[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH V2] x86/altp2m: Hypercall to set altp2m view visibility
Any thoughts on this are appreciated. Thanks, Alex On 30.01.2020 15:07, Alexandru Stefan ISAILA wrote: > At this moment a guest can call vmfunc to change the altp2m view. This > should be limited in order to avoid any unwanted view switch. > > The new xc_altp2m_set_visibility() solves this by making views invisible > to vmfunc. > This is done by having a separate arch.altp2m_working_eptp that is > populated and made invalid in the same places as altp2m_eptp. This is > written to EPTP_LIST_ADDR. > The views are made in/visible by marking them with INVALID_MFN or > copying them back from altp2m_eptp. > To have consistency the visibility also applies to > p2m_switch_domain_altp2m_by_id(). > > Signed-off-by: Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx> > --- > CC: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> > CC: Wei Liu <wl@xxxxxxx> > CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> > CC: Jan Beulich <jbeulich@xxxxxxxx> > CC: Julien Grall <julien@xxxxxxx> > CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> > CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> > CC: "Roger Pau Monné" <roger.pau@xxxxxxxxxx> > CC: Jun Nakajima <jun.nakajima@xxxxxxxxx> > CC: Kevin Tian <kevin.tian@xxxxxxxxx> > CC: George Dunlap <george.dunlap@xxxxxxxxxxxxx> > --- > Changes since V1: > - Drop double view from title. > --- > tools/libxc/include/xenctrl.h | 2 ++ > tools/libxc/xc_altp2m.c | 24 ++++++++++++++++++++++++ > xen/arch/x86/hvm/hvm.c | 25 +++++++++++++++++++++++++ > xen/arch/x86/hvm/vmx/vmx.c | 2 +- > xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++ > xen/arch/x86/mm/p2m-ept.c | 1 + > xen/arch/x86/mm/p2m.c | 5 ++++- > xen/include/asm-x86/domain.h | 1 + > xen/include/public/hvm/hvm_op.h | 10 ++++++++++ > 9 files changed, 83 insertions(+), 2 deletions(-) > > diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h > index cc4eb1e3d3..dbea7861e7 100644 > --- a/tools/libxc/include/xenctrl.h > +++ b/tools/libxc/include/xenctrl.h > @@ -1943,6 +1943,8 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t > domid, > xen_pfn_t new_gfn); > int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid, > uint32_t vcpuid, uint16_t *p2midx); > +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, > + uint16_t view_id, bool visible); > > /** > * Mem paging operations. > diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c > index 46fb725806..6987c9541f 100644 > --- a/tools/libxc/xc_altp2m.c > +++ b/tools/libxc/xc_altp2m.c > @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, > uint32_t domid, > xc_hypercall_buffer_free(handle, arg); > return rc; > } > + > +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, > + uint16_t view_id, bool visible) > +{ > + int rc; > + > + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg); > + > + arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg)); > + if ( arg == NULL ) > + return -1; > + > + arg->version = HVMOP_ALTP2M_INTERFACE_VERSION; > + arg->cmd = HVMOP_altp2m_set_visibility; > + arg->domain = domid; > + arg->u.set_visibility.altp2m_idx = view_id; > + arg->u.set_visibility.visible = visible; > + > + rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m, > + HYPERCALL_BUFFER_AS_ARG(arg)); > + > + xc_hypercall_buffer_free(handle, arg); > + return rc; > +} > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c > index 0b93609a82..a41e9b6356 100644 > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -4537,6 +4537,7 @@ static int do_altp2m_op( > case HVMOP_altp2m_get_mem_access: > case HVMOP_altp2m_change_gfn: > case HVMOP_altp2m_get_p2m_idx: > + case HVMOP_altp2m_set_visibility: > break; > > default: > @@ -4814,6 +4815,30 @@ static int do_altp2m_op( > break; > } > > + case HVMOP_altp2m_set_visibility: > + { > + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx; > + > + if ( a.u.set_visibility.pad || a.u.set_visibility.pad2 ) > + rc = -EINVAL; > + else > + { > + if ( !altp2m_active(d) || !hap_enabled(d) ) > + { > + rc = -EOPNOTSUPP; > + break; > + } > + > + if ( a.u.set_visibility.visible ) > + d->arch.altp2m_working_eptp[altp2m_idx] = > + d->arch.altp2m_eptp[altp2m_idx]; > + else > + d->arch.altp2m_working_eptp[altp2m_idx] = > + mfn_x(INVALID_MFN); > + } > + break; > + } > + > default: > ASSERT_UNREACHABLE(); > } > diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c > index b262d38a7c..65fe75383f 100644 > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -2139,7 +2139,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v) > { > v->arch.hvm.vmx.secondary_exec_control |= mask; > __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING); > - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp)); > + __vmwrite(EPTP_LIST_ADDR, > virt_to_maddr(d->arch.altp2m_working_eptp)); > > if ( cpu_has_vmx_virt_exceptions ) > { > diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c > index 3d93f3451c..5969ec8922 100644 > --- a/xen/arch/x86/mm/hap/hap.c > +++ b/xen/arch/x86/mm/hap/hap.c > @@ -488,8 +488,17 @@ int hap_enable(struct domain *d, u32 mode) > goto out; > } > > + if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL ) > + { > + rv = -ENOMEM; > + goto out; > + } > + > for ( i = 0; i < MAX_EPTP; i++ ) > + { > d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN); > + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN); > + } > > for ( i = 0; i < MAX_ALTP2M; i++ ) > { > @@ -523,6 +532,12 @@ void hap_final_teardown(struct domain *d) > d->arch.altp2m_eptp = NULL; > } > > + if ( d->arch.altp2m_working_eptp ) > + { > + free_xenheap_page(d->arch.altp2m_working_eptp); > + d->arch.altp2m_working_eptp = NULL; > + } > + > for ( i = 0; i < MAX_ALTP2M; i++ ) > p2m_teardown(d->arch.altp2m_p2m[i]); > } > diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c > index 05a5526e08..0e740ed58e 100644 > --- a/xen/arch/x86/mm/p2m-ept.c > +++ b/xen/arch/x86/mm/p2m-ept.c > @@ -1361,6 +1361,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int > i) > ept = &p2m->ept; > ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m)); > d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; > + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; > } > > unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) > diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c > index 49cc138362..008357b761 100644 > --- a/xen/arch/x86/mm/p2m.c > +++ b/xen/arch/x86/mm/p2m.c > @@ -2531,6 +2531,7 @@ void p2m_flush_altp2m(struct domain *d) > { > p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE); > d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN); > + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN); > } > > altp2m_list_unlock(d); > @@ -2651,6 +2652,8 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned > int idx) > p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE); > d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] = > mfn_x(INVALID_MFN); > + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] = > + mfn_x(INVALID_MFN); > rc = 0; > } > } > @@ -2677,7 +2680,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, > unsigned int idx) > rc = -EINVAL; > altp2m_list_lock(d); > > - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) > + if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) ) > { > for_each_vcpu( d, v ) > if ( idx != vcpu_altp2m(v).p2midx ) > diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h > index a3ae5d9a20..9d36f490e4 100644 > --- a/xen/include/asm-x86/domain.h > +++ b/xen/include/asm-x86/domain.h > @@ -326,6 +326,7 @@ struct arch_domain > struct p2m_domain *altp2m_p2m[MAX_ALTP2M]; > mm_lock_t altp2m_list_lock; > uint64_t *altp2m_eptp; > + uint64_t *altp2m_working_eptp; > #endif > > /* NB. protected by d->event_lock and by irq_desc[irq].lock */ > diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h > index 610e020a62..17a29615ed 100644 > --- a/xen/include/public/hvm/hvm_op.h > +++ b/xen/include/public/hvm/hvm_op.h > @@ -317,6 +317,13 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx { > uint16_t altp2m_idx; > }; > > +struct xen_hvm_altp2m_set_visibility { > + uint16_t altp2m_idx; > + uint8_t visible; > + uint8_t pad; > + uint32_t pad2; > +}; > + > struct xen_hvm_altp2m_op { > uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */ > uint32_t cmd; > @@ -349,6 +356,8 @@ struct xen_hvm_altp2m_op { > #define HVMOP_altp2m_get_p2m_idx 14 > /* Set the "Supress #VE" bit for a range of pages */ > #define HVMOP_altp2m_set_suppress_ve_multi 15 > +/* Set visibility for a given altp2m view */ > +#define HVMOP_altp2m_set_visibility 16 > domid_t domain; > uint16_t pad1; > uint32_t pad2; > @@ -366,6 +375,7 @@ struct xen_hvm_altp2m_op { > struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi; > struct xen_hvm_altp2m_vcpu_disable_notify disable_notify; > struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx; > + struct xen_hvm_altp2m_set_visibility set_visibility; > uint8_t pad[64]; > } u; > }; > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |