* [PATCH 1/7] xen: use domid check in is_hardware_domain
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 9:03 ` Jan Beulich
2014-03-18 21:34 ` [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init Daniel De Graaf
` (5 subsequent siblings)
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel
Cc: Keir Fraser, Ian Campbell, Tim Deegan, Stefano Stabellini,
Jan Beulich, Daniel De Graaf, Suravee Suthikulpanit,
Xiantao Zhang
Instead of checking is_privileged to determine if a domain should
control the hardware, check that the domain_id is equal to zero (which
is currently the only domain for which is_privileged is true). This
allows other places where domain_id is checked for zero to be replaced
with is_hardware_domain.
The distinction between is_hardware_domain, is_control_domain, and
domain 0 is based on the following disaggregation model:
Domain 0 bootstraps the system. It may remain to perform requested
builds of domains that need a minimal trust chain (i.e. vTPM domains).
Other than being built by the hypervisor, nothing is special about this
domain - although it may be useful to have is_control_domain() return
true depending on the toolstack it uses to build other domains.
The hardware domain manages devices for PCI pass-through to driver
domains or can act as a driver domain itself, depending on the desired
degree of disaggregation. It is also the domain managing devices that
do not support pass-through: PCI configuration space access, parsing the
hardware ACPI tables and system power or machine check events. This is
the only domain where is_hardware_domain() is true. The return of
is_control_domain() may be false for this domain.
The control domain manages other domains, controls guest launch and
shutdown, and manages resource constraints; is_control_domain() returns
true. The functionality guarded by is_control_domain may in the future
be adapted to use explicit hypercalls, eliminating the special treatment
of this domain. It may be reasonable to have multiple control domains
on a multi-tenant system.
Guest domains and other service or driver domains are all treated
identically by the hypervisor; the security policy may further constrain
administrative actions on or communication between these domains.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Tim Deegan <tim@xen.org>
Cc: Xiantao Zhang <xiantao.zhang@intel.com>
---
Changes from v1:
- Fix up some references to dom0 in comments
- Show real CPUID values to hardware domain
- Require xenoprof to be hardware domain due to lack of cleanup on destroy
- Change a few ( d == dom0 ) references to is_hardware_domain
xen/arch/arm/domain.c | 6 +++---
xen/arch/arm/gic.c | 4 ++--
xen/arch/arm/vgic.c | 2 +-
xen/arch/arm/vtimer.c | 5 +++--
xen/arch/arm/vuart.c | 2 +-
xen/arch/x86/cpu/mcheck/vmce.c | 2 +-
xen/arch/x86/domain.c | 3 ++-
xen/arch/x86/hvm/i8254.c | 2 +-
xen/arch/x86/mm.c | 2 +-
xen/arch/x86/time.c | 4 ++--
xen/arch/x86/traps.c | 21 +++++++++++----------
xen/common/domain.c | 6 +++---
xen/common/kernel.c | 2 +-
xen/common/xenoprof.c | 8 +++++++-
xen/drivers/passthrough/amd/pci_amd_iommu.c | 2 +-
xen/drivers/passthrough/iommu.c | 2 +-
xen/drivers/passthrough/vtd/iommu.c | 11 ++++++-----
xen/drivers/passthrough/vtd/x86/vtd.c | 2 +-
xen/include/xen/sched.h | 4 ++--
19 files changed, 50 insertions(+), 40 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index 46ee486..2c76a8f 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -540,10 +540,10 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
/*
* Virtual UART is only used by linux early printk and decompress code.
- * Only use it for dom0 because the linux kernel may not support
- * multi-platform.
+ * Only use it for the hardware domain because the linux kernel may not
+ * support multi-platform.
*/
- if ( (d->domain_id == 0) && (rc = domain_vuart_init(d)) )
+ if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
goto fail;
return 0;
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 0095b97..8168b7b 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -865,10 +865,10 @@ int gicv_setup(struct domain *d)
int ret;
/*
- * Domain 0 gets the hardware address.
+ * The hardware domain gets the hardware address.
* Guests get the virtual platform layout.
*/
- if ( d->domain_id == 0 )
+ if ( is_hardware_domain(d) )
{
d->arch.vgic.dbase = gic.dbase;
d->arch.vgic.cbase = gic.cbase;
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 553411d..65f48f2 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
/* Currently nr_lines in vgic and gic doesn't have the same meanings
* Here nr_lines = number of SPIs
*/
- if ( d->domain_id == 0 )
+ if ( is_hardware_domain(d) )
d->arch.vgic.nr_lines = gic_number_lines() - 32;
else
d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index 3d6a721..cb690bb 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -54,10 +54,11 @@ int vcpu_domain_init(struct domain *d)
int vcpu_vtimer_init(struct vcpu *v)
{
struct vtimer *t = &v->arch.phys_timer;
- bool_t d0 = (v->domain == dom0);
+ bool_t d0 = is_hardware_domain(v->domain);
/*
- * Domain 0 uses the hardware interrupts, guests get the virtual platform.
+ * Hardware domain uses the hardware interrupts, guests get the virtual
+ * platform.
*/
init_timer(&t->timer, phys_timer_expired, t, v->processor);
diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
index b9d3ced..c02a8a9 100644
--- a/xen/arch/arm/vuart.c
+++ b/xen/arch/arm/vuart.c
@@ -46,7 +46,7 @@
int domain_vuart_init(struct domain *d)
{
- ASSERT( !d->domain_id );
+ ASSERT( is_hardware_domain(d) );
d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
if ( !d->arch.vuart.info )
diff --git a/xen/arch/x86/cpu/mcheck/vmce.c b/xen/arch/x86/cpu/mcheck/vmce.c
index ed00f7c..c83375e 100644
--- a/xen/arch/x86/cpu/mcheck/vmce.c
+++ b/xen/arch/x86/cpu/mcheck/vmce.c
@@ -430,7 +430,7 @@ int unmmap_broken_page(struct domain *d, mfn_t mfn, unsigned long gfn)
int rc;
/* Always trust dom0's MCE handler will prevent future access */
- if ( d == dom0 )
+ if ( is_hardware_domain(d) )
return 0;
if (!mfn_valid(mfn_x(mfn)))
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 0d563de..0cfca2a 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1504,7 +1504,8 @@ void context_switch(struct vcpu *prev, struct vcpu *next)
}
set_cpuid_faulting(is_pv_vcpu(next) &&
- (next->domain->domain_id != 0));
+ !is_control_domain(next->domain) &&
+ !is_hardware_domain(next->domain));
}
if (is_hvm_vcpu(next) && (prev != next) )
diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
index f7493b8..6a91f76 100644
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -540,7 +540,7 @@ int pv_pit_handler(int port, int data, int write)
.data = data
};
- if ( (current->domain->domain_id == 0) && dom0_pit_access(&ioreq) )
+ if ( is_hardware_domain(current->domain) && dom0_pit_access(&ioreq) )
{
/* nothing to do */;
}
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index fdc5ed3..ad48acc 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4787,7 +4787,7 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
.max_mfn = MACH2PHYS_NR_ENTRIES - 1
};
- if ( !mem_hotplug && current->domain == dom0 )
+ if ( !mem_hotplug && is_hardware_domain(current->domain) )
mapping.max_mfn = max_page - 1;
if ( copy_to_guest(arg, &mapping, 1) )
return -EFAULT;
diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
index f904af2..89308bd 100644
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -1839,7 +1839,7 @@ void tsc_set_info(struct domain *d,
uint32_t tsc_mode, uint64_t elapsed_nsec,
uint32_t gtsc_khz, uint32_t incarnation)
{
- if ( is_idle_domain(d) || (d->domain_id == 0) )
+ if ( is_idle_domain(d) || is_hardware_domain(d) )
{
d->arch.vtsc = 0;
return;
@@ -1943,7 +1943,7 @@ static void dump_softtsc(unsigned char key)
"warp=%lu (count=%lu)\n", tsc_max_warp, tsc_check_count);
for_each_domain ( d )
{
- if ( d->domain_id == 0 && d->arch.tsc_mode == TSC_MODE_DEFAULT )
+ if ( is_hardware_domain(d) && d->arch.tsc_mode == TSC_MODE_DEFAULT )
continue;
printk("dom%u%s: mode=%d",d->domain_id,
is_hvm_domain(d) ? "(hvm)" : "", d->arch.tsc_mode);
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index ed4ae2d..21c8b63 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -732,18 +732,19 @@ int cpuid_hypervisor_leaves( uint32_t idx, uint32_t sub_idx,
void pv_cpuid(struct cpu_user_regs *regs)
{
uint32_t a, b, c, d;
+ struct vcpu *curr = current;
a = regs->eax;
b = regs->ebx;
c = regs->ecx;
d = regs->edx;
- if ( current->domain->domain_id != 0 )
+ if ( !is_control_domain(curr->domain) && !is_hardware_domain(curr->domain) )
{
unsigned int cpuid_leaf = a, sub_leaf = c;
if ( !cpuid_hypervisor_leaves(a, c, &a, &b, &c, &d) )
- domain_cpuid(current->domain, a, c, &a, &b, &c, &d);
+ domain_cpuid(curr->domain, a, c, &a, &b, &c, &d);
switch ( cpuid_leaf )
{
@@ -751,15 +752,15 @@ void pv_cpuid(struct cpu_user_regs *regs)
{
unsigned int _eax, _ebx, _ecx, _edx;
/* EBX value of main leaf 0 depends on enabled xsave features */
- if ( sub_leaf == 0 && current->arch.xcr0 )
+ if ( sub_leaf == 0 && curr->arch.xcr0 )
{
/* reset EBX to default value first */
b = XSTATE_AREA_MIN_SIZE;
for ( sub_leaf = 2; sub_leaf < 63; sub_leaf++ )
{
- if ( !(current->arch.xcr0 & (1ULL << sub_leaf)) )
+ if ( !(curr->arch.xcr0 & (1ULL << sub_leaf)) )
continue;
- domain_cpuid(current->domain, cpuid_leaf, sub_leaf,
+ domain_cpuid(curr->domain, cpuid_leaf, sub_leaf,
&_eax, &_ebx, &_ecx, &_edx);
if ( (_eax + _ebx) > b )
b = _eax + _ebx;
@@ -796,7 +797,7 @@ void pv_cpuid(struct cpu_user_regs *regs)
__clear_bit(X86_FEATURE_DS, &d);
__clear_bit(X86_FEATURE_ACC, &d);
__clear_bit(X86_FEATURE_PBE, &d);
- if ( is_pvh_vcpu(current) )
+ if ( is_pvh_vcpu(curr) )
__clear_bit(X86_FEATURE_MTRR, &d);
__clear_bit(X86_FEATURE_DTES64 % 32, &c);
@@ -805,7 +806,7 @@ void pv_cpuid(struct cpu_user_regs *regs)
__clear_bit(X86_FEATURE_VMXE % 32, &c);
__clear_bit(X86_FEATURE_SMXE % 32, &c);
__clear_bit(X86_FEATURE_TM2 % 32, &c);
- if ( is_pv_32bit_vcpu(current) )
+ if ( is_pv_32bit_vcpu(curr) )
__clear_bit(X86_FEATURE_CX16 % 32, &c);
__clear_bit(X86_FEATURE_XTPR % 32, &c);
__clear_bit(X86_FEATURE_PDCM % 32, &c);
@@ -844,12 +845,12 @@ void pv_cpuid(struct cpu_user_regs *regs)
case 0x80000001:
/* Modify Feature Information. */
- if ( is_pv_32bit_vcpu(current) )
+ if ( is_pv_32bit_vcpu(curr) )
{
__clear_bit(X86_FEATURE_LM % 32, &d);
__clear_bit(X86_FEATURE_LAHF_LM % 32, &c);
}
- if ( is_pv_32on64_vcpu(current) &&
+ if ( is_pv_32on64_vcpu(curr) &&
boot_cpu_data.x86_vendor != X86_VENDOR_AMD )
__clear_bit(X86_FEATURE_SYSCALL % 32, &d);
__clear_bit(X86_FEATURE_PAGE1GB % 32, &d);
@@ -1860,7 +1861,7 @@ static inline uint64_t guest_misc_enable(uint64_t val)
static int is_cpufreq_controller(struct domain *d)
{
return ((cpufreq_controller == FREQCTL_dom0_kernel) &&
- (d->domain_id == 0));
+ is_hardware_domain(d));
}
#include "x86_64/mmconfig.h"
diff --git a/xen/common/domain.c b/xen/common/domain.c
index ad8a1b6..b5868a5 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -237,7 +237,7 @@ struct domain *domain_create(
else if ( domcr_flags & DOMCRF_pvh )
d->guest_type = guest_type_pvh;
- if ( domid == 0 )
+ if ( is_hardware_domain(d) )
{
d->is_pinned = opt_dom0_vcpus_pin;
d->disable_migrate = 1;
@@ -262,7 +262,7 @@ struct domain *domain_create(
d->is_paused_by_controller = 1;
atomic_inc(&d->pause_count);
- if ( domid )
+ if ( !is_hardware_domain(d) )
d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
else
d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
@@ -594,7 +594,7 @@ void domain_shutdown(struct domain *d, u8 reason)
d->shutdown_code = reason;
reason = d->shutdown_code;
- if ( d->domain_id == 0 )
+ if ( is_hardware_domain(d) )
dom0_shutdown(reason);
if ( d->is_shutting_down )
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index b371f8f..7e83353 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -303,7 +303,7 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
(1U << XENFEAT_auto_translated_physmap);
if ( supervisor_mode_kernel )
fi.submap |= 1U << XENFEAT_supervisor_mode_kernel;
- if ( current->domain == dom0 )
+ if ( is_hardware_domain(current->domain) )
fi.submap |= 1U << XENFEAT_dom0;
#ifdef CONFIG_X86
switch ( d->guest_type )
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 52ab00d..3c30c3e 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -601,9 +601,15 @@ static int xenoprof_op_init(XEN_GUEST_HANDLE_PARAM(void) arg)
xenoprof_init.cpu_type)) )
return ret;
+ /* Only the hardware domain may become the primary profiler here because
+ * there is currently no cleanup of xenoprof_primary_profiler or associated
+ * profiling state when the primary profiling domain is shut down or
+ * crashes. Once a better cleanup method is present, it will be possible to
+ * allow another domain to be the primary profiler.
+ */
xenoprof_init.is_primary =
((xenoprof_primary_profiler == d) ||
- ((xenoprof_primary_profiler == NULL) && (d->domain_id == 0)));
+ ((xenoprof_primary_profiler == NULL) && is_hardware_domain(d)));
if ( xenoprof_init.is_primary )
xenoprof_primary_profiler = current->domain;
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index c26aabc..cf67494 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -122,7 +122,7 @@ static void amd_iommu_setup_domain_device(
BUG_ON( !hd->root_table || !hd->paging_mode || !iommu->dev_table.buffer );
- if ( iommu_passthrough && (domain->domain_id == 0) )
+ if ( iommu_passthrough && is_hardware_domain(domain) )
valid = 0;
if ( ats_enabled )
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index 0cf0748..54d891f 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -817,7 +817,7 @@ static void iommu_dump_p2m_table(unsigned char key)
ops = iommu_get_ops();
for_each_domain(d)
{
- if ( !d->domain_id )
+ if ( is_hardware_domain(d) )
continue;
if ( iommu_use_hap_pt(d) )
diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c
index beb3723..9c8e4a3 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1327,7 +1327,7 @@ int domain_context_mapping_one(
return res;
}
- if ( iommu_passthrough && (domain->domain_id == 0) )
+ if ( iommu_passthrough && is_hardware_domain(domain) )
{
context_set_translation_type(*context, CONTEXT_TT_PASS_THRU);
agaw = level_to_agaw(iommu->nr_pt_levels);
@@ -1723,7 +1723,7 @@ static int intel_iommu_map_page(
return 0;
/* do nothing if dom0 and iommu supports pass thru */
- if ( iommu_passthrough && (d->domain_id == 0) )
+ if ( iommu_passthrough && is_hardware_domain(d) )
return 0;
spin_lock(&hd->mapping_lock);
@@ -1767,7 +1767,7 @@ static int intel_iommu_map_page(
static int intel_iommu_unmap_page(struct domain *d, unsigned long gfn)
{
/* Do nothing if dom0 and iommu supports pass thru. */
- if ( iommu_passthrough && (d->domain_id == 0) )
+ if ( iommu_passthrough && is_hardware_domain(d) )
return 0;
dma_pte_clear_one(d, (paddr_t)gfn << PAGE_SHIFT_4K);
@@ -1950,8 +1950,9 @@ static int intel_iommu_remove_device(u8 devfn, struct pci_dev *pdev)
continue;
/*
- * If the device belongs to dom0, and it has RMRR, don't remove
- * it from dom0, because BIOS may use RMRR at booting time.
+ * If the device belongs to the hardware domain, and it has RMRR, don't
+ * remove it from the hardware domain, because BIOS may use RMRR at
+ * booting time.
