Xen project Mailing List

Re: [PATCH v2 4/6] arm/mpu: Destroy an existing entry in Xen MPU memory mapping table

To: Hari Limaye <hari.limaye@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: "Orzel, Michal" <michal.orzel@xxxxxxx>

Date: Wed, 9 Jul 2025 10:03:35 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XBPbCObKd41Y8/NGu9mx8laYVJscCrnQJRfHXoz8O/A=; b=wgPNYtD2TCCpA4QixtME7as1z7uRqoO4UYiK4K4ecLhZMzBidjlWeNVbX4G+ixqOabnDRatEY2WjlBv8m6yr10Pj+93WEr0+0UPlNw9fznR54rnyEjjWcRhi20d1rISNfBkq27Xp1EgmTMSIKPaTE7obvll/jVxxqcEXF5N3ZGK+Jw6ZsdVEVn+oFRn6NivJhp3UAz86ZK767xyHGYoQ09BVPa0t698ZlqPa4XblDDECtC7CivmnaRlUEOccPy+2hWVIAPpOdUhWd7PBxz4eEtxI+1z2y4zMjf7ry0dFN+nEco0ks731U/9f+kp+cnpOPKIuJEQUpP3VffPaEVeU0Q==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=t7juVyS+MSK7HvFuNlAvx+IHQ2x1esGgrhfKmybr+VRvyULx96p7w5QJqss57ZITA7ZmxsQ6j7YBCGxRFQabhEal27Y5YrphvPZROWW22o/tpl7xt3AvGjarw0ExmIgGK352U7maUfA4hwUvPxXx/nedA7W5EBASkxI0Oz126WLNdhqY06+iK99HU/PiJyCO4naCVNhZ1TSjp3j5N736BhaA7A+EL2YV3i0vZTjBJDseLTsIX+6R2ejMzTC3y4ffDNQ9MBSOF4QNaXchBNkHw6ye4CkPEG9viLtGYgb35FH0u4VLVT/AhglGebHM8KxS9E+ZDSj2THAQz2dvhtLyDA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com;

Cc: luca.fancellu@xxxxxxx, Penny Zheng <Penny.Zheng@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Chen <wei.chen@xxxxxxx>

