Xen project Mailing List

[XEN][PATCH 4/5] x86: pvh: allow to disable 32-bit interface support

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Grygorii Strashko <grygorii_strashko@xxxxxxxx>

Date: Tue, 11 Nov 2025 17:54:18 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3A7OT5/ufNOH81JW5rVPduye4mgGyIZJbGANJBYeD0g=; b=spZvHUtbIkqKEcf51X/JNwFYQQtSkSQ9++f5+pBEEGKCT3BT0iX+7o+iPQWjvZUcJkAiTVi1pvTL/Qn5hVuXkrQxcFJx6vfvjm14qyeX9dlVyH6mHoivTo6rrU1R2jC/oE74qU67mF5/ZUJtR/Q3H7ArbXsop0OvQQKVrykY69MItcwYPxZj3WavSYivMULadZEiVyb3Pa8eXjM+FN0/ZKbEvgkirPgx2tAX6PcCkEkR+mBh0QHpN1GpT4DMnFGILHgK6E45dN4lq/CNVTlQEPWztqG5YF5CYsWXAcfborMS7izx6UDOcMP+6BjpzQALckUAYtL0ItlWqW6flvTB5A==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=OycX37PFSRQ7kEwlQ7PN5S6yrKUfu9K9Kqvn/eGus2MXub8ly13AjXUA4TdH3B41fnXabLQDACYoYLOWb5C71QT9WPtTY0naPtnT6SPfeVzyUlPrZ6RDNNuXCGtNTrhtm9gYhVRLG/MEF6AcU0fkMYTtzVjGmUqU7o+fEOUoexFS8UIpYnsutmbR0S/MJbQQ9S8CXv54YLvMX3DbKIsQIdZQnc/qQiTAIieSwlQhQCMIhh6rKlRoQnxk1QX/I9whgmuXRFX5LUDeA4FJzJbkVLush/d8YNHs6g4wLp3f21zCAAA1idjG1Ufdn+RRe75scH1xI4GaFPXNGlnaj6BfzQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Grygorii Strashko <grygorii_strashko@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>

Delivery-date: Tue, 11 Nov 2025 17:54:26 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHcUzQz9f1HDJfsFUqvNYpVQZRYUQ==

Thread-topic: [XEN][PATCH 4/5] x86: pvh: allow to disable 32-bit interface support

From: Grygorii Strashko <grygorii_strashko@xxxxxxxx> For x86 Xen safety certification only PVH Gusts are selected to be allowed which are started by using direct Direct Kernel Boot only. There is also an assumption that x86 Guest's (OS) early boot code (which is running not in 64-bit mode) does not access Xen interfaces (hypercalls, shared_info, ..). In this case the Xen HVM 32-bit COMPAT interface become unused and leaves gaps in terms of coverage. Hence now all prerequisite changes are in place, introduce a CONFIG_HVM_COMPAT option through which HVM(PVH) 32-bit interface support on 64-bit Xen can be disabled. By default, CONFIG_HVM_COMPAT is ("y") enabled and accessible only in EXPERT mode. Signed-off-by: Grygorii Strashko <grygorii_strashko@xxxxxxxx> --- xen/arch/x86/hvm/Kconfig | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig index f10a2b374448..33152f2a6bbe 100644 --- a/xen/arch/x86/hvm/Kconfig +++ b/xen/arch/x86/hvm/Kconfig @@ -2,7 +2,6 @@ menuconfig HVM bool "HVM support" depends on !PV_SHIM_EXCLUSIVE default !PV_SHIM - select COMPAT select IOREQ_SERVER select MEM_ACCESS_ALWAYS_ON help @@ -70,4 +69,22 @@ config MEM_PAGING config MEM_SHARING bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED +config HVM_COMPAT + bool "HVM 32-bit interface support on 64-bit Xen" if EXPERT + select COMPAT + default y + help + The HVM 32-bit interface must be enabled for HVM domains to be able to + make hypercalls in 32bit mode. Non-PVH domains unconditionally need this + option so that hvmloader may issue hypercalls in 32bit mode. + + The HVM 32-bit interface can be disabled if: + - Only PVH domains are used + - Guests (OS) are started by using direct Direct Kernel Boot + - Guests (OS) are 64-bit and Guest early boot code, which is running not + in 64-bit mode, does not access Xen interfaces + (hypercalls, shared_info, ..) + + If unsure, say Y. + endif -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.