*/
if ( is_hardware_domain(pdev->domain) )
return 0;
diff --git a/xen/drivers/passthrough/vtd/x86/vtd.c b/xen/drivers/passthrough/vtd/x86/vtd.c
index ca17cb1..f271a42 100644
--- a/xen/drivers/passthrough/vtd/x86/vtd.c
+++ b/xen/drivers/passthrough/vtd/x86/vtd.c
@@ -111,7 +111,7 @@ void __init iommu_set_dom0_mapping(struct domain *d)
{
unsigned long i, j, tmp, top;
- BUG_ON(d->domain_id != 0);
+ BUG_ON(!is_hardware_domain(d));
top = max(max_pdx, pfn_to_pdx(0xffffffffUL >> PAGE_SHIFT) + 1);
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 00f0eba..466949f 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -775,10 +775,10 @@ void watchdog_domain_destroy(struct domain *d);
/*
* Use this check when the following are both true:
* - Using this feature or interface requires full access to the hardware
- * (that is, this is would not be suitable for a driver domain)
+ * (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->is_privileged)
+#define is_hardware_domain(_d) ((_d)->domain_id == 0)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 1/7] xen: use domid check in is_hardware_domain
2014-03-18 21:34 ` [PATCH 1/7] xen: use domid check in is_hardware_domain Daniel De Graaf
@ 2014-03-19 9:03 ` Jan Beulich
0 siblings, 0 replies; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 9:03 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Keir Fraser, Ian Campbell, Tim Deegan, xen-devel,
Stefano Stabellini, Suravee Suthikulpanit, Xiantao Zhang
>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> Instead of checking is_privileged to determine if a domain should
> control the hardware, check that the domain_id is equal to zero (which
> is currently the only domain for which is_privileged is true). This
> allows other places where domain_id is checked for zero to be replaced
> with is_hardware_domain.
>
> The distinction between is_hardware_domain, is_control_domain, and
> domain 0 is based on the following disaggregation model:
>
> Domain 0 bootstraps the system. It may remain to perform requested
> builds of domains that need a minimal trust chain (i.e. vTPM domains).
> Other than being built by the hypervisor, nothing is special about this
> domain - although it may be useful to have is_control_domain() return
> true depending on the toolstack it uses to build other domains.
>
> The hardware domain manages devices for PCI pass-through to driver
> domains or can act as a driver domain itself, depending on the desired
> degree of disaggregation. It is also the domain managing devices that
> do not support pass-through: PCI configuration space access, parsing the
> hardware ACPI tables and system power or machine check events. This is
> the only domain where is_hardware_domain() is true. The return of
> is_control_domain() may be false for this domain.
>
> The control domain manages other domains, controls guest launch and
> shutdown, and manages resource constraints; is_control_domain() returns
> true. The functionality guarded by is_control_domain may in the future
> be adapted to use explicit hypercalls, eliminating the special treatment
> of this domain. It may be reasonable to have multiple control domains
> on a multi-tenant system.
>
> Guest domains and other service or driver domains are all treated
> identically by the hypervisor; the security policy may further constrain
> administrative actions on or communication between these domains.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
> Cc: Keir Fraser <keir@xen.org>
> Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
> Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
> Cc: Tim Deegan <tim@xen.org>
> Cc: Xiantao Zhang <xiantao.zhang@intel.com>
>
> ---
> Changes from v1:
> - Fix up some references to dom0 in comments
> - Show real CPUID values to hardware domain
> - Require xenoprof to be hardware domain due to lack of cleanup on destroy
> - Change a few ( d == dom0 ) references to is_hardware_domain
>
> xen/arch/arm/domain.c | 6 +++---
> xen/arch/arm/gic.c | 4 ++--
> xen/arch/arm/vgic.c | 2 +-
> xen/arch/arm/vtimer.c | 5 +++--
> xen/arch/arm/vuart.c | 2 +-
> xen/arch/x86/cpu/mcheck/vmce.c | 2 +-
> xen/arch/x86/domain.c | 3 ++-
> xen/arch/x86/hvm/i8254.c | 2 +-
> xen/arch/x86/mm.c | 2 +-
> xen/arch/x86/time.c | 4 ++--
> xen/arch/x86/traps.c | 21 +++++++++++----------
> xen/common/domain.c | 6 +++---
> xen/common/kernel.c | 2 +-
> xen/common/xenoprof.c | 8 +++++++-
> xen/drivers/passthrough/amd/pci_amd_iommu.c | 2 +-
> xen/drivers/passthrough/iommu.c | 2 +-
> xen/drivers/passthrough/vtd/iommu.c | 11 ++++++-----
> xen/drivers/passthrough/vtd/x86/vtd.c | 2 +-
> xen/include/xen/sched.h | 4 ++--
> 19 files changed, 50 insertions(+), 40 deletions(-)
>
> diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
> index 46ee486..2c76a8f 100644
> --- a/xen/arch/arm/domain.c
> +++ b/xen/arch/arm/domain.c
> @@ -540,10 +540,10 @@ int arch_domain_create(struct domain *d, unsigned int
> domcr_flags)
>
> /*
> * Virtual UART is only used by linux early printk and decompress code.
> - * Only use it for dom0 because the linux kernel may not support
> - * multi-platform.
> + * Only use it for the hardware domain because the linux kernel may not
> + * support multi-platform.
> */
> - if ( (d->domain_id == 0) && (rc = domain_vuart_init(d)) )
> + if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
> goto fail;
>
> return 0;
> diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
> index 0095b97..8168b7b 100644
> --- a/xen/arch/arm/gic.c
> +++ b/xen/arch/arm/gic.c
> @@ -865,10 +865,10 @@ int gicv_setup(struct domain *d)
> int ret;
>
> /*
> - * Domain 0 gets the hardware address.
> + * The hardware domain gets the hardware address.
> * Guests get the virtual platform layout.
> */
> - if ( d->domain_id == 0 )
> + if ( is_hardware_domain(d) )
> {
> d->arch.vgic.dbase = gic.dbase;
> d->arch.vgic.cbase = gic.cbase;
> diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
> index 553411d..65f48f2 100644
> --- a/xen/arch/arm/vgic.c
> +++ b/xen/arch/arm/vgic.c
> @@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
> /* Currently nr_lines in vgic and gic doesn't have the same meanings
> * Here nr_lines = number of SPIs
> */
> - if ( d->domain_id == 0 )
> + if ( is_hardware_domain(d) )
> d->arch.vgic.nr_lines = gic_number_lines() - 32;
> else
> d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
> diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
> index 3d6a721..cb690bb 100644
> --- a/xen/arch/arm/vtimer.c
> +++ b/xen/arch/arm/vtimer.c
> @@ -54,10 +54,11 @@ int vcpu_domain_init(struct domain *d)
> int vcpu_vtimer_init(struct vcpu *v)
> {
> struct vtimer *t = &v->arch.phys_timer;
> - bool_t d0 = (v->domain == dom0);
> + bool_t d0 = is_hardware_domain(v->domain);
>
> /*
> - * Domain 0 uses the hardware interrupts, guests get the virtual
> platform.
> + * Hardware domain uses the hardware interrupts, guests get the virtual
> + * platform.
> */
>
> init_timer(&t->timer, phys_timer_expired, t, v->processor);
> diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
> index b9d3ced..c02a8a9 100644
> --- a/xen/arch/arm/vuart.c
> +++ b/xen/arch/arm/vuart.c
> @@ -46,7 +46,7 @@
>
> int domain_vuart_init(struct domain *d)
> {
> - ASSERT( !d->domain_id );
> + ASSERT( is_hardware_domain(d) );
>
> d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
> if ( !d->arch.vuart.info )
> diff --git a/xen/arch/x86/cpu/mcheck/vmce.c b/xen/arch/x86/cpu/mcheck/vmce.c
> index ed00f7c..c83375e 100644
> --- a/xen/arch/x86/cpu/mcheck/vmce.c
> +++ b/xen/arch/x86/cpu/mcheck/vmce.c
> @@ -430,7 +430,7 @@ int unmmap_broken_page(struct domain *d, mfn_t mfn,
> unsigned long gfn)
> int rc;
>
> /* Always trust dom0's MCE handler will prevent future access */
> - if ( d == dom0 )
> + if ( is_hardware_domain(d) )
> return 0;
>
> if (!mfn_valid(mfn_x(mfn)))
> diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
> index 0d563de..0cfca2a 100644
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -1504,7 +1504,8 @@ void context_switch(struct vcpu *prev, struct vcpu
> *next)
> }
>
> set_cpuid_faulting(is_pv_vcpu(next) &&
> - (next->domain->domain_id != 0));
> + !is_control_domain(next->domain) &&
> + !is_hardware_domain(next->domain));
> }
>
> if (is_hvm_vcpu(next) && (prev != next) )
> diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
> index f7493b8..6a91f76 100644
> --- a/xen/arch/x86/hvm/i8254.c
> +++ b/xen/arch/x86/hvm/i8254.c
> @@ -540,7 +540,7 @@ int pv_pit_handler(int port, int data, int write)
> .data = data
> };
>
> - if ( (current->domain->domain_id == 0) && dom0_pit_access(&ioreq) )
> + if ( is_hardware_domain(current->domain) && dom0_pit_access(&ioreq) )
> {
> /* nothing to do */;
> }
> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
> index fdc5ed3..ad48acc 100644
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -4787,7 +4787,7 @@ long arch_memory_op(int op,
> XEN_GUEST_HANDLE_PARAM(void) arg)
> .max_mfn = MACH2PHYS_NR_ENTRIES - 1
> };
>
> - if ( !mem_hotplug && current->domain == dom0 )
> + if ( !mem_hotplug && is_hardware_domain(current->domain) )
> mapping.max_mfn = max_page - 1;
> if ( copy_to_guest(arg, &mapping, 1) )
> return -EFAULT;
> diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
> index f904af2..89308bd 100644
> --- a/xen/arch/x86/time.c
> +++ b/xen/arch/x86/time.c
> @@ -1839,7 +1839,7 @@ void tsc_set_info(struct domain *d,
> uint32_t tsc_mode, uint64_t elapsed_nsec,
> uint32_t gtsc_khz, uint32_t incarnation)
> {
> - if ( is_idle_domain(d) || (d->domain_id == 0) )
> + if ( is_idle_domain(d) || is_hardware_domain(d) )
> {
> d->arch.vtsc = 0;
> return;
> @@ -1943,7 +1943,7 @@ static void dump_softtsc(unsigned char key)
> "warp=%lu (count=%lu)\n", tsc_max_warp, tsc_check_count);
> for_each_domain ( d )
> {
> - if ( d->domain_id == 0 && d->arch.tsc_mode == TSC_MODE_DEFAULT )
> + if ( is_hardware_domain(d) && d->arch.tsc_mode == TSC_MODE_DEFAULT )
> continue;
> printk("dom%u%s: mode=%d",d->domain_id,
> is_hvm_domain(d) ? "(hvm)" : "", d->arch.tsc_mode);
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index ed4ae2d..21c8b63 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -732,18 +732,19 @@ int cpuid_hypervisor_leaves( uint32_t idx, uint32_t
> sub_idx,
> void pv_cpuid(struct cpu_user_regs *regs)
> {
> uint32_t a, b, c, d;
> + struct vcpu *curr = current;
>
> a = regs->eax;
> b = regs->ebx;
> c = regs->ecx;
> d = regs->edx;
>
> - if ( current->domain->domain_id != 0 )
> + if ( !is_control_domain(curr->domain) && !is_hardware_domain(curr->domain) )
> {
> unsigned int cpuid_leaf = a, sub_leaf = c;
>
> if ( !cpuid_hypervisor_leaves(a, c, &a, &b, &c, &d) )
> - domain_cpuid(current->domain, a, c, &a, &b, &c, &d);
> + domain_cpuid(curr->domain, a, c, &a, &b, &c, &d);
>
> switch ( cpuid_leaf )
> {
> @@ -751,15 +752,15 @@ void pv_cpuid(struct cpu_user_regs *regs)
> {
> unsigned int _eax, _ebx, _ecx, _edx;
> /* EBX value of main leaf 0 depends on enabled xsave features
> */
> - if ( sub_leaf == 0 && current->arch.xcr0 )
> + if ( sub_leaf == 0 && curr->arch.xcr0 )
> {
> /* reset EBX to default value first */
> b = XSTATE_AREA_MIN_SIZE;
> for ( sub_leaf = 2; sub_leaf < 63; sub_leaf++ )
> {
> - if ( !(current->arch.xcr0 & (1ULL << sub_leaf)) )
> + if ( !(curr->arch.xcr0 & (1ULL << sub_leaf)) )
> continue;
> - domain_cpuid(current->domain, cpuid_leaf, sub_leaf,
> + domain_cpuid(curr->domain, cpuid_leaf, sub_leaf,
> &_eax, &_ebx, &_ecx, &_edx);
> if ( (_eax + _ebx) > b )
> b = _eax + _ebx;
> @@ -796,7 +797,7 @@ void pv_cpuid(struct cpu_user_regs *regs)
> __clear_bit(X86_FEATURE_DS, &d);
> __clear_bit(X86_FEATURE_ACC, &d);
> __clear_bit(X86_FEATURE_PBE, &d);
> - if ( is_pvh_vcpu(current) )
> + if ( is_pvh_vcpu(curr) )
> __clear_bit(X86_FEATURE_MTRR, &d);
>
> __clear_bit(X86_FEATURE_DTES64 % 32, &c);
> @@ -805,7 +806,7 @@ void pv_cpuid(struct cpu_user_regs *regs)
> __clear_bit(X86_FEATURE_VMXE % 32, &c);
> __clear_bit(X86_FEATURE_SMXE % 32, &c);
> __clear_bit(X86_FEATURE_TM2 % 32, &c);
> - if ( is_pv_32bit_vcpu(current) )
> + if ( is_pv_32bit_vcpu(curr) )
> __clear_bit(X86_FEATURE_CX16 % 32, &c);
> __clear_bit(X86_FEATURE_XTPR % 32, &c);
> __clear_bit(X86_FEATURE_PDCM % 32, &c);
> @@ -844,12 +845,12 @@ void pv_cpuid(struct cpu_user_regs *regs)
>
> case 0x80000001:
> /* Modify Feature Information. */
> - if ( is_pv_32bit_vcpu(current) )
> + if ( is_pv_32bit_vcpu(curr) )
> {
> __clear_bit(X86_FEATURE_LM % 32, &d);
> __clear_bit(X86_FEATURE_LAHF_LM % 32, &c);
> }
> - if ( is_pv_32on64_vcpu(current) &&
> + if ( is_pv_32on64_vcpu(curr) &&
> boot_cpu_data.x86_vendor != X86_VENDOR_AMD )
> __clear_bit(X86_FEATURE_SYSCALL % 32, &d);
> __clear_bit(X86_FEATURE_PAGE1GB % 32, &d);
> @@ -1860,7 +1861,7 @@ static inline uint64_t guest_misc_enable(uint64_t val)
> static int is_cpufreq_controller(struct domain *d)
> {
> return ((cpufreq_controller == FREQCTL_dom0_kernel) &&
> - (d->domain_id == 0));
> + is_hardware_domain(d));
> }
>
> #include "x86_64/mmconfig.h"
> diff --git a/xen/common/domain.c b/xen/common/domain.c
> index ad8a1b6..b5868a5 100644
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -237,7 +237,7 @@ struct domain *domain_create(
> else if ( domcr_flags & DOMCRF_pvh )
> d->guest_type = guest_type_pvh;
>
> - if ( domid == 0 )
> + if ( is_hardware_domain(d) )
> {
> d->is_pinned = opt_dom0_vcpus_pin;
> d->disable_migrate = 1;
> @@ -262,7 +262,7 @@ struct domain *domain_create(
> d->is_paused_by_controller = 1;
> atomic_inc(&d->pause_count);
>
> - if ( domid )
> + if ( !is_hardware_domain(d) )
> d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
> else
> d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
> @@ -594,7 +594,7 @@ void domain_shutdown(struct domain *d, u8 reason)
> d->shutdown_code = reason;
> reason = d->shutdown_code;
>
> - if ( d->domain_id == 0 )
> + if ( is_hardware_domain(d) )
> dom0_shutdown(reason);
>
> if ( d->is_shutting_down )
> diff --git a/xen/common/kernel.c b/xen/common/kernel.c
> index b371f8f..7e83353 100644
> --- a/xen/common/kernel.c
> +++ b/xen/common/kernel.c
> @@ -303,7 +303,7 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void)
> arg)
> (1U << XENFEAT_auto_translated_physmap);
> if ( supervisor_mode_kernel )
> fi.submap |= 1U << XENFEAT_supervisor_mode_kernel;
> - if ( current->domain == dom0 )
> + if ( is_hardware_domain(current->domain) )
> fi.submap |= 1U << XENFEAT_dom0;
> #ifdef CONFIG_X86
> switch ( d->guest_type )
> diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
> index 52ab00d..3c30c3e 100644
> --- a/xen/common/xenoprof.c
> +++ b/xen/common/xenoprof.c
> @@ -601,9 +601,15 @@ static int xenoprof_op_init(XEN_GUEST_HANDLE_PARAM(void)
> arg)
> xenoprof_init.cpu_type)) )
> return ret;
>
> + /* Only the hardware domain may become the primary profiler here
> because
> + * there is currently no cleanup of xenoprof_primary_profiler or
> associated
> + * profiling state when the primary profiling domain is shut down or
> + * crashes. Once a better cleanup method is present, it will be
> possible to
> + * allow another domain to be the primary profiler.
