dgit.raspbian.org Git

libxl: helper function to send commands to traditional qemu

Introduce a helper function to send commands to traditional
qemu. qemu_pci_add_xenstore, qemu_pci_remove_xenstore,
libxl__domain_save_device_model and libxl_domain_unpause have
been refactored to use this function.

Signed-off-by: Shriram Rajagopalan <rshriram@cs.ubc.ca>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: bugfix: create_domain() return to caller if !daemonize

Currently the create_domain function does not honor
the daemonize flag properly. It exits irrespective of
the value of the flag. This patch fixes the issue.

Signed-off-by: Shriram Rajagopalan <rshriram@cs.ubc.ca>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: add reference for vcpu-set command.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

stubdom: update README to reference xl configuration syntax

Remove reference to fsback -- it was removed some time ago.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

mini-os: stop compiler complaint about unused variables

gcc (GCC) 4.6.2 20111027 (Red Hat 4.6.2-1) complains about unused variables
in mini-os drivers

Signed-off-by: John McDermott <john.mcdermott@nrl.navy.mil>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

gnttab: miscellaneous fixes

- _GTF_* constants name bit positions, so binary arithmetic on them is
  wrong
- gnttab_clear_flag() cannot (on x86 and ia64 at least) simply use
  clear_bit(), as that may access more than the two bytes that are
  intended to be accessed

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

arm: copy DTB appended to zImage

When copying a zImage from flash, also copy any appended device tree
blob.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: support zImage format kernels for dom0

Allow a zImage format kernel to be used for dom0. zImages are (by
default) hardcoded with the RAM location so adjust the RAM in the
memory map to match the physical memory map (0x80000000).

Vmlinux ELF images are loaded using a hack to locate the RAM so the
IPA is the same as the kernel's VA so the elf loader does the right
thing. If an ELF image is loaded the RAM will be located at
0xC0000000 (as before).

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: makefiles

Makefile and config options for the ARM architecture.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: define stub arch_dump_shared_mem_info

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <Stefano.Stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: define domain_pirq_to_irq

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <Stefano.Stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Tools: Make xen-access test compile in 32 bits mode

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Keir Fraser <keir@xen.org>

CONFIG: remove #ifdef __ia64__ from the x86 arch tree

__ia64__ really really should not be defined in the x86 arch subtree,
so remove it from xen/include/public/arch-x86/hvm/save.h

This in turn allows the removal of VIOAPIC_IS_IOSAPIC, as x86 does not
use streamlined {IO,L}APICs, allowing for the removal of more code
from the x86 tree.

Changes since v2:
*  Leave the EOI register write protected by VIOAPIC_VERSION_ID >=
    0x20.  Currently, only version 0x11 is emulated, but leave this
    correct code in place in case a decision is make to emulate the
    newer version.

Changes since v1:
*  Refresh patch following the decision not to try emulating a
    version 0x20 IOAPIC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

CONFIG: remove CONFIG_SMP #ifdefs

CONFIG_SMP is always enabled and !CONFIG_SMP is not supported. So
simplify the code a little by removing all #ifdefs.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

tools/python: remove references to removed libflask from setup.py

Build in SLES11 SP1/2 fails after libflask removal.

> building 'flask' extension
> error: ../../tools/flask/libflask/libflask.so: No such file or
> directory
> make[3]: *** [install] Error 1
> make[3]: Leaving directory
> `/usr/src/packages/BUILD/xen-4.2.24701/non-dbg/tools/python'
> make[2]: *** [subdir-install-python] Error 2

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Keir Fraser <keir@xen.org>

vpmu: Rename PASSIVE_DOMAIN_ALLOCATED

This patch renames the define PASSIVE_DOMAIN_ALLOCATED to follow the
same scheme of the other defines.

