dgit.raspbian.org Git

xen: make clear gcov support limitation in Kconfig

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen: replace TEST_COVERAGE with CONFIG_GCOV

The sole purpose of TEST_COVERAGE macro is to guard the availability of
gcov sysctl. Now we have a proper CONFIG_GCOV, use it.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

gcov: collect more sections to constructor list

The version of gcc (4.9.2) I use put constructors into .init_array*
section(s). Collect those sections into constructor list as well.

Modify both arm and x86 scripts to keep them in sync.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen: indicate gcov in log messages

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>

docs: document old SUSE/Novell unplug for HVM

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

x86/hypercall: Reduce the size of the hypercall tables

The highest populated entry in each hypercall table is currently at index 49.
There is no need to extend both to tables to 64 entries.

Range check eax against the hypercall table array size, and use a
BUILD_BUG_ON() to ensure that the hypercall tables don't grow larger than the
args table.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/hypercall: Merge the hypercall arg tables

For the same reason as c/s 33a231e3f "x86/HVM: fold hypercall tables" and
c/s d6d67b047 "x86/pv: Merge the pv hypercall tables", this removes the
risk of accidentally updating only one of the tables.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/pv: Merge the pv hypercall tables

For the same reason as c/s 33a231e3f "x86/HVM: fold hypercall tables", this
removes the risk of accidentally updating only one of the tables.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

xen/multicall: Rework arch multicall handling

The x86 multicall handling was previously some very hairy inline assembly, and
is hard to follow and maintain.

Replace the existing do_multicall_call() with arch_do_multicall_call(). The
x86 side needs to handle both compat and non-compat calls, so pass the full
multicall state, rather than just the multicall_entry sub-structure.

On the ARM side, alter the prototype to match, but there is no resulting
functional change. On the x86 side, the implementation is now in plain C.

This allows the removal of both asm/multicall.h header files.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/hypercall: Move the hypercall tables into C

Editing (and indeed, finding) the hypercall tables can be tricky, especially
towards the end where .rept's are used to maintain the correct layout.

Move this all into C, and let the compiler do the hard work.

To do this, xen/hypercall.h and asm-x86/hypercall.h need to contain prototypes
for all the hypercalls; some were previously missing. This in turn requires
some shuffling of definitions and includes.

One difference is that NULL function pointers are used instead of
{,compat_}do_ni_hypercall(), which pv_hypercall() handles correctly. All
ni_hypercall() infrastructure is therefore dropped.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/pv: Implement pv_hypercall() in C

In a similar style to hvm_do_hypercall().  The C version is far easier to
understand and edit than the assembly versions.

There are a few small differences however.  The register clobbering values
have changed (to match the HVM side), and in particular clobber the upper
32bits of 64bit arguments.  The hypercall and performance counter record are
reordered to increase code sharing between the 32bit and 64bit cases.

The sole callers of __trace_hypercall_entry() were the assembly code.  Given
the new C layout, it is more convenient to fold __trace_hypercall_entry() into
pv_hypercall(), and call __trace_hypercall() directly.

Finally, pv_hypercall() will treat a NULL hypercall function pointer as
-ENOSYS, allowing further cleanup.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/hypercall: Move the hypercall arg tables into C

Editing (and indeed, finding) the hypercall args tables can be tricky,
especially towards the end where .rept's are used to maintain the correct
layout.

Move this all into C, and let the compiler do the hard work. As 0 is the
default value, drop all explicit 0's.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/pv: Support do_set_segment_base() for compat guests

set_segment_base is the only hypercall exists in only one of the two modes
guests might run in; all other hypercalls are either implemented, or
unimplemented in both modes.

Remove this split, by allowing do_set_segment_base() to be called in the
compat hypercall path. This change will simplify the verification logic in a
later change.

No behavioural change from a guests point of view.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

x86/hypercall: Move some of the hvm hypercall infrastructure into hypercall.h

It will be reused for PV hypercalls in subsequent changes.