> + */
> xenoprof_init.is_primary =
> ((xenoprof_primary_profiler == d) ||
> - ((xenoprof_primary_profiler == NULL) && (d->domain_id == 0)));
> + ((xenoprof_primary_profiler == NULL) && is_hardware_domain(d)));
> if ( xenoprof_init.is_primary )
> xenoprof_primary_profiler = current->domain;
>
> diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c
> b/xen/drivers/passthrough/amd/pci_amd_iommu.c
> index c26aabc..cf67494 100644
> --- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
> +++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
> @@ -122,7 +122,7 @@ static void amd_iommu_setup_domain_device(
>
> BUG_ON( !hd->root_table || !hd->paging_mode || !iommu->dev_table.buffer );
>
> - if ( iommu_passthrough && (domain->domain_id == 0) )
> + if ( iommu_passthrough && is_hardware_domain(domain) )
> valid = 0;
>
> if ( ats_enabled )
> diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
> index 0cf0748..54d891f 100644
> --- a/xen/drivers/passthrough/iommu.c
> +++ b/xen/drivers/passthrough/iommu.c
> @@ -817,7 +817,7 @@ static void iommu_dump_p2m_table(unsigned char key)
> ops = iommu_get_ops();
> for_each_domain(d)
> {
> - if ( !d->domain_id )
> + if ( is_hardware_domain(d) )
> continue;
>
> if ( iommu_use_hap_pt(d) )
> diff --git a/xen/drivers/passthrough/vtd/iommu.c
> b/xen/drivers/passthrough/vtd/iommu.c
> index beb3723..9c8e4a3 100644
> --- a/xen/drivers/passthrough/vtd/iommu.c
> +++ b/xen/drivers/passthrough/vtd/iommu.c
> @@ -1327,7 +1327,7 @@ int domain_context_mapping_one(
> return res;
> }
>
> - if ( iommu_passthrough && (domain->domain_id == 0) )
> + if ( iommu_passthrough && is_hardware_domain(domain) )
> {
> context_set_translation_type(*context, CONTEXT_TT_PASS_THRU);
> agaw = level_to_agaw(iommu->nr_pt_levels);
> @@ -1723,7 +1723,7 @@ static int intel_iommu_map_page(
> return 0;
>
> /* do nothing if dom0 and iommu supports pass thru */
> - if ( iommu_passthrough && (d->domain_id == 0) )
> + if ( iommu_passthrough && is_hardware_domain(d) )
> return 0;
>
> spin_lock(&hd->mapping_lock);
> @@ -1767,7 +1767,7 @@ static int intel_iommu_map_page(
> static int intel_iommu_unmap_page(struct domain *d, unsigned long gfn)
> {
> /* Do nothing if dom0 and iommu supports pass thru. */
> - if ( iommu_passthrough && (d->domain_id == 0) )
> + if ( iommu_passthrough && is_hardware_domain(d) )
> return 0;
>
> dma_pte_clear_one(d, (paddr_t)gfn << PAGE_SHIFT_4K);
> @@ -1950,8 +1950,9 @@ static int intel_iommu_remove_device(u8 devfn, struct
> pci_dev *pdev)
> continue;
>
> /*
> - * If the device belongs to dom0, and it has RMRR, don't remove
> - * it from dom0, because BIOS may use RMRR at booting time.
> + * If the device belongs to the hardware domain, and it has RMRR,
> don't
> + * remove it from the hardware domain, because BIOS may use RMRR at
> + * booting time.
> */
> if ( is_hardware_domain(pdev->domain) )
> return 0;
> diff --git a/xen/drivers/passthrough/vtd/x86/vtd.c
> b/xen/drivers/passthrough/vtd/x86/vtd.c
> index ca17cb1..f271a42 100644
> --- a/xen/drivers/passthrough/vtd/x86/vtd.c
> +++ b/xen/drivers/passthrough/vtd/x86/vtd.c
> @@ -111,7 +111,7 @@ void __init iommu_set_dom0_mapping(struct domain *d)
> {
> unsigned long i, j, tmp, top;
>
> - BUG_ON(d->domain_id != 0);
> + BUG_ON(!is_hardware_domain(d));
>
> top = max(max_pdx, pfn_to_pdx(0xffffffffUL >> PAGE_SHIFT) + 1);
>
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index 00f0eba..466949f 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -775,10 +775,10 @@ void watchdog_domain_destroy(struct domain *d);
> /*
> * Use this check when the following are both true:
> * - Using this feature or interface requires full access to the hardware
> - * (that is, this is would not be suitable for a driver domain)
> + * (that is, this would not be suitable for a driver domain)
> * - There is never a reason to deny dom0 access to this
> */
> -#define is_hardware_domain(_d) ((_d)->is_privileged)
> +#define is_hardware_domain(_d) ((_d)->domain_id == 0)
>
> /* This check is for functionality specific to a control domain */
> #define is_control_domain(_d) ((_d)->is_privileged)
> --
> 1.8.5.3
^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
2014-03-18 21:34 ` [PATCH 1/7] xen: use domid check in is_hardware_domain Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 9:02 ` Jan Beulich
2014-03-18 21:34 ` [PATCH 3/7] xen: prevent 0 from being used as a dynamic domid Daniel De Graaf
` (4 subsequent siblings)
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel
Cc: Daniel De Graaf, Xiantao Zhang, Keir Fraser,
Suravee Suthikulpanit, Jan Beulich
When the hardware domain is split from domain 0, the initialization code
for the hardware domain cannot be in the __init section, since the
actual domain creation happens after these sections have been discarded.
Create a __hwdom_init section designator to annotate these functions,
and control it using the XSM configuration option for now (since XSM is
required to take advantage of the security benefits of disaggregation).
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Xiantao Zhang <xiantao.zhang@intel.com>
---
xen/Rules.mk | 5 +++++
xen/arch/x86/setup.c | 4 ++--
xen/drivers/passthrough/amd/pci_amd_iommu.c | 5 +++--
xen/drivers/passthrough/iommu.c | 6 +++---
xen/drivers/passthrough/pci.c | 4 ++--
xen/drivers/passthrough/vtd/iommu.c | 6 +++---
xen/drivers/passthrough/vtd/quirks.c | 2 +-
xen/drivers/passthrough/vtd/x86/vtd.c | 4 ++--
xen/include/xen/init.h | 8 ++++++++
9 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/xen/Rules.mk b/xen/Rules.mk
index 3a6cec5..2470650 100644
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -41,6 +41,10 @@ ALL_OBJS-y += $(BASEDIR)/xsm/built_in.o
ALL_OBJS-y += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
ALL_OBJS-$(x86) += $(BASEDIR)/crypto/built_in.o
+ifeq ($(x86),y)
+LATE_HWDOM_ENABLE ?= $(XSM_ENABLE)
+endif
+
CFLAGS += -fno-builtin -fno-common
CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
@@ -49,6 +53,7 @@ CFLAGS += -nostdinc
CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
+CFLAGS-$(LATE_HWDOM_ENABLE) += -DLATE_HWDOM_ENABLE
CFLAGS-$(verbose) += -DVERBOSE
CFLAGS-$(crash_debug) += -DCRASH_DEBUG
CFLAGS-$(perfc) += -DPERF_COUNTERS
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 4dbf2b7..13a148c 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1438,7 +1438,7 @@ void arch_get_xen_caps(xen_capabilities_info_t *info)
}
}
-int __init xen_in_range(unsigned long mfn)
+int __hwdom_init xen_in_range(unsigned long mfn)
{
paddr_t start, end;
int i;
@@ -1446,7 +1446,7 @@ int __init xen_in_range(unsigned long mfn)
enum { region_s3, region_text, region_bss, nr_regions };
static struct {
paddr_t s, e;
- } xen_regions[nr_regions] __initdata;
+ } xen_regions[nr_regions] __hwdom_initdata;
/* initialize first time */
if ( !xen_regions[0].s )
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index cf67494..ff5f06e 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -169,7 +169,8 @@ static void amd_iommu_setup_domain_device(
}
}
-static int __init amd_iommu_setup_dom0_device(u8 devfn, struct pci_dev *pdev)
+static int __hwdom_init amd_iommu_setup_dom0_device(
+ u8 devfn, struct pci_dev *pdev)
{
int bdf = PCI_BDF2(pdev->bus, pdev->devfn);
struct amd_iommu *iommu = find_iommu_for_device(pdev->seg, bdf);
@@ -280,7 +281,7 @@ static int amd_iommu_domain_init(struct domain *d)
return 0;
}
-static void __init amd_iommu_dom0_init(struct domain *d)
+static void __hwdom_init amd_iommu_dom0_init(struct domain *d)
{
unsigned long i;
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index 54d891f..c12d27f 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -45,7 +45,7 @@ custom_param("iommu", parse_iommu_param);
bool_t __initdata iommu_enable = 1;
bool_t __read_mostly iommu_enabled;
bool_t __read_mostly force_iommu;
-bool_t __initdata iommu_dom0_strict;
+bool_t __read_mostly iommu_dom0_strict;
bool_t __read_mostly iommu_verbose;
bool_t __read_mostly iommu_workaround_bios_bug;
bool_t __read_mostly iommu_passthrough;
@@ -130,7 +130,7 @@ int iommu_domain_init(struct domain *d)
return hd->platform_ops->init(d);
}
-static __init void check_dom0_pvh_reqs(struct domain *d)
+static void __hwdom_init check_dom0_pvh_reqs(struct domain *d)
{
if ( !iommu_enabled )
panic("Presently, iommu must be enabled for pvh dom0\n");
@@ -141,7 +141,7 @@ static __init void check_dom0_pvh_reqs(struct domain *d)
iommu_dom0_strict = 1;
}
-void __init iommu_dom0_init(struct domain *d)
+void __hwdom_init iommu_dom0_init(struct domain *d)
{
struct hvm_iommu *hd = domain_hvm_iommu(d);
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index ff78142..dfa195a 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -893,7 +893,7 @@ static void setup_one_dom0_device(const struct setup_dom0 *ctxt,
PCI_SLOT(devfn) == PCI_SLOT(pdev->devfn) );
}
-static int __init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
+static int __hwdom_init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
{
struct setup_dom0 *ctxt = arg;
int bus, devfn;
@@ -943,7 +943,7 @@ static int __init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
return 0;
}
-void __init setup_dom0_pci_devices(
+void __hwdom_init setup_dom0_pci_devices(
struct domain *d, int (*handler)(u8 devfn, struct pci_dev *))
{
struct setup_dom0 ctxt = { .d = d, .handler = handler };
diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c
index 9c8e4a3..d22d518 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1242,7 +1242,7 @@ static int intel_iommu_domain_init(struct domain *d)
return 0;
}
-static void __init intel_iommu_dom0_init(struct domain *d)
+static void __hwdom_init intel_iommu_dom0_init(struct domain *d)
{
struct acpi_drhd_unit *drhd;
@@ -1992,7 +1992,7 @@ static int intel_iommu_remove_device(u8 devfn, struct pci_dev *pdev)
return domain_context_unmap(pdev->domain, devfn, pdev);
}
-static int __init setup_dom0_device(u8 devfn, struct pci_dev *pdev)
+static int __hwdom_init setup_dom0_device(u8 devfn, struct pci_dev *pdev)
{
int err;
@@ -2140,7 +2140,7 @@ static int init_vtd_hw(void)
return 0;
}
-static void __init setup_dom0_rmrr(struct domain *d)
+static void __hwdom_init setup_dom0_rmrr(struct domain *d)
{
struct acpi_rmrr_unit *rmrr;
u16 bdf;
diff --git a/xen/drivers/passthrough/vtd/quirks.c b/xen/drivers/passthrough/vtd/quirks.c
index 7f6c3a7..fbba23b 100644
--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -384,7 +384,7 @@ void me_wifi_quirk(struct domain *domain, u8 bus, u8 devfn, int map)
* - This can cause system failure upon non-fatal VT-d faults
* - Potential security issue if malicious guest trigger VT-d faults
*/
-void __init pci_vtd_quirk(struct pci_dev *pdev)
+void __hwdom_init pci_vtd_quirk(struct pci_dev *pdev)
{
int seg = pdev->seg;
int bus = pdev->bus;
diff --git a/xen/drivers/passthrough/vtd/x86/vtd.c b/xen/drivers/passthrough/vtd/x86/vtd.c
index f271a42..2a33b38 100644
--- a/xen/drivers/passthrough/vtd/x86/vtd.c
+++ b/xen/drivers/passthrough/vtd/x86/vtd.c
@@ -36,7 +36,7 @@
* iommu_inclusive_mapping: when set, all memory below 4GB is included in dom0
* 1:1 iommu mappings except xen and unusable regions.
*/
-static bool_t __initdata iommu_inclusive_mapping = 1;
+static bool_t __read_mostly iommu_inclusive_mapping = 1;
boolean_param("iommu_inclusive_mapping", iommu_inclusive_mapping);
void *map_vtd_domain_page(u64 maddr)
@@ -107,7 +107,7 @@ void hvm_dpci_isairq_eoi(struct domain *d, unsigned int isairq)
spin_unlock(&d->event_lock);
}
-void __init iommu_set_dom0_mapping(struct domain *d)
+void __hwdom_init iommu_set_dom0_mapping(struct domain *d)
{
unsigned long i, j, tmp, top;
diff --git a/xen/include/xen/init.h b/xen/include/xen/init.h
index 9d481b3..81091553 100644
--- a/xen/include/xen/init.h
+++ b/xen/include/xen/init.h
@@ -16,6 +16,14 @@
#define __init_call(lvl) __used_section(".initcall" lvl ".init")
#define __exit_call __used_section(".exitcall.exit")
+#ifdef LATE_HWDOM_ENABLE
+#define __hwdom_init /* nothing */
+#define __hwdom_initdata /* nothing */
+#else
+#define __hwdom_init __init
+#define __hwdom_initdata __initdata
+#endif
+
/* These macros are used to mark some functions or
* initialized data (doesn't apply to uninitialized data)
* as `initialization' functions. The kernel can take this
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init
2014-03-18 21:34 ` [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init Daniel De Graaf
@ 2014-03-19 9:02 ` Jan Beulich
2014-03-19 14:06 ` Daniel De Graaf
0 siblings, 1 reply; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 9:02 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Keir Fraser, Xiantao Zhang, Suravee Suthikulpanit, xen-devel
>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> --- a/xen/Rules.mk
> +++ b/xen/Rules.mk
> @@ -41,6 +41,10 @@ ALL_OBJS-y += $(BASEDIR)/xsm/built_in.o
> ALL_OBJS-y += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
> ALL_OBJS-$(x86) += $(BASEDIR)/crypto/built_in.o
>
> +ifeq ($(x86),y)
> +LATE_HWDOM_ENABLE ?= $(XSM_ENABLE)
> +endif
> +
> CFLAGS += -fno-builtin -fno-common
> CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
> CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
> @@ -49,6 +53,7 @@ CFLAGS += -nostdinc
> CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
> CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
> CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
> +CFLAGS-$(LATE_HWDOM_ENABLE) += -DLATE_HWDOM_ENABLE
You don't really need the make level definition, and it would seem
better to me to set CONFIG_LATE_HWDOM in asm/config.h instead
(we should really try to avoid adding further -D options here, and
instead see to remove some of what's there already - only options
needed at the make level _and_ at the source level are imo valid
candidates to go here).
> --- a/xen/drivers/passthrough/iommu.c
> +++ b/xen/drivers/passthrough/iommu.c
> @@ -45,7 +45,7 @@ custom_param("iommu", parse_iommu_param);
> bool_t __initdata iommu_enable = 1;
> bool_t __read_mostly iommu_enabled;
> bool_t __read_mostly force_iommu;
> -bool_t __initdata iommu_dom0_strict;
> +bool_t __read_mostly iommu_dom0_strict;
Wouldn't this rather be __hwdom_initdata now?
> --- a/xen/drivers/passthrough/vtd/x86/vtd.c
> +++ b/xen/drivers/passthrough/vtd/x86/vtd.c
> @@ -36,7 +36,7 @@
> * iommu_inclusive_mapping: when set, all memory below 4GB is included in dom0
> * 1:1 iommu mappings except xen and unusable regions.