Signed-off-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Committed-by: Keir Fraser <keir@xen.org>

vpmu: Remove unnecessary spaces at the end of lines

Signed-off-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Committed-by: Keir Fraser <keir@xen.org>

vpmu: Use macros to access struct vpmu_struct.flags

This patch introduces some macros realising the access to the item
'flags' in the struct vpmu_struct (see
xen/include/asm-x86/hvm/vpmu.h). Only bits within 'flags' are
set/reset/checked.

Signed-off-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Committed-by: Keir Fraser <keir@xen.org>

amd iommu: Remove redundant checks from iommu emulation code path

Signed-off-by: Wei Wang <wei.wang2@amd.com>
Committed-by: Keir Fraser <keir@xen.org>

arm: vtimer

Emulation of the generic timer kernel registers.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: vgic emulation

- emulation of the GICD interface for the guest;

- interrupt injection into the guest;

- keep track of inflight irqs using a list, ordered by priority.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: trap handlers

Functions executed exiting from the guest and returning to the guest:
trap and hypercall handlers and leave_hypervisor_tail.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: driver for the generic timer for ARMv7

Driver for the generic timer for ARMv7 with virtualization extensions.
Currently it is based on the kernel timer rather than the hypervisor timer
because the latter does not work correctly on our test environment.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: shutdown, smp and smpboot

Dummy implementation of machine_* and smp_*

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: early setup code

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: pl011 UART driver

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: mm and p2m

Functions to setup pagetables, handle the p2m, map and unmap domain
pages, copy data to/from guest addresses.
The implementation is based on the LPAE extension for ARMv7 and makes
use of the two level transtion mechanism.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: irq

A simple do_IRQ and request_irq implementation for ARM.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: mmio handlers

Basic infrastructure to emulate mmio reads and writes.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: driver for CoreLink GIC-400 Generic Interrupt Controller

- GICC, GICD and GICH initialization;

- interrupts routing, acking and EOI;

- interrupt injection into guests;

- maintenance interrupt handler, that takes care of EOI physical
interrupts on behalf of the guest;

- a function to remap the virtual cpu interface into the guest address
space, where the guest expect the GICC to be.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: domain_build

Functions to build dom0: memory allocation, p2m construction, mappings
of the MMIO regions, ATAG setup.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: domain

Domain creation and destruction, vcpu initialization and destruction,
arch specific scheduling functions called by common code.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: entry.S and head.S

Low level assembly routines, including entry.S and head.S.
Also the linker script and a collection of dummy functions that we plan
to reduce to zero as soon as possible.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: bit manipulation, copy and division libraries

Bit manipulation, division and memcpy & friends implementations for the
ARM architecture, shamelessly taken from Linux.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: header files

A simple implementation of everything under asm-arm and arch-arm.h; some
of these files are shamelessly taken from Linux.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

arm: compile tmem

Include few missing header files; introduce defined(CONFIG_ARM) where
required.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xen/common/Makefile: introduce HAS_{CPUFREQ,PCI,PASSTHROUGH,NS16550,KEXEC}

- make the compilation of ns16550.c depend upon HAS_NS16550;

- make the compilation of cpufreq depend upon HAS_CPUFREQ;

- make the compilation of pci depend upon HAS_PCI;

- make the compilation of passthrough depend upon HAS_PASSTHROUGH;

- make the compilation of kexec depend upon HAS_KEXEC.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
---
xen/arch/ia64/Rules.mk        |    5 +++++
xen/arch/x86/Rules.mk         |    5 +++++
xen/common/Makefile           |    2 +-
xen/common/shutdown.c         |    4 ++++
xen/drivers/Makefile          |    6 +++---
xen/drivers/char/Makefile     |    2 +-
xen/drivers/char/console.c    |    4 ++++
xen/include/asm-ia64/config.h |    1 +
xen/include/asm-x86/config.h  |    1 +
9 files changed, 25 insertions(+), 5 deletions(-)

x86: add Ivy Bridge model numbers to model specific MSR handling

This is model 0x3a (decimal 58) as per the most recent SDM.

In vPMU code, also add a forgotten earlier model.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Xiantao Zhang<xiantao.zhang@intel.com>

libxc: Replace malloc with alloca in hot path

Replace malloc with alloc in hot paths for improved performance.

