}
+int xc_domain_irq_permission(int xc_handle,
+ uint32_t domid,
+ uint8_t pirq,
+ uint8_t allow_access)
+{
+ dom0_op_t op;
+
+ op.cmd = DOM0_IRQ_PERMISSION;
+ op.u.irq_permission.domain = domid;
+ op.u.irq_permission.pirq = pirq;
+ op.u.irq_permission.allow_access = allow_access;
+
+ return do_dom0_op(xc_handle, &op);
+}
+
+int xc_domain_iomem_permission(int xc_handle,
+ uint32_t domid,
+ unsigned long first_pfn,
+ unsigned long nr_pfns,
+ uint8_t allow_access)
+{
+ dom0_op_t op;
+
+ op.cmd = DOM0_IOMEM_PERMISSION;
+ op.u.iomem_permission.domain = domid;
+ op.u.iomem_permission.first_pfn = first_pfn;
+ op.u.iomem_permission.nr_pfns = nr_pfns;
+ op.u.iomem_permission.allow_access = allow_access;
+
+ return do_dom0_op(xc_handle, &op);
+}
+
/*
* Local variables:
* mode: C
uint32_t nr_ports,
uint32_t allow_access);
+int xc_domain_irq_permission(int xc_handle,
+ uint32_t domid,
+ uint8_t pirq,
+ uint8_t allow_access);
+
+int xc_domain_iomem_permission(int xc_handle,
+ uint32_t domid,
+ unsigned long first_pfn,
+ unsigned long nr_pfns,
+ uint8_t allow_access);
+
unsigned long xc_make_page_below_4G(int xc_handle, uint32_t domid,
unsigned long mfn);
return zero;
}
+static PyObject *pyxc_domain_irq_permission(PyObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ XcObject *xc = (XcObject *)self;
+ uint32_t dom;
+ int pirq, allow_access, ret;
+
+ static char *kwd_list[] = { "dom", "pirq", "allow_access", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "iii", kwd_list,
+ &dom, &pirq, &allow_access) )
+ return NULL;
+
+ ret = xc_domain_irq_permission(
+ xc->xc_handle, dom, pirq, allow_access);
+ if ( ret != 0 )
+ return PyErr_SetFromErrno(xc_error);
+
+ Py_INCREF(zero);
+ return zero;
+}
+
+static PyObject *pyxc_domain_iomem_permission(PyObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ XcObject *xc = (XcObject *)self;
+ uint32_t dom;
+ unsigned long first_pfn, nr_pfns, allow_access, ret;
+
+ static char *kwd_list[] = { "dom", "first_pfn", "nr_pfns", "allow_access", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "illi", kwd_list,
+ &dom, &first_pfn, &nr_pfns, &allow_access) )
+ return NULL;
+
+ ret = xc_domain_iomem_permission(
+ xc->xc_handle, dom, first_pfn, nr_pfns, allow_access);
+ if ( ret != 0 )
+ return PyErr_SetFromErrno(xc_error);
+
+ Py_INCREF(zero);
+ return zero;
+}
+
static PyObject *dom_op(XcObject *self, PyObject *args,
int (*fn)(int, uint32_t))
" allow_access [int]: Non-zero means enable access; else disable access\n\n"
"Returns: [int] 0 on success; -1 on error.\n" },
+ { "domain_irq_permission",
+ (PyCFunction)pyxc_domain_irq_permission,
+ METH_VARARGS | METH_KEYWORDS, "\n"
+ "Allow a domain access to a physical IRQ\n"
+ " dom [int]: Identifier of domain to be allowed access.\n"
+ " pirq [int]: The Physical IRQ\n"
+ " allow_access [int]: Non-zero means enable access; else disable access\n\n"
+ "Returns: [int] 0 on success; -1 on error.\n" },
+
+ { "domain_iomem_permission",
+ (PyCFunction)pyxc_domain_iomem_permission,
+ METH_VARARGS | METH_KEYWORDS, "\n"
+ "Allow a domain access to a range of IO memory pages\n"
+ " dom [int]: Identifier of domain to be allowed access.\n"
+ " first_pfn [long]: First page of I/O Memory\n"
+ " nr_pfns [long]: Number of pages of I/O Memory (>0)\n"
+ " allow_access [int]: Non-zero means enable access; else disable access\n\n"
+ "Returns: [int] 0 on success; -1 on error.\n" },
+
{ "pages_to_kib",
(PyCFunction)pyxc_pages_to_kib,
METH_VARARGS, "\n"
*/
void physdev_init_dom0(struct domain *d)