> */
> -static bool_t __initdata iommu_inclusive_mapping = 1;
> +static bool_t __read_mostly iommu_inclusive_mapping = 1;
Same here?
Jan
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init
2014-03-19 9:02 ` Jan Beulich
@ 2014-03-19 14:06 ` Daniel De Graaf
2014-03-19 14:14 ` Jan Beulich
0 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-19 14:06 UTC (permalink / raw)
To: Jan Beulich; +Cc: Keir Fraser, Xiantao Zhang, Suravee Suthikulpanit, xen-devel
On 03/19/2014 05:02 AM, Jan Beulich wrote:
>>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>> --- a/xen/Rules.mk
>> +++ b/xen/Rules.mk
>> @@ -41,6 +41,10 @@ ALL_OBJS-y += $(BASEDIR)/xsm/built_in.o
>> ALL_OBJS-y += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
>> ALL_OBJS-$(x86) += $(BASEDIR)/crypto/built_in.o
>>
>> +ifeq ($(x86),y)
>> +LATE_HWDOM_ENABLE ?= $(XSM_ENABLE)
>> +endif
>> +
>> CFLAGS += -fno-builtin -fno-common
>> CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
>> CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
>> @@ -49,6 +53,7 @@ CFLAGS += -nostdinc
>> CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
>> CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
>> CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
>> +CFLAGS-$(LATE_HWDOM_ENABLE) += -DLATE_HWDOM_ENABLE
>
> You don't really need the make level definition, and it would seem
> better to me to set CONFIG_LATE_HWDOM in asm/config.h instead
> (we should really try to avoid adding further -D options here, and
> instead see to remove some of what's there already - only options
> needed at the make level _and_ at the source level are imo valid
> candidates to go here).
OK. I think I can clean up some of the other XSM defines in that case,
especially as it is no longer reasonable to enable XSM without FLASK.
That change will be independent of this patch series, however.
>> --- a/xen/drivers/passthrough/iommu.c
>> +++ b/xen/drivers/passthrough/iommu.c
>> @@ -45,7 +45,7 @@ custom_param("iommu", parse_iommu_param);
>> bool_t __initdata iommu_enable = 1;
>> bool_t __read_mostly iommu_enabled;
>> bool_t __read_mostly force_iommu;
>> -bool_t __initdata iommu_dom0_strict;
>> +bool_t __read_mostly iommu_dom0_strict;
>
> Wouldn't this rather be __hwdom_initdata now?
I was trying to avoid making a __hwdom_initdata_or_read_mostly symbol to
just save two bytes of theoretical memory (with zero actual savings due
to alignment). I can do that if it's preferred.
>
>> --- a/xen/drivers/passthrough/vtd/x86/vtd.c
>> +++ b/xen/drivers/passthrough/vtd/x86/vtd.c
>> @@ -36,7 +36,7 @@
>> * iommu_inclusive_mapping: when set, all memory below 4GB is included in dom0
>> * 1:1 iommu mappings except xen and unusable regions.
>> */
>> -static bool_t __initdata iommu_inclusive_mapping = 1;
>> +static bool_t __read_mostly iommu_inclusive_mapping = 1;
>
> Same here?
>
> Jan
>
>
>
--
Daniel De Graaf
National Security Agency
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init
2014-03-19 14:06 ` Daniel De Graaf
@ 2014-03-19 14:14 ` Jan Beulich
0 siblings, 0 replies; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 14:14 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Keir Fraser, Xiantao Zhang, Suravee Suthikulpanit, xen-devel
>>> On 19.03.14 at 15:06, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> On 03/19/2014 05:02 AM, Jan Beulich wrote:
>>>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>>> --- a/xen/Rules.mk
>>> +++ b/xen/Rules.mk
>>> @@ -41,6 +41,10 @@ ALL_OBJS-y += $(BASEDIR)/xsm/built_in.o
>>> ALL_OBJS-y += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
>>> ALL_OBJS-$(x86) += $(BASEDIR)/crypto/built_in.o
>>>
>>> +ifeq ($(x86),y)
>>> +LATE_HWDOM_ENABLE ?= $(XSM_ENABLE)
>>> +endif
>>> +
>>> CFLAGS += -fno-builtin -fno-common
>>> CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith
>>> CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h
>>> @@ -49,6 +53,7 @@ CFLAGS += -nostdinc
>>> CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
>>> CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
>>> CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
>>> +CFLAGS-$(LATE_HWDOM_ENABLE) += -DLATE_HWDOM_ENABLE
>>
>> You don't really need the make level definition, and it would seem
>> better to me to set CONFIG_LATE_HWDOM in asm/config.h instead
>> (we should really try to avoid adding further -D options here, and
>> instead see to remove some of what's there already - only options
>> needed at the make level _and_ at the source level are imo valid
>> candidates to go here).
>
> OK. I think I can clean up some of the other XSM defines in that case,
> especially as it is no longer reasonable to enable XSM without FLASK.
> That change will be independent of this patch series, however.
Of course.
>>> --- a/xen/drivers/passthrough/iommu.c
>>> +++ b/xen/drivers/passthrough/iommu.c
>>> @@ -45,7 +45,7 @@ custom_param("iommu", parse_iommu_param);
>>> bool_t __initdata iommu_enable = 1;
>>> bool_t __read_mostly iommu_enabled;
>>> bool_t __read_mostly force_iommu;
>>> -bool_t __initdata iommu_dom0_strict;
>>> +bool_t __read_mostly iommu_dom0_strict;
>>
>> Wouldn't this rather be __hwdom_initdata now?
>
> I was trying to avoid making a __hwdom_initdata_or_read_mostly symbol to
> just save two bytes of theoretical memory (with zero actual savings due
> to alignment). I can do that if it's preferred.
No need to - just use __hwdom_initdata. Depending on the other
uses of it, it might be appropriate to always make this an alias of
__read_mostly in the XSM-enabled case.
Jan
^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH 3/7] xen: prevent 0 from being used as a dynamic domid
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
2014-03-18 21:34 ` [PATCH 1/7] xen: use domid check in is_hardware_domain Daniel De Graaf
2014-03-18 21:34 ` [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-18 21:34 ` [PATCH 4/7] xen: rename dom0 to hardware_domain Daniel De Graaf
` (3 subsequent siblings)
6 siblings, 0 replies; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Keir Fraser
When the hardware domain is made distinct from dom0, it becomes possible
to shut down and destroy domain 0 while leaving the hypervisor running.
If this happens, prevent this domain ID from being considered for
allocation to a new guest.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Keir Fraser <keir@xen.org>
---
xen/common/domctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 7cf610a..eebeee7 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -436,7 +436,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
for ( dom = rover + 1; dom != rover; dom++ )
{
if ( dom == DOMID_FIRST_RESERVED )
- dom = 0;
+ dom = 1;
if ( is_free_domid(dom) )
break;
}
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* [PATCH 4/7] xen: rename dom0 to hardware_domain
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
` (2 preceding siblings ...)
2014-03-18 21:34 ` [PATCH 3/7] xen: prevent 0 from being used as a dynamic domid Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 9:09 ` Jan Beulich
2014-03-18 21:34 ` [PATCH 5/7] xen: rename various functions referencing dom0 Daniel De Graaf
` (2 subsequent siblings)
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel
Cc: Liu Jinsong, Ian Campbell, Christoph Egger, Tim Deegan,
Stefano Stabellini, Jan Beulich, Daniel De Graaf,
Suravee Suthikulpanit, Xiantao Zhang
This should not change any functionality other than renaming the global
variable. In a few cases (primarily the domain building code), a local
variable named dom0 was created and used instead of the global to
clarify that the domain being used in this case is actually domain 0.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
Cc: Tim Deegan <tim@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Liu Jinsong <jinsong.liu@intel.com>
Cc: Christoph Egger <chegger@amazon.de>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Xiantao Zhang <xiantao.zhang@intel.com>
---
xen/arch/arm/domain_build.c | 2 ++
xen/arch/arm/setup.c | 3 ++-
xen/arch/x86/acpi/cpu_idle.c | 2 +-
xen/arch/x86/cpu/mcheck/vmce.h | 5 ++--
xen/arch/x86/crash.c | 2 +-
xen/arch/x86/domain_build.c | 36 +++++++++++++++--------------
xen/arch/x86/io_apic.c | 8 +++----
xen/arch/x86/irq.c | 8 +++----
xen/arch/x86/mm.c | 2 +-
xen/arch/x86/nmi.c | 2 +-
xen/arch/x86/setup.c | 3 ++-
xen/arch/x86/traps.c | 2 +-
xen/arch/x86/x86_64/mm.c | 6 ++---
xen/common/domain.c | 2 +-
xen/common/event_channel.c | 2 +-
xen/common/kexec.c | 2 +-
xen/common/keyhandler.c | 4 ++--
xen/common/xenoprof.c | 2 +-
xen/drivers/char/ns16550.c | 4 +++-
xen/drivers/passthrough/amd/pci_amd_iommu.c | 2 +-
xen/drivers/passthrough/iommu.c | 10 ++++----
xen/drivers/passthrough/pci.c | 4 ++--
xen/drivers/passthrough/vtd/iommu.c | 4 ++--
xen/include/asm-arm/domain.h | 2 +-
xen/include/xen/sched.h | 4 ++--
25 files changed, 66 insertions(+), 57 deletions(-)
diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index d3345bf..a293bf9 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -52,6 +52,8 @@ custom_param("dom0_mem", parse_dom0_mem);
struct vcpu *__init alloc_dom0_vcpu0(void)
{
+ struct domain *dom0 = hardware_domain;
+
if ( opt_dom0_max_vcpus == 0 )
opt_dom0_max_vcpus = num_online_cpus();
if ( opt_dom0_max_vcpus > MAX_VIRT_CPUS )
diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 4a3016a..f9e7d50 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -661,6 +661,7 @@ void __init start_xen(unsigned long boot_phys_offset,
size_t fdt_size;
int cpus, i;
const char *cmdline;
+ struct domain *dom0;
setup_cache();
@@ -757,7 +758,7 @@ void __init start_xen(unsigned long boot_phys_offset,
do_initcalls();
/* Create initial domain 0. */
- dom0 = domain_create(0, 0, 0);
+ hardware_domain = dom0 = domain_create(0, 0, 0);
if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
panic("Error creating domain 0");
diff --git a/xen/arch/x86/acpi/cpu_idle.c b/xen/arch/x86/acpi/cpu_idle.c
index d2119e2..b05fb39 100644
--- a/xen/arch/x86/acpi/cpu_idle.c
+++ b/xen/arch/x86/acpi/cpu_idle.c
@@ -972,7 +972,7 @@ static void set_cx(
cx->entry_method = ACPI_CSTATE_EM_HALT;
break;
case ACPI_ADR_SPACE_SYSTEM_IO:
- if ( ioports_deny_access(dom0, cx->address, cx->address) )
+ if ( ioports_deny_access(hardware_domain, cx->address, cx->address) )
printk(XENLOG_WARNING "Could not deny access to port %04x\n",
cx->address);
cx->entry_method = ACPI_CSTATE_EM_SYSIO;
diff --git a/xen/arch/x86/cpu/mcheck/vmce.h b/xen/arch/x86/cpu/mcheck/vmce.h
index 6b2c95a..163ce3c 100644
--- a/xen/arch/x86/cpu/mcheck/vmce.h
+++ b/xen/arch/x86/cpu/mcheck/vmce.h
@@ -5,8 +5,9 @@
int vmce_init(struct cpuinfo_x86 *c);
-#define dom0_vmce_enabled() (dom0 && dom0->max_vcpus && dom0->vcpu[0] \
- && guest_enabled_event(dom0->vcpu[0], VIRQ_MCA))
+#define dom0_vmce_enabled() (hardware_domain && hardware_domain->max_vcpus \
+ && hardware_domain->vcpu[0] \
+ && guest_enabled_event(hardware_domain->vcpu[0], VIRQ_MCA))
int unmmap_broken_page(struct domain *d, mfn_t mfn, unsigned long gfn);
diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c
index ec586bd..aed3b3e 100644
--- a/xen/arch/x86/crash.c
+++ b/xen/arch/x86/crash.c
@@ -205,7 +205,7 @@ void machine_crash_shutdown(void)
info = kexec_crash_save_info();
info->xen_phys_start = xen_phys_start;
info->dom0_pfn_to_mfn_frame_list_list =
- arch_get_pfn_to_mfn_frame_list_list(dom0);
+ arch_get_pfn_to_mfn_frame_list_list(hardware_domain);
}
/*
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index 84ce392..e251d61 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -103,6 +103,7 @@ custom_param("dom0_max_vcpus", parse_dom0_max_vcpus);
struct vcpu *__init alloc_dom0_vcpu0(void)
{
unsigned max_vcpus;
+ struct domain *dom0 = hardware_domain;
max_vcpus = num_cpupool_cpus(cpupool0);
if ( opt_dom0_max_vcpus_min > max_vcpus )
@@ -302,7 +303,7 @@ static void __init process_dom0_ioports_disable(void)
printk("Disabling dom0 access to ioport range %04lx-%04lx\n",
io_from, io_to);
- if ( ioports_deny_access(dom0, io_from, io_to) != 0 )
+ if ( ioports_deny_access(hardware_domain, io_from, io_to) != 0 )
BUG();
}
}
@@ -1082,27 +1083,28 @@ int __init construct_dom0(
rc = 0;
- /* DOM0 is permitted full I/O capabilities. */
- rc |= ioports_permit_access(dom0, 0, 0xFFFF);
- rc |= iomem_permit_access(dom0, 0UL, ~0UL);
- rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
+ /* The hardware domain is initially permitted full I/O capabilities. */
+ rc |= ioports_permit_access(hardware_domain, 0, 0xFFFF);
+ rc |= iomem_permit_access(hardware_domain, 0UL, ~0UL);
+ rc |= irqs_permit_access(hardware_domain, 1, nr_irqs_gsi - 1);
/*
* Modify I/O port access permissions.
*/
/* Master Interrupt Controller (PIC). */
- rc |= ioports_deny_access(dom0, 0x20, 0x21);
+ rc |= ioports_deny_access(hardware_domain, 0x20, 0x21);
/* Slave Interrupt Controller (PIC). */
- rc |= ioports_deny_access(dom0, 0xA0, 0xA1);
+ rc |= ioports_deny_access(hardware_domain, 0xA0, 0xA1);
/* Interval Timer (PIT). */
- rc |= ioports_deny_access(dom0, 0x40, 0x43);
+ rc |= ioports_deny_access(hardware_domain, 0x40, 0x43);
/* PIT Channel 2 / PC Speaker Control. */
- rc |= ioports_deny_access(dom0, 0x61, 0x61);
+ rc |= ioports_deny_access(hardware_domain, 0x61, 0x61);
/* ACPI PM Timer. */
if ( pmtmr_ioport )
- rc |= ioports_deny_access(dom0, pmtmr_ioport, pmtmr_ioport + 3);
+ rc |= ioports_deny_access(hardware_domain, pmtmr_ioport,
+ pmtmr_ioport + 3);
/* PCI configuration space (NB. 0xcf8 has special treatment). */
- rc |= ioports_deny_access(dom0, 0xcfc, 0xcff);
+ rc |= ioports_deny_access(hardware_domain, 0xcfc, 0xcff);
/* Command-line I/O ranges. */
process_dom0_ioports_disable();
@@ -1113,22 +1115,22 @@ int __init construct_dom0(
if ( mp_lapic_addr != 0 )
{
mfn = paddr_to_pfn(mp_lapic_addr);
- rc |= iomem_deny_access(dom0, mfn, mfn);
+ rc |= iomem_deny_access(hardware_domain, mfn, mfn);
}
/* I/O APICs. */
for ( i = 0; i < nr_ioapics; i++ )
{
mfn = paddr_to_pfn(mp_ioapics[i].mpc_apicaddr);
if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
- rc |= iomem_deny_access(dom0, mfn, mfn);
+ rc |= iomem_deny_access(hardware_domain, mfn, mfn);
}
/* MSI range. */
- rc |= iomem_deny_access(dom0, paddr_to_pfn(MSI_ADDR_BASE_LO),
+ rc |= iomem_deny_access(hardware_domain, paddr_to_pfn(MSI_ADDR_BASE_LO),
paddr_to_pfn(MSI_ADDR_BASE_LO +
MSI_ADDR_DEST_ID_MASK));
/* HyperTransport range. */
if ( boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- rc |= iomem_deny_access(dom0, paddr_to_pfn(0xfdULL << 32),
+ rc |= iomem_deny_access(hardware_domain, paddr_to_pfn(0xfdULL << 32),
paddr_to_pfn((1ULL << 40) - 1));
/* Remove access to E820_UNUSABLE I/O regions above 1MB. */
@@ -1140,7 +1142,7 @@ int __init construct_dom0(
if ( (e820.map[i].type == E820_UNUSABLE) &&
(e820.map[i].size != 0) &&
(sfn <= efn) )
- rc |= iomem_deny_access(dom0, sfn, efn);
+ rc |= iomem_deny_access(hardware_domain, sfn, efn);
}
BUG_ON(rc != 0);
@@ -1149,7 +1151,7 @@ int __init construct_dom0(
printk(" Xen warning: dom0 kernel broken ELF: %s\n",
elf_check_broken(&elf));
- iommu_dom0_init(dom0);
+ iommu_dom0_init(hardware_domain);
return 0;
out:
diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index bddc588..4e6fe2b 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -2363,7 +2363,7 @@ int ioapic_guest_write(unsigned long physbase, unsigned int reg, u32 val)
* that dom0 pirq == irq.
