xen/arm: Create dom0less domUs earlier

In a follow-up patch we will need to unallocate the boot modules
before heap_init_late() is called.

The modules will contain the domUs kernel and initramfs. Therefore Xen
will need to create extra domUs (used by dom0less) before heap_init_late().

This has two consequences on dom0less:
    1) Domains will not be unpaused as soon as they are created but
    once all have been created. However, Xen doesn't guarantee an order
    to unpause, so this is not something one could rely on.

    2) The memory allocated for a domU will not be scrubbed anymore when an
    admin select bootscrub=on. This is not something we advertised, but if
    this is a concern we can introduce either force scrub for all domUs or
    a per-domain flag in the DT. The behavior for bootscrub=off and
    bootscrub=idle (default) has not changed.

This is part of XSA-372 / CVE-2021-28693.

Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Tested-by: Stefano Stabellini <sstabellini@kernel.org>

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 282416e74da452d5d06f95ed69712e7dbb6f2aae..6c86d527810fe63137378fdbfd22ee401143da1a 100644 (file)
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -2521,8 +2521,6 @@ void __init create_domUs(void)
 
         if ( construct_domU(d, node) != 0 )
             panic("Could not set up domain %s\n", dt_node_name(node));
-
-        domain_unpause_by_systemcontroller(d);
     }
 }
 
@@ -2584,7 +2582,7 @@ static int __init construct_dom0(struct domain *d)
     return construct_domain(d, &kinfo);
 }
 
-struct domain* __init create_dom0(void)
+void __init create_dom0(void)
 {
     struct domain *dom0;
     struct xen_domctl_createdomain dom0_cfg = {
@@ -2615,8 +2613,6 @@ struct domain* __init create_dom0(void)
 
     if ( construct_dom0(dom0) != 0)
         panic("Could not set up DOM0 guest OS\n");
-
-    return dom0;
 }
 
 /*

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 00aad1c194b9a7231d1f20d282057a85e80667ef..e17532c132cf16eb71d39e94da99dd1a8467411e 100644 (file)
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -836,7 +836,7 @@ void __init start_xen(unsigned long boot_phys_offset,
     int cpus, i;
     const char *cmdline;
     struct bootmodule *xen_bootmodule;
-    struct domain *dom0 = NULL;
+    struct domain *d;
     int rc;
 
     dcache_line_bytes = read_dcache_line_bytes();
@@ -992,10 +992,13 @@ void __init start_xen(unsigned long boot_phys_offset,
 
     /* Create initial domain 0. */
     if ( !is_dom0less_mode() )
-        dom0 = create_dom0();
+        create_dom0();
     else
         printk(XENLOG_INFO "Xen dom0less mode detected\n");
 
+    if ( acpi_disabled )
+        create_domUs();
+
     heap_init_late();
 
     init_trace_bufs();
@@ -1009,11 +1012,8 @@ void __init start_xen(unsigned long boot_phys_offset,
 
     system_state = SYS_STATE_active;
 
-    if ( acpi_disabled )
-        create_domUs();
-
-    if ( dom0 )
-        domain_unpause_by_systemcontroller(dom0);
+    for_each_domain( d )
+        domain_unpause_by_systemcontroller(d);
 
     /* Switch on to the dynamically allocated stack for the idle vcpu
      * since the static one we're running on is about to be freed. */

diff --git a/xen/include/asm-arm/setup.h b/xen/include/asm-arm/setup.h
index 5283244015118f4bd24cef0e38b28cb82b64320e..c4b6af602995edeaa94b8a606ab329b1940c3dd4 100644 (file)
--- a/xen/include/asm-arm/setup.h
+++ b/xen/include/asm-arm/setup.h
@@ -94,7 +94,7 @@ void acpi_create_efi_mmap_table(struct domain *d,
 int acpi_make_efi_nodes(void *fdt, struct membank tbl_add[]);
 
 void create_domUs(void);
-struct domain* create_dom0(void);
+void create_dom0(void);
 
 void discard_initial_modules(void);
 void fw_unreserved_regions(paddr_t s, paddr_t e,