Signed-off-by: Santosh Jodh <santosh.jodh@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

irq: Add extra debugging to help track down why an assertion is failing

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

pygrub: extlinux parsing correctness

The "in" operator should be used instead of the find method, since
we are only interested in knowing whether the line contains "initrd=",
but we don't care about it's position. Also fixes an error that
happens when initrd= it's at the start of the line, since find returns
0 and is evaluated as False.

Signed-off-by: Roger Pau Monne <roger.pau@entel.upc.edu>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxl: remove shebang from bash_completion helper

Fix rpmlint warning:

xen-tools.x86_64: W: sourced-script-with-shebang
/etc/bash_completion.d/xl.sh /bin/bash
This text file contains a shebang, but is meant to be sourced, not executed.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: use json output by default

Move the sxp producing code off into a separate file. It is supported
for legacy reasons and needn't be updated other than the improve
compatibility with xm.

libxl_domain_config is not currently generated by the IDL (adding the
necessary support for Array types is on my to do list) so hand code
the json generation function for now.

Since this rather directly exposes a libxl data structure it's not
clear what sort of forward compatibility guarantees we can
make. However it seems like it should be as stable as libxl's own API
(which we are looking to stabilise)

(Gratuitous string.h include needed for memset in libxl_util.h)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xl: Drop -l option to xl cpupool-list

The implementation (which was a nop) was removed back in 22838:aab67c1c6b87 but
this now causes "set but not used" warnings from some compilers. Might as well
just nuke the option entirely.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Juergen Gross <juergen.gross@ts.fujitsu.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/AMD: Add support for AMD's OSVW feature in guests.

In some cases guests should not provide workarounds for errata even when the
physical processor is affected. For example, because of erratum 400 on family
10h processors a Linux guest will read an MSR (resulting in VMEXIT) before
going to idle in order to avoid getting stuck in a non-C0 state. This is not
necessary: HLT and IO instructions are intercepted and therefore there is no
reason for erratum 400 workaround in the guest.

This patch allows us to present a guest with certain errata as fixed,
regardless of the state of actual hardware.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
Acked-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>

Fix error recovery path in __gnttab_map_grant_ref

In file grant_table.c function __gnttab_map_grant_ref, if
__get_paged_frame failed, the effect of _set_status previously
called should be rollback, so the flag GTF_reading and _GTF_writing
will be recovered.

Signed-off-by: Haoyu Zhang <haoyu.zhang@huawei.com>
Signed-off-by: Liang Wang <hzwangliang.wang@huawei.com>
Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Committed-by: Keir Fraser <keir@xen.org>

IO-APIC: Reformat IO-APIC RTE debug info (v2)

Having the columns aligned makes for much easier reading.  Also remove
the commas which only add to visual clutter in combination with
spaces.

Furthermore, printing fewer characters makes it less likely that the
serial buffer will overflow resulting in loss of critical debugging
information.

Changes since v1:
*  Format vector as hex rather than dec
*  Contract some names
*  destination mode uses 'L' or 'P' instead of full words
*  trigger mode uses 'L' or 'E' instead of full words
*  delivery mode uses short string instead of a number

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

IOMMU: Update the maintainer list of VT-d

Signed-off-by: Xiantao Zhang <xiantao.zhang@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

.hgignore/.gitignore: Add some tools/tests binaries

Signed-off-by: Keir Fraser <keir@xen.org>

Tools: build tests

Build tests as part of the tools build.