*/
pirq = (irq >= 256) ? irq : rte.vector;
- if ( (pirq < 0) || (pirq >= dom0->nr_pirqs) )
+ if ( (pirq < 0) || (pirq >= hardware_domain->nr_pirqs) )
return -EINVAL;
if ( desc->action )
@@ -2399,10 +2399,10 @@ int ioapic_guest_write(unsigned long physbase, unsigned int reg, u32 val)
printk(XENLOG_INFO "allocated vector %02x for irq %d\n", ret, irq);
}
- spin_lock(&dom0->event_lock);
- ret = map_domain_pirq(dom0, pirq, irq,
+ spin_lock(&hardware_domain->event_lock);
+ ret = map_domain_pirq(hardware_domain, pirq, irq,
MAP_PIRQ_TYPE_GSI, NULL);
- spin_unlock(&dom0->event_lock);
+ spin_unlock(&hardware_domain->event_lock);
if ( ret < 0 )
return ret;
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index 88444be..ca68f92 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -185,9 +185,9 @@ int create_irq(int node)
desc->arch.used = IRQ_UNUSED;
irq = ret;
}
- else if ( dom0 )
+ else if ( hardware_domain )
{
- ret = irq_permit_access(dom0, irq);
+ ret = irq_permit_access(hardware_domain, irq);
if ( ret )
printk(XENLOG_G_ERR
"Could not grant Dom0 access to IRQ%d (error %d)\n",
@@ -205,9 +205,9 @@ void destroy_irq(unsigned int irq)
BUG_ON(!MSI_IRQ(irq));
- if ( dom0 )
+ if ( hardware_domain )
{
- int err = irq_deny_access(dom0, irq);
+ int err = irq_deny_access(hardware_domain, irq);
if ( err )
printk(XENLOG_G_ERR
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index ad48acc..b9a54a5 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -5222,7 +5222,7 @@ void *alloc_xen_pagetable(void)
{
void *ptr = alloc_xenheap_page();
- BUG_ON(!dom0 && !ptr);
+ BUG_ON(!hardware_domain && !ptr);
return ptr;
}
diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c
index c67a9c3..526020b 100644
--- a/xen/arch/x86/nmi.c
+++ b/xen/arch/x86/nmi.c
@@ -519,7 +519,7 @@ static void do_nmi_stats(unsigned char key)
for_each_online_cpu ( i )
printk("%3d\t%3d\n", i, nmi_count(i));
- if ( ((d = dom0) == NULL) || (d->vcpu == NULL) ||
+ if ( ((d = hardware_domain) == NULL) || (d->vcpu == NULL) ||
((v = d->vcpu[0]) == NULL) )
return;
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 13a148c..b4514c3 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -547,6 +547,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
unsigned long nr_pages, raw_max_page, modules_headroom, *module_map;
int i, j, e820_warn = 0, bytes = 0;
bool_t acpi_boot_table_init_done = 0;
+ struct domain *dom0;
struct ns16550_defaults ns16550 = {
.data_bits = 8,
.parity = 'n',
@@ -1338,7 +1339,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
panic("Could not protect TXT memory regions");
/* Create initial domain 0. */
- dom0 = domain_create(0, DOMCRF_s3_integrity, 0);
+ hardware_domain = dom0 = domain_create(0, DOMCRF_s3_integrity, 0);
if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
panic("Error creating domain 0");
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 21c8b63..e5c1269 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -3152,7 +3152,7 @@ void async_exception_cleanup(struct vcpu *curr)
static void nmi_dom0_report(unsigned int reason_idx)
{
- struct domain *d = dom0;
+ struct domain *d = hardware_domain;
if ( (d == NULL) || (d->vcpu == NULL) || (d->vcpu[0] == NULL) )
return;
diff --git a/xen/arch/x86/x86_64/mm.c b/xen/arch/x86/x86_64/mm.c
index f6ea012..71ae519 100644
--- a/xen/arch/x86/x86_64/mm.c
+++ b/xen/arch/x86/x86_64/mm.c
@@ -1447,15 +1447,15 @@ int memory_add(unsigned long spfn, unsigned long epfn, unsigned int pxm)
if ( ret )
goto destroy_m2p;
- if ( !need_iommu(dom0) )
+ if ( !need_iommu(hardware_domain) )
{
for ( i = spfn; i < epfn; i++ )
- if ( iommu_map_page(dom0, i, i, IOMMUF_readable|IOMMUF_writable) )
+ if ( iommu_map_page(hardware_domain, i, i, IOMMUF_readable|IOMMUF_writable) )
break;
if ( i != epfn )
{
while (i-- > old_max)
- iommu_unmap_page(dom0, i);
+ iommu_unmap_page(hardware_domain, i);
goto destroy_m2p;
}
}
diff --git a/xen/common/domain.c b/xen/common/domain.c
index b5868a5..94890b7 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -59,7 +59,7 @@ DEFINE_RCU_READ_LOCK(domlist_read_lock);
static struct domain *domain_hash[DOMAIN_HASH_SIZE];
struct domain *domain_list;
-struct domain *dom0;
+struct domain *hardware_domain;
struct vcpu *idle_vcpu[NR_CPUS] __read_mostly;
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index db952af..51fd63d 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -743,7 +743,7 @@ void send_global_virq(uint32_t virq)
ASSERT(virq < NR_VIRQS);
ASSERT(virq_is_global(virq));
- send_guest_global_virq(global_virq_handlers[virq] ?: dom0, virq);
+ send_guest_global_virq(global_virq_handlers[virq] ?: hardware_domain, virq);
}
int set_global_virq_handler(struct domain *d, uint32_t virq)
diff --git a/xen/common/kexec.c b/xen/common/kexec.c
index 23d964e..2239ee8 100644
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -872,7 +872,7 @@ static int kexec_load_slot(struct kexec_image *kimage)
static uint16_t kexec_load_v1_arch(void)
{
#ifdef CONFIG_X86
- return is_pv_32on64_domain(dom0) ? EM_386 : EM_X86_64;
+ return is_pv_32on64_domain(hardware_domain) ? EM_386 : EM_X86_64;
#else
return EM_NONE;
#endif
diff --git a/xen/common/keyhandler.c b/xen/common/keyhandler.c
index 5a974b1..627ef99 100644
--- a/xen/common/keyhandler.c
+++ b/xen/common/keyhandler.c
@@ -172,12 +172,12 @@ static void dump_dom0_registers(unsigned char key)
{
struct vcpu *v;
- if ( dom0 == NULL )
+ if ( hardware_domain == NULL )
return;
printk("'%c' pressed -> dumping Dom0's registers\n", key);
- for_each_vcpu ( dom0, v )
+ for_each_vcpu ( hardware_domain, v )
{
if ( alt_key_handling && softirq_pending(smp_processor_id()) )
{
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 3c30c3e..3de20b8 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -219,7 +219,7 @@ static int alloc_xenoprof_struct(
bufsize = sizeof(struct xenoprof_buf);
i = sizeof(struct event_log);
#ifdef CONFIG_COMPAT
- d->xenoprof->is_compat = is_pv_32on64_domain(is_passive ? dom0 : d);
+ d->xenoprof->is_compat = is_pv_32on64_domain(is_passive ? hardware_domain : d);
if ( XENOPROF_COMPAT(d->xenoprof) )
{
bufsize = sizeof(struct compat_oprof_buf);
diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
index 429d786..d437bbf 100644
--- a/xen/drivers/char/ns16550.c
+++ b/xen/drivers/char/ns16550.c
@@ -703,10 +703,12 @@ static void __init ns16550_endboot(struct serial_port *port)
{
#ifdef HAS_IOPORTS
struct ns16550 *uart = port->uart;
+ int rv;
if ( uart->remapped_io_base )
return;
- if ( ioports_deny_access(dom0, uart->io_base, uart->io_base + 7) != 0 )
+ rv = ioports_deny_access(hardware_domain, uart->io_base, uart->io_base + 7);
+ if ( rv != 0 )
BUG();
#endif
}
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index ff5f06e..031480f 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -403,7 +403,7 @@ static int amd_iommu_assign_device(struct domain *d, u8 devfn,
ivrs_mappings[req_id].read_permission);
}
- return reassign_device(dom0, d, devfn, pdev);
+ return reassign_device(hardware_domain, d, devfn, pdev);
}
static void deallocate_next_page_table(struct page_info *pg, int level)
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index c12d27f..f561186 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -265,7 +265,7 @@ static void iommu_teardown(struct domain *d)
}
/*
- * If the device isn't owned by dom0, it means it already
+ * If the device isn't owned by the hardware domain, it means it already
* has been assigned to other domain, or it doesn't exist.
*/
static int device_assigned(u16 seg, u8 bus, u8 devfn)
@@ -273,7 +273,7 @@ static int device_assigned(u16 seg, u8 bus, u8 devfn)
struct pci_dev *pdev;
spin_lock(&pcidevs_lock);
- pdev = pci_get_pdev_by_domain(dom0, seg, bus, devfn);
+ pdev = pci_get_pdev_by_domain(hardware_domain, seg, bus, devfn);
spin_unlock(&pcidevs_lock);
return pdev ? 0 : -EBUSY;
@@ -312,7 +312,7 @@ static int assign_device(struct domain *d, u16 seg, u8 bus, u8 devfn)
d->need_iommu = 1;
}
- pdev = pci_get_pdev_by_domain(dom0, seg, bus, devfn);
+ pdev = pci_get_pdev_by_domain(hardware_domain, seg, bus, devfn);
if ( !pdev )
{
rc = pci_get_pdev(seg, bus, devfn) ? -EBUSY : -ENODEV;
@@ -507,7 +507,7 @@ int deassign_device(struct domain *d, u16 seg, u8 bus, u8 devfn)
devfn += pdev->phantom_stride;
if ( PCI_SLOT(devfn) != PCI_SLOT(pdev->devfn) )
break;
- ret = hd->platform_ops->reassign_device(d, dom0, devfn, pdev);
+ ret = hd->platform_ops->reassign_device(d, hardware_domain, devfn, pdev);
if ( !ret )
continue;
@@ -517,7 +517,7 @@ int deassign_device(struct domain *d, u16 seg, u8 bus, u8 devfn)
}
devfn = pdev->devfn;
- ret = hd->platform_ops->reassign_device(d, dom0, devfn, pdev);
+ ret = hd->platform_ops->reassign_device(d, hardware_domain, devfn, pdev);
if ( ret )
{
dprintk(XENLOG_G_ERR,
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index dfa195a..fbc777c 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -569,7 +569,7 @@ int pci_add_device(u16 seg, u8 bus, u8 devfn, const struct pci_dev_info *info)
ret = 0;
if ( !pdev->domain )
{
- pdev->domain = dom0;
+ pdev->domain = hardware_domain;
ret = iommu_add_device(pdev);
if ( ret )
{
@@ -577,7 +577,7 @@ int pci_add_device(u16 seg, u8 bus, u8 devfn, const struct pci_dev_info *info)
goto out;
}
- list_add(&pdev->domain_list, &dom0->arch.pdev_list);
+ list_add(&pdev->domain_list, &hardware_domain->arch.pdev_list);
}
else
iommu_enable_device(pdev);
diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c
index d22d518..263448d 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1667,7 +1667,7 @@ static int reassign_device_ownership(
* can attempt to send arbitrary LAPIC/MSI messages. We are unprotected
* by the root complex unless interrupt remapping is enabled.
*/
- if ( (target != dom0) && !iommu_intremap )
+ if ( (target != hardware_domain) && !iommu_intremap )
untrusted_msi = 1;
ret = domain_context_unmap(source, devfn, pdev);
@@ -2270,7 +2270,7 @@ static int intel_iommu_assign_device(
if ( list_empty(&acpi_drhd_units) )
return -ENODEV;
- ret = reassign_device_ownership(dom0, d, devfn, pdev);
+ ret = reassign_device_ownership(hardware_domain, d, devfn, pdev);
if ( ret )
goto done;
diff --git a/xen/include/asm-arm/domain.h b/xen/include/asm-arm/domain.h
index 28c359a..ec66a4e 100644
--- a/xen/include/asm-arm/domain.h
+++ b/xen/include/asm-arm/domain.h
@@ -87,7 +87,7 @@ enum domain_type {
#endif
extern int dom0_11_mapping;
-#define is_domain_direct_mapped(d) ((d) == dom0 && dom0_11_mapping)
+#define is_domain_direct_mapped(d) ((d) == hardware_domain && dom0_11_mapping)
struct vtimer {
struct vcpu *v;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 466949f..146514d 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -43,8 +43,8 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t);
#define SCHED_STAT_CRANK(_X) (perfc_incr(_X))
-/* A global pointer to the initial domain (DOM0). */
-extern struct domain *dom0;
+/* A global pointer to the hardware domain (usually DOM0). */
+extern struct domain *hardware_domain;
#ifndef CONFIG_COMPAT
#define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 4/7] xen: rename dom0 to hardware_domain
2014-03-18 21:34 ` [PATCH 4/7] xen: rename dom0 to hardware_domain Daniel De Graaf
@ 2014-03-19 9:09 ` Jan Beulich
0 siblings, 0 replies; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 9:09 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Liu Jinsong, Ian Campbell, Christoph Egger, Tim Deegan,
xen-devel, Stefano Stabellini, Suravee Suthikulpanit,
Xiantao Zhang
>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> This should not change any functionality other than renaming the global
> variable. In a few cases (primarily the domain building code), a local
> variable named dom0 was created and used instead of the global to
> clarify that the domain being used in this case is actually domain 0.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Ian Campbell <ian.campbell@citrix.com>
> Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
> Cc: Tim Deegan <tim@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
with one minor remark below.
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -59,7 +59,7 @@ DEFINE_RCU_READ_LOCK(domlist_read_lock);
> static struct domain *domain_hash[DOMAIN_HASH_SIZE];
> struct domain *domain_list;
>
> -struct domain *dom0;
> +struct domain *hardware_domain;
I already saw that you do so in patch 6, but I think it would be more
logical to make this __read_mostly here right away rather than later
touching the same line again.
Jan
^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH 5/7] xen: rename various functions referencing dom0
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
` (3 preceding siblings ...)
2014-03-18 21:34 ` [PATCH 4/7] xen: rename dom0 to hardware_domain Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 9:13 ` Jan Beulich
2014-03-18 21:34 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
2014-03-18 21:34 ` [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed Daniel De Graaf
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel
Cc: Ian Campbell, Tim Deegan, Stefano Stabellini, Jan Beulich,
Daniel De Graaf, Suravee Suthikulpanit, Xiantao Zhang
Most of these functions actually act on the hardware domain, so change
their names to reflect this. For alloc_dom0_vcpu0 which actually
modifies dom0, avoid using the misleading hardware_domain global
variable as an implied argument.
