* [PATCH 0/6] xsm: refactoring xsm hooks
@ 2021-06-17 23:39 Daniel P. Smith
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
` (6 more replies)
0 siblings, 7 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
patch set is being split into two separate patch sets. This is the first
patch set and is focused purely on the clean up and refactoring of the
XSM hooks.
This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
infrastructure. Then proceeds to move and realign the headers to remove the
psuedo is/is not enable implementation. The remainder of the changes are clean up
and removing no longer necessary abstractions.
Daniel P. Smith (6):
xsm: refactor xsm_ops handling
xsm: decouple xsm header inclusion selection
xsm: enabling xsm to always be included
xsm: remove xen_defualt_t from hook definitions
xsm: expanding function related macros in dummy.h
xsm: removing the XSM_ASSERT_ACTION macro
xen/arch/arm/dm.c | 2 +-
xen/arch/arm/domctl.c | 6 +-
xen/arch/arm/hvm.c | 2 +-
xen/arch/arm/mm.c | 2 +-
xen/arch/arm/platform_hypercall.c | 2 +-
xen/arch/x86/cpu/mcheck/mce.c | 2 +-
xen/arch/x86/cpu/vpmu.c | 2 +-
xen/arch/x86/domctl.c | 8 +-
xen/arch/x86/hvm/dm.c | 2 +-
xen/arch/x86/hvm/hvm.c | 12 +-
xen/arch/x86/irq.c | 5 +-
xen/arch/x86/mm.c | 20 +-
xen/arch/x86/mm/mem_paging.c | 2 +-
xen/arch/x86/mm/mem_sharing.c | 9 +-
xen/arch/x86/mm/p2m.c | 2 +-
xen/arch/x86/mm/paging.c | 4 +-
xen/arch/x86/mm/shadow/set.c | 2 +-
xen/arch/x86/msi.c | 3 +-
xen/arch/x86/pci.c | 2 +-
xen/arch/x86/physdev.c | 17 +-
xen/arch/x86/platform_hypercall.c | 10 +-
xen/arch/x86/pv/emul-priv-op.c | 2 +-
xen/arch/x86/sysctl.c | 4 +-
xen/common/Kconfig | 55 +-
xen/common/domain.c | 4 +-
xen/common/domctl.c | 12 +-
xen/common/event_channel.c | 12 +-
xen/common/grant_table.c | 16 +-
xen/common/hypfs.c | 2 +-
xen/common/kernel.c | 2 +-
xen/common/kexec.c | 2 +-
xen/common/mem_access.c | 2 +-
xen/common/memory.c | 16 +-
xen/common/monitor.c | 2 +-
xen/common/sched/core.c | 6 +-
xen/common/sysctl.c | 8 +-
xen/common/vm_event.c | 2 +-
xen/common/xenoprof.c | 2 +-
xen/drivers/char/console.c | 2 +-
xen/drivers/passthrough/device_tree.c | 4 +-
xen/drivers/passthrough/pci.c | 12 +-
xen/include/xen/sched.h | 2 +-
xen/include/xsm/dummy.h | 774 --------------------------
xen/include/xsm/xsm-core.h | 236 ++++++++
xen/include/xsm/xsm.h | 626 +++++++--------------
xen/xsm/Makefile | 4 +-
xen/xsm/dummy.c | 7 +-
xen/xsm/dummy.h | 697 +++++++++++++++++++++++
xen/xsm/flask/flask_op.c | 21 +-
xen/xsm/silo.c | 18 +-
xen/xsm/xsm_core.c | 54 +-
51 files changed, 1309 insertions(+), 1413 deletions(-)
delete mode 100644 xen/include/xsm/dummy.h
create mode 100644 xen/include/xsm/xsm-core.h
create mode 100644 xen/xsm/dummy.h
--
2.20.1
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-18 11:34 ` Andrew Cooper
2021-07-12 12:36 ` [PATCH 0.5/6] xen: Implement xen/alternative-call.h for use in common code Andrew Cooper
2021-06-17 23:39 ` [PATCH 2/6] xsm: decouple xsm header inclusion selection Daniel P. Smith
` (5 subsequent siblings)
6 siblings, 2 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
The assignment and setup of xsm_ops structure was refactored to make it a
one-time assignment. The calling of the xsm_ops were refactored to use the
alternate_call framework to reduce the need for retpolines.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/include/xsm/xsm.h | 206 ++++++++++++++++++++-------------------
xen/xsm/dummy.c | 2 -
xen/xsm/flask/flask_op.c | 21 +---
xen/xsm/xsm_core.c | 50 ++++++----
4 files changed, 138 insertions(+), 141 deletions(-)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index ad3cddbf7d..86ca045e74 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -15,6 +15,9 @@
#ifndef __XSM_H__
#define __XSM_H__
+#ifdef CONFIG_XSM
+#include <asm/alternative.h>
+#endif
#include <xen/sched.h>
#include <xen/multiboot.h>
@@ -191,295 +194,295 @@ struct xsm_operations {
#ifdef CONFIG_XSM
-extern struct xsm_operations *xsm_ops;
+extern struct xsm_operations xsm_ops;
#ifndef XSM_NO_WRAPPERS
static inline void xsm_security_domaininfo (struct domain *d,
struct xen_domctl_getdomaininfo *info)
{
- xsm_ops->security_domaininfo(d, info);
+ alternative_vcall(xsm_ops.security_domaininfo, d, info);
}
static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
{
- return xsm_ops->domain_create(d, ssidref);
+ return alternative_call(xsm_ops.domain_create, d, ssidref);
}
static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
{
- return xsm_ops->getdomaininfo(d);
+ return alternative_call(xsm_ops.getdomaininfo, d);
}
static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
{
- return xsm_ops->domctl_scheduler_op(d, cmd);
+ return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd);
}
static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
{
- return xsm_ops->sysctl_scheduler_op(cmd);
+ return alternative_call(xsm_ops.sysctl_scheduler_op, cmd);
}
static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
{
- return xsm_ops->set_target(d, e);
+ return alternative_call(xsm_ops.set_target, d, e);
}
static inline int xsm_domctl (xsm_default_t def, struct domain *d, int cmd)
{
- return xsm_ops->domctl(d, cmd);
+ return alternative_call(xsm_ops.domctl, d, cmd);
}
static inline int xsm_sysctl (xsm_default_t def, int cmd)
{
- return xsm_ops->sysctl(cmd);
+ return alternative_call(xsm_ops.sysctl, cmd);
}
static inline int xsm_readconsole (xsm_default_t def, uint32_t clear)
{
- return xsm_ops->readconsole(clear);
+ return alternative_call(xsm_ops.readconsole, clear);
}
static inline int xsm_evtchn_unbound (xsm_default_t def, struct domain *d1, struct evtchn *chn,
domid_t id2)
{
- return xsm_ops->evtchn_unbound(d1, chn, id2);
+ return alternative_call(xsm_ops.evtchn_unbound, d1, chn, id2);
}
static inline int xsm_evtchn_interdomain (xsm_default_t def, struct domain *d1,
struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
{
- return xsm_ops->evtchn_interdomain(d1, chan1, d2, chan2);
+ return alternative_call(xsm_ops.evtchn_interdomain, d1, chan1, d2, chan2);
}
static inline void xsm_evtchn_close_post (struct evtchn *chn)
{
- xsm_ops->evtchn_close_post(chn);
+ alternative_vcall(xsm_ops.evtchn_close_post, chn);
}
static inline int xsm_evtchn_send (xsm_default_t def, struct domain *d, struct evtchn *chn)
{
- return xsm_ops->evtchn_send(d, chn);
+ return alternative_call(xsm_ops.evtchn_send, d, chn);
}
static inline int xsm_evtchn_status (xsm_default_t def, struct domain *d, struct evtchn *chn)
{
- return xsm_ops->evtchn_status(d, chn);
+ return alternative_call(xsm_ops.evtchn_status, d, chn);
}
static inline int xsm_evtchn_reset (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->evtchn_reset(d1, d2);
+ return alternative_call(xsm_ops.evtchn_reset, d1, d2);
}
static inline int xsm_grant_mapref (xsm_default_t def, struct domain *d1, struct domain *d2,
uint32_t flags)
{
- return xsm_ops->grant_mapref(d1, d2, flags);
+ return alternative_call(xsm_ops.grant_mapref, d1, d2, flags);
}
static inline int xsm_grant_unmapref (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->grant_unmapref(d1, d2);
+ return alternative_call(xsm_ops.grant_unmapref, d1, d2);
}
static inline int xsm_grant_setup (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->grant_setup(d1, d2);
+ return alternative_call(xsm_ops.grant_setup, d1, d2);
}
static inline int xsm_grant_transfer (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->grant_transfer(d1, d2);
+ return alternative_call(xsm_ops.grant_transfer, d1, d2);
}
static inline int xsm_grant_copy (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->grant_copy(d1, d2);
+ return alternative_call(xsm_ops.grant_copy, d1, d2);
}
static inline int xsm_grant_query_size (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->grant_query_size(d1, d2);
+ return alternative_call(xsm_ops.grant_query_size, d1, d2);
}
static inline int xsm_alloc_security_domain (struct domain *d)
{
- return xsm_ops->alloc_security_domain(d);
+ return alternative_call(xsm_ops.alloc_security_domain, d);
}
static inline void xsm_free_security_domain (struct domain *d)
{
- xsm_ops->free_security_domain(d);
+ alternative_vcall(xsm_ops.free_security_domain, d);
}
static inline int xsm_alloc_security_evtchns(
struct evtchn chn[], unsigned int nr)
{
- return xsm_ops->alloc_security_evtchns(chn, nr);
+ return alternative_call(xsm_ops.alloc_security_evtchns, chn, nr);
}
static inline void xsm_free_security_evtchns(
struct evtchn chn[], unsigned int nr)
{
- xsm_ops->free_security_evtchns(chn, nr);
+ alternative_vcall(xsm_ops.free_security_evtchns, chn, nr);
}
static inline char *xsm_show_security_evtchn (struct domain *d, const struct evtchn *chn)
{
- return xsm_ops->show_security_evtchn(d, chn);
+ return alternative_call(xsm_ops.show_security_evtchn, d, chn);
}
static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
{
- return xsm_ops->init_hardware_domain(d);
+ return alternative_call(xsm_ops.init_hardware_domain, d);
}
static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
{
- return xsm_ops->get_pod_target(d);
+ return alternative_call(xsm_ops.get_pod_target, d);
}
static inline int xsm_set_pod_target (xsm_default_t def, struct domain *d)
{
- return xsm_ops->set_pod_target(d);
+ return alternative_call(xsm_ops.set_pod_target, d);
}
static inline int xsm_memory_exchange (xsm_default_t def, struct domain *d)
{
- return xsm_ops->memory_exchange(d);
+ return alternative_call(xsm_ops.memory_exchange, d);
}
static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct domain *d1, struct
domain *d2)
{
- return xsm_ops->memory_adjust_reservation(d1, d2);
+ return alternative_call(xsm_ops.memory_adjust_reservation, d1, d2);
}
static inline int xsm_memory_stat_reservation (xsm_default_t def, struct domain *d1,
struct domain *d2)
{
- return xsm_ops->memory_stat_reservation(d1, d2);
+ return alternative_call(xsm_ops.memory_stat_reservation, d1, d2);
}
static inline int xsm_memory_pin_page(xsm_default_t def, struct domain *d1, struct domain *d2,
struct page_info *page)
{
- return xsm_ops->memory_pin_page(d1, d2, page);
+ return alternative_call(xsm_ops.memory_pin_page, d1, d2, page);
}
static inline int xsm_add_to_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->add_to_physmap(d1, d2);
+ return alternative_call(xsm_ops.add_to_physmap, d1, d2);
}
static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->remove_from_physmap(d1, d2);
+ return alternative_call(xsm_ops.remove_from_physmap, d1, d2);
}
static inline int xsm_map_gmfn_foreign (xsm_default_t def, struct domain *d, struct domain *t)
{
- return xsm_ops->map_gmfn_foreign(d, t);
+ return alternative_call(xsm_ops.map_gmfn_foreign, d, t);
}
static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
{
- return xsm_ops->claim_pages(d);
+ return alternative_call(xsm_ops.claim_pages, d);
}
static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
{
- return xsm_ops->console_io(d, cmd);
+ return alternative_call(xsm_ops.console_io, d, cmd);
}
static inline int xsm_profile (xsm_default_t def, struct domain *d, int op)
{
- return xsm_ops->profile(d, op);
+ return alternative_call(xsm_ops.profile, d, op);
}
static inline int xsm_kexec (xsm_default_t def)
{
- return xsm_ops->kexec();
+ return alternative_call(xsm_ops.kexec);
}
static inline int xsm_schedop_shutdown (xsm_default_t def, struct domain *d1, struct domain *d2)
{
- return xsm_ops->schedop_shutdown(d1, d2);
+ return alternative_call(xsm_ops.schedop_shutdown, d1, d2);
}
static inline char *xsm_show_irq_sid (int irq)
{
- return xsm_ops->show_irq_sid(irq);
+ return alternative_call(xsm_ops.show_irq_sid, irq);
}
static inline int xsm_map_domain_pirq (xsm_default_t def, struct domain *d)