* Rename hvm_hypercall_t to hypercall_fn_t
* Introduce hypercall_table_t

Finally, rework the #includes for hypercall.h so it may be included in
isolation.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

Config.mk: update OVMF commit

Signed-off-by: Wei Liu <wei.liu2@citrix.com>

Config.mk: update seabios to 1.9.3 release

Signed-off-by: Wei Liu <wei.liu2@citrix.com>

tools: add config parameter for maximum memory of xenstore domain

Add a parameter to xencommons configuration file for specifying the
maximum memory size of the xenstore domain.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

stubdom: add CONFIG_BALLOON to xenstore config

Compile xenstore stubdom with ballooning support.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: add --maxmem parameter to init-xenstore-domain

Add a parameter to specify the maximum memory size of the xenstore
domain. In case the xenstore domain supports ballooning it will be
capable to adjust its own size according to its memory needs.

The maximum memory size can be specified as an absolute value in
MiB, as a fraction of the host's memory, or as a combination of
both (the maximum of the absolute and the fraction value):

--maxmem <m>             maxmem is <m> MiB
--maxmem <a>/<b>         maxmem is hostmem * a / b
--maxmem <m>:<a>/<b>     maxmem is max(<m> MiB, hostmem * a / b)

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: remove blktap2 source code

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: remove blktap2 related code and documentation

Blktap2 is effectively dead code for a few years.

Notable changes in this patch:

0. Unhook blktap2 from build system
1. Now libxl no longer supports TAP disk backend, appropriate assertions
are added and some code paths now return ERROR_FAIL
2. Tap is no longer a supported backend in doc
3. Remove relevant entries in MAINTAINERS

A patch to actually remove blktap2 directory will come later.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: George Dunlap <George.Dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86: correct CPUID output for out of bounds input

Another place where we should try to behave sufficiently close to how
real hardware does; see the code comments.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

mem_access: sanitize code around sending vm_event request

The two functions monitor_traps and mem_access_send_req duplicate some of the
same functionality. The mem_access_send_req however leaves a lot of the
standard vm_event fields to be filled by other functions.

Remove mem_access_send_req() completely, making use of monitor_traps() to put
requests into the monitor ring. This in turn causes some cleanup around the
old callsites of mem_access_send_req(). We also update monitor_traps to now
include setting the common vcpu_id field so that all other call-sites can ommit
this step.

Finally, this change identifies that errors from mem_access_send_req() were
never checked. As errors constitute a problem with the monitor ring,
crashing the domain is the most appropriate action to take.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>

Revert "x86: allow disabling sm{e,a}p for Xen itself"

This reverts commit 5fdea6577098eda065c794c79e1ae23f33f103af,
which is still buggy.

libxl: do not assume Dom0 backend while getting nic info

Fill backend_domid field based on backend path.

Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

tools/firmware: Rename bios.bin to seabios.bin

bios.bin as a name is far too generic. Rename it to seabios.bin.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: fix up conflict, rerun autogen.sh ]
Signed-off-by: Wei Liu <wei.liu2@citrix.com>

libxl: update flex output files for DSA 3653-2

We updated flex output files in 4b314c89 ("libxl: update flex output
files") for DSA 3653-1 / CVE-2016-6354. But Debian security team
discovered the fix to flex was incomplete and issued DSA 3653-2. We need
to update our flex output files accordingly.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86: allow disabling sm{e,a}p for Xen itself

SMEP/SMAP is a security feature to prevent kernel executing/accessing
user address involuntarily, any such behavior will lead to a page fault.

SMEP/SMAP is open (in CR4) for both Xen and HVM guest in earlier code.
SMEP/SMAP bit set in Xen CR4 would enforce security checking for 32-bit
PV guest which will suffer unknown SMEP/SMAP page fault when guest
kernel attempt to access user address although SMEP/SMAP is close for
PV guests.