Command line parameters and variables based on those parameters are
excluded since those changes would be user-visible, as are any public
headers.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
Cc: Tim Deegan <tim@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Xiantao Zhang <xiantao.zhang@intel.com>
---
xen/arch/arm/domain_build.c | 4 +---
xen/arch/arm/setup.c | 2 +-
xen/arch/x86/domain_build.c | 5 ++---
xen/arch/x86/hvm/i8254.c | 2 +-
xen/arch/x86/setup.c | 2 +-
xen/arch/x86/time.c | 2 +-
xen/common/domain.c | 2 +-
xen/common/keyhandler.c | 22 +++++++++++-----------
xen/common/shutdown.c | 2 +-
xen/drivers/passthrough/amd/pci_amd_iommu.c | 8 ++++----
xen/drivers/passthrough/iommu.c | 8 ++++----
xen/drivers/passthrough/pci.c | 18 +++++++++---------
xen/drivers/passthrough/vtd/iommu.c | 18 +++++++++---------
xen/drivers/passthrough/vtd/x86/vtd.c | 2 +-
xen/include/asm-x86/time.h | 2 +-
xen/include/xen/domain.h | 2 +-
xen/include/xen/iommu.h | 6 +++---
xen/include/xen/pci.h | 2 +-
xen/include/xen/shutdown.h | 2 +-
19 files changed, 54 insertions(+), 57 deletions(-)
diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index a293bf9..39844e5 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -50,10 +50,8 @@ custom_param("dom0_mem", parse_dom0_mem);
*/
#define DOM0_FDT_EXTRA_SIZE (128 + sizeof(struct fdt_reserve_entry))
-struct vcpu *__init alloc_dom0_vcpu0(void)
+struct vcpu *__init alloc_dom0_vcpu0(struct domain *dom0)
{
- struct domain *dom0 = hardware_domain;
-
if ( opt_dom0_max_vcpus == 0 )
opt_dom0_max_vcpus = num_online_cpus();
if ( opt_dom0_max_vcpus > MAX_VIRT_CPUS )
diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index f9e7d50..322fc13 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -759,7 +759,7 @@ void __init start_xen(unsigned long boot_phys_offset,
/* Create initial domain 0. */
hardware_domain = dom0 = domain_create(0, 0, 0);
- if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
+ if ( IS_ERR(dom0) || (alloc_dom0_vcpu0(dom0) == NULL) )
panic("Error creating domain 0");
dom0->is_privileged = 1;
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index e251d61..f75f6e7 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -100,10 +100,9 @@ static void __init parse_dom0_max_vcpus(const char *s)
}
custom_param("dom0_max_vcpus", parse_dom0_max_vcpus);
-struct vcpu *__init alloc_dom0_vcpu0(void)
+struct vcpu *__init alloc_dom0_vcpu0(struct domain *dom0)
{
unsigned max_vcpus;
- struct domain *dom0 = hardware_domain;
max_vcpus = num_cpupool_cpus(cpupool0);
if ( opt_dom0_max_vcpus_min > max_vcpus )
@@ -1151,7 +1150,7 @@ int __init construct_dom0(
printk(" Xen warning: dom0 kernel broken ELF: %s\n",
elf_check_broken(&elf));
- iommu_dom0_init(hardware_domain);
+ iommu_hwdom_init(hardware_domain);
return 0;
out:
diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
index 6a91f76..8907721 100644
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -540,7 +540,7 @@ int pv_pit_handler(int port, int data, int write)
.data = data
};
- if ( is_hardware_domain(current->domain) && dom0_pit_access(&ioreq) )
+ if ( is_hardware_domain(current->domain) && hwdom_pit_access(&ioreq) )
{
/* nothing to do */;
}
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index b4514c3..75cf212 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1340,7 +1340,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
/* Create initial domain 0. */
hardware_domain = dom0 = domain_create(0, DOMCRF_s3_integrity, 0);
- if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
+ if ( IS_ERR(dom0) || (alloc_dom0_vcpu0(dom0) == NULL) )
panic("Error creating domain 0");
dom0->is_privileged = 1;
diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
index 89308bd..07bceda 100644
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -1602,7 +1602,7 @@ int time_resume(void)
return 0;
}
-int dom0_pit_access(struct ioreq *ioreq)
+int hwdom_pit_access(struct ioreq *ioreq)
{
/* Is Xen using Channel 2? Then disallow direct dom0 access. */
if ( using_pit )
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 94890b7..c8414ed 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -595,7 +595,7 @@ void domain_shutdown(struct domain *d, u8 reason)
reason = d->shutdown_code;
if ( is_hardware_domain(d) )
- dom0_shutdown(reason);
+ hwdom_shutdown(reason);
if ( d->is_shutting_down )
{
diff --git a/xen/common/keyhandler.c b/xen/common/keyhandler.c
index 627ef99..5afcfef 100644
--- a/xen/common/keyhandler.c
+++ b/xen/common/keyhandler.c
@@ -148,9 +148,9 @@ static struct keyhandler dump_registers_keyhandler = {
.desc = "dump registers"
};
-static DECLARE_TASKLET(dump_dom0_tasklet, NULL, 0);
+static DECLARE_TASKLET(dump_hwdom_tasklet, NULL, 0);
-static void dump_dom0_action(unsigned long arg)
+static void dump_hwdom_action(unsigned long arg)
{
struct vcpu *v = (void *)arg;
@@ -161,14 +161,14 @@ static void dump_dom0_action(unsigned long arg)
break;
if ( softirq_pending(smp_processor_id()) )
{
- dump_dom0_tasklet.data = (unsigned long)v;
- tasklet_schedule_on_cpu(&dump_dom0_tasklet, v->processor);
+ dump_hwdom_tasklet.data = (unsigned long)v;
+ tasklet_schedule_on_cpu(&dump_hwdom_tasklet, v->processor);
break;
}
}
}
-static void dump_dom0_registers(unsigned char key)
+static void dump_hwdom_registers(unsigned char key)
{
struct vcpu *v;
@@ -181,19 +181,19 @@ static void dump_dom0_registers(unsigned char key)
{
if ( alt_key_handling && softirq_pending(smp_processor_id()) )
{
- tasklet_kill(&dump_dom0_tasklet);
- tasklet_init(&dump_dom0_tasklet, dump_dom0_action,
+ tasklet_kill(&dump_hwdom_tasklet);
+ tasklet_init(&dump_hwdom_tasklet, dump_hwdom_action,
(unsigned long)v);
- tasklet_schedule_on_cpu(&dump_dom0_tasklet, v->processor);
+ tasklet_schedule_on_cpu(&dump_hwdom_tasklet, v->processor);
return;
}
vcpu_show_execution_state(v);
}
}
-static struct keyhandler dump_dom0_registers_keyhandler = {
+static struct keyhandler dump_hwdom_registers_keyhandler = {
.diagnostic = 1,
- .u.fn = dump_dom0_registers,
+ .u.fn = dump_hwdom_registers,
.desc = "dump Dom0 registers"
};
@@ -543,7 +543,7 @@ void __init initialize_keytable(void)
register_keyhandler('r', &dump_runq_keyhandler);
register_keyhandler('R', &reboot_machine_keyhandler);
register_keyhandler('t', &read_clocks_keyhandler);
- register_keyhandler('0', &dump_dom0_registers_keyhandler);
+ register_keyhandler('0', &dump_hwdom_registers_keyhandler);
register_keyhandler('%', &do_debug_key_keyhandler);
register_keyhandler('*', &run_all_keyhandlers_keyhandler);
diff --git a/xen/common/shutdown.c b/xen/common/shutdown.c
index fadb69b..94d4c53 100644
--- a/xen/common/shutdown.c
+++ b/xen/common/shutdown.c
@@ -32,7 +32,7 @@ static void noreturn maybe_reboot(void)
}
}
-void dom0_shutdown(u8 reason)
+void hwdom_shutdown(u8 reason)
{
switch ( reason )
{
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c
index 031480f..366c750 100644
--- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
@@ -169,7 +169,7 @@ static void amd_iommu_setup_domain_device(
}
}
-static int __hwdom_init amd_iommu_setup_dom0_device(
+static int __hwdom_init amd_iommu_setup_hwdom_device(
u8 devfn, struct pci_dev *pdev)
{
int bdf = PCI_BDF2(pdev->bus, pdev->devfn);
@@ -281,7 +281,7 @@ static int amd_iommu_domain_init(struct domain *d)
return 0;
}
-static void __hwdom_init amd_iommu_dom0_init(struct domain *d)
+static void __hwdom_init amd_iommu_hwdom_init(struct domain *d)
{
unsigned long i;
@@ -305,7 +305,7 @@ static void __hwdom_init amd_iommu_dom0_init(struct domain *d)
}
}
- setup_dom0_pci_devices(d, amd_iommu_setup_dom0_device);
+ setup_hwdom_pci_devices(d, amd_iommu_setup_hwdom_device);
}
void amd_iommu_disable_domain_device(struct domain *domain,
@@ -603,7 +603,7 @@ static void amd_dump_p2m_table(struct domain *d)
const struct iommu_ops amd_iommu_ops = {
.init = amd_iommu_domain_init,
- .dom0_init = amd_iommu_dom0_init,
+ .hwdom_init = amd_iommu_hwdom_init,
.add_device = amd_iommu_add_device,
.remove_device = amd_iommu_remove_device,
.assign_device = amd_iommu_assign_device,
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index f561186..07604ed 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -130,7 +130,7 @@ int iommu_domain_init(struct domain *d)
return hd->platform_ops->init(d);
}
-static void __hwdom_init check_dom0_pvh_reqs(struct domain *d)
+static void __hwdom_init check_hwdom_pvh_reqs(struct domain *d)
{
if ( !iommu_enabled )
panic("Presently, iommu must be enabled for pvh dom0\n");
@@ -141,12 +141,12 @@ static void __hwdom_init check_dom0_pvh_reqs(struct domain *d)
iommu_dom0_strict = 1;
}
-void __hwdom_init iommu_dom0_init(struct domain *d)
+void __hwdom_init iommu_hwdom_init(struct domain *d)
{
struct hvm_iommu *hd = domain_hvm_iommu(d);
if ( is_pvh_domain(d) )
- check_dom0_pvh_reqs(d);
+ check_hwdom_pvh_reqs(d);
if ( !iommu_enabled )
return;
@@ -173,7 +173,7 @@ void __hwdom_init iommu_dom0_init(struct domain *d)
}
}
- return hd->platform_ops->dom0_init(d);
+ return hd->platform_ops->hwdom_init(d);
}
int iommu_add_device(struct pci_dev *pdev)
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index fbc777c..0794eaf 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -867,12 +867,12 @@ int __init scan_pci_devices(void)
return ret;
}
-struct setup_dom0 {
+struct setup_hwdom {
struct domain *d;
int (*handler)(u8 devfn, struct pci_dev *);
};
-static void setup_one_dom0_device(const struct setup_dom0 *ctxt,
+static void setup_one_hwdom_device(const struct setup_hwdom *ctxt,
struct pci_dev *pdev)
{
u8 devfn = pdev->devfn;
@@ -893,9 +893,9 @@ static void setup_one_dom0_device(const struct setup_dom0 *ctxt,
PCI_SLOT(devfn) == PCI_SLOT(pdev->devfn) );
}
-static int __hwdom_init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
+static int __hwdom_init _setup_hwdom_pci_devices(struct pci_seg *pseg, void *arg)
{
- struct setup_dom0 *ctxt = arg;
+ struct setup_hwdom *ctxt = arg;
int bus, devfn;
for ( bus = 0; bus < 256; bus++ )
@@ -911,12 +911,12 @@ static int __hwdom_init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
{
pdev->domain = ctxt->d;
list_add(&pdev->domain_list, &ctxt->d->arch.pdev_list);
- setup_one_dom0_device(ctxt, pdev);
+ setup_one_hwdom_device(ctxt, pdev);
}
else if ( pdev->domain == dom_xen )
{
pdev->domain = ctxt->d;
- setup_one_dom0_device(ctxt, pdev);
+ setup_one_hwdom_device(ctxt, pdev);
pdev->domain = dom_xen;
}
else if ( pdev->domain != ctxt->d )
@@ -943,13 +943,13 @@ static int __hwdom_init _setup_dom0_pci_devices(struct pci_seg *pseg, void *arg)
return 0;
}
-void __hwdom_init setup_dom0_pci_devices(
+void __hwdom_init setup_hwdom_pci_devices(
struct domain *d, int (*handler)(u8 devfn, struct pci_dev *))
{
- struct setup_dom0 ctxt = { .d = d, .handler = handler };
+ struct setup_hwdom ctxt = { .d = d, .handler = handler };
spin_lock(&pcidevs_lock);
- pci_segments_iterate(_setup_dom0_pci_devices, &ctxt);
+ pci_segments_iterate(_setup_hwdom_pci_devices, &ctxt);
spin_unlock(&pcidevs_lock);
}
diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c
index 263448d..abaa8c9 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -55,8 +55,8 @@ int nr_iommus;
static struct tasklet vtd_fault_tasklet;
-static int setup_dom0_device(u8 devfn, struct pci_dev *);
-static void setup_dom0_rmrr(struct domain *d);
+static int setup_hwdom_device(u8 devfn, struct pci_dev *);
+static void setup_hwdom_rmrr(struct domain *d);
static int domain_iommu_domid(struct domain *d,
struct iommu *iommu)
@@ -1242,18 +1242,18 @@ static int intel_iommu_domain_init(struct domain *d)
return 0;
}
-static void __hwdom_init intel_iommu_dom0_init(struct domain *d)
+static void __hwdom_init intel_iommu_hwdom_init(struct domain *d)
{
struct acpi_drhd_unit *drhd;
if ( !iommu_passthrough && !need_iommu(d) )
{
/* Set up 1:1 page table for dom0 */
- iommu_set_dom0_mapping(d);
+ iommu_set_hwdom_mapping(d);
}
- setup_dom0_pci_devices(d, setup_dom0_device);
- setup_dom0_rmrr(d);
+ setup_hwdom_pci_devices(d, setup_hwdom_device);
+ setup_hwdom_rmrr(d);
iommu_flush_all();
@@ -1992,7 +1992,7 @@ static int intel_iommu_remove_device(u8 devfn, struct pci_dev *pdev)
return domain_context_unmap(pdev->domain, devfn, pdev);
}
-static int __hwdom_init setup_dom0_device(u8 devfn, struct pci_dev *pdev)
+static int __hwdom_init setup_hwdom_device(u8 devfn, struct pci_dev *pdev)
{
int err;
@@ -2140,7 +2140,7 @@ static int init_vtd_hw(void)
return 0;
}
-static void __hwdom_init setup_dom0_rmrr(struct domain *d)
+static void __hwdom_init setup_hwdom_rmrr(struct domain *d)
{
struct acpi_rmrr_unit *rmrr;
u16 bdf;
@@ -2464,7 +2464,7 @@ static void vtd_dump_p2m_table(struct domain *d)
const struct iommu_ops intel_iommu_ops = {
.init = intel_iommu_domain_init,
- .dom0_init = intel_iommu_dom0_init,
+ .hwdom_init = intel_iommu_hwdom_init,
.add_device = intel_iommu_add_device,
.enable_device = intel_iommu_enable_device,
.remove_device = intel_iommu_remove_device,
diff --git a/xen/drivers/passthrough/vtd/x86/vtd.c b/xen/drivers/passthrough/vtd/x86/vtd.c
index 2a33b38..1e30c23 100644
--- a/xen/drivers/passthrough/vtd/x86/vtd.c
+++ b/xen/drivers/passthrough/vtd/x86/vtd.c
@@ -107,7 +107,7 @@ void hvm_dpci_isairq_eoi(struct domain *d, unsigned int isairq)
spin_unlock(&d->event_lock);
}
-void __hwdom_init iommu_set_dom0_mapping(struct domain *d)
+void __hwdom_init iommu_set_hwdom_mapping(struct domain *d)
{
unsigned long i, j, tmp, top;
diff --git a/xen/include/asm-x86/time.h b/xen/include/asm-x86/time.h
index c01b0a2..0631baa 100644
--- a/xen/include/asm-x86/time.h
+++ b/xen/include/asm-x86/time.h
@@ -44,7 +44,7 @@ int time_resume(void);
void init_percpu_time(void);
struct ioreq;
-int dom0_pit_access(struct ioreq *ioreq);
+int hwdom_pit_access(struct ioreq *ioreq);
int cpu_frequency_change(u64 freq);
diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h
index a057069..bb1c398 100644
--- a/xen/include/xen/domain.h
+++ b/xen/include/xen/domain.h
@@ -12,7 +12,7 @@ typedef union {
struct vcpu *alloc_vcpu(
struct domain *d, unsigned int vcpu_id, unsigned int cpu_id);
-struct vcpu *alloc_dom0_vcpu0(void);
+struct vcpu *alloc_dom0_vcpu0(struct domain *dom0);
int vcpu_reset(struct vcpu *);
struct xen_domctl_getdomaininfo;
diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h
index 4f534ed..f8da9f2 100644
--- a/xen/include/xen/iommu.h
+++ b/xen/include/xen/iommu.h
@@ -55,7 +55,7 @@ int iommu_add_device(struct pci_dev *pdev);
int iommu_enable_device(struct pci_dev *pdev);
int iommu_remove_device(struct pci_dev *pdev);
int iommu_domain_init(struct domain *d);
-void iommu_dom0_init(struct domain *d);
+void iommu_hwdom_init(struct domain *d);
void iommu_domain_destroy(struct domain *d);
int deassign_device(struct domain *d, u16 seg, u8 bus, u8 devfn);
@@ -90,7 +90,7 @@ struct page_info;
struct iommu_ops {
int (*init)(struct domain *d);
- void (*dom0_init)(struct domain *d);
+ void (*hwdom_init)(struct domain *d);
int (*add_device)(u8 devfn, struct pci_dev *);
int (*enable_device)(struct pci_dev *pdev);
int (*remove_device)(u8 devfn, struct pci_dev *);
@@ -127,7 +127,7 @@ void iommu_suspend(void);
void iommu_resume(void);
void iommu_crash_shutdown(void);
-void iommu_set_dom0_mapping(struct domain *d);
+void iommu_set_hwdom_mapping(struct domain *d);
void iommu_share_p2m_table(struct domain *d);
int iommu_do_domctl(struct xen_domctl *, struct domain *d,
diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h
index cadb525..edafa20 100644
--- a/xen/include/xen/pci.h
+++ b/xen/include/xen/pci.h
@@ -97,7 +97,7 @@ struct pci_dev *pci_lock_pdev(int seg, int bus, int devfn);
struct pci_dev *pci_lock_domain_pdev(
struct domain *, int seg, int bus, int devfn);
-void setup_dom0_pci_devices(struct domain *,
+void setup_hwdom_pci_devices(struct domain *,
int (*)(u8 devfn, struct pci_dev *));
void pci_release_devices(struct domain *d);
int pci_add_segment(u16 seg);
diff --git a/xen/include/xen/shutdown.h b/xen/include/xen/shutdown.h
index a00bfef..b3f7e30 100644
--- a/xen/include/xen/shutdown.h
+++ b/xen/include/xen/shutdown.h
@@ -6,7 +6,7 @@
/* opt_noreboot: If true, machine will need manual reset on error. */
extern bool_t opt_noreboot;
-void noreturn dom0_shutdown(u8 reason);
+void noreturn hwdom_shutdown(u8 reason);
void noreturn machine_restart(unsigned int delay_millisecs);
void noreturn machine_halt(void);
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 5/7] xen: rename various functions referencing dom0
2014-03-18 21:34 ` [PATCH 5/7] xen: rename various functions referencing dom0 Daniel De Graaf
@ 2014-03-19 9:13 ` Jan Beulich
2014-03-19 15:25 ` Daniel De Graaf
0 siblings, 1 reply; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 9:13 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Ian Campbell, Tim Deegan, xen-devel, Stefano Stabellini,
Suravee Suthikulpanit, Xiantao Zhang
>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> --- a/xen/arch/arm/domain_build.c
> +++ b/xen/arch/arm/domain_build.c
> @@ -50,10 +50,8 @@ custom_param("dom0_mem", parse_dom0_mem);
> */
> #define DOM0_FDT_EXTRA_SIZE (128 + sizeof(struct fdt_reserve_entry))
>
> -struct vcpu *__init alloc_dom0_vcpu0(void)
> +struct vcpu *__init alloc_dom0_vcpu0(struct domain *dom0)
> {
> - struct domain *dom0 = hardware_domain;
> -
> if ( opt_dom0_max_vcpus == 0 )
> opt_dom0_max_vcpus = num_online_cpus();
> if ( opt_dom0_max_vcpus > MAX_VIRT_CPUS )
> --- a/xen/arch/arm/setup.c
> +++ b/xen/arch/arm/setup.c
> @@ -759,7 +759,7 @@ void __init start_xen(unsigned long boot_phys_offset,
>
> /* Create initial domain 0. */
> hardware_domain = dom0 = domain_create(0, 0, 0);
> - if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
> + if ( IS_ERR(dom0) || (alloc_dom0_vcpu0(dom0) == NULL) )
Any reason why a change like this can't be done right away in the
earlier patch introducing the local "dom0" variables, reducing the
overall churn?