It is enabled with CONFIG_TESTS in Config.mk

Currently disabled build of tests/regressions and tests/xen-access (in
32-bit mode) as they fail.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xen: Remove unused vsscanf/sscanf functions

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask: Update flask_op hypercall structure

Instead of placing string parsing inside the hypervisor, use binary
structures like other Xen hypercalls do.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

.gitignore/.hgignore: add missing output files

- extras/mini-os/include/list.h (already in .hgignore)
- tools/flask/flask-{get,set}-bool
- tools/flask/loadpolicy no longer exists
- tools/xenstore/init-xenstore-domain

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

tools/flask: remove libflask

This library has been deprecated since July 2010; remove the in-tree
users and library.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

ia64: fix build (next instance)

A number of build problems crept in once again. Fix them.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

Fix x86_32 build

Signed-off-by: Tim Deegan <tim@xen.org>

x86: avoid deadlock after a PCI SERR NMI

If a PCI System Error (SERR) is asserted it causes an NMI. If this NMI
occurs while the CPU is in printk() then Xen may deadlock as
pci_serr_error() calls console_force_unlock() which screws up the
console lock.

printk() isn't safe to call from NMI context so defer the diagnostic
message to a softirq.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Tested-by: George Dunlap <george.dunlap@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

xsm/flask: Improve domain ID auditing in AVCs

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask/policy: Add boolean example

This shows an example boolean (prot_doms_locked) which can be set at
runtime to prevent dom0 from mapping memory of domains of type
prot_domU_t.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask: add flask-{get,set}-bool tools

These utilities can be used to modify policy booleans, which allow
minor policy changes without reloading the security policy. This can
be used to make security policy change based on external information
such as time of day, user physical presence, completion of system
boot, or other relevant variables.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

libflask: Add boolean manipulation functions

Add wrappers for getting and setting policy booleans by name or ID.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm/flask: allow policy booleans to be addressed by name

Booleans are currently only addressable by using a sequence number
that is not easily accessible to tools. Add new FLASK operations to
get/set booleans by name, and to get the name of a boolean given its
ID.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xen/xsm: fix incorrect handling of XSM hook return

If the XSM hook denied access, the execution incorrectly continued on
after an extra unlock domain.

Reported-by: John McDermott <john.mcdermott@nrl.navy.mil>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask/policy: use declare_domain for dom0_t

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask/policy: Add user and constraint examples

These examples show how to use constraints and the user field of the
security label to prevent communication between virtual machines of
different customers in a multi-tenant environment.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

flask/policy: Policy build updates

Eliminate temporary files used in creating FLASK policy to improve
error reporting during policy build. Syntax errors now point to the
file and line number visible to the user, not the intermediate
temporary file.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm/flask: Remove useless back pointers

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm/flask: Improve error reporting for ocontexts

Instead of returning -EINVAL for all errors, return -EEXIST if adding
an entry that overlaps with an existing entry, and -ENOENT if
attempting to remove an entry that does not exist. Adding an ocontext
that already exists with the same SID is no longer an error.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: Use mapped IRQ not PIRQ in unmap_domain_pirq

XSM permissions are defined in terms of IRQs, not PIRQs; use the
correct number when checking permission in unmap_domain_pirq.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: Add xsm_map_domain_pirq hook

When checking permissions in map_domain_pirq, the msi_desc field of
the irq_desc is not yet populated with the PCI device being used. Pass
in the msi_info structure which contains the intended PCI device whose
label will be used in the security check.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm/flask: Use PCI device label for PCI-MSI IRQs

Because the PCI-MSI IRQ numbers are allocated dynamically, labeling
them by number is not useful. Instead, for all IRQs beyond
nr_irqs_gsi, use the associated msi_desc to find the PCI device and
use the label of the PCI device for the IRQ.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: Add security label to IRQ debug output

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

xsm: Add security labels to event-channel dump

In FLASK, event channel labels are distinct from the labels of the
domain using them. When debugging policy issues, it is useful to be
able to view the current label of event channels; add this label to
the event channel dump.

This patch also adds the IRQ associated with a PIRQ for event channels
bound to a PIRQ, and moves the xen_consumer flag to the front to
create more consistent alignment in the output.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

Update QEMU_TAG, for CVE-2012-0029

x86/mm: Fix balooning+sharing

Never mind that ballooning a shared page makes no sense. We still fix it
because it may be exercised.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Make debug_{gfn, mfn, gref} calls to sharing more useful and correct

Have them used locked accesors to the gfn and the underlying shared mfn.