{
- return xsm_ops->map_domain_pirq(d);
+ return alternative_call(xsm_ops.map_domain_pirq, d);
}
static inline int xsm_map_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
{
- return xsm_ops->map_domain_irq(d, irq, data);
+ return alternative_call(xsm_ops.map_domain_irq, d, irq, data);
}
static inline int xsm_unmap_domain_pirq (xsm_default_t def, struct domain *d)
{
- return xsm_ops->unmap_domain_pirq(d);
+ return alternative_call(xsm_ops.unmap_domain_pirq, d);
}
static inline int xsm_unmap_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
{
- return xsm_ops->unmap_domain_irq(d, irq, data);
+ return alternative_call(xsm_ops.unmap_domain_irq, d, irq, data);
}
static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
- return xsm_ops->bind_pt_irq(d, bind);
+ return alternative_call(xsm_ops.bind_pt_irq, d, bind);
}
static inline int xsm_unbind_pt_irq(xsm_default_t def, struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
- return xsm_ops->unbind_pt_irq(d, bind);
+ return alternative_call(xsm_ops.unbind_pt_irq, d, bind);
}
static inline int xsm_irq_permission (xsm_default_t def, struct domain *d, int pirq, uint8_t allow)
{
- return xsm_ops->irq_permission(d, pirq, allow);
+ return alternative_call(xsm_ops.irq_permission, d, pirq, allow);
}
static inline int xsm_iomem_permission (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
- return xsm_ops->iomem_permission(d, s, e, allow);
+ return alternative_call(xsm_ops.iomem_permission, d, s, e, allow);
}
static inline int xsm_iomem_mapping (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
- return xsm_ops->iomem_mapping(d, s, e, allow);
+ return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow);
}
static inline int xsm_pci_config_permission (xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
{
- return xsm_ops->pci_config_permission(d, machine_bdf, start, end, access);
+ return alternative_call(xsm_ops.pci_config_permission, d, machine_bdf, start, end, access);
}
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf)
{
- return xsm_ops->get_device_group(machine_bdf);
+ return alternative_call(xsm_ops.get_device_group, machine_bdf);
}
static inline int xsm_assign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
{
- return xsm_ops->assign_device(d, machine_bdf);
+ return alternative_call(xsm_ops.assign_device, d, machine_bdf);
}
static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
{
- return xsm_ops->deassign_device(d, machine_bdf);
+ return alternative_call(xsm_ops.deassign_device, d, machine_bdf);
}
#endif /* HAS_PASSTHROUGH && HAS_PCI) */
@@ -487,240 +490,243 @@ static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint3
static inline int xsm_assign_dtdevice(xsm_default_t def, struct domain *d,
const char *dtpath)
{
- return xsm_ops->assign_dtdevice(d, dtpath);
+ return alternative_call(xsm_ops.assign_dtdevice, d, dtpath);
}
static inline int xsm_deassign_dtdevice(xsm_default_t def, struct domain *d,
const char *dtpath)
{
- return xsm_ops->deassign_dtdevice(d, dtpath);
+ return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath);
}
#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
static inline int xsm_resource_plug_pci (xsm_default_t def, uint32_t machine_bdf)
{
- return xsm_ops->resource_plug_pci(machine_bdf);
+ return alternative_call(xsm_ops.resource_plug_pci, machine_bdf);
}
static inline int xsm_resource_unplug_pci (xsm_default_t def, uint32_t machine_bdf)
{
- return xsm_ops->resource_unplug_pci(machine_bdf);
+ return alternative_call(xsm_ops.resource_unplug_pci, machine_bdf);
}
static inline int xsm_resource_plug_core (xsm_default_t def)
{
- return xsm_ops->resource_plug_core();
+ return alternative_call(xsm_ops.resource_plug_core);
}
static inline int xsm_resource_unplug_core (xsm_default_t def)
{
- return xsm_ops->resource_unplug_core();
+ return alternative_call(xsm_ops.resource_unplug_core);
}
static inline int xsm_resource_setup_pci (xsm_default_t def, uint32_t machine_bdf)
{
- return xsm_ops->resource_setup_pci(machine_bdf);
+ return alternative_call(xsm_ops.resource_setup_pci, machine_bdf);
}
static inline int xsm_resource_setup_gsi (xsm_default_t def, int gsi)
{
- return xsm_ops->resource_setup_gsi(gsi);
+ return alternative_call(xsm_ops.resource_setup_gsi, gsi);
}
static inline int xsm_resource_setup_misc (xsm_default_t def)
{
- return xsm_ops->resource_setup_misc();
+ return alternative_call(xsm_ops.resource_setup_misc);
}
static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
{
- return xsm_ops->page_offline(cmd);
+ return alternative_call(xsm_ops.page_offline, cmd);
}
static inline int xsm_hypfs_op(xsm_default_t def)
{
- return xsm_ops->hypfs_op();
+ return alternative_call(xsm_ops.hypfs_op);
}
static inline long xsm_do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
- return xsm_ops->do_xsm_op(op);
+ /* "op"(struct) is being passed by value, alternative_call does not support */
+ return xsm_ops.do_xsm_op(op);
}
#ifdef CONFIG_COMPAT
static inline int xsm_do_compat_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
- return xsm_ops->do_compat_op(op);
+ /* "op"(struct) is being passed by value, alternative_call does not support */
+ return xsm_ops.do_compat_op(op);
}
#endif
static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned long op)
{
- return xsm_ops->hvm_param(d, op);
+ return alternative_call(xsm_ops.hvm_param, d, op);
}
static inline int xsm_hvm_control(xsm_default_t def, struct domain *d, unsigned long op)
{
- return xsm_ops->hvm_control(d, op);
+ return alternative_call(xsm_ops.hvm_control, d, op);
}
static inline int xsm_hvm_param_altp2mhvm (xsm_default_t def, struct domain *d)
{
- return xsm_ops->hvm_param_altp2mhvm(d);
+ return alternative_call(xsm_ops.hvm_param_altp2mhvm, d);
}
static inline int xsm_hvm_altp2mhvm_op (xsm_default_t def, struct domain *d, uint64_t mode, uint32_t op)
{
- return xsm_ops->hvm_altp2mhvm_op(d, mode, op);
+ return alternative_call(xsm_ops.hvm_altp2mhvm_op, d, mode, op);
}
static inline int xsm_get_vnumainfo (xsm_default_t def, struct domain *d)
{
- return xsm_ops->get_vnumainfo(d);
+ return alternative_call(xsm_ops.get_vnumainfo, d);
}
static inline int xsm_vm_event_control (xsm_default_t def, struct domain *d, int mode, int op)
{
- return xsm_ops->vm_event_control(d, mode, op);
+ return alternative_call(xsm_ops.vm_event_control, d, mode, op);
}
#ifdef CONFIG_MEM_ACCESS
static inline int xsm_mem_access (xsm_default_t def, struct domain *d)
{
- return xsm_ops->mem_access(d);
+ return alternative_call(xsm_ops.mem_access, d);
}
#endif
#ifdef CONFIG_MEM_PAGING
static inline int xsm_mem_paging (xsm_default_t def, struct domain *d)
{
- return xsm_ops->mem_paging(d);
+ return alternative_call(xsm_ops.mem_paging, d);
}
#endif
#ifdef CONFIG_MEM_SHARING
static inline int xsm_mem_sharing (xsm_default_t def, struct domain *d)
{
- return xsm_ops->mem_sharing(d);
+ return alternative_call(xsm_ops.mem_sharing, d);
}
#endif
static inline int xsm_platform_op (xsm_default_t def, uint32_t op)
{
- return xsm_ops->platform_op(op);
+ return alternative_call(xsm_ops.platform_op, op);
}
#ifdef CONFIG_X86
static inline int xsm_do_mca(xsm_default_t def)
{
- return xsm_ops->do_mca();
+ return alternative_call(xsm_ops.do_mca);
}
static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
{
- return xsm_ops->shadow_control(d, op);
+ return alternative_call(xsm_ops.shadow_control, d, op);
}
static inline int xsm_mem_sharing_op (xsm_default_t def, struct domain *d, struct domain *cd, int op)
{
- return xsm_ops->mem_sharing_op(d, cd, op);
+ return alternative_call(xsm_ops.mem_sharing_op, d, cd, op);
}
static inline int xsm_apic (xsm_default_t def, struct domain *d, int cmd)
{
- return xsm_ops->apic(d, cmd);
+ return alternative_call(xsm_ops.apic, d, cmd);
}
static inline int xsm_memtype (xsm_default_t def, uint32_t access)
{
- return xsm_ops->memtype(access);
+ return alternative_call(xsm_ops.memtype, access);
}
static inline int xsm_machine_memory_map(xsm_default_t def)
{
- return xsm_ops->machine_memory_map();
+ return alternative_call(xsm_ops.machine_memory_map);
}
static inline int xsm_domain_memory_map(xsm_default_t def, struct domain *d)
{
- return xsm_ops->domain_memory_map(d);
+ return alternative_call(xsm_ops.domain_memory_map, d);
}
static inline int xsm_mmu_update (xsm_default_t def, struct domain *d, struct domain *t,
struct domain *f, uint32_t flags)
{
- return xsm_ops->mmu_update(d, t, f, flags);
+ return alternative_call(xsm_ops.mmu_update, d, t, f, flags);
}
static inline int xsm_mmuext_op (xsm_default_t def, struct domain *d, struct domain *f)
{
- return xsm_ops->mmuext_op(d, f);
+ return alternative_call(xsm_ops.mmuext_op, d, f);
}
static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, struct domain *f,
l1_pgentry_t pte)
{
- return xsm_ops->update_va_mapping(d, f, pte);
+ /* pte(struct) is being passed by value, alternative_call does not support */
+ return xsm_ops.update_va_mapping(d, f, pte);
}
static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t)
{
- return xsm_ops->priv_mapping(d, t);
+ return alternative_call(xsm_ops.priv_mapping, d, t);
}
static inline int xsm_ioport_permission (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
- return xsm_ops->ioport_permission(d, s, e, allow);
+ return alternative_call(xsm_ops.ioport_permission, d, s, e, allow);
}
static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
- return xsm_ops->ioport_mapping(d, s, e, allow);
+ return alternative_call(xsm_ops.ioport_mapping, d, s, e, allow);
}
static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int op)
{
- return xsm_ops->pmu_op(d, op);
+ return alternative_call(xsm_ops.pmu_op, d, op);
}
#endif /* CONFIG_X86 */
static inline int xsm_dm_op(xsm_default_t def, struct domain *d)
{
- return xsm_ops->dm_op(d);
+ return alternative_call(xsm_ops.dm_op, d);
}
static inline int xsm_xen_version (xsm_default_t def, uint32_t op)
{
- return xsm_ops->xen_version(op);
+ return alternative_call(xsm_ops.xen_version, op);
}
static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
{
- return xsm_ops->domain_resource_map(d);
+ return alternative_call(xsm_ops.domain_resource_map, d);
}
#ifdef CONFIG_ARGO
static inline int xsm_argo_enable(const struct domain *d)
{
- return xsm_ops->argo_enable(d);
+ return alternative_call(xsm_ops.argo_enable, d);
}
static inline int xsm_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
- return xsm_ops->argo_register_single_source(d, t);
+ return alternative_call(xsm_ops.argo_register_single_source, d, t);
}
static inline int xsm_argo_register_any_source(const struct domain *d)
{
- return xsm_ops->argo_register_any_source(d);
+ return alternative_call(xsm_ops.argo_register_any_source, d);
}
static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
{
- return xsm_ops->argo_send(d, t);
+ return alternative_call(xsm_ops.argo_send, d, t);
}
#endif /* CONFIG_ARGO */
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index de44b10130..066694763a 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -13,8 +13,6 @@
#define XSM_NO_WRAPPERS
#include <xsm/dummy.h>
-struct xsm_operations dummy_xsm_ops;
-
#define set_to_dummy_if_null(ops, function) \
do { \
if ( !ops->function ) \
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index 01e52138a1..df9fcc1d6d 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -225,26 +225,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
static int flask_disable(void)
{
- static int flask_disabled = 0;
-
- if ( ss_initialized )
- {
- /* Not permitted after initial policy load. */
- return -EINVAL;
- }
-
- if ( flask_disabled )
- {
- /* Only do this once. */
- return -EINVAL;
- }
-
