x86/tboot: disable interrupts after map_pages_to_xen() in tboot_shutdown()

Move the point where interrupts are disabled in tboot_shutdown
to slightly later, to after the call to map_pages_to_xen.

This patch originated in OpenXT with the following report:

"Disabling interrupts early causes debug assertions.

This is only seen with debug builds but since it causes assertions it is
probably a bigger problem. It clearly says in map_pages_to_xen that it
should not be called with interrupts disabled. Moved disabling to just
after that call."

The Xen code comment ahead of map_pages_to_xen notes that the CPU cache
flushing in map_pages_to_xen differs depending on whether interrupts are
enabled or not. The flush logic with interrupts enabled is more
conservative, flushing all CPUs' TLBs/caches, rather than just local.
This is just before the tboot memory integrity MAC calculation is performed
in the case of entering S3.

Original patch author credit: Ross Philipson.

Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
index cc268219ffe5ebfff4a541ae40bb5dfd24581e0e..59d7c477f42565dc7a7bf342b6d4ed49f7ed1626 100644 (file)
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -341,8 +341,6 @@ void tboot_shutdown(uint32_t shutdown_type)
 
     g_tboot_shared->shutdown_type = shutdown_type;
 
-    local_irq_disable();
-
     /* Create identity map for tboot shutdown code. */
     /* do before S3 integrity because mapping tboot may change xenheap */
     map_base = PFN_DOWN(g_tboot_shared->tboot_base);
@@ -357,6 +355,10 @@ void tboot_shutdown(uint32_t shutdown_type)
         return;
     }
 
+    /* Disable interrupts as early as possible but not prior to */
+    /* calling map_pages_to_xen */
+    local_irq_disable();
+
     /* if this is S3 then set regions to MAC */
     if ( shutdown_type == TB_SHUTDOWN_S3 )
     {