Xen project Mailing List

Re: [PATCH v2 18/26] xen/domctl: wrap xsm_getdomaininfo() with CONFIG_MGMT_HYPERCALLS

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Penny, Zheng" <penny.zheng@xxxxxxx>

Date: Sun, 28 Sep 2025 16:38:28 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: "Huang, Ray" <Ray.Huang@xxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Stabellini, Stefano" <stefano.stabellini@xxxxxxx>, "Andryuk, Jason" <Jason.Andryuk@xxxxxxx>

Delivery-date: Sun, 28 Sep 2025 14:38:38 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.09.2025 21:24, Stefano Stabellini wrote: > On Thu, 25 Sep 2025, Penny, Zheng wrote: >>> -----Original Message----- >>> From: Jan Beulich <jbeulich@xxxxxxxx> >>> Sent: Friday, September 26, 2025 2:53 PM >>> To: Penny, Zheng <penny.zheng@xxxxxxx> >>> Cc: Huang, Ray <Ray.Huang@xxxxxxx>; Daniel P. Smith >>> <dpsmith@xxxxxxxxxxxxxxxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx; Stabellini, >>> Stefano <stefano.stabellini@xxxxxxx>; Andryuk, Jason >>> <Jason.Andryuk@xxxxxxx> >>> Subject: Re: [PATCH v2 18/26] xen/domctl: wrap xsm_getdomaininfo() with >>> CONFIG_MGMT_HYPERCALLS >>> >>> On 26.09.2025 06:41, Penny, Zheng wrote: >>>>> -----Original Message----- >>>>> From: Jan Beulich <jbeulich@xxxxxxxx> >>>>> Sent: Thursday, September 25, 2025 10:29 PM >>>>> >>>>> On 25.09.2025 11:41, Penny, Zheng wrote: >>>>>>> -----Original Message----- >>>>>>> From: Jan Beulich <jbeulich@xxxxxxxx> >>>>>>> Sent: Thursday, September 11, 2025 9:30 PM >>>>>>> >>>>>>> On 10.09.2025 09:38, Penny Zheng wrote: >>>>>>>> --- a/xen/include/xsm/xsm.h >>>>>>>> +++ b/xen/include/xsm/xsm.h >>>>>>>> @@ -55,8 +55,8 @@ struct xsm_ops { >>>>>>>> void (*security_domaininfo)(struct domain *d, >>>>>>>> struct xen_domctl_getdomaininfo >>>>>>>> *info); >>>>>>>> int (*domain_create)(struct domain *d, uint32_t ssidref); >>>>>>>> - int (*getdomaininfo)(struct domain *d); >>>>>>>> #ifdef CONFIG_MGMT_HYPERCALLS >>>>>>>> + int (*getdomaininfo)(struct domain *d); >>>>>>>> int (*domctl_scheduler_op)(struct domain *d, int op); >>>>>>>> int (*sysctl_scheduler_op)(int op); >>>>>>>> int (*set_target)(struct domain *d, struct domain *e); @@ >>>>>>>> -234,7 >>>>>>>> +234,11 @@ static inline int xsm_domain_create( >>>>>>>> >>>>>>>> static inline int xsm_getdomaininfo(xsm_default_t def, struct >>>>>>>> domain >>>>>>>> *d) { >>>>>>>> +#ifdef CONFIG_MGMT_HYPERCALLS >>>>>>>> return alternative_call(xsm_ops.getdomaininfo, d); >>>>>>>> +#else >>>>>>>> + return -EOPNOTSUPP; >>>>>>>> +#endif >>>>>>>> } >>>>>>> >>>>>>> This is in use by a Xenstore sysctl and a Xenstore domctl. The >>>>>>> sysctl is hence already broken with the earlier series. Now the >>>>>>> domctl is also being screwed up. I don't think MGMT_HYPERCALLS >>>>>>> really ought to extend to any operations available to other than the >>>>>>> core >>> toolstack. >>>>>>> That's the Xenstore ones here, but also the ones used by qemu >>>>>>> (whether run in >>>>> Dom0 or a stubdom). >>>>>> >>>>>> Maybe not only limited to the core toolstack. In >>>>>> dom0less/hyperlaunched >>>>> scenarios, hypercalls are strictly limited. QEMU is also limited to >>>>> pvh machine type and with very restricted functionality(, only acting >>>>> as a few virtio-pci devices backend). @Andryuk, Jason @Stabellini, >>>>> Stefano Am I understanding correctly and thoroughly about our scenario >>>>> here for >>> upstream? >>>>>> Tracking the codes, if Xenstore is created as a stub domain, it >>>>>> requires >>>>> getdomaininfo-domctl to acquire related info. Sorry, I haven't found >>>>> how it was called in QEMU... >>>>> >>>>> It's not "it"; it's different ones. First and foremost I was thinking >>>>> of >>>>> * XEN_DOMCTL_ioport_mapping >>>>> * XEN_DOMCTL_memory_mapping >>>>> * XEN_DOMCTL_bind_pt_irq >>>>> * XEN_DOMCTL_unbind_pt_irq >>>>> but there may be others (albeit per the dummy xsm_domctl() this is >>>>> the full set). As a general criteria, anything using XSM_DM_PRIV >>>>> checking can in principle be called by qemu. >>>>> >>>> >>>> Understood. >>>> I assume that they are all for device passthrough. We are not accepting >>>> device >>> passthrough via core toolstack in dom0less/hyperlaunch-ed scenarios. Jason >>> has >>> developed device passthrough through device tree to only accept "static >>> configured" passthrough in dom0less/hyperlaunch-ed scenario, while it is >>> still >>> internal , it may be the only accept way to do device passthrough in >>> dom0less/hyperlaunch-ed scenario. >>> >>> Right, but no matter what your goals, the upstream contributions need to be >>> self- >>> consistent. I.e. not (risk to) break other functionality. (Really the four >>> domctl-s >>> mentioned above might better have been put elsewhere, e.g. as dm-ops. Moving >>> them may be an option here.) >> >> Understood. >> I'll move them all to the dm-ops > > Hi Penny, Jan, I advise against this. > > I think it is clear that there are open questions on how to deal with > the safety scenarios. I briefly mentioned some of the issues last week > at Xen Summit. One example is the listdomains hypercall that should be > available to the control domain. We cannot resolve all problems with > this patch series. I think we should follow a simpler plan: > > 1) introduce CONFIG_MGMT_HYPERCALLS the way this patch series does, > removing all domctls and sysctls > > 2) make further adjustments, such as making available the listdomains > hypercall and/or the hypercalls listed by Jan as a second step after > it I'm going to be okay-ish with that as long as the help text of the Kconfig option clearly mentions those extra pitfalls. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.