- printk("Flask: Disabled at runtime.\n");
-
- flask_disabled = 1;
-
- /* Reset xsm_ops to the original module. */
- xsm_ops = &dummy_xsm_ops;
+ printk("Flask: Disabling is not supported.\n");
return 0;
}
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 5eab21e1b1..acc1af7166 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -28,9 +28,17 @@
#include <asm/setup.h>
#endif
-#define XSM_FRAMEWORK_VERSION "1.0.0"
+#define XSM_FRAMEWORK_VERSION "1.0.1"
-struct xsm_operations *xsm_ops;
+struct xsm_operations xsm_ops;
+
+enum xsm_ops_state {
+ XSM_OPS_UNREGISTERED,
+ XSM_OPS_REG_FAILED,
+ XSM_OPS_REGISTERED,
+};
+
+static enum xsm_ops_state xsm_ops_registered = XSM_OPS_UNREGISTERED;
enum xsm_bootparam {
XSM_BOOTPARAM_DUMMY,
@@ -68,15 +76,6 @@ static int __init parse_xsm_param(const char *s)
}
custom_param("xsm", parse_xsm_param);
-static inline int verify(struct xsm_operations *ops)
-{
- /* verify the security_operations structure exists */
- if ( !ops )
- return -EINVAL;
- xsm_fixup_ops(ops);
- return 0;
-}
-
static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
{
#ifdef CONFIG_XSM_FLASK_POLICY
@@ -87,17 +86,22 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
}
#endif
- if ( verify(&dummy_xsm_ops) )
+ if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
{
- printk(XENLOG_ERR "Could not verify dummy_xsm_ops structure\n");
+ printk(XENLOG_ERR
+ "Could not init XSM, xsm_ops register already attempted\n");
return -EIO;
}
- xsm_ops = &dummy_xsm_ops;
+ /* install the dummy ops as default to ensure ops
+ * are defined if requested policy fails init
+ */
+ xsm_fixup_ops(&xsm_ops);
switch ( xsm_bootparam )
{
case XSM_BOOTPARAM_DUMMY:
+ xsm_ops_registered = XSM_OPS_REGISTERED;
break;
case XSM_BOOTPARAM_FLASK:
@@ -113,6 +117,9 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
break;
}
+ if ( xsm_ops_registered != XSM_OPS_REGISTERED )
+ xsm_ops_registered = XSM_OPS_REG_FAILED;
+
return 0;
}
@@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
int __init register_xsm(struct xsm_operations *ops)
{
- if ( verify(ops) )
+ if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
+ return -EAGAIN;
+
+ if ( !ops )
{
- printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
+ xsm_ops_registered = XSM_OPS_REG_FAILED;
+ printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
return -EINVAL;
}
- if ( xsm_ops != &dummy_xsm_ops )
- return -EAGAIN;
+ /* use dummy ops for any empty ops */
+ xsm_fixup_ops(ops);
- xsm_ops = ops;
+ xsm_ops = *ops;
+ xsm_ops_registered = XSM_OPS_REGISTERED;
return 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 2/6] xsm: decouple xsm header inclusion selection
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-17 23:39 ` [PATCH 3/6] xsm: enabling xsm to always be included Daniel P. Smith
` (4 subsequent siblings)
6 siblings, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
Multiple preprocessor defines were used as a mechanism to selective
include parts of the xsm.h header file. This makes it difficult to know
which portion is being included at anyone time. This commit works to
simplify this by separating the core structure and functions of XSM into
xsm-core.h away from the wrapper functions which remain in xsm.h and
dummy.h.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/include/xsm/dummy.h | 2 +-
xen/include/xsm/xsm-core.h | 262 +++++++++++++++++++++++++++++++++++++
xen/include/xsm/xsm.h | 240 +--------------------------------
xen/xsm/dummy.c | 1 -
xen/xsm/silo.c | 1 -
5 files changed, 264 insertions(+), 242 deletions(-)
create mode 100644 xen/include/xsm/xsm-core.h
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 363c6d7798..c445c5681b 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -16,7 +16,7 @@
*/
#include <xen/sched.h>
-#include <xsm/xsm.h>
+#include <xsm/xsm-core.h>
#include <public/hvm/params.h>
/* Cannot use BUILD_BUG_ON here because the expressions we check are not
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
new file mode 100644
index 0000000000..5297c73fe6
--- /dev/null
+++ b/xen/include/xsm/xsm-core.h
@@ -0,0 +1,262 @@
+/*
+ * This file contains the XSM hook definitions for Xen.
+ *
+ * This work is based on the LSM implementation in Linux 2.6.13.4.
+ *
+ * Author: George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ * Contributors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#ifndef __XSM_CORE_H__
+#define __XSM_CORE_H__
+
+#include <xen/sched.h>
+#include <xen/multiboot.h>
+
+typedef void xsm_op_t;
+DEFINE_XEN_GUEST_HANDLE(xsm_op_t);
+
+/* policy magic number (defined by XSM_MAGIC) */
+typedef u32 xsm_magic_t;
+
+#ifdef CONFIG_XSM_FLASK
+#define XSM_MAGIC 0xf97cff8c
+#else
+#define XSM_MAGIC 0x0
+#endif
+
+/* These annotations are used by callers and in dummy.h to document the
+ * default actions of XSM hooks. They should be compiled out otherwise.
+ */
+enum xsm_default {
+ XSM_HOOK, /* Guests can normally access the hypercall */
+ XSM_DM_PRIV, /* Device model can perform on its target domain */
+ XSM_TARGET, /* Can perform on self or your target domain */
+ XSM_PRIV, /* Privileged - normally restricted to dom0 */
+ XSM_XS_PRIV, /* Xenstore domain - can do some privileged operations */
+ XSM_OTHER /* Something more complex */
+};
+typedef enum xsm_default xsm_default_t;
+
+struct xsm_operations {
+ void (*security_domaininfo) (struct domain *d,
+ struct xen_domctl_getdomaininfo *info);
+ int (*domain_create) (struct domain *d, u32 ssidref);
+ int (*getdomaininfo) (struct domain *d);
+ int (*domctl_scheduler_op) (struct domain *d, int op);
+ int (*sysctl_scheduler_op) (int op);
+ int (*set_target) (struct domain *d, struct domain *e);
+ int (*domctl) (struct domain *d, int cmd);
+ int (*sysctl) (int cmd);
+ int (*readconsole) (uint32_t clear);
+
+ int (*evtchn_unbound) (struct domain *d, struct evtchn *chn, domid_t id2);
+ int (*evtchn_interdomain) (struct domain *d1, struct evtchn *chn1,
+ struct domain *d2, struct evtchn *chn2);
+ void (*evtchn_close_post) (struct evtchn *chn);
+ int (*evtchn_send) (struct domain *d, struct evtchn *chn);
+ int (*evtchn_status) (struct domain *d, struct evtchn *chn);
+ int (*evtchn_reset) (struct domain *d1, struct domain *d2);
+
+ int (*grant_mapref) (struct domain *d1, struct domain *d2, uint32_t flags);
+ int (*grant_unmapref) (struct domain *d1, struct domain *d2);
+ int (*grant_setup) (struct domain *d1, struct domain *d2);
+ int (*grant_transfer) (struct domain *d1, struct domain *d2);
+ int (*grant_copy) (struct domain *d1, struct domain *d2);
+ int (*grant_query_size) (struct domain *d1, struct domain *d2);
+
+ int (*alloc_security_domain) (struct domain *d);
+ void (*free_security_domain) (struct domain *d);
+ int (*alloc_security_evtchns) (struct evtchn chn[], unsigned int nr);
+ void (*free_security_evtchns) (struct evtchn chn[], unsigned int nr);
+ char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
+ int (*init_hardware_domain) (struct domain *d);
+
+ int (*get_pod_target) (struct domain *d);
+ int (*set_pod_target) (struct domain *d);
+ int (*memory_exchange) (struct domain *d);
+ int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
+ int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
+ int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
+ int (*add_to_physmap) (struct domain *d1, struct domain *d2);
+ int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
+ int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
+ int (*claim_pages) (struct domain *d);
+
+ int (*console_io) (struct domain *d, int cmd);
+
+ int (*profile) (struct domain *d, int op);
+
+ int (*kexec) (void);
+ int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
+
+ char *(*show_irq_sid) (int irq);
+ int (*map_domain_pirq) (struct domain *d);
+ int (*map_domain_irq) (struct domain *d, int irq, const void *data);
+ int (*unmap_domain_pirq) (struct domain *d);
+ int (*unmap_domain_irq) (struct domain *d, int irq, const void *data);
+ int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
+ int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
+ int (*irq_permission) (struct domain *d, int pirq, uint8_t allow);
+ int (*iomem_permission) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
+ int (*iomem_mapping) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
+ int (*pci_config_permission) (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access);
+
+#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
+ int (*get_device_group) (uint32_t machine_bdf);
+ int (*assign_device) (struct domain *d, uint32_t machine_bdf);
+ int (*deassign_device) (struct domain *d, uint32_t machine_bdf);
+#endif
+
+#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
+ int (*assign_dtdevice) (struct domain *d, const char *dtpath);
+ int (*deassign_dtdevice) (struct domain *d, const char *dtpath);
+#endif
+
+ int (*resource_plug_core) (void);
+ int (*resource_unplug_core) (void);
+ int (*resource_plug_pci) (uint32_t machine_bdf);
+ int (*resource_unplug_pci) (uint32_t machine_bdf);
+ int (*resource_setup_pci) (uint32_t machine_bdf);
+ int (*resource_setup_gsi) (int gsi);
+ int (*resource_setup_misc) (void);
+
+ int (*page_offline)(uint32_t cmd);
+ int (*hypfs_op)(void);
+
+ long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
+#ifdef CONFIG_COMPAT
+ int (*do_compat_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
+#endif
+
+ int (*hvm_param) (struct domain *d, unsigned long op);
+ int (*hvm_control) (struct domain *d, unsigned long op);
+ int (*hvm_param_altp2mhvm) (struct domain *d);
+ int (*hvm_altp2mhvm_op) (struct domain *d, uint64_t mode, uint32_t op);
+ int (*get_vnumainfo) (struct domain *d);
+
+ int (*vm_event_control) (struct domain *d, int mode, int op);
+
+#ifdef CONFIG_MEM_ACCESS
+ int (*mem_access) (struct domain *d);
+#endif
+
+#ifdef CONFIG_MEM_PAGING
+ int (*mem_paging) (struct domain *d);
+#endif
+
+#ifdef CONFIG_MEM_SHARING
+ int (*mem_sharing) (struct domain *d);
+#endif
+
+ int (*platform_op) (uint32_t cmd);
+
+#ifdef CONFIG_X86
+ int (*do_mca) (void);
+ int (*shadow_control) (struct domain *d, uint32_t op);
+ int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
+ int (*apic) (struct domain *d, int cmd);
+ int (*memtype) (uint32_t access);
+ int (*machine_memory_map) (void);
+ int (*domain_memory_map) (struct domain *d);
+#define XSM_MMU_UPDATE_READ 1
+#define XSM_MMU_UPDATE_WRITE 2
+#define XSM_MMU_NORMAL_UPDATE 4
+#define XSM_MMU_MACHPHYS_UPDATE 8
+ int (*mmu_update) (struct domain *d, struct domain *t,
+ struct domain *f, uint32_t flags);
+ int (*mmuext_op) (struct domain *d, struct domain *f);
+ int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte);
+ int (*priv_mapping) (struct domain *d, struct domain *t);
+ int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
+ int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
+ int (*pmu_op) (struct domain *d, unsigned int op);
+#endif
+ int (*dm_op) (struct domain *d);
+ int (*xen_version) (uint32_t cmd);
+ int (*domain_resource_map) (struct domain *d);
+#ifdef CONFIG_ARGO
+ int (*argo_enable) (const struct domain *d);
+ int (*argo_register_single_source) (const struct domain *d,
+ const struct domain *t);
+ int (*argo_register_any_source) (const struct domain *d);
+ int (*argo_send) (const struct domain *d, const struct domain *t);
+#endif
+};
+
+#ifdef CONFIG_XSM
+
+#ifdef CONFIG_MULTIBOOT
+extern int xsm_multiboot_init(unsigned long *module_map,
+ const multiboot_info_t *mbi);
+extern int xsm_multiboot_policy_init(unsigned long *module_map,
+ const multiboot_info_t *mbi,
+ void **policy_buffer,
+ size_t *policy_size);
+#endif
+
+#ifdef CONFIG_HAS_DEVICE_TREE
+/*
+ * Initialize XSM
+ *
+ * On success, return 1 if using SILO mode else 0.