This patch introduces a new boot option value "hvm" for "sm{e,a}p", it
is going to diable SMEP/SMAP for Xen hypervisor while enable them for
HVM. In this way, 32-bit PV guest will not suffer SMEP/SMAP security
issue. Users can choose whether open SMEP/SMAP for Xen itself,
especially when they are going to run 32-bit PV guests.

Signed-off-by: He Chen <he.chen@linux.intel.com>
[jbeulich: doc and style adjustments]
Reviewed-by: Jan Beulich <jbeulich@suse.com>

have __DEFINE_COMPAT_HANDLE() generate const versions

Both DEFINE_XEN_GUEST_HANDLE() and __DEFINE_XEN_GUEST_HANDLE()
each produce both const and non-const handles,
only DEFINE_COMPAT_HANDLE() does (__DEFINE_COMPAT_HANDLE()
does not). This patch has __DEFINE_COMPAT_HANDLE() also
produce a const handle.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86/monitor: include EAX/ECX in CPUID monitor events

Extend the CPUID monitor event to include EAX and ECX values that were used
when CPUID was executed. This is useful in identifying which leaf was queried.
We also adjust the xen-access output format to more closely resemble the output
of the Linux cpuid tool's raw format.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@zentific.com>
Acked-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/cpuid: AVX-512 feature detection

AVX512 is an extention of AVX2. Its spec can be found at:
https://software.intel.com/sites/default/files/managed/b4/3a/319433-024.pdf
This patch detects AVX512 features by CPUID.

Signed-off-by: Luwei Kang <luwei.kang@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

tools: delete gtraceview and gtracestat

There has not been any substantial update to them since 2011. My quick
check shows that they don't work.

Just delete them. It would be easy to resurrect them from git log should
people still need them.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

x86/mm: drop pointless use of __FUNCTION__

Non-debugging message text should be (and is here) distinguishable
without also logging function names.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>

x86emul: check alignment of SSE and AVX memory operands

It only now occurred to me that there's no new hook needed to do so.
Eliminate the two work item comments.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

memory: fix compat handling of XENMEM_access_op

Within compat_memory_op() this needs to be placed in the first switch()
statement, or it ends up being dead code (as that first switch() has a
default case chaining to compat_arch_memory_op()).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/PV: make PMU MSR handling consistent

So far accesses to Intel MSRs on an AMD system fall through to the
default case, while accesses to AMD MSRs on an Intel system bail (in
the RDMSR case without updating EAX and EDX). Make the "AMD MSRs on
Intel" case match the "Intel MSR on AMD" one.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: correct PT_NOTE file position

Program and section headers disagreed about the file offset at which
the build ID note lives.

Reported-by: Sylvain Munaut <s.munaut@whatever-company.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

credit1: fix a race when picking initial pCPU for a vCPU

In the Credit1 hunk of 9f358ddd69463 ("xen: Have
schedulers revise initial placement") csched_cpu_pick()
is called without taking the runqueue lock of the
(temporary) pCPU that the vCPU has been assigned to
(e.g., in XEN_DOMCTL_max_vcpus).

However, although 'hidden' in the IS_RUNQ_IDLE() macro,
that function does access the runq (for doing load
balancing calculations). Two scenarios are possible:
1) we are on cpu X, and IS_RUNQ_IDLE() peeks at cpu's
X own runq;
2) we are on cpu X, but IS_RUNQ_IDLE() peeks at some
other cpu's runq.

Scenario 2) absolutely requies that the appropriate
runq lock is taken. Scenario 1) works even without
taking the cpu's own runq lock. That is actually what
happens when when _csched_pick_cpu() is called from
csched_vcpu_acct() (in turn, called by csched_tick()).

Races have been observed and reported (by both XenServer
own testing and OSSTest [1]), in the form of
IS_RUNQ_IDLE() falling over LIST_POISON, because we're
not currently holding the proper lock, in
csched_vcpu_insert(), when scenario 1) occurs.

