All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 00/10]  xsm: refactoring xsm hooks
@ 2021-07-12 20:32 Daniel P. Smith
  2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
                   ` (10 more replies)
  0 siblings, 11 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith

Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
patch set is being split into two separate patch sets. This is the first
patch set and is focused purely on the clean up and refactoring of the
XSM hooks.

This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
infrastructure. Then proceeds to move and realign the headers to remove the
psuedo is/is not enable implementation. The remainder of the changes are clean up
and removing no longer necessary abstractions.

v2:
 - restructured the patches, breaking them up as needed
 - incorporate Andrew Cooper's alternative call common code
 - change XSM module registration, removing register_xsm
 - incoporate KConfig recommendations
 - reworded commit messages
 - incorporate macro expansion recommendations
 - misc clean-up fallout from recommendations

Andrew Cooper (1):
  xen: Implement xen/alternative-call.h for use in common code

Daniel P. Smith (9):
  xsm: refactor xsm_ops handling
  xsm: remove the ability to disable flask
  xsm: convert xsm_ops hook calls to alternative call
  xsm: decouple xsm header inclusion selection
  xsm: enable xsm to always be included
  xsm: drop generic event channel labeling
  xsm: remove xsm_default_t from hook definitions
  xsm: expand the function related macros in dummy.h
  xsm: removing the XSM_ASSERT_ACTION macro

 xen/arch/arm/dm.c                     |   2 +-
 xen/arch/arm/domctl.c                 |   6 +-
 xen/arch/arm/hvm.c                    |   2 +-
 xen/arch/arm/mm.c                     |   2 +-
 xen/arch/arm/platform_hypercall.c     |   2 +-
 xen/arch/x86/Kconfig                  |   1 +
 xen/arch/x86/cpu/mcheck/mce.c         |   2 +-
 xen/arch/x86/cpu/vpmu.c               |   2 +-
 xen/arch/x86/domctl.c                 |   8 +-
 xen/arch/x86/hvm/dm.c                 |   2 +-
 xen/arch/x86/hvm/hvm.c                |  12 +-
 xen/arch/x86/irq.c                    |   5 +-
 xen/arch/x86/mm.c                     |  20 +-
 xen/arch/x86/mm/mem_paging.c          |   2 +-
 xen/arch/x86/mm/mem_sharing.c         |   9 +-
 xen/arch/x86/mm/p2m.c                 |   2 +-
 xen/arch/x86/mm/paging.c              |   4 +-
 xen/arch/x86/mm/shadow/set.c          |   2 +-
 xen/arch/x86/msi.c                    |   3 +-
 xen/arch/x86/pci.c                    |   2 +-
 xen/arch/x86/physdev.c                |  17 +-
 xen/arch/x86/platform_hypercall.c     |  10 +-
 xen/arch/x86/pv/emul-priv-op.c        |   2 +-
 xen/arch/x86/sysctl.c                 |   4 +-
 xen/common/Kconfig                    |  48 +-
 xen/common/domain.c                   |   4 +-
 xen/common/domctl.c                   |  12 +-
 xen/common/event_channel.c            |  12 +-
 xen/common/grant_table.c              |  16 +-
 xen/common/hypfs.c                    |   2 +-
 xen/common/kernel.c                   |   2 +-
 xen/common/kexec.c                    |   2 +-
 xen/common/mem_access.c               |   2 +-
 xen/common/memory.c                   |  16 +-
 xen/common/monitor.c                  |   2 +-
 xen/common/sched/core.c               |   6 +-
 xen/common/sysctl.c                   |   8 +-
 xen/common/vm_event.c                 |   2 +-
 xen/common/xenoprof.c                 |   2 +-
 xen/drivers/char/console.c            |   2 +-
 xen/drivers/passthrough/device_tree.c |   4 +-
 xen/drivers/passthrough/pci.c         |  12 +-
 xen/include/xen/alternative-call.h    |  65 +++
 xen/include/xen/sched.h               |   9 -
 xen/include/xsm/dummy.h               | 774 --------------------------
 xen/include/xsm/xsm-core.h            | 237 ++++++++
 xen/include/xsm/xsm.h                 | 623 +++++++--------------
 xen/xsm/Makefile                      |   4 +-
 xen/xsm/dummy.c                       |   7 +-
 xen/xsm/dummy.h                       | 696 +++++++++++++++++++++++
 xen/xsm/flask/flask_op.c              |  30 -
 xen/xsm/flask/hooks.c                 |  11 +-
 xen/xsm/silo.c                        |  23 +-
 xen/xsm/xsm_core.c                    |  76 +--
 54 files changed, 1381 insertions(+), 1451 deletions(-)
 create mode 100644 xen/include/xen/alternative-call.h
 delete mode 100644 xen/include/xsm/dummy.h
 create mode 100644 xen/include/xsm/xsm-core.h
 create mode 100644 xen/xsm/dummy.h

-- 
2.20.1



^ permalink raw reply	[flat|nested] 44+ messages in thread

* [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:48   ` Andrew Cooper
  2021-07-14 15:35   ` Jan Beulich
  2021-07-12 20:32 ` [PATCH v2 02/10] xsm: refactor xsm_ops handling Daniel P. Smith
                   ` (9 subsequent siblings)
  10 siblings, 2 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: Wei Liu, xen-devel
  Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini

From: Andrew Cooper <andrew.cooper3@citrix.com>

The alternative call infrastructure is x86-only for now, but the common iommu
code has a variant and more common code wants to use the infrastructure.

Introduce CONFIG_ALTERNATIVE_CALL and a conditional implemetnation so common
code can use the optimisation when available, without requiring all
architectures to implement no-op stubs.

Write some documentation, which was thus far entirely absent, covering the
requirements for an architecture to implement this optimsiation, and how to
use the infrastructure in general code.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
 xen/arch/x86/Kconfig               |  1 +
 xen/common/Kconfig                 |  3 ++
 xen/include/xen/alternative-call.h | 65 ++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 xen/include/xen/alternative-call.h

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 9b164db641..c91cdd83dc 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -9,6 +9,7 @@ config X86
 	select ARCH_SUPPORTS_INT128
 	select CORE_PARKING
 	select HAS_ALTERNATIVE
+	select ALTERNATIVE_CALL
 	select HAS_COMPAT
 	select HAS_CPUFREQ
 	select HAS_EHCI
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 0ddd18e11a..1594ce4e73 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -25,6 +25,9 @@ config GRANT_TABLE
 config HAS_ALTERNATIVE
 	bool
 
+config ALTERNATIVE_CALL
+	bool
+
 config HAS_COMPAT
 	bool
 
diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
new file mode 100644
index 0000000000..11d1c26068
--- /dev/null
+++ b/xen/include/xen/alternative-call.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef XEN_ALTERNATIVE_CALL
+#define XEN_ALTERNATIVE_CALL
+
+/*
+ * Some subsystems in Xen may have multiple implementions, which can be
+ * resolved to a single implementation at boot time.  By default, this will
+ * result in the use of function pointers.
+ *
+ * Some architectures may have mechanisms for dynamically modifying .text.
+ * Using this mechnaism, function pointers can be converted to direct calls
+ * which are typically more efficient at runtime.
+ *
+ * For architectures to support:
+ *
+ * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
+ *   requirements are to emit a function pointer call at build time, and stash
+ *   enough metadata to simplify the call at boot once the implementation has
+ *   been resolved.
+ * - Select ALTERNATIVE_CALL in Kconfig.
+ *
+ * To use:
+ *
+ * Consider the following simplified example.
+ *
+ *  1) struct foo_ops __alt_call_maybe_initdata ops;
+ *
+ *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
+ *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
+ *
+ *     void foo_init(void)
+ *     {
+ *         ...
+ *         if ( use_impl_a )
+ *             ops = *foo_a_ops;
+ *         else if ( use_impl_b )
+ *             ops = *foo_b_ops;
+ *         ...
+ *     }
+ *
+ *  3) alternative_call(ops.bar, ...);
+ *
+ * There needs to a single ops object (1) which will eventually contain the
+ * function pointers.  This should be populated in foo's init() function (2)
+ * by one of the available implementations.  To call functions, use
+ * alternative_{,v}call() referencing the main ops object (3).
+ */
+
+#ifdef CONFIG_ALTERNATIVE_CALL
+
+#include <asm/alternative.h>
+
+#define __alt_call_maybe_initdata  __initdata
+#define __alt_call_maybe_initconst __initconst
+
+#else
+
+#define alternative_call(func, args...)  (func)(args)
+#define alternative_vcall(func, args...) (func)(args)
+
+#define __alt_call_maybe_initdata
+#define __alt_call_maybe_initconst
+
+#endif /* !CONFIG_ALTERNATIVE_CALL */
+#endif /* XEN_ALTERNATIVE_CALL */
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 02/10] xsm: refactor xsm_ops handling
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
  2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:39   ` Andrew Cooper
  2021-07-12 20:32 ` [PATCH v2 03/10] xsm: remove the ability to disable flask Daniel P. Smith
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

This converts the global xsm_ops from being a pointer to a struct xsm_ops to being an
explicit instance. It then reworks the XSM modules init function to
return their xsm_ops struct which is copied in to the global xsm_ops.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/include/xsm/xsm.h    | 215 ++++++++++++++++++++-------------------
 xen/xsm/dummy.c          |   2 -
 xen/xsm/flask/flask_op.c |   4 +-
 xen/xsm/flask/hooks.c    |  11 +-
 xen/xsm/silo.c           |   5 +-
 xen/xsm/xsm_core.c       |  72 +++++++------
 6 files changed, 158 insertions(+), 151 deletions(-)

diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index ad3cddbf7d..a8805f514b 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -191,295 +191,295 @@ struct xsm_operations {
 
 #ifdef CONFIG_XSM
 
-extern struct xsm_operations *xsm_ops;
+extern struct xsm_operations xsm_ops;
 
 #ifndef XSM_NO_WRAPPERS
 
 static inline void xsm_security_domaininfo (struct domain *d,
                                         struct xen_domctl_getdomaininfo *info)
 {
-    xsm_ops->security_domaininfo(d, info);
+    xsm_ops.security_domaininfo(d, info);
 }
 
 static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
 {
-    return xsm_ops->domain_create(d, ssidref);
+    return xsm_ops.domain_create(d, ssidref);
 }
 
 static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->getdomaininfo(d);
+    return xsm_ops.getdomaininfo(d);
 }
 
 static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops->domctl_scheduler_op(d, cmd);
+    return xsm_ops.domctl_scheduler_op(d, cmd);
 }
 
 static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
 {
-    return xsm_ops->sysctl_scheduler_op(cmd);
+    return xsm_ops.sysctl_scheduler_op(cmd);
 }
 
 static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
 {
-    return xsm_ops->set_target(d, e);
+    return xsm_ops.set_target(d, e);
 }
 
 static inline int xsm_domctl (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops->domctl(d, cmd);
+    return xsm_ops.domctl(d, cmd);
 }
 
 static inline int xsm_sysctl (xsm_default_t def, int cmd)
 {
-    return xsm_ops->sysctl(cmd);
+    return xsm_ops.sysctl(cmd);
 }
 
 static inline int xsm_readconsole (xsm_default_t def, uint32_t clear)
 {
-    return xsm_ops->readconsole(clear);
+    return xsm_ops.readconsole(clear);
 }
 
 static inline int xsm_evtchn_unbound (xsm_default_t def, struct domain *d1, struct evtchn *chn,
                                                                     domid_t id2)
 {
-    return xsm_ops->evtchn_unbound(d1, chn, id2);
+    return xsm_ops.evtchn_unbound(d1, chn, id2);
 }
 
 static inline int xsm_evtchn_interdomain (xsm_default_t def, struct domain *d1,
                 struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
 {
-    return xsm_ops->evtchn_interdomain(d1, chan1, d2, chan2);
+    return xsm_ops.evtchn_interdomain(d1, chan1, d2, chan2);
 }
 
 static inline void xsm_evtchn_close_post (struct evtchn *chn)
 {
-    xsm_ops->evtchn_close_post(chn);
+    xsm_ops.evtchn_close_post(chn);
 }
 
 static inline int xsm_evtchn_send (xsm_default_t def, struct domain *d, struct evtchn *chn)
 {
-    return xsm_ops->evtchn_send(d, chn);
+    return xsm_ops.evtchn_send(d, chn);
 }
 
 static inline int xsm_evtchn_status (xsm_default_t def, struct domain *d, struct evtchn *chn)
 {
-    return xsm_ops->evtchn_status(d, chn);
+    return xsm_ops.evtchn_status(d, chn);
 }
 
 static inline int xsm_evtchn_reset (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->evtchn_reset(d1, d2);
+    return xsm_ops.evtchn_reset(d1, d2);
 }
 
 static inline int xsm_grant_mapref (xsm_default_t def, struct domain *d1, struct domain *d2,
                                                                 uint32_t flags)
 {
-    return xsm_ops->grant_mapref(d1, d2, flags);
+    return xsm_ops.grant_mapref(d1, d2, flags);
 }
 
 static inline int xsm_grant_unmapref (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->grant_unmapref(d1, d2);
+    return xsm_ops.grant_unmapref(d1, d2);
 }
 
 static inline int xsm_grant_setup (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->grant_setup(d1, d2);
+    return xsm_ops.grant_setup(d1, d2);
 }
 
 static inline int xsm_grant_transfer (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->grant_transfer(d1, d2);
+    return xsm_ops.grant_transfer(d1, d2);
 }
 
 static inline int xsm_grant_copy (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->grant_copy(d1, d2);
+    return xsm_ops.grant_copy(d1, d2);
 }
 
 static inline int xsm_grant_query_size (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->grant_query_size(d1, d2);
+    return xsm_ops.grant_query_size(d1, d2);
 }
 
 static inline int xsm_alloc_security_domain (struct domain *d)
 {
-    return xsm_ops->alloc_security_domain(d);
+    return xsm_ops.alloc_security_domain(d);
 }
 
 static inline void xsm_free_security_domain (struct domain *d)
 {
-    xsm_ops->free_security_domain(d);
+    xsm_ops.free_security_domain(d);
 }
 
 static inline int xsm_alloc_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
-    return xsm_ops->alloc_security_evtchns(chn, nr);
+    return xsm_ops.alloc_security_evtchns(chn, nr);
 }
 
 static inline void xsm_free_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
-    xsm_ops->free_security_evtchns(chn, nr);
+    xsm_ops.free_security_evtchns(chn, nr);
 }
 
 static inline char *xsm_show_security_evtchn (struct domain *d, const struct evtchn *chn)
 {
-    return xsm_ops->show_security_evtchn(d, chn);
+    return xsm_ops.show_security_evtchn(d, chn);
 }
 
 static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->init_hardware_domain(d);
+    return xsm_ops.init_hardware_domain(d);
 }
 
 static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->get_pod_target(d);
+    return xsm_ops.get_pod_target(d);
 }
 
 static inline int xsm_set_pod_target (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->set_pod_target(d);
+    return xsm_ops.set_pod_target(d);
 }
 
 static inline int xsm_memory_exchange (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->memory_exchange(d);
+    return xsm_ops.memory_exchange(d);
 }
 
 static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct domain *d1, struct
                                                                     domain *d2)
 {
-    return xsm_ops->memory_adjust_reservation(d1, d2);
+    return xsm_ops.memory_adjust_reservation(d1, d2);
 }
 
 static inline int xsm_memory_stat_reservation (xsm_default_t def, struct domain *d1,
                                                             struct domain *d2)
 {
-    return xsm_ops->memory_stat_reservation(d1, d2);
+    return xsm_ops.memory_stat_reservation(d1, d2);
 }
 
 static inline int xsm_memory_pin_page(xsm_default_t def, struct domain *d1, struct domain *d2,
                                       struct page_info *page)
 {
-    return xsm_ops->memory_pin_page(d1, d2, page);
+    return xsm_ops.memory_pin_page(d1, d2, page);
 }
 
 static inline int xsm_add_to_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->add_to_physmap(d1, d2);
+    return xsm_ops.add_to_physmap(d1, d2);
 }
 
 static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->remove_from_physmap(d1, d2);
+    return xsm_ops.remove_from_physmap(d1, d2);
 }
 
 static inline int xsm_map_gmfn_foreign (xsm_default_t def, struct domain *d, struct domain *t)
 {
-    return xsm_ops->map_gmfn_foreign(d, t);
+    return xsm_ops.map_gmfn_foreign(d, t);
 }
 
 static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->claim_pages(d);
+    return xsm_ops.claim_pages(d);
 }
 
 static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops->console_io(d, cmd);
+    return xsm_ops.console_io(d, cmd);
 }
 
 static inline int xsm_profile (xsm_default_t def, struct domain *d, int op)
 {
-    return xsm_ops->profile(d, op);
+    return xsm_ops.profile(d, op);
 }
 
 static inline int xsm_kexec (xsm_default_t def)
 {
-    return xsm_ops->kexec();
+    return xsm_ops.kexec();
 }
 
 static inline int xsm_schedop_shutdown (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops->schedop_shutdown(d1, d2);
+    return xsm_ops.schedop_shutdown(d1, d2);
 }
 
 static inline char *xsm_show_irq_sid (int irq)
 {
-    return xsm_ops->show_irq_sid(irq);
+    return xsm_ops.show_irq_sid(irq);
 }
 
 static inline int xsm_map_domain_pirq (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->map_domain_pirq(d);
+    return xsm_ops.map_domain_pirq(d);
 }
 
 static inline int xsm_map_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
 {
-    return xsm_ops->map_domain_irq(d, irq, data);
+    return xsm_ops.map_domain_irq(d, irq, data);
 }
 
 static inline int xsm_unmap_domain_pirq (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->unmap_domain_pirq(d);
+    return xsm_ops.unmap_domain_pirq(d);
 }
 
 static inline int xsm_unmap_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
 {
-    return xsm_ops->unmap_domain_irq(d, irq, data);
+    return xsm_ops.unmap_domain_irq(d, irq, data);
 }
 
 static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d,
                                   struct xen_domctl_bind_pt_irq *bind)
 {
-    return xsm_ops->bind_pt_irq(d, bind);
+    return xsm_ops.bind_pt_irq(d, bind);
 }
 
 static inline int xsm_unbind_pt_irq(xsm_default_t def, struct domain *d,
                                     struct xen_domctl_bind_pt_irq *bind)
 {
-    return xsm_ops->unbind_pt_irq(d, bind);
+    return xsm_ops.unbind_pt_irq(d, bind);
 }
 
 static inline int xsm_irq_permission (xsm_default_t def, struct domain *d, int pirq, uint8_t allow)
 {
-    return xsm_ops->irq_permission(d, pirq, allow);
+    return xsm_ops.irq_permission(d, pirq, allow);
 }
 
 static inline int xsm_iomem_permission (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
-    return xsm_ops->iomem_permission(d, s, e, allow);
+    return xsm_ops.iomem_permission(d, s, e, allow);
 }
 
 static inline int xsm_iomem_mapping (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
-    return xsm_ops->iomem_mapping(d, s, e, allow);
+    return xsm_ops.iomem_mapping(d, s, e, allow);
 }
 
 static inline int xsm_pci_config_permission (xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
 {
-    return xsm_ops->pci_config_permission(d, machine_bdf, start, end, access);
+    return xsm_ops.pci_config_permission(d, machine_bdf, start, end, access);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
 static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops->get_device_group(machine_bdf);
+    return xsm_ops.get_device_group(machine_bdf);
 }
 
 static inline int xsm_assign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
 {
-    return xsm_ops->assign_device(d, machine_bdf);
+    return xsm_ops.assign_device(d, machine_bdf);
 }
 
 static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
 {
-    return xsm_ops->deassign_device(d, machine_bdf);
+    return xsm_ops.deassign_device(d, machine_bdf);
 }
 #endif /* HAS_PASSTHROUGH && HAS_PCI) */
 
@@ -487,240 +487,240 @@ static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint3
 static inline int xsm_assign_dtdevice(xsm_default_t def, struct domain *d,
                                       const char *dtpath)
 {
-    return xsm_ops->assign_dtdevice(d, dtpath);
+    return xsm_ops.assign_dtdevice(d, dtpath);
 }
 
 static inline int xsm_deassign_dtdevice(xsm_default_t def, struct domain *d,
                                         const char *dtpath)
 {
-    return xsm_ops->deassign_dtdevice(d, dtpath);
+    return xsm_ops.deassign_dtdevice(d, dtpath);
 }
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
 static inline int xsm_resource_plug_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops->resource_plug_pci(machine_bdf);
+    return xsm_ops.resource_plug_pci(machine_bdf);
 }
 
 static inline int xsm_resource_unplug_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops->resource_unplug_pci(machine_bdf);
+    return xsm_ops.resource_unplug_pci(machine_bdf);
 }
 
 static inline int xsm_resource_plug_core (xsm_default_t def)
 {
-    return xsm_ops->resource_plug_core();
+    return xsm_ops.resource_plug_core();
 }
 
 static inline int xsm_resource_unplug_core (xsm_default_t def)
 {
-    return xsm_ops->resource_unplug_core();
+    return xsm_ops.resource_unplug_core();
 }
 
 static inline int xsm_resource_setup_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops->resource_setup_pci(machine_bdf);
+    return xsm_ops.resource_setup_pci(machine_bdf);
 }
 
 static inline int xsm_resource_setup_gsi (xsm_default_t def, int gsi)
 {
-    return xsm_ops->resource_setup_gsi(gsi);
+    return xsm_ops.resource_setup_gsi(gsi);
 }
 
 static inline int xsm_resource_setup_misc (xsm_default_t def)
 {
-    return xsm_ops->resource_setup_misc();
+    return xsm_ops.resource_setup_misc();
 }
 
 static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
 {
-    return xsm_ops->page_offline(cmd);
+    return xsm_ops.page_offline(cmd);
 }
 
 static inline int xsm_hypfs_op(xsm_default_t def)
 {
-    return xsm_ops->hypfs_op();
+    return xsm_ops.hypfs_op();
 }
 
 static inline long xsm_do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
-    return xsm_ops->do_xsm_op(op);
+    return xsm_ops.do_xsm_op(op);
 }
 
 #ifdef CONFIG_COMPAT
 static inline int xsm_do_compat_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
-    return xsm_ops->do_compat_op(op);
+    return xsm_ops.do_compat_op(op);
 }
 #endif
 
 static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned long op)
 {
-    return xsm_ops->hvm_param(d, op);
+    return xsm_ops.hvm_param(d, op);
 }
 
 static inline int xsm_hvm_control(xsm_default_t def, struct domain *d, unsigned long op)
 {
-    return xsm_ops->hvm_control(d, op);
+    return xsm_ops.hvm_control(d, op);
 }
 
 static inline int xsm_hvm_param_altp2mhvm (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->hvm_param_altp2mhvm(d);
+    return xsm_ops.hvm_param_altp2mhvm(d);
 }
 
 static inline int xsm_hvm_altp2mhvm_op (xsm_default_t def, struct domain *d, uint64_t mode, uint32_t op)
 {
-    return xsm_ops->hvm_altp2mhvm_op(d, mode, op);
+    return xsm_ops.hvm_altp2mhvm_op(d, mode, op);
 }
 
 static inline int xsm_get_vnumainfo (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->get_vnumainfo(d);
+    return xsm_ops.get_vnumainfo(d);
 }
 
 static inline int xsm_vm_event_control (xsm_default_t def, struct domain *d, int mode, int op)
 {
-    return xsm_ops->vm_event_control(d, mode, op);
+    return xsm_ops.vm_event_control(d, mode, op);
 }
 
 #ifdef CONFIG_MEM_ACCESS
 static inline int xsm_mem_access (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->mem_access(d);
+    return xsm_ops.mem_access(d);
 }
 #endif
 
 #ifdef CONFIG_MEM_PAGING
 static inline int xsm_mem_paging (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->mem_paging(d);
+    return xsm_ops.mem_paging(d);
 }
 #endif
 
 #ifdef CONFIG_MEM_SHARING
 static inline int xsm_mem_sharing (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->mem_sharing(d);
+    return xsm_ops.mem_sharing(d);
 }
 #endif
 
 static inline int xsm_platform_op (xsm_default_t def, uint32_t op)
 {
-    return xsm_ops->platform_op(op);
+    return xsm_ops.platform_op(op);
 }
 
 #ifdef CONFIG_X86
 static inline int xsm_do_mca(xsm_default_t def)
 {
-    return xsm_ops->do_mca();
+    return xsm_ops.do_mca();
 }
 
 static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
 {
-    return xsm_ops->shadow_control(d, op);
+    return xsm_ops.shadow_control(d, op);
 }
 
 static inline int xsm_mem_sharing_op (xsm_default_t def, struct domain *d, struct domain *cd, int op)
 {
-    return xsm_ops->mem_sharing_op(d, cd, op);
+    return xsm_ops.mem_sharing_op(d, cd, op);
 }
 
 static inline int xsm_apic (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops->apic(d, cmd);
+    return xsm_ops.apic(d, cmd);
 }
 
 static inline int xsm_memtype (xsm_default_t def, uint32_t access)
 {
-    return xsm_ops->memtype(access);
+    return xsm_ops.memtype(access);
 }
 
 static inline int xsm_machine_memory_map(xsm_default_t def)
 {
-    return xsm_ops->machine_memory_map();
+    return xsm_ops.machine_memory_map();
 }
 
 static inline int xsm_domain_memory_map(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->domain_memory_map(d);
+    return xsm_ops.domain_memory_map(d);
 }
 
 static inline int xsm_mmu_update (xsm_default_t def, struct domain *d, struct domain *t,
                                   struct domain *f, uint32_t flags)
 {
-    return xsm_ops->mmu_update(d, t, f, flags);
+    return xsm_ops.mmu_update(d, t, f, flags);
 }
 
 static inline int xsm_mmuext_op (xsm_default_t def, struct domain *d, struct domain *f)
 {
-    return xsm_ops->mmuext_op(d, f);
+    return xsm_ops.mmuext_op(d, f);
 }
 
 static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, struct domain *f,
                                                             l1_pgentry_t pte)
 {
-    return xsm_ops->update_va_mapping(d, f, pte);
+    return xsm_ops.update_va_mapping(d, f, pte);
 }
 
 static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t)
 {
-    return xsm_ops->priv_mapping(d, t);
+    return xsm_ops.priv_mapping(d, t);
 }
 
 static inline int xsm_ioport_permission (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
-    return xsm_ops->ioport_permission(d, s, e, allow);
+    return xsm_ops.ioport_permission(d, s, e, allow);
 }
 
 static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
-    return xsm_ops->ioport_mapping(d, s, e, allow);
+    return xsm_ops.ioport_mapping(d, s, e, allow);
 }
 
 static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int op)
 {
-    return xsm_ops->pmu_op(d, op);
+    return xsm_ops.pmu_op(d, op);
 }
 
 #endif /* CONFIG_X86 */
 
 static inline int xsm_dm_op(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->dm_op(d);
+    return xsm_ops.dm_op(d);
 }
 
 static inline int xsm_xen_version (xsm_default_t def, uint32_t op)
 {
-    return xsm_ops->xen_version(op);
+    return xsm_ops.xen_version(op);
 }
 
 static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops->domain_resource_map(d);
+    return xsm_ops.domain_resource_map(d);
 }
 
 #ifdef CONFIG_ARGO
 static inline int xsm_argo_enable(const struct domain *d)
 {
-    return xsm_ops->argo_enable(d);
+    return xsm_ops.argo_enable(d);
 }
 
 static inline int xsm_argo_register_single_source(const struct domain *d,
                                                   const struct domain *t)
 {
-    return xsm_ops->argo_register_single_source(d, t);
+    return xsm_ops.argo_register_single_source(d, t);
 }
 
 static inline int xsm_argo_register_any_source(const struct domain *d)
 {
-    return xsm_ops->argo_register_any_source(d);
+    return xsm_ops.argo_register_any_source(d);
 }
 
 static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 {
-    return xsm_ops->argo_send(d, t);
+    return xsm_ops.argo_send(d, t);
 }
 
 #endif /* CONFIG_ARGO */
@@ -747,16 +747,14 @@ extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
 extern bool has_xsm_magic(paddr_t);
 #endif
 
-extern int register_xsm(struct xsm_operations *ops);
-
-extern struct xsm_operations dummy_xsm_ops;
 extern void xsm_fixup_ops(struct xsm_operations *ops);
 
 #ifdef CONFIG_XSM_FLASK
-extern void flask_init(const void *policy_buffer, size_t policy_size);
+extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
 #else
-static inline void flask_init(const void *policy_buffer, size_t policy_size)
+static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
 {
+    return NULL;
 }
 #endif
 
@@ -766,9 +764,12 @@ extern const unsigned int xsm_flask_init_policy_size;
 #endif
 
 #ifdef CONFIG_XSM_SILO
-extern void silo_init(void);
+extern struct xsm_operations *silo_init(void);
 #else
-static inline void silo_init(void) {}
+static inline struct xsm_operations *silo_init(void)
+{
+    return NULL;
+}
 #endif
 
 #else /* CONFIG_XSM */
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index de44b10130..066694763a 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -13,8 +13,6 @@
 #define XSM_NO_WRAPPERS
 #include <xsm/dummy.h>
 
-struct xsm_operations dummy_xsm_ops;
-
 #define set_to_dummy_if_null(ops, function)                            \
     do {                                                               \
         if ( !ops->function )                                          \
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index 01e52138a1..32e079d676 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -226,6 +226,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
 static int flask_disable(void)
 {
     static int flask_disabled = 0;
+    struct xsm_operations default_ops;
 
     if ( ss_initialized )
     {
@@ -244,7 +245,8 @@ static int flask_disable(void)
     flask_disabled = 1;
 
     /* Reset xsm_ops to the original module. */
-    xsm_ops = &dummy_xsm_ops;
+    xsm_fixup_ops(&default_ops);
+    xsm_ops = default_ops;
 
     return 0;
 }
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index f1a1217c98..a3a88aa8ed 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1883,7 +1883,8 @@ static struct xsm_operations flask_ops = {
 #endif
 };
 
-void __init flask_init(const void *policy_buffer, size_t policy_size)
+struct xsm_operations __init *flask_init(const void *policy_buffer,
+					 size_t policy_size)
 {
     int ret = -ENOENT;
 
@@ -1891,7 +1892,7 @@ void __init flask_init(const void *policy_buffer, size_t policy_size)
     {
     case FLASK_BOOTPARAM_DISABLED:
         printk(XENLOG_INFO "Flask: Disabled at boot.\n");
-        return;
+        return NULL;
 
     case FLASK_BOOTPARAM_PERMISSIVE:
         flask_enforcing = 0;
@@ -1908,9 +1909,6 @@ void __init flask_init(const void *policy_buffer, size_t policy_size)
 
     avc_init();
 
-    if ( register_xsm(&flask_ops) )
-        panic("Flask: Unable to register with XSM\n");
-
     if ( policy_size && flask_bootparam != FLASK_BOOTPARAM_LATELOAD )
         ret = security_load_policy(policy_buffer, policy_size);
 
@@ -1923,6 +1921,9 @@ void __init flask_init(const void *policy_buffer, size_t policy_size)
         printk(XENLOG_INFO "Flask:  Starting in enforcing mode.\n");
     else
         printk(XENLOG_INFO "Flask:  Starting in permissive mode.\n");
+
+    return &flask_ops;
+
 }
 
 /*
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index fc2ca5cd2d..808350f122 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -112,12 +112,11 @@ static struct xsm_operations silo_xsm_ops = {
 #endif
 };
 
-void __init silo_init(void)
+struct xsm_operations __init *silo_init(void)
 {
     printk("Initialising XSM SILO mode\n");
 
-    if ( register_xsm(&silo_xsm_ops) )
-        panic("SILO: Unable to register with XSM\n");
+    return &silo_xsm_ops;
 }
 
 /*
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 5eab21e1b1..7265f742e9 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -28,9 +28,17 @@
 #include <asm/setup.h>
 #endif
 
-#define XSM_FRAMEWORK_VERSION    "1.0.0"
+#define XSM_FRAMEWORK_VERSION    "1.0.1"
 
-struct xsm_operations *xsm_ops;
+struct xsm_operations xsm_ops;
+
+enum xsm_ops_state {
+    XSM_OPS_UNREGISTERED,
+    XSM_OPS_REG_FAILED,
+    XSM_OPS_REGISTERED,
+};
+
+static enum xsm_ops_state xsm_ops_registered = XSM_OPS_UNREGISTERED;
 
 enum xsm_bootparam {
     XSM_BOOTPARAM_DUMMY,
@@ -68,17 +76,10 @@ static int __init parse_xsm_param(const char *s)
 }
 custom_param("xsm", parse_xsm_param);
 
-static inline int verify(struct xsm_operations *ops)
-{
-    /* verify the security_operations structure exists */
-    if ( !ops )
-        return -EINVAL;
-    xsm_fixup_ops(ops);
-    return 0;
-}
-
 static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
 {
+	struct xsm_operations *mod_ops;
+
 #ifdef CONFIG_XSM_FLASK_POLICY
     if ( policy_size == 0 )
     {
@@ -87,25 +88,35 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
     }
 #endif
 
-    if ( verify(&dummy_xsm_ops) )
+    if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
     {
-        printk(XENLOG_ERR "Could not verify dummy_xsm_ops structure\n");
+        printk(XENLOG_ERR
+               "Could not init XSM, xsm_ops register already attempted\n");
         return -EIO;
     }
 