{
- set_bit(_DOMF_physdev_access, &d->domain_flags);
+ if (iomem_permit_access(d, 0UL, ~0UL))
+ BUG();
+ if (irqs_permit_access(d, 0, NR_PIRQS-1))
+ BUG();
}
unsigned int vmx_dom0 = 0;
unsigned long flags;
int rc = 0;
- if ( !IS_CAPABLE_PHYSDEV(d->domain) )
- return -EPERM;
-
spin_lock_irqsave(&desc->lock, flags);
action = (irq_guest_action_t *)desc->action;
op->u.ioport_permission.domain)) == NULL) )
break;
- ret = 0;
- if ( np > 0 )
- {
- if ( op->u.ioport_permission.allow_access )
- ioport_range_permit(d, fp, fp + np - 1);
- else
- ioport_range_deny(d, fp, fp + np - 1);
- }
+ if ( np == 0 )
+ ret = 0;
+ else if ( op->u.ioport_permission.allow_access )
+ ret = ioports_permit_access(d, fp, fp + np - 1);
+ else
+ ret = ioports_deny_access(d, fp, fp + np - 1);
put_domain(d);
}
return page;
}
-static void process_dom0_ioports_disable()
+static void process_dom0_ioports_disable(void)
{
unsigned long io_from, io_to;
char *t, *u, *s = opt_dom0_ioports_disable;
printk("Disabling dom0 access to ioport range %04lx-%04lx\n",
io_from, io_to);
- ioport_range_deny(dom0, io_from, io_to);
+ if ( ioports_deny_access(dom0, io_from, io_to) != 0 )
+ BUG();
}
}
printk("dom0: shadow setup done\n");
}
+ i = 0;
+
/* DOM0 is permitted full I/O capabilities. */
- ioport_range_permit(dom0, 0, 0xFFFF);
- set_bit(_DOMF_physdev_access, &dom0->domain_flags);
+ i |= ioports_permit_access(dom0, 0, 0xFFFF);
+ i |= iomem_permit_access(dom0, 0UL, ~0UL);
+ i |= irqs_permit_access(dom0, 0, NR_PIRQS-1);
/*
* Modify I/O port access permissions.
*/
/* Master Interrupt Controller (PIC). */
- ioport_range_deny(dom0, 0x20, 0x21);
+ i |= ioports_deny_access(dom0, 0x20, 0x21);
/* Slave Interrupt Controller (PIC). */
- ioport_range_deny(dom0, 0xA0, 0xA1);
+ i |= ioports_deny_access(dom0, 0xA0, 0xA1);
/* Interval Timer (PIT). */
- ioport_range_deny(dom0, 0x40, 0x43);
+ i |= ioports_deny_access(dom0, 0x40, 0x43);
/* PIT Channel 2 / PC Speaker Control. */
- ioport_range_deny(dom0, 0x61, 0x61);
+ i |= ioports_deny_access(dom0, 0x61, 0x61);
/* Command-line I/O ranges. */
process_dom0_ioports_disable();
+ BUG_ON(i != 0);
+
return 0;
}
int pirq_guest_bind(struct vcpu *v, int irq, int will_share)
{
unsigned int vector = irq_to_vector(irq);
- struct domain *d = v->domain;
irq_desc_t *desc = &irq_desc[vector];
irq_guest_action_t *action;
unsigned long flags;
int rc = 0;
cpumask_t cpumask = CPU_MASK_NONE;
- if ( !IS_CAPABLE_PHYSDEV(d) )
- return -EPERM;
-
if ( vector == 0 )
return -EBUSY;
#include <xen/softirq.h>
#include <xen/domain_page.h>
#include <xen/event.h>
+#include <xen/iocap.h>
#include <asm/shadow.h>
#include <asm/page.h>
#include <asm/flushtlb.h>
unsigned long mfn = l1e_get_pfn(l1e);
struct pfn_info *page = pfn_to_page(mfn);
int okay;
- extern int domain_iomem_in_pfn(struct domain *d, unsigned long pfn);
if ( !(l1e_get_flags(l1e) & _PAGE_PRESENT) )
return 1;
if ( d == dom_io )
d = current->domain;
- if ( (!IS_PRIV(d)) &&
- (!IS_CAPABLE_PHYSDEV(d) || !domain_iomem_in_pfn(d, mfn)) )
+ if ( !iomem_access_permitted(d, mfn, mfn) )
{
MEM_LOG("Non-privileged attempt to map I/O space %08lx", mfn);
return 0;
break;
case MMUEXT_FLUSH_CACHE:
- if ( unlikely(!IS_CAPABLE_PHYSDEV(d)) )
+ if ( unlikely(!cache_flush_permitted(d)) )
{
MEM_LOG("Non-physdev domain tried to FLUSH_CACHE.");
okay = 0;
extern int ioapic_guest_read(int apicid, int address, u32 *pval);
extern int ioapic_guest_write(int apicid, int address, u32 pval);
-/* Check if a domain controls a device with IO memory within frame @pfn.