However, for better robustness, from now on we always
ask for the proper runq lock to be held when calling
IS_RUNQ_IDLE() (which is also becoming a static inline
function instead of macro).

In order to comply with that, we take the lock around
the call to _csched_cpu_pick() in csched_vcpu_acct().

[1] https://lists.xen.org/archives/html/xen-devel/2016-08/msg02144.html

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>

xen/trace: Turn the stub debugtrace_{dump,printk}() macros into functions

This allows printf format checking to be performed, and for
debugtrace_printk() to evaluate its arguments, even if debugtrace is disabled
at compile time.

No intended change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86/shadow: More consistent printing for debug messages

* Use %pv or just d%d in preference to the multiple current ways of
   presenting the same information.
* Use PRI_mfn instead of opencoding it.
* Drop all explicit use of __func__ from SHADOW_{PRINTK,DEBUG}() calls.  The
   wrappers already include it.
* Use hex rather than decimal for printing a pagefault error code.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>

stubdom: support Mini-OS config for Mini-OS apps

Mini-OS apps need to be compiled with the appropriate config settings
of Mini-OS, as there are various dependencies on those settings in
header files included by the apps.

Enhance stubdom Makefile to set the appropriate CPPFLAGS when calling
the apps' make.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: fold in change to Config.mk to update mini-os commit ]

libxl: fix libxl_device_usbdev_list()

Commit 03814de1d2ecdabedabceb8e728d934a632a43b9 ("libxl: Do not trust
frontend for vusb") introduced an error in libxl_device_usbdev_list().
Fix it.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

doc: fix some typos

Fix some typos in docs/man/xl.cfg.pod.5.in

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

tools/migrate: Prevent PTE truncation from being fatal duing the live phase

It is possible, when normalising a PV pagetable that the table has been freed
and reused for something else by the guest.

In such a case, data read might no longer be a pagetable, and fail the
truncation check. However, this should only be fatal if we encounter such a
page in the paused phase.

This check is now consistent with all other checks in the same area.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>

x86/levelling: fix breakage on older Intel boxes from c/s 08e7738

cpufeat_mask() yields an unsigned integer constant. As a result, taking its
complement causes zero extention rather than sign extention.

The result is that, when a guest OS has OXSAVE disabled, all features in 1d
are hidden from native CPUID. Amongst other things, this causes the early
code in Linux to find no LAPIC, but for everything to appear fine later when
userspace is up and running.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Jan Beulich <jbeulich@suse.com>

x86: drop leftover uses of regparm attribute

These were relevant only for 32-bit builds on Xen.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/32on64: misc adjustments to call gate emulation

- There's no 32-bit displacement in 16-bit addressing mode.
- It is wrong to ASSERT() anything on parts of an instruction fetched
from guest memory.
- The two scaling bits of a SIB byte don't affect whether there is a
scaled index register or not.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: drop pointless uses of __func__ / __FUNCTION__

Non-debugging message text should be (and is in the cases here)
distinguishable without also logging function names. Debugging message
text, otoh, already includes file name and line number, so also
logging function names is redundant. One relatively pointless debugging
message gets removed altogether. In another case a missing log level
specifier gets added at once.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/EFI: use less crude a way of generating the build ID

Recent enough binutils (2.25 onwards) support --build-id also for
COFF/PE output, and hence we should use that in favor of the original
hack when possible.

This gets complicated by the linker requiring at least one COFF object
file to attach the .buildid section to. Hence the patch introduces a
buildid.ihex (in order to avoid introducing binary files into the repo)
which then gets converted to a binary minimal COFF object (no sections,
no symbols).

Also (to avoid both code fragment going out of sync) remove an unneeded
ALIGN() from xen.lds.S: Adding an equivalent of it to the .buildid
section would cause the _erodata symbol to become associated with the
wrong section again (see commit 0970299de5 ["x86/EFI + Live Patch:
avoid symbol address truncation"]). And it's pointless because the
alignment already gets properly set by the input section(s).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/levelling: Provide architectural OSXSAVE handling to masked native CPUID

Contrary to c/s b2507fe7 "x86/domctl: Update PV domain cpumasks when setting
cpuid policy", Intel CPUID masks are applied after fast forwarding hardware
state, rather than before. (All behaviour in this regard appears completely
undocumented by both Intel and AMD).