+ */
+extern int xsm_dt_init(void);
+extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
+extern bool has_xsm_magic(paddr_t);
+#endif
+
+extern int register_xsm(struct xsm_operations *ops);
+
+extern struct xsm_operations dummy_xsm_ops;
+extern void xsm_fixup_ops(struct xsm_operations *ops);
+
+#ifdef CONFIG_XSM_FLASK
+extern void flask_init(const void *policy_buffer, size_t policy_size);
+#else
+static inline void flask_init(const void *policy_buffer, size_t policy_size)
+{
+}
+#endif
+
+#ifdef CONFIG_XSM_FLASK_POLICY
+extern const unsigned char xsm_flask_init_policy[];
+extern const unsigned int xsm_flask_init_policy_size;
+#endif
+
+#ifdef CONFIG_XSM_SILO
+extern void silo_init(void);
+#else
+static inline void silo_init(void) {}
+#endif
+
+#else /* CONFIG_XSM */
+
+#ifdef CONFIG_MULTIBOOT
+static inline int xsm_multiboot_init (unsigned long *module_map,
+ const multiboot_info_t *mbi)
+{
+ return 0;
+}
+#endif
+
+#ifdef CONFIG_HAS_DEVICE_TREE
+static inline int xsm_dt_init(void)
+{
+ return 0;
+}
+
+static inline bool has_xsm_magic(paddr_t start)
+{
+ return false;
+}
+#endif /* CONFIG_HAS_DEVICE_TREE */
+
+#endif /* CONFIG_XSM */
+
+#endif /* __XSM_CORE_H */
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 86ca045e74..ecbdee2c7d 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -20,184 +20,12 @@
#endif
#include <xen/sched.h>
#include <xen/multiboot.h>
-
-typedef void xsm_op_t;
-DEFINE_XEN_GUEST_HANDLE(xsm_op_t);
-
-/* policy magic number (defined by XSM_MAGIC) */
-typedef u32 xsm_magic_t;
-
-#ifdef CONFIG_XSM_FLASK
-#define XSM_MAGIC 0xf97cff8c
-#else
-#define XSM_MAGIC 0x0
-#endif
-
-/* These annotations are used by callers and in dummy.h to document the
- * default actions of XSM hooks. They should be compiled out otherwise.
- */
-enum xsm_default {
- XSM_HOOK, /* Guests can normally access the hypercall */
- XSM_DM_PRIV, /* Device model can perform on its target domain */
- XSM_TARGET, /* Can perform on self or your target domain */
- XSM_PRIV, /* Privileged - normally restricted to dom0 */
- XSM_XS_PRIV, /* Xenstore domain - can do some privileged operations */
- XSM_OTHER /* Something more complex */
-};
-typedef enum xsm_default xsm_default_t;
-
-struct xsm_operations {
- void (*security_domaininfo) (struct domain *d,
- struct xen_domctl_getdomaininfo *info);
- int (*domain_create) (struct domain *d, u32 ssidref);
- int (*getdomaininfo) (struct domain *d);
- int (*domctl_scheduler_op) (struct domain *d, int op);
- int (*sysctl_scheduler_op) (int op);
- int (*set_target) (struct domain *d, struct domain *e);
- int (*domctl) (struct domain *d, int cmd);
- int (*sysctl) (int cmd);
- int (*readconsole) (uint32_t clear);
-
- int (*evtchn_unbound) (struct domain *d, struct evtchn *chn, domid_t id2);
- int (*evtchn_interdomain) (struct domain *d1, struct evtchn *chn1,
- struct domain *d2, struct evtchn *chn2);
- void (*evtchn_close_post) (struct evtchn *chn);
- int (*evtchn_send) (struct domain *d, struct evtchn *chn);
- int (*evtchn_status) (struct domain *d, struct evtchn *chn);
- int (*evtchn_reset) (struct domain *d1, struct domain *d2);
-
- int (*grant_mapref) (struct domain *d1, struct domain *d2, uint32_t flags);
- int (*grant_unmapref) (struct domain *d1, struct domain *d2);
- int (*grant_setup) (struct domain *d1, struct domain *d2);
- int (*grant_transfer) (struct domain *d1, struct domain *d2);
- int (*grant_copy) (struct domain *d1, struct domain *d2);
- int (*grant_query_size) (struct domain *d1, struct domain *d2);
-
- int (*alloc_security_domain) (struct domain *d);
- void (*free_security_domain) (struct domain *d);
- int (*alloc_security_evtchns) (struct evtchn chn[], unsigned int nr);
- void (*free_security_evtchns) (struct evtchn chn[], unsigned int nr);
- char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
- int (*init_hardware_domain) (struct domain *d);
-
- int (*get_pod_target) (struct domain *d);
- int (*set_pod_target) (struct domain *d);
- int (*memory_exchange) (struct domain *d);
- int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
- int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
- int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
- int (*add_to_physmap) (struct domain *d1, struct domain *d2);
- int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
- int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
- int (*claim_pages) (struct domain *d);
-
- int (*console_io) (struct domain *d, int cmd);
-
- int (*profile) (struct domain *d, int op);
-
- int (*kexec) (void);
- int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
-
- char *(*show_irq_sid) (int irq);
- int (*map_domain_pirq) (struct domain *d);
- int (*map_domain_irq) (struct domain *d, int irq, const void *data);
- int (*unmap_domain_pirq) (struct domain *d);
- int (*unmap_domain_irq) (struct domain *d, int irq, const void *data);
- int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
- int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
- int (*irq_permission) (struct domain *d, int pirq, uint8_t allow);
- int (*iomem_permission) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
- int (*iomem_mapping) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
- int (*pci_config_permission) (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access);
-
-#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
- int (*get_device_group) (uint32_t machine_bdf);
- int (*assign_device) (struct domain *d, uint32_t machine_bdf);
- int (*deassign_device) (struct domain *d, uint32_t machine_bdf);
-#endif
-
-#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
- int (*assign_dtdevice) (struct domain *d, const char *dtpath);
- int (*deassign_dtdevice) (struct domain *d, const char *dtpath);
-#endif
-
- int (*resource_plug_core) (void);
- int (*resource_unplug_core) (void);
- int (*resource_plug_pci) (uint32_t machine_bdf);
- int (*resource_unplug_pci) (uint32_t machine_bdf);
- int (*resource_setup_pci) (uint32_t machine_bdf);
- int (*resource_setup_gsi) (int gsi);
- int (*resource_setup_misc) (void);
-
- int (*page_offline)(uint32_t cmd);
- int (*hypfs_op)(void);
-
- long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
-#ifdef CONFIG_COMPAT
- int (*do_compat_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
-#endif
-
- int (*hvm_param) (struct domain *d, unsigned long op);
- int (*hvm_control) (struct domain *d, unsigned long op);
- int (*hvm_param_altp2mhvm) (struct domain *d);
- int (*hvm_altp2mhvm_op) (struct domain *d, uint64_t mode, uint32_t op);
- int (*get_vnumainfo) (struct domain *d);
-
- int (*vm_event_control) (struct domain *d, int mode, int op);
-
-#ifdef CONFIG_MEM_ACCESS
- int (*mem_access) (struct domain *d);
-#endif
-
-#ifdef CONFIG_MEM_PAGING
- int (*mem_paging) (struct domain *d);
-#endif
-
-#ifdef CONFIG_MEM_SHARING
- int (*mem_sharing) (struct domain *d);
-#endif
-
- int (*platform_op) (uint32_t cmd);
-
-#ifdef CONFIG_X86
- int (*do_mca) (void);
- int (*shadow_control) (struct domain *d, uint32_t op);
- int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
- int (*apic) (struct domain *d, int cmd);
- int (*memtype) (uint32_t access);
- int (*machine_memory_map) (void);
- int (*domain_memory_map) (struct domain *d);
-#define XSM_MMU_UPDATE_READ 1
-#define XSM_MMU_UPDATE_WRITE 2
-#define XSM_MMU_NORMAL_UPDATE 4
-#define XSM_MMU_MACHPHYS_UPDATE 8
- int (*mmu_update) (struct domain *d, struct domain *t,
- struct domain *f, uint32_t flags);
- int (*mmuext_op) (struct domain *d, struct domain *f);
- int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte);
- int (*priv_mapping) (struct domain *d, struct domain *t);
- int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
- int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
- int (*pmu_op) (struct domain *d, unsigned int op);
-#endif
- int (*dm_op) (struct domain *d);
- int (*xen_version) (uint32_t cmd);
- int (*domain_resource_map) (struct domain *d);
-#ifdef CONFIG_ARGO
- int (*argo_enable) (const struct domain *d);
- int (*argo_register_single_source) (const struct domain *d,
- const struct domain *t);
- int (*argo_register_any_source) (const struct domain *d);
- int (*argo_send) (const struct domain *d, const struct domain *t);
-#endif
-};
+#include <xsm/xsm-core.h>
#ifdef CONFIG_XSM
extern struct xsm_operations xsm_ops;
-#ifndef XSM_NO_WRAPPERS
-
static inline void xsm_security_domaininfo (struct domain *d,
struct xen_domctl_getdomaininfo *info)
{
@@ -731,76 +559,10 @@ static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
#endif /* CONFIG_ARGO */
-#endif /* XSM_NO_WRAPPERS */
-
-#ifdef CONFIG_MULTIBOOT
-extern int xsm_multiboot_init(unsigned long *module_map,
- const multiboot_info_t *mbi);
-extern int xsm_multiboot_policy_init(unsigned long *module_map,
- const multiboot_info_t *mbi,
- void **policy_buffer,
- size_t *policy_size);
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-/*
- * Initialize XSM
- *
- * On success, return 1 if using SILO mode else 0.
- */
-extern int xsm_dt_init(void);
-extern int xsm_dt_policy_init(void **policy_buffer, size_t *policy_size);
-extern bool has_xsm_magic(paddr_t);
-#endif
-
-extern int register_xsm(struct xsm_operations *ops);
-
-extern struct xsm_operations dummy_xsm_ops;
-extern void xsm_fixup_ops(struct xsm_operations *ops);
-
-#ifdef CONFIG_XSM_FLASK
-extern void flask_init(const void *policy_buffer, size_t policy_size);
-#else
-static inline void flask_init(const void *policy_buffer, size_t policy_size)
-{
-}
-#endif
-
-#ifdef CONFIG_XSM_FLASK_POLICY
-extern const unsigned char xsm_flask_init_policy[];
-extern const unsigned int xsm_flask_init_policy_size;
-#endif
-
-#ifdef CONFIG_XSM_SILO
-extern void silo_init(void);
-#else
-static inline void silo_init(void) {}
-#endif
-
#else /* CONFIG_XSM */
#include <xsm/dummy.h>
-#ifdef CONFIG_MULTIBOOT
-static inline int xsm_multiboot_init (unsigned long *module_map,
- const multiboot_info_t *mbi)
-{
- return 0;
-}
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-static inline int xsm_dt_init(void)
-{
- return 0;
-}
-
-static inline bool has_xsm_magic(paddr_t start)
-{
- return false;
-}
-#endif /* CONFIG_HAS_DEVICE_TREE */
-
#endif /* CONFIG_XSM */
#endif /* __XSM_H */
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 066694763a..de4d6cf2cf 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -10,7 +10,6 @@
* as published by the Free Software Foundation.
*/
-#define XSM_NO_WRAPPERS
#include <xsm/dummy.h>
#define set_to_dummy_if_null(ops, function) \
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index fc2ca5cd2d..b96dacd181 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,7 +17,6 @@
* You should have received a copy of the GNU General Public License along with
* this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#define XSM_NO_WRAPPERS
#include <xsm/dummy.h>
/*
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
2021-06-17 23:39 ` [PATCH 2/6] xsm: decouple xsm header inclusion selection Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-18 11:53 ` Andrew Cooper
2021-06-18 12:26 ` Jan Beulich
2021-06-17 23:39 ` [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions Daniel P. Smith
` (3 subsequent siblings)
6 siblings, 2 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
is whether the XSM hooks in dummy.h are called as static inline functions or as function
pointers to static functions. As such this commit,
* eliminates CONFIG_XSM
* introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
* makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/common/Kconfig | 55 ++++-----
xen/include/xen/sched.h | 2 +-
xen/include/xsm/xsm-core.h | 26 ----
xen/include/xsm/xsm.h | 8 --
xen/xsm/Makefile | 4 +-
xen/xsm/dummy.c | 4 +-
xen/{include => }/xsm/dummy.h | 220 ++++++++++++++++------------------
xen/xsm/silo.c | 17 +--
xen/xsm/xsm_core.c | 4 -
9 files changed, 142 insertions(+), 198 deletions(-)
rename xen/{include => }/xsm/dummy.h (63%)
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 0ddd18e11a..203ad7ea23 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -197,22 +197,33 @@ config XENOPROF
If unsure, say Y.
