[Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags
Introduce a domain create flag to allow user to set availability of nested virtualization. The flag will be used to disable all reporting and function facilities, improving guest security. Another per vcpu flag is used to indicate whether the vcpu is in L1 or L2 context.
Signed-off-by: Qing He <qing.he@xxxxxxxxx>
---
arch/x86/domain.c | 4 ++++
common/domctl.c | 5 ++++-
include/asm-x86/hvm/domain.h | 1 +
include/asm-x86/hvm/vcpu.h | 2 ++
include/public/domctl.h | 3 +++
include/xen/sched.h | 3 +++
6 files changed, 17 insertions(+), 1 deletion(-)
diff -r a0bbec37b529 -r 6f0f41f80285 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/arch/x86/domain.c Thu Apr 22 22:30:00 2010 +0800
@@ -413,6 +413,10 @@
 d->arch.s3_integrity = !!(domcr_flags & DOMCRF_s3_integrity);
+ d->arch.hvm_domain.nesting_avail =
+ is_hvm_domain(d) &&
+ (domcr_flags & DOMCRF_nesting);
+
 INIT_LIST_HEAD(&d->arch.pdev_list);
 d->arch.relmem = RELMEM_not_started;
diff -r a0bbec37b529 -r 6f0f41f80285 xen/common/domctl.c
--- a/xen/common/domctl.c Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/common/domctl.c Thu Apr 22 22:30:00 2010 +0800
@@ -393,7 +393,8 @@
 if ( supervisor_mode_kernel ||
 (op->u.createdomain.flags &
 ~(XEN_DOMCTL_CDF_hvm_guest | XEN_DOMCTL_CDF_hap |
- XEN_DOMCTL_CDF_s3_integrity | XEN_DOMCTL_CDF_oos_off)) )
+ XEN_DOMCTL_CDF_s3_integrity | XEN_DOMCTL_CDF_oos_off |
+ XEN_DOMCTL_CDF_nesting)) )
 break;
 dom = op->domain;
@@ -429,6 +430,8 @@
 domcr_flags |= DOMCRF_s3_integrity;
 if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_oos_off )
 domcr_flags |= DOMCRF_oos_off;
+ if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_nesting )
+ domcr_flags |= DOMCRF_nesting;
 ret = -ENOMEM;
 d = domain_create(dom, domcr_flags, op->u.createdomain.ssidref);
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/asm-x86/hvm/domain.h
--- a/xen/include/asm-x86/hvm/domain.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/asm-x86/hvm/domain.h Thu Apr 22 22:30:00 2010 +0800
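Review bot: `nesting_avail` is derived from the create flag and `is_hvm_domain(d)` alone, with no check that the hypervisor can actually provide nested virtualization on this platform, so a toolstack can mark a domain nesting-capable on hardware or a build where nothing will back it. The `hap_enabled` assignment earlier in this function (outside the hunk, if I recall it correctly) additionally gates on an `hvm_funcs` capability bit; a matching bit for nesting, or an explicit -EINVAL at creation when the flag is requested but unsupported, would keep this a deny-by-default feature and be consistent with that pattern. If the capability check is meant to arrive in a later patch of the series, a comment at the assignment saying so would help, e.g. `/* Permission only; hardware capability is checked where the nested paths consult nesting_avail. */`. The enclosing function starts and ends outside the hunk.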
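Review bot: The validation in the first hunk accepts `XEN_DOMCTL_CDF_nesting` for any domain type and the second hunk forwards it unconditionally, so a PV create request carrying the bit succeeds and the bit is silently dropped by `is_hvm_domain(d)` in arch domain creation; the toolstack never learns that its request was not honoured. Rejecting the combination next to the existing mask check is clearer: `if ( (op->u.createdomain.flags & XEN_DOMCTL_CDF_nesting) && !(op->u.createdomain.flags & XEN_DOMCTL_CDF_hvm_guest) ) break;`, which reuses the error path of the surrounding check (assuming `ret` is set to -EINVAL just above the hunk, as for the other rejected flag combinations). Both hunks sit inside the createdomain case of a switch that starts and ends outside them.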
@@ -93,6 +93,7 @@
 bool_t mem_sharing_enabled;
 bool_t qemu_mapcache_invalidate;
 bool_t is_s3_suspended;
+ bool_t nesting_avail;
 union {
 struct vmx_domain vmx;
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/asm-x86/hvm/vcpu.h
--- a/xen/include/asm-x86/hvm/vcpu.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/asm-x86/hvm/vcpu.h Thu Apr 22 22:30:00 2010 +0800
@@ -70,6 +70,8 @@
 bool_t debug_state_latch;
 bool_t single_step;
+ bool_t in_nesting;
+
 u64 asid_generation;
 u32 asid;
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/public/domctl.h
--- a/xen/include/public/domctl.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/public/domctl.h Thu Apr 22 22:30:00 2010 +0800
@@ -64,6 +64,9 @@
 /* Disable out-of-sync shadow page tables? */
 #define _XEN_DOMCTL_CDF_oos_off 3
 #define XEN_DOMCTL_CDF_oos_off (1U<<_XEN_DOMCTL_CDF_oos_off)
+ /* Is nested virtualization allowed */
+#define _XEN_DOMCTL_CDF_nesting 4
+#define XEN_DOMCTL_CDF_nesting (1U<<_XEN_DOMCTL_CDF_nesting)
 };
 typedef struct xen_domctl_createdomain xen_domctl_createdomain_t;
 DEFINE_XEN_GUEST_HANDLE(xen_domctl_createdomain_t);
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/xen/sched.h
--- a/xen/include/xen/sched.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/xen/sched.h Thu Apr 22 22:30:00 2010 +0800
@@ -393,6 +393,9 @@
 /* DOMCRF_oos_off: dont use out-of-sync optimization for shadow page tables */
 #define _DOMCRF_oos_off 4
 #define DOMCRF_oos_off (1U<<_DOMCRF_oos_off)
+ /* DOMCRF_nesting: Create a domain that allows nested virtualization . */
+#define _DOMCRF_nesting 5
+#define DOMCRF_nesting (1U<<_DOMCRF_nesting)
 /*
 * rcu_lock_domain_by_id() is more efficient than get_domain_by_id().
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
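Review bot: The new `nesting_avail` field is added without a comment, and the same applies to `in_nesting` in the vcpu.h hunk; from the struct alone a reader cannot tell whether either is a policy bit, a hardware capability, or runtime state. For the domain field I would add `/* Nested virtualization permitted for this domain (set from DOMCRF_nesting at create time; HVM only). */`, and for the vcpu field `/* vcpu is currently executing in L2 (nested guest) context rather than L1. */`, which matches what the commit message describes. It would also help to note next to `in_nesting` which code is allowed to flip it, since the security argument in the description relies on `nesting_avail` remaining a read-only gate after creation. Both structs start and end outside their hunks.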
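Review bot: The public flag comment `/* Is nested virtualization allowed */` in the domctl.h hunk should state that the bit is only meaningful together with `XEN_DOMCTL_CDF_hvm_guest` and is off unless requested, since this header is the ABI the toolstack reads; it also lacks the question mark its neighbour `/* Disable out-of-sync shadow page tables? */` uses. A one-line replacement: ` /* Is nested virtualization allowed? (HVM guests only; off unless requested) */`. The corresponding comment in the sched.h hunk has a stray space before its period, `virtualization . */`, which should read `virtualization. */`.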