- * Returns: 1 if the domain should be allowed to map @pfn, 0 otherwise. */
-int domain_iomem_in_pfn(struct domain *p, unsigned long pfn)
-{
- return 0;
-}
-
/*
* Demuxing hypercall.
*/
unsigned int port, unsigned int bytes,
struct vcpu *v, struct cpu_user_regs *regs)
{
- return ioport_range_access_permitted(v->domain, port, port + bytes - 1);
+ return ioports_access_permitted(v->domain, port, port + bytes - 1);
}
/* Check admin limits. Silently fail the access if it is disallowed. */
case 0x09: /* WBINVD */
/* Ignore the instruction if unprivileged. */
- if ( !IS_CAPABLE_PHYSDEV(v->domain) )
+ if ( !cache_flush_permitted(v->domain) )
DPRINTK("Non-physdev domain attempted WBINVD.\n");
else
wbinvd();
#include <xen/domain_page.h>
#include <xen/trace.h>
#include <xen/console.h>
+#include <xen/iocap.h>
#include <asm/current.h>
#include <public/dom0_ops.h>
#include <public/sched_ctl.h>
}
}
break;
+
case DOM0_SETDEBUGGING:
{
struct domain *d;
}
break;
+ case DOM0_IRQ_PERMISSION:
+ {
+ struct domain *d;
+ unsigned int pirq = op->u.irq_permission.pirq;
+
+ ret = -EINVAL;
+ if ( pirq >= NR_PIRQS )
+ break;
+
+ ret = -ESRCH;
+ d = find_domain_by_id(op->u.irq_permission.domain);
+ if ( d == NULL )
+ break;
+
+ if ( op->u.irq_permission.allow_access )
+ ret = irq_permit_access(d, pirq);
+ else
+ ret = irq_deny_access(d, pirq);
+
+ put_domain(d);
+ }
+ break;
+
+ case DOM0_IOMEM_PERMISSION:
+ {
+ struct domain *d;
+ unsigned long pfn = op->u.iomem_permission.first_pfn;
+ unsigned long nr_pfns = op->u.iomem_permission.nr_pfns;
+
+ ret = -EINVAL;
+ if ( (pfn + nr_pfns - 1) < pfn ) /* wrap? */
+ break;
+
+ ret = -ESRCH;
+ d = find_domain_by_id(op->u.iomem_permission.domain);
+ if ( d == NULL )
+ break;
+
+ if ( op->u.iomem_permission.allow_access )
+ ret = iomem_permit_access(d, pfn, pfn + nr_pfns - 1);
+ else
+ ret = iomem_deny_access(d, pfn, pfn + nr_pfns - 1);
+
+ put_domain(d);
+ }
+ break;
+
#ifdef PERF_COUNTERS
case DOM0_PERFCCONTROL:
{
rangeset_domain_initialise(d);
- if ( arch_do_createdomain(v) != 0 )
+ d->iomem_caps = rangeset_new(d, "I/O Memory", RANGESETF_prettyprint_hex);
+ d->irq_caps = rangeset_new(d, "Interrupts", 0);
+
+ if ( (d->iomem_caps == NULL) ||
+ (d->irq_caps == NULL) ||
+ (arch_do_createdomain(v) != 0) )
goto fail3;
if ( !is_idle_task(d) )
#include <xen/sched.h>
#include <xen/event.h>
#include <xen/irq.h>
+#include <xen/iocap.h>
#include <asm/current.h>
#include <public/xen.h>
if ( pirq >= ARRAY_SIZE(d->pirq_to_evtchn) )
return -EINVAL;
+ if ( !irq_access_permitted(d, pirq) )
+ return -EPERM;
+
spin_lock(&d->evtchn_lock);
if ( d->pirq_to_evtchn[pirq] != 0 )
#include <xen/sched.h>
#include <xen/event.h>
#include <xen/shadow.h>
+#include <xen/iocap.h>
#include <asm/current.h>
#include <asm/hardirq.h>
#include <public/memory.h>
!array_access_ok(extent_list, nr_extents, sizeof(*extent_list)) )
return 0;
- if ( (extent_order != 0) && !IS_CAPABLE_PHYSDEV(current->domain) )