Therefore, a set bit in the MSR causes hardware to be fast-forwarded, while a
clear bit forces the guests view to 0, even if Xen's CR4.OSXSAVE is actually
set.

This allows Xen to provide an architectural view of a guest kernels
CR4.OSXSAVE setting to any native CPUID instruction issused by guest kernel or
userspace, even when masking is used.

The masking value defaults to 1 (if the guest has XSAVE available) to cause
fast-forwarding to occur for the HVM and idle vcpus.

When setting the MSRs, a PV guest kernel's choice of OXSAVE is taken into
account, and clobbered from the MSR if not set. This causes the
fast-forwarding of Xen's CR4 state not to happen.

As a side effect however, levelling potentially need updating on all PV CR4
changes.

Reported-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/levelling: Pass a vcpu rather than a domain to ctxt_switch_levelling()

A subsequent change needs to special-case OSXSAVE handling, which is per-vcpu
rather than per-domain.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/levelling: Restrict non-architectural OSXSAVE handling to emulated CPUID

There is no need to extend the workaround to the faulted CPUID view, as
Linux's dependence on the workaround is stricly via the emulated view.

This causes a guest kernel faulted CPUID to observe architectural behaviour
with respect to its CR4.OSXSAVE setting.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

xen/Kconfig: Misc tweaks

* Drop one piece of trailing whitespace
* Reposition LATE_HWDOM so it sits properly nested inside XSM in menuconfig

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>

xen/Kconfig: Drop redundant comments from Kconfig files

Most of the comments are duplicated from the help text, and those without help
provide no useful additional input.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>

x86/PV: remove read_descriptor()'s regs parameter

As of commit a35dc6ccbb ("x86: remove the use of vm86_mode()") it is
unused.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

passthrough: fix a BUG_ON issue

The 'idx' can equal to the max number of vCPUs, fix it.

Signed-off-by: Feng Wu <feng.wu@intel.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen: add a gcov Kconfig option

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>

xen: fix gcov compilation

Currently enabling gcov in hypervisor won't build because although
26c9d03d ("gcov: Adding support for coverage information") claimed that
%.init.o files were excluded from applying compilation options, it was
in fact not true.

Fix that by filtering out the options correctly. Because the dependency
of stub.o in x86 EFI build can't be eliminated easily and we prefer a
generalised method going forward, we introduce nogcov-y to explicitly
mark objects that don't need to build with gcov support.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

arm64: use "b" to branch to start_xen

The cbz instruction has range limitation. When compiled with gcov
support the object is larger so cbz can't handle that anymore. The error
message is like:

aarch64-linux-gnu-ld -EL -T xen.lds -N prelink.o \
/local/work/xen.git/xen/common/symbols-dummy.o -o /local/work/xen.git/xen/.xen-syms.0
prelink.o: In function `launch':
/local/work/xen.git/xen/arch/arm/arm64/head.S:602:(.text+0x408): relocation truncated to fit: R_AARCH64_CONDBR19 against symbol `start_xen' defined in .init.text section in prelink.o

Use "b" instead.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

arm: acpi/boot.c is only used during initialisation

That file should contain code and data used during initialisation only.

Mark it as such in build system and correctly annotate enabled_cpus.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

libxl: update flex output files

Libxl ships output files from flex (libxlu_*_l.{c,h}). We use the flex
shipped in Debian to generate those files. Debian just patched their
flex (DSA 3653-1) to fix CVE-2016-6354, which is a buffer overrun bug.

Note that libxl is _NOT_ vulnerable to that CVE. See below for Ian's
analysis to security@xen.