-    xsm_ops = &dummy_xsm_ops;
-
     switch ( xsm_bootparam )
     {
     case XSM_BOOTPARAM_DUMMY:
+        xsm_ops_registered = XSM_OPS_REGISTERED;
         break;
 
     case XSM_BOOTPARAM_FLASK:
-        flask_init(policy_buffer, policy_size);
+        mod_ops = flask_init(policy_buffer, policy_size);
+	if ( mod_ops )
+	{
+		xsm_ops_registered = XSM_OPS_REGISTERED;
+		xsm_ops = *mod_ops;
+	}
         break;
 
     case XSM_BOOTPARAM_SILO:
-        silo_init();
+        mod_ops = silo_init();
+	if ( mod_ops )
+	{
+		xsm_ops_registered = XSM_OPS_REGISTERED;
+		xsm_ops = *mod_ops;
+	}
         break;
 
     default:
@@ -113,6 +124,17 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
         break;
     }
 
+    /*
+     * This handles three cases,
+     *   - dummy policy module was selected
+     *   - a policy module  does not provide all handlers
+     *   - a policy module failed to init
+     */
+    xsm_fixup_ops(&xsm_ops);
+
+    if ( xsm_ops_registered != XSM_OPS_REGISTERED )
+        xsm_ops_registered = XSM_OPS_REG_FAILED;
+
     return 0;
 }
 
@@ -195,22 +217,6 @@ bool __init has_xsm_magic(paddr_t start)
 }
 #endif
 
-int __init register_xsm(struct xsm_operations *ops)
-{
-    if ( verify(ops) )
-    {
-        printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
-        return -EINVAL;
-    }
-
-    if ( xsm_ops != &dummy_xsm_ops )
-        return -EAGAIN;
-
-    xsm_ops = ops;
-
-    return 0;
-}
-
 #endif
 
 long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 03/10] xsm: remove the ability to disable flask
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
  2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
  2021-07-12 20:32 ` [PATCH v2 02/10] xsm: refactor xsm_ops handling Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:22   ` Andrew Cooper
  2021-07-14 15:58   ` Jan Beulich
  2021-07-12 20:32 ` [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call Daniel P. Smith
                   ` (7 subsequent siblings)
  10 siblings, 2 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

The flask XSM module provided the ability to switch from flask back to
the dummy XSM module during runtime. With this removal the only way to
switch between XSM modules is at boot time.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/xsm/flask/flask_op.c | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index 32e079d676..f41c025391 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -223,34 +223,6 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
 
 #ifndef COMPAT
 
-static int flask_disable(void)
-{
-    static int flask_disabled = 0;
-    struct xsm_operations default_ops;
-
-    if ( ss_initialized )
-    {
-        /* Not permitted after initial policy load. */
-        return -EINVAL;
-    }
-
-    if ( flask_disabled )
-    {
-        /* Only do this once. */
-        return -EINVAL;
-    }
-
-    printk("Flask:  Disabled at runtime.\n");
-
-    flask_disabled = 1;
-
-    /* Reset xsm_ops to the original module. */
-    xsm_fixup_ops(&default_ops);
-    xsm_ops = default_ops;
-
-    return 0;
-}
-
 static int flask_security_setavc_threshold(struct xen_flask_setavc_threshold *arg)
 {
     int rv = 0;
@@ -700,10 +672,6 @@ ret_t do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op)
         rv = flask_mls_enabled;
         break;    
 
-    case FLASK_DISABLE:
-        rv = flask_disable();
-        break;
-
     case FLASK_GETAVC_THRESHOLD:
         rv = avc_cache_threshold;
         break;
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (2 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 03/10] xsm: remove the ability to disable flask Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:44   ` Andrew Cooper
  2021-07-12 20:32 ` [PATCH v2 05/10] xsm: decouple xsm header inclusion selection Daniel P. Smith
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

To reduce retpolines convert all the pointer function calls of the
xsm_ops hooks over to the alternative_call infrastructure.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/include/xsm/xsm.h | 195 +++++++++++++++++++++---------------------
 1 file changed, 99 insertions(+), 96 deletions(-)

diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index a8805f514b..a39b5dc42f 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -15,6 +15,9 @@
 #ifndef __XSM_H__
 #define __XSM_H__
 
+#ifdef CONFIG_XSM
+#include <xen/alternative-call.h>
+#endif
 #include <xen/sched.h>
 #include <xen/multiboot.h>
 
@@ -198,288 +201,288 @@ extern struct xsm_operations xsm_ops;
 static inline void xsm_security_domaininfo (struct domain *d,
                                         struct xen_domctl_getdomaininfo *info)
 {
-    xsm_ops.security_domaininfo(d, info);
+    alternative_vcall(xsm_ops.security_domaininfo, d, info);
 }
 
 static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
 {
-    return xsm_ops.domain_create(d, ssidref);
+    return alternative_call(xsm_ops.domain_create, d, ssidref);
 }
 
 static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.getdomaininfo(d);
+    return alternative_call(xsm_ops.getdomaininfo, d);
 }
 
 static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops.domctl_scheduler_op(d, cmd);
+    return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd);
 }
 
 static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
 {
-    return xsm_ops.sysctl_scheduler_op(cmd);
+    return alternative_call(xsm_ops.sysctl_scheduler_op, cmd);
 }
 
 static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
 {
-    return xsm_ops.set_target(d, e);
+    return alternative_call(xsm_ops.set_target, d, e);
 }
 
 static inline int xsm_domctl (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops.domctl(d, cmd);
+    return alternative_call(xsm_ops.domctl, d, cmd);
 }
 
 static inline int xsm_sysctl (xsm_default_t def, int cmd)
 {
-    return xsm_ops.sysctl(cmd);
+    return alternative_call(xsm_ops.sysctl, cmd);
 }
 
 static inline int xsm_readconsole (xsm_default_t def, uint32_t clear)
 {
-    return xsm_ops.readconsole(clear);
+    return alternative_call(xsm_ops.readconsole, clear);
 }
 
 static inline int xsm_evtchn_unbound (xsm_default_t def, struct domain *d1, struct evtchn *chn,
                                                                     domid_t id2)
 {
-    return xsm_ops.evtchn_unbound(d1, chn, id2);
+    return alternative_call(xsm_ops.evtchn_unbound, d1, chn, id2);
 }
 
 static inline int xsm_evtchn_interdomain (xsm_default_t def, struct domain *d1,
                 struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
 {
-    return xsm_ops.evtchn_interdomain(d1, chan1, d2, chan2);
+    return alternative_call(xsm_ops.evtchn_interdomain, d1, chan1, d2, chan2);
 }
 
 static inline void xsm_evtchn_close_post (struct evtchn *chn)
 {
-    xsm_ops.evtchn_close_post(chn);
+    alternative_vcall(xsm_ops.evtchn_close_post, chn);
 }
 
 static inline int xsm_evtchn_send (xsm_default_t def, struct domain *d, struct evtchn *chn)
 {
-    return xsm_ops.evtchn_send(d, chn);
+    return alternative_call(xsm_ops.evtchn_send, d, chn);
 }
 
 static inline int xsm_evtchn_status (xsm_default_t def, struct domain *d, struct evtchn *chn)
 {
-    return xsm_ops.evtchn_status(d, chn);
+    return alternative_call(xsm_ops.evtchn_status, d, chn);
 }
 
 static inline int xsm_evtchn_reset (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.evtchn_reset(d1, d2);
+    return alternative_call(xsm_ops.evtchn_reset, d1, d2);
 }
 
 static inline int xsm_grant_mapref (xsm_default_t def, struct domain *d1, struct domain *d2,
                                                                 uint32_t flags)
 {
-    return xsm_ops.grant_mapref(d1, d2, flags);
+    return alternative_call(xsm_ops.grant_mapref, d1, d2, flags);
 }
 
 static inline int xsm_grant_unmapref (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.grant_unmapref(d1, d2);
+    return alternative_call(xsm_ops.grant_unmapref, d1, d2);
 }
 
 static inline int xsm_grant_setup (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.grant_setup(d1, d2);
+    return alternative_call(xsm_ops.grant_setup, d1, d2);
 }
 
 static inline int xsm_grant_transfer (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.grant_transfer(d1, d2);
+    return alternative_call(xsm_ops.grant_transfer, d1, d2);
 }
 
 static inline int xsm_grant_copy (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.grant_copy(d1, d2);
+    return alternative_call(xsm_ops.grant_copy, d1, d2);
 }
 
 static inline int xsm_grant_query_size (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.grant_query_size(d1, d2);
+    return alternative_call(xsm_ops.grant_query_size, d1, d2);
 }
 
 static inline int xsm_alloc_security_domain (struct domain *d)
 {
-    return xsm_ops.alloc_security_domain(d);
+    return alternative_call(xsm_ops.alloc_security_domain, d);
 }
 
 static inline void xsm_free_security_domain (struct domain *d)
 {
-    xsm_ops.free_security_domain(d);
+    alternative_vcall(xsm_ops.free_security_domain, d);
 }
 
 static inline int xsm_alloc_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
-    return xsm_ops.alloc_security_evtchns(chn, nr);
+    return alternative_call(xsm_ops.alloc_security_evtchns, chn, nr);
 }
 
 static inline void xsm_free_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
-    xsm_ops.free_security_evtchns(chn, nr);
+    alternative_vcall(xsm_ops.free_security_evtchns, chn, nr);
 }
 
 static inline char *xsm_show_security_evtchn (struct domain *d, const struct evtchn *chn)
 {
-    return xsm_ops.show_security_evtchn(d, chn);
+    return alternative_call(xsm_ops.show_security_evtchn, d, chn);
 }
 
 static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.init_hardware_domain(d);
+    return alternative_call(xsm_ops.init_hardware_domain, d);
 }
 
 static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.get_pod_target(d);
+    return alternative_call(xsm_ops.get_pod_target, d);
 }
 
 static inline int xsm_set_pod_target (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.set_pod_target(d);
+    return alternative_call(xsm_ops.set_pod_target, d);
 }
 
 static inline int xsm_memory_exchange (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.memory_exchange(d);
+    return alternative_call(xsm_ops.memory_exchange, d);
 }
 
 static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct domain *d1, struct
                                                                     domain *d2)
 {
-    return xsm_ops.memory_adjust_reservation(d1, d2);
+    return alternative_call(xsm_ops.memory_adjust_reservation, d1, d2);
 }
 
 static inline int xsm_memory_stat_reservation (xsm_default_t def, struct domain *d1,
                                                             struct domain *d2)
 {
-    return xsm_ops.memory_stat_reservation(d1, d2);
+    return alternative_call(xsm_ops.memory_stat_reservation, d1, d2);
 }
 
 static inline int xsm_memory_pin_page(xsm_default_t def, struct domain *d1, struct domain *d2,
                                       struct page_info *page)
 {
-    return xsm_ops.memory_pin_page(d1, d2, page);
+    return alternative_call(xsm_ops.memory_pin_page, d1, d2, page);
 }
 
 static inline int xsm_add_to_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.add_to_physmap(d1, d2);
+    return alternative_call(xsm_ops.add_to_physmap, d1, d2);
 }
 
 static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.remove_from_physmap(d1, d2);
+    return alternative_call(xsm_ops.remove_from_physmap, d1, d2);
 }
 
 static inline int xsm_map_gmfn_foreign (xsm_default_t def, struct domain *d, struct domain *t)
 {
-    return xsm_ops.map_gmfn_foreign(d, t);
+    return alternative_call(xsm_ops.map_gmfn_foreign, d, t);
 }
 
 static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.claim_pages(d);
+    return alternative_call(xsm_ops.claim_pages, d);
 }
 
 static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops.console_io(d, cmd);
+    return alternative_call(xsm_ops.console_io, d, cmd);
 }
 
 static inline int xsm_profile (xsm_default_t def, struct domain *d, int op)
 {
-    return xsm_ops.profile(d, op);
+    return alternative_call(xsm_ops.profile, d, op);
 }
 
 static inline int xsm_kexec (xsm_default_t def)
 {
-    return xsm_ops.kexec();
+    return alternative_call(xsm_ops.kexec);
 }
 
 static inline int xsm_schedop_shutdown (xsm_default_t def, struct domain *d1, struct domain *d2)
 {
-    return xsm_ops.schedop_shutdown(d1, d2);
+    return alternative_call(xsm_ops.schedop_shutdown, d1, d2);
 }
 
 static inline char *xsm_show_irq_sid (int irq)
 {
-    return xsm_ops.show_irq_sid(irq);
+    return alternative_call(xsm_ops.show_irq_sid, irq);
 }
 
 static inline int xsm_map_domain_pirq (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.map_domain_pirq(d);
+    return alternative_call(xsm_ops.map_domain_pirq, d);
 }
 
 static inline int xsm_map_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
 {
-    return xsm_ops.map_domain_irq(d, irq, data);
+    return alternative_call(xsm_ops.map_domain_irq, d, irq, data);
 }
 
 static inline int xsm_unmap_domain_pirq (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.unmap_domain_pirq(d);
+    return alternative_call(xsm_ops.unmap_domain_pirq, d);
 }
 
 static inline int xsm_unmap_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
 {
-    return xsm_ops.unmap_domain_irq(d, irq, data);
+    return alternative_call(xsm_ops.unmap_domain_irq, d, irq, data);
 }
 
 static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d,
                                   struct xen_domctl_bind_pt_irq *bind)
 {
-    return xsm_ops.bind_pt_irq(d, bind);
+    return alternative_call(xsm_ops.bind_pt_irq, d, bind);
 }
 
 static inline int xsm_unbind_pt_irq(xsm_default_t def, struct domain *d,
                                     struct xen_domctl_bind_pt_irq *bind)
 {
-    return xsm_ops.unbind_pt_irq(d, bind);
+    return alternative_call(xsm_ops.unbind_pt_irq, d, bind);
 }
 
 static inline int xsm_irq_permission (xsm_default_t def, struct domain *d, int pirq, uint8_t allow)
 {
-    return xsm_ops.irq_permission(d, pirq, allow);
+    return alternative_call(xsm_ops.irq_permission, d, pirq, allow);
 }
 
 static inline int xsm_iomem_permission (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
-    return xsm_ops.iomem_permission(d, s, e, allow);
+    return alternative_call(xsm_ops.iomem_permission, d, s, e, allow);
 }
 
 static inline int xsm_iomem_mapping (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
-    return xsm_ops.iomem_mapping(d, s, e, allow);
+    return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow);
 }
 
 static inline int xsm_pci_config_permission (xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
 {
-    return xsm_ops.pci_config_permission(d, machine_bdf, start, end, access);
+    return alternative_call(xsm_ops.pci_config_permission, d, machine_bdf, start, end, access);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
 static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops.get_device_group(machine_bdf);
+    return alternative_call(xsm_ops.get_device_group, machine_bdf);
 }
 
 static inline int xsm_assign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
 {
-    return xsm_ops.assign_device(d, machine_bdf);
+    return alternative_call(xsm_ops.assign_device, d, machine_bdf);
 }
 
 static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
 {
-    return xsm_ops.deassign_device(d, machine_bdf);
+    return alternative_call(xsm_ops.deassign_device, d, machine_bdf);
 }
 #endif /* HAS_PASSTHROUGH && HAS_PCI) */
 
@@ -487,60 +490,60 @@ static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint3
 static inline int xsm_assign_dtdevice(xsm_default_t def, struct domain *d,
                                       const char *dtpath)
 {
-    return xsm_ops.assign_dtdevice(d, dtpath);
+    return alternative_call(xsm_ops.assign_dtdevice, d, dtpath);
 }
 
 static inline int xsm_deassign_dtdevice(xsm_default_t def, struct domain *d,
                                         const char *dtpath)
 {
-    return xsm_ops.deassign_dtdevice(d, dtpath);
+    return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath);
 }
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
 static inline int xsm_resource_plug_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops.resource_plug_pci(machine_bdf);
+    return alternative_call(xsm_ops.resource_plug_pci, machine_bdf);
 }
 
 static inline int xsm_resource_unplug_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops.resource_unplug_pci(machine_bdf);
+    return alternative_call(xsm_ops.resource_unplug_pci, machine_bdf);
 }
 
 static inline int xsm_resource_plug_core (xsm_default_t def)
 {
-    return xsm_ops.resource_plug_core();
+    return alternative_call(xsm_ops.resource_plug_core);
 }
 
 static inline int xsm_resource_unplug_core (xsm_default_t def)
 {
-    return xsm_ops.resource_unplug_core();
+    return alternative_call(xsm_ops.resource_unplug_core);
 }
 
 static inline int xsm_resource_setup_pci (xsm_default_t def, uint32_t machine_bdf)
 {
-    return xsm_ops.resource_setup_pci(machine_bdf);
+    return alternative_call(xsm_ops.resource_setup_pci, machine_bdf);
 }
 
 static inline int xsm_resource_setup_gsi (xsm_default_t def, int gsi)
 {
-    return xsm_ops.resource_setup_gsi(gsi);
+    return alternative_call(xsm_ops.resource_setup_gsi, gsi);
 }
 
 static inline int xsm_resource_setup_misc (xsm_default_t def)
 {
-    return xsm_ops.resource_setup_misc();
+    return alternative_call(xsm_ops.resource_setup_misc);
 }
 
 static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
 {
-    return xsm_ops.page_offline(cmd);
+    return alternative_call(xsm_ops.page_offline, cmd);
 }
 
 static inline int xsm_hypfs_op(xsm_default_t def)
 {
-    return xsm_ops.hypfs_op();
+    return alternative_call(xsm_ops.hypfs_op);
 }
 
 static inline long xsm_do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
@@ -557,105 +560,105 @@ static inline int xsm_do_compat_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 
 static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned long op)
 {
-    return xsm_ops.hvm_param(d, op);
+    return alternative_call(xsm_ops.hvm_param, d, op);
 }
 
 static inline int xsm_hvm_control(xsm_default_t def, struct domain *d, unsigned long op)
 {
-    return xsm_ops.hvm_control(d, op);
+    return alternative_call(xsm_ops.hvm_control, d, op);
 }
 
 static inline int xsm_hvm_param_altp2mhvm (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.hvm_param_altp2mhvm(d);
+    return alternative_call(xsm_ops.hvm_param_altp2mhvm, d);
 }
 
 static inline int xsm_hvm_altp2mhvm_op (xsm_default_t def, struct domain *d, uint64_t mode, uint32_t op)
 {
-    return xsm_ops.hvm_altp2mhvm_op(d, mode, op);
+    return alternative_call(xsm_ops.hvm_altp2mhvm_op, d, mode, op);
 }
 
 static inline int xsm_get_vnumainfo (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.get_vnumainfo(d);
+    return alternative_call(xsm_ops.get_vnumainfo, d);
 }
 
 static inline int xsm_vm_event_control (xsm_default_t def, struct domain *d, int mode, int op)
 {
-    return xsm_ops.vm_event_control(d, mode, op);
+    return alternative_call(xsm_ops.vm_event_control, d, mode, op);
 }
 
 #ifdef CONFIG_MEM_ACCESS
 static inline int xsm_mem_access (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.mem_access(d);
+    return alternative_call(xsm_ops.mem_access, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_PAGING
 static inline int xsm_mem_paging (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.mem_paging(d);
+    return alternative_call(xsm_ops.mem_paging, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_SHARING
 static inline int xsm_mem_sharing (xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.mem_sharing(d);
+    return alternative_call(xsm_ops.mem_sharing, d);
 }
 #endif
 
 static inline int xsm_platform_op (xsm_default_t def, uint32_t op)
 {
-    return xsm_ops.platform_op(op);
+    return alternative_call(xsm_ops.platform_op, op);
 }
 
 #ifdef CONFIG_X86
 static inline int xsm_do_mca(xsm_default_t def)
 {
-    return xsm_ops.do_mca();
+    return alternative_call(xsm_ops.do_mca);
 }
 
 static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
 {
-    return xsm_ops.shadow_control(d, op);
+    return alternative_call(xsm_ops.shadow_control, d, op);
 }
 
 static inline int xsm_mem_sharing_op (xsm_default_t def, struct domain *d, struct domain *cd, int op)
 {
-    return xsm_ops.mem_sharing_op(d, cd, op);
+    return alternative_call(xsm_ops.mem_sharing_op, d, cd, op);
 }
 
 static inline int xsm_apic (xsm_default_t def, struct domain *d, int cmd)
 {
-    return xsm_ops.apic(d, cmd);
+    return alternative_call(xsm_ops.apic, d, cmd);
 }
 
 static inline int xsm_memtype (xsm_default_t def, uint32_t access)
 {
-    return xsm_ops.memtype(access);
+    return alternative_call(xsm_ops.memtype, access);
 }
 
 static inline int xsm_machine_memory_map(xsm_default_t def)
 {
-    return xsm_ops.machine_memory_map();
+    return alternative_call(xsm_ops.machine_memory_map);
 }
 
 static inline int xsm_domain_memory_map(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.domain_memory_map(d);
+    return alternative_call(xsm_ops.domain_memory_map, d);
 }
 
 static inline int xsm_mmu_update (xsm_default_t def, struct domain *d, struct domain *t,
                                   struct domain *f, uint32_t flags)
 {
-    return xsm_ops.mmu_update(d, t, f, flags);
+    return alternative_call(xsm_ops.mmu_update, d, t, f, flags);
 }
 
 static inline int xsm_mmuext_op (xsm_default_t def, struct domain *d, struct domain *f)
 {
-    return xsm_ops.mmuext_op(d, f);
+    return alternative_call(xsm_ops.mmuext_op, d, f);
 }
 
 static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, struct domain *f,
@@ -666,61 +669,61 @@ static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, str
 
 static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t)
 {
-    return xsm_ops.priv_mapping(d, t);
+    return alternative_call(xsm_ops.priv_mapping, d, t);
 }
 
 static inline int xsm_ioport_permission (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
-    return xsm_ops.ioport_permission(d, s, e, allow);
+    return alternative_call(xsm_ops.ioport_permission, d, s, e, allow);
 }
 
 static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
-    return xsm_ops.ioport_mapping(d, s, e, allow);
+    return alternative_call(xsm_ops.ioport_mapping, d, s, e, allow);
 }
 
 static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int op)
 {
-    return xsm_ops.pmu_op(d, op);
+    return alternative_call(xsm_ops.pmu_op, d, op);
 }
 
 #endif /* CONFIG_X86 */
 
 static inline int xsm_dm_op(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.dm_op(d);
+    return alternative_call(xsm_ops.dm_op, d);
 }
 
 static inline int xsm_xen_version (xsm_default_t def, uint32_t op)
 {
-    return xsm_ops.xen_version(op);
+    return alternative_call(xsm_ops.xen_version, op);
 }
 
 static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
 {
-    return xsm_ops.domain_resource_map(d);
+    return alternative_call(xsm_ops.domain_resource_map, d);
 }
 
 #ifdef CONFIG_ARGO
 static inline int xsm_argo_enable(const struct domain *d)
 {
-    return xsm_ops.argo_enable(d);
+    return alternative_call(xsm_ops.argo_enable, d);
 }
 
 static inline int xsm_argo_register_single_source(const struct domain *d,
                                                   const struct domain *t)
 {
-    return xsm_ops.argo_register_single_source(d, t);
+    return alternative_call(xsm_ops.argo_register_single_source, d, t);
 }
 
 static inline int xsm_argo_register_any_source(const struct domain *d)
 {
-    return xsm_ops.argo_register_any_source(d);
+    return alternative_call(xsm_ops.argo_register_any_source, d);
 }
 
 static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 {
-    return xsm_ops.argo_send(d, t);
+    return alternative_call(xsm_ops.argo_send, d, t);
 }
 
 #endif /* CONFIG_ARGO */
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 05/10] xsm: decouple xsm header inclusion selection
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (3 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 20:32 ` [PATCH v2 06/10] xsm: enable xsm to always be included Daniel P. Smith
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

Multiple preprocessor defines were used as a mechanism to selective
include parts of the xsm.h header file. This makes it difficult to know
which portion is being included at anyone time. This commit works to
simplify this by separating the core structure and functions of XSM into
xsm-core.h away from the wrapper functions which remain in xsm.h and
dummy.h.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/include/xsm/dummy.h    |   2 +-
 xen/include/xsm/xsm-core.h | 263 +++++++++++++++++++++++++++++++++++++
 xen/include/xsm/xsm.h      | 241 +--------------------------------
 xen/xsm/dummy.c            |   1 -
 xen/xsm/silo.c             |   1 -
 5 files changed, 265 insertions(+), 243 deletions(-)
 create mode 100644 xen/include/xsm/xsm-core.h

diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 363c6d7798..c445c5681b 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -16,7 +16,7 @@
  */
 
 #include <xen/sched.h>
-#include <xsm/xsm.h>
+#include <xsm/xsm-core.h>
 #include <public/hvm/params.h>
 
 /* Cannot use BUILD_BUG_ON here because the expressions we check are not
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
new file mode 100644
index 0000000000..4f5e7a7d17
--- /dev/null
+++ b/xen/include/xsm/xsm-core.h
@@ -0,0 +1,263 @@
+/*
+ *  This file contains the XSM hook definitions for Xen.
+ *
+ *  This work is based on the LSM implementation in Linux 2.6.13.4.
+ *
+ *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ *  Contributors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#ifndef __XSM_CORE_H__
+#define __XSM_CORE_H__
+
+#include <xen/sched.h>
+#include <xen/multiboot.h>
+
+typedef void xsm_op_t;
+DEFINE_XEN_GUEST_HANDLE(xsm_op_t);
+
+/* policy magic number (defined by XSM_MAGIC) */
+typedef u32 xsm_magic_t;
+
+#ifdef CONFIG_XSM_FLASK
+#define XSM_MAGIC 0xf97cff8c
+#else
+#define XSM_MAGIC 0x0
+#endif
+
+/* These annotations are used by callers and in dummy.h to document the
+ * default actions of XSM hooks. They should be compiled out otherwise.
+ */
+enum xsm_default {
+    XSM_HOOK,     /* Guests can normally access the hypercall */
+    XSM_DM_PRIV,  /* Device model can perform on its target domain */
+    XSM_TARGET,   /* Can perform on self or your target domain */
+    XSM_PRIV,     /* Privileged - normally restricted to dom0 */
+    XSM_XS_PRIV,  /* Xenstore domain - can do some privileged operations */
+    XSM_OTHER     /* Something more complex */
+};
+typedef enum xsm_default xsm_default_t;
+
+struct xsm_operations {
+    void (*security_domaininfo) (struct domain *d,
+                                        struct xen_domctl_getdomaininfo *info);
+    int (*domain_create) (struct domain *d, u32 ssidref);
+    int (*getdomaininfo) (struct domain *d);
+    int (*domctl_scheduler_op) (struct domain *d, int op);
+    int (*sysctl_scheduler_op) (int op);
+    int (*set_target) (struct domain *d, struct domain *e);
+    int (*domctl) (struct domain *d, int cmd);
+    int (*sysctl) (int cmd);
+    int (*readconsole) (uint32_t clear);
+
+    int (*evtchn_unbound) (struct domain *d, struct evtchn *chn, domid_t id2);
+    int (*evtchn_interdomain) (struct domain *d1, struct evtchn *chn1,
+                                        struct domain *d2, struct evtchn *chn2);
+    void (*evtchn_close_post) (struct evtchn *chn);
+    int (*evtchn_send) (struct domain *d, struct evtchn *chn);
+    int (*evtchn_status) (struct domain *d, struct evtchn *chn);
+    int (*evtchn_reset) (struct domain *d1, struct domain *d2);
+
+    int (*grant_mapref) (struct domain *d1, struct domain *d2, uint32_t flags);
+    int (*grant_unmapref) (struct domain *d1, struct domain *d2);
+    int (*grant_setup) (struct domain *d1, struct domain *d2);
+    int (*grant_transfer) (struct domain *d1, struct domain *d2);
+    int (*grant_copy) (struct domain *d1, struct domain *d2);
+    int (*grant_query_size) (struct domain *d1, struct domain *d2);
+
+    int (*alloc_security_domain) (struct domain *d);
+    void (*free_security_domain) (struct domain *d);
+    int (*alloc_security_evtchns) (struct evtchn chn[], unsigned int nr);
+    void (*free_security_evtchns) (struct evtchn chn[], unsigned int nr);
+    char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
+    int (*init_hardware_domain) (struct domain *d);
+
+    int (*get_pod_target) (struct domain *d);
+    int (*set_pod_target) (struct domain *d);
+    int (*memory_exchange) (struct domain *d);
+    int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
+    int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
+    int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
+    int (*add_to_physmap) (struct domain *d1, struct domain *d2);
+    int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
+    int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
+    int (*claim_pages) (struct domain *d);
+
+    int (*console_io) (struct domain *d, int cmd);
+
+    int (*profile) (struct domain *d, int op);
+
+    int (*kexec) (void);
+    int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
+
+    char *(*show_irq_sid) (int irq);
+    int (*map_domain_pirq) (struct domain *d);
+    int (*map_domain_irq) (struct domain *d, int irq, const void *data);
+    int (*unmap_domain_pirq) (struct domain *d);
+    int (*unmap_domain_irq) (struct domain *d, int irq, const void *data);
+    int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
+    int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
+    int (*irq_permission) (struct domain *d, int pirq, uint8_t allow);
+    int (*iomem_permission) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
+    int (*iomem_mapping) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
+    int (*pci_config_permission) (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access);
+
+#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
+    int (*get_device_group) (uint32_t machine_bdf);
+    int (*assign_device) (struct domain *d, uint32_t machine_bdf);
+    int (*deassign_device) (struct domain *d, uint32_t machine_bdf);
+#endif
+
+#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
+    int (*assign_dtdevice) (struct domain *d, const char *dtpath);
+    int (*deassign_dtdevice) (struct domain *d, const char *dtpath);
+#endif
+
+    int (*resource_plug_core) (void);
+    int (*resource_unplug_core) (void);
+    int (*resource_plug_pci) (uint32_t machine_bdf);
+    int (*resource_unplug_pci) (uint32_t machine_bdf);
+    int (*resource_setup_pci) (uint32_t machine_bdf);
+    int (*resource_setup_gsi) (int gsi);
+    int (*resource_setup_misc) (void);
+
+    int (*page_offline)(uint32_t cmd);
+    int (*hypfs_op)(void);
+
+    long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
+#ifdef CONFIG_COMPAT
+    int (*do_compat_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
+#endif
+
+    int (*hvm_param) (struct domain *d, unsigned long op);
+    int (*hvm_control) (struct domain *d, unsigned long op);
+    int (*hvm_param_altp2mhvm) (struct domain *d);
+    int (*hvm_altp2mhvm_op) (struct domain *d, uint64_t mode, uint32_t op);
+    int (*get_vnumainfo) (struct domain *d);
+
+    int (*vm_event_control) (struct domain *d, int mode, int op);
+
+#ifdef CONFIG_MEM_ACCESS
+    int (*mem_access) (struct domain *d);
+#endif
+
+#ifdef CONFIG_MEM_PAGING
+    int (*mem_paging) (struct domain *d);
+#endif
+
+#ifdef CONFIG_MEM_SHARING
+    int (*mem_sharing) (struct domain *d);
+#endif
+
+    int (*platform_op) (uint32_t cmd);
+
+#ifdef CONFIG_X86
+    int (*do_mca) (void);
+    int (*shadow_control) (struct domain *d, uint32_t op);
+    int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
+    int (*apic) (struct domain *d, int cmd);
+    int (*memtype) (uint32_t access);
+    int (*machine_memory_map) (void);
+    int (*domain_memory_map) (struct domain *d);
+#define XSM_MMU_UPDATE_READ      1
+#define XSM_MMU_UPDATE_WRITE     2
+#define XSM_MMU_NORMAL_UPDATE    4
+#define XSM_MMU_MACHPHYS_UPDATE  8
+    int (*mmu_update) (struct domain *d, struct domain *t,
+                       struct domain *f, uint32_t flags);
+    int (*mmuext_op) (struct domain *d, struct domain *f);
+    int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte);
+    int (*priv_mapping) (struct domain *d, struct domain *t);
+    int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
+    int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
+    int (*pmu_op) (struct domain *d, unsigned int op);
+#endif
+    int (*dm_op) (struct domain *d);
+    int (*xen_version) (uint32_t cmd);
+    int (*domain_resource_map) (struct domain *d);
+#ifdef CONFIG_ARGO
+    int (*argo_enable) (const struct domain *d);
+    int (*argo_register_single_source) (const struct domain *d,
+                                        const struct domain *t);
+    int (*argo_register_any_source) (const struct domain *d);
+    int (*argo_send) (const struct domain *d, const struct domain *t);
+#endif
+};
+
+extern void xsm_fixup_ops(struct xsm_operations *ops);
+
+#ifdef CONFIG_XSM
+
+#ifdef CONFIG_MULTIBOOT
+extern int xsm_multiboot_init(unsigned long *module_map,
+                              const multiboot_info_t *mbi);
+extern int xsm_multiboot_policy_init(unsigned long *module_map,
+                                     const multiboot_info_t *mbi,
+                                     void **policy_buffer,
+                                     size_t *policy_size);
+#endif
+
+#ifdef CONFIG_HAS_DEVICE_TREE
+/*
+ * Initialize XSM
+ *
+ * On success, return 1 if using SILO mode else 0.
+ */
+extern int xsm_dt_init(void);
+extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
+extern bool has_xsm_magic(paddr_t);
+#endif
+
+#ifdef CONFIG_XSM_FLASK
+extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
+#else
+static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
+{
+    return NULL;
+}
+#endif
+
+#ifdef CONFIG_XSM_FLASK_POLICY
+extern const unsigned char xsm_flask_init_policy[];
+extern const unsigned int xsm_flask_init_policy_size;
+#endif
+
+#ifdef CONFIG_XSM_SILO
+extern struct xsm_operations *silo_init(void);
+#else
+static inline struct xsm_operations *silo_init(void)
+{
+    return NULL;
+}
+#endif
+
+#else /* CONFIG_XSM */
+
+#ifdef CONFIG_MULTIBOOT
+static inline int xsm_multiboot_init (unsigned long *module_map,
+                                      const multiboot_info_t *mbi)
+{
+    return 0;
+}
+#endif
+
+#ifdef CONFIG_HAS_DEVICE_TREE
+static inline int xsm_dt_init(void)
+{
+    return 0;
+}
+
+static inline bool has_xsm_magic(paddr_t start)
+{
+    return false;
+}
+#endif /* CONFIG_HAS_DEVICE_TREE */
+
+#endif /* CONFIG_XSM */
+
+#endif /* __XSM_CORE_H */
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index a39b5dc42f..f86cea4f88 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -20,184 +20,12 @@
 #endif
 #include <xen/sched.h>
 #include <xen/multiboot.h>
-
-typedef void xsm_op_t;
-DEFINE_XEN_GUEST_HANDLE(xsm_op_t);
-
-/* policy magic number (defined by XSM_MAGIC) */
-typedef u32 xsm_magic_t;
-
-#ifdef CONFIG_XSM_FLASK
-#define XSM_MAGIC 0xf97cff8c
-#else
-#define XSM_MAGIC 0x0
-#endif
-
-/* These annotations are used by callers and in dummy.h to document the
- * default actions of XSM hooks. They should be compiled out otherwise.
- */
-enum xsm_default {
-    XSM_HOOK,     /* Guests can normally access the hypercall */
-    XSM_DM_PRIV,  /* Device model can perform on its target domain */
-    XSM_TARGET,   /* Can perform on self or your target domain */
-    XSM_PRIV,     /* Privileged - normally restricted to dom0 */
-    XSM_XS_PRIV,  /* Xenstore domain - can do some privileged operations */
-    XSM_OTHER     /* Something more complex */
-};
-typedef enum xsm_default xsm_default_t;
-
-struct xsm_operations {
-    void (*security_domaininfo) (struct domain *d,
-                                        struct xen_domctl_getdomaininfo *info);
-    int (*domain_create) (struct domain *d, u32 ssidref);
-    int (*getdomaininfo) (struct domain *d);
-    int (*domctl_scheduler_op) (struct domain *d, int op);
-    int (*sysctl_scheduler_op) (int op);
-    int (*set_target) (struct domain *d, struct domain *e);
-    int (*domctl) (struct domain *d, int cmd);
-    int (*sysctl) (int cmd);
-    int (*readconsole) (uint32_t clear);
-
-    int (*evtchn_unbound) (struct domain *d, struct evtchn *chn, domid_t id2);
-    int (*evtchn_interdomain) (struct domain *d1, struct evtchn *chn1,
-                                        struct domain *d2, struct evtchn *chn2);
-    void (*evtchn_close_post) (struct evtchn *chn);
-    int (*evtchn_send) (struct domain *d, struct evtchn *chn);
-    int (*evtchn_status) (struct domain *d, struct evtchn *chn);
-    int (*evtchn_reset) (struct domain *d1, struct domain *d2);
-
-    int (*grant_mapref) (struct domain *d1, struct domain *d2, uint32_t flags);
-    int (*grant_unmapref) (struct domain *d1, struct domain *d2);
-    int (*grant_setup) (struct domain *d1, struct domain *d2);
-    int (*grant_transfer) (struct domain *d1, struct domain *d2);
-    int (*grant_copy) (struct domain *d1, struct domain *d2);
-    int (*grant_query_size) (struct domain *d1, struct domain *d2);
-
-    int (*alloc_security_domain) (struct domain *d);
-    void (*free_security_domain) (struct domain *d);
-    int (*alloc_security_evtchns) (struct evtchn chn[], unsigned int nr);
-    void (*free_security_evtchns) (struct evtchn chn[], unsigned int nr);
-    char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
-    int (*init_hardware_domain) (struct domain *d);
-
-    int (*get_pod_target) (struct domain *d);
-    int (*set_pod_target) (struct domain *d);
-    int (*memory_exchange) (struct domain *d);
-    int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
-    int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
-    int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
-    int (*add_to_physmap) (struct domain *d1, struct domain *d2);
-    int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
-    int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
-    int (*claim_pages) (struct domain *d);
-
-    int (*console_io) (struct domain *d, int cmd);
-
-    int (*profile) (struct domain *d, int op);
-
-    int (*kexec) (void);
-    int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
-
-    char *(*show_irq_sid) (int irq);
-    int (*map_domain_pirq) (struct domain *d);
-    int (*map_domain_irq) (struct domain *d, int irq, const void *data);
-    int (*unmap_domain_pirq) (struct domain *d);
-    int (*unmap_domain_irq) (struct domain *d, int irq, const void *data);
-    int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
-    int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
-    int (*irq_permission) (struct domain *d, int pirq, uint8_t allow);
-    int (*iomem_permission) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
-    int (*iomem_mapping) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
-    int (*pci_config_permission) (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access);
-
-#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-    int (*get_device_group) (uint32_t machine_bdf);
-    int (*assign_device) (struct domain *d, uint32_t machine_bdf);
-    int (*deassign_device) (struct domain *d, uint32_t machine_bdf);
-#endif
-
-#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-    int (*assign_dtdevice) (struct domain *d, const char *dtpath);
-    int (*deassign_dtdevice) (struct domain *d, const char *dtpath);
-#endif
-
-    int (*resource_plug_core) (void);
-    int (*resource_unplug_core) (void);
-    int (*resource_plug_pci) (uint32_t machine_bdf);
-    int (*resource_unplug_pci) (uint32_t machine_bdf);
-    int (*resource_setup_pci) (uint32_t machine_bdf);
-    int (*resource_setup_gsi) (int gsi);
-    int (*resource_setup_misc) (void);
-
-    int (*page_offline)(uint32_t cmd);
-    int (*hypfs_op)(void);
-
-    long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
-#ifdef CONFIG_COMPAT
-    int (*do_compat_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
-#endif
-
-    int (*hvm_param) (struct domain *d, unsigned long op);
-    int (*hvm_control) (struct domain *d, unsigned long op);
-    int (*hvm_param_altp2mhvm) (struct domain *d);
-    int (*hvm_altp2mhvm_op) (struct domain *d, uint64_t mode, uint32_t op);
-    int (*get_vnumainfo) (struct domain *d);
-
-    int (*vm_event_control) (struct domain *d, int mode, int op);
-
-#ifdef CONFIG_MEM_ACCESS
-    int (*mem_access) (struct domain *d);
-#endif
-
-#ifdef CONFIG_MEM_PAGING
-    int (*mem_paging) (struct domain *d);
-#endif
-
-#ifdef CONFIG_MEM_SHARING
-    int (*mem_sharing) (struct domain *d);
-#endif
-
-    int (*platform_op) (uint32_t cmd);
-
-#ifdef CONFIG_X86
-    int (*do_mca) (void);
-    int (*shadow_control) (struct domain *d, uint32_t op);
-    int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
-    int (*apic) (struct domain *d, int cmd);
-    int (*memtype) (uint32_t access);
-    int (*machine_memory_map) (void);
-    int (*domain_memory_map) (struct domain *d);
-#define XSM_MMU_UPDATE_READ      1
-#define XSM_MMU_UPDATE_WRITE     2
-#define XSM_MMU_NORMAL_UPDATE    4
-#define XSM_MMU_MACHPHYS_UPDATE  8
-    int (*mmu_update) (struct domain *d, struct domain *t,
-                       struct domain *f, uint32_t flags);
-    int (*mmuext_op) (struct domain *d, struct domain *f);
-    int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte);
-    int (*priv_mapping) (struct domain *d, struct domain *t);
-    int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
-    int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
-    int (*pmu_op) (struct domain *d, unsigned int op);
-#endif
-    int (*dm_op) (struct domain *d);
-    int (*xen_version) (uint32_t cmd);
-    int (*domain_resource_map) (struct domain *d);
-#ifdef CONFIG_ARGO
-    int (*argo_enable) (const struct domain *d);
-    int (*argo_register_single_source) (const struct domain *d,
-                                        const struct domain *t);
-    int (*argo_register_any_source) (const struct domain *d);
-    int (*argo_send) (const struct domain *d, const struct domain *t);
-#endif
-};
+#include <xsm/xsm-core.h>
 