-config XSM
- bool "Xen Security Modules support"
- default ARM
- ---help---
- Enables the security framework known as Xen Security Modules which
- allows administrators fine-grained control over a Xen domain and
- its capabilities by defining permissible interactions between domains,
- the hypervisor itself, and related resources such as memory and
- devices.
+menu "Xen Security Modules"
- If unsure, say N.
+choice
+ prompt "Default XSM module"
+ default XSM_SILO_DEFAULT if XSM_SILO && ARM
+ default XSM_FLASK_DEFAULT if XSM_FLASK
+ default XSM_SILO_DEFAULT if XSM_SILO
+ default XSM_DUMMY_DEFAULT
+ config XSM_DUMMY_DEFAULT
+ bool "Match non-XSM behavior"
+ config XSM_FLASK_DEFAULT
+ bool "FLux Advanced Security Kernel" if XSM_FLASK
+ config XSM_SILO_DEFAULT
+ bool "SILO" if XSM_SILO
+endchoice
+
+config XSM_EVTCHN_LABELING
+ bool "Enables security labeling of event channels"
+ default n
+ ---help---
+ This enables an XSM module to label and enforce access control over
+ event channels.
config XSM_FLASK
- def_bool y
+ def_bool n
prompt "FLux Advanced Security Kernel support"
- depends on XSM
+ select XSM_EVTCHN_LABELING
---help---
Enables FLASK (FLux Advanced Security Kernel) as the access control
mechanism used by the XSM framework. This provides a mandatory access
@@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
If unsure, say Y.
config XSM_SILO
- def_bool y
+ def_bool n
prompt "SILO support"
- depends on XSM
---help---
Enables SILO as the access control mechanism used by the XSM framework.
This is not the default module, add boot parameter xsm=silo to choose
@@ -261,25 +271,12 @@ config XSM_SILO
If unsure, say Y.
-choice
- prompt "Default XSM implementation"
- depends on XSM
- default XSM_SILO_DEFAULT if XSM_SILO && ARM
- default XSM_FLASK_DEFAULT if XSM_FLASK
- default XSM_SILO_DEFAULT if XSM_SILO
- default XSM_DUMMY_DEFAULT
- config XSM_DUMMY_DEFAULT
- bool "Match non-XSM behavior"
- config XSM_FLASK_DEFAULT
- bool "FLux Advanced Security Kernel" if XSM_FLASK
- config XSM_SILO_DEFAULT
- bool "SILO" if XSM_SILO
-endchoice
+endmenu
config LATE_HWDOM
bool "Dedicated hardware domain"
default n
- depends on XSM && X86
+ depends on XSM_FLASK && X86
---help---
Allows the creation of a dedicated hardware domain distinct from
domain 0 that manages devices without needing access to other
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 3982167144..e92d2cdeab 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -120,7 +120,7 @@ struct evtchn
unsigned short notify_vcpu_id; /* VCPU for local delivery notification */
uint32_t fifo_lastq; /* Data for identifying last queue. */
-#ifdef CONFIG_XSM
+#ifdef CONFIG_XSM_EVTCHN_LABELING
union {
#ifdef XSM_NEED_GENERIC_EVTCHN_SSID
/*
diff --git a/xen/include/xsm/xsm-core.h b/xen/include/xsm/xsm-core.h
index 5297c73fe6..e3718bc62d 100644
--- a/xen/include/xsm/xsm-core.h
+++ b/xen/include/xsm/xsm-core.h
@@ -189,8 +189,6 @@ struct xsm_operations {
#endif
};
-#ifdef CONFIG_XSM
-
#ifdef CONFIG_MULTIBOOT
extern int xsm_multiboot_init(unsigned long *module_map,
const multiboot_info_t *mbi);
@@ -235,28 +233,4 @@ extern void silo_init(void);
static inline void silo_init(void) {}
#endif
-#else /* CONFIG_XSM */
-
-#ifdef CONFIG_MULTIBOOT
-static inline int xsm_multiboot_init (unsigned long *module_map,
- const multiboot_info_t *mbi)
-{
- return 0;
-}
-#endif
-
-#ifdef CONFIG_HAS_DEVICE_TREE
-static inline int xsm_dt_init(void)
-{
- return 0;
-}
-
-static inline bool has_xsm_magic(paddr_t start)
-{
- return false;
-}
-#endif /* CONFIG_HAS_DEVICE_TREE */
-
-#endif /* CONFIG_XSM */
-
#endif /* __XSM_CORE_H */
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index ecbdee2c7d..69f68300e2 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -22,8 +22,6 @@
#include <xen/multiboot.h>
#include <xsm/xsm-core.h>
-#ifdef CONFIG_XSM
-
extern struct xsm_operations xsm_ops;
static inline void xsm_security_domaininfo (struct domain *d,
@@ -559,10 +557,4 @@ static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
#endif /* CONFIG_ARGO */
-#else /* CONFIG_XSM */
-
-#include <xsm/dummy.h>
-
-#endif /* CONFIG_XSM */
-
#endif /* __XSM_H */
diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile
index cf0a728f1c..0059794dd5 100644
--- a/xen/xsm/Makefile
+++ b/xen/xsm/Makefile
@@ -1,6 +1,6 @@
obj-y += xsm_core.o
-obj-$(CONFIG_XSM) += xsm_policy.o
-obj-$(CONFIG_XSM) += dummy.o
+obj-y += xsm_policy.o
+obj-y += dummy.o
obj-$(CONFIG_XSM_SILO) += silo.o
obj-$(CONFIG_XSM_FLASK) += flask/
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index de4d6cf2cf..bfd8b96f08 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -10,12 +10,12 @@
* as published by the Free Software Foundation.
*/
-#include <xsm/dummy.h>
+#include "dummy.h"
#define set_to_dummy_if_null(ops, function) \
do { \
if ( !ops->function ) \
- ops->function = xsm_##function; \
+ ops->function = dummy_##function; \
} while (0)
void __init xsm_fixup_ops (struct xsm_operations *ops)
diff --git a/xen/include/xsm/dummy.h b/xen/xsm/dummy.h
similarity index 63%
rename from xen/include/xsm/dummy.h
rename to xen/xsm/dummy.h
index c445c5681b..7e2bb09dac 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -42,12 +42,10 @@ static inline void __xsm_action_mismatch_detected(void)
void __xsm_action_mismatch_detected(void);
#endif
-#ifdef CONFIG_XSM
-
-/* In CONFIG_XSM builds, this header file is included from xsm/dummy.c, and
- * contains static (not inline) functions compiled to the dummy XSM module.
- * There is no xsm_default_t argument available, so the value from the assertion
- * is used to initialize the variable.
+/* This header file is included from xsm/dummy.c, and contains static (not
+ * inline) functions compiled to the dummy XSM module. There is no
+ * xsm_default_t argument available, so the value from the assertion is used to
+ * initialize the variable.
*/
#define XSM_INLINE __maybe_unused
@@ -55,20 +53,6 @@ void __xsm_action_mismatch_detected(void);
#define XSM_DEFAULT_VOID void
#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
-#else /* CONFIG_XSM */
-
-/* In !CONFIG_XSM builds, this header file is included from xsm/xsm.h, and
- * contains inline functions for each XSM hook. These functions also perform
- * compile-time checks on the xsm_default_t argument to ensure that the behavior
- * of the dummy XSM module is the same as the behavior with XSM disabled.
- */
-#define XSM_INLINE always_inline
-#define XSM_DEFAULT_ARG xsm_default_t action,
-#define XSM_DEFAULT_VOID xsm_default_t action
-#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action)
-
-#endif /* CONFIG_XSM */
-
static always_inline int xsm_default_action(
xsm_default_t action, struct domain *src, struct domain *target)
{
@@ -98,43 +82,43 @@ static always_inline int xsm_default_action(
}
}
-static XSM_INLINE void xsm_security_domaininfo(struct domain *d,
+static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
struct xen_domctl_getdomaininfo *info)
{
return;
}
-static XSM_INLINE int xsm_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
+static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
+static XSM_INLINE int dummy_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
+static XSM_INLINE int dummy_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( cmd )
@@ -151,85 +135,85 @@ static XSM_INLINE int xsm_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
}
}
-static XSM_INLINE int xsm_sysctl(XSM_DEFAULT_ARG int cmd)
+static XSM_INLINE int dummy_sysctl(XSM_DEFAULT_ARG int cmd)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_readconsole(XSM_DEFAULT_ARG uint32_t clear)
+static XSM_INLINE int dummy_readconsole(XSM_DEFAULT_ARG uint32_t clear)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_alloc_security_domain(struct domain *d)
+static XSM_INLINE int dummy_alloc_security_domain(struct domain *d)
{
return 0;
}
-static XSM_INLINE void xsm_free_security_domain(struct domain *d)
+static XSM_INLINE void dummy_free_security_domain(struct domain *d)
{
return;
}
-static XSM_INLINE int xsm_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
+static XSM_INLINE int dummy_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
uint32_t flags)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
+static XSM_INLINE int dummy_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_OTHER);
if ( d->is_console )
@@ -241,129 +225,129 @@ static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
return xsm_default_action(XSM_PRIV, d, NULL);
}
-static XSM_INLINE int xsm_profile(XSM_DEFAULT_ARG struct domain *d, int op)
+static XSM_INLINE int dummy_profile(XSM_DEFAULT_ARG struct domain *d, int op)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int xsm_kexec(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_kexec(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
+static XSM_INLINE int dummy_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
struct page_info *page)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_claim_pages(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
+static XSM_INLINE int dummy_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
domid_t id2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
+static XSM_INLINE int dummy_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
*chan1, struct domain *d2, struct evtchn *chan2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE void xsm_evtchn_close_post(struct evtchn *chn)
+static XSM_INLINE void dummy_evtchn_close_post(struct evtchn *chn)
{
return;
}
-static XSM_INLINE int xsm_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static XSM_INLINE int dummy_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int xsm_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static XSM_INLINE int dummy_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_alloc_security_evtchns(
+static XSM_INLINE int dummy_alloc_security_evtchns(
struct evtchn chn[], unsigned int nr)
{
return 0;
}
-static XSM_INLINE void xsm_free_security_evtchns(
+static XSM_INLINE void dummy_free_security_evtchns(
struct evtchn chn[], unsigned int nr)
{
return;
}
-static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct evtchn *chn)
+static XSM_INLINE char *dummy_show_security_evtchn(struct domain *d, const struct evtchn *chn)
{
return NULL;
}
-static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static XSM_INLINE int xsm_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static XSM_INLINE int dummy_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
@@ -372,14 +356,14 @@ static XSM_INLINE int xsm_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint
#endif /* HAS_PASSTHROUGH && HAS_PCI */
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static XSM_INLINE int xsm_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
const char *dtpath)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
const char *dtpath)
{
XSM_ASSERT_ACTION(XSM_HOOK);
@@ -388,134 +372,134 @@ static XSM_INLINE int xsm_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
-static XSM_INLINE int xsm_resource_plug_core(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_plug_core(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_unplug_core(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static XSM_INLINE int dummy_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
+static XSM_INLINE int dummy_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_resource_setup_misc(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
+static XSM_INLINE int dummy_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_hypfs_op(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_hypfs_op(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE long xsm_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static XSM_INLINE long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return -ENOSYS;
}
#ifdef CONFIG_COMPAT
-static XSM_INLINE int xsm_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static XSM_INLINE int dummy_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return -ENOSYS;
}
#endif
-static XSM_INLINE char *xsm_show_irq_sid(int irq)
+static XSM_INLINE char *dummy_show_irq_sid(int irq)
{
return NULL;
}
-static XSM_INLINE int xsm_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
int irq, const void *data)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static XSM_INLINE int dummy_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static XSM_INLINE int dummy_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
+static XSM_INLINE int dummy_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
int irq, const void *data)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
+static XSM_INLINE int dummy_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static XSM_INLINE int dummy_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static XSM_INLINE int dummy_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
+static XSM_INLINE int dummy_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
uint16_t start, uint16_t end,
uint8_t access)
{
@@ -523,43 +507,43 @@ static XSM_INLINE int xsm_pci_config_permission(XSM_DEFAULT_ARG struct domain *d
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static XSM_INLINE int dummy_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static XSM_INLINE int dummy_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, t);
}
-static XSM_INLINE int xsm_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static XSM_INLINE int dummy_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static XSM_INLINE int dummy_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
+static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
@@ -578,14 +562,14 @@ static XSM_INLINE int xsm_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uin
}
}
-static XSM_INLINE int xsm_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
+static XSM_INLINE int dummy_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#ifdef CONFIG_MEM_ACCESS
-static XSM_INLINE int xsm_mem_access(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
@@ -593,7 +577,7 @@ static XSM_INLINE int xsm_mem_access(XSM_DEFAULT_ARG struct domain *d)
#endif
#ifdef CONFIG_MEM_PAGING
-static XSM_INLINE int xsm_mem_paging(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
@@ -601,57 +585,57 @@ static XSM_INLINE int xsm_mem_paging(XSM_DEFAULT_ARG struct domain *d)
#endif
#ifdef CONFIG_MEM_SHARING
-static XSM_INLINE int xsm_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#endif
-static XSM_INLINE int xsm_platform_op(XSM_DEFAULT_ARG uint32_t op)
+static XSM_INLINE int dummy_platform_op(XSM_DEFAULT_ARG uint32_t op)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
#ifdef CONFIG_X86
-static XSM_INLINE int xsm_do_mca(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_do_mca(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
+static XSM_INLINE int dummy_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
+static XSM_INLINE int dummy_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, cd);
}
-static XSM_INLINE int xsm_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static XSM_INLINE int dummy_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int xsm_machine_memory_map(XSM_DEFAULT_VOID)
+static XSM_INLINE int dummy_machine_memory_map(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
+static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
struct domain *f, uint32_t flags)
{
int rc = 0;
@@ -663,38 +647,38 @@ static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct do
return rc;
}
-static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
+static XSM_INLINE int dummy_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, f);
}
-static XSM_INLINE int xsm_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f,
+static XSM_INLINE int dummy_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f,
l1_pgentry_t pte)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, f);
}
-static XSM_INLINE int xsm_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static XSM_INLINE int dummy_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, t);
}
-static XSM_INLINE int xsm_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static XSM_INLINE int dummy_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static XSM_INLINE int dummy_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int xsm_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
+static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
@@ -711,30 +695,30 @@ static XSM_INLINE int xsm_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int
#endif /* CONFIG_X86 */
-static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_dm_op(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#ifdef CONFIG_ARGO
-static XSM_INLINE int xsm_argo_enable(const struct domain *d)
+static XSM_INLINE int dummy_argo_enable(const struct domain *d)
{
return 0;
}
-static XSM_INLINE int xsm_argo_register_single_source(const struct domain *d,
+static XSM_INLINE int dummy_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
return 0;
}
-static XSM_INLINE int xsm_argo_register_any_source(const struct domain *d)
+static XSM_INLINE int dummy_argo_register_any_source(const struct domain *d)
{
return 0;
}
-static XSM_INLINE int xsm_argo_send(const struct domain *d,
+static XSM_INLINE int dummy_argo_send(const struct domain *d,
const struct domain *t)
{
return 0;
@@ -743,7 +727,7 @@ static XSM_INLINE int xsm_argo_send(const struct domain *d,
#endif /* CONFIG_ARGO */
#include <public/version.h>
-static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op)
+static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
@@ -767,7 +751,7 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op)
}
}
-static XSM_INLINE int xsm_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
+static XSM_INLINE int dummy_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index b96dacd181..ebe5814efc 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,7 +17,8 @@
* You should have received a copy of the GNU General Public License along with
* this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#include <xsm/dummy.h>
+#include <xsm/xsm-core.h>
+#include "dummy.h"
/*
* Check if inter-domain communication is allowed.