It would still be nice that we update our shipped flex output files to
avoid confusion.

===QUOTE===

The bug is that with input >16K[1] flex would usually fail to resize
the input buffer, and then overrun it.

I have read the code in libxlu_cfg_l.c to try to understand the
implications for libxl.

AFAICT
- libxl always does config file reading _from the file_ itself, and
   provides flex with a string or buffer.
- so we always call whatever_yy_scan_bytes, not any other flex setup
   function to set up a `buffer' (as flex calls it)
- yy_scan_bytes calls yy_scan_buffer to set up the buffer
- yy_scan_buffer sets b->yy_fill_buffer
- The effect of this is that yy_get_next_buffer will always
   return early, rather than continuing on to the vulnerable code.

So I think libxl is not vulnerable, regardless of the contents of the
configuration file.

[1] the default buffer size, or whatever other buffer size is
configured (but we don't change it)

===ENDQUOTE===

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

libxc: correct max_pfn calculation for saving domain

Commit 91e204d37f44913913776d0a89279721694f8b32 ("libxc: try to find
last used pfn when migrating") introduced a bug for the case of a
domain supporting the virtual mapped linear p2m list: the maximum pfn
of the domain calculated from the p2m memory allocation might be too
low.

Correct this.

Reported-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

x86/HVM: add guarding logic for VMX specific code

The struct hvm_domain.vmx is defined in a union along with the svm.
This can causes issue for SVM since this code is used in the common
scheduling code for x86. The logic must check for cpu_has_vmx before
accessing the hvm_domain.vmx sturcture.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

pass-through: drop pointless uses of __func__

Non-debugging message text should be (and is in the cases here)
distinguishable without also logging function names. Additionally log
the PCI device coordinates for alloc_pdev() failure.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

x86/boot: use %ecx instead of %eax

Use %ecx instead of %eax to store low memory upper limit from EBDA.
This way we do not wipe multiboot protocol identifier. It is needed
in reloc() to differentiate between multiboot (v1) and
multiboot2 protocol.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

x86/boot: call reloc() using stdcall calling convention

Current reloc() call method makes confusion and does not scale well
for more arguments. And subsequent patch adding multiboot2 protocol
support have to pass 3 arguments instead of 2. Hence, move reloc()
call to stdcall calling convention. One may argue that we should use
standard cdecl calling convention. However, stdcall is better here
than cdecl because we do not need to remove "manually" arguments from
stack in xen/arch/x86/boot/head.S assembly file.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86/boot/reloc: reduce assembly usage as much as possible

..to increase code readability and ease its maintenance.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

x86/boot: create *.lnk files with linker script

Newer GCC (e.g. gcc version 5.1.1 20150618 (Red Hat 5.1.1-4) (GCC)) does
some code optimizations by creating data sections (e.g. jump addresses
for C switch/case are calculated using data in .rodata section). This
thing is not accepted by *.lnk build recipe which requires that only .text
section lives in output. Potentially we can inhibit this GCC behavior by
using special options, e.g. -fno-tree-switch-conversion. However, this
does not guarantee that in the future new similar optimizations or anything
else which creates not accepted sections will not break our build recipes
again. I do not mention that probably this is not good idea to just disable
random optimizations. So, take over full control on *.lnk linking process
by using linker script and merge all text and data sections into one
.text section.

Additionally, remove .got.plt section which is not used in our final code.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

VT-d: drop pointless uses of __func__

Debugging message text already includes file name and line number, so
also logging function names is redundant.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>

XSM: drop pointless uses of __FUNCTION__

Non-debugging message text should be (and is in the cases here)
distinguishable without also logging function names.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

ns16550: mask transmit holding register empty interrupt when tx is stopped

The uart generates an interrupt whenever the transmit holding register is
empty and UART_IER_ETHREI is set in UART_IER.  Currently, Xen's ns16550
driver does not currently mask this interrupt when transmit is stopped,
unlike other platforms such as Linux [1].