Delivery-date: Wed, 09 Jul 2025 08:03:55 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02/07/2025 16:13, Hari Limaye wrote: > From: Penny Zheng <Penny.Zheng@xxxxxxx> > > This commit expands xen_mpumap_update/xen_mpumap_update_entry to include > destroying an existing entry. > > We define a new helper "disable_mpu_region_from_index" to disable the MPU > region based on index. If region is within [0, 31], we could quickly > disable the MPU region through PRENR_EL2 which provides direct access to the > PRLAR_EL2.EN bits of EL2 MPU regions. > > Rignt now, we only support destroying a *WHOLE* MPU memory region, > part-region removing is not supported, as in worst case, it will > leave two fragments behind. > > Signed-off-by: Penny Zheng <penny.zheng@xxxxxxx> > Signed-off-by: Wei Chen <wei.chen@xxxxxxx> > Signed-off-by: Luca Fancellu <luca.fancellu@xxxxxxx> > Signed-off-by: Hari Limaye <hari.limaye@xxxxxxx> > --- > Changes from v1: > - Move check for part-region removal outside if condition > - Use normal printk > --- > xen/arch/arm/include/asm/mpu.h | 2 + > xen/arch/arm/include/asm/mpu/cpregs.h | 4 ++ > xen/arch/arm/mpu/mm.c | 69 ++++++++++++++++++++++++++- > 3 files changed, 73 insertions(+), 2 deletions(-) > > diff --git a/xen/arch/arm/include/asm/mpu.h b/xen/arch/arm/include/asm/mpu.h > index 63560c613b..5053edaf63 100644 > --- a/xen/arch/arm/include/asm/mpu.h > +++ b/xen/arch/arm/include/asm/mpu.h > @@ -23,6 +23,8 @@ > #define NUM_MPU_REGIONS_MASK (NUM_MPU_REGIONS - 1) > #define MAX_MPU_REGION_NR NUM_MPU_REGIONS_MASK > > +#define PRENR_MASK GENMASK(31, 0) > + > #ifndef __ASSEMBLY__ > > /* > diff --git a/xen/arch/arm/include/asm/mpu/cpregs.h > b/xen/arch/arm/include/asm/mpu/cpregs.h > index bb15e02df6..9f3b32acd7 100644 > --- a/xen/arch/arm/include/asm/mpu/cpregs.h > +++ b/xen/arch/arm/include/asm/mpu/cpregs.h > @@ -6,6 +6,9 @@ > /* CP15 CR0: MPU Type Register */ > #define HMPUIR p15,4,c0,c0,4 > > +/* CP15 CR6: Protection Region Enable Register */ > +#define HPRENR p15,4,c6,c1,1 > + > /* CP15 CR6: MPU Protection Region Base/Limit/Select Address Register */ > #define HPRSELR p15,4,c6,c2,1 > #define HPRBAR p15,4,c6,c3,0 > @@ -82,6 +85,7 @@ > /* Alphabetically... */ > #define MPUIR_EL2 HMPUIR > #define PRBAR_EL2 HPRBAR > +#define PRENR_EL2 HPRENR > #define PRLAR_EL2 HPRLAR > #define PRSELR_EL2 HPRSELR > #endif /* CONFIG_ARM_32 */ > diff --git a/xen/arch/arm/mpu/mm.c b/xen/arch/arm/mpu/mm.c > index dd54b66901..2e88c467d5 100644 > --- a/xen/arch/arm/mpu/mm.c > +++ b/xen/arch/arm/mpu/mm.c > @@ -185,6 +185,42 @@ static int xen_mpumap_alloc_entry(uint8_t *idx) > return 0; > } > > +/* > + * Disable and remove an MPU region from the data structure and MPU > registers. > + * > + * @param index Index of the MPU region to be disabled. > + */ > +static void disable_mpu_region_from_index(uint8_t index) > +{ > + ASSERT(spin_is_locked(&xen_mpumap_lock)); > + ASSERT(index != INVALID_REGION_IDX); > + > + if ( !region_is_valid(&xen_mpumap[index]) ) > + { > + printk(XENLOG_WARNING > + "mpu: MPU memory region[%u] is already disabled\n", index); > + return; > + } > + > + /* Zeroing the region will also zero the region enable */ > + memset(&xen_mpumap[index], 0, sizeof(pr_t)); Is it ok that for a fast case (i.e. 0-31) our representation of prbar/prlar will be different from the HW i.e. xen_mpumap[index] is 0 vs only .en bit of prlar being 0 in HW? > + clear_bit(index, xen_mpumap_mask); > + > + /* > + * Both Armv8-R AArch64 and AArch32 have direct access to the enable bit > for > + * MPU regions numbered from 0 to 31. > + */ > + if ( (index & PRENR_MASK) != 0 ) > + { > + /* Clear respective bit */ > + uint64_t val = READ_SYSREG(PRENR_EL2) & (~(1UL << index)); On AArch32 the register is 32bit, so I think you should use register_t type. > + > + WRITE_SYSREG(val, PRENR_EL2); > + } > + else > + write_protection_region(&xen_mpumap[index], index); > +} > + > /* > * Update the entry in the MPU memory region mapping table (xen_mpumap) for > the > * given memory range and flags, creating one if none exists. > @@ -203,11 +239,11 @@ static int xen_mpumap_update_entry(paddr_t base, > paddr_t limit, > ASSERT(spin_is_locked(&xen_mpumap_lock)); > > rc = mpumap_contains_region(xen_mpumap, max_mpu_regions, base, limit, > &idx); > - if ( !(rc == MPUMAP_REGION_NOTFOUND) ) > + if ( rc < 0 ) > return -EINVAL; > > /* We are inserting a mapping => Create new region. */ > - if ( flags & _PAGE_PRESENT ) > + if ( (flags & _PAGE_PRESENT) && (MPUMAP_REGION_NOTFOUND == rc) ) I think we need more sanity checking. What if flags has _PAGE_PRESENT but rc != MPUMAP_REGION_NOTFOUND, e.g. function called to modify existing entry? You will silently return success. Maybe a similar function as for MMU is needed to perform some sanity checks depending on the reason of the call? > { > rc = xen_mpumap_alloc_entry(&idx); > if ( rc ) > @@ -218,6 +254,20 @@ static int xen_mpumap_update_entry(paddr_t base, paddr_t > limit, > write_protection_region(&xen_mpumap[idx], idx); > } > > + /* > + * Currently, we only support destroying a *WHOLE* MPU memory region. > + * Part-region removal is not supported as in the worst case it will > leave > + * two fragments behind. > + */ > + if ( rc == MPUMAP_REGION_INCLUSIVE ) > + { > + printk("mpu: part-region removal is not supported\n"); You mention removal but why do you limit this place to removal only? You don't have any checks making sure that flags is 0 at this point. > + return -EINVAL; > + } > + > + if ( !(flags & _PAGE_PRESENT) && (rc >= MPUMAP_REGION_FOUND) ) > + disable_mpu_region_from_index(idx); > + > return 0; > } > > @@ -251,6 +301,21 @@ int xen_mpumap_update(paddr_t base, paddr_t limit, > unsigned int flags) > return rc; > } > > +int destroy_xen_mappings(unsigned long s, unsigned long e) > +{ > + int rc; > + > + ASSERT(IS_ALIGNED(s, PAGE_SIZE)); > + ASSERT(IS_ALIGNED(e, PAGE_SIZE)); > + ASSERT(s <= e); > + > + rc = xen_mpumap_update(virt_to_maddr(s), virt_to_maddr(e), 0); > + if ( !rc ) > + context_sync_mpu(); > + > + return rc; > +} > + > int map_pages_to_xen(unsigned long virt, mfn_t mfn, unsigned long nr_mfns, > unsigned int flags) > { ~Michal

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.