@@ -43,7 +44,7 @@ static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
else
{
if ( silo_mode_dom_check(d1, d2) )
- rc = xsm_evtchn_unbound(d1, chn, id2);
+ rc = dummy_evtchn_unbound(d1, chn, id2);
rcu_unlock_domain(d2);
}
@@ -54,7 +55,7 @@ static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
struct domain *d2, struct evtchn *chan2)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_evtchn_interdomain(d1, chan1, d2, chan2);
+ return dummy_evtchn_interdomain(d1, chan1, d2, chan2);
return -EPERM;
}
@@ -62,21 +63,21 @@ static int silo_grant_mapref(struct domain *d1, struct domain *d2,
uint32_t flags)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_grant_mapref(d1, d2, flags);
+ return dummy_grant_mapref(d1, d2, flags);
return -EPERM;
}
static int silo_grant_transfer(struct domain *d1, struct domain *d2)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_grant_transfer(d1, d2);
+ return dummy_grant_transfer(d1, d2);
return -EPERM;
}
static int silo_grant_copy(struct domain *d1, struct domain *d2)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_grant_copy(d1, d2);
+ return dummy_grant_copy(d1, d2);
return -EPERM;
}
@@ -86,14 +87,14 @@ static int silo_argo_register_single_source(const struct domain *d1,
const struct domain *d2)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_argo_register_single_source(d1, d2);
+ return dummy_argo_register_single_source(d1, d2);
return -EPERM;
}
static int silo_argo_send(const struct domain *d1, const struct domain *d2)
{
if ( silo_mode_dom_check(d1, d2) )
- return xsm_argo_send(d1, d2);
+ return dummy_argo_send(d1, d2);
return -EPERM;
}
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index acc1af7166..a51dc6f7dd 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -18,8 +18,6 @@
#include <xen/hypercall.h>
#include <xsm/xsm.h>
-#ifdef CONFIG_XSM
-
#ifdef CONFIG_MULTIBOOT
#include <asm/setup.h>
#endif
@@ -223,8 +221,6 @@ int __init register_xsm(struct xsm_operations *ops)
return 0;
}
-#endif
-
long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return xsm_do_xsm_op(op);
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
` (2 preceding siblings ...)
2021-06-17 23:39 ` [PATCH 3/6] xsm: enabling xsm to always be included Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-18 11:56 ` Andrew Cooper
2021-06-18 12:32 ` Jan Beulich
2021-06-17 23:39 ` [PATCH 5/6] xsm: expanding function related macros in dummy.h Daniel P. Smith
` (2 subsequent siblings)
6 siblings, 2 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
With the conversion of making XSM always enabled even the dummy XSM module is
being invoked through the xsm_ops dispatch which does not use passing of the
default privilege. This commit removes the xen_default_t parameter from the hook
definitions and all the respective call sites.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/arch/arm/dm.c | 2 +-
xen/arch/arm/domctl.c | 6 +-
xen/arch/arm/hvm.c | 2 +-
xen/arch/arm/mm.c | 2 +-
xen/arch/arm/platform_hypercall.c | 2 +-
xen/arch/x86/cpu/mcheck/mce.c | 2 +-
xen/arch/x86/cpu/vpmu.c | 2 +-
xen/arch/x86/domctl.c | 8 +-
xen/arch/x86/hvm/dm.c | 2 +-
xen/arch/x86/hvm/hvm.c | 12 +-
xen/arch/x86/irq.c | 5 +-
xen/arch/x86/mm.c | 20 +--
xen/arch/x86/mm/mem_paging.c | 2 +-
xen/arch/x86/mm/mem_sharing.c | 9 +-
xen/arch/x86/mm/p2m.c | 2 +-
xen/arch/x86/mm/paging.c | 4 +-
xen/arch/x86/mm/shadow/set.c | 2 +-
xen/arch/x86/msi.c | 3 +-
xen/arch/x86/pci.c | 2 +-
xen/arch/x86/physdev.c | 17 ++-
xen/arch/x86/platform_hypercall.c | 10 +-
xen/arch/x86/pv/emul-priv-op.c | 2 +-
xen/arch/x86/sysctl.c | 4 +-
xen/common/domain.c | 4 +-
xen/common/domctl.c | 12 +-
xen/common/event_channel.c | 12 +-
xen/common/grant_table.c | 16 +--
xen/common/hypfs.c | 2 +-
xen/common/kernel.c | 2 +-
xen/common/kexec.c | 2 +-
xen/common/mem_access.c | 2 +-
xen/common/memory.c | 16 +--
xen/common/monitor.c | 2 +-
xen/common/sched/core.c | 6 +-
xen/common/sysctl.c | 8 +-
xen/common/vm_event.c | 2 +-
xen/common/xenoprof.c | 2 +-
xen/drivers/char/console.c | 2 +-
xen/drivers/passthrough/device_tree.c | 4 +-
xen/drivers/passthrough/pci.c | 12 +-
xen/include/xsm/xsm.h | 172 +++++++++++++-------------
41 files changed, 197 insertions(+), 203 deletions(-)
diff --git a/xen/arch/arm/dm.c b/xen/arch/arm/dm.c
index 1b3fd6bc7d..c8b89c8f47 100644
--- a/xen/arch/arm/dm.c
+++ b/xen/arch/arm/dm.c
@@ -45,7 +45,7 @@ int dm_op(const struct dmop_args *op_args)
if ( rc )
return rc;
- rc = xsm_dm_op(XSM_DM_PRIV, d);
+ rc = xsm_dm_op(d);
if ( rc )
goto out;
diff --git a/xen/arch/arm/domctl.c b/xen/arch/arm/domctl.c
index b7d27f37df..e7202703ee 100644
--- a/xen/arch/arm/domctl.c
+++ b/xen/arch/arm/domctl.c
@@ -95,11 +95,11 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d,
* done by the 2 hypercalls for consistency with other
* architectures.