Toggle UART_IER_ETHREI flag in the UART_IER according to the state dictated
by stop_tx and start_tx hooks.

On the Tegra platform (forthcoming series), the reset via reading IIR does not
prevent re-assertion of THRE.  This causes Xen to hang in the interrupt
handler's while loop whenever there is no data to transmit.  This behavior (bug?)
is addressed by utilizing the start & stop tx hooks.

This has been tested on various x86 PCs for any obvious signs of regressions.

[1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/serial/8250/8250_port.c?id=refs/tags/v4.8-rc2#n1518

Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

libxl: only return {OVMF,SEABIOS}_PATH if available

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

tools: only define {OVMF,SEABIOS}_PATH when they are enabled

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Added source of ax_compare_version.m4 to import log

In addition:
- fixed a reference, which was incorrect

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
[ wei: remove one trailing space while committing ]

hvmloader: use bound checking in get_module_entry

Coverity complains:

overflow_before_widen: Potentially overflowing expression
info->nr_modules * 32U with type unsigned int (32 bits, unsigned) is
evaluated using 32-bit arithmetic, and then used in a context that
expects an expression of type uint64_t (64 bits, unsigned).

The overflow is unlikely to happen in reality because we only expect a
few modules.

Fix that by converting the check to use bound checking to placate
Coverity.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

hvmloader: correctly copy signature to info structures

The original code used sizeof(info->signature) as the size parameter for
memcpy, which was wrong.

Fix that by using structure assignment.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/physmap: Do not permit a guest to populate PoD pages for itself

PoD is supposed to be entirely transparent to guest, but this interface has
been left exposed for a long time.

The use of PoD requires careful co-ordination by the toolstack with the
XENMEM_{get,set}_pod_target hypercalls, and xenstore ballooning target. The
best a guest can do without toolstack cooperation crash.

Furthermore, there are combinations of features (e.g. c/s c63868ff "libxl:
disallow PCI device assignment for HVM guest when PoD is enabled") which a
toolstack might wish to explicitly prohibit (in this case, because the two
simply don't function in combination). In such cases, the guest mustn't be
able to subvert the configuration chosen by the toolstack.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

xen/memop: Latch current->domain in a local variable

It is more efficient.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

x86: don't needlessly globalize page table labels

Neither l1_identmap[] nor l3_identmap[] get referenced from outside
their defining source file; the latter didn't even have an extern
declaration for use from C sources.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/EFI: be cautious about being handed control with CR4.PGE enabled

To effect proper TLB flushing in that case we should clear CR4.PGE
before loading the new page tables.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/EFI: don't apply relocations to l{2,3}_bootmap

Other than claimed in commit 2ce5963727's ("x86: construct the
{l2,l3}_bootmap at compile time") the initialization of the two page
tables doesn't take care of everything without furher adjustment: The
compile time initialization obviously requires base relocations, and
those get processed after efi_arch_memory_setup(). Hence without
additional care the correctly initialized values may then get wrongly
"adjusted" again. Except the two table from being subject to base
relocation.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper@citrix.com>

x86: add a tboot Kconfig option

Allows for the conditional inclusion of tboot related functionality
via Kconfig

The default configuration for the new CONFIG_TBOOT option is 'y', so the
behavior out of the box remains unchanged. The addition of the option allows
advanced users to disable system behaviors associated with tboot at compile
time rather than relying on the run-time detection and configuration.

The CONFIG_CRYPTO option is 'n' by default and selected by the individual users
that require the functionality. Currently, the only user is tboot.

Signed-off-by: Derek Straka <derek@asterius.io>
Acked-by: Jan Beulich <jbeulich@suse.com>

docs/misc/hvmlite: Point to the canonical definition of hvm_start_info

The C struct in the document is no more in sync with the actual
definition of the PVHv2 boot start info.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

configure: do not depend on SEABIOS_PATH or OVMF_PATH ...