 #ifdef CONFIG_XSM
 
 extern struct xsm_operations xsm_ops;
 
-#ifndef XSM_NO_WRAPPERS
-
 static inline void xsm_security_domaininfo (struct domain *d,
                                         struct xen_domctl_getdomaininfo *info)
 {
@@ -728,77 +556,10 @@ static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 
 #endif /* CONFIG_ARGO */
 
-#endif /* XSM_NO_WRAPPERS */
-
-#ifdef CONFIG_MULTIBOOT
-extern int xsm_multiboot_init(unsigned long *module_map,
-                              const multiboot_info_t *mbi);
-extern int xsm_multiboot_policy_init(unsigned long *module_map,
-                                     const multiboot_info_t *mbi,
-                                     void **policy_buffer,
-                                     size_t *policy_size);
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-/*
- * Initialize XSM
- *
- * On success, return 1 if using SILO mode else 0.
- */
-extern int xsm_dt_init(void);
-extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
-extern bool has_xsm_magic(paddr_t);
-#endif
-
-extern void xsm_fixup_ops(struct xsm_operations *ops);
-
-#ifdef CONFIG_XSM_FLASK
-extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
-#else
-static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
-{
-    return NULL;
-}
-#endif
-
-#ifdef CONFIG_XSM_FLASK_POLICY
-extern const unsigned char xsm_flask_init_policy[];
-extern const unsigned int xsm_flask_init_policy_size;
-#endif
-
-#ifdef CONFIG_XSM_SILO
-extern struct xsm_operations *silo_init(void);
-#else
-static inline struct xsm_operations *silo_init(void)
-{
-    return NULL;
-}
-#endif
-
 #else /* CONFIG_XSM */
 
 #include <xsm/dummy.h>
 
-#ifdef CONFIG_MULTIBOOT
-static inline int xsm_multiboot_init (unsigned long *module_map,
-                                      const multiboot_info_t *mbi)
-{
-    return 0;
-}
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-static inline int xsm_dt_init(void)
-{
-    return 0;
-}
-
-static inline bool has_xsm_magic(paddr_t start)
-{
-    return false;
-}
-#endif /* CONFIG_HAS_DEVICE_TREE */
-
 #endif /* CONFIG_XSM */
 
 #endif /* __XSM_H */
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 066694763a..de4d6cf2cf 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -10,7 +10,6 @@
  *  as published by the Free Software Foundation.
  */
 
-#define XSM_NO_WRAPPERS
 #include <xsm/dummy.h>
 
 #define set_to_dummy_if_null(ops, function)                            \
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index 808350f122..754787e895 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,7 +17,6 @@
  * You should have received a copy of the GNU General Public License along with
  * this program; If not, see <http://www.gnu.org/licenses/>.
  */
-#define XSM_NO_WRAPPERS
 #include <xsm/dummy.h>
 
 /*
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 06/10] xsm: enable xsm to always be included
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (4 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 05/10] xsm: decouple xsm header inclusion selection Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-19 10:24   ` Jan Beulich
  2021-07-12 20:32 ` [PATCH v2 07/10] xsm: drop generic event channel labeling Daniel P. Smith
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel
  Cc: Daniel P. Smith, Andrew Cooper, George Dunlap, Ian Jackson,
	Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu,
	Daniel De Graaf

The only difference between !CONFIG_XSM and CONFIG_XSM when SILO and FLASK are
not enabled is whether the XSM hooks in dummy.h are called as static inline
functions or as function pointers to static functions. As such this commit,

 * eliminates CONFIG_XSM
 * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event
   channel labels
 * makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/common/Kconfig            |  51 ++++----
 xen/include/xen/sched.h       |   2 +-
 xen/include/xsm/xsm-core.h    |  26 ----
 xen/include/xsm/xsm.h         |   8 --
 xen/xsm/Makefile              |   4 +-
 xen/xsm/dummy.c               |   4 +-
 xen/{include => }/xsm/dummy.h | 220 ++++++++++++++++------------------
 xen/xsm/silo.c                |  17 +--
 xen/xsm/xsm_core.c            |   4 -
 9 files changed, 141 insertions(+), 195 deletions(-)
 rename xen/{include => }/xsm/dummy.h (63%)

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 1594ce4e73..3b50391392 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -200,23 +200,20 @@ config XENOPROF
 
 	  If unsure, say Y.
 
-config XSM
-	bool "Xen Security Modules support"
-	default ARM
-	---help---
-	  Enables the security framework known as Xen Security Modules which
-	  allows administrators fine-grained control over a Xen domain and
-	  its capabilities by defining permissible interactions between domains,
-	  the hypervisor itself, and related resources such as memory and
-	  devices.
+menu "Xen Security Modules"
 
-	  If unsure, say N.
+config XSM_EVTCHN_LABELING
+	bool "Enables security labeling of event channels"
+	default n
+	help
+	  This enables an XSM module to label and enforce access control over
+	  event channels.
 
 config XSM_FLASK
-	def_bool y
-	prompt "FLux Advanced Security Kernel support"
-	depends on XSM
-	---help---
+	bool "FLux Advanced Security Kernel support"
+	default n
+	select XSM_EVTCHN_LABELING
+	help
 	  Enables FLASK (FLux Advanced Security Kernel) as the access control
 	  mechanism used by the XSM framework.  This provides a mandatory access
 	  control framework by which security enforcement, isolation, and
@@ -226,10 +223,10 @@ config XSM_FLASK
 	  If unsure, say Y.
 
 config XSM_FLASK_AVC_STATS
-	def_bool y
-	prompt "Maintain statistics on the FLASK access vector cache" if EXPERT
+	bool "Maintain statistics on the FLASK access vector cache" if EXPERT
+	default y
 	depends on XSM_FLASK
-	---help---
+	help
 	  Maintain counters on the access vector cache that can be viewed using
 	  the FLASK_AVC_CACHESTATS sub-op of the xsm_op hypercall.  Disabling
 	  this will save a tiny amount of memory and time to update the stats.
@@ -240,7 +237,7 @@ config XSM_FLASK_POLICY
 	bool "Compile Xen with a built-in FLASK security policy"
 	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
 	depends on XSM_FLASK
-	---help---
+	help
 	  This includes a default XSM policy in the hypervisor so that the
 	  bootloader does not need to load a policy to get sane behavior from an
 	  XSM-enabled hypervisor.  If this is disabled, a policy must be
@@ -253,10 +250,10 @@ config XSM_FLASK_POLICY
 	  If unsure, say Y.
 
 config XSM_SILO
-	def_bool y
-	prompt "SILO support"
-	depends on XSM
-	---help---
+	bool "SILO support"
+	default y if ARM
+	default n
+	help
 	  Enables SILO as the access control mechanism used by the XSM framework.
 	  This is not the default module, add boot parameter xsm=silo to choose
 	  it. This will deny any unmediated communication channels (grant tables
@@ -265,24 +262,26 @@ config XSM_SILO
 	  If unsure, say Y.
 
 choice
-	prompt "Default XSM implementation"
-	depends on XSM
+	prompt "Default XSM module"
 	default XSM_SILO_DEFAULT if XSM_SILO && ARM
 	default XSM_FLASK_DEFAULT if XSM_FLASK
 	default XSM_SILO_DEFAULT if XSM_SILO
 	default XSM_DUMMY_DEFAULT
 	config XSM_DUMMY_DEFAULT
-		bool "Match non-XSM behavior"
+		bool "Classic Dom0 behavior"
 	config XSM_FLASK_DEFAULT
 		bool "FLux Advanced Security Kernel" if XSM_FLASK
 	config XSM_SILO_DEFAULT
 		bool "SILO" if XSM_SILO
+
 endchoice
 
+endmenu
+
 config LATE_HWDOM
 	bool "Dedicated hardware domain"
 	default n
-	depends on XSM && X86
+	depends on XSM_FLASK && X86
 	---help---
 	  Allows the creation of a dedicated hardware domain distinct from
 	  domain 0 that manages devices without needing access to other
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 28146ee404..aecf0b8424 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -120,7 +120,7 @@ struct evtchn
     unsigned short notify_vcpu_id; /* VCPU for local delivery notification */
     uint32_t fifo_lastq;           /* Data for identifying last queue. */
 
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_EVTCHN_LABELING
     union {
 #ifdef XSM_NEED_GENERIC_EVTCHN_SSID
         /*
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
index 4f5e7a7d17..e2eed30e90 100644
--- a/xen/include/xsm/xsm-core.h
+++ b/xen/include/xsm/xsm-core.h
@@ -191,8 +191,6 @@ struct xsm_operations {
 
 extern void xsm_fixup_ops(struct xsm_operations *ops);
 
-#ifdef CONFIG_XSM
-
 #ifdef CONFIG_MULTIBOOT
 extern int xsm_multiboot_init(unsigned long *module_map,
                               const multiboot_info_t *mbi);
@@ -236,28 +234,4 @@ static inline struct xsm_operations *silo_init(void)
 }
 #endif
 
-#else /* CONFIG_XSM */
-
-#ifdef CONFIG_MULTIBOOT
-static inline int xsm_multiboot_init (unsigned long *module_map,
-                                      const multiboot_info_t *mbi)
-{
-    return 0;
-}
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-static inline int xsm_dt_init(void)
-{
-    return 0;
-}
-
-static inline bool has_xsm_magic(paddr_t start)
-{
-    return false;
-}
-#endif /* CONFIG_HAS_DEVICE_TREE */
-
-#endif /* CONFIG_XSM */
-
 #endif /* __XSM_CORE_H */
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index f86cea4f88..170eae9b25 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -22,8 +22,6 @@
 #include <xen/multiboot.h>
 #include <xsm/xsm-core.h>
 
-#ifdef CONFIG_XSM
-
 extern struct xsm_operations xsm_ops;
 
 static inline void xsm_security_domaininfo (struct domain *d,
@@ -556,10 +554,4 @@ static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
 
 #endif /* CONFIG_ARGO */
 
-#else /* CONFIG_XSM */
-
-#include <xsm/dummy.h>
-
-#endif /* CONFIG_XSM */
-
 #endif /* __XSM_H */
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index cf0a728f1c..0059794dd5 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,6 +1,6 @@
 obj-y += xsm_core.o
-obj-$(CONFIG_XSM) += xsm_policy.o
-obj-$(CONFIG_XSM) += dummy.o
+obj-y += xsm_policy.o
+obj-y += dummy.o
 obj-$(CONFIG_XSM_SILO) += silo.o
 
 obj-$(CONFIG_XSM_FLASK) += flask/
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index de4d6cf2cf..bfd8b96f08 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -10,12 +10,12 @@
  *  as published by the Free Software Foundation.
  */
 
-#include <xsm/dummy.h>
+#include "dummy.h"
 
 #define set_to_dummy_if_null(ops, function)                            \
     do {                                                               \
         if ( !ops->function )                                          \
-            ops->function = xsm_##function;                            \
+            ops->function = dummy_##function;                          \
     } while (0)
 
 void __init xsm_fixup_ops (struct xsm_operations *ops)
diff --git a/xen/include/xsm/dummy.h b/xen/xsm/dummy.h
similarity index 63%
rename from xen/include/xsm/dummy.h
rename to xen/xsm/dummy.h
index c445c5681b..a3e698c3b5 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -42,12 +42,10 @@ static inline void __xsm_action_mismatch_detected(void)
 void __xsm_action_mismatch_detected(void);
 #endif
 
-#ifdef CONFIG_XSM
-
-/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and
- * contains static (not inline) functions compiled to the dummy XSM module.
- * There is no xsm_default_t argument available, so the value from the assertion
- * is used to initialize the variable.
+/* This header file is included from xsm/dummy.c, and contains static (not
+ * inline) functions compiled to the dummy XSM module.  There is no
+ * xsm_default_t argument available, so the value from the assertion is used to
+ * initialize the variable.
  */
 #define XSM_INLINE __maybe_unused
 
@@ -55,20 +53,6 @@ void __xsm_action_mismatch_detected(void);
 #define XSM_DEFAULT_VOID void
 #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
 
-#else /* CONFIG_XSM */
-
-/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and
- * contains inline functions for each XSM hook. These functions also perform
- * compile-time checks on the xsm_default_t argument to ensure that the behavior
- * of the dummy XSM module is the same as the behavior with XSM disabled.
- */
-#define XSM_INLINE always_inline
-#define XSM_DEFAULT_ARG xsm_default_t action,
-#define XSM_DEFAULT_VOID xsm_default_t action
-#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action)
-
-#endif /* CONFIG_XSM */
-
 static always_inline int xsm_default_action(
     xsm_default_t action, struct domain *src, struct domain *target)
 {
@@ -98,43 +82,43 @@ static always_inline int xsm_default_action(
     }
 }
 
-static XSM_INLINE void xsm_security_domaininfo(struct domain *d,
+static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
                                     struct xen_domctl_getdomaininfo *info)
 {
     return;
 }
 
-static XSM_INLINE int xsm_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
+static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
+static XSM_INLINE int dummy_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
+static XSM_INLINE int dummy_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( cmd )
@@ -151,85 +135,85 @@ static XSM_INLINE int xsm_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
     }
 }
 
-static XSM_INLINE int xsm_sysctl(XSM_DEFAULT_ARG int cmd)
+static XSM_INLINE int dummy_sysctl(XSM_DEFAULT_ARG int cmd)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_readconsole(XSM_DEFAULT_ARG uint32_t clear)
+static XSM_INLINE int dummy_readconsole(XSM_DEFAULT_ARG uint32_t clear)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_alloc_security_domain(struct domain *d)
+static XSM_INLINE int dummy_alloc_security_domain(struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE void xsm_free_security_domain(struct domain *d)
+static XSM_INLINE void dummy_free_security_domain(struct domain *d)
 {
     return;
 }
 
-static XSM_INLINE int xsm_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
+static XSM_INLINE int dummy_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
                                                                 uint32_t flags)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
+static XSM_INLINE int dummy_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
                                                             struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     if ( d->is_console )
@@ -241,129 +225,129 @@ static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
     return xsm_default_action(XSM_PRIV, d, NULL);
 }
 
-static XSM_INLINE int xsm_profile(XSM_DEFAULT_ARG struct domain *d, int op)
+static XSM_INLINE int dummy_profile(XSM_DEFAULT_ARG struct domain *d, int op)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int xsm_kexec(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_kexec(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
+static XSM_INLINE int dummy_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
                                           struct page_info *page)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_claim_pages(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
+static XSM_INLINE int dummy_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
                                          domid_t id2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
+static XSM_INLINE int dummy_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
                                 *chan1, struct domain *d2, struct evtchn *chan2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE void xsm_evtchn_close_post(struct evtchn *chn)
+static XSM_INLINE void dummy_evtchn_close_post(struct evtchn *chn)
 {
     return;
 }
 
-static XSM_INLINE int xsm_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static XSM_INLINE int dummy_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int xsm_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static XSM_INLINE int dummy_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_alloc_security_evtchns(
+static XSM_INLINE int dummy_alloc_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
     return 0;
 }
 
-static XSM_INLINE void xsm_free_security_evtchns(
+static XSM_INLINE void dummy_free_security_evtchns(
     struct evtchn chn[], unsigned int nr)
 {
     return;
 }
 
-static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct evtchn *chn)
+static XSM_INLINE char *dummy_show_security_evtchn(struct domain *d, const struct evtchn *chn)
 {
     return NULL;
 }
 
-static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static XSM_INLINE int xsm_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static XSM_INLINE int dummy_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
@@ -372,14 +356,14 @@ static XSM_INLINE int xsm_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint
 #endif /* HAS_PASSTHROUGH && HAS_PCI */
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static XSM_INLINE int xsm_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
                                           const char *dtpath)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
                                             const char *dtpath)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
@@ -388,134 +372,134 @@ static XSM_INLINE int xsm_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
-static XSM_INLINE int xsm_resource_plug_core(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_plug_core(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_unplug_core(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
+static XSM_INLINE int dummy_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_resource_setup_misc(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
+static XSM_INLINE int dummy_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_hypfs_op(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_hypfs_op(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE long xsm_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static XSM_INLINE long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return -ENOSYS;
 }
 
 #ifdef CONFIG_COMPAT
-static XSM_INLINE int xsm_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static XSM_INLINE int dummy_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return -ENOSYS;
 }
 #endif
 
-static XSM_INLINE char *xsm_show_irq_sid(int irq)
+static XSM_INLINE char *dummy_show_irq_sid(int irq)
 {
     return NULL;
 }
 
-static XSM_INLINE int xsm_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
                                          int irq, const void *data)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static XSM_INLINE int dummy_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static XSM_INLINE int dummy_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
                                            int irq, const void *data)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
+static XSM_INLINE int dummy_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static XSM_INLINE int dummy_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static XSM_INLINE int dummy_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
+static XSM_INLINE int dummy_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
                                         uint16_t start, uint16_t end,
                                         uint8_t access)
 {
@@ -523,43 +507,43 @@ static XSM_INLINE int xsm_pci_config_permission(XSM_DEFAULT_ARG struct domain *d
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static XSM_INLINE int dummy_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, t);
 }
 
-static XSM_INLINE int xsm_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static XSM_INLINE int dummy_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static XSM_INLINE int dummy_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
+static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
 
@@ -578,14 +562,14 @@ static XSM_INLINE int xsm_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uin
     }
 }
 
-static XSM_INLINE int xsm_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
+static XSM_INLINE int dummy_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
 #ifdef CONFIG_MEM_ACCESS
-static XSM_INLINE int xsm_mem_access(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
@@ -593,7 +577,7 @@ static XSM_INLINE int xsm_mem_access(XSM_DEFAULT_ARG struct domain *d)
 #endif
 
 #ifdef CONFIG_MEM_PAGING
-static XSM_INLINE int xsm_mem_paging(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
@@ -601,57 +585,57 @@ static XSM_INLINE int xsm_mem_paging(XSM_DEFAULT_ARG struct domain *d)
 #endif
 
 #ifdef CONFIG_MEM_SHARING
-static XSM_INLINE int xsm_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 #endif
 
-static XSM_INLINE int xsm_platform_op(XSM_DEFAULT_ARG uint32_t op)
+static XSM_INLINE int dummy_platform_op(XSM_DEFAULT_ARG uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
 #ifdef CONFIG_X86
-static XSM_INLINE int xsm_do_mca(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_do_mca(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
+static XSM_INLINE int dummy_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
+static XSM_INLINE int dummy_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, cd);
 }
 
-static XSM_INLINE int xsm_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int xsm_machine_memory_map(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_machine_memory_map(XSM_DEFAULT_VOID)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
+static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
                                      struct domain *f, uint32_t flags)
 {
     int rc = 0;
@@ -663,38 +647,38 @@ static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct do
     return rc;
 }
 
-static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
+static XSM_INLINE int dummy_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, f);
 }
 
-static XSM_INLINE int xsm_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f, 
+static XSM_INLINE int dummy_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f,
                                                             l1_pgentry_t pte)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, f);
 }
 
-static XSM_INLINE int xsm_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static XSM_INLINE int dummy_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, t);
 }
 
-static XSM_INLINE int xsm_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static XSM_INLINE int dummy_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static XSM_INLINE int dummy_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int xsm_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
+static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
@@ -711,30 +695,30 @@ static XSM_INLINE int xsm_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int
 
 #endif /* CONFIG_X86 */
 
-static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_dm_op(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
 #ifdef CONFIG_ARGO
-static XSM_INLINE int xsm_argo_enable(const struct domain *d)
+static XSM_INLINE int dummy_argo_enable(const struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE int xsm_argo_register_single_source(const struct domain *d,
+static XSM_INLINE int dummy_argo_register_single_source(const struct domain *d,
                                                       const struct domain *t)
 {
     return 0;
 }
 
-static XSM_INLINE int xsm_argo_register_any_source(const struct domain *d)
+static XSM_INLINE int dummy_argo_register_any_source(const struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE int xsm_argo_send(const struct domain *d,
+static XSM_INLINE int dummy_argo_send(const struct domain *d,
                                     const struct domain *t)
 {
     return 0;
@@ -743,7 +727,7 @@ static XSM_INLINE int xsm_argo_send(const struct domain *d,
 #endif /* CONFIG_ARGO */
 
 #include <public/version.h>
-static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op)
+static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
@@ -767,7 +751,7 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op)
     }
 }
 
-static XSM_INLINE int xsm_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index 754787e895..78dc429df7 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,7 +17,8 @@
  * You should have received a copy of the GNU General Public License along with
  * this program; If not, see <http://www.gnu.org/licenses/>.
  */
-#include <xsm/dummy.h>
+#include <xsm/xsm-core.h>
+#include "dummy.h"
 
 /*
  * Check if inter-domain communication is allowed.
@@ -43,7 +44,7 @@ static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
     else
     {
         if ( silo_mode_dom_check(d1, d2) )
-            rc = xsm_evtchn_unbound(d1, chn, id2);
+            rc = dummy_evtchn_unbound(d1, chn, id2);
         rcu_unlock_domain(d2);
     }
 
@@ -54,7 +55,7 @@ static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
                                    struct domain *d2, struct evtchn *chan2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_evtchn_interdomain(d1, chan1, d2, chan2);
+        return dummy_evtchn_interdomain(d1, chan1, d2, chan2);
     return -EPERM;
 }
 
@@ -62,21 +63,21 @@ static int silo_grant_mapref(struct domain *d1, struct domain *d2,
                              uint32_t flags)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_mapref(d1, d2, flags);
+        return dummy_grant_mapref(d1, d2, flags);
     return -EPERM;
 }
 
 static int silo_grant_transfer(struct domain *d1, struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_transfer(d1, d2);
+        return dummy_grant_transfer(d1, d2);
     return -EPERM;
 }
 
 static int silo_grant_copy(struct domain *d1, struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_copy(d1, d2);
+        return dummy_grant_copy(d1, d2);
     return -EPERM;
 }
 
@@ -86,14 +87,14 @@ static int silo_argo_register_single_source(const struct domain *d1,
                                             const struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_argo_register_single_source(d1, d2);
+        return dummy_argo_register_single_source(d1, d2);
     return -EPERM;
 }
 
 static int silo_argo_send(const struct domain *d1, const struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_argo_send(d1, d2);
+        return dummy_argo_send(d1, d2);
     return -EPERM;
 }
 
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 7265f742e9..1654648961 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -18,8 +18,6 @@
 #include <xen/hypercall.h>
 #include <xsm/xsm.h>
 
-#ifdef CONFIG_XSM
-
 #ifdef CONFIG_MULTIBOOT
 #include <asm/setup.h>
 #endif
@@ -217,8 +215,6 @@ bool __init has_xsm_magic(paddr_t start)
 }
 #endif
 
-#endif
-
 long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return xsm_do_xsm_op(op);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 07/10] xsm: drop generic event channel labeling
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (5 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 06/10] xsm: enable xsm to always be included Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:52   ` Andrew Cooper
  2021-07-16  7:03   ` Jan Beulich
  2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
                   ` (3 subsequent siblings)
  10 siblings, 2 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel
  Cc: Daniel P. Smith, Andrew Cooper, George Dunlap, Ian Jackson,
	Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu

The generic event channel labeling has not been used by any XSM module since
its introduction. This commit removes the capability leaving FLASK labeling
field always present. In the future if a new XSM module needs to have its own
channel label, this or a new form can be introduced.
---
 xen/common/Kconfig      | 8 --------
 xen/include/xen/sched.h | 9 ---------
 2 files changed, 17 deletions(-)

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 3b50391392..d03a991183 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -202,17 +202,9 @@ config XENOPROF
 
 menu "Xen Security Modules"
 
-config XSM_EVTCHN_LABELING
-	bool "Enables security labeling of event channels"
-	default n
-	help
-	  This enables an XSM module to label and enforce access control over
-	  event channels.
-
 config XSM_FLASK
 	bool "FLux Advanced Security Kernel support"
 	default n
-	select XSM_EVTCHN_LABELING
 	help
 	  Enables FLASK (FLux Advanced Security Kernel) as the access control
 	  mechanism used by the XSM framework.  This provides a mandatory access
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index aecf0b8424..ef6ba6d791 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -120,15 +120,7 @@ struct evtchn
     unsigned short notify_vcpu_id; /* VCPU for local delivery notification */
     uint32_t fifo_lastq;           /* Data for identifying last queue. */
 
-#ifdef CONFIG_XSM_EVTCHN_LABELING
     union {
-#ifdef XSM_NEED_GENERIC_EVTCHN_SSID
-        /*
-         * If an XSM module needs more space for its event channel context,
-         * this pointer stores the necessary data for the security server.
-         */
-        void *generic;
-#endif
 #ifdef CONFIG_XSM_FLASK
         /*
          * Inlining the contents of the structure for FLASK avoids unneeded
@@ -138,7 +130,6 @@ struct evtchn
         uint32_t flask_sid;
 #endif
     } ssid;
-#endif
 } __attribute__((aligned(64)));
 
 int  evtchn_init(struct domain *d, unsigned int max_port);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (6 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 07/10] xsm: drop generic event channel labeling Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-16  7:23   ` Jan Beulich
                     ` (2 more replies)
  2021-07-12 20:32 ` [PATCH v2 09/10] xsm: expand the function related macros in dummy.h Daniel P. Smith
                   ` (2 subsequent siblings)
  10 siblings, 3 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: Volodymyr Babchuk, Wei Liu, George Dunlap, Tim Deegan,
	Alexandru Isaila, Petre Pircalabu, xen-devel
  Cc: Daniel P. Smith, Stefano Stabellini, Julien Grall, Andrew Cooper,
	Ian Jackson, Jan Beulich, Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf

The passing of an xsm_default_t at each of the xsm hook call sites
served different functions depending on whether XSM was enabled or not.
When XSM was not enabled it attempted to function as a link-time check
that declared default action at the call site matched the default
declared action for that hook in the dummy policy. When XSM was enabled,
it would just drop the  parameter.