*/
- rc = xsm_map_domain_irq(XSM_HOOK, d, irq, NULL);
+ rc = xsm_map_domain_irq(d, irq, NULL);
if ( rc )
return rc;
- rc = xsm_bind_pt_irq(XSM_HOOK, d, bind);
+ rc = xsm_bind_pt_irq(d, bind);
if ( rc )
return rc;
@@ -130,7 +130,7 @@ long arch_do_domctl(struct xen_domctl *domctl, struct domain *d,
if ( irq != virq )
return -EINVAL;
- rc = xsm_unbind_pt_irq(XSM_HOOK, d, bind);
+ rc = xsm_unbind_pt_irq(d, bind);
if ( rc )
return rc;
diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
index 8951b34086..cf4bd9ae09 100644
--- a/xen/arch/arm/hvm.c
+++ b/xen/arch/arm/hvm.c
@@ -101,7 +101,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -ESRCH;
- rc = xsm_hvm_param(XSM_TARGET, d, op);
+ rc = xsm_hvm_param(d, op);
if ( rc )
goto param_fail;
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 0e07335291..a256c89b62 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1446,7 +1446,7 @@ int xenmem_add_to_physmap_one(
return -EINVAL;
}
- rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od);
+ rc = xsm_map_gmfn_foreign(d, od);
if ( rc )
{
put_pg_owner(od);
diff --git a/xen/arch/arm/platform_hypercall.c b/xen/arch/arm/platform_hypercall.c
index 8efac7ee60..52985f8a51 100644
--- a/xen/arch/arm/platform_hypercall.c
+++ b/xen/arch/arm/platform_hypercall.c
@@ -33,7 +33,7 @@ long do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
if ( d == NULL )
return -ESRCH;
- ret = xsm_platform_op(XSM_PRIV, op->cmd);
+ ret = xsm_platform_op(op->cmd);
if ( ret )
return ret;
diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c
index 7f433343bc..58beb96663 100644
--- a/xen/arch/x86/cpu/mcheck/mce.c
+++ b/xen/arch/x86/cpu/mcheck/mce.c
@@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
struct xen_mc_msrinject *mc_msrinject;
struct xen_mc_mceinject *mc_mceinject;
- ret = xsm_do_mca(XSM_PRIV);
+ ret = xsm_do_mca();
if ( ret )
return x86_mcerr("", ret);
diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
index 16e91a3694..34b536417b 100644
--- a/xen/arch/x86/cpu/vpmu.c
+++ b/xen/arch/x86/cpu/vpmu.c
@@ -706,7 +706,7 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
if ( !opt_vpmu_enabled || has_vlapic(current->domain) )
return -EOPNOTSUPP;
- ret = xsm_pmu_op(XSM_OTHER, current->domain, op);
+ ret = xsm_pmu_op(current->domain, op);
if ( ret )
return ret;
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 26a76d2be9..8343c59e83 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -234,7 +234,7 @@ long arch_do_domctl(
if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS )
ret = -EINVAL;
else if ( !ioports_access_permitted(currd, fp, fp + np - 1) ||
- xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
+ xsm_ioport_permission(d, fp, fp + np - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = ioports_permit_access(d, fp, fp + np - 1);
@@ -534,7 +534,7 @@ long arch_do_domctl(
if ( !is_hvm_domain(d) )
break;
- ret = xsm_bind_pt_irq(XSM_HOOK, d, bind);
+ ret = xsm_bind_pt_irq(d, bind);
if ( ret )
break;
@@ -569,7 +569,7 @@ long arch_do_domctl(
if ( irq <= 0 || !irq_access_permitted(currd, irq) )
break;
- ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind);
+ ret = xsm_unbind_pt_irq(d, bind);
if ( ret )
break;
@@ -616,7 +616,7 @@ long arch_do_domctl(
if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) )
break;
- ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add);
+ ret = xsm_ioport_mapping(d, fmp, fmp + np - 1, add);
if ( ret )
break;
diff --git a/xen/arch/x86/hvm/dm.c b/xen/arch/x86/hvm/dm.c
index b60b9f3364..6f996371b9 100644
--- a/xen/arch/x86/hvm/dm.c
+++ b/xen/arch/x86/hvm/dm.c
@@ -370,7 +370,7 @@ int dm_op(const struct dmop_args *op_args)
if ( !is_hvm_domain(d) )
goto out;
- rc = xsm_dm_op(XSM_DM_PRIV, d);
+ rc = xsm_dm_op(d);
if ( rc )
goto out;
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 5086773e5c..c1b0d6fca8 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4080,7 +4080,7 @@ static int hvm_allow_set_param(struct domain *d,
uint64_t value;
int rc;
- rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_set_param);
+ rc = xsm_hvm_param(d, HVMOP_set_param);
if ( rc )
return rc;
@@ -4227,7 +4227,7 @@ static int hvm_set_param(struct domain *d, uint32_t index, uint64_t value)
rc = pmtimer_change_ioport(d, value);
break;
case HVM_PARAM_ALTP2M:
- rc = xsm_hvm_param_altp2mhvm(XSM_PRIV, d);
+ rc = xsm_hvm_param_altp2mhvm(d);
if ( rc )
break;
if ( (value > XEN_ALTP2M_limited) ||
@@ -4356,7 +4356,7 @@ static int hvm_allow_get_param(struct domain *d,
{
int rc;
- rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_get_param);
+ rc = xsm_hvm_param(d, HVMOP_get_param);
if ( rc )
return rc;
@@ -4566,7 +4566,7 @@ static int do_altp2m_op(
goto out;
}
- if ( (rc = xsm_hvm_altp2mhvm_op(XSM_OTHER, d, mode, a.cmd)) )
+ if ( (rc = xsm_hvm_altp2mhvm_op(d, mode, a.cmd)) )
goto out;
switch ( a.cmd )
@@ -4947,7 +4947,7 @@ static int hvmop_get_mem_type(
if ( d == NULL )
return -ESRCH;
- rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_get_mem_type);
+ rc = xsm_hvm_param(d, HVMOP_get_mem_type);
if ( rc )
goto out;
@@ -5040,7 +5040,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( unlikely(d != current->domain) )
rc = -EOPNOTSUPP;
else if ( is_hvm_domain(d) && paging_mode_shadow(d) )
- rc = xsm_hvm_param(XSM_TARGET, d, op);
+ rc = xsm_hvm_param(d, op);
if ( !rc )
pagetable_dying(a.gpa);
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index a1693f92dd..9f79ec1b86 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2122,7 +2122,7 @@ int map_domain_pirq(
return 0;
}
- ret = xsm_map_domain_irq(XSM_HOOK, d, irq, data);
+ ret = xsm_map_domain_irq(d, irq, data);
if ( ret )
{
dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d mapping to pirq %d\n",
@@ -2342,8 +2342,7 @@ int unmap_domain_pirq(struct domain *d, int pirq)
nr = msi_desc->msi.nvec;
}
- ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq,
- msi_desc ? msi_desc->dev : NULL);
+ ret = xsm_unmap_domain_irq(d, irq, msi_desc ? msi_desc->dev : NULL);
if ( ret )
goto done;
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 4d799032dc..33d0aa8d4b 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -977,7 +977,7 @@ get_page_from_l1e(
* minor hack can go away.
*/
if ( (real_pg_owner == NULL) || (pg_owner == l1e_owner) ||
- xsm_priv_mapping(XSM_TARGET, pg_owner, real_pg_owner) )
+ xsm_priv_mapping(pg_owner, real_pg_owner) )
{
gdprintk(XENLOG_WARNING,
"pg_owner d%d l1e_owner d%d, but real_pg_owner d%d\n",
@@ -3407,7 +3407,7 @@ long do_mmuext_op(
return -EINVAL;
}
- rc = xsm_mmuext_op(XSM_TARGET, currd, pg_owner);
+ rc = xsm_mmuext_op(currd, pg_owner);
if ( rc )
{
put_pg_owner(pg_owner);
@@ -3497,7 +3497,7 @@ long do_mmuext_op(
break;
}
- rc = xsm_memory_pin_page(XSM_HOOK, currd, pg_owner, page);
+ rc = xsm_memory_pin_page(currd, pg_owner, page);
if ( !rc && unlikely(test_and_set_bit(_PGT_pinned,
&page->u.inuse.type_info)) )
{
@@ -4006,7 +4006,7 @@ long do_mmu_update(
}
if ( xsm_needed != xsm_checked )
{
- rc = xsm_mmu_update(XSM_TARGET, d, pt_owner, pg_owner, xsm_needed);
+ rc = xsm_mmu_update(d, pt_owner, pg_owner, xsm_needed);
if ( rc )
break;
xsm_checked = xsm_needed;
@@ -4142,7 +4142,7 @@ long do_mmu_update(
xsm_needed |= XSM_MMU_MACHPHYS_UPDATE;
if ( xsm_needed != xsm_checked )
{
- rc = xsm_mmu_update(XSM_TARGET, d, NULL, pg_owner, xsm_needed);
+ rc = xsm_mmu_update(d, NULL, pg_owner, xsm_needed);
if ( rc )
break;
xsm_checked = xsm_needed;
@@ -4391,7 +4391,7 @@ static int __do_update_va_mapping(
perfc_incr(calls_to_update_va);
- rc = xsm_update_va_mapping(XSM_TARGET, d, pg_owner, val);
+ rc = xsm_update_va_mapping(d, pg_owner, val);
if ( rc )
return rc;
@@ -4630,7 +4630,7 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -ESRCH;
- rc = xsm_domain_memory_map(XSM_TARGET, d);
+ rc = xsm_domain_memory_map(d);
if ( rc )
{
rcu_unlock_domain(d);
@@ -4697,7 +4697,7 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
unsigned int i;
bool store;
- rc = xsm_machine_memory_map(XSM_PRIV);
+ rc = xsm_machine_memory_map();
if ( rc )
return rc;
@@ -4787,9 +4787,9 @@ long arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
return -ESRCH;
if ( cmd == XENMEM_set_pod_target )
- rc = xsm_set_pod_target(XSM_PRIV, d);
+ rc = xsm_set_pod_target(d);
else
- rc = xsm_get_pod_target(XSM_PRIV, d);
+ rc = xsm_get_pod_target(d);
if ( rc != 0 )
goto pod_target_out_unlock;
diff --git a/xen/arch/x86/mm/mem_paging.c b/xen/arch/x86/mm/mem_paging.c
index 01281f786e..073edb9499 100644
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -452,7 +452,7 @@ int mem_paging_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_paging_op_t) arg)
if ( rc )
return rc;
- rc = xsm_mem_paging(XSM_DM_PRIV, d);
+ rc = xsm_mem_paging(d);
if ( rc )
goto out;
diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 98b14f7b0a..db5f5ce8b5 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1883,7 +1883,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
if ( rc )
return rc;
- rc = xsm_mem_sharing(XSM_DM_PRIV, d);
+ rc = xsm_mem_sharing(d);
if ( rc )
goto out;
@@ -1928,7 +1928,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
if ( rc )
goto out;
- rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd, mso.op);
+ rc = xsm_mem_sharing_op(d, cd, mso.op);
if ( rc )
{
rcu_unlock_domain(cd);
@@ -1994,7 +1994,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
if ( rc )
goto out;
- rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd, mso.op);
+ rc = xsm_mem_sharing_op(d, cd, mso.op);
if ( rc )
{
rcu_unlock_domain(cd);
@@ -2056,8 +2056,7 @@ int mem_sharing_memop(XEN_GUEST_HANDLE_PARAM(xen_mem_sharing_op_t) arg)
* We reuse XENMEM_sharing_op_share XSM check here as this is
* essentially the same concept repeated over multiple pages.
*/
- rc = xsm_mem_sharing_op(XSM_DM_PRIV, d, cd,
- XENMEM_sharing_op_share);
+ rc = xsm_mem_sharing_op(d, cd, XENMEM_sharing_op_share);
if ( rc )
{
rcu_unlock_domain(cd);
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index dbb1cbeb59..5cee9f5a1d 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2637,7 +2637,7 @@ static int p2m_add_foreign(struct domain *tdom, unsigned long fgfn,
goto out;
}
- rc = xsm_map_gmfn_foreign(XSM_TARGET, tdom, fdom);
+ rc = xsm_map_gmfn_foreign(tdom, fdom);
if ( rc )
goto out;
diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index c304c24526..86a1ec5b80 100644
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -714,7 +714,7 @@ int paging_domctl(struct domain *d, struct xen_domctl_shadow_op *sc,
return -EBUSY;
}
- rc = xsm_shadow_control(XSM_HOOK, d, sc->op);
+ rc = xsm_shadow_control(d, sc->op);
if ( rc )
return rc;
@@ -771,7 +771,7 @@ long paging_domctl_continuation(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
if ( d == NULL )
return -ESRCH;
- ret = xsm_domctl(XSM_OTHER, d, op.cmd);
+ ret = xsm_domctl(d, op.cmd);
if ( !ret )
{
if ( domctl_lock_acquire() )
diff --git a/xen/arch/x86/mm/shadow/set.c b/xen/arch/x86/mm/shadow/set.c
index 87e9c6eeb2..e7433ac81b 100644
--- a/xen/arch/x86/mm/shadow/set.c
+++ b/xen/arch/x86/mm/shadow/set.c
@@ -117,7 +117,7 @@ shadow_get_page_from_l1e(shadow_l1e_t sl1e, struct domain *d, p2m_type_t type)
* not own, we let it succeed anyway.
