a0a
Author:     Manuel Bouyer <bouyer@antioche.eu.org>
AuthorDate: Thu Oct 19 09:54:50 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Thu Oct 19 09:54:50 2023 +0200

    console: make input work again for pv-shim
    
    The use of rcu_lock_domain_by_id() right in switch_serial_input() makes
    assumptions about domain IDs which don't hold when in shim mode: The
    sole (initial) domain there has a non-zero ID. Obtain the real domain ID
    in that case (generalized as get_initial_domain_id() returns zero when
    not in shim mode).
    
    Note that console_input_domain() isn't altered, for not being used when
    in shim mode (or more generally on x86).
    
    Fixes: c2581c58bec9 ("xen/console: skip switching serial input to non existing domains")
    Signed-off-by: Manuel Bouyer <bouyer@antioche.eu.org>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/drivers/char/console.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index f81b8b6b47..6b679c5eac 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -468,7 +468,7 @@ static void cf_check dump_console_ring_key(unsigned char key)
 #define switch_code (opt_conswitch[0]-'a'+1)
 /*
  * console_rx=0 => input to xen
- * console_rx=1 => input to dom0
+ * console_rx=1 => input to dom0 (or the sole shim domain)
  * console_rx=N => input to dom(N-1)
  */
 static unsigned int __read_mostly console_rx = 0;
@@ -493,6 +493,7 @@ static void switch_serial_input(void)
      */
     for ( ; ; )
     {
+        domid_t domid;
         struct domain *d;
 
         if ( next_rx++ >= max_console_rx )
@@ -502,12 +503,18 @@ static void switch_serial_input(void)
             break;
         }
 
-        d = rcu_lock_domain_by_id(next_rx - 1);
+#ifdef CONFIG_PV_SHIM
+        if ( next_rx == 1 )
+            domid = get_initial_domain_id();
+        else
+#endif
+            domid = next_rx - 1;
+        d = rcu_lock_domain_by_id(domid);
         if ( d )
         {
             rcu_unlock_domain(d);
             console_rx = next_rx;
-            printk("*** Serial input to DOM%u", next_rx - 1);
+            printk("*** Serial input to DOM%u", domid);
             break;
         }
     }
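Review bot: the `#ifdef CONFIG_PV_SHIM` block ends in a dangling `else`, so `domid = next_rx - 1;` is an else branch in one configuration and an unconditional statement in the other, which is easy to break in a later edit. The commit message says get_initial_domain_id() returns zero when not in shim mode; if it is callable in all builds, `domid = next_rx == 1 ? get_initial_domain_id() : next_rx - 1;` without the #ifdef would be simpler. It would also help to say whether, in shim mode, the sole domain can be selected a second time when next_rx - 1 equals its real ID.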
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:08 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:08 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620443.965870 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyDr-0006ZQ-Vn; Fri, 20 Oct 2023 22:44:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620443.965870; Fri, 20 Oct 2023 22:44:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyDr-0006ZI-T0; Fri, 20 Oct 2023 22:44:03 +0000
Received: by outflank-mailman (input) for mailman id 620443;
 Fri, 20 Oct 2023 22:44:02 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyDq-0006Z8-1C
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:02 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyDq-0000LK-0M
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:02 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyDp-0000Mo-Tu
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=3N0ZqibTtMLLF4le15X6Az4FnkhPaMMpwZdYrncxTH0=; b=D+NoJb1PuBd8zUb7avri/Ommmt
	W27dC5tvkCg8guDALMdN6+UFHWSjSE2wtoQZbzgQCVBZj5MgyY3Jv3ZQGbKahyoRE+BlqCM+uVtb6
	X+1McC6W/rZHzhzKvhyDacxemi5e3PKUnFNj+PHMFuUij/2KuPcM6mS8FxsiYUE4qJsU=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] automation: include real-time view of the domU console log too
Message-Id: <E1qtyDp-0000Mo-Tu@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:01 +0000

commit dfe5bfc3d55811e285c9198febf3230eecc7f837
Author:     Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
AuthorDate: Fri Oct 6 04:05:15 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    automation: include real-time view of the domU console log too
    
    Pass through the domU console log to the serial console in real time, not
    only after the test. First of all, this gives the domU console also in case
    of test failure. But it also allows correlation between domU and dom0 or
    Xen messages.
    
    To avoid ambiguity, add log prefix with 'sed'.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/scripts/qubes-x86-64.sh | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/automation/scripts/qubes-x86-64.sh b/automation/scripts/qubes-x86-64.sh
index 5f6052eef0..1e84e40a4a 100755
--- a/automation/scripts/qubes-x86-64.sh
+++ b/automation/scripts/qubes-x86-64.sh
@@ -33,8 +33,6 @@ echo \"${passed}\"
 until grep -q \"${passed}\" /var/log/xen/console/guest-domU.log; do
     sleep 1
 done
-# get domU console content into test log
-tail -n 100 /var/log/xen/console/guest-domU.log
 echo \"${passed}\"
 "
 if [ "${test_variant}" = "dom0pvh" ]; then
@@ -59,8 +57,6 @@ echo deep > /sys/power/mem_sleep
 echo mem > /sys/power/state
 # now wait for resume
 sleep 5
-# get domU console content into test log
-tail -n 100 /var/log/xen/console/guest-domU.log
 xl list
 xl dmesg | grep 'Finishing wakeup from ACPI S3 state' || exit 1
 # check if domU is still alive
@@ -121,7 +117,6 @@ echo \"${passed}\"
 until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do
     sleep 1
 done
-tail -n 100 /var/log/xen/console/guest-domU.log
 "
 fi
 
@@ -169,6 +164,8 @@ ifconfig eth0 up
 ifconfig xenbr0 up
 ifconfig xenbr0 192.168.0.1
 
+# get domU console content into test log
+tail -F /var/log/xen/console/guest-domU.log 2>/dev/null | sed -e \"s/^/(domU) /\" &
 xl create /etc/xen/domU.cfg
 ${dom0_check}
 " > etc/local.d/xen.start
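 etc/local.d">
Review bot: the added `tail -F ... | sed ... &` pipeline is backgrounded with tail's stderr sent to /dev/null and no PID kept, so a wrong log path or a tail that dies leaves no trace in the test log. If the redirect is there because the log file does not exist until `xl create` runs, say so in the comment above it, and consider keeping `$!` so the follower can be stopped once `${dom0_check}` has finished.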
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:14 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:14 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620444.965873 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyE2-0006bS-0a; Fri, 20 Oct 2023 22:44:14 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620444.965873; Fri, 20 Oct 2023 22:44:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyE1-0006bL-UO; Fri, 20 Oct 2023 22:44:13 +0000
Received: by outflank-mailman (input) for mailman id 620444;
 Fri, 20 Oct 2023 22:44:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyE0-0006b6-4i
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyE0-0000Li-3w
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:12 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyE0-0000Nf-2R
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:12 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=tLvFniMyXSofGeA5oxmw2BwgS/6YLiG+UyXiJgzuoV4=; b=oihU8bieyjTeKJBZ7Ncfn9qwg8
	C+nYE3Sg77DFxWUIPs14ei0cNHsDPCRsRnFNYldzyR5KFsss0rwvsmnRbcx5NE92/SIjiHsJ7WbpT
	T6+TVhH2OabbnsBOrsAL7ONmruNh+CjmnO8VWcAltebb236ndFgiTMkl/X2hMopBMQ6k=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] automation: hide timeout countdown in log
Message-Id: <E1qtyE0-0000Nf-2R@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:12 +0000

commit 052813b1d23b0d148da1c39f2b7e4aacdba06bca
Author:     Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
AuthorDate: Fri Oct 6 04:05:16 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    automation: hide timeout countdown in log
    
    grep+sleep message every 1s makes job log unnecessarily hard to read.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/scripts/qubes-x86-64.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/automation/scripts/qubes-x86-64.sh b/automation/scripts/qubes-x86-64.sh
index 1e84e40a4a..cfe9247a26 100755
--- a/automation/scripts/qubes-x86-64.sh
+++ b/automation/scripts/qubes-x86-64.sh
@@ -30,9 +30,11 @@ done
 echo \"${passed}\"
 "
     dom0_check="
+set +x
 until grep -q \"${passed}\" /var/log/xen/console/guest-domU.log; do
     sleep 1
 done
+set -x
 echo \"${passed}\"
 "
 if [ "${test_variant}" = "dom0pvh" ]; then
@@ -222,10 +224,12 @@ if [ -n "$wait_and_wakeup" ]; then
     ssh $CONTROLLER wake
 fi
 
+set +x
 until grep "^Welcome to Alpine Linux" smoke.serial || [ $timeout -le 0 ]; do
     sleep 1;
     : $((--timeout))
 done
+set -x
 
 tail -n 100 smoke.serial
 
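Review bot: `set -x` after the `until` loop turns tracing on unconditionally instead of restoring the state that was in effect before `set +x`, so the loop changes behaviour if the script is ever run without tracing. Either record the state first (for example by testing `$-` for `x`) or add a comment that tracing is known to be enabled at this point; the same applies to the pair added inside dom0_check.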
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:23 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:23 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620446.965878 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEB-0006e5-23; Fri, 20 Oct 2023 22:44:23 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620446.965878; Fri, 20 Oct 2023 22:44:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEA-0006dx-Vp; Fri, 20 Oct 2023 22:44:22 +0000
Received: by outflank-mailman (input) for mailman id 620446;
 Fri, 20 Oct 2023 22:44:22 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEA-0006dn-8C
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:22 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEA-0000Lp-7M
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:22 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEA-0000OA-5v
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:22 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=57Y+h38hBxzt7rxMN2UmBI1PhR9hpAYu1F7oRuw55EI=; b=jUq47aZUO9AlJgTkJgD2M3dk9E
	gF3HDu3C4O2Pap74FiTlPj8BkBy1+Lyk/qxcwvBDiWoAYttaPSVhx/AdVCPGfYHBexduIBnRz9CXb
	a6kUnsV1rJ497lKY46ygevHGbBViwRxx3FDwwnGgYvoQVHUJwYHzYZFoG8kfHS4uH8sc=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] automation: cleanup test alpine install
Message-Id: <E1qtyEA-0000OA-5v@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:22 +0000

commit 9c34956b1916b2fcc2de8022b4d94202e46f1026
Author:     Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
AuthorDate: Fri Oct 6 04:05:17 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    automation: cleanup test alpine install
    
    Remove parts of initramfs for the test system (domU, and in a few tests
    dom0 too) that are not working and are not really needed in this
    simple system.
    
    This makes the test log much lighter on misleading error messages.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/tests-artifacts/alpine/3.18.dockerfile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/automation/tests-artifacts/alpine/3.18.dockerfile b/automation/tests-artifacts/alpine/3.18.dockerfile
index 32aa8e1778..333951d05e 100644
--- a/automation/tests-artifacts/alpine/3.18.dockerfile
+++ b/automation/tests-artifacts/alpine/3.18.dockerfile
@@ -40,7 +40,6 @@ RUN \
   rc-update add udev && \
   rc-update add udev-trigger && \
   rc-update add udev-settle && \
-  rc-update add networking sysinit && \
   rc-update add loopback sysinit && \
   rc-update add bootmisc boot && \
   rc-update add devfs sysinit && \
@@ -48,18 +47,17 @@ RUN \
   rc-update add hostname boot && \
   rc-update add hwclock boot && \
   rc-update add hwdrivers sysinit && \
-  rc-update add killprocs shutdown && \
-  rc-update add modloop sysinit && \
   rc-update add modules boot && \
+  rc-update add killprocs shutdown && \
   rc-update add mount-ro shutdown && \
   rc-update add savecache shutdown && \
-  rc-update add sysctl boot && \
   rc-update add local default && \
   cp -a /sbin/init /init && \
   echo "ttyS0" >> /etc/securetty && \
   echo "hvc0" >> /etc/securetty && \
   echo "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100" >> /etc/inittab && \
   echo "hvc0::respawn:/sbin/getty -L hvc0 115200 vt100" >> /etc/inittab && \
+  echo > /etc/modules && \
   passwd -d "root" root && \
   \
   # Create rootfs
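Review bot: `echo > /etc/modules` writes a file containing a single newline rather than an empty file; `: > /etc/modules` truncates it and states the intent more directly. The `rc-update add killprocs shutdown` line is only moved, which adds noise to a cleanup patch, and the commit message would be easier to audit if it named the dropped services (networking, modloop, sysctl) and why each is not needed.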
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:33 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:33 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620447.965882 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEL-0006gQ-3U; Fri, 20 Oct 2023 22:44:33 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620447.965882; Fri, 20 Oct 2023 22:44:33 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEL-0006gI-0w; Fri, 20 Oct 2023 22:44:33 +0000
Received: by outflank-mailman (input) for mailman id 620447;
 Fri, 20 Oct 2023 22:44:32 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEK-0006gA-BG
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:32 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEK-0000M0-AO
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:32 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEK-0000Od-9N
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:32 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=kg+q2/vtd4mLpMFU0TMge9VnxQZRs6kmhPJJJ98+iCk=; b=x1FiR6nPqRjPBS/2Tq/SWZsfn3
	Wx0ZhZtconf1Cde61k2aWudVuRpvubBdCIZ2qQZ3/tmzaVuKMmOtfDBO/8vJKO0ITN2Rq8sPRbIjC
	YeooDt20BnpJMnOpYgSm9F45SiZHylzXeNH5RgLBqd8/I+fFM2Siz1bZD5zm8CkbPcvU=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] automation: improve checking for MSI/MSI-X in PCI passthrough tests
Message-Id: <E1qtyEK-0000Od-9N@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:32 +0000

commit cbb0fdc0d7b7321d9293e974ea975999be1a3053
Author:     Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
AuthorDate: Fri Oct 6 04:05:18 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    automation: improve checking for MSI/MSI-X in PCI passthrough tests
    
    Checking /proc/interrupts is unreliable because different drivers set
    different names there. Install pciutils and use lspci instead.
    In fact, the /proc/interrupts content was confusing enough that
    adl-pci-hvm had it wrong (MSI-X is in use there). Fix this too.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/gitlab-ci/test.yaml                    |  2 --
 automation/scripts/qubes-x86-64.sh                | 19 +++++++------------
 automation/tests-artifacts/alpine/3.18.dockerfile |  1 +
 3 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
index 4b836bf047..61e642cce0 100644
--- a/automation/gitlab-ci/test.yaml
+++ b/automation/gitlab-ci/test.yaml
@@ -195,8 +195,6 @@ adl-pci-pv-x86-64-gcc-debug:
 
 adl-pci-hvm-x86-64-gcc-debug:
   extends: .adl-x86-64
-  variables:
-    PCIDEV_INTR: "MSI"
   script:
     - ./automation/scripts/qubes-x86-64.sh pci-hvm 2>&1 | tee ${LOGFILE}
   needs:
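Review bot: the commit message says MSI-X is in use on adl-pci-hvm, yet this hunk deletes the job's `PCIDEV_INTR` variable instead of changing it to "MSI-X". The script now runs the lspci check only when `PCIDEV_INTR` is non-empty, so unless `.adl-x86-64` supplies the value the interrupt-mode check is skipped for this job without any message; please confirm the inherited value or set it explicitly here.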
diff --git a/automation/scripts/qubes-x86-64.sh b/automation/scripts/qubes-x86-64.sh
index cfe9247a26..4aeb3fc50e 100755
--- a/automation/scripts/qubes-x86-64.sh
+++ b/automation/scripts/qubes-x86-64.sh
@@ -92,23 +92,18 @@ on_reboot = "destroy"
 
     domU_check="
 set -x -e
-ip link set eth0 up
-timeout 30s udhcpc -i eth0
+interface=eth0
+ip link set \"\$interface\" up
+timeout 30s udhcpc -i \"\$interface\"
 pingip=\$(ip -o -4 r show default|cut -f 3 -d ' ')
 ping -c 10 \"\$pingip\"
 echo domU started
-cat /proc/interrupts
+pcidevice=\$(basename \$(readlink /sys/class/net/\$interface/device))
+lspci -vs \$pcidevice
 "
-    if [ "$PCIDEV_INTR" = "MSI-X" ]; then
+    if [ -n "$PCIDEV_INTR" ]; then
         domU_check="$domU_check
-grep -- '\\(-msi-x\\|PCI-MSI-X\\).*eth0' /proc/interrupts
-"
-    elif [ "$PCIDEV_INTR" = "MSI" ]; then
-        # depending on the kernel version and domain type, the MSI can be
-        # marked as '-msi', 'PCI-MSI', or 'PCI-MSI-<SBDF>'; be careful to not match
-        # -msi-x nor PCI-MSI-X
-        domU_check="$domU_check
-grep -- '\\(-msi \\|PCI-MSI\\( \\|-[^X]\\)\\).*eth0' /proc/interrupts
+lspci -vs \$pcidevice | fgrep '$PCIDEV_INTR: Enable+'
 "
     fi
     domU_check="$domU_check
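Review bot: `fgrep` in the generated check is an obsolescent spelling; `grep -F -- '$PCIDEV_INTR: Enable+'` is the portable form and also copes with a value that starts with '-'. `\$pcidevice` is left unquoted in both lspci calls and in the nested `basename \$(readlink ...)`. Since any non-empty `PCIDEV_INTR` is now accepted, a mistyped value is only caught as a failed grep inside the domU; a `case` on the expected values (MSI, MSI-X) before building `domU_check` would fail earlier and more clearly.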
diff --git a/automation/tests-artifacts/alpine/3.18.dockerfile b/automation/tests-artifacts/alpine/3.18.dockerfile
index 333951d05e..5f521572b8 100644
--- a/automation/tests-artifacts/alpine/3.18.dockerfile
+++ b/automation/tests-artifacts/alpine/3.18.dockerfile
@@ -33,6 +33,7 @@ RUN \
   apk add pixman && \
   apk add curl && \
   apk add udev && \
+  apk add pciutils && \
   \
   # Xen
   cd / && \
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:43 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:43 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620448.965886 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEV-0006j2-4n; Fri, 20 Oct 2023 22:44:43 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620448.965886; Fri, 20 Oct 2023 22:44:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEV-0006iu-2H; Fri, 20 Oct 2023 22:44:43 +0000
Received: by outflank-mailman (input) for mailman id 620448;
 Fri, 20 Oct 2023 22:44:42 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEU-0006im-E8
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:42 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEU-0000MI-DM
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:42 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEU-0000P3-CT
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:42 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=hqiEL5gejaFzJjREo/M6y4XAJ/GPpILcuz7f7I33waE=; b=FeSCmOEEmwLZrkh22FZLK8oJsI
	62Y0u3v8E9RQUQiG/tU8vbKphY0Mlo80RX7kvNkvsiLGImSJ7rI2ADuXvoEwMjthCN0skr/F0NUBU
	aYDerrYTnyFkNd8JGsgh9SsecAFp6/jv/L2mWM/Q1evEu1DWErBr/ZBpXP8KKmFSQBPw=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] automation: extract QEMU log in relevant hardware tests
Message-Id: <E1qtyEU-0000P3-CT@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:42 +0000

commit 196a8fac1cb5df44214c255420d465be8bff1040
Author:     Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
AuthorDate: Fri Oct 6 04:05:19 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    automation: extract QEMU log in relevant hardware tests
    
    Let it be printed to the console too. QEMU and Linux messages have
    different enough format that it should be possible to distinguish them.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/scripts/qubes-x86-64.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/automation/scripts/qubes-x86-64.sh b/automation/scripts/qubes-x86-64.sh
index 4aeb3fc50e..f5dae82358 100755
--- a/automation/scripts/qubes-x86-64.sh
+++ b/automation/scripts/qubes-x86-64.sh
@@ -111,6 +111,7 @@ echo \"${passed}\"
 "
 
     dom0_check="
+tail -F /var/log/xen/qemu-dm-domU.log &
 until grep -q \"^domU Welcome to Alpine Linux\" /var/log/xen/console/guest-domU.log; do
     sleep 1
 done
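Review bot: the added `tail -F /var/log/xen/qemu-dm-domU.log &` sends QEMU output to the console with no prefix, while the domU console stream in the same script is tagged `(domU) ` through sed. Relying on message format alone to tell QEMU lines from Linux lines makes the job log harder to filter mechanically; a matching `(qemu) ` prefix would keep the two followers consistent.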
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:44:53 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:44:53 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620449.965889 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEf-0006m2-6D; Fri, 20 Oct 2023 22:44:53 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620449.965889; Fri, 20 Oct 2023 22:44:53 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEf-0006lu-3h; Fri, 20 Oct 2023 22:44:53 +0000
Received: by outflank-mailman (input) for mailman id 620449;
 Fri, 20 Oct 2023 22:44:52 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEe-0006lm-H5
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:52 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEe-0000MU-GM
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:52 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEe-0000Pd-FU
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:44:52 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=kjxGUQIV8sUOPfMTxe0KCWGDCeggGlJkdJRlQUBlRZU=; b=bx2710ffuVat5x8fGqQDfAJMRD
	5ucEN2j/4xnX11t0bmC39RNZGK4BLu8qTdJlMaNelzl5ZctM2qghjrxCNXMEmin6/bu66h/OkIiLA
	OZ4Gl6YdAJtexwCt0YIljidOoKFeRw8QtdlwK0bfiZLrWEZdwy/KYtUl7X8f2n02yVHY=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] EFI: reduce memory map logging level
Message-Id: <E1qtyEe-0000Pd-FU@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:44:52 +0000

commit 11f81a5a2c74d021d34bd5d4a0f02a210df21b1c
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Thu Oct 19 14:08:22 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    EFI: reduce memory map logging level
    
    With the release build default now being INFO, the typically long EFI
    memory map will want logging at DEBUG level only.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
 xen/common/efi/boot.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index a1bd4c3d60..e5e86f22b2 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1677,7 +1677,7 @@ void __init efi_init_memory(void)
     if ( !efi_enabled(EFI_BOOT) )
         return;
 
-    printk(XENLOG_INFO "EFI memory map:%s\n",
+    printk(XENLOG_DEBUG "EFI memory map:%s\n",
            map_bs ? " (mapping BootServices)" : "");
     for ( i = 0; i < efi_memmap_size; i += efi_mdesc_size )
     {
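Review bot: missing documentation for how to get the EFI memory map back once the header `printk` in `efi_init_memory()` is at `XENLOG_DEBUG`. With the release default at INFO, as the commit message states, the map no longer appears in the log at all, and it is often what a boot or memory-layout bug report needs. A sentence in the commit message or the docs saying that the log level has to be raised to see it would cover this.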
@@ -1688,8 +1688,8 @@ void __init efi_init_memory(void)
         paddr_t mem_base;
         unsigned long mem_npages;
 
-        printk(XENLOG_INFO " %013" PRIx64 "-%013" PRIx64
-                           " type=%u attr=%016" PRIx64 "\n",
+        printk(XENLOG_DEBUG " %013" PRIx64 "-%013" PRIx64
+                            " type=%u attr=%016" PRIx64 "\n",
                desc->PhysicalStart, desc->PhysicalStart + len - 1,
                desc->Type, desc->Attribute);
 
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:45:03 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:45:03 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620450.965893 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEp-0006oD-7z; Fri, 20 Oct 2023 22:45:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620450.965893; Fri, 20 Oct 2023 22:45:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEp-0006o5-57; Fri, 20 Oct 2023 22:45:03 +0000
Received: by outflank-mailman (input) for mailman id 620450;
 Fri, 20 Oct 2023 22:45:02 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEo-0006nv-M0
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:02 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEo-0000N1-Jf
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:02 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEo-0000QL-Id
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:02 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=M+TzlB/DvXrB5BSXvcfO/X9ZXtVP7UREKchkdEg/p7A=; b=cjCqrhidjoHfydNXro2GrdaAyO
	+t8jwS+01rOTiKfc0N4mVkP9EUYTnS3tsHJVLev3E9SCm5NbBanh6q9LCtpS/dtUS98MLUd6e0CKH
	gnjK79oH+HmX+4vrQMQ+gkB65Eyr+blE2PE41eSHyv++IXe/8VABfSt8rvpAcM+20Mnk=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] iommu: fix quarantine mode command line documentation
Message-Id: <E1qtyEo-0000QL-Id@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:45:02 +0000

commit 94a5127ebeb4a005f128150909ca78bfea50206a
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Thu Oct 19 12:45:51 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    iommu: fix quarantine mode command line documentation
    
    With the addition of per-device quarantine page tables the sink page is now
    exclusive for each device, and thus writable.  Update the documentation to
    reflect the current implementation.
    
    Fixes: 14dd241aad8a ('IOMMU/x86: use per-device page tables for quarantining')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 docs/misc/xen-command-line.pandoc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 604650aaee..9121d8a294 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1520,15 +1520,14 @@ boolean (e.g. `iommu=no`) can override this and leave the IOMMUs disabled.
     should be enabled.  Quarantining can be done in two ways: In its basic
     form, all in-flight DMA will simply be forced to encounter IOMMU
     faults.  Since there are systems where doing so can cause host lockup,
-    an alternative form is available where writes to memory will be made
-    fault, but reads will be directed to a scratch page.  The implication
-    here is that such reads will go unnoticed, i.e. an admin may not
-    become aware of the underlying problem.
+    an alternative form is available where accesses to memory will be directed
+    to a scratch page. The implication here is that such accesses will go
+    unnoticed, i.e. an admin may not become aware of the underlying problem.
 
     Therefore, if this option is set to true (the default), Xen always
     quarantines such devices; they must be explicitly assigned back to Dom0
     before they can be used there again.  If set to "scratch-page", still
-    active DMA reads will additionally be directed to a "scratch" page.  If
+    active DMA operations will additionally be directed to a "scratch" page.  If
     set to false, Xen will only quarantine devices the toolstack has arranged
     for getting quarantined, and only in the "basic" form.
 
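Review bot: the rewritten sentence "accesses to memory will be directed to a scratch page" drops the read/write distinction but does not say that the scratch page is exclusive to each device, which is the property the commit message gives as the reason writes are now permitted. Without it a reader can reasonably assume one writable page shared by all quarantined devices. Suggest wording such as "a per-device scratch page" both here and in the `scratch-page` paragraph below.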
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Fri Oct 20 22:45:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 20 Oct 2023 22:45:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620451.965897 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEz-0006qX-9H; Fri, 20 Oct 2023 22:45:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620451.965897; Fri, 20 Oct 2023 22:45:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qtyEz-0006qP-6i; Fri, 20 Oct 2023 22:45:13 +0000
Received: by outflank-mailman (input) for mailman id 620451;
 Fri, 20 Oct 2023 22:45:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEy-0006qF-NZ
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEy-0000NW-Mo
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:12 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qtyEy-0000Qk-Lt
 for xen-changelog@lists.xenproject.org; Fri, 20 Oct 2023 22:45:12 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=tAMRcNOPBT5pHkaQeDmLfTBryesx+St6Fy9WPsTbsQ4=; b=jEZCnPqUh6goISorC1yQYE40YM
	vnSvms2h0EcvxM5xxWtJltY1WhLxMHrzWYRh+ZSKFo72KT+YqQIbb0N3WYrklOBDaoVAUb34Zu1+7
	6J7gZHdgCrlBEZ2AQGzV6/H2hF//5yAjdiTTcv8S3tM3+ob1BhDp2yrituKH38REtKHQ=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] iommu/vt-d: fix SAGAW capability parsing
Message-Id: <E1qtyEy-0000Qk-Lt@xenbits.xenproject.org>
Date: Fri, 20 Oct 2023 22:45:12 +0000

commit 474fc7d3c6525e209bd2fe1e6ef0bbb34de86bb4
Author:     Roger Pau Monne <roger.pau@citrix.com>
AuthorDate: Wed Oct 18 18:07:33 2023 +0200
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Thu Oct 19 21:52:52 2023 +0100

    iommu/vt-d: fix SAGAW capability parsing
    
    SAGAW is a bitmap field, with bits 1, 2 and 3 signaling support for 3, 4 and 5
    level page tables respectively.  According to the Intel VT-d specification, an
    IOMMU can report multiple SAGAW bits being set.
    
    Commit 859d11b27912 claims to replace the open-coded find_first_set_bit(), but
    it's actually replacing an open coded implementation to find the last set bit.
    The change forces the used AGAW to the lowest supported by the IOMMU instead of
    the highest one between 1 and 2.
    
    Restore the previous SAGAW parsing by using fls() instead of
    find_first_set_bit(), in order to get the highest (supported) AGAW to be used.
    
    However there's a caveat related to the value the AW context entry field must
    be set to when using passthrough mode:
    
    "When the Translation-type (TT) field indicates pass-through processing (10b),
    this field must be programmed to indicate the largest AGAW value supported by
    hardware." [0]
    
    Newer Intel IOMMU implementations support 5 level page tables for the IOMMU,
    and signal such support in SAGAW bit 3.
    
    Enabling 5 level paging support (AGAW 3) is too risky at this point in the Xen
    4.18 release, so instead put a bodge to unconditionally disable passthrough
    mode if SAGAW has any bits greater than 2 set.  Ignore bit 0; it's reserved in
    current specifications, but had a meaning in the past and is unlikely to be
    reused in the future.
    
    Note the message about unhandled SAGAW bits being set is printed
    unconditionally, regardless of whether passthrough mode is enabled.  This is
    done in order to easily notice IOMMU implementations with not yet supported
    SAGAW values.
    
    [0] Intel VT Directed Spec Rev 4.1
    
    Fixes: 859d11b27912 ('VT-d: prune SAGAW recognition')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 xen/drivers/passthrough/vtd/iommu.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c
index d34c98d9c7..e13b7d99db 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1327,15 +1327,25 @@ int __init iommu_alloc(struct acpi_drhd_unit *drhd)
 
     /* Calculate number of pagetable levels: 3 or 4. */
     sagaw = cap_sagaw(iommu->cap);
-    if ( sagaw & 6 )
-        agaw = find_first_set_bit(sagaw & 6);
-    if ( !agaw )
+    agaw = fls(sagaw & 6) - 1;
+    if ( agaw <= 0 )
     {
         printk(XENLOG_ERR VTDPREFIX "IOMMU: unsupported sagaw %x\n", sagaw);
         print_iommu_regs(drhd);
         rc = -ENODEV;
         goto free;
     }
+
+    if ( sagaw >> 3 )
+    {
+        printk_once(XENLOG_WARNING VTDPREFIX
+                    " Unhandled bits in SAGAW %#x%s\n",
+                    sagaw,
+                    iommu_hwdom_passthrough ? ", disabling passthrough" : "");
+
+        iommu_hwdom_passthrough = false;
+    }
+
     iommu->nr_pt_levels = agaw_to_level(agaw);
     if ( min_pt_levels > iommu->nr_pt_levels )
         min_pt_levels = iommu->nr_pt_levels;
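Review bot: the `if ( sagaw >> 3 )` block clears `iommu_hwdom_passthrough` without a code comment saying why; the reason (in pass-through mode the AW field must carry the largest AGAW the hardware supports, and AGAW 3 is not handled here) exists only in the commit message. A short comment above the block would keep the bodge from reading as a stray side effect of `iommu_alloc()`. Two smaller points: `agaw = fls(sagaw & 6) - 1` yields -1 when neither bit 1 nor bit 2 is set, so the `agaw <= 0` check depends on `agaw` being a signed type, whose declaration is outside the visible lines; and the retained comment "Calculate number of pagetable levels: 3 or 4." could say that the highest supported level is chosen, since that is exactly what regressed.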
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sat Oct 21 22:22:11 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 21 Oct 2023 22:22:11 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620588.966160 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1quKM7-00074p-R9; Sat, 21 Oct 2023 22:22:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620588.966160; Sat, 21 Oct 2023 22:22:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1quKM7-00074h-OK; Sat, 21 Oct 2023 22:22:03 +0000
Received: by outflank-mailman (input) for mailman id 620588;
 Sat, 21 Oct 2023 22:22:02 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKM6-00074b-Cw
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:02 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKM5-0000q9-Ss
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKM5-00024x-QI
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=K+SPiivXY72v8VTlOxXahd3iPsIotvc0Yh46IFvkQZw=; b=7ORelkpdi9fFwlOIxfAADrfy54
	sbx+BTMklwZaIbqk2UCPeHmFQnfax0LO4kDt20RPHTH19x3KKN6hYpR6LIqKi4zrLYfwmN/D6JwwV
	sKDImVdA5p3I0cw/QK7r20QGWKTXJfW7SD7zvi3egsomX1u+PdE/xh0IMwEMKPuZsVNs=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] CI: (More) Always pull base image when building a container
Message-Id: <E1quKM5-00024x-QI@xenbits.xenproject.org>
Date: Sat, 21 Oct 2023 22:22:01 +0000

commit 8a5ef972bab3ad57bf017a42601943aa05811536
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Thu Oct 19 14:56:26 2023 +0100
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Oct 20 11:55:46 2023 +0100

    CI: (More) Always pull base image when building a container
    
    Repeat c/s 26ecc08b98fc ("automation: Always pull base image when building a
    container") for the other makefile we've got building containers.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 automation/tests-artifacts/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/automation/tests-artifacts/Makefile b/automation/tests-artifacts/Makefile
index 8ca71b78ad..d055cd696b 100644
--- a/automation/tests-artifacts/Makefile
+++ b/automation/tests-artifacts/Makefile
@@ -10,7 +10,7 @@ help:
 	@echo "To push container builds, set the env var PUSH"
 
 %: %.dockerfile ## Builds containers
-	docker build -t $(REGISTRY)/$(@D):$(@F) -f $< $(<D)
+	docker build --pull -t $(REGISTRY)/$(@D):$(@F) -f $< $(<D)
 	@if [ ! -z $${PUSH+x} ]; then \
 		docker push $(REGISTRY)/$(@D):$(@F); \
 	fi
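Review bot: with `--pull` on the `docker build` line every container build has to reach the registry for its base image, yet the `help` target above still documents only `PUSH`. A line in the help output saying that base images are always re-pulled would explain a build that fails offline or that picks up a base tag which has changed since the last build.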
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Sat Oct 21 22:22:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 21 Oct 2023 22:22:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.620589.966163 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1quKMH-00076O-SW; Sat, 21 Oct 2023 22:22:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 620589.966163; Sat, 21 Oct 2023 22:22:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1quKMH-00076H-Pz; Sat, 21 Oct 2023 22:22:13 +0000
Received: by outflank-mailman (input) for mailman id 620589;
 Sat, 21 Oct 2023 22:22:12 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKMG-000763-3b
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:12 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKMG-0000qD-11
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:12 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1quKMF-00025i-Vi
 for xen-changelog@lists.xenproject.org; Sat, 21 Oct 2023 22:22:11 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=4xtAq9MgTqE907Nfmgbun0EB9R9Tdn2IhRHhIK9O6KQ=; b=19JuWwSuSZcyyT33TA4Q8tcvyy
	rE2Grv/lezRKXR748xfa/JriKk9vdO5AbwG2bo6yy6xtsbwUNMd9o+5REikzfU+T/ntl2RZgqjd2v
	6eqZH9i1Y/ZHWru9VrLTxvyD6BHi8xOyGBLAUlBSF+mhWdVJbN4sUJ4YH2cKBGysA34Y=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] x86: support data operand independent timing mode
Message-Id: <E1quKMF-00025i-Vi@xenbits.xenproject.org>
Date: Sat, 21 Oct 2023 22:22:11 +0000

commit bad1ac345b1910b820b8a703ad1b9f66412ea844
Author:     Jan Beulich <jbeulich@suse.com>
AuthorDate: Fri Oct 20 15:50:05 2023 +0200
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Fri Oct 20 15:50:05 2023 +0200

    x86: support data operand independent timing mode
    
    [1] specifies a long list of instructions which are intended to exhibit
    timing behavior independent of the data they operate on. On certain
    hardware this independence is optional, controlled by a bit in a new
    MSR. Provide a command line option to control the mode Xen and its
    guests are to operate in, with a build time control over the default.
    Longer term we may want to allow guests to control this.
    
    Since Arm64 supposedly also has such a control, put command line option
    and Kconfig control in common files.
    
    [1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
    
    Requested-by: Demi Marie Obenour <demi@invisiblethingslab.com>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Roger Pau Monné <roger.pau@citrix.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 CHANGELOG.md                          |  2 ++
 docs/misc/xen-command-line.pandoc     | 11 +++++++++++
 xen/arch/x86/Kconfig                  |  1 +
 xen/arch/x86/cpu/common.c             | 24 ++++++++++++++++++++++++
 xen/arch/x86/include/asm/cpufeature.h |  1 +
 xen/common/Kconfig                    | 18 ++++++++++++++++++
 xen/common/kernel.c                   |  5 +++++
 xen/include/xen/param.h               |  2 ++
 8 files changed, 64 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 165c5caf9b..5f2694afbe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    nodes using a device tree overlay binary (.dtbo).
  - Introduce two new hypercalls to map the vCPU runstate and time areas by
    physical rather than linear/virtual addresses.
+ - On x86, support for enforcing system-wide operation in Data Operand
+   Independent Timing Mode.
 
 ### Removed
  - On x86, the "pku" command line option has been removed.  It has never
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 9121d8a294..6b07d0f3a1 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -788,6 +788,17 @@ Specify the size of the console debug trace buffer. By specifying `cpu:`
 additionally a trace buffer of the specified size is allocated per cpu.
 The debug trace feature is only enabled in debugging builds of Xen.
 
+### dit (x86/Intel)
+> `= <boolean>`
+
+> Default: `CONFIG_DIT_DEFAULT`
+
+Specify whether Xen and guests should operate in Data Independent Timing
+mode (Intel calls this DOITM, Data Operand Independent Timing Mode). Note
+that enabling this option cannot guarantee anything beyond what underlying
+hardware guarantees (with, where available and known to Xen, respective
+tweaks applied).
+
 ### dma_bits
 > `= <integer>`
 
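Review bot: the `dit` entry does not say what happens when the option is enabled on hardware that lacks the control, nor that guests are not told about the mode. The `setup_doitm()` code added in xen/arch/x86/cpu/common.c returns silently when `cpu_has_doitm` is false, and its comment states that DOITM is not enumerated to guests. Both facts belong in this entry, because an admin reading "Xen and guests should operate in Data Independent Timing mode" will otherwise take `dit=1` as sufficient on any machine.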
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 30df085d96..eac77573bd 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -15,6 +15,7 @@ config X86
 	select HAS_ALTERNATIVE
 	select HAS_COMPAT
 	select HAS_CPUFREQ
+	select HAS_DIT
 	select HAS_EHCI
 	select HAS_EX_TABLE
 	select HAS_FAST_MULTIPLY
diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index 3fd4fd0654..51509fece0 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -204,6 +204,28 @@ void ctxt_switch_levelling(const struct vcpu *next)
 		alternative_vcall(ctxt_switch_masking, next);
 }
 
+static void setup_doitm(void)
+{
+    uint64_t msr;
+
+    if ( !cpu_has_doitm )
+        return;
+
+    /*
+     * We don't currently enumerate DOITM to guests.  As a conseqeuence, guest
+     * kernels will believe they're safe even when they are not.
+     *
+     * For now, set it unilaterally.  This prevents otherwise-correct crypto
+     * code from becoming vulnerable to timing sidechannels.
+     */
+
+    rdmsrl(MSR_UARCH_MISC_CTRL, msr);
+    msr |= UARCH_CTRL_DOITM;
+    if ( !opt_dit )
+        msr &= ~UARCH_CTRL_DOITM;
+    wrmsrl(MSR_UARCH_MISC_CTRL, msr);
+}
+
 bool opt_cpu_info;
 boolean_param("cpuinfo", opt_cpu_info);
 
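Review bot: the comment in `setup_doitm()` says "For now, set it unilaterally", but the code below it clears `UARCH_CTRL_DOITM` whenever `opt_dit` is false, so the comment no longer matches the behaviour and should mention the `dit` option. The set-then-clear sequence (`msr |= UARCH_CTRL_DOITM;` followed by `if ( !opt_dit ) msr &= ~UARCH_CTRL_DOITM;`) would read more directly as an if/else, and it is worth stating whether clearing a bit that firmware may already have set is intended. Nothing is logged when `cpu_has_doitm` is false, so a `dit=1` request is dropped silently; "conseqeuence" in the comment is a typo.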
@@ -599,6 +621,8 @@ void identify_cpu(struct cpuinfo_x86 *c)
 
 		mtrr_bp_init();
 	}
+
+	setup_doitm();
 }
 
 /* leaf 0xb SMT level */
diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
index 213c184b1c..06e1dd7f33 100644
--- a/xen/arch/x86/include/asm/cpufeature.h
+++ b/xen/arch/x86/include/asm/cpufeature.h
@@ -202,6 +202,7 @@ static inline bool boot_cpu_has(unsigned int feat)
 #define cpu_has_tsx_ctrl        boot_cpu_has(X86_FEATURE_TSX_CTRL)
 #define cpu_has_taa_no          boot_cpu_has(X86_FEATURE_TAA_NO)
 #define cpu_has_mcu_ctrl        boot_cpu_has(X86_FEATURE_MCU_CTRL)
+#define cpu_has_doitm           boot_cpu_has(X86_FEATURE_DOITM)
 #define cpu_has_fb_clear        boot_cpu_has(X86_FEATURE_FB_CLEAR)
 #define cpu_has_rrsba           boot_cpu_has(X86_FEATURE_RRSBA)
 #define cpu_has_gds_ctrl        boot_cpu_has(X86_FEATURE_GDS_CTRL)
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 407b7b1cd6..4d6fe05164 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -56,6 +56,9 @@ config HAS_COMPAT
 config HAS_DEVICE_TREE
 	bool
 
+config HAS_DIT # Data Independent Timing
+	bool
+
 config HAS_EX_TABLE
 	bool
 
@@ -187,6 +190,21 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS
 
 endmenu
 
+config DIT_DEFAULT
+	bool "Data Independent Timing default"
+	depends on HAS_DIT
+	help
+	  Hardware often surfaces instructions the timing of which is dependent
+	  on the data they process.  Some of these instructions may be used in
+	  timing sensitive environments, e.g. cryptography.  When such
+	  instructions exist, hardware may further surface a control allowing
+	  to make the behavior of such instructions independent of the data
+	  they act upon.  Note the build time value can be overridden at runtime
+	  using the "dit" command line option.
+
+	  NB: Intel calls the feature DOITM (Data Operand Independent Timing
+	      Mode).
+
 config HYPFS
 	bool "Hypervisor file system support"
 	default y
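Review bot: `config DIT_DEFAULT` has no `default` line, so the option is off unless someone selects it, and the help text neither says so nor explains what is traded for turning it on. The `setup_doitm()` comment in this same patch argues that leaving the mode off can expose otherwise-correct crypto code to timing side channels, so the help text should state the default explicitly and give the reason for it.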
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index b6302e44b3..e928d0b231 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -28,6 +28,11 @@ CHECK_feature_info;
 
 enum system_state system_state = SYS_STATE_early_boot;
 
+#ifdef CONFIG_HAS_DIT
+bool __ro_after_init opt_dit = IS_ENABLED(CONFIG_DIT_DEFAULT);
+boolean_param("dit", opt_dit);
+#endif
+
 static xen_commandline_t saved_cmdline;
 static const char __initconst opt_builtin_cmdline[] = CONFIG_CMDLINE;
 
diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h
index 1b2c7db954..93c3fe7cb7 100644
--- a/xen/include/xen/param.h
+++ b/xen/include/xen/param.h
@@ -184,6 +184,8 @@ extern struct param_hypfs __paramhypfs_start[], __paramhypfs_end[];
     string_param(_name, _var); \
     string_runtime_only_param(_name, _var)
 
+extern bool opt_dit;
+
 static inline void no_config_param(const char *cfg, const char *param,
                                    const char *s, const char *e)
 {
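Review bot: `extern bool opt_dit;` is declared unconditionally here, while the definition in xen/common/kernel.c sits inside `#ifdef CONFIG_HAS_DIT`. A use on an architecture that does not select `HAS_DIT` would compile and then fail only at link time. Consider guarding the declaration the same way, or add a comment that the variable exists only with `CONFIG_HAS_DIT`.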
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 25 08:22:09 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Oct 2023 08:22:09 +0000
Received: from list by lists.xenproject.org with outflank-mailman.622680.969718 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9O-0001PU-WF; Wed, 25 Oct 2023 08:22:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 622680.969718; Wed, 25 Oct 2023 08:22:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9O-0001PM-TV; Wed, 25 Oct 2023 08:22:02 +0000
Received: by outflank-mailman (input) for mailman id 622680;
 Wed, 25 Oct 2023 08:22:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9N-0001PE-J0
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9N-0002ww-Eb
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9N-00017i-Dh
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=VPOjbL0FjxXve3pj8r/yQUVqLCUqCLsWI1TWoZR5Ams=; b=fXRrDdEPEkJxRLpDPHpLkRQkSV
	15CSj7XizY1JzuVTpPreOv6Ig+vJD/WryvM8MWqUNYQAE2J2TYEswa4fN7RF3FTPOAQCHBNbQrlGr
	tknnqxjdkS9zyKTTPwi1TU00G3lRZ5JMAjAyLBWp3M0bzJiFFVUuoOl6r+mHGMY1FvJo=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] CHANGELOG.md: Mention the MISRA-C improvement in 4.18 dev cycle
Message-Id: <E1qvZ9N-00017i-Dh@xenbits.xenproject.org>
Date: Wed, 25 Oct 2023 08:22:01 +0000

commit da444feb23a63c5f8c6f48ddf18ef1964729109e
Author:     Henry Wang <Henry.Wang@arm.com>
AuthorDate: Mon Oct 23 17:21:20 2023 +0800
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Tue Oct 24 19:19:54 2023 +0100

    CHANGELOG.md: Mention the MISRA-C improvement in 4.18 dev cycle
    
    Signed-off-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Stefano Stabellini <sstabellini@kernel.org>
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f2694afbe..394a92400a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    physical rather than linear/virtual addresses.
  - On x86, support for enforcing system-wide operation in Data Operand
    Independent Timing Mode.
+ - The project has now officially adopted 6 directives and 65 rules of MISRA-C.
 
 ### Removed
  - On x86, the "pku" command line option has been removed.  It has never
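Review bot: the added entry gives bare counts (6 directives and 65 rules) with no pointer to the list of what was adopted, so a reader cannot tell which rules the figure covers or check it later. Reference the in-tree document that lists the accepted directives and rules, and word the entry as the state at the 4.18 release rather than "now", since the numbers will change in later cycles.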
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 25 08:22:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Oct 2023 08:22:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.622681.969722 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9Z-0001RZ-1O; Wed, 25 Oct 2023 08:22:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 622681.969722; Wed, 25 Oct 2023 08:22:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9Y-0001RR-Uv; Wed, 25 Oct 2023 08:22:12 +0000
Received: by outflank-mailman (input) for mailman id 622681;
 Wed, 25 Oct 2023 08:22:11 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9X-0001RD-Iz
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:11 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9X-0002x4-IJ
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:11 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9X-00018L-Gg
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:11 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=L4QKAGd1otquWSJPQjGyTUPgiWomYtev4xLj/q/nKKE=; b=ExIzaibrbL/t5D9tQ/ChbdZPBZ
	AtoxTtySSUGokNpqTXkepCKnMyNDs1W+6AqlZK6Jd+JZMWeT8ROhF4Om1lL2LwgGAsbgCatRKlRw6
	ELW1ISq7rw0qU7xQViI5PfHepiasrBg1kVM6xwncGn55YIQ0vyn4jH5W6GhEWpEx2fFM=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] CHANGELOG.md: Use "xenbits.xenproject.org" in links
Message-Id: <E1qvZ9X-00018L-Gg@xenbits.xenproject.org>
Date: Wed, 25 Oct 2023 08:22:11 +0000

commit 00314e0b357fa7c2928963c5ead5d7b6782e1e50
Author:     Henry Wang <Henry.Wang@arm.com>
AuthorDate: Mon Oct 23 17:21:21 2023 +0800
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Tue Oct 24 19:19:54 2023 +0100

    CHANGELOG.md: Use "xenbits.xenproject.org" in links
    
    Compared to "xenbits.xen.org", "xenbits.xenproject.org" appeared
    later as a name, with the intention of becoming the canonical one.
    Therefore, this commit unifies all the links to use "xenproject"
    in the links.
    
    Signed-off-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
---
 CHANGELOG.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 394a92400a..25d29fe59d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ Notable changes to Xen will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
-## [unstable UNRELEASED](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=staging) - TBD
+## [unstable UNRELEASED](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=staging) - TBD
 
 ### Changed
  - Repurpose command line gnttab_max_{maptrack_,}frames options so they don't
@@ -43,7 +43,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    "cpuid=no-pku".  Visibility of PKU to guests should be via its vm.cfg file.
  - xenpvnetboot removed as unable to convert to Python 3.
 
-## [4.17.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.17.0) - 2022-12-12
+## [4.17.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.17.0) - 2022-12-12
 
 ### Changed
  - On x86 "vga=current" can now be used together with GrUB2's gfxpayload setting. Note that
@@ -89,7 +89,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### Removed / support downgraded
  - dropped support for the (x86-only) "vesa-mtrr" and "vesa-remap" command line options
 
-## [4.16.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.16.0) - 2021-12-02
+## [4.16.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.16.0) - 2021-12-02
 
 ### Removed
  - XENSTORED_ROOTDIR environment variable from configuartion files and
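Review bot: the context line under the 4.16.0 heading still reads "configuartion files". Since this patch already edits the heading directly above it, correct the spelling to "configuration" here or in a follow-up.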
@@ -132,7 +132,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
  - Support of generic DT IOMMU bindings for Arm SMMU v2.
  - Limit grant table version on a per-domain basis.
 
-## [4.15.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.15.0) - 2021-04-08
+## [4.15.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.15.0) - 2021-04-08
 
 ### Added / support upgraded
  - ARM IOREQ servers (device emulation etc.) (Tech Preview)
@@ -166,7 +166,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    support, not recommended".  (Use as stub domain device model is still
    supported - see SUPPORT.md.)
 
-## [4.14.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.14.0) - 2020-07-23
+## [4.14.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.14.0) - 2020-07-23
 
 ### Added
  - This file and MAINTAINERS entry.
@@ -193,6 +193,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
    An administrator still needs to take care to ensure the features visible to
    the guest at boot are compatible with anywhere it might migrate.
 
-## [4.13.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.13.0) - 2019-12-17
+## [4.13.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.13.0) - 2019-12-17
 
 > Pointer to release from which CHANGELOG tracking starts
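Review bot: the commit message says all the links are unified, but the diffstat and the hunks cover only the six release headings in CHANGELOG.md, the 4.13.0 heading here being the last. Scope the message body to "all the links in CHANGELOG.md" so that it matches the subject line and does not suggest that other files were converted as well.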
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Wed Oct 25 08:22:23 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Oct 2023 08:22:23 +0000
Received: from list by lists.xenproject.org with outflank-mailman.622683.969726 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9j-0001Tx-2i; Wed, 25 Oct 2023 08:22:23 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 622683.969726; Wed, 25 Oct 2023 08:22:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvZ9j-0001Tn-0E; Wed, 25 Oct 2023 08:22:23 +0000
Received: by outflank-mailman (input) for mailman id 622683;
 Wed, 25 Oct 2023 08:22:21 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9h-0001TZ-Mo
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:21 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9h-0002xJ-M5
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:21 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvZ9h-00018m-KK
 for xen-changelog@lists.xenproject.org; Wed, 25 Oct 2023 08:22:21 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=mU94SzyJzJWjLIv95PuKA+DBu1VQ+Irxqyt/OB9EXag=; b=eVtnOYUz9u591+XEbbfdx+r131
	dAIRbkQ7xBfYjjDdvholcGe1HX8zttlPDUuhJJAA7rOs468WOQSK5c5pJYDt4nYwfH8fB9jC1iSCJ
	XA3HAqz960WiODl8c3f6UnJQC/aQEiEJ05f969YepuVzbq+jGf5xhQQtDKBJRdjgy7Q8=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] CHANGELOG.md: Set 4.18 release date and tag
Message-Id: <E1qvZ9h-00018m-KK@xenbits.xenproject.org>
Date: Wed, 25 Oct 2023 08:22:21 +0000

commit d9f07b06cfc967e128371c11f56699cf5ee40b43
Author:     Henry Wang <Henry.Wang@arm.com>
AuthorDate: Mon Oct 23 17:21:22 2023 +0800
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Tue Oct 24 19:20:52 2023 +0100

    CHANGELOG.md: Set 4.18 release date and tag
    
    Signed-off-by: Henry Wang <Henry.Wang@arm.com>
    Acked-by: Julien Grall <jgrall@amazon.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25d29fe59d..3ca7969699 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ Notable changes to Xen will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
-## [unstable UNRELEASED](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=staging) - TBD
+## [4.18.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.18.0) - 2023-XX-XX
 
 ### Changed
  - Repurpose command line gnttab_max_{maptrack_,}frames options so they don't
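Review bot: the new heading carries the placeholder date `2023-XX-XX` although the subject says the release date is being set, and its link targets `h=RELEASE-4.18.0`, which resolves only once that tag exists. Fill in the real date, or say in the commit message when the placeholder gets replaced. The hunk also replaces the `unstable UNRELEASED` heading outright, so new entries on master have no section until one is added back.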
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Thu Oct 26 03:22:07 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 26 Oct 2023 03:22:07 +0000
Received: from list by lists.xenproject.org with outflank-mailman.623456.971295 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvqwd-0007JT-HD; Thu, 26 Oct 2023 03:22:03 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 623456.971295; Thu, 26 Oct 2023 03:22:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qvqwd-0007JM-En; Thu, 26 Oct 2023 03:22:03 +0000
Received: by outflank-mailman (input) for mailman id 623456;
 Thu, 26 Oct 2023 03:22:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvqwb-0007JG-SO
 for xen-changelog@lists.xenproject.org; Thu, 26 Oct 2023 03:22:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvqwb-0005Ou-N5
 for xen-changelog@lists.xenproject.org; Thu, 26 Oct 2023 03:22:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qvqwb-0005Jh-M9
 for xen-changelog@lists.xenproject.org; Thu, 26 Oct 2023 03:22:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=IBsvP0cwhQQFk7DiDnNIn+Zcj1GLtyM78+YxWUPOeOM=; b=EQW8+GkPT7L6H0LM/RhHJLZShu
	BD/3+JIWHmtGMMTp/VCrE68ZXQw/DPMnmjLFGjLlDWKTGYdpuZfkY8bcmpTiTuzClN+t01PnOpCMF
	D5a1C+7lPrX4mqb+sb9AsdxboiJheM39+SLcFzdRf0VoCJBSYiQHPSQWD4XhMitIKSDE=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen master] docs/arm: Document where Xen should be loaded in memory
Message-Id: <E1qvqwb-0005Jh-M9@xenbits.xenproject.org>
Date: Thu, 26 Oct 2023 03:22:01 +0000

commit 5415b2b2118bd78d8a04f276a8312f7f0cb1a466
Author:     Julien Grall <jgrall@amazon.com>
AuthorDate: Tue Oct 24 11:28:58 2023 +0100
Commit:     Julien Grall <jgrall@amazon.com>
CommitDate: Wed Oct 25 11:02:33 2023 +0100

    docs/arm: Document where Xen should be loaded in memory
    
    In commit 9d267c049d92 ("xen/arm64: Rework the memory layout"),
    we decided to require Xen to be loaded below 2 TiB to simplify
    the logic to enable the MMU. The limit was decided based on
    how known platforms boot plus some slack.
    
    We had a recent report that this is not sufficient on the AVA
    platform with an old firmware [1]. But the restriction is not
    going to change in Xen 4.18. So document the limit clearly
    in docs/misc/arm/booting.txt.
    
    [1] https://lore.kernel.org/20231013122658.1270506-3-leo.yan@linaro.org
    
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Michal Orzel <michal.orzel@amd.com>
    Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 docs/misc/arm/booting.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/misc/arm/booting.txt b/docs/misc/arm/booting.txt
index 02f7bb65ec..547f58a7d9 100644
--- a/docs/misc/arm/booting.txt
+++ b/docs/misc/arm/booting.txt
@@ -21,7 +21,9 @@ The exceptions to this on 32-bit ARM are as follows:
  zImage protocol should still be used and not the stricter "raw
  (non-zImage)" protocol described in arm/Booting.
 
-There are no exception on 64-bit ARM.
+The exceptions to this on 64-bit ARM are as follows:
+
+ Xen binary should be loaded in memory below 2 TiB.
 
 Booting Guests
 --------------
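Review bot: the added sentence says the Xen binary "should" be loaded below 2 TiB, while the commit message describes this as a requirement. Use "must", and state whether the limit applies to the whole image or only to its load address, so that firmware and bootloader authors can check their placement against it.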
--
generated by git-patchbot for /home/xen/git/xen.git#master


From xen-changelog-bounces@lists.xenproject.org Tue Oct 31 09:55:07 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 31 Oct 2023 09:55:07 +0000
Received: from list by lists.xenproject.org with outflank-mailman.625567.974962 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qxlSg-0005mW-VX; Tue, 31 Oct 2023 09:55:02 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 625567.974962; Tue, 31 Oct 2023 09:55:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qxlSg-0005mO-Sq; Tue, 31 Oct 2023 09:55:02 +0000
Received: by outflank-mailman (input) for mailman id 625567;
 Tue, 31 Oct 2023 09:55:01 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSf-0005mI-DP
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:01 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSf-0006ym-CZ
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:01 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSf-0004xN-Bf
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:01 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=5Fm/iXtMEouHwnkXfsAoosmndfcgEGNwhpjISs3UX5Y=; b=5kaN+Z9OzaaOir7FPUvsfRbYek
	52z0rD0vA48JqekBzWR+9SeUsua4JBMmN0iryHDwbFiiqkMGDBSaHdG66OIKzF9P7sbBZOY+ufx8Q
	Q0ut75yP3tRqMdoCnXY+T8rn0hx28e4UG85tfrjhDJ9v4rDs+uW8BH5w3BCdHEa7MHwU=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.18] Config.mk: switch to named tags (for stable branch)
Message-Id: <E1qxlSf-0004xN-Bf@xenbits.xenproject.org>
Date: Tue, 31 Oct 2023 09:55:01 +0000

commit f17e9d7459f4d4c6e078cbf15e7e0591c8b5f43e
Author:     Julien Grall <julien@xen.org>
AuthorDate: Fri Oct 27 14:07:09 2023 +0100
Commit:     Julien Grall <julien@xen.org>
CommitDate: Fri Oct 27 14:07:24 2023 +0100

    Config.mk: switch to named tags (for stable branch)
    
    Signed-off-by: Julien Grall <julien@xen.org>
---
 Config.mk | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Config.mk b/Config.mk
index 000cf06d41..5f12c91da0 100644
--- a/Config.mk
+++ b/Config.mk
@@ -223,10 +223,10 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
 OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16
 
 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_UPSTREAM_REVISION ?= 0df9387c8983e1b1e72d8c574356f572342c03e6
+QEMU_UPSTREAM_REVISION ?= qemu-xen-4.18.0-rc5
 
 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
-MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
+MINIOS_UPSTREAM_REVISION ?= xen-4.18.0-rc5
 
 SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
 SEABIOS_UPSTREAM_REVISION ?= rel-1.16.2
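Review bot: QEMU_UPSTREAM_REVISION and MINIOS_UPSTREAM_REVISION change from full commit hashes to tag names, and a tag is a ref that can be moved on the server, so the build no longer pins the exact content it fetches (OVMF_UPSTREAM_REVISION in the same hunk stays on a hash). Both names are also `-rc5` tags on a stable branch. Record the commit each tag is expected to resolve to, in the commit message or in a comment next to the variable, and say when the rc tags will be replaced by release tags.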
@@ -235,7 +235,7 @@ ETHERBOOT_NICS ?= rtl8139 8086100e
 
 
 QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
-QEMU_TRADITIONAL_REVISION ?= 3d273dd05e51e5a1ffba3d98c7437ee84e8f8764
+QEMU_TRADITIONAL_REVISION ?= xen-4.18.0-rc5
 # Wed Jul 15 10:01:40 2020 +0100
 # qemu-trad: remove Xen path dependencies
 
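Review bot: the two comment lines left under QEMU_TRADITIONAL_REVISION (`# Wed Jul 15 10:01:40 2020 +0100` and `# qemu-trad: remove Xen path dependencies`) appear to describe the commit hash that this hunk removes, and they now sit under `xen-4.18.0-rc5`. Drop them or update them so that they describe the tag.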
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18


From xen-changelog-bounces@lists.xenproject.org Tue Oct 31 09:55:13 2023
Return-path: <xen-changelog-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 31 Oct 2023 09:55:13 +0000
Received: from list by lists.xenproject.org with outflank-mailman.625569.974966 (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qxlSr-0005oT-0m; Tue, 31 Oct 2023 09:55:13 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 625569.974966; Tue, 31 Oct 2023 09:55:12 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-changelog-bounces@lists.xenproject.org>)
	id 1qxlSq-0005oL-UM; Tue, 31 Oct 2023 09:55:12 +0000
Received: by outflank-mailman (input) for mailman id 625569;
 Tue, 31 Oct 2023 09:55:11 +0000
Received: from mail.xenproject.org ([104.130.215.37])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSp-0005oC-Gv
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:11 +0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSp-0006zE-G2
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:11 +0000
Received: from xen by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <ian.jackson@eu.citrix.com>) id 1qxlSp-0004xx-Ee
 for xen-changelog@lists.xenproject.org; Tue, 31 Oct 2023 09:55:11 +0000
X-BeenThere: xen-changelog@lists.xenproject.org
List-Id: "Change log for Mercurial \(receive only\)"
 <xen-changelog.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-changelog@lists.xenproject.org>
List-Help: <mailto:xen-changelog-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-changelog>, 
 <mailto:xen-changelog-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-changelog-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-changelog" <xen-changelog-bounces@lists.xenproject.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From;
	bh=r5Z7mVPEG1+ukEo648GBEd3tdRksZVTrZz+URKtcMBY=; b=lrtWILRKGpYNwIXeopb6X7Ep7L
	l1b8HX+dzBwCcJbFoQ+r0hE5tBJ4CkrdBTp5eQz70fUD2OcFkeACohlGFO9k3HHZ/FkCsBIrFwBRB
	GLLoP1HiFmD9q79dpgO+iyl8vYUngRGeHT6kc0wepKCAxb8bo+GEpF3Fh7SQY0SIET9g=;
From: patchbot@xen.org
To: xen-changelog@lists.xenproject.org
Reply-To: xen-devel@lists.xenproject.org
Subject: [xen stable-4.18] Turn off debug by default
Message-Id: <E1qxlSp-0004xx-Ee@xenbits.xenproject.org>
Date: Tue, 31 Oct 2023 09:55:11 +0000

commit b6cf4f81b5ff43a05b199c3eb8c78059d03d9485
Author:     Julien Grall <julien@xen.org>
AuthorDate: Fri Oct 27 14:08:16 2023 +0100
Commit:     Julien Grall <julien@xen.org>
CommitDate: Fri Oct 27 14:08:16 2023 +0100

    Turn off debug by default
    
    Signed-off-by: Julien Grall <jgrall@amazon.com>
---
 tools/Rules.mk    | 2 +-
 xen/Kconfig.debug | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/Rules.mk b/tools/Rules.mk
index 18cf83f5be..cb3fd82c1f 100644
--- a/tools/Rules.mk
+++ b/tools/Rules.mk
@@ -25,7 +25,7 @@ CFLAGS_xeninclude = -I$(XEN_INCLUDE)
 XENSTORE_XENSTORED ?= y
 
 # A debug build of tools?
-debug ?= y
+debug ?= n
 debug_symbols ?= $(debug)
 
 XEN_GOCODE_URL    = golang.xenproject.org
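Review bot: `debug_symbols ?= $(debug)` on the following line inherits this default, so changing to `debug ?= n` also turns debug symbols off for the tools unless the builder sets `debug_symbols` explicitly. If symbols are still wanted in release builds, give `debug_symbols` its own default; otherwise mention the side effect in the commit message.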
diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug
index 94e818ee09..c533ddf75f 100644
--- a/xen/Kconfig.debug
+++ b/xen/Kconfig.debug
@@ -3,7 +3,7 @@ menu "Debugging Options"
 
 config DEBUG
 	bool "Developer Checks"
-	default y
+	default n
 	---help---
 	  If you say Y here this will enable developer checks such as asserts
 	  and extra printks. This option is intended for development purposes
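Review bot: with `default n`, the asserts and extra printks described in the help text are compiled out unless the builder opts in, and the commit message has no body explaining why. State in the message that this is the release default for the stable-4.18 branch, so that the change is not read as one that should also go to the development branch.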
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18