The removal of these values is two fold. They are a redundancy that
provides little context, especially when the value is XSM_OTHER.  A more
appropriate approach is that the hook functions in the dummy policy
should provide reasoning of the default value when it is not clear. Next
is that with the change to make XSM always enabled is the case where the
parameter is completely ignored. Thus it is logical to remove them from
the hook call sites.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/arch/arm/dm.c                     |   2 +-
 xen/arch/arm/domctl.c                 |   6 +-
 xen/arch/arm/hvm.c                    |   2 +-
 xen/arch/arm/mm.c                     |   2 +-
 xen/arch/arm/platform_hypercall.c     |   2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |   2 +-
 xen/arch/x86/cpu/vpmu.c               |   2 +-
 xen/arch/x86/domctl.c                 |   8 +-
 xen/arch/x86/hvm/dm.c                 |   2 +-
 xen/arch/x86/hvm/hvm.c                |  12 +-
 xen/arch/x86/irq.c                    |   5 +-
 xen/arch/x86/mm.c                     |  20 +--
 xen/arch/x86/mm/mem_paging.c          |   2 +-
 xen/arch/x86/mm/mem_sharing.c         |   9 +-
 xen/arch/x86/mm/p2m.c                 |   2 +-
 xen/arch/x86/mm/paging.c              |   4 +-
 xen/arch/x86/mm/shadow/set.c          |   2 +-
 xen/arch/x86/msi.c                    |   3 +-
 xen/arch/x86/pci.c                    |   2 +-
 xen/arch/x86/physdev.c                |  17 ++-
 xen/arch/x86/platform_hypercall.c     |  10 +-
 xen/arch/x86/pv/emul-priv-op.c        |   2 +-
 xen/arch/x86/sysctl.c                 |   4 +-
 xen/common/domain.c                   |   4 +-
 xen/common/domctl.c                   |  12 +-
 xen/common/event_channel.c            |  12 +-
 xen/common/grant_table.c              |  16 +--
 xen/common/hypfs.c                    |   2 +-
 xen/common/kernel.c                   |   2 +-
 xen/common/kexec.c                    |   2 +-
 xen/common/mem_access.c               |   2 +-
 xen/common/memory.c                   |  16 +--
 xen/common/monitor.c                  |   2 +-
 xen/common/sched/core.c               |   6 +-
 xen/common/sysctl.c                   |   8 +-
 xen/common/vm_event.c                 |   2 +-
 xen/common/xenoprof.c                 |   2 +-
 xen/drivers/char/console.c            |   2 +-
 xen/drivers/passthrough/device_tree.c |   4 +-
 xen/drivers/passthrough/pci.c         |  12 +-
 xen/include/xsm/xsm.h                 | 172 +++++++++++++-------------
 41 files changed, 197 insertions(+), 203 deletions(-)

diff --git a/xen/arch/arm/dm.c b/xen/arch/arm/dm.c
index 1b3fd6bc7d..c8b89c8f47 100644
--- a/xen/arch/arm/dm.c
+++ b/xen/arch/arm/dm.c
@@ -45,7 +45,7 @@ int dm_op(const struct dmop_args *op_args)
     if ( rc )
         return rc;
 
-    rc = xsm_dm_op(XSM_DM_PRIV, d);
+    rc = xsm_dm_op(d);
     if ( rc )
         goto out;
 
diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c
index b7d27f37df..e7202703ee 100644
--- a/xen/arch/arm/domctl.c
+++ b/xen/arch/arm/domctl.c
@@ -95,11 +95,11 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d,
          * done by the 2 hypercalls for consistency with other
          * architectures.
          */
-        rc = xsm_map_domain_irq(XSM_HOOK, d, irq, NULL);
+        rc = xsm_map_domain_irq(d, irq, NULL);
         if ( rc )
             return rc;
 
-        rc = xsm_bind_pt_irq(XSM_HOOK, d, bind);
+        rc = xsm_bind_pt_irq(d, bind);
         if ( rc )
             return rc;
 
@@ -130,7 +130,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d,
         if ( irq != virq )
             return -EINVAL;
 
-        rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind);
+        rc = xsm_unbind_pt_irq(d, bind);
         if ( rc )
             return rc;
 
diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
index 8951b34086..cf4bd9ae09 100644
--- a/xen/arch/arm/hvm.c
+++ b/xen/arch/arm/hvm.c
@@ -101,7 +101,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             return -ESRCH;
 
-        rc = xsm_hvm_param(XSM_TARGET, d, op);
+        rc = xsm_hvm_param(d, op);
         if ( rc )
             goto param_fail;
 
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 0e07335291..a256c89b62 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1446,7 +1446,7 @@ int xenmem_add_to_physmap_one(
             return -EINVAL;
         }
 
-        rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od);
+        rc = xsm_map_gmfn_foreign(d, od);
         if ( rc )
         {
             put_pg_owner(od);
diff --git a/xen/arch/arm/platform_hypercall.c b/xen/arch/arm/platform_hypercall.c
index 8efac7ee60..52985f8a51 100644
--- a/xen/arch/arm/platform_hypercall.c
+++ b/xen/arch/arm/platform_hypercall.c
@@ -33,7 +33,7 @@ long do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     if ( d == NULL )
         return -ESRCH;
 
-    ret = xsm_platform_op(XSM_PRIV, op->cmd);
+    ret = xsm_platform_op(op->cmd);
     if ( ret )
         return ret;
 
diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c
index 7f433343bc..58beb96663 100644
--- a/xen/arch/x86/cpu/mcheck/mce.c
+++ b/xen/arch/x86/cpu/mcheck/mce.c
@@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
     struct xen_mc_msrinject *mc_msrinject;
     struct xen_mc_mceinject *mc_mceinject;
 
-    ret = xsm_do_mca(XSM_PRIV);
+    ret = xsm_do_mca();
     if ( ret )
         return x86_mcerr("", ret);
 
diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
index 16e91a3694..34b536417b 100644
--- a/xen/arch/x86/cpu/vpmu.c
+++ b/xen/arch/x86/cpu/vpmu.c
@@ -706,7 +706,7 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
     if ( !opt_vpmu_enabled || has_vlapic(current->domain) )
         return -EOPNOTSUPP;
 
-    ret = xsm_pmu_op(XSM_OTHER, current->domain, op);
+    ret = xsm_pmu_op(current->domain, op);
     if ( ret )
         return ret;
 
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 26a76d2be9..8343c59e83 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -234,7 +234,7 @@ long arch_do_domctl(
         if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS )
             ret = -EINVAL;
         else if ( !ioports_access_permitted(currd, fp, fp + np - 1) ||
-                  xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
+                  xsm_ioport_permission(d, fp, fp + np - 1, allow) )
             ret = -EPERM;
         else if ( allow )
             ret = ioports_permit_access(d, fp, fp + np - 1);
@@ -534,7 +534,7 @@ long arch_do_domctl(
         if ( !is_hvm_domain(d) )
             break;
 
-        ret = xsm_bind_pt_irq(XSM_HOOK, d, bind);
+        ret = xsm_bind_pt_irq(d, bind);
         if ( ret )
             break;
 
@@ -569,7 +569,7 @@ long arch_do_domctl(
         if ( irq <= 0 || !irq_access_permitted(currd, irq) )
             break;
 
-        ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind);
+        ret = xsm_unbind_pt_irq(d, bind);
         if ( ret )
             break;
 
@@ -616,7 +616,7 @@ long arch_do_domctl(
         if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) )
             break;
 
-        ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add);
+        ret = xsm_ioport_mapping(d, fmp, fmp + np - 1, add);
         if ( ret )
             break;
 
diff --git a/xen/arch/x86/hvm/dm.c b/xen/arch/x86/hvm/dm.c
index b60b9f3364..6f996371b9 100644
--- a/xen/arch/x86/hvm/dm.c
+++ b/xen/arch/x86/hvm/dm.c
@@ -370,7 +370,7 @@ int dm_op(const struct dmop_args *op_args)
     if ( !is_hvm_domain(d) )
         goto out;
 
-    rc = xsm_dm_op(XSM_DM_PRIV, d);
+    rc = xsm_dm_op(d);
     if ( rc )
         goto out;
 
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 5086773e5c..c1b0d6fca8 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4080,7 +4080,7 @@ static int hvm_allow_set_param(struct domain *d,
     uint64_t value;
     int rc;
 
-    rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_set_param);
+    rc = xsm_hvm_param(d, HVMOP_set_param);
     if ( rc )
         return rc;
 
@@ -4227,7 +4227,7 @@ static int hvm_set_param(struct domain *d, uint32_t index, uint64_t value)
         rc = pmtimer_change_ioport(d, value);
         break;
     case HVM_PARAM_ALTP2M:
-        rc = xsm_hvm_param_altp2mhvm(XSM_PRIV, d);
+        rc = xsm_hvm_param_altp2mhvm(d);
         if ( rc )
             break;
         if ( (value > XEN_ALTP2M_limited) ||
@@ -4356,7 +4356,7 @@ static int hvm_allow_get_param(struct domain *d,
 {
     int rc;
 
-    rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_get_param);
+    rc = xsm_hvm_param(d, HVMOP_get_param);
     if ( rc )
         return rc;
 
@@ -4566,7 +4566,7 @@ static int do_altp2m_op(
         goto out;
     }
 
-    if ( (rc = xsm_hvm_altp2mhvm_op(XSM_OTHER, d, mode, a.cmd)) )
+    if ( (rc = xsm_hvm_altp2mhvm_op(d, mode, a.cmd)) )
         goto out;
 
     switch ( a.cmd )
@@ -4947,7 +4947,7 @@ static int hvmop_get_mem_type(
     if ( d == NULL )
         return -ESRCH;
 
-    rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_get_mem_type);
+    rc = xsm_hvm_param(d, HVMOP_get_mem_type);
     if ( rc )
         goto out;
 
@@ -5040,7 +5040,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( unlikely(d != current->domain) )
             rc = -EOPNOTSUPP;
         else if ( is_hvm_domain(d) && paging_mode_shadow(d) )
-            rc = xsm_hvm_param(XSM_TARGET, d, op);
+            rc = xsm_hvm_param(d, op);
         if ( !rc )
             pagetable_dying(a.gpa);
 
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index a1693f92dd..9f79ec1b86 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2122,7 +2122,7 @@ int map_domain_pirq(
         return 0;
     }
 
-    ret = xsm_map_domain_irq(XSM_HOOK, d, irq, data);
+    ret = xsm_map_domain_irq(d, irq, data);
     if ( ret )
     {
         dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d mapping to pirq %d\n",
@@ -2342,8 +2342,7 @@ int unmap_domain_pirq(struct domain *d, int pirq)
         nr = msi_desc->msi.nvec;
     }
 
-    ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq,
-                               msi_desc ? msi_desc->dev : NULL);
+    ret = xsm_unmap_domain_irq(d, irq, msi_desc ? msi_desc->dev : NULL);
     if ( ret )
         goto done;
 
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 4d799032dc..33d0aa8d4b 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -977,7 +977,7 @@ get_page_from_l1e(
          * minor hack can go away.
          */
         if ( (real_pg_owner == NULL) || (pg_owner == l1e_owner) ||
-             xsm_priv_mapping(XSM_TARGET, pg_owner, real_pg_owner) )
+             xsm_priv_mapping(pg_owner, real_pg_owner) )
         {
             gdprintk(XENLOG_WARNING,
                      "pg_owner d%d l1e_owner d%d, but real_pg_owner d%d\n",
@@ -3407,7 +3407,7 @@ long do_mmuext_op(
         return -EINVAL;
     }
 
-    rc = xsm_mmuext_op(XSM_TARGET, currd, pg_owner);
+    rc = xsm_mmuext_op(currd, pg_owner);
     if ( rc )
     {
         put_pg_owner(pg_owner);
@@ -3497,7 +3497,7 @@ long do_mmuext_op(
                 break;
             }
 
-            rc = xsm_memory_pin_page(XSM_HOOK, currd, pg_owner, page);
+            rc = xsm_memory_pin_page(currd, pg_owner, page);
             if ( !rc && unlikely(test_and_set_bit(_PGT_pinned,
                                                   &page->u.inuse.type_info)) )
             {
@@ -4006,7 +4006,7 @@ long do_mmu_update(
             }
             if ( xsm_needed != xsm_checked )
             {
-                rc = xsm_mmu_update(XSM_TARGET, d, pt_owner, pg_owner, xsm_needed);
+                rc = xsm_mmu_update(d, pt_owner, pg_owner, xsm_needed);
                 if ( rc )
                     break;
                 xsm_checked = xsm_needed;
@@ -4142,7 +4142,7 @@ long do_mmu_update(
             xsm_needed |= XSM_MMU_MACHPHYS_UPDATE;
             if ( xsm_needed != xsm_checked )
             {
-                rc = xsm_mmu_update(XSM_TARGET, d, NULL, pg_owner, xsm_needed);
+                rc = xsm_mmu_update(d, NULL, pg_owner, xsm_needed);
                 if ( rc )
                     break;
                 xsm_checked = xsm_needed;
@@ -4391,7 +4391,7 @@ static int __do_update_va_mapping(
 
     perfc_incr(calls_to_update_va);
 
-    rc = xsm_update_va_mapping(XSM_TARGET, d, pg_owner, val);
+    rc = xsm_update_va_mapping(d, pg_owner, val);
     if ( rc )
         return rc;
 
@@ -4630,7 +4630,7 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             return -ESRCH;
 
-        rc = xsm_domain_memory_map(XSM_TARGET, d);
+        rc = xsm_domain_memory_map(d);
         if ( rc )
         {
             rcu_unlock_domain(d);
@@ -4697,7 +4697,7 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         unsigned int i;
         bool store;
 
-        rc = xsm_machine_memory_map(XSM_PRIV);
+        rc = xsm_machine_memory_map();
         if ( rc )
             return rc;
 
@@ -4787,9 +4787,9 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
             return -ESRCH;
 
         if ( cmd == XENMEM_set_pod_target )
-            rc = xsm_set_pod_target(XSM_PRIV, d);
+            rc = xsm_set_pod_target(d);
         else
-            rc = xsm_get_pod_target(XSM_PRIV, d);
+            rc = xsm_get_pod_target(d);
 
         if ( rc != 0 )
             goto pod_target_out_unlock;
diff --git a/xen/arch/x86/mm/mem_paging.c b/xen/arch/x86/mm/mem_paging.c
index 01281f786e..073edb9499 100644
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -452,7 +452,7 @@ int mem_paging_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_paging_op_t) arg)
     if ( rc )
         return rc;
 
-    rc = xsm_mem_paging(XSM_DM_PRIV, d);
+    rc = xsm_mem_paging(d);
     if ( rc )
         goto out;
 
diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 98b14f7b0a..db5f5ce8b5 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1883,7 +1883,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
     if ( rc )
         return rc;
 
-    rc = xsm_mem_sharing(XSM_DM_PRIV, d);
+    rc = xsm_mem_sharing(d);
     if ( rc )
         goto out;
 
@@ -1928,7 +1928,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
         if ( rc )
             goto out;
 
-        rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd, mso.op);
+        rc = xsm_mem_sharing_op(d, cd, mso.op);
         if ( rc )
         {
             rcu_unlock_domain(cd);
@@ -1994,7 +1994,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
         if ( rc )
             goto out;
 
-        rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd, mso.op);
+        rc = xsm_mem_sharing_op(d, cd, mso.op);
         if ( rc )
         {
             rcu_unlock_domain(cd);
@@ -2056,8 +2056,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
          * We reuse XENMEM_sharing_op_share XSM check here as this is
          * essentially the same concept repeated over multiple pages.
          */
-        rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd,
-                                XENMEM_sharing_op_share);
+        rc = xsm_mem_sharing_op(d, cd, XENMEM_sharing_op_share);
         if ( rc )
         {
             rcu_unlock_domain(cd);
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index dbb1cbeb59..5cee9f5a1d 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2637,7 +2637,7 @@ static int p2m_add_foreign(struct domain *tdom, unsigned long fgfn,
             goto out;
     }
 
-    rc = xsm_map_gmfn_foreign(XSM_TARGET, tdom, fdom);
+    rc = xsm_map_gmfn_foreign(tdom, fdom);
     if ( rc )
         goto out;
 
diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index c304c24526..86a1ec5b80 100644
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -714,7 +714,7 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc,
         return -EBUSY;
     }
 
-    rc = xsm_shadow_control(XSM_HOOK, d, sc->op);
+    rc = xsm_shadow_control(d, sc->op);
     if ( rc )
         return rc;
 
@@ -771,7 +771,7 @@ long paging_domctl_continuation(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
     if ( d == NULL )
         return -ESRCH;
 
-    ret = xsm_domctl(XSM_OTHER, d, op.cmd);
+    ret = xsm_domctl(d, op.cmd);
     if ( !ret )
     {
         if ( domctl_lock_acquire() )
diff --git a/xen/arch/x86/mm/shadow/set.c b/xen/arch/x86/mm/shadow/set.c
index 87e9c6eeb2..e7433ac81b 100644
--- a/xen/arch/x86/mm/shadow/set.c
+++ b/xen/arch/x86/mm/shadow/set.c
@@ -117,7 +117,7 @@ shadow_get_page_from_l1e(shadow_l1e_t sl1e, struct domain *d, p2m_type_t type)
      * not own, we let it succeed anyway.
      */
     if ( owner && (d != owner) &&
-         !(res = xsm_priv_mapping(XSM_TARGET, d, owner)) )
+         !(res = xsm_priv_mapping(d, owner)) )
     {
         res = get_page_from_l1e(sl1e, d, owner);
         SHADOW_PRINTK("privileged %pd installs map of %pd's mfn %"PRI_mfn": %s\n",
diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
index 5febc0ea4b..f821d145e5 100644
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1310,8 +1310,7 @@ int pci_restore_msi_state(struct pci_dev *pdev)
     if ( !use_msi )
         return -EOPNOTSUPP;
 
-    ret = xsm_resource_setup_pci(XSM_PRIV,
-                                (pdev->seg << 16) | (pdev->bus << 8) |
+    ret = xsm_resource_setup_pci((pdev->seg << 16) | (pdev->bus << 8) |
                                 pdev->devfn);
     if ( ret )
         return ret;
diff --git a/xen/arch/x86/pci.c b/xen/arch/x86/pci.c
index a9decd4f33..d5886c59e6 100644
--- a/xen/arch/x86/pci.c
+++ b/xen/arch/x86/pci.c
@@ -74,7 +74,7 @@ int pci_conf_write_intercept(unsigned int seg, unsigned int bdf,
                              uint32_t *data)
 {
     struct pci_dev *pdev;
-    int rc = xsm_pci_config_permission(XSM_HOOK, current->domain, bdf,
+    int rc = xsm_pci_config_permission(current->domain, bdf,
                                        reg, reg + size - 1, 1);
 
     if ( rc < 0 )
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index 23465bcd00..3f2a2035c5 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -110,7 +110,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index, int *pirq_p,
     if ( d == NULL )
         return -ESRCH;
 
-    ret = xsm_map_domain_pirq(XSM_DM_PRIV, d);
+    ret = xsm_map_domain_pirq(d);
     if ( ret )
         goto free_domain;
 
@@ -148,7 +148,7 @@ int physdev_unmap_pirq(domid_t domid, int pirq)
         return -ESRCH;
 
     if ( domid != DOMID_SELF || !is_hvm_domain(d) || !has_pirq(d) )
-        ret = xsm_unmap_domain_pirq(XSM_DM_PRIV, d);
+        ret = xsm_unmap_domain_pirq(d);
     if ( ret )
         goto free_domain;
 
@@ -355,7 +355,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         ret = -EFAULT;
         if ( copy_from_guest(&apic, arg, 1) != 0 )
             break;
-        ret = xsm_apic(XSM_PRIV, currd, cmd);
+        ret = xsm_apic(currd, cmd);
         if ( ret )
             break;
         ret = ioapic_guest_read(apic.apic_physbase, apic.reg, &apic.value);
@@ -369,7 +369,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         ret = -EFAULT;
         if ( copy_from_guest(&apic, arg, 1) != 0 )
             break;
-        ret = xsm_apic(XSM_PRIV, currd, cmd);
+        ret = xsm_apic(currd, cmd);
         if ( ret )
             break;
         ret = ioapic_guest_write(apic.apic_physbase, apic.reg, apic.value);
@@ -385,7 +385,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
 
         /* Use the APIC check since this dummy hypercall should still only
          * be called by the domain with access to program the ioapic */
-        ret = xsm_apic(XSM_PRIV, currd, cmd);
+        ret = xsm_apic(currd, cmd);
         if ( ret )
             break;
 
@@ -535,8 +535,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( copy_from_guest(&dev, arg, 1) )
             ret = -EFAULT;
         else
-            ret = xsm_resource_setup_pci(XSM_PRIV,
-                                         (dev.seg << 16) | (dev.bus << 8) |
+            ret = xsm_resource_setup_pci((dev.seg << 16) | (dev.bus << 8) |
                                          dev.devfn) ?:
                   pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
                                    cmd != PHYSDEVOP_prepare_msix);
@@ -546,7 +545,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
     case PHYSDEVOP_pci_mmcfg_reserved: {
         struct physdev_pci_mmcfg_reserved info;
 
-        ret = xsm_resource_setup_misc(XSM_PRIV);
+        ret = xsm_resource_setup_misc();
         if ( ret )
             break;
 
@@ -611,7 +610,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( setup_gsi.gsi < 0 || setup_gsi.gsi >= nr_irqs_gsi )
             break;
 
-        ret = xsm_resource_setup_gsi(XSM_PRIV, setup_gsi.gsi);
+        ret = xsm_resource_setup_gsi(setup_gsi.gsi);
         if ( ret )
             break;
 
diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
index 284c2dfb9e..40d0f81572 100644
--- a/xen/arch/x86/platform_hypercall.c
+++ b/xen/arch/x86/platform_hypercall.c
@@ -221,7 +221,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     if ( op->interface_version != XENPF_INTERFACE_VERSION )
         return -EACCES;
 
-    ret = xsm_platform_op(XSM_PRIV, op->cmd);
+    ret = xsm_platform_op(op->cmd);
     if ( ret )
         return ret;
 
@@ -639,7 +639,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     {
         int cpu = op->u.cpu_ol.cpuid;
 
-        ret = xsm_resource_plug_core(XSM_HOOK);
+        ret = xsm_resource_plug_core();
         if ( ret )
             break;
 
@@ -665,7 +665,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     {
         int cpu = op->u.cpu_ol.cpuid;
 
-        ret = xsm_resource_unplug_core(XSM_HOOK);
+        ret = xsm_resource_unplug_core();
         if ( ret )
             break;
 
@@ -694,7 +694,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     break;
 
     case XENPF_cpu_hotadd:
-        ret = xsm_resource_plug_core(XSM_HOOK);
+        ret = xsm_resource_plug_core();
         if ( ret )
             break;
 
@@ -704,7 +704,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
     break;
 
     case XENPF_mem_hotadd:
-        ret = xsm_resource_plug_core(XSM_HOOK);
+        ret = xsm_resource_plug_core();
         if ( ret )
             break;
 
diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 11467a1e3a..3a534a168c 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -252,7 +252,7 @@ static bool pci_cfg_ok(struct domain *currd, unsigned int start,
     }
 
     return !write ?
-           xsm_pci_config_permission(XSM_HOOK, currd, machine_bdf,
+           xsm_pci_config_permission(currd, machine_bdf,
                                      start, start + size - 1, 0) == 0 :
            pci_conf_write_intercept(0, machine_bdf, start, size, write) >= 0;
 }
diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c
index aff52a13f3..975672360b 100644
--- a/xen/arch/x86/sysctl.c
+++ b/xen/arch/x86/sysctl.c
@@ -190,8 +190,8 @@ long arch_do_sysctl(
         }
 
         if ( !ret )
-            ret = plug ? xsm_resource_plug_core(XSM_HOOK)
-                       : xsm_resource_unplug_core(XSM_HOOK);
+            ret = plug ? xsm_resource_plug_core()
+                       : xsm_resource_unplug_core();
 
         if ( !ret )
             ret = continue_hypercall_on_cpu(0, fn, hcpu);
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 6b71c6d6a9..392865f0f1 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -311,7 +311,7 @@ static int late_hwdom_init(struct domain *d)
     if ( d != hardware_domain || d->domain_id == 0 )
         return 0;
 
-    rv = xsm_init_hardware_domain(XSM_HOOK, d);
+    rv = xsm_init_hardware_domain(d);
     if ( rv )
         return rv;
 
@@ -649,7 +649,7 @@ struct domain *domain_create(domid_t domid,
         if ( !d->iomem_caps || !d->irq_caps )
             goto fail;
 
-        if ( (err = xsm_domain_create(XSM_HOOK, d, config->ssidref)) != 0 )
+        if ( (err = xsm_domain_create(d, config->ssidref)) != 0 )
             goto fail;
 
         d->controller_pause_count = 1;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index ef202c2b8c..de258ab7f7 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -314,7 +314,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
             return -ESRCH;
     }
 
-    ret = xsm_domctl(XSM_OTHER, d, op->cmd);
+    ret = xsm_domctl(d, op->cmd);
     if ( ret )
         goto domctl_out_unlock_domonly;
 
@@ -553,7 +553,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
         if ( d == NULL )
             goto getdomaininfo_out;
 
-        ret = xsm_getdomaininfo(XSM_HOOK, d);
+        ret = xsm_getdomaininfo(d);
         if ( ret )
             goto getdomaininfo_out;
 
@@ -688,7 +688,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
             break;
         }
         irq = pirq_access_permitted(current->domain, pirq);
-        if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) )
+        if ( !irq || xsm_irq_permission(d, irq, allow) )
             ret = -EPERM;
         else if ( allow )
             ret = irq_permit_access(d, irq);
@@ -709,7 +709,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
 
         if ( !iomem_access_permitted(current->domain,
                                      mfn, mfn + nr_mfns - 1) ||
-             xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
+             xsm_iomem_permission(d, mfn, mfn + nr_mfns - 1, allow) )
             ret = -EPERM;
         else if ( allow )
             ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
@@ -746,7 +746,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
              !iomem_access_permitted(d, mfn, mfn_end) )
             break;
 
-        ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add);
+        ret = xsm_iomem_mapping(d, mfn, mfn_end, add);
         if ( ret )
             break;
 
@@ -804,7 +804,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
 
         ret = -EOPNOTSUPP;
         if ( is_hvm_domain(e) )
-            ret = xsm_set_target(XSM_HOOK, d, e);
+            ret = xsm_set_target(d, e);
         if ( ret )
         {
             put_domain(e);
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index da88ad141a..288d8c36f2 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -301,7 +301,7 @@ static int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc)
         ERROR_EXIT_DOM(port, d);
     chn = evtchn_from_port(d, port);
 
-    rc = xsm_evtchn_unbound(XSM_TARGET, d, chn, alloc->remote_dom);
+    rc = xsm_evtchn_unbound(d, chn, alloc->remote_dom);
     if ( rc )
         goto out;
 
@@ -376,7 +376,7 @@ static int evtchn_bind_interdomain(evtchn_bind_interdomain_t *bind)
          (rchn->u.unbound.remote_domid != ld->domain_id) )
         ERROR_EXIT_DOM(-EINVAL, rd);
 
-    rc = xsm_evtchn_interdomain(XSM_HOOK, ld, lchn, rd, rchn);
+    rc = xsm_evtchn_interdomain(ld, lchn, rd, rchn);
     if ( rc )
         goto out;
 
@@ -754,7 +754,7 @@ int evtchn_send(struct domain *ld, unsigned int lport)
         goto out;
     }
 
-    ret = xsm_evtchn_send(XSM_HOOK, ld, lchn);
+    ret = xsm_evtchn_send(ld, lchn);
     if ( ret )
         goto out;
 
@@ -979,7 +979,7 @@ int evtchn_status(evtchn_status_t *status)
         goto out;
     }
 
-    rc = xsm_evtchn_status(XSM_TARGET, d, chn);
+    rc = xsm_evtchn_status(d, chn);
     if ( rc )
         goto out;
 
@@ -1295,7 +1295,7 @@ long do_event_channel_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             return -ESRCH;
 
-        rc = xsm_evtchn_reset(XSM_TARGET, current->domain, d);
+        rc = xsm_evtchn_reset(current->domain, d);
         if ( !rc )
             rc = evtchn_reset(d, cmd == EVTCHNOP_reset_cont);
 
@@ -1356,7 +1356,7 @@ int alloc_unbound_xen_event_channel(
         goto out;
     chn = evtchn_from_port(ld, port);
 
-    rc = xsm_evtchn_unbound(XSM_TARGET, ld, chn, remote_domid);
+    rc = xsm_evtchn_unbound(ld, chn, remote_domid);
     if ( rc )
         goto out;
 
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index fab77ab9cc..087b214335 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1051,7 +1051,7 @@ map_grant_ref(
         return;
     }
 
-    rc = xsm_grant_mapref(XSM_HOOK, ld, rd, op->flags);
+    rc = xsm_grant_mapref(ld, rd, op->flags);
     if ( rc )
     {
         rcu_unlock_domain(rd);
@@ -1391,7 +1391,7 @@ unmap_common(
         return;
     }
 
-    rc = xsm_grant_unmapref(XSM_HOOK, ld, rd);
+    rc = xsm_grant_unmapref(ld, rd);
     if ( rc )
     {
         rcu_unlock_domain(rd);
@@ -2009,7 +2009,7 @@ gnttab_setup_table(
         goto out;
     }
 
-    if ( xsm_grant_setup(XSM_TARGET, curr->domain, d) )
+    if ( xsm_grant_setup(curr->domain, d) )
     {
         op.status = GNTST_permission_denied;
         goto out;
@@ -2091,7 +2091,7 @@ gnttab_query_size(
         goto out;
     }
 
-    if ( xsm_grant_query_size(XSM_TARGET, current->domain, d) )
+    if ( xsm_grant_query_size(current->domain, d) )
     {
         op.status = GNTST_permission_denied;
         goto out;
@@ -2262,7 +2262,7 @@ gnttab_transfer(
             goto put_gfn_and_copyback;
         }
 
-        if ( xsm_grant_transfer(XSM_HOOK, d, e) )
+        if ( xsm_grant_transfer(d, e) )
         {
             gop.status = GNTST_permission_denied;
         unlock_and_copyback:
@@ -2800,7 +2800,7 @@ static int gnttab_copy_lock_domains(const struct gnttab_copy *op,
     if ( rc < 0 )
         goto error;
 
-    rc = xsm_grant_copy(XSM_HOOK, src->domain, dest->domain);
+    rc = xsm_grant_copy(src->domain, dest->domain);
     if ( rc < 0 )
     {
         rc = GNTST_permission_denied;
@@ -3219,7 +3219,7 @@ gnttab_get_status_frames(XEN_GUEST_HANDLE_PARAM(gnttab_get_status_frames_t) uop,
         op.status = GNTST_bad_domain;
         goto out1;
     }
-    rc = xsm_grant_setup(XSM_TARGET, current->domain, d);
+    rc = xsm_grant_setup(current->domain, d);
     if ( rc )
     {
         op.status = GNTST_permission_denied;
@@ -3283,7 +3283,7 @@ gnttab_get_version(XEN_GUEST_HANDLE_PARAM(gnttab_get_version_t) uop)
     if ( d == NULL )
         return -ESRCH;
 
-    rc = xsm_grant_query_size(XSM_TARGET, current->domain, d);
+    rc = xsm_grant_query_size(current->domain, d);
     if ( rc )
     {
         rcu_unlock_domain(d);
diff --git a/xen/common/hypfs.c b/xen/common/hypfs.c
index e71f7df479..052f3d472a 100644
--- a/xen/common/hypfs.c
+++ b/xen/common/hypfs.c
@@ -679,7 +679,7 @@ long do_hypfs_op(unsigned int cmd,
     struct hypfs_entry *entry;
     static char path[XEN_HYPFS_MAX_PATHLEN];
 
-    if ( xsm_hypfs_op(XSM_PRIV) )
+    if ( xsm_hypfs_op() )
         return -EPERM;
 
     if ( cmd == XEN_HYPFS_OP_get_version )
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index d77756a81e..89e01e908c 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -459,7 +459,7 @@ __initcall(param_init);
 
 DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
-    bool_t deny = !!xsm_xen_version(XSM_OTHER, cmd);
+    bool_t deny = !!xsm_xen_version(cmd);
 
     switch ( cmd )
     {
diff --git a/xen/common/kexec.c b/xen/common/kexec.c
index ebeee6405a..a0d2858cd8 100644
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -1219,7 +1219,7 @@ static int do_kexec_op_internal(unsigned long op,
 {
     int ret = -EINVAL;
 
-    ret = xsm_kexec(XSM_PRIV);
+    ret = xsm_kexec();
     if ( ret )
         return ret;
 
diff --git a/xen/common/mem_access.c b/xen/common/mem_access.c
index 010e6f8dbf..2066510d3b 100644
--- a/xen/common/mem_access.c
+++ b/xen/common/mem_access.c
@@ -47,7 +47,7 @@ int mem_access_memop(unsigned long cmd,
     if ( !p2m_mem_access_sanity_check(d) )
         goto out;
 
