From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>, xen-devel@lists.xen.org
Subject: Re: [PATCH 6/7] xen: Allow hardare domain != dom0
Date: Fri, 11 Apr 2014 14:22:53 -0400 [thread overview]
Message-ID: <534832FD.8000105@tycho.nsa.gov> (raw)
In-Reply-To: <5348244E02000078000080C2@nat28.tlf.novell.com>
[-- Attachment #1: Type: text/plain, Size: 7703 bytes --]
On 04/11/2014 11:20 AM, Jan Beulich wrote:
>>>> On 11.04.14 at 17:07, <dgdegra@tycho.nsa.gov> wrote:
>> On 04/11/2014 05:13 AM, Jan Beulich wrote:
>>>>>> On 27.03.14 at 12:52, <dgdegra@tycho.nsa.gov> wrote:
>>>> @@ -794,7 +795,7 @@ void watchdog_domain_destroy(struct domain *d);
>>>> * (that is, this would not be suitable for a driver domain)
>>>> * - There is never a reason to deny dom0 access to this
>>>> */
>>>> -#define is_hardware_domain(_d) ((_d)->domain_id == 0)
>>>> +#define is_hardware_domain(d) ((d)->domain_id == hardware_domid)
>>>
>>> This macro should imo evaluate to true for Dom0 until the hardware
>>> domain go created, i.e. you should compare _d with hardware_domain
>>> rather than their IDs. With that the definition of hardware_domid can
>>> then also be moved inside the #ifdef requested above.
>>
>> This isn't quite as simple as changing the function since there are
>> some places where is_hardware_domain needs to return false for domain 0
>> when a hardware domain is used. Also, the hardware_domain variable is
>> not set until domain_create returns, so there are a few places where the
>> domain ID still needs to be checked explicitly. It should be possible
>> to create an is_hardware_domid function for those cases, if comparing to
>> hardware_domain is preferred for most cases; I think that would belong in
>> a new patch 5.5/7 (i.e. 6/8 in v4).
>>
>> Otherwise, I think the is_hardware_domain definition should be:
>>
>> #ifdef CONFIG_LATE_HWDOM
>> #define is_hardware_domain(_d) ((_d)->domain_id == hardware_domid)
>> #else
>> #define is_hardware_domain(_d) ((_d)->domain_id == 0)
>> #endif
>>
>> This also allows hardware_domid to be declared inside the #ifdef.
>
> But that still wouldn't necessarily do the correct thing for any use of
> the macro before that new special case code in domain_create() got
> run. Maybe my thinking of this is wrong, but as I tried to state above,
> I would expect Dom0 to be the hardware domain up to the point
> where the intended hardware domain gets created, at which point all
> state Dom0 obtained because of having been the de-facto hardware
> domain get transferred to hardware_domain.
I agree with this in most cases, and I think the few places where that
is not true should be changed to make them more explicit. This must
include all checks in domain_create and those in functions called from
domain_create, because (d == hardware_domain) is always false inside
domain_create. An initial version of this patch is below, but unless
there are objections I plan to integrate it into patch 1 to avoid doing
(d->domain_id == 0) => is_hardware_domain => is_hardware_domain_by_id
for the ARM code.
------------------------------>8------------------------
Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id
In order to better handle the period when domain 0 is running but has
not yet built a late hardware domain, change is_hardware_domain to do
what its name implies: check that the passed domain is the hardware
domain. To address some cases where this variable is not set (in
particular, during the creation of domain 0 this variable will still be
NULL), the old check is retained with the name is_hardware_domain_by_id.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/arch/arm/domain.c | 2 +-
xen/arch/arm/gic.c | 2 +-
xen/arch/arm/vgic.c | 2 +-
xen/arch/arm/vtimer.c | 2 +-
xen/arch/arm/vuart.c | 2 +-
xen/common/domain.c | 4 ++--
xen/include/xen/sched.h | 9 ++++++++-
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index ccccb77..4f235e4 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
* Only use it for the hardware domain because the linux kernel may not
* support multi-platform.
*/
- if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
+ if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) )
goto fail;
return 0;
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 8168b7b..5c16aba 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -868,7 +868,7 @@ int gicv_setup(struct domain *d)
* The hardware domain gets the hardware address.
* Guests get the virtual platform layout.
