[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Ping: [PATCH V8] x86/altp2m: Hypercall to set altp2m view visibility


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • From: Isaila Alexandru <aisaila@xxxxxxxxxxxxxxx>
  • Date: Mon, 13 Apr 2020 10:00:14 +0300
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SafQphNT1Pm3M9lWzNSligRP0oeu4NwqvRmlAwwQqZE=; b=Fpgv5Oa/6pGNxDsRoydOxtQnkeo4gBx5IlTjTR0YiADdRDbUTA54EgdGNo7kBpicO2lxjD0pLaRJKxQSENPXcjYAuFpWuoyPaPeDXv+hI5VM7HHxnGg3YhbgWfzAaGE8Vg5DQ8I85myAxEQ2eFvinpNJfbcNjUFTqO4rfcH30NyFlhuI63x0dHbT5eQJ+ZhMtJqaTcQfLy1DicUSv9YCVb4k6tMzewnrSl26kuQcTW1YS5+168Ev86hRXJjUBaR6aHT/3oD6Fx007PtKiJ1r/PRi0Jel1Ft9XIj8whQEVuiV+a3rzwVDIvMy7VZH7fY+VWkTY/1L9hpyqb1JbB/nlw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WmHsnktGpm/4RtRCqmwPItiFu0h9lQ7xjpp+mhVQlIwS7b/I2oMoN51q1ghyT2HzxyM/3V5UGZrHG5tOU1PF0tGs7j9qo8EQFKopBIRAGcYNT1cC3zWjdQhOsN0BoGTCe21/5vc8+HXIUfxVRNwMBG+JJXp/zrybfD4amy5mGEon52v4IUo37ixJ+IwzIyWAFyvJxUEdAVH187QOdzuG0D2Oab0a+EFJZyCJH2Jq8NFiXi2N4z0BsqApV5IihoXSnTaWKmP3YQGMB9ffD82F4olZjhe/QCslOfSkbHQCVOXBB9vM/Mpr4KFzwaav5/vOWt4t8sZVAmVNS0sazxj0mQ==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;
  • Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Mon, 13 Apr 2020 07:00:27 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

I need a review for the tools bits in this patch.

Thanks,
Alex

On 13.04.2020 09:51, Alexandru Isaila wrote:
At this moment a guest can call vmfunc to change the altp2m view. This
should be limited in order to avoid any unwanted view switch.

The new xc_altp2m_set_visibility() solves this by making views invisible
to vmfunc.
This is done by having a separate arch.altp2m_working_eptp that is
populated and made invalid in the same places as altp2m_eptp. This is
written to EPTP_LIST_ADDR.
The views are made in/visible by marking them with INVALID_MFN or
copying them back from altp2m_eptp.
To have consistency the visibility also applies to
p2m_switch_domain_altp2m_by_id().

The usage of this hypercall is aimed at dom0 having a logic with a number of 
views
created and at some time there is a need to be sure that only some of the views
can be switched, saving the rest and making them visible when the time
is right.

Note: If altp2m mode is set to mixed the guest is able to change the view
visibility and then call vmfunc.

Signed-off-by: Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
---
CC: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
CC: Wei Liu <wl@xxxxxxx>
CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
CC: Jan Beulich <jbeulich@xxxxxxxx>
CC: Julien Grall <julien@xxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: "Roger Pau Monné" <roger.pau@xxxxxxxxxx>
CC: Jun Nakajima <jun.nakajima@xxxxxxxxx>
CC: Kevin Tian <kevin.tian@xxxxxxxxx>
---
Changes since V7:
        - Change altp2m_working_eptp to altp2m_visible_eptp
        - Rebase.

Changes since V6:
        - Update commit message.

Changes since V5:
        - Change idx type from uint16_t to unsigned int
        - Add rc var and dropped the err return from p2m_get_suppress_ve().

Changes since V4:
        - Move p2m specific things from hvm to p2m.c
        - Add comment for altp2m_idx bounds check
        - Add altp2m_list_lock/unlock().

Changes since V3:
        - Change var name form altp2m_idx to idx to shorten line length
        - Add bounds check for idx
        - Update commit message
        - Add comment in xenctrl.h.

Changes since V2:
        - Drop hap_enabled() check
        - Reduce the indentation depth in hvm.c
        - Fix assignment indentation
        - Drop pad2.

Changes since V1:
        - Drop double view from title.
---
  tools/libxc/include/xenctrl.h   |  7 +++++++
  tools/libxc/xc_altp2m.c         | 24 +++++++++++++++++++++++
  xen/arch/x86/hvm/hvm.c          | 14 ++++++++++++++
  xen/arch/x86/hvm/vmx/vmx.c      |  2 +-
  xen/arch/x86/mm/hap/hap.c       | 15 +++++++++++++++
  xen/arch/x86/mm/p2m-ept.c       |  1 +
  xen/arch/x86/mm/p2m.c           | 34 +++++++++++++++++++++++++++++++--
  xen/include/asm-x86/domain.h    |  1 +
  xen/include/asm-x86/p2m.h       |  4 ++++
  xen/include/public/hvm/hvm_op.h |  9 +++++++++
  10 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 58fa931de1..5f25c5a6d4 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -1943,6 +1943,13 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t 
domid,
                           xen_pfn_t new_gfn);
  int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
                                 uint32_t vcpuid, uint16_t *p2midx);
+/*
+ * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
+ * Note: If altp2m mode is set to mixed the guest is able to change the view
+ * visibility and then call vmfunc.
+ */
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+                             uint16_t view_id, bool visible);
/**
   * Mem paging operations.
diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
index 46fb725806..6987c9541f 100644
--- a/tools/libxc/xc_altp2m.c
+++ b/tools/libxc/xc_altp2m.c
@@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, 
uint32_t domid,
      xc_hypercall_buffer_free(handle, arg);
      return rc;
  }
+
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+                             uint16_t view_id, bool visible)
+{
+    int rc;
+
+    DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
+
+    arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
+    if ( arg == NULL )
+        return -1;
+
+    arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
+    arg->cmd = HVMOP_altp2m_set_visibility;
+    arg->domain = domid;
+    arg->u.set_visibility.altp2m_idx = view_id;
+    arg->u.set_visibility.visible = visible;
+
+    rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
+                  HYPERCALL_BUFFER_AS_ARG(arg));
+
+    xc_hypercall_buffer_free(handle, arg);
+    return rc;
+}
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 827c5fa89d..6f6f3f73a8 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4509,6 +4509,7 @@ static int do_altp2m_op(
      case HVMOP_altp2m_get_mem_access:
      case HVMOP_altp2m_change_gfn:
      case HVMOP_altp2m_get_p2m_idx:
+    case HVMOP_altp2m_set_visibility:
          break;
default:
@@ -4786,6 +4787,19 @@ static int do_altp2m_op(
          break;
      }
+ case HVMOP_altp2m_set_visibility:
+    {
+        unsigned int idx = a.u.set_visibility.altp2m_idx;
+
+        if ( a.u.set_visibility.pad )
+            rc = -EINVAL;
+        else if ( !altp2m_active(d) )
+            rc = -EOPNOTSUPP;
+        else
+            rc = p2m_set_altp2m_view_visibility(d, idx,
+                                                a.u.set_visibility.visible);
+    }
+
      default:
          ASSERT_UNREACHABLE();
      }
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 1c398fdb6e..869339062b 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
      {
          v->arch.hvm.vmx.secondary_exec_control |= mask;
          __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
-        __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
+        __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_visible_eptp));
if ( cpu_has_vmx_virt_exceptions )
          {
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index 814d0c3253..052ae35c6f 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -492,8 +492,17 @@ int hap_enable(struct domain *d, u32 mode)
              goto out;
          }
+ if ( (d->arch.altp2m_visible_eptp = alloc_xenheap_page()) == NULL )
+        {
+            rv = -ENOMEM;
+            goto out;
+        }
+
          for ( i = 0; i < MAX_EPTP; i++ )
+        {
              d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+            d->arch.altp2m_visible_eptp[i] = mfn_x(INVALID_MFN);
+        }
for ( i = 0; i < MAX_ALTP2M; i++ )
          {
@@ -527,6 +536,12 @@ void hap_final_teardown(struct domain *d)
              d->arch.altp2m_eptp = NULL;
          }
+ if ( d->arch.altp2m_visible_eptp )
+        {
+            free_xenheap_page(d->arch.altp2m_visible_eptp);
+            d->arch.altp2m_visible_eptp = NULL;
+        }
+
          for ( i = 0; i < MAX_ALTP2M; i++ )
              p2m_teardown(d->arch.altp2m_p2m[i]);
      }
diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index eb0f0edfef..293f3e9419 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
      ept = &p2m->ept;
      ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
      d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
+    d->arch.altp2m_visible_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
  }
unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index b8727e267d..4c1507d3a4 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2533,6 +2533,7 @@ void p2m_flush_altp2m(struct domain *d)
      {
          p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
          d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+        d->arch.altp2m_visible_eptp[i] = mfn_x(INVALID_MFN);
      }
altp2m_list_unlock(d);
@@ -2652,7 +2653,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned 
int idx)
          {
              p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
              d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
-            mfn_x(INVALID_MFN);
+                mfn_x(INVALID_MFN);
+            d->arch.altp2m_visible_eptp[array_index_nospec(idx, MAX_EPTP)] =
+                mfn_x(INVALID_MFN);
              rc = 0;
          }
      }
@@ -2679,7 +2682,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, 
unsigned int idx)
      rc = -EINVAL;
      altp2m_list_lock(d);
- if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
+    if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) )
      {
          for_each_vcpu( d, v )
              if ( idx != vcpu_altp2m(v).p2midx )
@@ -3163,6 +3166,33 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, 
bool *suppress_ve,
return rc;
  }
+
+int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int altp2m_idx,
+                                   uint8_t visible)
+{
+    int rc = 0;
+
+    altp2m_list_lock(d);
+
+    /*
+     * Eptp index is correlated with altp2m index and should not exceed
+     * min(MAX_ALTP2M, MAX_EPTP).
+     */
+    if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
+         d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
+         mfn_x(INVALID_MFN) )
+        rc = -EINVAL;
+    else if ( visible )
+        d->arch.altp2m_visible_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
+            d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)];
+    else
+        d->arch.altp2m_visible_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
+            mfn_x(INVALID_MFN);
+
+    altp2m_list_unlock(d);
+
+    return rc;
+}
  #endif
/*
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index 105adf96eb..4192c636b1 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -327,6 +327,7 @@ struct arch_domain
      struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
      mm_lock_t altp2m_list_lock;
      uint64_t *altp2m_eptp;
+    uint64_t *altp2m_visible_eptp;
  #endif
/* NB. protected by d->event_lock and by irq_desc[irq].lock */
diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
index a2c6049834..ace3573ae8 100644
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -898,6 +898,10 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int 
idx,
  int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn,
                                  mfn_t mfn, unsigned int page_order,
                                  p2m_type_t p2mt, p2m_access_t p2ma);
+
+/* Set a specific p2m view visibility */
+int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int idx,
+                                   uint8_t visible);
  #else
  struct p2m_domain *p2m_get_altp2m(struct vcpu *v);
  static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) {}
diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
index b599d3cbd0..870ec52060 100644
--- a/xen/include/public/hvm/hvm_op.h
+++ b/xen/include/public/hvm/hvm_op.h
@@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
      uint16_t altp2m_idx;
  };
+struct xen_hvm_altp2m_set_visibility {
+    uint16_t altp2m_idx;
+    uint8_t visible;
+    uint8_t pad;
+};
+
  struct xen_hvm_altp2m_op {
      uint32_t version;   /* HVMOP_ALTP2M_INTERFACE_VERSION */
      uint32_t cmd;
@@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
  #define HVMOP_altp2m_get_p2m_idx          14
  /* Set the "Supress #VE" bit for a range of pages */
  #define HVMOP_altp2m_set_suppress_ve_multi 15
+/* Set visibility for a given altp2m view */
+#define HVMOP_altp2m_set_visibility       16
      domid_t domain;
      uint16_t pad1;
      uint32_t pad2;
@@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
          struct xen_hvm_altp2m_suppress_ve_multi    suppress_ve_multi;
          struct xen_hvm_altp2m_vcpu_disable_notify  disable_notify;
          struct xen_hvm_altp2m_get_vcpu_p2m_idx     get_vcpu_p2m_idx;
+        struct xen_hvm_altp2m_set_visibility       set_visibility;
          uint8_t pad[64];
      } u;
  };




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.