-    rc = xsm_mem_access(XSM_DM_PRIV, d);
+    rc = xsm_mem_access(d);
     if ( rc )
         goto out;
 
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 72a6b70cb5..d2621bbb47 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -609,7 +609,7 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
         goto fail_early;
     }
 
-    rc = xsm_memory_exchange(XSM_TARGET, d);
+    rc = xsm_memory_exchange(d);
     if ( rc )
     {
         rcu_unlock_domain(d);
@@ -1072,7 +1072,7 @@ static long xatp_permission_check(struct domain *d, unsigned int space)
          (!is_hardware_domain(d) || (d != current->domain)) )
         return -EACCES;
 
-    return xsm_add_to_physmap(XSM_TARGET, current->domain, d);
+    return xsm_add_to_physmap(current->domain, d);
 }
 
 unsigned int ioreq_server_max_frames(const struct domain *d)
@@ -1232,7 +1232,7 @@ static int acquire_resource(
     if ( rc )
         return rc;
 
-    rc = xsm_domain_resource_map(XSM_DM_PRIV, d);
+    rc = xsm_domain_resource_map(d);
     if ( rc )
         goto out;
 
@@ -1388,7 +1388,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
              && (reservation.mem_flags & XENMEMF_populate_on_demand) )
             args.memflags |= MEMF_populate_on_demand;
 
-        if ( xsm_memory_adjust_reservation(XSM_TARGET, curr_d, d) )
+        if ( xsm_memory_adjust_reservation(curr_d, d) )
         {
             rcu_unlock_domain(d);
             return start_extent;
@@ -1462,7 +1462,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             return -ESRCH;
 
-        rc = xsm_memory_stat_reservation(XSM_TARGET, curr_d, d);
+        rc = xsm_memory_stat_reservation(curr_d, d);
         if ( rc )
         {
             rcu_unlock_domain(d);
@@ -1584,7 +1584,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
             return -ESRCH;
 
         rc = paging_mode_translate(d)
-             ? xsm_remove_from_physmap(XSM_TARGET, curr_d, d)
+             ? xsm_remove_from_physmap(curr_d, d)
              : -EACCES;
         if ( rc )
         {
@@ -1631,7 +1631,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             return -EINVAL;
 
-        rc = xsm_claim_pages(XSM_PRIV, d);
+        rc = xsm_claim_pages(d);
 
         if ( !rc )
             rc = domain_set_outstanding_pages(d, reservation.nr_extents);
@@ -1662,7 +1662,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( (d = rcu_lock_domain_by_any_id(topology.domid)) == NULL )
             return -ESRCH;
 
-        rc = xsm_get_vnumainfo(XSM_TARGET, d);
+        rc = xsm_get_vnumainfo(d);
         if ( rc )
         {
             rcu_unlock_domain(d);
diff --git a/xen/common/monitor.c b/xen/common/monitor.c
index d5c9ff1cbf..ff17bad733 100644
--- a/xen/common/monitor.c
+++ b/xen/common/monitor.c
@@ -36,7 +36,7 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop)
     if ( unlikely(current->domain == d) ) /* no domain_pause() */
         return -EPERM;
 
-    rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event);
+    rc = xsm_vm_event_control(d, mop->op, mop->event);
     if ( unlikely(rc) )
         return rc;
 
diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c
index 6d34764d38..e5c154fe9d 100644
--- a/xen/common/sched/core.c
+++ b/xen/common/sched/core.c
@@ -1944,7 +1944,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( d == NULL )
             break;
 
-        ret = xsm_schedop_shutdown(XSM_DM_PRIV, current->domain, d);
+        ret = xsm_schedop_shutdown(current->domain, d);
         if ( likely(!ret) )
             domain_shutdown(d, sched_remote_shutdown.reason);
 
@@ -2046,7 +2046,7 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op)
 {
     long ret;
 
-    ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd);
+    ret = xsm_domctl_scheduler_op(d, op->cmd);
     if ( ret )
         return ret;
 
@@ -2081,7 +2081,7 @@ long sched_adjust_global(struct xen_sysctl_scheduler_op *op)
     struct cpupool *pool;
     int rc;
 
-    rc = xsm_sysctl_scheduler_op(XSM_HOOK, op->cmd);
+    rc = xsm_sysctl_scheduler_op(op->cmd);
     if ( rc )
         return rc;
 
diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c
index 3558641cd9..4e25c0e499 100644
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -41,7 +41,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
     if ( op->interface_version != XEN_SYSCTL_INTERFACE_VERSION )
         return -EACCES;
 
-    ret = xsm_sysctl(XSM_PRIV, op->cmd);
+    ret = xsm_sysctl(op->cmd);
     if ( ret )
         return ret;
 
@@ -58,7 +58,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
     switch ( op->cmd )
     {
     case XEN_SYSCTL_readconsole:
-        ret = xsm_readconsole(XSM_HOOK, op->u.readconsole.clear);
+        ret = xsm_readconsole(op->u.readconsole.clear);
         if ( ret )
             break;
 
@@ -88,7 +88,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
             if ( num_domains == op->u.getdomaininfolist.max_domains )
                 break;
 
-            ret = xsm_getdomaininfo(XSM_HOOK, d);
+            ret = xsm_getdomaininfo(d);
             if ( ret )
                 continue;
 
@@ -191,7 +191,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
         if ( op->u.page_offline.end < op->u.page_offline.start )
             break;
 
-        ret = xsm_page_offline(XSM_HOOK, op->u.page_offline.cmd);
+        ret = xsm_page_offline(op->u.page_offline.cmd);
         if ( ret )
             break;
 
diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c
index 70ab3ba406..307f99fcf0 100644
--- a/xen/common/vm_event.c
+++ b/xen/common/vm_event.c
@@ -584,7 +584,7 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec)
         return 0;
     }
 
-    rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op);
+    rc = xsm_vm_event_control(d, vec->mode, vec->op);
     if ( rc )
         return rc;
 
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 1926a92fe4..76d8b1f807 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -737,7 +737,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
         return -EPERM;
     }
 
-    ret = xsm_profile(XSM_HOOK, current->domain, op);
+    ret = xsm_profile(current->domain, op);
     if ( ret )
         return ret;
 
diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index 7d0a603d03..b5d62ea4ee 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -681,7 +681,7 @@ long do_console_io(unsigned int cmd, unsigned int count,
     long rc;
     unsigned int idx, len;
 
-    rc = xsm_console_io(XSM_OTHER, current->domain, cmd);
+    rc = xsm_console_io(current->domain, cmd);
     if ( rc )
         return rc;
 
diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c
index 999b831d90..67b03fd2a9 100644
--- a/xen/drivers/passthrough/device_tree.c
+++ b/xen/drivers/passthrough/device_tree.c
@@ -230,7 +230,7 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d,
         if ( ret )
             break;
 
-        ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev));
+        ret = xsm_assign_dtdevice(d, dt_node_full_name(dev));
         if ( ret )
             break;
 
@@ -284,7 +284,7 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d,
         if ( ret )
             break;
 
-        ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev));
+        ret = xsm_deassign_dtdevice(d, dt_node_full_name(dev));
 
         if ( d == dom_io )
             return -EINVAL;
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index 199ce08612..1363ef8121 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -704,7 +704,7 @@ int pci_add_device(u16 seg, u8 bus, u8 devfn,
     else
         pdev_type = "device";
 
-    ret = xsm_resource_plug_pci(XSM_PRIV, (seg << 16) | (bus << 8) | devfn);
+    ret = xsm_resource_plug_pci((seg << 16) | (bus << 8) | devfn);
     if ( ret )
         return ret;
 
@@ -814,7 +814,7 @@ int pci_remove_device(u16 seg, u8 bus, u8 devfn)
     struct pci_dev *pdev;
     int ret;
 
-    ret = xsm_resource_unplug_pci(XSM_PRIV, (seg << 16) | (bus << 8) | devfn);
+    ret = xsm_resource_unplug_pci((seg << 16) | (bus << 8) | devfn);
     if ( ret )
         return ret;
 
@@ -1477,7 +1477,7 @@ static int iommu_get_device_group(
              ((pdev->bus == bus) && (pdev->devfn == devfn)) )
             continue;
 
-        if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (pdev->bus << 8) | pdev->devfn) )
+        if ( xsm_get_device_group((seg << 16) | (pdev->bus << 8) | pdev->devfn) )
             continue;
 
         sdev_id = ops->get_device_group_id(seg, pdev->bus, pdev->devfn);
@@ -1545,7 +1545,7 @@ int iommu_do_pci_domctl(
         u32 max_sdevs;
         XEN_GUEST_HANDLE_64(uint32) sdevs;
 
-        ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf);
+        ret = xsm_get_device_group(domctl->u.get_device_group.machine_sbdf);
         if ( ret )
             break;
 
@@ -1596,7 +1596,7 @@ int iommu_do_pci_domctl(
 
         machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf;
 
-        ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf);
+        ret = xsm_assign_device(d, machine_sbdf);
         if ( ret )
             break;
 
@@ -1641,7 +1641,7 @@ int iommu_do_pci_domctl(
 
         machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf;
 
-        ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf);
+        ret = xsm_deassign_device(d, machine_sbdf);
         if ( ret )
             break;
 
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 170eae9b25..bab10be7a2 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -30,53 +30,53 @@ static inline void xsm_security_domaininfo (struct domain *d,
     alternative_vcall(xsm_ops.security_domaininfo, d, info);
 }
 
-static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
+static inline int xsm_domain_create (struct domain *d, u32 ssidref)
 {
     return alternative_call(xsm_ops.domain_create, d, ssidref);
 }
 
-static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
+static inline int xsm_getdomaininfo (struct domain *d)
 {
     return alternative_call(xsm_ops.getdomaininfo, d);
 }
 
-static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_domctl_scheduler_op (struct domain *d, int cmd)
 {
     return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd);
 }
 
-static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
+static inline int xsm_sysctl_scheduler_op (int cmd)
 {
     return alternative_call(xsm_ops.sysctl_scheduler_op, cmd);
 }
 
-static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
+static inline int xsm_set_target (struct domain *d, struct domain *e)
 {
     return alternative_call(xsm_ops.set_target, d, e);
 }
 
-static inline int xsm_domctl (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_domctl (struct domain *d, int cmd)
 {
     return alternative_call(xsm_ops.domctl, d, cmd);
 }
 
-static inline int xsm_sysctl (xsm_default_t def, int cmd)
+static inline int xsm_sysctl (int cmd)
 {
     return alternative_call(xsm_ops.sysctl, cmd);
 }
 
-static inline int xsm_readconsole (xsm_default_t def, uint32_t clear)
+static inline int xsm_readconsole (uint32_t clear)
 {
     return alternative_call(xsm_ops.readconsole, clear);
 }
 
-static inline int xsm_evtchn_unbound (xsm_default_t def, struct domain *d1, struct evtchn *chn,
+static inline int xsm_evtchn_unbound (struct domain *d1, struct evtchn *chn,
                                                                     domid_t id2)
 {
     return alternative_call(xsm_ops.evtchn_unbound, d1, chn, id2);
 }
 
-static inline int xsm_evtchn_interdomain (xsm_default_t def, struct domain *d1,
+static inline int xsm_evtchn_interdomain (struct domain *d1,
                 struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
 {
     return alternative_call(xsm_ops.evtchn_interdomain, d1, chan1, d2, chan2);
@@ -87,48 +87,48 @@ static inline void xsm_evtchn_close_post (struct evtchn *chn)
     alternative_vcall(xsm_ops.evtchn_close_post, chn);
 }
 
-static inline int xsm_evtchn_send (xsm_default_t def, struct domain *d, struct evtchn *chn)
+static inline int xsm_evtchn_send (struct domain *d, struct evtchn *chn)
 {
     return alternative_call(xsm_ops.evtchn_send, d, chn);
 }
 
-static inline int xsm_evtchn_status (xsm_default_t def, struct domain *d, struct evtchn *chn)
+static inline int xsm_evtchn_status (struct domain *d, struct evtchn *chn)
 {
     return alternative_call(xsm_ops.evtchn_status, d, chn);
 }
 
-static inline int xsm_evtchn_reset (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_evtchn_reset (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.evtchn_reset, d1, d2);
 }
 
-static inline int xsm_grant_mapref (xsm_default_t def, struct domain *d1, struct domain *d2,
+static inline int xsm_grant_mapref (struct domain *d1, struct domain *d2,
                                                                 uint32_t flags)
 {
     return alternative_call(xsm_ops.grant_mapref, d1, d2, flags);
 }
 
-static inline int xsm_grant_unmapref (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_unmapref (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.grant_unmapref, d1, d2);
 }
 
-static inline int xsm_grant_setup (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_setup (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.grant_setup, d1, d2);
 }
 
-static inline int xsm_grant_transfer (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_transfer (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.grant_transfer, d1, d2);
 }
 
-static inline int xsm_grant_copy (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_copy (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.grant_copy, d1, d2);
 }
 
-static inline int xsm_grant_query_size (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_query_size (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.grant_query_size, d1, d2);
 }
@@ -160,80 +160,80 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt
     return alternative_call(xsm_ops.show_security_evtchn, d, chn);
 }
 
-static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
+static inline int xsm_init_hardware_domain (struct domain *d)
 {
     return alternative_call(xsm_ops.init_hardware_domain, d);
 }
 
-static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
+static inline int xsm_get_pod_target (struct domain *d)
 {
     return alternative_call(xsm_ops.get_pod_target, d);
 }
 
-static inline int xsm_set_pod_target (xsm_default_t def, struct domain *d)
+static inline int xsm_set_pod_target (struct domain *d)
 {
     return alternative_call(xsm_ops.set_pod_target, d);
 }
 
-static inline int xsm_memory_exchange (xsm_default_t def, struct domain *d)
+static inline int xsm_memory_exchange (struct domain *d)
 {
     return alternative_call(xsm_ops.memory_exchange, d);
 }
 
-static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct domain *d1, struct
+static inline int xsm_memory_adjust_reservation (struct domain *d1, struct
                                                                     domain *d2)
 {
     return alternative_call(xsm_ops.memory_adjust_reservation, d1, d2);
 }
 
-static inline int xsm_memory_stat_reservation (xsm_default_t def, struct domain *d1,
+static inline int xsm_memory_stat_reservation (struct domain *d1,
                                                             struct domain *d2)
 {
     return alternative_call(xsm_ops.memory_stat_reservation, d1, d2);
 }
 
-static inline int xsm_memory_pin_page(xsm_default_t def, struct domain *d1, struct domain *d2,
+static inline int xsm_memory_pin_page(struct domain *d1, struct domain *d2,
                                       struct page_info *page)
 {
     return alternative_call(xsm_ops.memory_pin_page, d1, d2, page);
 }
 
-static inline int xsm_add_to_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_add_to_physmap(struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.add_to_physmap, d1, d2);
 }
 
-static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_remove_from_physmap(struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.remove_from_physmap, d1, d2);
 }
 
-static inline int xsm_map_gmfn_foreign (xsm_default_t def, struct domain *d, struct domain *t)
+static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t)
 {
     return alternative_call(xsm_ops.map_gmfn_foreign, d, t);
 }
 
-static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
+static inline int xsm_claim_pages(struct domain *d)
 {
     return alternative_call(xsm_ops.claim_pages, d);
 }
 
-static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_console_io (struct domain *d, int cmd)
 {
     return alternative_call(xsm_ops.console_io, d, cmd);
 }
 
-static inline int xsm_profile (xsm_default_t def, struct domain *d, int op)
+static inline int xsm_profile (struct domain *d, int op)
 {
     return alternative_call(xsm_ops.profile, d, op);
 }
 
-static inline int xsm_kexec (xsm_default_t def)
+static inline int xsm_kexec (void)
 {
     return alternative_call(xsm_ops.kexec);
 }
 
-static inline int xsm_schedop_shutdown (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_schedop_shutdown (struct domain *d1, struct domain *d2)
 {
     return alternative_call(xsm_ops.schedop_shutdown, d1, d2);
 }
@@ -243,131 +243,129 @@ static inline char *xsm_show_irq_sid (int irq)
     return alternative_call(xsm_ops.show_irq_sid, irq);
 }
 
-static inline int xsm_map_domain_pirq (xsm_default_t def, struct domain *d)
+static inline int xsm_map_domain_pirq (struct domain *d)
 {
     return alternative_call(xsm_ops.map_domain_pirq, d);
 }
 
-static inline int xsm_map_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
+static inline int xsm_map_domain_irq (struct domain *d, int irq, void *data)
 {
     return alternative_call(xsm_ops.map_domain_irq, d, irq, data);
 }
 
-static inline int xsm_unmap_domain_pirq (xsm_default_t def, struct domain *d)
+static inline int xsm_unmap_domain_pirq (struct domain *d)
 {
     return alternative_call(xsm_ops.unmap_domain_pirq, d);
 }
 
-static inline int xsm_unmap_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
+static inline int xsm_unmap_domain_irq (struct domain *d, int irq, void *data)
 {
     return alternative_call(xsm_ops.unmap_domain_irq, d, irq, data);
 }
 
-static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d,
+static inline int xsm_bind_pt_irq(struct domain *d,
                                   struct xen_domctl_bind_pt_irq *bind)
 {
     return alternative_call(xsm_ops.bind_pt_irq, d, bind);
 }
 
-static inline int xsm_unbind_pt_irq(xsm_default_t def, struct domain *d,
+static inline int xsm_unbind_pt_irq(struct domain *d,
                                     struct xen_domctl_bind_pt_irq *bind)
 {
     return alternative_call(xsm_ops.unbind_pt_irq, d, bind);
 }
 
-static inline int xsm_irq_permission (xsm_default_t def, struct domain *d, int pirq, uint8_t allow)
+static inline int xsm_irq_permission (struct domain *d, int pirq, uint8_t allow)
 {
     return alternative_call(xsm_ops.irq_permission, d, pirq, allow);
 }
 
-static inline int xsm_iomem_permission (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int xsm_iomem_permission (struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
     return alternative_call(xsm_ops.iomem_permission, d, s, e, allow);
 }
 
-static inline int xsm_iomem_mapping (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int xsm_iomem_mapping (struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
 {
     return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow);
 }
 
-static inline int xsm_pci_config_permission (xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
+static inline int xsm_pci_config_permission (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
 {
     return alternative_call(xsm_ops.pci_config_permission, d, machine_bdf, start, end, access);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_get_device_group(uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.get_device_group, machine_bdf);
 }
 
-static inline int xsm_assign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
+static inline int xsm_assign_device(struct domain *d, uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.assign_device, d, machine_bdf);
 }
 
-static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
+static inline int xsm_deassign_device(struct domain *d, uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.deassign_device, d, machine_bdf);
 }
 #endif /* HAS_PASSTHROUGH && HAS_PCI) */
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static inline int xsm_assign_dtdevice(xsm_default_t def, struct domain *d,
-                                      const char *dtpath)
+static inline int xsm_assign_dtdevice(struct domain *d, const char *dtpath)
 {
     return alternative_call(xsm_ops.assign_dtdevice, d, dtpath);
 }
 
-static inline int xsm_deassign_dtdevice(xsm_default_t def, struct domain *d,
-                                        const char *dtpath)
+static inline int xsm_deassign_dtdevice(struct domain *d, const char *dtpath)
 {
     return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath);
 }
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
-static inline int xsm_resource_plug_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_plug_pci (uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.resource_plug_pci, machine_bdf);
 }
 
-static inline int xsm_resource_unplug_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_unplug_pci (uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.resource_unplug_pci, machine_bdf);
 }
 
-static inline int xsm_resource_plug_core (xsm_default_t def)
+static inline int xsm_resource_plug_core (void)
 {
     return alternative_call(xsm_ops.resource_plug_core);
 }
 
-static inline int xsm_resource_unplug_core (xsm_default_t def)
+static inline int xsm_resource_unplug_core (void)
 {
     return alternative_call(xsm_ops.resource_unplug_core);
 }
 
-static inline int xsm_resource_setup_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_setup_pci (uint32_t machine_bdf)
 {
     return alternative_call(xsm_ops.resource_setup_pci, machine_bdf);
 }
 
-static inline int xsm_resource_setup_gsi (xsm_default_t def, int gsi)
+static inline int xsm_resource_setup_gsi (int gsi)
 {
     return alternative_call(xsm_ops.resource_setup_gsi, gsi);
 }
 
-static inline int xsm_resource_setup_misc (xsm_default_t def)
+static inline int xsm_resource_setup_misc (void)
 {
     return alternative_call(xsm_ops.resource_setup_misc);
 }
 
-static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
+static inline int xsm_page_offline(uint32_t cmd)
 {
     return alternative_call(xsm_ops.page_offline, cmd);
 }
 
-static inline int xsm_hypfs_op(xsm_default_t def)
+static inline int xsm_hypfs_op(void)
 {
     return alternative_call(xsm_ops.hypfs_op);
 }
@@ -384,148 +382,148 @@ static inline int xsm_do_compat_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 }
 #endif
 
-static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned long op)
+static inline int xsm_hvm_param (struct domain *d, unsigned long op)
 {
     return alternative_call(xsm_ops.hvm_param, d, op);
 }
 
-static inline int xsm_hvm_control(xsm_default_t def, struct domain *d, unsigned long op)
+static inline int xsm_hvm_control(struct domain *d, unsigned long op)
 {
     return alternative_call(xsm_ops.hvm_control, d, op);
 }
 
-static inline int xsm_hvm_param_altp2mhvm (xsm_default_t def, struct domain *d)
+static inline int xsm_hvm_param_altp2mhvm (struct domain *d)
 {
     return alternative_call(xsm_ops.hvm_param_altp2mhvm, d);
 }
 
-static inline int xsm_hvm_altp2mhvm_op (xsm_default_t def, struct domain *d, uint64_t mode, uint32_t op)
+static inline int xsm_hvm_altp2mhvm_op (struct domain *d, uint64_t mode, uint32_t op)
 {
     return alternative_call(xsm_ops.hvm_altp2mhvm_op, d, mode, op);
 }
 
-static inline int xsm_get_vnumainfo (xsm_default_t def, struct domain *d)
+static inline int xsm_get_vnumainfo (struct domain *d)
 {
     return alternative_call(xsm_ops.get_vnumainfo, d);
 }
 
-static inline int xsm_vm_event_control (xsm_default_t def, struct domain *d, int mode, int op)
+static inline int xsm_vm_event_control (struct domain *d, int mode, int op)
 {
     return alternative_call(xsm_ops.vm_event_control, d, mode, op);
 }
 
 #ifdef CONFIG_MEM_ACCESS
-static inline int xsm_mem_access (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_access (struct domain *d)
 {
     return alternative_call(xsm_ops.mem_access, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_PAGING
-static inline int xsm_mem_paging (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_paging (struct domain *d)
 {
     return alternative_call(xsm_ops.mem_paging, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_SHARING
-static inline int xsm_mem_sharing (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_sharing (struct domain *d)
 {
     return alternative_call(xsm_ops.mem_sharing, d);
 }
 #endif
 
-static inline int xsm_platform_op (xsm_default_t def, uint32_t op)
+static inline int xsm_platform_op (uint32_t op)
 {
     return alternative_call(xsm_ops.platform_op, op);
 }
 
 #ifdef CONFIG_X86
-static inline int xsm_do_mca(xsm_default_t def)
+static inline int xsm_do_mca(void)
 {
     return alternative_call(xsm_ops.do_mca);
 }
 
-static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
+static inline int xsm_shadow_control (struct domain *d, uint32_t op)
 {
     return alternative_call(xsm_ops.shadow_control, d, op);
 }
 
-static inline int xsm_mem_sharing_op (xsm_default_t def, struct domain *d, struct domain *cd, int op)
+static inline int xsm_mem_sharing_op (struct domain *d, struct domain *cd, int op)
 {
     return alternative_call(xsm_ops.mem_sharing_op, d, cd, op);
 }
 
-static inline int xsm_apic (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_apic (struct domain *d, int cmd)
 {
     return alternative_call(xsm_ops.apic, d, cmd);
 }
 
-static inline int xsm_memtype (xsm_default_t def, uint32_t access)
+static inline int xsm_memtype (uint32_t access)
 {
     return alternative_call(xsm_ops.memtype, access);
 }
 
-static inline int xsm_machine_memory_map(xsm_default_t def)
+static inline int xsm_machine_memory_map(void)
 {
     return alternative_call(xsm_ops.machine_memory_map);
 }
 
-static inline int xsm_domain_memory_map(xsm_default_t def, struct domain *d)
+static inline int xsm_domain_memory_map(struct domain *d)
 {
     return alternative_call(xsm_ops.domain_memory_map, d);
 }
 
-static inline int xsm_mmu_update (xsm_default_t def, struct domain *d, struct domain *t,
+static inline int xsm_mmu_update (struct domain *d, struct domain *t,
                                   struct domain *f, uint32_t flags)
 {
     return alternative_call(xsm_ops.mmu_update, d, t, f, flags);
 }
 
-static inline int xsm_mmuext_op (xsm_default_t def, struct domain *d, struct domain *f)
+static inline int xsm_mmuext_op (struct domain *d, struct domain *f)
 {
     return alternative_call(xsm_ops.mmuext_op, d, f);
 }
 
-static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, struct domain *f,
+static inline int xsm_update_va_mapping(struct domain *d, struct domain *f,
                                                             l1_pgentry_t pte)
 {
     return xsm_ops.update_va_mapping(d, f, pte);
 }
 
-static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t)
+static inline int xsm_priv_mapping(struct domain *d, struct domain *t)
 {
     return alternative_call(xsm_ops.priv_mapping, d, t);
 }
 
-static inline int xsm_ioport_permission (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int xsm_ioport_permission (struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
     return alternative_call(xsm_ops.ioport_permission, d, s, e, allow);
 }
 
-static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int xsm_ioport_mapping (struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
     return alternative_call(xsm_ops.ioport_mapping, d, s, e, allow);
 }
 
-static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int op)
+static inline int xsm_pmu_op (struct domain *d, unsigned int op)
 {
     return alternative_call(xsm_ops.pmu_op, d, op);
 }
 
 #endif /* CONFIG_X86 */
 
-static inline int xsm_dm_op(xsm_default_t def, struct domain *d)
+static inline int xsm_dm_op(struct domain *d)
 {
     return alternative_call(xsm_ops.dm_op, d);
 }
 
-static inline int xsm_xen_version (xsm_default_t def, uint32_t op)
+static inline int xsm_xen_version (uint32_t op)
 {
     return alternative_call(xsm_ops.xen_version, op);
 }
 
-static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
+static inline int xsm_domain_resource_map(struct domain *d)
 {
     return alternative_call(xsm_ops.domain_resource_map, d);
 }
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 09/10] xsm: expand the function related macros in dummy.h
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (7 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-16  7:34   ` Jan Beulich
  2021-07-12 20:32 ` [PATCH v2 10/10] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
  2021-07-12 23:12 ` [PATCH v2 00/10] xsm: refactoring xsm hooks Andrew Cooper
  10 siblings, 1 reply; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

With the elimination of switching how dummy.h gets included, the function
declaration macros are no longer necessary. This commit expands them out to the
only value for which they will ever be set. This results in function
declaration lengths changing and since some definitions did not even follow the
80 column wrapping style, all function definitions were aligned with the
predominate style found in core hypervisor code.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/xsm/dummy.h | 275 +++++++++++++++++++++++++++---------------------
 1 file changed, 153 insertions(+), 122 deletions(-)

diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
index a3e698c3b5..1cb26e4146 100644
--- a/xen/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -9,7 +9,7 @@
  *
  *
  *  Each XSM hook implementing an access check should have its first parameter
- *  preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
+ *  preceded by (or use XSM_DEFAULT_VOID if it has no
  *  arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
  *  with the expected type of the hook, which will either define or check the
  *  value of action.
@@ -47,14 +47,11 @@ void __xsm_action_mismatch_detected(void);
  * xsm_default_t argument available, so the value from the assertion is used to
  * initialize the variable.
  */
-#define XSM_INLINE __maybe_unused
-
-#define XSM_DEFAULT_ARG /* */
-#define XSM_DEFAULT_VOID void
 #define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
 
-static always_inline int xsm_default_action(
-    xsm_default_t action, struct domain *src, struct domain *target)
+static always_inline int xsm_default_action(xsm_default_t action,
+                                            struct domain *src,
+                                            struct domain *target)
 {
     switch ( action ) {
     case XSM_HOOK:
@@ -82,43 +79,43 @@ static always_inline int xsm_default_action(
     }
 }
 
-static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
+static inline void dummy_security_domaininfo(struct domain *d,
                                     struct xen_domctl_getdomaininfo *info)
 {
     return;
 }
 
-static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
+static inline int dummy_domain_create(struct domain *d, u32 ssidref)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_getdomaininfo(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static inline int dummy_domctl_scheduler_op(struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
+static inline int dummy_sysctl_scheduler_op(int cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
+static inline int dummy_set_target(struct domain *d, struct domain *e)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static inline int dummy_domctl(struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( cmd )
@@ -135,85 +132,91 @@ static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
     }
 }
 
-static XSM_INLINE int dummy_sysctl(XSM_DEFAULT_ARG int cmd)
+static inline int dummy_sysctl(int cmd)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_readconsole(XSM_DEFAULT_ARG uint32_t clear)
+static inline int dummy_readconsole(uint32_t clear)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_alloc_security_domain(struct domain *d)
+static inline int dummy_alloc_security_domain(struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE void dummy_free_security_domain(struct domain *d)
+static inline void dummy_free_security_domain(struct domain *d)
 {
     return;
 }
 
-static XSM_INLINE int dummy_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
-                                                                uint32_t flags)
+static inline int dummy_grant_mapref(struct domain *d1,
+                                             struct domain *d2,
+                                             uint32_t flags)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_grant_unmapref(struct domain *d1,
+                                               struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_grant_setup(struct domain *d1,
+                                            struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_grant_transfer(struct domain *d1,
+                                               struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_grant_copy(struct domain *d1, struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_grant_query_size(struct domain *d1,
+                                                 struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_memory_exchange(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
-                                                            struct domain *d2)
+static inline int dummy_memory_adjust_reservation(struct domain *d1,
+                                                          struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_memory_stat_reservation(struct domain *d1,
+                                                        struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static inline int dummy_console_io(struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     if ( d->is_console )
@@ -225,129 +228,140 @@ static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd
     return xsm_default_action(XSM_PRIV, d, NULL);
 }
 
-static XSM_INLINE int dummy_profile(XSM_DEFAULT_ARG struct domain *d, int op)
+static inline int dummy_profile(struct domain *d, int op)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int dummy_kexec(XSM_DEFAULT_VOID)
+static inline int dummy_kexec(void)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_schedop_shutdown(struct domain *d1,
+                                                 struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
-                                          struct page_info *page)
+static inline int dummy_memory_pin_page(struct domain *d1,
+                                                struct domain *d2,
+                                                struct page_info *page)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_claim_pages(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
-                                         domid_t id2)
+static inline int dummy_evtchn_unbound(struct domain *d,
+                                               struct evtchn *chn,
+                                               domid_t id2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
-                                *chan1, struct domain *d2, struct evtchn *chan2)
+static inline int dummy_evtchn_interdomain(struct domain *d1,
+                                                   struct evtchn *chan1,
+                                                   struct domain *d2,
+                                                   struct evtchn *chan2)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE void dummy_evtchn_close_post(struct evtchn *chn)
+static inline void dummy_evtchn_close_post(struct evtchn *chn)
 {
     return;
 }
 
-static XSM_INLINE int dummy_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static inline int dummy_evtchn_send(struct domain *d,
+                                            struct evtchn *chn)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int dummy_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static inline int dummy_evtchn_status(struct domain *d,
+                                              struct evtchn *chn)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_evtchn_reset(struct domain *d1,
+                                             struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_alloc_security_evtchns(
-    struct evtchn chn[], unsigned int nr)
+static inline int dummy_alloc_security_evtchns(struct evtchn chn[],
+                                                       unsigned int nr)
 {
     return 0;
 }
 
-static XSM_INLINE void dummy_free_security_evtchns(
-    struct evtchn chn[], unsigned int nr)
+static inline void dummy_free_security_evtchns(struct evtchn chn[],
+                                                       unsigned int nr)
 {
     return;
 }
 
-static XSM_INLINE char *dummy_show_security_evtchn(struct domain *d, const struct evtchn *chn)
+static inline char *dummy_show_security_evtchn(struct domain *d,
+                                                       const struct evtchn *chn)
 {
     return NULL;
 }
 
-static XSM_INLINE int dummy_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_init_hardware_domain(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_get_pod_target(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_set_pod_target(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_get_vnumainfo(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static XSM_INLINE int dummy_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static inline int dummy_get_device_group(uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static inline int dummy_assign_device(struct domain *d,
+                                              uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static inline int dummy_deassign_device(struct domain *d,
+                                                uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
@@ -356,15 +370,15 @@ static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, ui
 #endif /* HAS_PASSTHROUGH && HAS_PCI */
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static XSM_INLINE int dummy_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
-                                          const char *dtpath)
+static inline int dummy_assign_dtdevice(struct domain *d,
+                                                const char *dtpath)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
-                                            const char *dtpath)
+static inline int dummy_deassign_dtdevice(struct domain *d,
+                                                  const char *dtpath)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
@@ -372,178 +386,190 @@ static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
-static XSM_INLINE int dummy_resource_plug_core(XSM_DEFAULT_VOID)
+static inline int dummy_resource_plug_core(void)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
+static inline int dummy_resource_unplug_core(void)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static inline int dummy_resource_plug_pci(uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static inline int dummy_resource_unplug_pci(uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static inline int dummy_resource_setup_pci(uint32_t machine_bdf)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
+static inline int dummy_resource_setup_gsi(int gsi)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
+static inline int dummy_resource_setup_misc(void)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
+static inline int dummy_page_offline(uint32_t cmd)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_hypfs_op(XSM_DEFAULT_VOID)
+static inline int dummy_hypfs_op(void)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static inline long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return -ENOSYS;
 }
 