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->arch.vgic.dbase = gic.dbase;
d->arch.vgic.cbase = gic.cbase;
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 4a7f8c0..cc795e0 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
/* Currently nr_lines in vgic and gic doesn't have the same meanings
* Here nr_lines = number of SPIs
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
d->arch.vgic.nr_lines = gic_number_lines() - 32;
else
d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index cb690bb..4dcb80d 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d)
int vcpu_vtimer_init(struct vcpu *v)
{
struct vtimer *t = &v->arch.phys_timer;
- bool_t d0 = is_hardware_domain(v->domain);
+ bool_t d0 = is_hardware_domain_by_id(v->domain);
/*
* Hardware domain uses the hardware interrupts, guests get the virtual
diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
index c02a8a9..cf9745c 100644
--- a/xen/arch/arm/vuart.c
+++ b/xen/arch/arm/vuart.c
@@ -46,7 +46,7 @@
int domain_vuart_init(struct domain *d)
{
- ASSERT( is_hardware_domain(d) );
+ ASSERT( is_hardware_domain_by_id(d) );
d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
if ( !d->arch.vuart.info )
diff --git a/xen/common/domain.c b/xen/common/domain.c
index c4720a9..4036e69 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -237,7 +237,7 @@ struct domain *domain_create(
else if ( domcr_flags & DOMCRF_pvh )
d->guest_type = guest_type_pvh;
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->is_pinned = opt_dom0_vcpus_pin;
d->disable_migrate = 1;
@@ -262,7 +262,7 @@ struct domain *domain_create(
d->is_paused_by_controller = 1;
atomic_inc(&d->pause_count);
- if ( !is_hardware_domain(d) )
+ if ( !is_hardware_domain_by_id(d) )
d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
else
d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cbbe8a4..34447f1 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain(_d) ((_d) == hardware_domain)
+
+/*
+ * Check for the hardware domain based on domain ID, not using the global
+ * hardware_domain variable. This is necessary inside domain_create where
+ * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
+ */
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
--
1.9.0
[-- Attachment #2: 0006-xen-introduce-is_hardware_domain_by_id.patch --]
[-- Type: text/x-patch, Size: 5043 bytes --]
>From 8271965e73890ce25b86f31045b2c1784bd04273 Mon Sep 17 00:00:00 2001
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 11 Apr 2014 13:46:24 -0400
Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id
In order to better handle the period when domain 0 is running but has
not yet built a late hardware domain, change is_hardware_domain to do
what its name implies: check that the passed domain is the hardware
domain. To address some cases where this variable is not set (in
particular, during the creation of domain 0 this variable will still be
NULL), the old check is retained with the name is_hardware_domain_by_id.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/arch/arm/domain.c | 2 +-
xen/arch/arm/gic.c | 2 +-
xen/arch/arm/vgic.c | 2 +-
xen/arch/arm/vtimer.c | 2 +-
xen/arch/arm/vuart.c | 2 +-
xen/common/domain.c | 4 ++--
xen/include/xen/sched.h | 9 ++++++++-
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index ccccb77..4f235e4 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
* Only use it for the hardware domain because the linux kernel may not
* support multi-platform.
*/
- if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
+ if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) )
goto fail;
return 0;
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 8168b7b..5c16aba 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -868,7 +868,7 @@ int gicv_setup(struct domain *d)
* The hardware domain gets the hardware address.
* Guests get the virtual platform layout.
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->arch.vgic.dbase = gic.dbase;
d->arch.vgic.cbase = gic.cbase;
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 4a7f8c0..cc795e0 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
/* Currently nr_lines in vgic and gic doesn't have the same meanings
* Here nr_lines = number of SPIs
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
d->arch.vgic.nr_lines = gic_number_lines() - 32;
else
d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index cb690bb..4dcb80d 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d)
int vcpu_vtimer_init(struct vcpu *v)
{
struct vtimer *t = &v->arch.phys_timer;
- bool_t d0 = is_hardware_domain(v->domain);
+ bool_t d0 = is_hardware_domain_by_id(v->domain);
/*
* Hardware domain uses the hardware interrupts, guests get the virtual
diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
index c02a8a9..cf9745c 100644
--- a/xen/arch/arm/vuart.c
+++ b/xen/arch/arm/vuart.c
@@ -46,7 +46,7 @@
int domain_vuart_init(struct domain *d)
{
- ASSERT( is_hardware_domain(d) );
+ ASSERT( is_hardware_domain_by_id(d) );
d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
if ( !d->arch.vuart.info )
diff --git a/xen/common/domain.c b/xen/common/domain.c
index c4720a9..4036e69 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -237,7 +237,7 @@ struct domain *domain_create(
else if ( domcr_flags & DOMCRF_pvh )
d->guest_type = guest_type_pvh;
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->is_pinned = opt_dom0_vcpus_pin;
d->disable_migrate = 1;
@@ -262,7 +262,7 @@ struct domain *domain_create(
d->is_paused_by_controller = 1;
atomic_inc(&d->pause_count);
- if ( !is_hardware_domain(d) )
+ if ( !is_hardware_domain_by_id(d) )
d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
else
d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cbbe8a4..34447f1 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain(_d) ((_d) == hardware_domain)
+
+/*
+ * Check for the hardware domain based on domain ID, not using the global
+ * hardware_domain variable. This is necessary inside domain_create where
+ * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
+ */
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
--
1.9.0
[-- Attachment #3: 0007-xen-Allow-hardware-domain-dom0.patch --]
[-- Type: text/x-patch, Size: 11513 bytes --]
>From 1cb71b69284ce002c299ea3a3dfa061cad78e7f7 Mon Sep 17 00:00:00 2001
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 6 May 2011 15:13:22 -0400
Subject: [PATCH RFC 7/8] xen: Allow hardware domain != dom0
This adds a hypervisor command line option "hardware_dom=" which takes a
domain ID. When the domain with this ID is created, it will be used
as the hardware domain.
This is intended to be used when domain 0 is a dedicated stub domain for
domain building, allowing the hardware domain to be de-privileged and
act only as a driver domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
---
docs/misc/xen-command-line.markdown | 10 +++++++++
xen/arch/x86/domain_build.c | 4 +++-
xen/common/domain.c | 5 +++++
xen/common/domctl.c | 41 +++++++++++++++++++++++++++++++++++++
xen/common/rangeset.c | 40 ++++++++++++++++++++++++++++++++++++
xen/include/xen/rangeset.h | 3 +++
xen/include/xen/sched.h | 10 +++++++--
xen/include/xsm/dummy.h | 6 ++++++
xen/include/xsm/xsm.h | 6 ++++++
xen/xsm/dummy.c | 2 ++
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 2 ++
12 files changed, 132 insertions(+), 3 deletions(-)
diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 87de2dc..6f5064f 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -590,6 +590,16 @@ Paging (HAP).
Flag to enable 2 MB host page table support for Hardware Assisted
Paging (HAP).
+### hardware\_dom
+> `= <domid>`
+
+> Default: `0`
+
+Enable late hardware domain creation using the specified domain ID. This is
+intended to be used when domain 0 is a stub domain which builds a disaggregated
+system including a hardware domain with the specified domain ID. This option is
+supported only when compiled with CONFIG\_XSM on x86.
+
### hpetbroadcast
> `= <boolean>`
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index 08c40f8..1b61687 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1150,7 +1150,9 @@ int __init construct_dom0(
printk(" Xen warning: dom0 kernel broken ELF: %s\n",
elf_check_broken(&elf));
- iommu_hwdom_init(hardware_domain);
+ if ( is_hardware_domain_by_id(d) )
+ iommu_hwdom_init(d);
+
return 0;
out:
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 4036e69..2561236 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -61,6 +61,11 @@ struct domain *domain_list;
struct domain *hardware_domain __read_mostly;
+#ifdef CONFIG_LATE_HWDOM
+domid_t hardware_domid __read_mostly;
+integer_param("hardware_dom", hardware_domid);
+#endif
+
struct vcpu *idle_vcpu[NR_CPUS] __read_mostly;
vcpu_info_t dummy_vcpu_info;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index af3614b..c77fe99 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -472,6 +472,47 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
break;
}
+#ifdef CONFIG_LATE_HWDOM
+ if ( is_hardware_domain_by_id(d) )
+ {
+ struct domain *dom0 = hardware_domain;
+ ASSERT(dom0->domain_id == 0);
+
+ ret = xsm_init_hardware_domain(XSM_HOOK, d);
+ if ( ret )
+ {
+ domain_kill(d);
+ d = NULL;
+ break;
+ }
+
+ printk("Initialising hardware domain %d\n", hardware_domid);
+ hardware_domain = d;
+
+ /*
+ * Hardware resource ranges for domain 0 have been set up from
+ * various sources intended to restrict the hardware domain's
+ * access. Apply these ranges to the actual hardware domain.