Jan
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [PATCH 5/7] xen: rename various functions referencing dom0
2014-03-19 9:13 ` Jan Beulich
@ 2014-03-19 15:25 ` Daniel De Graaf
2014-03-19 15:32 ` Jan Beulich
0 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-19 15:25 UTC (permalink / raw)
To: Jan Beulich
Cc: Ian Campbell, Tim Deegan, xen-devel, Stefano Stabellini,
Suravee Suthikulpanit, Xiantao Zhang
On 03/19/2014 05:13 AM, Jan Beulich wrote:
>>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>> --- a/xen/arch/arm/domain_build.c
>> +++ b/xen/arch/arm/domain_build.c
>> @@ -50,10 +50,8 @@ custom_param("dom0_mem", parse_dom0_mem);
>> */
>> #define DOM0_FDT_EXTRA_SIZE (128 + sizeof(struct fdt_reserve_entry))
>>
>> -struct vcpu *__init alloc_dom0_vcpu0(void)
>> +struct vcpu *__init alloc_dom0_vcpu0(struct domain *dom0)
>> {
>> - struct domain *dom0 = hardware_domain;
>> -
>> if ( opt_dom0_max_vcpus == 0 )
>> opt_dom0_max_vcpus = num_online_cpus();
>> if ( opt_dom0_max_vcpus > MAX_VIRT_CPUS )
>> --- a/xen/arch/arm/setup.c
>> +++ b/xen/arch/arm/setup.c
>> @@ -759,7 +759,7 @@ void __init start_xen(unsigned long boot_phys_offset,
>>
>> /* Create initial domain 0. */
>> hardware_domain = dom0 = domain_create(0, 0, 0);
>> - if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
>> + if ( IS_ERR(dom0) || (alloc_dom0_vcpu0(dom0) == NULL) )
>
> Any reason why a change like this can't be done right away in the
> earlier patch introducing the local "dom0" variables, reducing the
> overall churn?
>
> Jan
I was trying to restrict the earlier patch to just variable renames,
with this patch covering function names (and prototypes). I could move
this change back, or just merge the patches if "rename dom0->hwdom"
does not end up being an overly large patch.
--
Daniel De Graaf
National Security Agency
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [PATCH 5/7] xen: rename various functions referencing dom0
2014-03-19 15:25 ` Daniel De Graaf
@ 2014-03-19 15:32 ` Jan Beulich
0 siblings, 0 replies; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 15:32 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Ian Campbell, Tim Deegan, xen-devel, Stefano Stabellini,
Suravee Suthikulpanit, Xiantao Zhang
>>> On 19.03.14 at 16:25, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> On 03/19/2014 05:13 AM, Jan Beulich wrote:
>>>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>>> --- a/xen/arch/arm/domain_build.c
>>> +++ b/xen/arch/arm/domain_build.c
>>> @@ -50,10 +50,8 @@ custom_param("dom0_mem", parse_dom0_mem);
>>> */
>>> #define DOM0_FDT_EXTRA_SIZE (128 + sizeof(struct fdt_reserve_entry))
>>>
>>> -struct vcpu *__init alloc_dom0_vcpu0(void)
>>> +struct vcpu *__init alloc_dom0_vcpu0(struct domain *dom0)
>>> {
>>> - struct domain *dom0 = hardware_domain;
>>> -
>>> if ( opt_dom0_max_vcpus == 0 )
>>> opt_dom0_max_vcpus = num_online_cpus();
>>> if ( opt_dom0_max_vcpus > MAX_VIRT_CPUS )
>>> --- a/xen/arch/arm/setup.c
>>> +++ b/xen/arch/arm/setup.c
>>> @@ -759,7 +759,7 @@ void __init start_xen(unsigned long boot_phys_offset,
>>>
>>> /* Create initial domain 0. */
>>> hardware_domain = dom0 = domain_create(0, 0, 0);
>>> - if ( IS_ERR(dom0) || (alloc_dom0_vcpu0() == NULL) )
>>> + if ( IS_ERR(dom0) || (alloc_dom0_vcpu0(dom0) == NULL) )
>>
>> Any reason why a change like this can't be done right away in the
>> earlier patch introducing the local "dom0" variables, reducing the
>> overall churn?
>
> I was trying to restrict the earlier patch to just variable renames,
> with this patch covering function names (and prototypes). I could move
> this change back, or just merge the patches if "rename dom0->hwdom"
> does not end up being an overly large patch.
I'd suggest keeping them separate, but avoid the second one
re-writing what the first one touched already, i.e. move over
just this kind of change.
Jan
^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH 6/7] xen: Allow hardare domain != dom0
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
` (4 preceding siblings ...)
2014-03-18 21:34 ` [PATCH 5/7] xen: rename various functions referencing dom0 Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 9:15 ` Jan Beulich
2014-03-18 21:34 ` [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed Daniel De Graaf
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Keir Fraser, Jan Beulich
This adds a hypervisor command line option "hardware_dom=" which takes a
domain ID. When the domain with this ID is created, it will be used
as the hardware domain.
This is intended to be used when domain 0 is a dedicated stub domain for
domain building, allowing the hardware domain to be de-privileged and
act only as a driver domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/domain_build.c | 4 +++-
xen/arch/x86/setup.c | 2 ++
xen/common/domain.c | 3 ++-
xen/common/domctl.c | 40 +++++++++++++++++++++++++++++++++++++
xen/common/rangeset.c | 40 +++++++++++++++++++++++++++++++++++++
xen/include/xen/rangeset.h | 3 +++
xen/include/xen/sched.h | 3 ++-
xen/include/xsm/dummy.h | 6 ++++++
xen/include/xsm/xsm.h | 6 ++++++
xen/xsm/dummy.c | 2 ++
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 2 ++
12 files changed, 114 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index f75f6e7..a554d3b 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1150,7 +1150,9 @@ int __init construct_dom0(
printk(" Xen warning: dom0 kernel broken ELF: %s\n",
elf_check_broken(&elf));
- iommu_hwdom_init(hardware_domain);
+ if ( is_hardware_domain(d) )
+ iommu_hwdom_init(d);
+
return 0;
out:
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 75cf212..f246ac3 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -84,6 +84,8 @@ unsigned long __initdata highmem_start;
size_param("highmem-start", highmem_start);
#endif
+integer_param("hardware_dom", hardware_domid);
+
cpumask_t __read_mostly cpu_present_map;
unsigned long __read_mostly xen_phys_start;
diff --git a/xen/common/domain.c b/xen/common/domain.c
index c8414ed..a77f8af 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -59,7 +59,8 @@ DEFINE_RCU_READ_LOCK(domlist_read_lock);
static struct domain *domain_hash[DOMAIN_HASH_SIZE];
struct domain *domain_list;
-struct domain *hardware_domain;
+struct domain *hardware_domain __read_mostly;
+domid_t hardware_domid __read_mostly;
struct vcpu *idle_vcpu[NR_CPUS] __read_mostly;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index eebeee7..9af24bf 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -472,6 +472,46 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
break;
}
+ /*
+ * Late initialization of the hardware domain is only supported on x86,
+ * so only check for it there.
+ */
+#ifdef LATE_HWDOM_ENABLE
+ if ( is_hardware_domain(d) )
+ {
+ struct domain *dom0 = hardware_domain;
+ ASSERT(dom0->domain_id == 0);
+
+ ret = xsm_init_hardware_domain(XSM_HOOK, d);
+ if ( ret )
+ {
+ domain_kill(d);
+ d = NULL;
+ break;
+ }
+
+ printk("Initialising hardware domain %d\n", hardware_domid);
+ hardware_domain = d;
+
+ /* Hardware resource ranges for domain 0 have been set up from
+ * various sources intended to restrict the hardware domain's
+ * access. Apply these ranges to the actual hardware domain.
+ *
+ * Because the lists are being swapped, a side effect of this
+ * operation is that Domain 0's rangesets are cleared. Since domain
+ * 0 should not be accessing the hardware when it constructs a
+ * hardware domain, this should not be a problem. Both lists should
+ * be modified after this hypercall returns if a more complex
+ * device model is desired.
+ */
+ rangeset_swap(d->irq_caps, dom0->irq_caps);
+ rangeset_swap(d->iomem_caps, dom0->iomem_caps);
+ rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps);
+
+ iommu_hwdom_init(d);
+ }
+#endif
+
ret = 0;
memcpy(d->handle, op->u.createdomain.handle,
diff --git a/xen/common/rangeset.c b/xen/common/rangeset.c
index f09c0c4..52fae1f 100644
--- a/xen/common/rangeset.c
+++ b/xen/common/rangeset.c
@@ -438,3 +438,43 @@ void rangeset_domain_printk(
spin_unlock(&d->rangesets_lock);
}
+
+void rangeset_swap(struct rangeset *a, struct rangeset *b)
+{
+ struct list_head tmp;
+ if ( &a < &b )
+ {
+ spin_lock(&a->lock);
+ spin_lock(&b->lock);
+ }
+ else
+ {
+ spin_lock(&b->lock);
+ spin_lock(&a->lock);
+ }
+ memcpy(&tmp, &a->range_list, sizeof(tmp));
+ memcpy(&a->range_list, &b->range_list, sizeof(tmp));
+ memcpy(&b->range_list, &tmp, sizeof(tmp));
+ if ( a->range_list.next == &b->range_list )
+ {
+ a->range_list.next = &a->range_list;
+ a->range_list.prev = &a->range_list;
+ }
+ else
+ {
+ a->range_list.next->prev = &a->range_list;
+ a->range_list.prev->next = &a->range_list;
+ }
+ if ( b->range_list.next == &a->range_list )
+ {
+ b->range_list.next = &b->range_list;
+ b->range_list.prev = &b->range_list;
+ }
+ else
+ {
+ b->range_list.next->prev = &b->range_list;
+ b->range_list.prev->next = &b->range_list;
+ }
+ spin_unlock(&a->lock);
+ spin_unlock(&b->lock);
+}
diff --git a/xen/include/xen/rangeset.h b/xen/include/xen/rangeset.h
index 1e16a6b..805ebde 100644
--- a/xen/include/xen/rangeset.h
+++ b/xen/include/xen/rangeset.h
@@ -73,4 +73,7 @@ void rangeset_printk(
void rangeset_domain_printk(
struct domain *d);
+/* swap contents */
+void rangeset_swap(struct rangeset *a, struct rangeset *b);
+
#endif /* __XEN_RANGESET_H__ */
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 146514d..ce37c77 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -45,6 +45,7 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t);
/* A global pointer to the hardware domain (usually DOM0). */
extern struct domain *hardware_domain;
+extern domid_t hardware_domid;
#ifndef CONFIG_COMPAT
#define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG
@@ -778,7 +779,7 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain(d) ((d)->domain_id == hardware_domid)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 3bcd941..180cc88 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -305,6 +305,12 @@ static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct
return NULL;
}
+static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_HOOK);
+ return xsm_default_action(action, current->domain, d);
+}
+
static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index de9cf86..6ab9ed1 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -83,6 +83,7 @@ struct xsm_operations {
int (*alloc_security_evtchn) (struct evtchn *chn);
void (*free_security_evtchn) (struct evtchn *chn);
char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
+ int (*init_hardware_domain) (struct domain *d);
int (*get_pod_target) (struct domain *d);
int (*set_pod_target) (struct domain *d);
@@ -314,6 +315,11 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt
return xsm_ops->show_security_evtchn(d, chn);
}
+static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->init_hardware_domain(d);
+}
+
static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
{
return xsm_ops->get_pod_target(d);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 3fe4c59..689af3d 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -59,6 +59,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, alloc_security_evtchn);
set_to_dummy_if_null(ops, free_security_evtchn);
set_to_dummy_if_null(ops, show_security_evtchn);
+ set_to_dummy_if_null(ops, init_hardware_domain);
+
set_to_dummy_if_null(ops, get_pod_target);
set_to_dummy_if_null(ops, set_pod_target);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 96276ac..5b906d6 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -344,6 +344,11 @@ static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *c
return ctx;
}
+static int flask_init_hardware_domain(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CREATE_HARDWARE_DOMAIN);
+}
+
static int flask_grant_mapref(struct domain *d1, struct domain *d2,
uint32_t flags)
{
@@ -1491,6 +1496,7 @@ static struct xsm_operations flask_ops = {
.alloc_security_evtchn = flask_alloc_security_evtchn,
.free_security_evtchn = flask_free_security_evtchn,
.show_security_evtchn = flask_show_security_evtchn,
+ .init_hardware_domain = flask_init_hardware_domain,
.get_pod_target = flask_get_pod_target,
.set_pod_target = flask_set_pod_target,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index a0ed13d..32371a9 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -198,6 +198,8 @@ class domain2
set_max_evtchn
# XEN_DOMCTL_cacheflush
cacheflush
+# Creation of the hardware domain when it is not dom0
+ create_hardware_domain
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 6/7] xen: Allow hardare domain != dom0
2014-03-18 21:34 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
@ 2014-03-19 9:15 ` Jan Beulich
0 siblings, 0 replies; 26+ messages in thread
From: Jan Beulich @ 2014-03-19 9:15 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Keir Fraser, xen-devel
>>> On 18.03.14 at 22:34, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> This adds a hypervisor command line option "hardware_dom=" which takes a
> domain ID. When the domain with this ID is created, it will be used
> as the hardware domain.