 #ifdef CONFIG_COMPAT
-static XSM_INLINE int dummy_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static inline int dummy_do_compat_op(
+                                XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return -ENOSYS;
 }
 #endif
 
-static XSM_INLINE char *dummy_show_irq_sid(int irq)
+static inline char *dummy_show_irq_sid(int irq)
 {
     return NULL;
 }
 
-static XSM_INLINE int dummy_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_map_domain_pirq(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
-                                         int irq, const void *data)
+static inline int dummy_map_domain_irq(struct domain *d, int irq,
+                                               const void *data)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_unmap_domain_pirq(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static inline int dummy_bind_pt_irq(struct domain *d,
+                                            struct xen_domctl_bind_pt_irq *bind)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static inline int dummy_unbind_pt_irq(struct domain *d,
+                                        struct xen_domctl_bind_pt_irq *bind)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
-                                           int irq, const void *data)
+static inline int dummy_unmap_domain_irq(struct domain *d, int irq,
+                                                 const void *data)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
+static inline int dummy_irq_permission(struct domain *d, int pirq,
+                                               uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int dummy_iomem_permission(struct domain *d, uint64_t s,
+                                                 uint64_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int dummy_iomem_mapping(struct domain *d, uint64_t s,
+                                              uint64_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
-                                        uint16_t start, uint16_t end,
-                                        uint8_t access)
+static inline int dummy_pci_config_permission(struct domain *d,
+                                                      uint32_t machine_bdf,
+                                                      uint16_t start,
+                                                      uint16_t end,
+                                                      uint8_t access)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_add_to_physmap(struct domain *d1,
+                                               struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static inline int dummy_remove_from_physmap(struct domain *d1,
+                                                    struct domain *d2)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d1, d2);
 }
 
-static XSM_INLINE int dummy_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static inline int dummy_map_gmfn_foreign(struct domain *d,
+                                                 struct domain *t)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, t);
 }
 
-static XSM_INLINE int dummy_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static inline int dummy_hvm_param(struct domain *d, unsigned long op)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static inline int dummy_hvm_control(struct domain *d, unsigned long op)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_hvm_param_altp2mhvm(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
+static inline int dummy_hvm_altp2mhvm_op(struct domain *d,
+                                                 uint64_t mode, uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
 
@@ -562,14 +588,15 @@ static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, u
     }
 }
 
-static XSM_INLINE int dummy_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
+static inline int dummy_vm_event_control(struct domain *d, int mode,
+                                                 int op)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
 #ifdef CONFIG_MEM_ACCESS
-static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_mem_access(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
@@ -577,7 +604,7 @@ static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
 #endif
 
 #ifdef CONFIG_MEM_PAGING
-static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_mem_paging(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
@@ -585,58 +612,59 @@ static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
 #endif
 
 #ifdef CONFIG_MEM_SHARING
-static XSM_INLINE int dummy_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_mem_sharing(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 #endif
 
-static XSM_INLINE int dummy_platform_op(XSM_DEFAULT_ARG uint32_t op)
+static inline int dummy_platform_op(uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
 #ifdef CONFIG_X86
-static XSM_INLINE int dummy_do_mca(XSM_DEFAULT_VOID)
+static inline int dummy_do_mca(void)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
+static inline int dummy_shadow_control(struct domain *d, uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
+static inline int dummy_mem_sharing_op(struct domain *d,
+                                               struct domain *cd, int op)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, cd);
 }
 
-static XSM_INLINE int dummy_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static inline int dummy_apic(struct domain *d, int cmd)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, d, NULL);
 }
 
-static XSM_INLINE int dummy_machine_memory_map(XSM_DEFAULT_VOID)
+static inline int dummy_machine_memory_map(void)
 {
     XSM_ASSERT_ACTION(XSM_PRIV);
     return xsm_default_action(action, current->domain, NULL);
 }
 
-static XSM_INLINE int dummy_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_domain_memory_map(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
-                                     struct domain *f, uint32_t flags)
+static inline int dummy_mmu_update(struct domain *d, struct domain *t,
+                                           struct domain *f, uint32_t flags)
 {
     int rc = 0;
     XSM_ASSERT_ACTION(XSM_TARGET);
@@ -647,38 +675,41 @@ static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct
     return rc;
 }
 
-static XSM_INLINE int dummy_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
+static inline int dummy_mmuext_op(struct domain *d, struct domain *f)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, f);
 }
 
-static XSM_INLINE int dummy_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f,
-                                                            l1_pgentry_t pte)
+static inline int dummy_update_va_mapping(struct domain *d,
+                                                  struct domain *f,
+                                                  l1_pgentry_t pte)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, f);
 }
 
-static XSM_INLINE int dummy_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static inline int dummy_priv_mapping(struct domain *d, struct domain *t)
 {
     XSM_ASSERT_ACTION(XSM_TARGET);
     return xsm_default_action(action, d, t);
 }
 
-static XSM_INLINE int dummy_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int dummy_ioport_permission(struct domain *d, uint32_t s,
+                                                  uint32_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int dummy_ioport_mapping(struct domain *d, uint32_t s,
+                                               uint32_t e, uint8_t allow)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
+static inline int dummy_pmu_op (struct domain *d, unsigned int op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
@@ -695,31 +726,31 @@ static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned i
 
 #endif /* CONFIG_X86 */
 
-static XSM_INLINE int dummy_dm_op(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_dm_op(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
 #ifdef CONFIG_ARGO
-static XSM_INLINE int dummy_argo_enable(const struct domain *d)
+static inline int dummy_argo_enable(const struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE int dummy_argo_register_single_source(const struct domain *d,
-                                                      const struct domain *t)
+static inline int dummy_argo_register_single_source(const struct domain *d,
+                                                            const struct domain *t)
 {
     return 0;
 }
 
-static XSM_INLINE int dummy_argo_register_any_source(const struct domain *d)
+static inline int dummy_argo_register_any_source(const struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE int dummy_argo_send(const struct domain *d,
-                                    const struct domain *t)
+static inline int dummy_argo_send(const struct domain *d,
+                                          const struct domain *t)
 {
     return 0;
 }
@@ -727,7 +758,7 @@ static XSM_INLINE int dummy_argo_send(const struct domain *d,
 #endif /* CONFIG_ARGO */
 
 #include <public/version.h>
-static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
+static inline int dummy_xen_version(uint32_t op)
 {
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
@@ -751,7 +782,7 @@ static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
     }
 }
 
-static XSM_INLINE int dummy_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
+static inline int dummy_domain_resource_map(struct domain *d)
 {
     XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [PATCH v2 10/10] xsm: removing the XSM_ASSERT_ACTION macro
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (8 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 09/10] xsm: expand the function related macros in dummy.h Daniel P. Smith
@ 2021-07-12 20:32 ` Daniel P. Smith
  2021-07-12 23:12 ` [PATCH v2 00/10] xsm: refactoring xsm hooks Andrew Cooper
  10 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-12 20:32 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel P. Smith, Daniel De Graaf

With the eliminations of default priv from all the XSM hook call sites, this
renders the XSM_ASSERT_ACTION macro unneeded. This commit cleans up all the
dummy hooks, removing the macro.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/xsm/dummy.h | 253 +++++++++++++++---------------------------------
 1 file changed, 80 insertions(+), 173 deletions(-)

diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
index 1cb26e4146..1aaec86b05 100644
--- a/xen/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -6,13 +6,6 @@
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License version 2,
  *  as published by the Free Software Foundation.
- *
- *
- *  Each XSM hook implementing an access check should have its first parameter
- *  preceded by (or use XSM_DEFAULT_VOID if it has no
- *  arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
- *  with the expected type of the hook, which will either define or check the
- *  value of action.
  */
 
 #include <xen/sched.h>
@@ -47,7 +40,6 @@ void __xsm_action_mismatch_detected(void);
  * xsm_default_t argument available, so the value from the assertion is used to
  * initialize the variable.
  */
-#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
 
 static always_inline int xsm_default_action(xsm_default_t action,
                                             struct domain *src,
@@ -87,37 +79,31 @@ static inline void dummy_security_domaininfo(struct domain *d,
 
 static inline int dummy_domain_create(struct domain *d, u32 ssidref)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_getdomaininfo(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_domctl_scheduler_op(struct domain *d, int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_sysctl_scheduler_op(int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_set_target(struct domain *d, struct domain *e)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_domctl(struct domain *d, int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( cmd )
     {
     case XEN_DOMCTL_ioport_mapping:
@@ -134,14 +120,12 @@ static inline int dummy_domctl(struct domain *d, int cmd)
 
 static inline int dummy_sysctl(int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_readconsole(uint32_t clear)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_alloc_security_domain(struct domain *d)
@@ -158,67 +142,57 @@ static inline int dummy_grant_mapref(struct domain *d1,
                                              struct domain *d2,
                                              uint32_t flags)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline int dummy_grant_unmapref(struct domain *d1,
                                                struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline int dummy_grant_setup(struct domain *d1,
                                             struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_grant_transfer(struct domain *d1,
                                                struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline int dummy_grant_copy(struct domain *d1, struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline int dummy_grant_query_size(struct domain *d1,
                                                  struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_memory_exchange(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 static inline int dummy_memory_adjust_reservation(struct domain *d1,
                                                           struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_memory_stat_reservation(struct domain *d1,
                                                         struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_console_io(struct domain *d, int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_OTHER);
     if ( d->is_console )
         return xsm_default_action(XSM_HOOK, d, NULL);
 #ifdef CONFIG_VERBOSE_DEBUG
@@ -230,43 +204,37 @@ static inline int dummy_console_io(struct domain *d, int cmd)
 
 static inline int dummy_profile(struct domain *d, int op)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d, NULL);
+    return xsm_default_action(XSM_HOOK, d, NULL);
 }
 
 static inline int dummy_kexec(void)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_schedop_shutdown(struct domain *d1,
                                                  struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_PRIV, d1, d2);
 }
 
 static inline int dummy_memory_pin_page(struct domain *d1,
                                                 struct domain *d2,
                                                 struct page_info *page)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline int dummy_claim_pages(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_PRIV, current->domain, d);
 }
 
 static inline int dummy_evtchn_unbound(struct domain *d,
                                                struct evtchn *chn,
                                                domid_t id2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 static inline int dummy_evtchn_interdomain(struct domain *d1,
@@ -274,8 +242,7 @@ static inline int dummy_evtchn_interdomain(struct domain *d1,
                                                    struct domain *d2,
                                                    struct evtchn *chan2)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_HOOK, d1, d2);
 }
 
 static inline void dummy_evtchn_close_post(struct evtchn *chn)
@@ -286,22 +253,19 @@ static inline void dummy_evtchn_close_post(struct evtchn *chn)
 static inline int dummy_evtchn_send(struct domain *d,
                                             struct evtchn *chn)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, d, NULL);
+    return xsm_default_action(XSM_HOOK, d, NULL);
 }
 
 static inline int dummy_evtchn_status(struct domain *d,
                                               struct evtchn *chn)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 static inline int dummy_evtchn_reset(struct domain *d1,
                                              struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_alloc_security_evtchns(struct evtchn chn[],
@@ -324,47 +288,40 @@ static inline char *dummy_show_security_evtchn(struct domain *d,
 
 static inline int dummy_init_hardware_domain(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_get_pod_target(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_PRIV, current->domain, d);
 }
 
 static inline int dummy_set_pod_target(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_PRIV, current->domain, d);
 }
 
 static inline int dummy_get_vnumainfo(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 #if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
 static inline int dummy_get_device_group(uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_assign_device(struct domain *d,
                                               uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_deassign_device(struct domain *d,
                                                 uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 #endif /* HAS_PASSTHROUGH && HAS_PCI */
@@ -373,71 +330,60 @@ static inline int dummy_deassign_device(struct domain *d,
 static inline int dummy_assign_dtdevice(struct domain *d,
                                                 const char *dtpath)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_deassign_dtdevice(struct domain *d,
                                                   const char *dtpath)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 #endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
 
 static inline int dummy_resource_plug_core(void)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_resource_unplug_core(void)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_resource_plug_pci(uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_resource_unplug_pci(uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_resource_setup_pci(uint32_t machine_bdf)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_resource_setup_gsi(int gsi)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_resource_setup_misc(void)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_page_offline(uint32_t cmd)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_HOOK, current->domain, NULL);
 }
 
 static inline int dummy_hypfs_op(void)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
@@ -460,63 +406,54 @@ static inline char *dummy_show_irq_sid(int irq)
 
 static inline int dummy_map_domain_pirq(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 
 static inline int dummy_map_domain_irq(struct domain *d, int irq,
                                                const void *data)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_unmap_domain_pirq(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 
 static inline int dummy_bind_pt_irq(struct domain *d,
                                             struct xen_domctl_bind_pt_irq *bind)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_unbind_pt_irq(struct domain *d,
                                         struct xen_domctl_bind_pt_irq *bind)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_unmap_domain_irq(struct domain *d, int irq,
                                                  const void *data)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_irq_permission(struct domain *d, int pirq,
                                                uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_iomem_permission(struct domain *d, uint64_t s,
                                                  uint64_t e, uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_iomem_mapping(struct domain *d, uint64_t s,
                                               uint64_t e, uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_pci_config_permission(struct domain *d,
@@ -525,54 +462,45 @@ static inline int dummy_pci_config_permission(struct domain *d,
                                                       uint16_t end,
                                                       uint8_t access)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_add_to_physmap(struct domain *d1,
                                                struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_remove_from_physmap(struct domain *d1,
                                                     struct domain *d2)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d1, d2);
+    return xsm_default_action(XSM_TARGET, d1, d2);
 }
 
 static inline int dummy_map_gmfn_foreign(struct domain *d,
                                                  struct domain *t)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d, t);
+    return xsm_default_action(XSM_TARGET, d, t);
 }
 
 static inline int dummy_hvm_param(struct domain *d, unsigned long op)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 static inline int dummy_hvm_control(struct domain *d, unsigned long op)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 
 static inline int dummy_hvm_param_altp2mhvm(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_PRIV, current->domain, d);
 }
 
 static inline int dummy_hvm_altp2mhvm_op(struct domain *d,
                                                  uint64_t mode, uint32_t op)
 {
-    XSM_ASSERT_ACTION(XSM_OTHER);
-
     switch ( mode )
     {
     case XEN_ALTP2M_mixed:
@@ -591,127 +519,109 @@ static inline int dummy_hvm_altp2mhvm_op(struct domain *d,
 static inline int dummy_vm_event_control(struct domain *d, int mode,
                                                  int op)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_PRIV, current->domain, d);
 }
 
 #ifdef CONFIG_MEM_ACCESS
 static inline int dummy_mem_access(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_PAGING
 static inline int dummy_mem_paging(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 #endif
 
 #ifdef CONFIG_MEM_SHARING
 static inline int dummy_mem_sharing(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 #endif
 
 static inline int dummy_platform_op(uint32_t op)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 #ifdef CONFIG_X86
 static inline int dummy_do_mca(void)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_shadow_control(struct domain *d, uint32_t op)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_mem_sharing_op(struct domain *d,
                                                struct domain *cd, int op)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, cd);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, cd);
 }
 
 static inline int dummy_apic(struct domain *d, int cmd)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, d, NULL);
+    return xsm_default_action(XSM_PRIV, d, NULL);
 }
 
 static inline int dummy_machine_memory_map(void)
 {
-    XSM_ASSERT_ACTION(XSM_PRIV);
-    return xsm_default_action(action, current->domain, NULL);
+    return xsm_default_action(XSM_PRIV, current->domain, NULL);
 }
 
 static inline int dummy_domain_memory_map(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_TARGET, current->domain, d);
 }
 
 static inline int dummy_mmu_update(struct domain *d, struct domain *t,
                                            struct domain *f, uint32_t flags)
 {
     int rc = 0;
-    XSM_ASSERT_ACTION(XSM_TARGET);
     if ( f != dom_io )
-        rc = xsm_default_action(action, d, f);
+        rc = xsm_default_action(XSM_TARGET, d, f);
     if ( evaluate_nospec(t) && !rc )
-        rc = xsm_default_action(action, d, t);
+        rc = xsm_default_action(XSM_TARGET, d, t);
     return rc;
 }
 
 static inline int dummy_mmuext_op(struct domain *d, struct domain *f)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d, f);
+    return xsm_default_action(XSM_TARGET, d, f);
 }
 
 static inline int dummy_update_va_mapping(struct domain *d,
                                                   struct domain *f,
                                                   l1_pgentry_t pte)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d, f);
+    return xsm_default_action(XSM_TARGET, d, f);
 }
 
 static inline int dummy_priv_mapping(struct domain *d, struct domain *t)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
-    return xsm_default_action(action, d, t);
+    return xsm_default_action(XSM_TARGET, d, t);
 }
 
 static inline int dummy_ioport_permission(struct domain *d, uint32_t s,
                                                   uint32_t e, uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_ioport_mapping(struct domain *d, uint32_t s,
                                                uint32_t e, uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_HOOK, current->domain, d);
 }
 
 static inline int dummy_pmu_op (struct domain *d, unsigned int op)
 {
-    XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
     {
     case XENPMU_init:
@@ -728,8 +638,7 @@ static inline int dummy_pmu_op (struct domain *d, unsigned int op)
 
 static inline int dummy_dm_op(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
 
 #ifdef CONFIG_ARGO
@@ -760,7 +669,6 @@ static inline int dummy_argo_send(const struct domain *d,
 #include <public/version.h>
 static inline int dummy_xen_version(uint32_t op)
 {
-    XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( op )
     {
     case XENVER_version:
@@ -784,6 +692,5 @@ static inline int dummy_xen_version(uint32_t op)
 
 static inline int dummy_domain_resource_map(struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_DM_PRIV);
-    return xsm_default_action(action, current->domain, d);
+    return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 }
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 00/10] xsm: refactoring xsm hooks
  2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
                   ` (9 preceding siblings ...)
  2021-07-12 20:32 ` [PATCH v2 10/10] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
@ 2021-07-12 23:12 ` Andrew Cooper
  10 siblings, 0 replies; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:12 UTC (permalink / raw)
  To: Daniel P. Smith, xen-devel

On 12/07/2021 21:32, Daniel P. Smith wrote:
> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
> patch set is being split into two separate patch sets. This is the first
> patch set and is focused purely on the clean up and refactoring of the
> XSM hooks.
>
> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
> infrastructure. Then proceeds to move and realign the headers to remove the
> psuedo is/is not enable implementation. The remainder of the changes are clean up
> and removing no longer necessary abstractions.
>
> v2:
>  - restructured the patches, breaking them up as needed
>  - incorporate Andrew Cooper's alternative call common code
>  - change XSM module registration, removing register_xsm
>  - incoporate KConfig recommendations
>  - reworded commit messages
>  - incorporate macro expansion recommendations
>  - misc clean-up fallout from recommendations

CI is heavily broken atm, but there is one issue I've spotted which is
introduced by this series.

https://gitlab.com/xen-project/patchew/xen/-/jobs/1418359368

In file included from xsm_policy.c:21:
/builds/xen-project/patchew/xen/xen/include/xsm/xsm.h: In function
'xsm_security_domaininfo':
/builds/xen-project/patchew/xen/xen/include/xsm/xsm.h:30:5: error:
implicit declaration of function 'alternative_vcall'
[-Werror=implicit-function-declaration]
   30 |     alternative_vcall(xsm_ops.security_domaininfo, d, info);
      |     ^~~~~~~~~~~~~~~~~


You need to drop the XSM guard around including xen/alternative-call.h
in patch 4, especially seeing as as you don't delete it in patch 6 where
CONFIG_XSM formally disappears.  The x86 build only works by chance,
with asm/alternative.h being included implicitly.

~Andrew



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 03/10] xsm: remove the ability to disable flask
  2021-07-12 20:32 ` [PATCH v2 03/10] xsm: remove the ability to disable flask Daniel P. Smith
@ 2021-07-12 23:22   ` Andrew Cooper
  2021-07-15 17:17     ` Daniel P. Smith
  2021-07-14 15:58   ` Jan Beulich
  1 sibling, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:22 UTC (permalink / raw)
  To: Daniel P. Smith, xen-devel; +Cc: Daniel De Graaf

On 12/07/2021 21:32, Daniel P. Smith wrote:
> The flask XSM module provided the ability to switch from flask back to
> the dummy XSM module during runtime. With this removal the only way to
> switch between XSM modules is at boot time.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>

This patch wants reordering ahead of "xsm: refactor xsm_ops handling"
which will reduce the churn in that patch.

In addition, you want:

diff --git a/xen/include/public/xsm/flask_op.h
b/xen/include/public/xsm/flask_op.h
index 16af7bc22f75..b41dd6dac894 100644
--- a/xen/include/public/xsm/flask_op.h
+++ b/xen/include/public/xsm/flask_op.h
@@ -188,7 +188,7 @@ struct xen_flask_op {
 #define FLASK_SETBOOL           12
 #define FLASK_COMMITBOOLS       13
 #define FLASK_MLS               14
-#define FLASK_DISABLE           15
+#define FLASK_DISABLE           15 /* No longer implemented */
 #define FLASK_GETAVC_THRESHOLD  16
 #define FLASK_SETAVC_THRESHOLD  17
 #define FLASK_AVC_HASHSTATS     18

to match the removal of FLASK_USER in c/s 559f439bfa3bf

~Andrew

^ permalink raw reply related	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 02/10] xsm: refactor xsm_ops handling
  2021-07-12 20:32 ` [PATCH v2 02/10] xsm: refactor xsm_ops handling Daniel P. Smith
@ 2021-07-12 23:39   ` Andrew Cooper
  2021-07-14 15:54     ` Jan Beulich
  2021-07-15 17:16     ` Daniel P. Smith
  0 siblings, 2 replies; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:39 UTC (permalink / raw)
  To: Daniel P. Smith, xen-devel; +Cc: Daniel De Graaf

On 12/07/2021 21:32, Daniel P. Smith wrote:
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index ad3cddbf7d..a8805f514b 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -747,16 +747,14 @@ extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
>  extern bool has_xsm_magic(paddr_t);
>  #endif
>  
> -extern int register_xsm(struct xsm_operations *ops);
> -
> -extern struct xsm_operations dummy_xsm_ops;
>  extern void xsm_fixup_ops(struct xsm_operations *ops);
>  
>  #ifdef CONFIG_XSM_FLASK
> -extern void flask_init(const void *policy_buffer, size_t policy_size);
> +extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
>  #else
> -static inline void flask_init(const void *policy_buffer, size_t policy_size)
> +static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
>  {
> +    return NULL;
>  }
>  #endif

As you touch almost every current user of xsm_operations and introduce
quite a few more, can I recommend taking the opportunity to shorten the
name to struct xsm_ops.

> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
> index 01e52138a1..32e079d676 100644
> --- a/xen/xsm/flask/flask_op.c
> +++ b/xen/xsm/flask/flask_op.c
> @@ -226,6 +226,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
>  static int flask_disable(void)
>  {
>      static int flask_disabled = 0;
> +    struct xsm_operations default_ops;
>  
>      if ( ss_initialized )
>      {
> @@ -244,7 +245,8 @@ static int flask_disable(void)
>      flask_disabled = 1;
>  
>      /* Reset xsm_ops to the original module. */
> -    xsm_ops = &dummy_xsm_ops;
> +    xsm_fixup_ops(&default_ops);
> +    xsm_ops = default_ops;
>  
>      return 0;
>  }

These two hunks will disappear when patch 3 is reordered with respect to
this one.

... which is good because you've just pointed xsm_ops at a
soon-to-be-out-of-scope local variable on the stack.

> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index f1a1217c98..a3a88aa8ed 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -1883,7 +1883,8 @@ static struct xsm_operations flask_ops = {
>  #endif
>  };

flask and silo ops should become:

static const struct xsm_ops __initconst {flask,silo}_ops = {

as they're neither modified, nor needed after init, following this change.

>  
> -void __init flask_init(const void *policy_buffer, size_t policy_size)
> +struct xsm_operations __init *flask_init(const void *policy_buffer,
> +					 size_t policy_size)

struct xsm_ops *__init flask_init(...)

Otherwise you've got the __init in the middle of the return type, and
some compilers are more picky than others.

> @@ -1923,6 +1921,9 @@ void __init flask_init(const void *policy_buffer, size_t policy_size)
>          printk(XENLOG_INFO "Flask:  Starting in enforcing mode.\n");
>      else
>          printk(XENLOG_INFO "Flask:  Starting in permissive mode.\n");
> +
> +    return &flask_ops;
> +

Stray newline.

>  }
>  
>  /*
> diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
> index fc2ca5cd2d..808350f122 100644
> --- a/xen/xsm/silo.c
> +++ b/xen/xsm/silo.c
> @@ -112,12 +112,11 @@ static struct xsm_operations silo_xsm_ops = {
>  #endif
>  };
>  
> -void __init silo_init(void)
> +struct xsm_operations __init *silo_init(void)

Same here as with flask.

> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
> index 5eab21e1b1..7265f742e9 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> @@ -68,17 +76,10 @@ static int __init parse_xsm_param(const char *s)
>  }
>  custom_param("xsm", parse_xsm_param);
>  
> -static inline int verify(struct xsm_operations *ops)
> -{
> -    /* verify the security_operations structure exists */
> -    if ( !ops )
> -        return -EINVAL;
> -    xsm_fixup_ops(ops);
> -    return 0;
> -}
> -
>  static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>  {
> +	struct xsm_operations *mod_ops;
> +

Hard tabs, and later in this function.  Also, how about just 'ops' for
the local variable name?

> @@ -113,6 +124,17 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>          break;
>      }
>  
> +    /*
> +     * This handles three cases,
> +     *   - dummy policy module was selected
> +     *   - a policy module  does not provide all handlers

Stray double space.

~Andrew



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call
  2021-07-12 20:32 ` [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call Daniel P. Smith
@ 2021-07-12 23:44   ` Andrew Cooper
  2021-07-15 17:20     ` Daniel P. Smith
  0 siblings, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:44 UTC (permalink / raw)
  To: Daniel P. Smith, xen-devel; +Cc: Daniel De Graaf

On 12/07/2021 21:32, Daniel P. Smith wrote:
> To reduce retpolines convert all the pointer function calls of the
> xsm_ops hooks over to the alternative_call infrastructure.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> ---
>  xen/include/xsm/xsm.h | 195 +++++++++++++++++++++---------------------
>  1 file changed, 99 insertions(+), 96 deletions(-)
>
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index a8805f514b..a39b5dc42f 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -15,6 +15,9 @@
>  #ifndef __XSM_H__
>  #define __XSM_H__
>  
> +#ifdef CONFIG_XSM
> +#include <xen/alternative-call.h>
> +#endif

This guard needs dropping to fix the build on ARM.

Otherwise, Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
@ 2021-07-12 23:48   ` Andrew Cooper
  2021-07-13  6:28     ` Jan Beulich
  2021-07-14 15:35   ` Jan Beulich
  1 sibling, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:48 UTC (permalink / raw)
  To: Daniel P. Smith, Wei Liu, xen-devel
  Cc: Jan Beulich, Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini

On 12/07/2021 21:32, Daniel P. Smith wrote:
> diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
> new file mode 100644
> index 0000000000..11d1c26068
> --- /dev/null
> +++ b/xen/include/xen/alternative-call.h
> @@ -0,0 +1,65 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef XEN_ALTERNATIVE_CALL
> +#define XEN_ALTERNATIVE_CALL
> +
> +/*
> + * Some subsystems in Xen may have multiple implementions, which can be
> + * resolved to a single implementation at boot time.  By default, this will
> + * result in the use of function pointers.
> + *
> + * Some architectures may have mechanisms for dynamically modifying .text.
> + * Using this mechnaism, function pointers can be converted to direct calls
> + * which are typically more efficient at runtime.
> + *
> + * For architectures to support:
> + *
> + * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
> + *   requirements are to emit a function pointer call at build time, and stash
> + *   enough metadata to simplify the call at boot once the implementation has
> + *   been resolved.
> + * - Select ALTERNATIVE_CALL in Kconfig.
> + *
> + * To use:
> + *
> + * Consider the following simplified example.
> + *
> + *  1) struct foo_ops __alt_call_maybe_initdata ops;
> + *
> + *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
> + *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };

It occurs to me after reviewing patch 2 that these want to be const
struct foo_ops __initconst ..., and there is no need for
__alt_call_maybe_initconst at all.

The only thing wanting a conditional annotation like this is the single
ops object, and it needs to be initdata (or hopefully ro_after_init in
the future).

~Andrew


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 07/10] xsm: drop generic event channel labeling
  2021-07-12 20:32 ` [PATCH v2 07/10] xsm: drop generic event channel labeling Daniel P. Smith
@ 2021-07-12 23:52   ` Andrew Cooper
  2021-07-15 17:26     ` Daniel P. Smith
  2021-07-16  7:03   ` Jan Beulich
  1 sibling, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-12 23:52 UTC (permalink / raw)
  To: Daniel P. Smith, xen-devel
  Cc: George Dunlap, Ian Jackson, Jan Beulich, Julien Grall,
	Stefano Stabellini, Wei Liu

On 12/07/2021 21:32, Daniel P. Smith wrote:
> The generic event channel labeling has not been used by any XSM module since
> its introduction. This commit removes the capability leaving FLASK labeling
> field always present. In the future if a new XSM module needs to have its own
> channel label, this or a new form can be introduced.

You're missing a SoB line.

Also, this too would benefit from being reordered higher than patch 6,
to reduce the churn there.


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-12 23:48   ` Andrew Cooper
@ 2021-07-13  6:28     ` Jan Beulich
  2021-07-13  8:36       ` Andrew Cooper
  0 siblings, 1 reply; 44+ messages in thread
From: Jan Beulich @ 2021-07-13  6:28 UTC (permalink / raw)
  To: Andrew Cooper, Daniel P. Smith
  Cc: Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini,
	xen-devel, Wei Liu

On 13.07.2021 01:48, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
>> new file mode 100644
>> index 0000000000..11d1c26068
>> --- /dev/null
>> +++ b/xen/include/xen/alternative-call.h
>> @@ -0,0 +1,65 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef XEN_ALTERNATIVE_CALL
>> +#define XEN_ALTERNATIVE_CALL
>> +
>> +/*
>> + * Some subsystems in Xen may have multiple implementions, which can be
>> + * resolved to a single implementation at boot time.  By default, this will
>> + * result in the use of function pointers.
>> + *
>> + * Some architectures may have mechanisms for dynamically modifying .text.
>> + * Using this mechnaism, function pointers can be converted to direct calls
>> + * which are typically more efficient at runtime.
>> + *
>> + * For architectures to support:
>> + *
>> + * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
>> + *   requirements are to emit a function pointer call at build time, and stash
>> + *   enough metadata to simplify the call at boot once the implementation has
>> + *   been resolved.
>> + * - Select ALTERNATIVE_CALL in Kconfig.
>> + *
>> + * To use:
>> + *
>> + * Consider the following simplified example.
>> + *
>> + *  1) struct foo_ops __alt_call_maybe_initdata ops;
>> + *
>> + *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
>> + *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
> 
> It occurs to me after reviewing patch 2 that these want to be const
> struct foo_ops __initconst ...,

__initconstrel then, I suppose.

> and there is no need for
> __alt_call_maybe_initconst at all.
> 
> The only thing wanting a conditional annotation like this is the single
> ops object, and it needs to be initdata (or hopefully ro_after_init in
> the future).

ro_after_init and initdata can't be alternatives of one another; ops
(until be gain ro_after_init) need to remain in .bss (or .data).

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-13  6:28     ` Jan Beulich
@ 2021-07-13  8:36       ` Andrew Cooper
  2021-07-13  8:53         ` Jan Beulich
  0 siblings, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-13  8:36 UTC (permalink / raw)
  To: Jan Beulich, Daniel P. Smith
  Cc: Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini,
	xen-devel, Wei Liu

On 13/07/2021 07:28, Jan Beulich wrote:
> On 13.07.2021 01:48, Andrew Cooper wrote:
>> On 12/07/2021 21:32, Daniel P. Smith wrote:
>>> diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
>>> new file mode 100644
>>> index 0000000000..11d1c26068
>>> --- /dev/null
>>> +++ b/xen/include/xen/alternative-call.h
>>> @@ -0,0 +1,65 @@
>>> +/* SPDX-License-Identifier: GPL-2.0 */
>>> +#ifndef XEN_ALTERNATIVE_CALL
>>> +#define XEN_ALTERNATIVE_CALL
>>> +
>>> +/*
>>> + * Some subsystems in Xen may have multiple implementions, which can be
>>> + * resolved to a single implementation at boot time.  By default, this will
>>> + * result in the use of function pointers.
>>> + *
>>> + * Some architectures may have mechanisms for dynamically modifying .text.
>>> + * Using this mechnaism, function pointers can be converted to direct calls
>>> + * which are typically more efficient at runtime.
>>> + *
>>> + * For architectures to support:
>>> + *
>>> + * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
>>> + *   requirements are to emit a function pointer call at build time, and stash
>>> + *   enough metadata to simplify the call at boot once the implementation has
>>> + *   been resolved.
>>> + * - Select ALTERNATIVE_CALL in Kconfig.
>>> + *
>>> + * To use:
>>> + *
>>> + * Consider the following simplified example.
>>> + *
>>> + *  1) struct foo_ops __alt_call_maybe_initdata ops;
>>> + *
>>> + *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
>>> + *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
>> It occurs to me after reviewing patch 2 that these want to be const
>> struct foo_ops __initconst ...,
> __initconstrel then, I suppose.
>
>> and there is no need for
>> __alt_call_maybe_initconst at all.
>>
>> The only thing wanting a conditional annotation like this is the single
>> ops object, and it needs to be initdata (or hopefully ro_after_init in
>> the future).
> ro_after_init and initdata can't be alternatives of one another; ops
> (until be gain ro_after_init) need to remain in .bss (or .data).