+ *
+ * Because the lists are being swapped, a side effect of this
+ * operation is that Domain 0's rangesets are cleared. Since
+ * domain 0 should not be accessing the hardware when it constructs
+ * a hardware domain, this should not be a problem. Both lists
+ * may be modified after this hypercall returns if a more complex
+ * device model is desired.
+ *
+ * Since late hardware domain initialization is only supported on
+ * x86, the reference to arch.ioport_caps does not need its own
+ * preprocessor conditional.
+ */
+ rangeset_swap(d->irq_caps, dom0->irq_caps);
+ rangeset_swap(d->iomem_caps, dom0->iomem_caps);
+ rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps);
+
+ iommu_hwdom_init(d);
+ }
+#endif
+
ret = 0;
memcpy(d->handle, op->u.createdomain.handle,
diff --git a/xen/common/rangeset.c b/xen/common/rangeset.c
index f09c0c4..52fae1f 100644
--- a/xen/common/rangeset.c
+++ b/xen/common/rangeset.c
@@ -438,3 +438,43 @@ void rangeset_domain_printk(
spin_unlock(&d->rangesets_lock);
}
+
+void rangeset_swap(struct rangeset *a, struct rangeset *b)
+{
+ struct list_head tmp;
+ if (&a < &b)
+ {
+ spin_lock(&a->lock);
+ spin_lock(&b->lock);
+ }
+ else
+ {
+ spin_lock(&b->lock);
+ spin_lock(&a->lock);
+ }
+ memcpy(&tmp, &a->range_list, sizeof(tmp));
+ memcpy(&a->range_list, &b->range_list, sizeof(tmp));
+ memcpy(&b->range_list, &tmp, sizeof(tmp));
+ if ( a->range_list.next == &b->range_list )
+ {
+ a->range_list.next = &a->range_list;
+ a->range_list.prev = &a->range_list;
+ }
+ else
+ {
+ a->range_list.next->prev = &a->range_list;
+ a->range_list.prev->next = &a->range_list;
+ }
+ if ( b->range_list.next == &a->range_list )
+ {
+ b->range_list.next = &b->range_list;
+ b->range_list.prev = &b->range_list;
+ }
+ else
+ {
+ b->range_list.next->prev = &b->range_list;
+ b->range_list.prev->next = &b->range_list;
+ }
+ spin_unlock(&a->lock);
+ spin_unlock(&b->lock);
+}
diff --git a/xen/include/xen/rangeset.h b/xen/include/xen/rangeset.h
index 1e16a6b..805ebde 100644
--- a/xen/include/xen/rangeset.h
+++ b/xen/include/xen/rangeset.h
@@ -73,4 +73,7 @@ void rangeset_printk(
void rangeset_domain_printk(
struct domain *d);
+/* swap contents */
+void rangeset_swap(struct rangeset *a, struct rangeset *b);
+
#endif /* __XEN_RANGESET_H__ */
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 34447f1..50937db 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -46,6 +46,12 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t);
/* A global pointer to the hardware domain (usually DOM0). */
extern struct domain *hardware_domain;
+#ifdef CONFIG_LATE_HWDOM
+extern domid_t hardware_domid;
+#else
+#define hardware_domid 0
+#endif
+
#ifndef CONFIG_COMPAT
#define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG
#else
@@ -795,7 +801,7 @@ void watchdog_domain_destroy(struct domain *d);
* Use this check when the following are both true:
* - Using this feature or interface requires full access to the hardware
* (that is, this would not be suitable for a driver domain)
- * - There is never a reason to deny dom0 access to this
+ * - There is never a reason to deny the hardware domain access to this
*/
#define is_hardware_domain(_d) ((_d) == hardware_domain)
@@ -804,7 +810,7 @@ void watchdog_domain_destroy(struct domain *d);
* hardware_domain variable. This is necessary inside domain_create where
* hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
*/
-#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == hardware_domid)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index e722155..8ca1117 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -299,6 +299,12 @@ static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct
return NULL;
}
+static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_HOOK);
+ return xsm_default_action(action, current->domain, d);
+}
+
static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 2cd3a3b..ef1c584 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -82,6 +82,7 @@ struct xsm_operations {
