Xen project Mailing List

Re: [PATCH v3 16/16] x86/hyperlaunch: add capabilities to boot domain

To: Alejandro Vallejo <agarciav@xxxxxxx>

Date: Tue, 15 Apr 2025 08:38:36 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Jason Andryuk <jason.andryuk@xxxxxxx>

Delivery-date: Tue, 15 Apr 2025 06:38:48 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14.04.2025 21:31, Alejandro Vallejo wrote: > On Thu Apr 10, 2025 at 1:18 PM BST, Jan Beulich wrote: >> On 08.04.2025 18:07, Alejandro Vallejo wrote: >>> --- a/xen/arch/x86/domain-builder/fdt.c >>> +++ b/xen/arch/x86/domain-builder/fdt.c >>> @@ -257,6 +257,18 @@ static int __init process_domain_node( >>> bd->max_vcpus = val; >>> printk(" max vcpus: %d\n", bd->max_vcpus); >>> } >>> + else if ( strncmp(prop_name, "capabilities", name_len) == 0 ) >>> + { >>> + if ( fdt_prop_as_u32(prop, &bd->capabilities) != 0 ) >>> + { >>> + printk(" failed processing domain id for domain %s\n", >>> name); >>> + return -EINVAL; >>> + } >>> + printk(" caps: "); >>> + if ( bd->capabilities & BUILD_CAPS_CONTROL ) >>> + printk("c"); >>> + printk("\n"); >>> + } >> >> Like for the other patch: What about other bits being set in the value read? > > I take it that the non-worded suggestion is to have a mask of reserved > bits for each case and check they are not set (giving a warning if they are)? Whether a warning is sufficient I can't tell. I would have expected such to be outright rejected. >>> --- a/xen/arch/x86/setup.c >>> +++ b/xen/arch/x86/setup.c >>> @@ -1006,6 +1006,7 @@ static struct domain *__init create_dom0(struct >>> boot_info *bi) >>> { >>> char *cmdline = NULL; >>> size_t cmdline_size; >>> + unsigned int create_flags = 0; >>> struct xen_domctl_createdomain dom0_cfg = { >>> .flags = IS_ENABLED(CONFIG_TBOOT) ? XEN_DOMCTL_CDF_s3_integrity : >>> 0, >>> .max_evtchn_port = -1, >>> @@ -1037,7 +1038,10 @@ static struct domain *__init create_dom0(struct >>> boot_info *bi) >>> if ( bd->domid == DOMID_INVALID ) >>> /* Create initial domain. Not d0 for pvshim. */ >>> bd->domid = get_initial_domain_id(); >>> - d = domain_create(bd->domid, &dom0_cfg, pv_shim ? 0 : CDF_privileged); >>> + if ( bd->capabilities & BUILD_CAPS_CONTROL ) >>> + create_flags |= CDF_privileged; >> >> Seeing that builder_init() in the non-DT case sets the new bit >> unconditionally, >> isn't the shim's only domain suddenly getting CDF_privileged set this way? >> Oh, >> no, you then ... >> >>> + d = domain_create(bd->domid, &dom0_cfg, >>> + pv_shim ? 0 : create_flags); >> >> ... hide the flag here. Any reason to have the intermediate variable in the >> first place > > Well, the logic would end up fairly convoluted otherwise. As things > stand this can be encoded in an if-else fashion with 2 calls, but > there's 2 capability flags coming that need integrating together. > > This is just avoiding further code motion down the line. Is it? - d = domain_create(bd->domid, &dom0_cfg, pv_shim ? 0 : CDF_privileged); + d = domain_create(bd->domid, &dom0_cfg, + ((bd->capabilities & BUILD_CAPS_CONTROL) && !pv_shim + ? CDF_privileged : 0)); isn't really worse (imo), but is highlighting the problem more clearly: Why would the shim have BUILD_CAPS_CONTROL set in the first place? Without that the statement would remain pretty similar to what it was before. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.