Have them return the number of shared refs to the underlying mfn.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Make sharing ASSERT check more accurate

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Fix paging stats

There are several corner cases in which a page is paged back in, not by paging,
and the stats are not properly updated.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Reorder locks used by shadow code in anticipation of synchronized p2m lookups

Currently, mm-locks.h enforces a strict ordering between locks in the mm
layer lest there be an inversion in the order locks are taken and thus
the risk of deadlock.

Once p2m lookups becoming synchronized, get_gfn* calls take the p2m lock, and a
new set of inversion arises. Reorder some of the locks in the shadow code so
that even in this case no deadlocks happen.

After this, synchronized p2m lookups are in principle ready to be enabled in
shadow mode.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Don't fail to nominate for paging on type flag, rather look at type count

Xen doesn't clean the type flag when dropping the type count for a page to
zero. So, looking at the type flag when nominating a page for paging it's
incorrect. Look at the type count instead.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Adin Scannell <adin@scannell.ca>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

x86/mm: Remove p2m_ram_paging_in

This state in the paging state machine became unnecessary after the last
few updates.

Once eliminated, rename p2m_ram_paging_in_start to p2m_ram_paging_in.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>

xl: allow enable automatic fallback to ACPI events if PV control not available.

Add a -F (fallbacks) option to xl destroy|reboot to cause an ACPI shutdown or
reset event to be sent to the guest in the event that the guest does not
support the PV control interface.

This is not the default because the response to these triggers is an
guest-internal configuration.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

docs: document /etc/xen/xl.conf

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: add named enum for timer mode.

Unlike previous iterations of this patch the enum values now match the
underlying domctl values.

I looked at updating xl.cfg(5) for these while I was here but frankly, even
after reading the comment in xen/include/public/hvm/params.h, I don't have a
clue what they mean, no_missed_ticks_pending in particular might as well be
written in klingon...

For the same reason I didn't try and give the enum more user-friendly names.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: drop libxl_cpuarray -- topology was the only user.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: expose cpu topology as a single list of cpu->{node,core,socket} maps.

Rather than the previous tripple list which is more complicated to work with
and harder for language bindings.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

ocaml: Topology.get returns an array not a single element.

The stub implementation appears to already be correct.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

ocaml: add helpers for Some/None option types.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: remove libxl_button_press in favour of libxl_send_trigger.

send_trigger already included all the operations covered by button_press.

Rework send_trigger to take an enum instead of a string.

I stopped short at removing the xl "button-press" command but instead have
marked it as deprecated.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: de-hard-tabbify idl.txt

Hard tabs were in the minority, nuke them.

Also we no longer supply the inaddr_ip builtin.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Rename libxl IDL infrastructure.

Originally libxltypes.py provided the infrastructure and libxl.idl provided the
specific types.

In 23887:a543e10211f7 libxl.idl became libxl_types.idl (to allow for
libxl_types_internal.idl) which means we now have libxl_types.FOO and
libxltypes.FOO providing different things and annoying people in tab
completion.

Rename the infrastructure as idl.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: only write "disable_pf" key to xenstore when it makes sense

This key is only used by the traditional qemu-dm when servicing an HVM domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: remove libxl_device_model_info.

All that is left here is the target domain's domid which we can pass around as
a parameter.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: move "saved_state" to libxl__domain_build_state.

This is internal to the library and need not be exposed to the user.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: move device model selection variables to b_info.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: remove uuid from device model info.

This should be managed by libxl and need not be exposed to the user.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: Remove libxl_device_model_info.type.

This is the type of the target guest which is part of the guest config.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: move gfx_passthru setting to b_info->u.hvm

Although xl parsed this value for both PV and HVM domains (and then a second
time for HVM domains) inside libxl it only impacts HVM guests so I think this
is the right place for it.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

libxl: HVM device configuration info build_info->u.hvm

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>