Once alternatives have run, the ops structure is no longer referenced by
anything at runtime, and can be reclaimed.

All the x86 examples are weird because we've either got extra data
fields which are referenced at runtime, or we've not accelerated all
function pointers.

In neither case does modifying an accelerated function pointer after the
fact do what the programmer expected, and conditionally initdata makes
this far more obvious.

~Andrew



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-13  8:36       ` Andrew Cooper
@ 2021-07-13  8:53         ` Jan Beulich
  0 siblings, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-13  8:53 UTC (permalink / raw)
  To: Andrew Cooper
  Cc: Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini,
	xen-devel, Wei Liu, Daniel P. Smith

On 13.07.2021 10:36, Andrew Cooper wrote:
> On 13/07/2021 07:28, Jan Beulich wrote:
>> On 13.07.2021 01:48, Andrew Cooper wrote:
>>> On 12/07/2021 21:32, Daniel P. Smith wrote:
>>>> diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
>>>> new file mode 100644
>>>> index 0000000000..11d1c26068
>>>> --- /dev/null
>>>> +++ b/xen/include/xen/alternative-call.h
>>>> @@ -0,0 +1,65 @@
>>>> +/* SPDX-License-Identifier: GPL-2.0 */
>>>> +#ifndef XEN_ALTERNATIVE_CALL
>>>> +#define XEN_ALTERNATIVE_CALL
>>>> +
>>>> +/*
>>>> + * Some subsystems in Xen may have multiple implementions, which can be
>>>> + * resolved to a single implementation at boot time.  By default, this will
>>>> + * result in the use of function pointers.
>>>> + *
>>>> + * Some architectures may have mechanisms for dynamically modifying .text.
>>>> + * Using this mechnaism, function pointers can be converted to direct calls
>>>> + * which are typically more efficient at runtime.
>>>> + *
>>>> + * For architectures to support:
>>>> + *
>>>> + * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
>>>> + *   requirements are to emit a function pointer call at build time, and stash
>>>> + *   enough metadata to simplify the call at boot once the implementation has
>>>> + *   been resolved.
>>>> + * - Select ALTERNATIVE_CALL in Kconfig.
>>>> + *
>>>> + * To use:
>>>> + *
>>>> + * Consider the following simplified example.
>>>> + *
>>>> + *  1) struct foo_ops __alt_call_maybe_initdata ops;
>>>> + *
>>>> + *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
>>>> + *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
>>> It occurs to me after reviewing patch 2 that these want to be const
>>> struct foo_ops __initconst ...,
>> __initconstrel then, I suppose.
>>
>>> and there is no need for
>>> __alt_call_maybe_initconst at all.
>>>
>>> The only thing wanting a conditional annotation like this is the single
>>> ops object, and it needs to be initdata (or hopefully ro_after_init in
>>> the future).
>> ro_after_init and initdata can't be alternatives of one another; ops
>> (until be gain ro_after_init) need to remain in .bss (or .data).
> 
> Once alternatives have run, the ops structure is no longer referenced by
> anything at runtime, and can be reclaimed.

Oh, right - if all pointers have been consumed for patching, initdata
is of course fine.

Jan

> All the x86 examples are weird because we've either got extra data
> fields which are referenced at runtime, or we've not accelerated all
> function pointers.
> 
> In neither case does modifying an accelerated function pointer after the
> fact do what the programmer expected, and conditionally initdata makes
> this far more obvious.
> 
> ~Andrew
> 



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code
  2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
  2021-07-12 23:48   ` Andrew Cooper
@ 2021-07-14 15:35   ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-14 15:35 UTC (permalink / raw)
  To: Andrew Cooper
  Cc: Roger Pau Monné,
	George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini,
	Wei Liu, xen-devel, Daniel P. Smith

On 12.07.2021 22:32, Daniel P. Smith wrote:
> --- a/xen/arch/x86/Kconfig
> +++ b/xen/arch/x86/Kconfig
> @@ -9,6 +9,7 @@ config X86
>  	select ARCH_SUPPORTS_INT128
>  	select CORE_PARKING
>  	select HAS_ALTERNATIVE
> +	select ALTERNATIVE_CALL
>  	select HAS_COMPAT
>  	select HAS_CPUFREQ
>  	select HAS_EHCI

Please respect the (at least largely) alphabetical ordering here and ...

> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -25,6 +25,9 @@ config GRANT_TABLE
>  config HAS_ALTERNATIVE
>  	bool
>  
> +config ALTERNATIVE_CALL
> +	bool
> +
>  config HAS_COMPAT
>  	bool

... maybe also here.

> --- /dev/null
> +++ b/xen/include/xen/alternative-call.h
> @@ -0,0 +1,65 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef XEN_ALTERNATIVE_CALL
> +#define XEN_ALTERNATIVE_CALL
> +
> +/*
> + * Some subsystems in Xen may have multiple implementions, which can be
> + * resolved to a single implementation at boot time.  By default, this will
> + * result in the use of function pointers.
> + *
> + * Some architectures may have mechanisms for dynamically modifying .text.
> + * Using this mechnaism, function pointers can be converted to direct calls
> + * which are typically more efficient at runtime.
> + *
> + * For architectures to support:
> + *
> + * - Implement alternative_{,v}call() in asm/alternative.h.  Code generation
> + *   requirements are to emit a function pointer call at build time, and stash
> + *   enough metadata to simplify the call at boot once the implementation has
> + *   been resolved.
> + * - Select ALTERNATIVE_CALL in Kconfig.
> + *
> + * To use:
> + *
> + * Consider the following simplified example.
> + *
> + *  1) struct foo_ops __alt_call_maybe_initdata ops;
> + *
> + *  2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
> + *     struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
> + *
> + *     void foo_init(void)
> + *     {
> + *         ...
> + *         if ( use_impl_a )
> + *             ops = *foo_a_ops;
> + *         else if ( use_impl_b )
> + *             ops = *foo_b_ops;
> + *         ...
> + *     }
> + *
> + *  3) alternative_call(ops.bar, ...);
> + *
> + * There needs to a single ops object (1) which will eventually contain the
> + * function pointers.  This should be populated in foo's init() function (2)
> + * by one of the available implementations.  To call functions, use
> + * alternative_{,v}call() referencing the main ops object (3).
> + */

May be worth adding a sentence about the section annotations, the
more that (as you did point out in an earlier reply) there are
pre-existing cases differing from the general goal here?

> +#ifdef CONFIG_ALTERNATIVE_CALL
> +
> +#include <asm/alternative.h>
> +
> +#define __alt_call_maybe_initdata  __initdata
> +#define __alt_call_maybe_initconst __initconst

As indicated elsewhere, I think this wants to be __initconstrel,
as the function pointers to place in the structures will
definitely involve relocations. Otoh, given your initial reply,
__alt_call_maybe_initdata may be all that's actually needed.

> +#else
> +
> +#define alternative_call(func, args...)  (func)(args)
> +#define alternative_vcall(func, args...) (func)(args)
> +
> +#define __alt_call_maybe_initdata
> +#define __alt_call_maybe_initconst
> +
> +#endif /* !CONFIG_ALTERNATIVE_CALL */
> +#endif /* XEN_ALTERNATIVE_CALL */

I'm surprised you have no "Local variables:" footer comment here.
Not that I need it for anything, but I thought you and others are
quite interested in it to be there.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 02/10] xsm: refactor xsm_ops handling
  2021-07-12 23:39   ` Andrew Cooper
@ 2021-07-14 15:54     ` Jan Beulich
  2021-07-15 17:16     ` Daniel P. Smith
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-14 15:54 UTC (permalink / raw)
  To: Andrew Cooper, Daniel P. Smith; +Cc: Daniel De Graaf, xen-devel

On 13.07.2021 01:39, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
>> index ad3cddbf7d..a8805f514b 100644
>> --- a/xen/include/xsm/xsm.h
>> +++ b/xen/include/xsm/xsm.h
>> @@ -747,16 +747,14 @@ extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
>>  extern bool has_xsm_magic(paddr_t);
>>  #endif
>>  
>> -extern int register_xsm(struct xsm_operations *ops);
>> -
>> -extern struct xsm_operations dummy_xsm_ops;
>>  extern void xsm_fixup_ops(struct xsm_operations *ops);
>>  
>>  #ifdef CONFIG_XSM_FLASK
>> -extern void flask_init(const void *policy_buffer, size_t policy_size);
>> +extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
>>  #else
>> -static inline void flask_init(const void *policy_buffer, size_t policy_size)
>> +static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
>>  {
>> +    return NULL;
>>  }
>>  #endif
> 
> As you touch almost every current user of xsm_operations and introduce
> quite a few more, can I recommend taking the opportunity to shorten the
> name to struct xsm_ops.

+1

>> --- a/xen/xsm/flask/flask_op.c
>> +++ b/xen/xsm/flask/flask_op.c
>> @@ -226,6 +226,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
>>  static int flask_disable(void)
>>  {
>>      static int flask_disabled = 0;
>> +    struct xsm_operations default_ops;
>>  
>>      if ( ss_initialized )
>>      {
>> @@ -244,7 +245,8 @@ static int flask_disable(void)
>>      flask_disabled = 1;
>>  
>>      /* Reset xsm_ops to the original module. */
>> -    xsm_ops = &dummy_xsm_ops;
>> +    xsm_fixup_ops(&default_ops);
>> +    xsm_ops = default_ops;
>>  
>>      return 0;
>>  }
> 
> These two hunks will disappear when patch 3 is reordered with respect to
> this one.
> 
> ... which is good because you've just pointed xsm_ops at a
> soon-to-be-out-of-scope local variable on the stack.

Not really, it's a structure copy now. What I'm concerned about is
the size of that on-stack variable and its lack of an initializer,
undermining the many set_to_dummy_if_null() that xsm_fixup_ops()
uses. Can't xsm_fixup_ops() act on xsm_ops directly, perhaps after
memset()-ing it here first (if nothing else then just to be on the
safe side)?

>> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
>> index f1a1217c98..a3a88aa8ed 100644
>> --- a/xen/xsm/flask/hooks.c
>> +++ b/xen/xsm/flask/hooks.c
>> @@ -1883,7 +1883,8 @@ static struct xsm_operations flask_ops = {
>>  #endif
>>  };
> 
> flask and silo ops should become:
> 
> static const struct xsm_ops __initconst {flask,silo}_ops = {
> 
> as they're neither modified, nor needed after init, following this change.
> 
>>  
>> -void __init flask_init(const void *policy_buffer, size_t policy_size)
>> +struct xsm_operations __init *flask_init(const void *policy_buffer,
>> +					 size_t policy_size)
> 
> struct xsm_ops *__init flask_init(...)
> 
> Otherwise you've got the __init in the middle of the return type, and
> some compilers are more picky than others.

Also, even if {flask,silo}_ops couldn't be const for some reason,
these init functions now want to return a pointer-to-const, as
the caller isn't supposed to modify the struct-s any further.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 03/10] xsm: remove the ability to disable flask
  2021-07-12 20:32 ` [PATCH v2 03/10] xsm: remove the ability to disable flask Daniel P. Smith
  2021-07-12 23:22   ` Andrew Cooper
@ 2021-07-14 15:58   ` Jan Beulich
  2021-07-15 17:19     ` Daniel P. Smith
  1 sibling, 1 reply; 44+ messages in thread
From: Jan Beulich @ 2021-07-14 15:58 UTC (permalink / raw)
  To: Daniel P. Smith; +Cc: Daniel De Graaf, xen-devel

On 12.07.2021 22:32, Daniel P. Smith wrote:
> The flask XSM module provided the ability to switch from flask back to
> the dummy XSM module during runtime. With this removal the only way to
> switch between XSM modules is at boot time.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>

Can you please add a statement as to why you/we want this, perhaps
helping clarify why apparently you think no-one is making use of
this?

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 02/10] xsm: refactor xsm_ops handling
  2021-07-12 23:39   ` Andrew Cooper
  2021-07-14 15:54     ` Jan Beulich
@ 2021-07-15 17:16     ` Daniel P. Smith
  1 sibling, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-15 17:16 UTC (permalink / raw)
  To: Andrew Cooper, xen-devel; +Cc: Daniel De Graaf, Jan Beulich

On 7/12/21 7:39 PM, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
>> index ad3cddbf7d..a8805f514b 100644
>> --- a/xen/include/xsm/xsm.h
>> +++ b/xen/include/xsm/xsm.h
>> @@ -747,16 +747,14 @@ extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
>>  extern bool has_xsm_magic(paddr_t);
>>  #endif
>>  
>> -extern int register_xsm(struct xsm_operations *ops);
>> -
>> -extern struct xsm_operations dummy_xsm_ops;
>>  extern void xsm_fixup_ops(struct xsm_operations *ops);
>>  
>>  #ifdef CONFIG_XSM_FLASK
>> -extern void flask_init(const void *policy_buffer, size_t policy_size);
>> +extern struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size);
>>  #else
>> -static inline void flask_init(const void *policy_buffer, size_t policy_size)
>> +static inline struct xsm_operations *flask_init(const void *policy_buffer, size_t policy_size)
>>  {
>> +    return NULL;
>>  }
>>  #endif
> 
> As you touch almost every current user of xsm_operations and introduce
> quite a few more, can I recommend taking the opportunity to shorten the
> name to struct xsm_ops.

Looks like Jan also agreed, so I will add this to the mix.

>> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
>> index 01e52138a1..32e079d676 100644
>> --- a/xen/xsm/flask/flask_op.c
>> +++ b/xen/xsm/flask/flask_op.c
>> @@ -226,6 +226,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
>>  static int flask_disable(void)
>>  {
>>      static int flask_disabled = 0;
>> +    struct xsm_operations default_ops;
>>  
>>      if ( ss_initialized )
>>      {
>> @@ -244,7 +245,8 @@ static int flask_disable(void)
>>      flask_disabled = 1;
>>  
>>      /* Reset xsm_ops to the original module. */
>> -    xsm_ops = &dummy_xsm_ops;
>> +    xsm_fixup_ops(&default_ops);
>> +    xsm_ops = default_ops;
>>  
>>      return 0;
>>  }
> 
> These two hunks will disappear when patch 3 is reordered with respect to
> this one.
> 
> ... which is good because you've just pointed xsm_ops at a
> soon-to-be-out-of-scope local variable on the stack.
> 

As Jan has pointed out it is not a ref issue, but it was very bad of me
to leave the stack var uninitialized. Regardless as you pointed out,
this will be irrelevant with moving patch 3 ahead of this.

>> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
>> index f1a1217c98..a3a88aa8ed 100644
>> --- a/xen/xsm/flask/hooks.c
>> +++ b/xen/xsm/flask/hooks.c
>> @@ -1883,7 +1883,8 @@ static struct xsm_operations flask_ops = {
>>  #endif
>>  };
> 
> flask and silo ops should become:
> 
> static const struct xsm_ops __initconst {flask,silo}_ops = {
> 
> as they're neither modified, nor needed after init, following this change.
> 

After this and seeing Jan's comments, I am going to walk through this
again and see if there is more adjustments/cleanups I can do/

>>  
>> -void __init flask_init(const void *policy_buffer, size_t policy_size)
>> +struct xsm_operations __init *flask_init(const void *policy_buffer,
>> +					 size_t policy_size)
> 
> struct xsm_ops *__init flask_init(...)
> 
> Otherwise you've got the __init in the middle of the return type, and
> some compilers are more picky than others.

Ack

>> @@ -1923,6 +1921,9 @@ void __init flask_init(const void *policy_buffer, size_t policy_size)
>>          printk(XENLOG_INFO "Flask:  Starting in enforcing mode.\n");
>>      else
>>          printk(XENLOG_INFO "Flask:  Starting in permissive mode.\n");
>> +
>> +    return &flask_ops;
>> +
> 
> Stray newline.

Ack

>>  }
>>  
>>  /*
>> diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
>> index fc2ca5cd2d..808350f122 100644
>> --- a/xen/xsm/silo.c
>> +++ b/xen/xsm/silo.c
>> @@ -112,12 +112,11 @@ static struct xsm_operations silo_xsm_ops = {
>>  #endif
>>  };
>>  
>> -void __init silo_init(void)
>> +struct xsm_operations __init *silo_init(void)
> 
> Same here as with flask.

Ack

>> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
>> index 5eab21e1b1..7265f742e9 100644
>> --- a/xen/xsm/xsm_core.c
>> +++ b/xen/xsm/xsm_core.c
>> @@ -68,17 +76,10 @@ static int __init parse_xsm_param(const char *s)
>>  }
>>  custom_param("xsm", parse_xsm_param);
>>  
>> -static inline int verify(struct xsm_operations *ops)
>> -{
>> -    /* verify the security_operations structure exists */
>> -    if ( !ops )
>> -        return -EINVAL;
>> -    xsm_fixup_ops(ops);
>> -    return 0;
>> -}
>> -
>>  static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>>  {
>> +	struct xsm_operations *mod_ops;
>> +
> 
> Hard tabs, and later in this function.  Also, how about just 'ops' for
> the local variable name?

Ack

>> @@ -113,6 +124,17 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>>          break;
>>      }
>>  
>> +    /*
>> +     * This handles three cases,
>> +     *   - dummy policy module was selected
>> +     *   - a policy module  does not provide all handlers
> 
> Stray double space.

Ack

> ~Andrew
> 

v/r,
dps


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 03/10] xsm: remove the ability to disable flask
  2021-07-12 23:22   ` Andrew Cooper
@ 2021-07-15 17:17     ` Daniel P. Smith
  0 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-15 17:17 UTC (permalink / raw)
  To: Andrew Cooper, xen-devel; +Cc: Daniel De Graaf

On 7/12/21 7:22 PM, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> The flask XSM module provided the ability to switch from flask back to
>> the dummy XSM module during runtime. With this removal the only way to
>> switch between XSM modules is at boot time.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> 
> This patch wants reordering ahead of "xsm: refactor xsm_ops handling"
> which will reduce the churn in that patch.

Ack

> In addition, you want:
> 
> diff --git a/xen/include/public/xsm/flask_op.h
> b/xen/include/public/xsm/flask_op.h
> index 16af7bc22f75..b41dd6dac894 100644
> --- a/xen/include/public/xsm/flask_op.h
> +++ b/xen/include/public/xsm/flask_op.h
> @@ -188,7 +188,7 @@ struct xen_flask_op {
>  #define FLASK_SETBOOL           12
>  #define FLASK_COMMITBOOLS       13
>  #define FLASK_MLS               14
> -#define FLASK_DISABLE           15
> +#define FLASK_DISABLE           15 /* No longer implemented */
>  #define FLASK_GETAVC_THRESHOLD  16
>  #define FLASK_SETAVC_THRESHOLD  17
>  #define FLASK_AVC_HASHSTATS     18
> 
> to match the removal of FLASK_USER in c/s 559f439bfa3bf

Ack



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 03/10] xsm: remove the ability to disable flask
  2021-07-14 15:58   ` Jan Beulich
@ 2021-07-15 17:19     ` Daniel P. Smith
  0 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-15 17:19 UTC (permalink / raw)
  To: Jan Beulich; +Cc: Daniel De Graaf, xen-devel

On 7/14/21 11:58 AM, Jan Beulich wrote:
> On 12.07.2021 22:32, Daniel P. Smith wrote:
>> The flask XSM module provided the ability to switch from flask back to
>> the dummy XSM module during runtime. With this removal the only way to
>> switch between XSM modules is at boot time.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> 
> Can you please add a statement as to why you/we want this, perhaps
> helping clarify why apparently you think no-one is making use of
> this?

Yes, I can expand more on the why.

v/r
dps



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call
  2021-07-12 23:44   ` Andrew Cooper
@ 2021-07-15 17:20     ` Daniel P. Smith
  0 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-15 17:20 UTC (permalink / raw)
  To: Andrew Cooper, xen-devel; +Cc: Daniel De Graaf

On 7/12/21 7:44 PM, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> To reduce retpolines convert all the pointer function calls of the
>> xsm_ops hooks over to the alternative_call infrastructure.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>> ---
>>  xen/include/xsm/xsm.h | 195 +++++++++++++++++++++---------------------
>>  1 file changed, 99 insertions(+), 96 deletions(-)
>>
>> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
>> index a8805f514b..a39b5dc42f 100644
>> --- a/xen/include/xsm/xsm.h
>> +++ b/xen/include/xsm/xsm.h
>> @@ -15,6 +15,9 @@
>>  #ifndef __XSM_H__
>>  #define __XSM_H__
>>  
>> +#ifdef CONFIG_XSM
>> +#include <xen/alternative-call.h>
>> +#endif
> 
> This guard needs dropping to fix the build on ARM.

Ack

> Otherwise, Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 

v/r,
dps


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 07/10] xsm: drop generic event channel labeling
  2021-07-12 23:52   ` Andrew Cooper
@ 2021-07-15 17:26     ` Daniel P. Smith
  0 siblings, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-15 17:26 UTC (permalink / raw)
  To: Andrew Cooper, xen-devel
  Cc: George Dunlap, Ian Jackson, Jan Beulich, Julien Grall,
	Stefano Stabellini, Wei Liu

On 7/12/21 7:52 PM, Andrew Cooper wrote:
> On 12/07/2021 21:32, Daniel P. Smith wrote:
>> The generic event channel labeling has not been used by any XSM module since
>> its introduction. This commit removes the capability leaving FLASK labeling
>> field always present. In the future if a new XSM module needs to have its own
>> channel label, this or a new form can be introduced.
> 
> You're missing a SoB line.

Apologies, i was originally going to squash this but then decided it
probably served to be kept as a standalone commit. Will get the SoB added.

> Also, this too would benefit from being reordered higher than patch 6,
> to reduce the churn there.

Ack

v/r,
dps


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 07/10] xsm: drop generic event channel labeling
  2021-07-12 20:32 ` [PATCH v2 07/10] xsm: drop generic event channel labeling Daniel P. Smith
  2021-07-12 23:52   ` Andrew Cooper
@ 2021-07-16  7:03   ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-16  7:03 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall,
	Stefano Stabellini, Wei Liu, xen-devel

On 12.07.2021 22:32, Daniel P. Smith wrote:
> The generic event channel labeling has not been used by any XSM module since
> its introduction. This commit removes the capability leaving FLASK labeling
> field always present. In the future if a new XSM module needs to have its own
> channel label, this or a new form can be introduced.

I'm not fully convinced of this removal: Does it get in the way of
anything?

> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -120,15 +120,7 @@ struct evtchn
>      unsigned short notify_vcpu_id; /* VCPU for local delivery notification */
>      uint32_t fifo_lastq;           /* Data for identifying last queue. */
>  
> -#ifdef CONFIG_XSM_EVTCHN_LABELING
>      union {
> -#ifdef XSM_NEED_GENERIC_EVTCHN_SSID
> -        /*
> -         * If an XSM module needs more space for its event channel context,
> -         * this pointer stores the necessary data for the security server.
> -         */
> -        void *generic;
> -#endif
>  #ifdef CONFIG_XSM_FLASK
>          /*
>           * Inlining the contents of the structure for FLASK avoids unneeded

This comment's "with only FLASK" now becomes stale, and hence would
imo better be updated.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
@ 2021-07-16  7:23   ` Jan Beulich
  2021-07-16 14:15     ` Andrew Cooper
  2021-07-16  7:37   ` Jan Beulich
  2021-07-27 13:39   ` Ian Jackson
  2 siblings, 1 reply; 44+ messages in thread
From: Jan Beulich @ 2021-07-16  7:23 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Stefano Stabellini, Julien Grall, Andrew Cooper, Ian Jackson,
	Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Petre Pircalabu,
	Paul Durrant, Daniel De Graaf, xen-devel, Tim Deegan,
	Alexandru Isaila, Volodymyr Babchuk, Wei Liu, George Dunlap

On 12.07.2021 22:32, Daniel P. Smith wrote:
> The passing of an xsm_default_t at each of the xsm hook call sites
> served different functions depending on whether XSM was enabled or not.
> When XSM was not enabled it attempted to function as a link-time check
> that declared default action at the call site matched the default
> declared action for that hook in the dummy policy. When XSM was enabled,
> it would just drop the  parameter.
> 
> The removal of these values is two fold. They are a redundancy that
> provides little context, especially when the value is XSM_OTHER.

For XSM_OTHER I may agree, but in general I find the call-site uses
helpful to know at least the rough level of intended restriction.
E.g. ...

> --- a/xen/arch/x86/cpu/mcheck/mce.c
> +++ b/xen/arch/x86/cpu/mcheck/mce.c
> @@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
>      struct xen_mc_msrinject *mc_msrinject;
>      struct xen_mc_mceinject *mc_mceinject;
>  
> -    ret = xsm_do_mca(XSM_PRIV);
> +    ret = xsm_do_mca();

... to now understand what this enforces (or not) I have to go to
the actual implementation, even if I only want to know the trivial
dummy incarnation of it. This effectively extends the "provides
little context" from XSM_OTHER to all hooks.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 09/10] xsm: expand the function related macros in dummy.h
  2021-07-12 20:32 ` [PATCH v2 09/10] xsm: expand the function related macros in dummy.h Daniel P. Smith
@ 2021-07-16  7:34   ` Jan Beulich
  2021-07-24 20:07     ` Daniel P. Smith
  0 siblings, 1 reply; 44+ messages in thread
From: Jan Beulich @ 2021-07-16  7:34 UTC (permalink / raw)
  To: Daniel P. Smith; +Cc: Daniel De Graaf, xen-devel

On 12.07.2021 22:32, Daniel P. Smith wrote:
> With the elimination of switching how dummy.h gets included, the function
> declaration macros are no longer necessary. This commit expands them out to the
> only value for which they will ever be set. This results in function
> declaration lengths changing and since some definitions did not even follow the
> 80 column wrapping style, all function definitions were aligned with the
> predominate style found in core hypervisor code.

I'm afraid this last half sentence is quite far from true:

> @@ -82,43 +79,43 @@ static always_inline int xsm_default_action(
>      }
>  }
>  
> -static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
> +static inline void dummy_security_domaininfo(struct domain *d,
>                                      struct xen_domctl_getdomaininfo *info)

Padding wasn't good here before, but you clearly do not change it to
either of the forms we agreed on as being the goal for consistency:

static inline void dummy_security_domaininfo(struct domain *d,
                                             struct xen_domctl_getdomaininfo *info)

or

static inline void dummy_security_domaininfo(
    struct domain *d,
    struct xen_domctl_getdomaininfo *info)

. Further down there are enough other examples.

> -static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
> +static inline int dummy_domain_create(struct domain *d, u32 ssidref)

When you have to touch lines anyway, may I suggest that you also take
the opportunity and convert u<N> to uint<N>_t, to bring this file
better in line with ./CODING_STYLE?

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
  2021-07-16  7:23   ` Jan Beulich
@ 2021-07-16  7:37   ` Jan Beulich
  2021-07-27 13:39   ` Ian Jackson
  2 siblings, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-16  7:37 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Stefano Stabellini, Julien Grall, Andrew Cooper, Ian Jackson,
	Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf, Volodymyr Babchuk, Wei Liu, George Dunlap,
	Tim Deegan, Alexandru Isaila, Petre Pircalabu, xen-devel

On 12.07.2021 22:32, Daniel P. Smith wrote:
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -30,53 +30,53 @@ static inline void xsm_security_domaininfo (struct domain *d,
>      alternative_vcall(xsm_ops.security_domaininfo, d, info);
>  }
>  
> -static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
> +static inline int xsm_domain_create (struct domain *d, u32 ssidref)

When you have to touch such lines anyway, may I suggest that you also
take the opportunity and drop the stray blanks immediately ahead of
the opening parenthesis, to bring this file better in line with
./CODING_STYLE? And as just said for a later patch, converting u<N>
to uint<N>_t at this occasion would also be nice, for the same reason.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-16  7:23   ` Jan Beulich
@ 2021-07-16 14:15     ` Andrew Cooper
  2021-07-16 14:55       ` Jan Beulich
  0 siblings, 1 reply; 44+ messages in thread
From: Andrew Cooper @ 2021-07-16 14:15 UTC (permalink / raw)
  To: Jan Beulich, Daniel P. Smith
  Cc: Stefano Stabellini, Julien Grall, Ian Jackson,
	Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Petre Pircalabu,
	Paul Durrant, Daniel De Graaf, xen-devel, Tim Deegan,
	Alexandru Isaila, Volodymyr Babchuk, Wei Liu, George Dunlap

On 16/07/2021 08:23, Jan Beulich wrote:
> On 12.07.2021 22:32, Daniel P. Smith wrote:
>> The passing of an xsm_default_t at each of the xsm hook call sites
>> served different functions depending on whether XSM was enabled or not.
>> When XSM was not enabled it attempted to function as a link-time check
>> that declared default action at the call site matched the default
>> declared action for that hook in the dummy policy. When XSM was enabled,
>> it would just drop the  parameter.
>>
>> The removal of these values is two fold. They are a redundancy that
>> provides little context, especially when the value is XSM_OTHER.
> For XSM_OTHER I may agree, but in general I find the call-site uses
> helpful to know at least the rough level of intended restriction.
> E.g. ...
>
>> --- a/xen/arch/x86/cpu/mcheck/mce.c
>> +++ b/xen/arch/x86/cpu/mcheck/mce.c
>> @@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
>>      struct xen_mc_msrinject *mc_msrinject;
>>      struct xen_mc_mceinject *mc_mceinject;
>>  
>> -    ret = xsm_do_mca(XSM_PRIV);
>> +    ret = xsm_do_mca();
> ... to now understand what this enforces (or not) I have to go to
> the actual implementation, even if I only want to know the trivial
> dummy incarnation of it. This effectively extends the "provides
> little context" from XSM_OTHER to all hooks.

The old scheme was even worse because it was only a plausible
approximation for the !XSM case while being actively wrong for SILO and
FLASK.

Furthermore, someone reading the code could be forgiven for thinking
that XSM_HOOK was something other than dead code.

~Andrew


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-16 14:15     ` Andrew Cooper
@ 2021-07-16 14:55       ` Jan Beulich
  0 siblings, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-07-16 14:55 UTC (permalink / raw)
  To: Andrew Cooper
  Cc: Stefano Stabellini, Julien Grall, Ian Jackson,
	Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Petre Pircalabu,
	Paul Durrant, Daniel De Graaf, xen-devel, Tim Deegan,
	Alexandru Isaila, Volodymyr Babchuk, Wei Liu, George Dunlap,
	Daniel P. Smith

On 16.07.2021 16:15, Andrew Cooper wrote:
> On 16/07/2021 08:23, Jan Beulich wrote:
>> On 12.07.2021 22:32, Daniel P. Smith wrote:
>>> The passing of an xsm_default_t at each of the xsm hook call sites
>>> served different functions depending on whether XSM was enabled or not.
>>> When XSM was not enabled it attempted to function as a link-time check
>>> that declared default action at the call site matched the default
>>> declared action for that hook in the dummy policy. When XSM was enabled,
>>> it would just drop the  parameter.
>>>
>>> The removal of these values is two fold. They are a redundancy that
>>> provides little context, especially when the value is XSM_OTHER.
>> For XSM_OTHER I may agree, but in general I find the call-site uses
>> helpful to know at least the rough level of intended restriction.
>> E.g. ...
>>
>>> --- a/xen/arch/x86/cpu/mcheck/mce.c
>>> +++ b/xen/arch/x86/cpu/mcheck/mce.c
>>> @@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
>>>      struct xen_mc_msrinject *mc_msrinject;
>>>      struct xen_mc_mceinject *mc_mceinject;
>>>  
>>> -    ret = xsm_do_mca(XSM_PRIV);
>>> +    ret = xsm_do_mca();
>> ... to now understand what this enforces (or not) I have to go to
>> the actual implementation, even if I only want to know the trivial
>> dummy incarnation of it. This effectively extends the "provides
>> little context" from XSM_OTHER to all hooks.
> 
> The old scheme was even worse because it was only a plausible
> approximation for the !XSM case while being actively wrong for SILO and
> FLASK.

"Actively wrong" is perhaps going a little far? I don't think SILO
relaxes things anywhere over the !XSM case, and I also wouldn't
expect a Flask policy to commonly relax things. Of course these
simplistic categories can't reflect the full possible range with
an actual policy, but seeing XSM_PRIV in a call used to be a fair
hint that subsequent code isn't expected to be reachable for
unprivileged entities. No such hints would exist anymore following
this change, and its description didn't sound to me like this
aspect was taken into consideration. Yet it is a difference to me
whether such removal of information (no matter how precise it is)
is deliberate or an unintended / unnoticed / unexpected side effect.

> Furthermore, someone reading the code could be forgiven for thinking
> that XSM_HOOK was something other than dead code.

