* Re: [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
@ 2018-11-05 21:00 DeGraaf, Daniel G
0 siblings, 0 replies; 6+ messages in thread
From: DeGraaf, Daniel G @ 2018-11-05 21:00 UTC (permalink / raw)
To: 'Andrew Cooper', Xen-devel
Cc: Sergey Dyasli, Wei Liu, Ian Jackson, Jan Beulich,
Daniel De Graaf, Roger Pau Monné
> From: Sergey Dyasli <sergey.dyasli@citrix.com>
>
> This finally (after literally years of work!) marks the point where the
> toolstack can ask the hypervisor for the current CPUID configuration of a
> specific domain.
>
> Introduce a new flask access vector and update the default policies.
>
> Also extend xen-cpuid's --policy mode to be able to take a domid and dump a
> specific domains CPUID and MSR policy.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
2018-11-05 17:52 ` Roger Pau Monné
@ 2018-11-05 19:58 ` Andrew Cooper
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Cooper @ 2018-11-05 19:58 UTC (permalink / raw)
To: Roger Pau Monné
Cc: Sergey Dyasli, Wei Liu, Ian Jackson, Xen-devel, Jan Beulich,
Daniel De Graaf
On 05/11/18 17:52, Roger Pau Monné wrote:
> On Mon, Nov 05, 2018 at 11:16:40AM +0000, Andrew Cooper wrote:
>> diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
>> index 95ed853..2c41031 100644
>> --- a/tools/misc/xen-cpuid.c
>> +++ b/tools/misc/xen-cpuid.c
>> @@ -3,6 +3,8 @@
>> #include <err.h>
>> #include <getopt.h>
>> #include <string.h>
>> +#include <errno.h>
>> +#include <limits.h>
>>
>> #include <xenctrl.h>
>>
>> @@ -309,11 +311,13 @@ int main(int argc, char **argv)
>> {
>> enum { MODE_UNKNOWN, MODE_INFO, MODE_DETAIL, MODE_INTERPRET, MODE_POLICY }
>> mode = MODE_UNKNOWN;
>> + int domid = -1;
> Would it be better to use DOMID_INVALID instead of -1?
That doesn't exist anywhere consistent or useful to use in this case.
(Also, confusingly, DOMID_INVALID is 0x7ff4 in the public ABI, which is
different to the INVALID_DOMID of ~0/-1 used by various bits of libxc
and libxl)
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
2018-11-05 11:16 ` [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy Andrew Cooper
2018-11-05 15:47 ` Jan Beulich
2018-11-05 15:55 ` Wei Liu
@ 2018-11-05 17:52 ` Roger Pau Monné
2018-11-05 19:58 ` Andrew Cooper
2 siblings, 1 reply; 6+ messages in thread
From: Roger Pau Monné @ 2018-11-05 17:52 UTC (permalink / raw)
To: Andrew Cooper
Cc: Sergey Dyasli, Wei Liu, Ian Jackson, Xen-devel, Jan Beulich,
Daniel De Graaf
On Mon, Nov 05, 2018 at 11:16:40AM +0000, Andrew Cooper wrote:
> From: Sergey Dyasli <sergey.dyasli@citrix.com>
>
> This finally (after literally years of work!) marks the point where the
> toolstack can ask the hypervisor for the current CPUID configuration of a
> specific domain.
>
> Introduce a new flask access vector and update the default policies.
>
> Also extend xen-cpuid's --policy mode to be able to take a domid and dump a
> specific domains CPUID and MSR policy.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
> diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
> index 95ed853..2c41031 100644
> --- a/tools/misc/xen-cpuid.c
> +++ b/tools/misc/xen-cpuid.c
> @@ -3,6 +3,8 @@
> #include <err.h>
> #include <getopt.h>
> #include <string.h>
> +#include <errno.h>
> +#include <limits.h>
>
> #include <xenctrl.h>
>
> @@ -309,11 +311,13 @@ int main(int argc, char **argv)
> {
> enum { MODE_UNKNOWN, MODE_INFO, MODE_DETAIL, MODE_INTERPRET, MODE_POLICY }
> mode = MODE_UNKNOWN;
> + int domid = -1;
Would it be better to use DOMID_INVALID instead of -1?
Thanks, Roger.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
2018-11-05 11:16 ` [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy Andrew Cooper
2018-11-05 15:47 ` Jan Beulich
@ 2018-11-05 15:55 ` Wei Liu
2018-11-05 17:52 ` Roger Pau Monné
2 siblings, 0 replies; 6+ messages in thread
From: Wei Liu @ 2018-11-05 15:55 UTC (permalink / raw)
To: Andrew Cooper
Cc: Sergey Dyasli, Wei Liu, Ian Jackson, Xen-devel, Jan Beulich,
Daniel De Graaf, Roger Pau Monné
On Mon, Nov 05, 2018 at 11:16:40AM +0000, Andrew Cooper wrote:
> From: Sergey Dyasli <sergey.dyasli@citrix.com>
>
> This finally (after literally years of work!) marks the point where the
> toolstack can ask the hypervisor for the current CPUID configuration of a
> specific domain.
>
> Introduce a new flask access vector and update the default policies.
>
> Also extend xen-cpuid's --policy mode to be able to take a domid and dump a
> specific domains CPUID and MSR policy.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Sergey Dyasli <sergey.dyasli@citrix.com>
> CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> v3:
> * Misc code hygene
> * Fix comments to avoid having a SYSCTL/DOMCTL paste error
> * Introduce a new flask vector rather than reusing set_cpuid
> ---
> tools/flask/policy/modules/dom0.te | 2 +-
> tools/flask/policy/modules/xen.if | 2 +-
> tools/libxc/include/xenctrl.h | 3 ++
> tools/libxc/xc_cpuid_x86.c | 38 ++++++++++++++++++++++++
> tools/misc/xen-cpuid.c | 58 ++++++++++++++++++++++++++++++++-----
Acked-by: Wei Liu <wei.liu2@citrix.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
2018-11-05 11:16 ` [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy Andrew Cooper
@ 2018-11-05 15:47 ` Jan Beulich
2018-11-05 15:55 ` Wei Liu
2018-11-05 17:52 ` Roger Pau Monné
2 siblings, 0 replies; 6+ messages in thread
From: Jan Beulich @ 2018-11-05 15:47 UTC (permalink / raw)
To: Andrew Cooper
Cc: Sergey Dyasli, Wei Liu, Ian Jackson, Xen-devel, Daniel de Graaf,
Roger Pau Monne
>>> On 05.11.18 at 12:16, <andrew.cooper3@citrix.com> wrote:
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -1528,6 +1528,38 @@ long arch_do_domctl(
> recalculate_cpuid_policy(d);
> break;
>
> + case XEN_DOMCTL_get_cpu_policy:
> + /* Process the CPUID leaves. */
> + if ( guest_handle_is_null(domctl->u.cpu_policy.cpuid_policy) )
> + domctl->u.cpu_policy.nr_leaves = CPUID_MAX_SERIALISED_LEAVES;
> + else if ( (ret = x86_cpuid_copy_to_buffer(
> + d->arch.cpuid,
> + domctl->u.cpu_policy.cpuid_policy,
> + &domctl->u.cpu_policy.nr_leaves)) )
> + break;
> +
> + if ( __copy_field_to_guest(u_domctl, domctl,
> + u.cpu_policy.nr_leaves) )
> + {
> + ret = -EFAULT;
> + break;
> + }
> +
> + /* Process the MSR entries. */
> + if ( guest_handle_is_null(domctl->u.cpu_policy.msr_policy) )
> + domctl->u.cpu_policy.nr_msrs = MSR_MAX_SERIALISED_ENTRIES;
> + else if ( (ret = x86_msr_copy_to_buffer(
> + d->arch.msr,
> + domctl->u.cpu_policy.msr_policy,
> + &domctl->u.cpu_policy.nr_msrs)) )
> + break;
> +
> + if ( __copy_field_to_guest(u_domctl, domctl,
> + u.cpu_policy.nr_msrs) )
> + ret = -EFAULT;
Is it really worthwhile having extra code to copy back two fields,
rather than just setting copyback to true? Preferably with this
changed, hypervisor side
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy
2018-11-05 11:16 [PATCH v3 0/5] x86: Be able to retrieve system and domain policies Andrew Cooper
@ 2018-11-05 11:16 ` Andrew Cooper
2018-11-05 15:47 ` Jan Beulich
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Andrew Cooper @ 2018-11-05 11:16 UTC (permalink / raw)
To: Xen-devel
Cc: Sergey Dyasli, Wei Liu, Andrew Cooper, Ian Jackson, Jan Beulich,
Daniel De Graaf, Roger Pau Monné
From: Sergey Dyasli <sergey.dyasli@citrix.com>
This finally (after literally years of work!) marks the point where the
toolstack can ask the hypervisor for the current CPUID configuration of a
specific domain.
Introduce a new flask access vector and update the default policies.
Also extend xen-cpuid's --policy mode to be able to take a domid and dump a
specific domains CPUID and MSR policy.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Sergey Dyasli <sergey.dyasli@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Sergey Dyasli <sergey.dyasli@citrix.com>
CC: Daniel De Graaf <dgdegra@tycho.nsa.gov>
v3:
* Misc code hygene
* Fix comments to avoid having a SYSCTL/DOMCTL paste error
* Introduce a new flask vector rather than reusing set_cpuid
---
tools/flask/policy/modules/dom0.te | 2 +-
tools/flask/policy/modules/xen.if | 2 +-
tools/libxc/include/xenctrl.h | 3 ++
tools/libxc/xc_cpuid_x86.c | 38 ++++++++++++++++++++++++
tools/misc/xen-cpuid.c | 58 ++++++++++++++++++++++++++++++++-----
xen/arch/x86/domctl.c | 32 ++++++++++++++++++++
xen/include/public/domctl.h | 18 ++++++++++++
xen/xsm/flask/hooks.c | 3 ++
xen/xsm/flask/policy/access_vectors | 2 ++
9 files changed, 148 insertions(+), 10 deletions(-)
diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index dfdcdcd..c7d565d 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -39,7 +39,7 @@ allow dom0_t dom0_t:domain {
};
allow dom0_t dom0_t:domain2 {
set_cpuid gettsc settsc setscheduler set_vnumainfo
- get_vnumainfo psr_cmt_op psr_alloc
+ get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy
};
allow dom0_t dom0_t:resource { add remove };
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index 4e06cfc..de5fb33 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -53,7 +53,7 @@ define(`create_domain_common', `
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
set_vnumainfo get_vnumainfo cacheflush
psr_cmt_op psr_alloc soft_reset
- resource_map };
+ resource_map get_cpu_policy };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 74fa88b..97ae965 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -2538,6 +2538,9 @@ int xc_get_cpu_policy_size(xc_interface *xch, uint32_t *nr_leaves,
int xc_get_system_cpu_policy(xc_interface *xch, uint32_t index,
uint32_t *nr_leaves, xen_cpuid_leaf_t *leaves,
uint32_t *nr_msrs, xen_msr_entry_t *msrs);
+int xc_get_domain_cpu_policy(xc_interface *xch, uint32_t domid,
+ uint32_t *nr_leaves, xen_cpuid_leaf_t *leaves,
+ uint32_t *nr_msrs, xen_msr_entry_t *msrs);
uint32_t xc_get_cpu_featureset_size(void);
diff --git a/tools/libxc/xc_cpuid_x86.c b/tools/libxc/xc_cpuid_x86.c
index 00e27f0..9e47fc8 100644
--- a/tools/libxc/xc_cpuid_x86.c
+++ b/tools/libxc/xc_cpuid_x86.c
@@ -189,6 +189,44 @@ int xc_get_system_cpu_policy(xc_interface *xch, uint32_t index,
return ret;
}
+int xc_get_domain_cpu_policy(xc_interface *xch, uint32_t domid,
+ uint32_t *nr_leaves, xen_cpuid_leaf_t *leaves,
+ uint32_t *nr_msrs, xen_msr_entry_t *msrs)
+{
+ DECLARE_DOMCTL;
+ DECLARE_HYPERCALL_BOUNCE(leaves,
+ *nr_leaves * sizeof(*leaves),
+ XC_HYPERCALL_BUFFER_BOUNCE_OUT);
+ DECLARE_HYPERCALL_BOUNCE(msrs,
+ *nr_msrs * sizeof(*msrs),
+ XC_HYPERCALL_BUFFER_BOUNCE_OUT);
+ int ret;
+
+ if ( xc_hypercall_bounce_pre(xch, leaves) ||
+ xc_hypercall_bounce_pre(xch, msrs) )
+ return -1;
+
+ domctl.cmd = XEN_DOMCTL_get_cpu_policy;
+ domctl.domain = domid;
+ domctl.u.cpu_policy.nr_leaves = *nr_leaves;
+ set_xen_guest_handle(domctl.u.cpu_policy.cpuid_policy, leaves);
+ domctl.u.cpu_policy.nr_msrs = *nr_msrs;
+ set_xen_guest_handle(domctl.u.cpu_policy.msr_policy, msrs);
+
+ ret = do_domctl(xch, &domctl);
+
+ xc_hypercall_bounce_post(xch, leaves);
+ xc_hypercall_bounce_post(xch, msrs);
+
+ if ( !ret )
+ {
+ *nr_leaves = domctl.u.cpu_policy.nr_leaves;
+ *nr_msrs = domctl.u.cpu_policy.nr_msrs;
+ }
+
+ return ret;
+}
+
struct cpuid_domain_info
{
enum
diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
index 95ed853..2c41031 100644
--- a/tools/misc/xen-cpuid.c
+++ b/tools/misc/xen-cpuid.c
@@ -3,6 +3,8 @@
#include <err.h>
#include <getopt.h>
#include <string.h>
+#include <errno.h>
+#include <limits.h>
#include <xenctrl.h>
@@ -309,11 +311,13 @@ int main(int argc, char **argv)
{
enum { MODE_UNKNOWN, MODE_INFO, MODE_DETAIL, MODE_INTERPRET, MODE_POLICY }
mode = MODE_UNKNOWN;
+ int domid = -1;
nr_features = xc_get_cpu_featureset_size();
for ( ;; )
{
+ const char *tmp_optarg;
int option_index = 0, c;
static struct option long_options[] =
{
@@ -321,11 +325,11 @@ int main(int argc, char **argv)
{ "info", no_argument, NULL, 'i' },
{ "detail", no_argument, NULL, 'd' },
{ "verbose", no_argument, NULL, 'v' },
- { "policy", no_argument, NULL, 'p' },
+ { "policy", optional_argument, NULL, 'p' },
{ NULL, 0, NULL, 0 },
};
- c = getopt_long(argc, argv, "hidvp", long_options, &option_index);
+ c = getopt_long(argc, argv, "hidvp::", long_options, &option_index);
if ( c == -1 )
break;
@@ -345,6 +349,24 @@ int main(int argc, char **argv)
case 'p':
mode = MODE_POLICY;
+
+ tmp_optarg = optarg;
+
+ /* Make "--policy $DOMID" and "-p $DOMID" work. */
+ if ( !optarg && optind < argc &&
+ argv[optind] != NULL && argv[optind][0] != '\0' &&
+ argv[optind][0] != '-' )
+ tmp_optarg = argv[optind++];
+
+ if ( tmp_optarg )
+ {
+ char *endptr;
+
+ errno = 0;
+ domid = strtol(tmp_optarg, &endptr, 0);
+ if ( errno || endptr == tmp_optarg )
+ err(1, "strtol(%s,,)", tmp_optarg);
+ }
break;
case 'd':
@@ -398,8 +420,9 @@ int main(int argc, char **argv)
if ( xc_get_cpu_policy_size(xch, &max_leaves, &max_msrs) )
err(1, "xc_get_cpu_policy_size(...)");
- printf("Xen reports there are maximum %u leaves and %u MSRs\n",
- max_leaves, max_msrs);
+ if ( domid == -1 )
+ printf("Xen reports there are maximum %u leaves and %u MSRs\n",
+ max_leaves, max_msrs);
leaves = calloc(max_leaves, sizeof(xen_cpuid_leaf_t));
if ( !leaves )
@@ -408,16 +431,35 @@ int main(int argc, char **argv)
if ( !msrs )
err(1, "calloc(max_msrs)");
- for ( i = 0; i < ARRAY_SIZE(sys_policies); ++i )
+ if ( domid != -1 )
{
+ char name[20];
uint32_t nr_leaves = max_leaves;
uint32_t nr_msrs = max_msrs;
- if ( xc_get_system_cpu_policy(xch, i, &nr_leaves, leaves,
+ if ( xc_get_domain_cpu_policy(xch, domid, &nr_leaves, leaves,
&nr_msrs, msrs) )
- err(1, "xc_get_system_cpu_policy(, %s,,)", sys_policies[i]);
+ err(1, "xc_get_domain_cpu_policy(, %d, %d,, %d,)",
+ domid, nr_leaves, nr_msrs);
- print_policy(sys_policies[i], leaves, nr_leaves, msrs, nr_msrs);
+ snprintf(name, sizeof(name), "Domain %d", domid);
+ print_policy(name, leaves, nr_leaves, msrs, nr_msrs);
+ }
+ else
+ {
+ /* Get system policies */
+ for ( i = 0; i < ARRAY_SIZE(sys_policies); ++i )
+ {
+ uint32_t nr_leaves = max_leaves;
+ uint32_t nr_msrs = max_msrs;
+
+ if ( xc_get_system_cpu_policy(xch, i, &nr_leaves, leaves,
+ &nr_msrs, msrs) )
+ err(1, "xc_get_system_cpu_policy(, %s,,)", sys_policies[i]);
+
+ print_policy(sys_policies[i], leaves, nr_leaves,
+ msrs, nr_msrs);
+ }
}
free(leaves);
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index f79827e..d91b6ab 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -1528,6 +1528,38 @@ long arch_do_domctl(
recalculate_cpuid_policy(d);
break;
+ case XEN_DOMCTL_get_cpu_policy:
+ /* Process the CPUID leaves. */
+ if ( guest_handle_is_null(domctl->u.cpu_policy.cpuid_policy) )
+ domctl->u.cpu_policy.nr_leaves = CPUID_MAX_SERIALISED_LEAVES;
+ else if ( (ret = x86_cpuid_copy_to_buffer(
+ d->arch.cpuid,
+ domctl->u.cpu_policy.cpuid_policy,
+ &domctl->u.cpu_policy.nr_leaves)) )
+ break;
+
+ if ( __copy_field_to_guest(u_domctl, domctl,
+ u.cpu_policy.nr_leaves) )
+ {
+ ret = -EFAULT;
+ break;
+ }
+
+ /* Process the MSR entries. */
+ if ( guest_handle_is_null(domctl->u.cpu_policy.msr_policy) )
+ domctl->u.cpu_policy.nr_msrs = MSR_MAX_SERIALISED_ENTRIES;
+ else if ( (ret = x86_msr_copy_to_buffer(
+ d->arch.msr,
+ domctl->u.cpu_policy.msr_policy,
+ &domctl->u.cpu_policy.nr_msrs)) )
+ break;
+
+ if ( __copy_field_to_guest(u_domctl, domctl,
+ u.cpu_policy.nr_msrs) )
+ ret = -EFAULT;
+
+ break;
+
default:
ret = iommu_do_domctl(domctl, d, u_domctl);
break;
diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
index 1bbdcd9..4a46c28 100644
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -652,6 +652,22 @@ struct xen_domctl_cpuid {
uint32_t ecx;
uint32_t edx;
};
+
+/*
+ * XEN_DOMCTL_get_cpu_policy (x86 specific)
+ *
+ * Query the CPUID and MSR policies for a specific domain.
+ */
+struct xen_domctl_cpu_policy {
+ uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to
+ * 'cpuid_policy'. */
+ uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to
+ * 'msr_domain_policy' */
+ XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* OUT */
+ XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_policy; /* OUT */
+};
+typedef struct xen_domctl_cpu_policy xen_domctl_cpu_policy_t;
+DEFINE_XEN_GUEST_HANDLE(xen_domctl_cpu_policy_t);
#endif
/*
@@ -1177,6 +1193,7 @@ struct xen_domctl {
#define XEN_DOMCTL_soft_reset 79
/* #define XEN_DOMCTL_set_gnttab_limits 80 - Moved into XEN_DOMCTL_createdomain */
#define XEN_DOMCTL_vuart_op 81
+#define XEN_DOMCTL_get_cpu_policy 82
#define XEN_DOMCTL_gdbsx_guestmemio 1000
#define XEN_DOMCTL_gdbsx_pausevcpu 1001
#define XEN_DOMCTL_gdbsx_unpausevcpu 1002
@@ -1221,6 +1238,7 @@ struct xen_domctl {
struct xen_domctl_mem_sharing_op mem_sharing_op;
#if defined(__i386__) || defined(__x86_64__)
struct xen_domctl_cpuid cpuid;
+ struct xen_domctl_cpu_policy cpu_policy;
struct xen_domctl_vcpuextstate vcpuextstate;
struct xen_domctl_vcpu_msrs vcpu_msrs;
#endif
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index e5b0c60..96d31aa 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -742,6 +742,9 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_soft_reset:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SOFT_RESET);
+ case XEN_DOMCTL_get_cpu_policy:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY);
+
default:
return avc_unknown_permission("domctl", cmd);
}
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index e58a50d..6fecfda 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -248,6 +248,8 @@ class domain2
psr_alloc
# XENMEM_resource_map
resource_map
+# XEN_DOMCTL_get_cpu_policy
+ get_cpu_policy
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-11-05 21:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-05 21:00 [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy DeGraaf, Daniel G
-- strict thread matches above, loose matches on Subject: below --
2018-11-05 11:16 [PATCH v3 0/5] x86: Be able to retrieve system and domain policies Andrew Cooper
2018-11-05 11:16 ` [PATCH v3 5/5] x86/domctl: Implement XEN_DOMCTL_get_cpu_policy Andrew Cooper
2018-11-05 15:47 ` Jan Beulich
2018-11-05 15:55 ` Wei Liu
2018-11-05 17:52 ` Roger Pau Monné
2018-11-05 19:58 ` Andrew Cooper
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.