+ if ( (extent_order != 0) &&
+ !multipage_allocation_permitted(current->domain) )
{
DPRINTK("Only I/O-capable domains may allocate multi-page extents.\n");
return 0;
return rangeset_contains_range(r, s, s);
}
+int rangeset_is_empty(
+ struct rangeset *r)
+{
+ return list_empty(&r->range_list);
+}
+
struct rangeset *rangeset_new(
struct domain *d, char *name, unsigned int flags)
{
static void ns16550_endboot(struct serial_port *port)
{
struct ns16550 *uart = port->uart;
- ioport_range_deny(dom0, uart->io_base, uart->io_base + 7);
+ if ( ioports_deny_access(dom0, uart->io_base, uart->io_base + 7) != 0 )
+ BUG();
}
#else
#define ns16550_endboot NULL
#ifndef __X86_IOCAP_H__
#define __X86_IOCAP_H__
-#define ioport_range_permit(d, s, e) \
+#define ioports_permit_access(d, s, e) \
rangeset_add_range((d)->arch.ioport_caps, s, e)
-#define ioport_range_deny(d, s, e) \
+#define ioports_deny_access(d, s, e) \
rangeset_remove_range((d)->arch.ioport_caps, s, e)
-#define ioport_range_access_permitted(d, s, e) \
+#define ioports_access_permitted(d, s, e) \
rangeset_contains_range((d)->arch.ioport_caps, s, e)
+#define cache_flush_permitted(d) \
+ (!rangeset_is_empty((d)->iomem_caps))
+
#endif /* __X86_IOCAP_H__ */
uint8_t enable;
} dom0_setdebugging_t;
+#define DOM0_IRQ_PERMISSION 46
+typedef struct {
+ domid_t domain; /* domain to be affected */
+ uint8_t pirq;
+ uint8_t allow_access; /* flag to specify enable/disable of IRQ access */
+} dom0_irq_permission_t;
+
+#define DOM0_IOMEM_PERMISSION 47
+typedef struct {
+ domid_t domain; /* domain to be affected */
+ unsigned long first_pfn; /* first page (physical page number) in range */
+ unsigned long nr_pfns; /* number of pages in range (>0) */
+ uint8_t allow_access; /* allow (!0) or deny (0) access to range? */
+} dom0_iomem_permission_t;
+
typedef struct {
uint32_t cmd;
uint32_t interface_version; /* DOM0_INTERFACE_VERSION */
dom0_max_vcpus_t max_vcpus;
dom0_setdomainhandle_t setdomainhandle;
dom0_setdebugging_t setdebugging;
+ dom0_irq_permission_t irq_permission;
+ dom0_iomem_permission_t iomem_permission;
uint8_t pad[128];
} u;
} dom0_op_t;
#define __attribute_used__ __attribute__((__unused__))
#endif
+#if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
+#define __must_check __attribute__((warn_unused_result))
+#else
+#define __must_check
+#endif
+
#endif /* __LINUX_COMPILER_H */
#include <xen/rangeset.h>
#include <asm/iocap.h>
+#define iomem_permit_access(d, s, e) \
+ rangeset_add_range((d)->iomem_caps, s, e)
+#define iomem_deny_access(d, s, e) \
+ rangeset_remove_range((d)->iomem_caps, s, e)
+#define iomem_access_permitted(d, s, e) \
+ rangeset_contains_range((d)->iomem_caps, s, e)
+
+#define irq_permit_access(d, i) \
+ rangeset_add_singleton((d)->irq_caps, i)
+#define irq_deny_access(d, i) \
+ rangeset_remove_singleton((d)->irq_caps, i)
+#define irqs_permit_access(d, s, e) \
+ rangeset_add_range((d)->irq_caps, s, e)