int (*alloc_security_evtchn) (struct evtchn *chn);
void (*free_security_evtchn) (struct evtchn *chn);
char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
+ int (*init_hardware_domain) (struct domain *d);
int (*get_pod_target) (struct domain *d);
int (*set_pod_target) (struct domain *d);
@@ -311,6 +312,11 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt
return xsm_ops->show_security_evtchn(d, chn);
}
+static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->init_hardware_domain(d);
+}
+
static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
{
return xsm_ops->get_pod_target(d);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index b79e10f..c2804f2 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -58,6 +58,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, alloc_security_evtchn);
set_to_dummy_if_null(ops, free_security_evtchn);
set_to_dummy_if_null(ops, show_security_evtchn);
+ set_to_dummy_if_null(ops, init_hardware_domain);
+
set_to_dummy_if_null(ops, get_pod_target);
set_to_dummy_if_null(ops, set_pod_target);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 4ce31c9..f1a4a2d 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -327,6 +327,11 @@ static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *c
return ctx;
}
+static int flask_init_hardware_domain(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CREATE_HARDWARE_DOMAIN);
+}
+
static int flask_grant_mapref(struct domain *d1, struct domain *d2,
uint32_t flags)
{
@@ -1500,6 +1505,7 @@ static struct xsm_operations flask_ops = {
.alloc_security_evtchn = flask_alloc_security_evtchn,
.free_security_evtchn = flask_free_security_evtchn,
.show_security_evtchn = flask_show_security_evtchn,
+ .init_hardware_domain = flask_init_hardware_domain,
.get_pod_target = flask_get_pod_target,
.set_pod_target = flask_set_pod_target,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index a0ed13d..32371a9 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -198,6 +198,8 @@ class domain2
set_max_evtchn
# XEN_DOMCTL_cacheflush
cacheflush
+# Creation of the hardware domain when it is not dom0
+ create_hardware_domain
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
1.9.0
[-- Attachment #4: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2014-04-11 18:22 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-27 11:52 [PATCH v3 0/7] xen: Hardware domain support Daniel De Graaf
2014-03-27 11:52 ` [PATCH 1/7] xen: use domid check in is_hardware_domain Daniel De Graaf
2014-03-27 15:31 ` Ian Campbell
2014-03-27 11:52 ` [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init Daniel De Graaf
2014-03-27 11:52 ` [PATCH 3/7] xen: prevent 0 from being used as a dynamic domid Daniel De Graaf
2014-03-27 11:52 ` [PATCH 4/7] xen: rename dom0 to hardware_domain Daniel De Graaf
2014-03-27 12:20 ` Egger, Christoph
2014-03-27 12:48 ` Daniel De Graaf
2014-03-27 15:46 ` Egger, Christoph
2014-03-27 15:33 ` Ian Campbell
2014-03-27 11:52 ` [PATCH 5/7] xen: rename various functions referencing dom0 Daniel De Graaf
2014-03-27 15:34 ` Ian Campbell
2014-03-27 15:47 ` Daniel De Graaf
2014-03-27 11:52 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
2014-04-11 9:13 ` Jan Beulich
2014-04-11 15:07 ` Daniel De Graaf
2014-04-11 15:20 ` Jan Beulich
2014-04-11 18:22 ` Daniel De Graaf [this message]
2014-04-14 7:56 ` Jan Beulich
2014-04-14 20:12 ` Daniel De Graaf
2014-03-27 11:52 ` [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed Daniel De Graaf
2014-03-27 15:35 ` Ian Campbell
2014-04-02 15:08 ` Ian Jackson
2014-04-10 15:58 ` [PATCH v3 0/7] xen: Hardware domain support Keir Fraser
-- strict thread matches above, loose matches on Subject: below --
2014-03-18 21:34 [PATCH v2 " Daniel De Graaf
2014-03-18 21:34 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
2014-03-19 9:15 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=534832FD.8000105@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.