>
> This is intended to be used when domain 0 is a dedicated stub domain for
> domain building, allowing the hardware domain to be de-privileged and
> act only as a driver domain.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Keir Fraser <keir@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
(assuming the LATE_HWDOM_ENABLE -> CONFIG_LATE_HWDOM
will get done)
> ---
> xen/arch/x86/domain_build.c | 4 +++-
> xen/arch/x86/setup.c | 2 ++
> xen/common/domain.c | 3 ++-
> xen/common/domctl.c | 40 +++++++++++++++++++++++++++++++++++++
> xen/common/rangeset.c | 40 +++++++++++++++++++++++++++++++++++++
> xen/include/xen/rangeset.h | 3 +++
> xen/include/xen/sched.h | 3 ++-
> xen/include/xsm/dummy.h | 6 ++++++
> xen/include/xsm/xsm.h | 6 ++++++
> xen/xsm/dummy.c | 2 ++
> xen/xsm/flask/hooks.c | 6 ++++++
> xen/xsm/flask/policy/access_vectors | 2 ++
> 12 files changed, 114 insertions(+), 3 deletions(-)
>
> diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
> index f75f6e7..a554d3b 100644
> --- a/xen/arch/x86/domain_build.c
> +++ b/xen/arch/x86/domain_build.c
> @@ -1150,7 +1150,9 @@ int __init construct_dom0(
> printk(" Xen warning: dom0 kernel broken ELF: %s\n",
> elf_check_broken(&elf));
>
> - iommu_hwdom_init(hardware_domain);
> + if ( is_hardware_domain(d) )
> + iommu_hwdom_init(d);
> +
> return 0;
>
> out:
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 75cf212..f246ac3 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -84,6 +84,8 @@ unsigned long __initdata highmem_start;
> size_param("highmem-start", highmem_start);
> #endif
>
> +integer_param("hardware_dom", hardware_domid);
> +
> cpumask_t __read_mostly cpu_present_map;
>
> unsigned long __read_mostly xen_phys_start;
> diff --git a/xen/common/domain.c b/xen/common/domain.c
> index c8414ed..a77f8af 100644
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -59,7 +59,8 @@ DEFINE_RCU_READ_LOCK(domlist_read_lock);
> static struct domain *domain_hash[DOMAIN_HASH_SIZE];
> struct domain *domain_list;
>
> -struct domain *hardware_domain;
> +struct domain *hardware_domain __read_mostly;
> +domid_t hardware_domid __read_mostly;
>
> struct vcpu *idle_vcpu[NR_CPUS] __read_mostly;
>
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index eebeee7..9af24bf 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -472,6 +472,46 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
> u_domctl)
> break;
> }
>
> + /*
> + * Late initialization of the hardware domain is only supported on
> x86,
> + * so only check for it there.
> + */
> +#ifdef LATE_HWDOM_ENABLE
> + if ( is_hardware_domain(d) )
> + {
> + struct domain *dom0 = hardware_domain;
> + ASSERT(dom0->domain_id == 0);
> +
> + ret = xsm_init_hardware_domain(XSM_HOOK, d);
> + if ( ret )
> + {
> + domain_kill(d);
> + d = NULL;
> + break;
> + }
> +
> + printk("Initialising hardware domain %d\n", hardware_domid);
> + hardware_domain = d;
> +
> + /* Hardware resource ranges for domain 0 have been set up from
> + * various sources intended to restrict the hardware domain's
> + * access. Apply these ranges to the actual hardware domain.
> + *
> + * Because the lists are being swapped, a side effect of this
> + * operation is that Domain 0's rangesets are cleared. Since
> domain
> + * 0 should not be accessing the hardware when it constructs a
> + * hardware domain, this should not be a problem. Both lists
> should
> + * be modified after this hypercall returns if a more complex
> + * device model is desired.
> + */
> + rangeset_swap(d->irq_caps, dom0->irq_caps);
> + rangeset_swap(d->iomem_caps, dom0->iomem_caps);
> + rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps);
> +
> + iommu_hwdom_init(d);
> + }
> +#endif
> +
> ret = 0;
>
> memcpy(d->handle, op->u.createdomain.handle,
> diff --git a/xen/common/rangeset.c b/xen/common/rangeset.c
> index f09c0c4..52fae1f 100644
> --- a/xen/common/rangeset.c
> +++ b/xen/common/rangeset.c
> @@ -438,3 +438,43 @@ void rangeset_domain_printk(
>
> spin_unlock(&d->rangesets_lock);
> }
> +
> +void rangeset_swap(struct rangeset *a, struct rangeset *b)
> +{
> + struct list_head tmp;
> + if ( &a < &b )
> + {
> + spin_lock(&a->lock);
> + spin_lock(&b->lock);
> + }
> + else
> + {
> + spin_lock(&b->lock);
> + spin_lock(&a->lock);
> + }
> + memcpy(&tmp, &a->range_list, sizeof(tmp));
> + memcpy(&a->range_list, &b->range_list, sizeof(tmp));
> + memcpy(&b->range_list, &tmp, sizeof(tmp));
> + if ( a->range_list.next == &b->range_list )
> + {
> + a->range_list.next = &a->range_list;
> + a->range_list.prev = &a->range_list;
> + }
> + else
> + {
> + a->range_list.next->prev = &a->range_list;
> + a->range_list.prev->next = &a->range_list;
> + }
> + if ( b->range_list.next == &a->range_list )
> + {
> + b->range_list.next = &b->range_list;
> + b->range_list.prev = &b->range_list;
> + }
> + else
> + {
> + b->range_list.next->prev = &b->range_list;
> + b->range_list.prev->next = &b->range_list;
> + }
> + spin_unlock(&a->lock);
> + spin_unlock(&b->lock);
> +}
> diff --git a/xen/include/xen/rangeset.h b/xen/include/xen/rangeset.h
> index 1e16a6b..805ebde 100644
> --- a/xen/include/xen/rangeset.h
> +++ b/xen/include/xen/rangeset.h
> @@ -73,4 +73,7 @@ void rangeset_printk(
> void rangeset_domain_printk(
> struct domain *d);
>
> +/* swap contents */
> +void rangeset_swap(struct rangeset *a, struct rangeset *b);
> +
> #endif /* __XEN_RANGESET_H__ */
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index 146514d..ce37c77 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -45,6 +45,7 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t);
>
> /* A global pointer to the hardware domain (usually DOM0). */
> extern struct domain *hardware_domain;
> +extern domid_t hardware_domid;
>
> #ifndef CONFIG_COMPAT
> #define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG
> @@ -778,7 +779,7 @@ void watchdog_domain_destroy(struct domain *d);
> * (that is, this would not be suitable for a driver domain)
> * - There is never a reason to deny dom0 access to this
> */
> -#define is_hardware_domain(_d) ((_d)->domain_id == 0)
> +#define is_hardware_domain(d) ((d)->domain_id == hardware_domid)
>
> /* This check is for functionality specific to a control domain */
> #define is_control_domain(_d) ((_d)->is_privileged)
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 3bcd941..180cc88 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -305,6 +305,12 @@ static XSM_INLINE char *xsm_show_security_evtchn(struct
> domain *d, const struct
> return NULL;
> }
>
> +static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct
> domain *d)
> +{
> + XSM_ASSERT_ACTION(XSM_HOOK);
> + return xsm_default_action(action, current->domain, d);
> +}
> +
> static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
> {
> XSM_ASSERT_ACTION(XSM_PRIV);
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index de9cf86..6ab9ed1 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -83,6 +83,7 @@ struct xsm_operations {
> int (*alloc_security_evtchn) (struct evtchn *chn);
> void (*free_security_evtchn) (struct evtchn *chn);
> char *(*show_security_evtchn) (struct domain *d, const struct evtchn
> *chn);
> + int (*init_hardware_domain) (struct domain *d);
>
> int (*get_pod_target) (struct domain *d);
> int (*set_pod_target) (struct domain *d);
> @@ -314,6 +315,11 @@ static inline char *xsm_show_security_evtchn (struct
> domain *d, const struct evt
> return xsm_ops->show_security_evtchn(d, chn);
> }
>
> +static inline int xsm_init_hardware_domain (xsm_default_t def, struct
> domain *d)
> +{
> + return xsm_ops->init_hardware_domain(d);
> +}
> +
> static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
> {
> return xsm_ops->get_pod_target(d);
> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
> index 3fe4c59..689af3d 100644
> --- a/xen/xsm/dummy.c
> +++ b/xen/xsm/dummy.c
> @@ -59,6 +59,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, alloc_security_evtchn);
> set_to_dummy_if_null(ops, free_security_evtchn);
> set_to_dummy_if_null(ops, show_security_evtchn);
> + set_to_dummy_if_null(ops, init_hardware_domain);
> +
> set_to_dummy_if_null(ops, get_pod_target);
> set_to_dummy_if_null(ops, set_pod_target);
>
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 96276ac..5b906d6 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -344,6 +344,11 @@ static char *flask_show_security_evtchn(struct domain
> *d, const struct evtchn *c
> return ctx;
> }
>
> +static int flask_init_hardware_domain(struct domain *d)
> +{
> + return current_has_perm(d, SECCLASS_DOMAIN2,
> DOMAIN2__CREATE_HARDWARE_DOMAIN);
> +}
> +
> static int flask_grant_mapref(struct domain *d1, struct domain *d2,
> uint32_t flags)
> {
> @@ -1491,6 +1496,7 @@ static struct xsm_operations flask_ops = {
> .alloc_security_evtchn = flask_alloc_security_evtchn,
> .free_security_evtchn = flask_free_security_evtchn,
> .show_security_evtchn = flask_show_security_evtchn,
> + .init_hardware_domain = flask_init_hardware_domain,
>
> .get_pod_target = flask_get_pod_target,
> .set_pod_target = flask_set_pod_target,
> diff --git a/xen/xsm/flask/policy/access_vectors
> b/xen/xsm/flask/policy/access_vectors
> index a0ed13d..32371a9 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -198,6 +198,8 @@ class domain2
> set_max_evtchn
> # XEN_DOMCTL_cacheflush
> cacheflush
> +# Creation of the hardware domain when it is not dom0
> + create_hardware_domain
> }
>
> # Similar to class domain, but primarily contains domctls related to HVM
> domains
> --
> 1.8.5.3
^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed
2014-03-18 21:34 [PATCH v2 0/7] xen: Hardware domain support Daniel De Graaf
` (5 preceding siblings ...)
2014-03-18 21:34 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
@ 2014-03-18 21:34 ` Daniel De Graaf
2014-03-19 11:02 ` Ian Campbell
6 siblings, 1 reply; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-18 21:34 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Ian Jackson, Ian Campbell, Stefano Stabellini
When dom0 is not the hardware domain, it can be destroyed in the same
way as any other service domain. To avoid accidental use when a domain
is not resolved, destroying domain 0 requires passing -f to xl destroy.
Since the hypervisor already prevents a domain from destroying itself,
this patch is only useful in a disaggregated environment.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
---
tools/libxl/xl_cmdimpl.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index 6b1ebfa..54dea5c 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -3076,12 +3076,13 @@ static void unpause_domain(uint32_t domid)
libxl_domain_unpause(ctx, domid);
}
-static void destroy_domain(uint32_t domid)
+static void destroy_domain(uint32_t domid, int force)
{
int rc;
- if (domid == 0) {
- fprintf(stderr, "Cannot destroy privileged domain 0.\n\n");
+ if (domid == 0 && !force) {
+ fprintf(stderr, "Destroying domain 0 is only supported in a"
+ " disaggregated environment and requires the -f flag.\n\n");
exit(-1);
}
rc = libxl_domain_destroy(ctx, domid, 0);
@@ -4166,12 +4167,15 @@ int main_unpause(int argc, char **argv)
int main_destroy(int argc, char **argv)
{
int opt;
+ int force = 0;
- SWITCH_FOREACH_OPT(opt, "", NULL, "destroy", 1) {
- /* No options */
+ SWITCH_FOREACH_OPT(opt, "f", NULL, "destroy", 1) {
+ case 'f':
+ force = 1;
+ break;
}
- destroy_domain(find_domain(argv[optind]));
+ destroy_domain(find_domain(argv[optind]), force);
return 0;
}
--
1.8.5.3
^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed
2014-03-18 21:34 ` [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed Daniel De Graaf
@ 2014-03-19 11:02 ` Ian Campbell
2014-03-19 15:12 ` Daniel De Graaf
0 siblings, 1 reply; 26+ messages in thread
From: Ian Campbell @ 2014-03-19 11:02 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Stefano Stabellini, Ian Jackson, xen-devel
On Tue, 2014-03-18 at 17:34 -0400, Daniel De Graaf wrote:
> @@ -3076,12 +3076,13 @@ static void unpause_domain(uint32_t domid)
> libxl_domain_unpause(ctx, domid);
> }
>
> -static void destroy_domain(uint32_t domid)
> +static void destroy_domain(uint32_t domid, int force)
> {
> int rc;
>
> - if (domid == 0) {
> - fprintf(stderr, "Cannot destroy privileged domain 0.\n\n");
> + if (domid == 0 && !force) {
> + fprintf(stderr, "Destroying domain 0 is only supported in a"
> + " disaggregated environment and requires the -f flag.\n\n");
>From a user point of view perhaps this would be clearer if worded
something like:
Not destroying domain 0, use -f to force.
Is the error message on attempted self destruction informative? If not
then append "This can only be done from another domain, e.g. a
disaggregated toolstack domain".
Last random thought: Does this code know or have the potential to know
which domain it is running in?
All of this info should also be added to the man page and the help text
in xl_cmdtable.c needs to have the -f added to it.
> exit(-1);
> }
> rc = libxl_domain_destroy(ctx, domid, 0);
> @@ -4166,12 +4167,15 @@ int main_unpause(int argc, char **argv)
> int main_destroy(int argc, char **argv)
> {
> int opt;
> + int force = 0;
>
> - SWITCH_FOREACH_OPT(opt, "", NULL, "destroy", 1) {
> - /* No options */
> + SWITCH_FOREACH_OPT(opt, "f", NULL, "destroy", 1) {
> + case 'f':
> + force = 1;
> + break;
> }
>
> - destroy_domain(find_domain(argv[optind]));
> + destroy_domain(find_domain(argv[optind]), force);
> return 0;
> }
>
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed
2014-03-19 11:02 ` Ian Campbell
@ 2014-03-19 15:12 ` Daniel De Graaf
0 siblings, 0 replies; 26+ messages in thread
From: Daniel De Graaf @ 2014-03-19 15:12 UTC (permalink / raw)
To: Ian Campbell; +Cc: Stefano Stabellini, Ian Jackson, xen-devel
On 03/19/2014 07:02 AM, Ian Campbell wrote:
> On Tue, 2014-03-18 at 17:34 -0400, Daniel De Graaf wrote:
>> @@ -3076,12 +3076,13 @@ static void unpause_domain(uint32_t domid)
>> libxl_domain_unpause(ctx, domid);
>> }
>>
>> -static void destroy_domain(uint32_t domid)
>> +static void destroy_domain(uint32_t domid, int force)
>> {
>> int rc;
>>
>> - if (domid == 0) {
>> - fprintf(stderr, "Cannot destroy privileged domain 0.\n\n");
>> + if (domid == 0 && !force) {
>> + fprintf(stderr, "Destroying domain 0 is only supported in a"
>> + " disaggregated environment and requires the -f flag.\n\n");
>
>>From a user point of view perhaps this would be clearer if worded
> something like:
>
> Not destroying domain 0, use -f to force.
OK, I like that error message better.
> Is the error message on attempted self destruction informative? If not
> then append "This can only be done from another domain, e.g. a
> disaggregated toolstack domain".
libxl: error: libxl.c:1411:libxl__destroy_domid: xc_domain_pause failed for 0
libxl: error: libxl.c:1471:devices_destroy_cb: xc_domain_destroy failed for 0
libxl: error: libxl.c:1342:domain_destroy_callback: unable to destroy guest with domid 0
libxl: error: libxl.c:1269:domain_destroy_cb: destruction of domain 0 failed
destroy failed (rc=-3)
It seems that libxl should include the errno from the hypervisor (EINVAL
in this case) somewhere in its output.
> Last random thought: Does this code know or have the potential to know
> which domain it is running in?
Not easily; I discussed this with Ian Jackson for the v1 patch, and we
decided that determining your own domain ID here was too cumbersome.
> All of this info should also be added to the man page and the help text
> in xl_cmdtable.c needs to have the -f added to it.
Ah, yes, documentation... will do.
>> exit(-1);
>> }
>> rc = libxl_domain_destroy(ctx, domid, 0);
>> @@ -4166,12 +4167,15 @@ int main_unpause(int argc, char **argv)
>> int main_destroy(int argc, char **argv)
>> {
>> int opt;
>> + int force = 0;
>>
>> - SWITCH_FOREACH_OPT(opt, "", NULL, "destroy", 1) {
>> - /* No options */
>> + SWITCH_FOREACH_OPT(opt, "f", NULL, "destroy", 1) {
>> + case 'f':
>> + force = 1;
>> + break;
>> }
>>
>> - destroy_domain(find_domain(argv[optind]));
>> + destroy_domain(find_domain(argv[optind]), force);
>> return 0;
>> }
--
Daniel De Graaf
National Security Agency
^ permalink raw reply [flat|nested] 26+ messages in thread