+#define irqs_deny_access(d, s, e) \
+ rangeset_remove_range((d)->irq_caps, s, e)
+#define irq_access_permitted(d, i) \
+ rangeset_contains_singleton((d)->irq_caps, i)
+
+#define multipage_allocation_permitted(d) \
+ (!rangeset_is_empty((d)->iomem_caps))
+
#endif /* __XEN_IOCAP_H__ */
#define _RANGESETF_prettyprint_hex 0
#define RANGESETF_prettyprint_hex (1U << _RANGESETF_prettyprint_hex)
+int __must_check rangeset_is_empty(
+ struct rangeset *r);
+
/* Add/remove/query a numeric range. */
-int rangeset_add_range(
+int __must_check rangeset_add_range(
struct rangeset *r, unsigned long s, unsigned long e);
-int rangeset_remove_range(
+int __must_check rangeset_remove_range(
struct rangeset *r, unsigned long s, unsigned long e);
-int rangeset_contains_range(
+int __must_check rangeset_contains_range(
struct rangeset *r, unsigned long s, unsigned long e);
/* Add/remove/query a single number. */
-int rangeset_add_singleton(
+int __must_check rangeset_add_singleton(
struct rangeset *r, unsigned long s);
-int rangeset_remove_singleton(
+int __must_check rangeset_remove_singleton(
struct rangeset *r, unsigned long s);
-int rangeset_contains_singleton(
+int __must_check rangeset_contains_singleton(
struct rangeset *r, unsigned long s);
/* Rangeset pretty printing. */
#include <xen/time.h>
#include <xen/ac_timer.h>
#include <xen/grant_table.h>
+#include <xen/rangeset.h>
#include <asm/domain.h>
extern unsigned long volatile jiffies;
u16 pirq_to_evtchn[NR_PIRQS];
u32 pirq_mask[NR_PIRQS/32];
+ /* I/O capabilities (access to IRQs and memory-mapped I/O). */
+ struct rangeset *iomem_caps;
+ struct rangeset *irq_caps;
+
unsigned long domain_flags;
unsigned long vm_assist;
/* Is this domain privileged? */
#define _DOMF_privileged 1
#define DOMF_privileged (1UL<<_DOMF_privileged)
- /* May this domain do IO to physical devices? */
-#define _DOMF_physdev_access 2
-#define DOMF_physdev_access (1UL<<_DOMF_physdev_access)
/* Guest shut itself down for some reason. */
-#define _DOMF_shutdown 3
+#define _DOMF_shutdown 2
#define DOMF_shutdown (1UL<<_DOMF_shutdown)
/* Guest is in process of shutting itself down (becomes DOMF_shutdown). */
-#define _DOMF_shuttingdown 4
+#define _DOMF_shuttingdown 3
#define DOMF_shuttingdown (1UL<<_DOMF_shuttingdown)
/* Death rattle. */
-#define _DOMF_dying 5
+#define _DOMF_dying 4
#define DOMF_dying (1UL<<_DOMF_dying)
/* Domain is paused by controller software. */
-#define _DOMF_ctrl_pause 6
+#define _DOMF_ctrl_pause 5
#define DOMF_ctrl_pause (1UL<<_DOMF_ctrl_pause)
/* Domain is being debugged by controller software. */
-#define _DOMF_debugging 7
+#define _DOMF_debugging 6
#define DOMF_debugging (1UL<<_DOMF_debugging)
#define IS_PRIV(_d) \
(test_bit(_DOMF_privileged, &(_d)->domain_flags))
-#define IS_CAPABLE_PHYSDEV(_d) \
- (test_bit(_DOMF_physdev_access, &(_d)->domain_flags))
#define VM_ASSIST(_d,_t) (test_bit((_t), &(_d)->vm_assist))
projects / xen.git / commitdiff