I certainly agree with this part.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 06/10] xsm: enable xsm to always be included
  2021-07-12 20:32 ` [PATCH v2 06/10] xsm: enable xsm to always be included Daniel P. Smith
@ 2021-07-19 10:24   ` Jan Beulich
  2021-07-25 20:47     ` Daniel P. Smith
  0 siblings, 1 reply; 44+ messages in thread
From: Jan Beulich @ 2021-07-19 10:24 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall,
	Stefano Stabellini, Wei Liu, Daniel De Graaf, xen-devel

On 12.07.2021 22:32, Daniel P. Smith wrote:
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -200,23 +200,20 @@ config XENOPROF
>  
>  	  If unsure, say Y.
>  
> -config XSM
> -	bool "Xen Security Modules support"
> -	default ARM
> -	---help---
> -	  Enables the security framework known as Xen Security Modules which
> -	  allows administrators fine-grained control over a Xen domain and
> -	  its capabilities by defining permissible interactions between domains,
> -	  the hypervisor itself, and related resources such as memory and
> -	  devices.
> +menu "Xen Security Modules"

I remain unconvinced of the removal of this top level option. I don't
view my concern on code size / performance as "unreasonable" (as Andrew
did call it) when comparing with the current !XSM configuration, and I
also remain to be convinced of people who had to simply answer 'n' to
the XSM kconfig prompt being happy to make an informed decision for all
the (previously sub-)options that they will now be prompted for. As
said before - it is one thing to re-work what exactly !XSM means
internally (and the conversion away from inline functions may very well
be a win; we simply don't know without you showing e.g. bloat-o-meter
like data). It is another to require in-depth knowledge to configure
Xen that previously wasn't required.

Keeping the top-level option would then also make it unnecessary to
alter some of the (prior sub-)options' defaults.

As to Andrew previously having said

"There is no such thing as !XSM even in staging right now.

 All over Xen, we have calls to xsm_*() functions which, even in the !XSM
 case, contain a non-trivial security policy."

Yes, this is one possible viewpoint, which I simply do not share. I view
the xsm_*() calls in the !XSM case as simple surrogates, not anything that
deserves the name "module". This is actually supported by the help text
of the XSM Kconfig option saying "which allows administrators fine-grained
control": There's nothing fine-grained with what currently is !XSM.

> -	  If unsure, say N.
> +config XSM_EVTCHN_LABELING
> +	bool "Enables security labeling of event channels"

Does this really need to have a prompt, instead of simply being
selected by the module(s) needing it? IOW what do users gain when they
answer y here but n for XSM_FLASK?

Furthermore, if the prompt is to remain, then I'll have to again
raise the question of ordering of options: This way, via e.g. the
"syncconfig" or "oldconfig" targets, I'd be asked for the setting here
when, if I'd then also set XSM_FLASK=y, the question was in vein - the
option will be set to y anyway.

> +	default n

May I ask to omit "default n" lines. I'm unaware of anything good they
do.

> @@ -265,24 +262,26 @@ config XSM_SILO
>  	  If unsure, say Y.
>  
>  choice
> -	prompt "Default XSM implementation"
> -	depends on XSM
> +	prompt "Default XSM module"
>  	default XSM_SILO_DEFAULT if XSM_SILO && ARM
>  	default XSM_FLASK_DEFAULT if XSM_FLASK
>  	default XSM_SILO_DEFAULT if XSM_SILO
>  	default XSM_DUMMY_DEFAULT
>  	config XSM_DUMMY_DEFAULT
> -		bool "Match non-XSM behavior"
> +		bool "Classic Dom0 behavior"
>  	config XSM_FLASK_DEFAULT
>  		bool "FLux Advanced Security Kernel" if XSM_FLASK
>  	config XSM_SILO_DEFAULT
>  		bool "SILO" if XSM_SILO
> +
>  endchoice

Nit: I see only two consistent formatting options here: Either there is
a blank line ahead of "endchoice" and after "choice", or there are none
in both places. I don't mind which one it is, but I do mind
inconsistencies getting introduced.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 09/10] xsm: expand the function related macros in dummy.h
  2021-07-16  7:34   ` Jan Beulich
@ 2021-07-24 20:07     ` Daniel P. Smith
  2021-07-24 20:43       ` Daniel P. Smith
  2021-08-03  7:23       ` Jan Beulich
  0 siblings, 2 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-24 20:07 UTC (permalink / raw)
  To: Jan Beulich; +Cc: Daniel De Graaf, xen-devel

On 7/16/21 3:34 AM, Jan Beulich wrote:
> On 12.07.2021 22:32, Daniel P. Smith wrote:
>> With the elimination of switching how dummy.h gets included, the function
>> declaration macros are no longer necessary. This commit expands them out to the
>> only value for which they will ever be set. This results in function
>> declaration lengths changing and since some definitions did not even follow the
>> 80 column wrapping style, all function definitions were aligned with the
>> predominate style found in core hypervisor code.
> 
> I'm afraid this last half sentence is quite far from true:

I would disagree since I know I went through the frustration of trying
to find a discernible consistency in the files in common/ in the end I
settled on following common/memory.c since it seemed to have the most
uniform, it had only a couple of anomalies, as opposed to other files
where indentation was varied throughout.

>> @@ -82,43 +79,43 @@ static always_inline int xsm_default_action(
>>      }
>>  }
>>  
>> -static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
>> +static inline void dummy_security_domaininfo(struct domain *d,
>>                                      struct xen_domctl_getdomaininfo *info)
> 
> Padding wasn't good here before, but you clearly do not change it to
> either of the forms we agreed on as being the goal for consistency:

Then that agreement should be document as CODING_STYLE only states:


Line Length
-----------

Lines should be less than 80 characters in length.  Long lines should
be split at sensible places and the trailing portions indented.


I found that in common/memory.c the predominate style was to align
parameters with the first parameter when wrapping, which is what I
followed. In this specific case when I wrapped the second parameter to
make the line less than 80 chars (an explicit rule in CODING_STYLE) and
attempted to align with the first paramter resulted in the line
exceeding 80 chars. Since the only hard rule is lines must be less than
80, I decreased the indent by enough characters for the line to be less
than 80 to be in line with CODING_STYLE since it only calls for sensible
splits that are indented.

> static inline void dummy_security_domaininfo(struct domain *d,
>                                              struct xen_domctl_getdomaininfo *info)
> 
> or
> 
> static inline void dummy_security_domaininfo(
>     struct domain *d,
>     struct xen_domctl_getdomaininfo *info)
> 

I will align to the second, even though I find it annoying to switch
alignment styles, since the first would be in violation of CODING_STYLE
sine the second line would exceed 80 chars

>> -static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
>> +static inline int dummy_domain_create(struct domain *d, u32 ssidref)
> 
> When you have to touch lines anyway, may I suggest that you also take
> the opportunity and convert u<N> to uint<N>_t, to bring this file
> better in line with ./CODING_STYLE?

Sure.

v/r,
dps




^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 09/10] xsm: expand the function related macros in dummy.h
  2021-07-24 20:07     ` Daniel P. Smith
@ 2021-07-24 20:43       ` Daniel P. Smith
  2021-08-03  7:23       ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-24 20:43 UTC (permalink / raw)
  To: Jan Beulich; +Cc: Daniel De Graaf, xen-devel

On 7/24/21 4:07 PM, Daniel P. Smith wrote:
> On 7/16/21 3:34 AM, Jan Beulich wrote:
>> On 12.07.2021 22:32, Daniel P. Smith wrote:
>>> With the elimination of switching how dummy.h gets included, the function
>>> declaration macros are no longer necessary. This commit expands them out to the
>>> only value for which they will ever be set. This results in function
>>> declaration lengths changing and since some definitions did not even follow the
>>> 80 column wrapping style, all function definitions were aligned with the
>>> predominate style found in core hypervisor code.
>>
>> I'm afraid this last half sentence is quite far from true:
> 
> I would disagree since I know I went through the frustration of trying
> to find a discernible consistency in the files in common/ in the end I
> settled on following common/memory.c since it seemed to have the most
> uniform, it had only a couple of anomalies, as opposed to other files
> where indentation was varied throughout.
> 

Going back into the patch I found what happened. I am not sure how, but
every parameter line I wrapped had 7 additional spaces. This has been
corrected.

v/r
dps



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 06/10] xsm: enable xsm to always be included
  2021-07-19 10:24   ` Jan Beulich
@ 2021-07-25 20:47     ` Daniel P. Smith
  2021-08-03  7:08       ` Jan Beulich
  0 siblings, 1 reply; 44+ messages in thread
From: Daniel P. Smith @ 2021-07-25 20:47 UTC (permalink / raw)
  To: Jan Beulich
  Cc: Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall,
	Stefano Stabellini, Wei Liu, Daniel De Graaf, xen-devel

On 7/19/21 6:24 AM, Jan Beulich wrote:
> On 12.07.2021 22:32, Daniel P. Smith wrote:
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -200,23 +200,20 @@ config XENOPROF
>>  
>>  	  If unsure, say Y.
>>  
>> -config XSM
>> -	bool "Xen Security Modules support"
>> -	default ARM
>> -	---help---
>> -	  Enables the security framework known as Xen Security Modules which
>> -	  allows administrators fine-grained control over a Xen domain and
>> -	  its capabilities by defining permissible interactions between domains,
>> -	  the hypervisor itself, and related resources such as memory and
>> -	  devices.
>> +menu "Xen Security Modules"
> 
> I remain unconvinced of the removal of this top level option. I don't
> view my concern on code size / performance as "unreasonable" (as Andrew
> did call it) when comparing with the current !XSM configuration, and I
> also remain to be convinced of people who had to simply answer 'n' to
> the XSM kconfig prompt being happy to make an informed decision for all
> the (previously sub-)options that they will now be prompted for. As
> said before - it is one thing to re-work what exactly !XSM means
> internally (and the conversion away from inline functions may very well
> be a win; we simply don't know without you showing e.g. bloat-o-meter
> like data). It is another to require in-depth knowledge to configure
> Xen that previously wasn't required.

For me personally a concern about code size / performance itself is not
"unreasonable" but I would say it is a bit disingenuous to use it to
defend a position that the security framework should be special
conditioned and kept convoluted considering, 1) other subsystems, e.g.
iommu, do not appear to me to have the same subjugation requiring a
special case of one hook set over another, 2) the architecture (Arm)
which IMHO has the greatest concern over code size / performance is also
the architecture with the only security supported configuration that
requires an XSM enabled configuration, 3) this approach effectively
requires the maintaining of two sets of hook handlers which increases
work and risk for vulnerability introduction, and 4) based on the
discussions at the Developers Summit, no one seemed to be aware that the
only logical difference between !XSM and XSM was the invocation
mechanism, inline vs call-site, let alone that XSM_HOOK represented no
control check.

To bring context to the discussion, after applying the clean up patches
(everything up to the patch dropping !XSM) of the patch set, the
bloat-o-meter shows a 0.18% increase going from !XSM to XSM (without
SILO and Flask). IMHO this increase does not justify keeping the
convoluted gyrations being done to swap in an optimized security hook
when no other security module is enabled. In fact we should be working
to make the security framework clear and concise. I am all for
maximizing performance while doing so but the end goal is for it to be
clear and concise so that it can be reasoned about by everybody.

As to your position that this increases configuration complexity, I
would have to strongly disagree. I have worked to ensure no new
configuration steps are necessary. The default config will only have XSM
and the default/dummy policy enabled unless on Arm which will enable
SILO and make it the default policy. Prior to this if XSM was enabled,
the default policy was forced to Flask. While I am an advocate for
Flask, I do not agree this is a reasonable configuration. It now works
such that,
    - if you enable only SILO, it is set as the default
    - if you enable only Flask, it is set as the default
    - if you enable both SILO & Flask, it uses SILO as the default
Which basically works such that if one selects a policy, then it assumes
that policy is desired to be used, and when more than one is selected it
will default to the one that functions most like classic Dom0 model.
IMHO this is much more intuitive. Now one alternative I am thinking
about that might be a bit of a compromise is to move the default policy
selection up to the same level as XSM menu. That would make it so one
could immediately see what the default policy is but must go into the
XSM menu if they want to alter what policy modules are available.

> Keeping the top-level option would then also make it unnecessary to
> alter some of the (prior sub-)options' defaults.

I would beg to differ, it now makes the builder have to explicitly enter
that sub-option if they desire to enable an alternate security model,
e.g. have explicit intent instead of having the potential for accidental
selection.

> As to Andrew previously having said
> 
> "There is no such thing as !XSM even in staging right now.
> 
>  All over Xen, we have calls to xsm_*() functions which, even in the !XSM
>  case, contain a non-trivial security policy."
> 
> Yes, this is one possible viewpoint, which I simply do not share. I view
> the xsm_*() calls in the !XSM case as simple surrogates, not anything that
> deserves the name "module". This is actually supported by the help text
> of the XSM Kconfig option saying "which allows administrators fine-grained
> control": There's nothing fine-grained with what currently is !XSM.

IMHO that is a very unfortunate viewpoint. An xsm_*() call is an access
control check point where a decision needs to be made on whether an
access to a resource should be allowed. In a kernel with a monolithic
access control there would still be an implicit or an explicit access
check necessary at this location. What XSM does is makes all the access
check locations to be explicit checks where the decision can be handled
by different access control frameworks to be plugged in to implement the
security architecture that the implementer requires.

>> -	  If unsure, say N.
>> +config XSM_EVTCHN_LABELING
>> +	bool "Enables security labeling of event channels"
> 
> Does this really need to have a prompt, instead of simply being
> selected by the module(s) needing it? IOW what do users gain when they
> answer y here but n for XSM_FLASK?
> 
> Furthermore, if the prompt is to remain, then I'll have to again
> raise the question of ordering of options: This way, via e.g. the
> "syncconfig" or "oldconfig" targets, I'd be asked for the setting here
> when, if I'd then also set XSM_FLASK=y, the question was in vein - the
> option will be set to y anyway.
> 
>> +	default n
> 
> May I ask to omit "default n" lines. I'm unaware of anything good they
> do.

It has been dropped

>> @@ -265,24 +262,26 @@ config XSM_SILO
>>  	  If unsure, say Y.
>>  
>>  choice
>> -	prompt "Default XSM implementation"
>> -	depends on XSM
>> +	prompt "Default XSM module"
>>  	default XSM_SILO_DEFAULT if XSM_SILO && ARM
>>  	default XSM_FLASK_DEFAULT if XSM_FLASK
>>  	default XSM_SILO_DEFAULT if XSM_SILO
>>  	default XSM_DUMMY_DEFAULT
>>  	config XSM_DUMMY_DEFAULT
>> -		bool "Match non-XSM behavior"
>> +		bool "Classic Dom0 behavior"
>>  	config XSM_FLASK_DEFAULT
>>  		bool "FLux Advanced Security Kernel" if XSM_FLASK
>>  	config XSM_SILO_DEFAULT
>>  		bool "SILO" if XSM_SILO
>> +
>>  endchoice
> 
> Nit: I see only two consistent formatting options here: Either there is
> a blank line ahead of "endchoice" and after "choice", or there are none
> in both places. I don't mind which one it is, but I do mind
> inconsistencies getting introduced.

ack

v/r,
dps



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
  2021-07-16  7:23   ` Jan Beulich
  2021-07-16  7:37   ` Jan Beulich
@ 2021-07-27 13:39   ` Ian Jackson
  2021-08-06 21:41     ` Daniel P. Smith
  2 siblings, 1 reply; 44+ messages in thread
From: Ian Jackson @ 2021-07-27 13:39 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Volodymyr Babchuk, Wei Liu, George Dunlap, Tim Deegan,
	Alexandru Isaila, Petre Pircalabu, xen-devel, Stefano Stabellini,
	Julien Grall, Andrew Cooper, Ian Jackson, Jan Beulich,
	Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf

I have read the thread here and it seems that there are some
disagreements which may be blocking progress.

The mailing list thread is a rather tangled way of dealing with this.
I did read it but I feel I am lacking some of the context and/or
having trouble synthesising it.

Daniel, if you agree with me that this seems to be getting hung up on
disagreements, do you think you would be able to summarise the
disagreement(s) including the context and the arguments you can see on
the various sides ?  I'm not expecting such a summary to be neutral
but I think you are in a good position to motivate your changes.

Thanks,
Ian.


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 06/10] xsm: enable xsm to always be included
  2021-07-25 20:47     ` Daniel P. Smith
@ 2021-08-03  7:08       ` Jan Beulich
  0 siblings, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-08-03  7:08 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall,
	Stefano Stabellini, Wei Liu, Daniel De Graaf, xen-devel

On 25.07.2021 22:47, Daniel P. Smith wrote:
> On 7/19/21 6:24 AM, Jan Beulich wrote:
>> On 12.07.2021 22:32, Daniel P. Smith wrote:
>>> --- a/xen/common/Kconfig
>>> +++ b/xen/common/Kconfig
>>> @@ -200,23 +200,20 @@ config XENOPROF
>>>  
>>>  	  If unsure, say Y.
>>>  
>>> -config XSM
>>> -	bool "Xen Security Modules support"
>>> -	default ARM
>>> -	---help---
>>> -	  Enables the security framework known as Xen Security Modules which
>>> -	  allows administrators fine-grained control over a Xen domain and
>>> -	  its capabilities by defining permissible interactions between domains,
>>> -	  the hypervisor itself, and related resources such as memory and
>>> -	  devices.
>>> +menu "Xen Security Modules"
>>
>> I remain unconvinced of the removal of this top level option. I don't
>> view my concern on code size / performance as "unreasonable" (as Andrew
>> did call it) when comparing with the current !XSM configuration, and I
>> also remain to be convinced of people who had to simply answer 'n' to
>> the XSM kconfig prompt being happy to make an informed decision for all
>> the (previously sub-)options that they will now be prompted for. As
>> said before - it is one thing to re-work what exactly !XSM means
>> internally (and the conversion away from inline functions may very well
>> be a win; we simply don't know without you showing e.g. bloat-o-meter
>> like data). It is another to require in-depth knowledge to configure
>> Xen that previously wasn't required.
> 
> For me personally a concern about code size / performance itself is not
> "unreasonable" but I would say it is a bit disingenuous to use it to
> defend a position that the security framework should be special
> conditioned and kept convoluted considering, 1) other subsystems, e.g.
> iommu, do not appear to me to have the same subjugation requiring a
> special case of one hook set over another, 2) the architecture (Arm)
> which IMHO has the greatest concern over code size / performance is also
> the architecture with the only security supported configuration that
> requires an XSM enabled configuration, 3) this approach effectively
> requires the maintaining of two sets of hook handlers which increases
> work and risk for vulnerability introduction, and 4) based on the
> discussions at the Developers Summit, no one seemed to be aware that the
> only logical difference between !XSM and XSM was the invocation
> mechanism, inline vs call-site, let alone that XSM_HOOK represented no
> control check.
> 
> To bring context to the discussion, after applying the clean up patches
> (everything up to the patch dropping !XSM) of the patch set, the
> bloat-o-meter shows a 0.18% increase going from !XSM to XSM (without
> SILO and Flask). IMHO this increase does not justify keeping the
> convoluted gyrations being done to swap in an optimized security hook
> when no other security module is enabled. In fact we should be working
> to make the security framework clear and concise. I am all for
> maximizing performance while doing so but the end goal is for it to be
> clear and concise so that it can be reasoned about by everybody.

Well, I guess if the majority is with you then that's what is going to
happen.

> As to your position that this increases configuration complexity, I
> would have to strongly disagree. I have worked to ensure no new
> configuration steps are necessary.

I'm having a hard time seeing how this could be the case, especially
since ...

> The default config will only have XSM
> and the default/dummy policy enabled unless on Arm which will enable
> SILO and make it the default policy. Prior to this if XSM was enabled,
> the default policy was forced to Flask. While I am an advocate for
> Flask, I do not agree this is a reasonable configuration. It now works
> such that,
>     - if you enable only SILO, it is set as the default
>     - if you enable only Flask, it is set as the default
>     - if you enable both SILO & Flask, it uses SILO as the default
> Which basically works such that if one selects a policy, then it assumes
> that policy is desired to be used, and when more than one is selected it
> will default to the one that functions most like classic Dom0 model.

... I don't see how putting in place suitable defaults would suppress
any respective prompts during e.g. "make syncconfig". (I can see that
what you say may apply to e.g. "make menuconfig", which I think I've
indicated before I don't use myself and hence I don't care all that
much about.)

> IMHO this is much more intuitive. Now one alternative I am thinking
> about that might be a bit of a compromise is to move the default policy
> selection up to the same level as XSM menu. That would make it so one
> could immediately see what the default policy is but must go into the
> XSM menu if they want to alter what policy modules are available.

All of this appears to support my assumption that you're looking at
things from a "make menuconfig"-centric viewpoint.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 09/10] xsm: expand the function related macros in dummy.h
  2021-07-24 20:07     ` Daniel P. Smith
  2021-07-24 20:43       ` Daniel P. Smith
@ 2021-08-03  7:23       ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-08-03  7:23 UTC (permalink / raw)
  To: Daniel P. Smith; +Cc: Daniel De Graaf, xen-devel

On 24.07.2021 22:07, Daniel P. Smith wrote:
> On 7/16/21 3:34 AM, Jan Beulich wrote:
>> On 12.07.2021 22:32, Daniel P. Smith wrote:
>>> With the elimination of switching how dummy.h gets included, the function
>>> declaration macros are no longer necessary. This commit expands them out to the
>>> only value for which they will ever be set. This results in function
>>> declaration lengths changing and since some definitions did not even follow the
>>> 80 column wrapping style, all function definitions were aligned with the
>>> predominate style found in core hypervisor code.
>>
>> I'm afraid this last half sentence is quite far from true:
> 
> I would disagree since I know I went through the frustration of trying
> to find a discernible consistency in the files in common/ in the end I
> settled on following common/memory.c since it seemed to have the most
> uniform, it had only a couple of anomalies, as opposed to other files
> where indentation was varied throughout.
> 
>>> @@ -82,43 +79,43 @@ static always_inline int xsm_default_action(
>>>      }
>>>  }
>>>  
>>> -static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
>>> +static inline void dummy_security_domaininfo(struct domain *d,
>>>                                      struct xen_domctl_getdomaininfo *info)
>>
>> Padding wasn't good here before, but you clearly do not change it to
>> either of the forms we agreed on as being the goal for consistency:
> 
> Then that agreement should be document as CODING_STYLE only states:
> 
> 
> Line Length
> -----------
> 
> Lines should be less than 80 characters in length.  Long lines should
> be split at sensible places and the trailing portions indented.
> 
> 
> I found that in common/memory.c the predominate style was to align
> parameters with the first parameter when wrapping, which is what I
> followed. In this specific case when I wrapped the second parameter to
> make the line less than 80 chars (an explicit rule in CODING_STYLE) and
> attempted to align with the first paramter resulted in the line
> exceeding 80 chars. Since the only hard rule is lines must be less than
> 80, I decreased the indent by enough characters for the line to be less
> than 80 to be in line with CODING_STYLE since it only calls for sensible
> splits that are indented.
> 
>> static inline void dummy_security_domaininfo(struct domain *d,
>>                                              struct xen_domctl_getdomaininfo *info)
>>
>> or
>>
>> static inline void dummy_security_domaininfo(
>>     struct domain *d,
>>     struct xen_domctl_getdomaininfo *info)
>>
> 
> I will align to the second, even though I find it annoying to switch
> alignment styles, since the first would be in violation of CODING_STYLE
> sine the second line would exceed 80 chars

I guess you nevertheless realize that this 2nd form is precisely to
overcome the problem with otherwise exceeding the 80 chars limit,
while at the same time making sure the indentation doesn't end up
entirely random then?

As to extending ./CODING_STYLE - I've had rather bad experience
with attempts to do so, with my two most recent patches to that effect
just having had their 2nd anniversary without getting any feedback
moving things forward (despite, unlike in some earlier instances, the
proposed changes not looking overly controversial to me).

Coincidence or not, just a few days after my submission Volodymyr
submitted a patch making an attempt to document function parameter
indentation [1]. While the patch as is had some comments, it didn't
seem like it was controversial either. Yet nothing has since made it
in.

Jan

[1] https://lists.xen.org/archives/html/xen-devel/2019-07/msg02440.html



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-07-27 13:39   ` Ian Jackson
@ 2021-08-06 21:41     ` Daniel P. Smith
  2021-08-10  8:39       ` Jan Beulich
  2021-08-26  9:42       ` Jan Beulich
  0 siblings, 2 replies; 44+ messages in thread
From: Daniel P. Smith @ 2021-08-06 21:41 UTC (permalink / raw)
  To: Ian Jackson
  Cc: Volodymyr Babchuk, Wei Liu, George Dunlap, Tim Deegan,
	Alexandru Isaila, Petre Pircalabu, xen-devel, Stefano Stabellini,
	Julien Grall, Andrew Cooper, Jan Beulich, Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf

On 7/27/21 9:39 AM, Ian Jackson wrote:
> I have read the thread here and it seems that there are some
> disagreements which may be blocking progress.
> 
> The mailing list thread is a rather tangled way of dealing with this.
> I did read it but I feel I am lacking some of the context and/or
> having trouble synthesising it.
> 
> Daniel, if you agree with me that this seems to be getting hung up on
> disagreements, do you think you would be able to summarise the
> disagreement(s) including the context and the arguments you can see on
> the various sides ?  I'm not expecting such a summary to be neutral
> but I think you are in a good position to motivate your changes.
> 
> Thanks,
> Ian.
> 

Hey Ian,

Thank you so much for reaching out. While there is definitely a
disagreement, as you will likely have seen, I put out a v3 of the patch
set where there is an attempt to strike a compromise between the two
positions. To provide some context, below is a list of points of
contention, my concerns regarding the points of contention, and a list
of what was addressed in v3 of the series.

Points of contention:
A1. Agreement on what is and constitutes XSM.
A2. Based on (A1), what does it really mean to turn XSM on or off.
A3. Providing the facade that a capability is turned off to hide config
options
    a user may not understand
A4. There are two versions of the XSM hook interfaces and corresponding
    XSM hook implementations
A5. Whether the XSM hook's call sites should include the access level

My concerns/issues:
B1. The irony that XSM is unsupported but XSM + SILO is supported (for
    Arm)
B2. The counter-positive to the position of (A3) is that every KConfig
    option must be understandable by all users
B3. The complexity of the preprocessor code to enable (A3) results in
    challenging code to reason about
B4. The increased overhead in having to maintaining the two sets of
    hooks caused by (A3)
B5. The (A3) optimization is being done to common code but only applies
    to x86 security supported configurations
B6. That (A3) is justified to maintain a legacy mental model that Dom0
    is all powerful at the expense of unnecessarily complicating Xen's
    core access control code.
B7. That (A5) is only completely correct when default/dummy policy is in
    effect B8. (A5) was justified as it gives the developer a notion of
    what will be checked, which is bad for a number of reasons, but the
    primary is that it will either directly or indirectly influence a
    developer to write code with false sense of what access level a
    domain may have

What v3 addresses:
C1. Instead of doing a submenu for XSM v3 replaces XSM on/off with a
    "select to configure XSM", addressing (A2, A3, B2)
C2. Instead of dropping one of the interfaces/implementations, merged
    them to provide a single interface with similar inlining properties,
    addressing (A4, B3, B4, B5)
C3. The passing of a default at the call site was left intact addressing
    (A5)

Deferrals and concessions in v3:
D1. Answering (A1) can be addressed later by reviewing, refreshing, and
    expanding XSM documentation
D2. Will work with community to get XSM in a supported status to resolve
   (B1)
D3. The issue of (B6) is partially resolved in v3, v1 and v2 provided a
    better separation but all three are logically equivalent
D4. I conceded on (B7) and (B8) which are related to (B6) with respect
    that the all powerful dom0 continues to be hard coded throughout the
    hypervisor instead of trying to abstracting it out.

While not all of the points of contentions nor all of my concerns are
all addressed, I would like to hope that v3 is seen as an attempt
compromise, those compromises are acceptable, and that I can begin to
bring the next patch set forward. Thank you and looking forward to
responses.

V/r,
Daniel P. Smith


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-08-06 21:41     ` Daniel P. Smith
@ 2021-08-10  8:39       ` Jan Beulich
  2021-08-26  9:42       ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-08-10  8:39 UTC (permalink / raw)
  To: Daniel P. Smith
  Cc: Volodymyr Babchuk, Wei Liu, George Dunlap, Tim Deegan,
	Alexandru Isaila, Petre Pircalabu, xen-devel, Stefano Stabellini,
	Julien Grall, Andrew Cooper, Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf, Ian Jackson

On 06.08.2021 23:41, Daniel P. Smith wrote:
> My concerns/issues:
> B1. The irony that XSM is unsupported but XSM + SILO is supported (for
>     Arm)

Just one remark here: Prior to SILO introduction (and to some perhaps
ever afterwards), just like !XSM stood for "XSM dummy module", XSM
stood for "XSM/Flask". There's pretty little core XSM code, and the
reason for it to be considered unsupported was mainly the bad quality
of Flask code (which no-one, not even the maintainer, ever cared to
address, except maybe tiny aspects thereof). Which luckily ...

> Deferrals and concessions in v3:
> D1. Answering (A1) can be addressed later by reviewing, refreshing, and
>     expanding XSM documentation
> D2. Will work with community to get XSM in a supported status to resolve
>    (B1)

... you aim to address. Until such point I think though that people
better wouldn't be forced or talked into including unsupported code
in their builds. (I say this without having looked at v3 yet; you may
very well have taken care of this already.)

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions
  2021-08-06 21:41     ` Daniel P. Smith
  2021-08-10  8:39       ` Jan Beulich
@ 2021-08-26  9:42       ` Jan Beulich
  1 sibling, 0 replies; 44+ messages in thread
From: Jan Beulich @ 2021-08-26  9:42 UTC (permalink / raw)
  To: Daniel P. Smith, Ian Jackson
  Cc: Volodymyr Babchuk, Wei Liu, George Dunlap, Tim Deegan,
	Alexandru Isaila, Petre Pircalabu, xen-devel, Stefano Stabellini,
	Julien Grall, Andrew Cooper, Roger Pau Monné,
	Tamas K Lengyel, Juergen Gross, Dario Faggioli, Paul Durrant,
	Daniel De Graaf

On 06.08.2021 23:41, Daniel P. Smith wrote:
> While not all of the points of contentions nor all of my concerns are
> all addressed, I would like to hope that v3 is seen as an attempt
> compromise, those compromises are acceptable, and that I can begin to
> bring the next patch set forward. Thank you and looking forward to
> responses.

Having gone through the series I've been happy to see the adjustments
that have been made. There are still further requests I have spelled
out, but I think (hope) those aren't as controversial anymore.

Jan



^ permalink raw reply	[flat|nested] 44+ messages in thread

end of thread, other threads:[~2021-08-26  9:42 UTC | newest]

Thread overview: 44+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-12 20:32 [PATCH v2 00/10] xsm: refactoring xsm hooks Daniel P. Smith
2021-07-12 20:32 ` [PATCH v2 01/10] xen: Implement xen/alternative-call.h for use in common code Daniel P. Smith
2021-07-12 23:48   ` Andrew Cooper
2021-07-13  6:28     ` Jan Beulich
2021-07-13  8:36       ` Andrew Cooper
2021-07-13  8:53         ` Jan Beulich
2021-07-14 15:35   ` Jan Beulich
2021-07-12 20:32 ` [PATCH v2 02/10] xsm: refactor xsm_ops handling Daniel P. Smith
2021-07-12 23:39   ` Andrew Cooper
2021-07-14 15:54     ` Jan Beulich
2021-07-15 17:16     ` Daniel P. Smith
2021-07-12 20:32 ` [PATCH v2 03/10] xsm: remove the ability to disable flask Daniel P. Smith
2021-07-12 23:22   ` Andrew Cooper
2021-07-15 17:17     ` Daniel P. Smith
2021-07-14 15:58   ` Jan Beulich
2021-07-15 17:19     ` Daniel P. Smith
2021-07-12 20:32 ` [PATCH v2 04/10] xsm: convert xsm_ops hook calls to alternative call Daniel P. Smith
2021-07-12 23:44   ` Andrew Cooper
2021-07-15 17:20     ` Daniel P. Smith
2021-07-12 20:32 ` [PATCH v2 05/10] xsm: decouple xsm header inclusion selection Daniel P. Smith
2021-07-12 20:32 ` [PATCH v2 06/10] xsm: enable xsm to always be included Daniel P. Smith
2021-07-19 10:24   ` Jan Beulich
2021-07-25 20:47     ` Daniel P. Smith
2021-08-03  7:08       ` Jan Beulich
2021-07-12 20:32 ` [PATCH v2 07/10] xsm: drop generic event channel labeling Daniel P. Smith
2021-07-12 23:52   ` Andrew Cooper
2021-07-15 17:26     ` Daniel P. Smith
2021-07-16  7:03   ` Jan Beulich
2021-07-12 20:32 ` [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions Daniel P. Smith
2021-07-16  7:23   ` Jan Beulich
2021-07-16 14:15     ` Andrew Cooper
2021-07-16 14:55       ` Jan Beulich
2021-07-16  7:37   ` Jan Beulich
2021-07-27 13:39   ` Ian Jackson
2021-08-06 21:41     ` Daniel P. Smith
2021-08-10  8:39       ` Jan Beulich
2021-08-26  9:42       ` Jan Beulich
2021-07-12 20:32 ` [PATCH v2 09/10] xsm: expand the function related macros in dummy.h Daniel P. Smith
2021-07-16  7:34   ` Jan Beulich
2021-07-24 20:07     ` Daniel P. Smith
2021-07-24 20:43       ` Daniel P. Smith
2021-08-03  7:23       ` Jan Beulich
2021-07-12 20:32 ` [PATCH v2 10/10] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
2021-07-12 23:12 ` [PATCH v2 00/10] xsm: refactoring xsm hooks Andrew Cooper

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.