... to compile SeaBIOS and OVMF. Only depend on CONFIG_*.

If --with-system-* configure option is used, then set *_CONFIG=n to not
compile SEABIOS and OVMF.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

hvmloader: Always build-in SeaBIOS and OVMF loader

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

hvmloader: bios->bios_load() now needs to be defined

All BIOSes but ROMBIOS needs to be loaded via modules.

ROMBIOS is handled as a special case.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

hvmloader: Load OVMF from modules

... and do not include the OVMF ROM into hvmloader anymore.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

hvmloader: Load SeaBIOS from hvm_start_info modules

... and do not include the SeaBIOS ROM into hvmloader anymore.

This also fix the dependency on roms.inc, hvmloader.o does not include it.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

hvmloader: Locate the BIOS blob

The BIOS blob can be found an entry called "firmware" of the modlist of
the hvm_start_info struct.

The found BIOS blob is not loaded by this patch, but only passed as
argument to bios_load() function.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

hvmloader: Grab the hvm_start_info pointer

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

libxl: Load guest BIOS from file

The path to the BIOS blob can be overriden by the xl's
bios_path_override option, or provided by u.hvm.bios_firmware in the
domain_build_info struct by other libxl user.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

firmware/Makefile: install BIOS blob ...

... into the firmware directory, along with hvmloader.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

configure: #define SEABIOS_PATH and OVMF_PATH

Those paths are to be used by libxl, in order to load the firmware in
memory. If a system path is not defined via --with-system-seabios or
--with-system-ovmf, then default to the Xen firmware directory.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

libxc: Prepare a start info structure for hvmloader

... and load BIOS/UEFI firmware into guest memory.

This adds a new firmware module, system_firmware_module. It is loaded in
the guest memory and final location is provided to hvmloader via the
hvm_start_info struct.

This patch create the hvm_start_info struct for HVM guest that have a
device model, so this is now common code with HVM guest without device
model.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

libxc: Rework extra module initialisation

This patch use xc_dom_alloc_segment() to allocate the memory space for the
ACPI modules and the SMBIOS modules. This is to replace the arbitrary
placement of 1MB (+ extra for MB alignement) after the hvmloader image.

This patch can help if one add extra ACPI table and hvmloader contain
OVMF (OVMF is a 2MB binary), as in that case the extra ACPI table could
easily be loaded past the address 4MB, but hvmloader use a range of
memory from 4MB to 10MB to perform tests and in the process, clears the
memory, before loading the modules.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

tools/xenalyze: append argp LD flags if needed

This is a side-effect of commit c36e1c, which currently prevents compiling
xenalyze with libcs that don't have argp built-in.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

xen: Move the hvm_start_info C representation to the public headers

Instead of having several representation of hvm_start_info in C, define
it in public/arch-x86/hvm/start_info.h so both libxc and hvmloader can
use it.

Also move the comment describing the binary format to be alongside the
C struct.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

Add information on sources for vmac.* and rijndael.*

I added these, as I came across the sources during
a license scan.

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>

x86emul: improve LOCK handling

Certain opcodes would so far not have got #UD when a LOCK prefix was
present. Adjust this by
- moving the too early generic check into destination operand decoding,
  where DstNone and DstReg already have respective handling
- switching source and destination of TEST r,r/m, for it to be taken
  care of by aforementioned generic checks
- explicitly dealing with all forms of CMP, SHLD, SHRD, as well as
  TEST $imm,r/m

To make the handling of opcodes F6 and F7 more obvious, reduce the
amount of state set in the table, and adjust the respective switch()
statement accordingly.

Also eliminate the latent bug of the check in DstNone handling not
considering the opcode extension set.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86emul: introduce SrcEax for XCHG

Just like said in commit c0bc0adf24 ("x86emul: use DstEax where
possible"): While it avoids just a few instructions, we should
nevertheless make use of generic code as much as possible. Here we can
arrange for that by simply introducing SrcEax (which requires no other
code adjustments).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>