*/
if ( owner && (d != owner) &&
- !(res = xsm_priv_mapping(XSM_TARGET, d, owner)) )
+ !(res = xsm_priv_mapping(d, owner)) )
{
res = get_page_from_l1e(sl1e, d, owner);
SHADOW_PRINTK("privileged %pd installs map of %pd's mfn %"PRI_mfn": %s\n",
diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
index 5febc0ea4b..f821d145e5 100644
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1310,8 +1310,7 @@ int pci_restore_msi_state(struct pci_dev *pdev)
if ( !use_msi )
return -EOPNOTSUPP;
- ret = xsm_resource_setup_pci(XSM_PRIV,
- (pdev->seg << 16) | (pdev->bus << 8) |
+ ret = xsm_resource_setup_pci((pdev->seg << 16) | (pdev->bus << 8) |
pdev->devfn);
if ( ret )
return ret;
diff --git a/xen/arch/x86/pci.c b/xen/arch/x86/pci.c
index a9decd4f33..d5886c59e6 100644
--- a/xen/arch/x86/pci.c
+++ b/xen/arch/x86/pci.c
@@ -74,7 +74,7 @@ int pci_conf_write_intercept(unsigned int seg, unsigned int bdf,
uint32_t *data)
{
struct pci_dev *pdev;
- int rc = xsm_pci_config_permission(XSM_HOOK, current->domain, bdf,
+ int rc = xsm_pci_config_permission(current->domain, bdf,
reg, reg + size - 1, 1);
if ( rc < 0 )
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index 23465bcd00..3f2a2035c5 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -110,7 +110,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index, int *pirq_p,
if ( d == NULL )
return -ESRCH;
- ret = xsm_map_domain_pirq(XSM_DM_PRIV, d);
+ ret = xsm_map_domain_pirq(d);
if ( ret )
goto free_domain;
@@ -148,7 +148,7 @@ int physdev_unmap_pirq(domid_t domid, int pirq)
return -ESRCH;
if ( domid != DOMID_SELF || !is_hvm_domain(d) || !has_pirq(d) )
- ret = xsm_unmap_domain_pirq(XSM_DM_PRIV, d);
+ ret = xsm_unmap_domain_pirq(d);
if ( ret )
goto free_domain;
@@ -355,7 +355,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
ret = -EFAULT;
if ( copy_from_guest(&apic, arg, 1) != 0 )
break;
- ret = xsm_apic(XSM_PRIV, currd, cmd);
+ ret = xsm_apic(currd, cmd);
if ( ret )
break;
ret = ioapic_guest_read(apic.apic_physbase, apic.reg, &apic.value);
@@ -369,7 +369,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
ret = -EFAULT;
if ( copy_from_guest(&apic, arg, 1) != 0 )
break;
- ret = xsm_apic(XSM_PRIV, currd, cmd);
+ ret = xsm_apic(currd, cmd);
if ( ret )
break;
ret = ioapic_guest_write(apic.apic_physbase, apic.reg, apic.value);
@@ -385,7 +385,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
/* Use the APIC check since this dummy hypercall should still only
* be called by the domain with access to program the ioapic */
- ret = xsm_apic(XSM_PRIV, currd, cmd);
+ ret = xsm_apic(currd, cmd);
if ( ret )
break;
@@ -535,8 +535,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( copy_from_guest(&dev, arg, 1) )
ret = -EFAULT;
else
- ret = xsm_resource_setup_pci(XSM_PRIV,
- (dev.seg << 16) | (dev.bus << 8) |
+ ret = xsm_resource_setup_pci((dev.seg << 16) | (dev.bus << 8) |
dev.devfn) ?:
pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
cmd != PHYSDEVOP_prepare_msix);
@@ -546,7 +545,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
case PHYSDEVOP_pci_mmcfg_reserved: {
struct physdev_pci_mmcfg_reserved info;
- ret = xsm_resource_setup_misc(XSM_PRIV);
+ ret = xsm_resource_setup_misc();
if ( ret )
break;
@@ -611,7 +610,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( setup_gsi.gsi < 0 || setup_gsi.gsi >= nr_irqs_gsi )
break;
- ret = xsm_resource_setup_gsi(XSM_PRIV, setup_gsi.gsi);
+ ret = xsm_resource_setup_gsi(setup_gsi.gsi);
if ( ret )
break;
diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
index 23fadbc782..afa97f74fd 100644
--- a/xen/arch/x86/platform_hypercall.c
+++ b/xen/arch/x86/platform_hypercall.c
@@ -196,7 +196,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
if ( op->interface_version != XENPF_INTERFACE_VERSION )
return -EACCES;
- ret = xsm_platform_op(XSM_PRIV, op->cmd);
+ ret = xsm_platform_op(op->cmd);
if ( ret )
return ret;
@@ -614,7 +614,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
{
int cpu = op->u.cpu_ol.cpuid;
- ret = xsm_resource_plug_core(XSM_HOOK);
+ ret = xsm_resource_plug_core();
if ( ret )
break;
@@ -640,7 +640,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
{
int cpu = op->u.cpu_ol.cpuid;
- ret = xsm_resource_unplug_core(XSM_HOOK);
+ ret = xsm_resource_unplug_core();
if ( ret )
break;
@@ -669,7 +669,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
break;
case XENPF_cpu_hotadd:
- ret = xsm_resource_plug_core(XSM_HOOK);
+ ret = xsm_resource_plug_core();
if ( ret )
break;
@@ -679,7 +679,7 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op)
break;
case XENPF_mem_hotadd:
- ret = xsm_resource_plug_core(XSM_HOOK);
+ ret = xsm_resource_plug_core();
if ( ret )
break;
diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 8889509d2a..d833b8e2e6 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -250,7 +250,7 @@ static bool pci_cfg_ok(struct domain *currd, unsigned int start,
}
return !write ?
- xsm_pci_config_permission(XSM_HOOK, currd, machine_bdf,
+ xsm_pci_config_permission(currd, machine_bdf,
start, start + size - 1, 0) == 0 :
pci_conf_write_intercept(0, machine_bdf, start, size, write) >= 0;
}
diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c
index aff52a13f3..975672360b 100644
--- a/xen/arch/x86/sysctl.c
+++ b/xen/arch/x86/sysctl.c
@@ -190,8 +190,8 @@ long arch_do_sysctl(
}
if ( !ret )
- ret = plug ? xsm_resource_plug_core(XSM_HOOK)
- : xsm_resource_unplug_core(XSM_HOOK);
+ ret = plug ? xsm_resource_plug_core()
+ : xsm_resource_unplug_core();
if ( !ret )
ret = continue_hypercall_on_cpu(0, fn, hcpu);
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 6b71c6d6a9..392865f0f1 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -311,7 +311,7 @@ static int late_hwdom_init(struct domain *d)
if ( d != hardware_domain || d->domain_id == 0 )
return 0;
- rv = xsm_init_hardware_domain(XSM_HOOK, d);
+ rv = xsm_init_hardware_domain(d);
if ( rv )
return rv;
@@ -649,7 +649,7 @@ struct domain *domain_create(domid_t domid,
if ( !d->iomem_caps || !d->irq_caps )
goto fail;
- if ( (err = xsm_domain_create(XSM_HOOK, d, config->ssidref)) != 0 )
+ if ( (err = xsm_domain_create(d, config->ssidref)) != 0 )
goto fail;
d->controller_pause_count = 1;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index ef202c2b8c..de258ab7f7 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -314,7 +314,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
return -ESRCH;
}
- ret = xsm_domctl(XSM_OTHER, d, op->cmd);
+ ret = xsm_domctl(d, op->cmd);
if ( ret )
goto domctl_out_unlock_domonly;
@@ -553,7 +553,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
if ( d == NULL )
goto getdomaininfo_out;
- ret = xsm_getdomaininfo(XSM_HOOK, d);
+ ret = xsm_getdomaininfo(d);
if ( ret )
goto getdomaininfo_out;
@@ -688,7 +688,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
break;
}
irq = pirq_access_permitted(current->domain, pirq);
- if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) )
+ if ( !irq || xsm_irq_permission(d, irq, allow) )
ret = -EPERM;
else if ( allow )
ret = irq_permit_access(d, irq);
@@ -709,7 +709,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
if ( !iomem_access_permitted(current->domain,
mfn, mfn + nr_mfns - 1) ||
- xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
+ xsm_iomem_permission(d, mfn, mfn + nr_mfns - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
@@ -746,7 +746,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
!iomem_access_permitted(d, mfn, mfn_end) )
break;
- ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add);
+ ret = xsm_iomem_mapping(d, mfn, mfn_end, add);
if ( ret )
break;
@@ -804,7 +804,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
ret = -EOPNOTSUPP;
if ( is_hvm_domain(e) )
- ret = xsm_set_target(XSM_HOOK, d, e);
+ ret = xsm_set_target(d, e);
if ( ret )
{
put_domain(e);
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index 5479315aae..21e7b496ef 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -296,7 +296,7 @@ static long evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc)
ERROR_EXIT_DOM(port, d);
chn = evtchn_from_port(d, port);
- rc = xsm_evtchn_unbound(XSM_TARGET, d, chn, alloc->remote_dom);
+ rc = xsm_evtchn_unbound(d, chn, alloc->remote_dom);
if ( rc )
goto out;
@@ -372,7 +372,7 @@ static long evtchn_bind_interdomain(evtchn_bind_interdomain_t *bind)
(rchn->u.unbound.remote_domid != ld->domain_id) )
ERROR_EXIT_DOM(-EINVAL, rd);
- rc = xsm_evtchn_interdomain(XSM_HOOK, ld, lchn, rd, rchn);
+ rc = xsm_evtchn_interdomain(ld, lchn, rd, rchn);
if ( rc )
goto out;
@@ -760,7 +760,7 @@ int evtchn_send(struct domain *ld, unsigned int lport)
goto out;
}
- ret = xsm_evtchn_send(XSM_HOOK, ld, lchn);
+ ret = xsm_evtchn_send(ld, lchn);
if ( ret )
goto out;
@@ -985,7 +985,7 @@ int evtchn_status(evtchn_status_t *status)
goto out;
}
- rc = xsm_evtchn_status(XSM_TARGET, d, chn);
+ rc = xsm_evtchn_status(d, chn);
if ( rc )
goto out;
@@ -1310,7 +1310,7 @@ long do_event_channel_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -ESRCH;
- rc = xsm_evtchn_reset(XSM_TARGET, current->domain, d);
+ rc = xsm_evtchn_reset(current->domain, d);
if ( !rc )
rc = evtchn_reset(d, cmd == EVTCHNOP_reset_cont);
@@ -1371,7 +1371,7 @@ int alloc_unbound_xen_event_channel(
goto out;
chn = evtchn_from_port(ld, port);
- rc = xsm_evtchn_unbound(XSM_TARGET, ld, chn, remote_domid);
+ rc = xsm_evtchn_unbound(ld, chn, remote_domid);
if ( rc )
goto out;
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index ab30e2e8cf..df516f6340 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1063,7 +1063,7 @@ map_grant_ref(
return;
}
- rc = xsm_grant_mapref(XSM_HOOK, ld, rd, op->flags);
+ rc = xsm_grant_mapref(ld, rd, op->flags);
if ( rc )
{
rcu_unlock_domain(rd);
@@ -1403,7 +1403,7 @@ unmap_common(
return;
}
- rc = xsm_grant_unmapref(XSM_HOOK, ld, rd);
+ rc = xsm_grant_unmapref(ld, rd);
if ( rc )
{
rcu_unlock_domain(rd);
@@ -2021,7 +2021,7 @@ gnttab_setup_table(
goto out;
}
- if ( xsm_grant_setup(XSM_TARGET, curr->domain, d) )
+ if ( xsm_grant_setup(curr->domain, d) )
{
op.status = GNTST_permission_denied;
goto out;
@@ -2103,7 +2103,7 @@ gnttab_query_size(
goto out;
}
- if ( xsm_grant_query_size(XSM_TARGET, current->domain, d) )
+ if ( xsm_grant_query_size(current->domain, d) )
{
op.status = GNTST_permission_denied;
goto out;
@@ -2274,7 +2274,7 @@ gnttab_transfer(
goto put_gfn_and_copyback;
}
- if ( xsm_grant_transfer(XSM_HOOK, d, e) )
+ if ( xsm_grant_transfer(d, e) )
{
gop.status = GNTST_permission_denied;
unlock_and_copyback:
@@ -2812,7 +2812,7 @@ static int gnttab_copy_lock_domains(const struct gnttab_copy *op,
if ( rc < 0 )
goto error;
- rc = xsm_grant_copy(XSM_HOOK, src->domain, dest->domain);
+ rc = xsm_grant_copy(src->domain, dest->domain);
if ( rc < 0 )
{
rc = GNTST_permission_denied;
@@ -3231,7 +3231,7 @@ gnttab_get_status_frames(XEN_GUEST_HANDLE_PARAM(gnttab_get_status_frames_t) uop,
op.status = GNTST_bad_domain;
goto out1;
}
- rc = xsm_grant_setup(XSM_TARGET, current->domain, d);
+ rc = xsm_grant_setup(current->domain, d);
if ( rc )
{
op.status = GNTST_permission_denied;
@@ -3295,7 +3295,7 @@ gnttab_get_version(XEN_GUEST_HANDLE_PARAM(gnttab_get_version_t) uop)
if ( d == NULL )
return -ESRCH;
- rc = xsm_grant_query_size(XSM_TARGET, current->domain, d);
+ rc = xsm_grant_query_size(current->domain, d);
if ( rc )
{
rcu_unlock_domain(d);
diff --git a/xen/common/hypfs.c b/xen/common/hypfs.c
index e71f7df479..052f3d472a 100644
--- a/xen/common/hypfs.c
+++ b/xen/common/hypfs.c
@@ -679,7 +679,7 @@ long do_hypfs_op(unsigned int cmd,
struct hypfs_entry *entry;
static char path[XEN_HYPFS_MAX_PATHLEN];
- if ( xsm_hypfs_op(XSM_PRIV) )
+ if ( xsm_hypfs_op() )
return -EPERM;
if ( cmd == XEN_HYPFS_OP_get_version )
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index d77756a81e..89e01e908c 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -459,7 +459,7 @@ __initcall(param_init);
DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
{
- bool_t deny = !!xsm_xen_version(XSM_OTHER, cmd);
+ bool_t deny = !!xsm_xen_version(cmd);
switch ( cmd )
{
diff --git a/xen/common/kexec.c b/xen/common/kexec.c
index ebeee6405a..a0d2858cd8 100644
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -1219,7 +1219,7 @@ static int do_kexec_op_internal(unsigned long op,
{
int ret = -EINVAL;
- ret = xsm_kexec(XSM_PRIV);
+ ret = xsm_kexec();
if ( ret )
return ret;
diff --git a/xen/common/mem_access.c b/xen/common/mem_access.c
index 010e6f8dbf..2066510d3b 100644
--- a/xen/common/mem_access.c
+++ b/xen/common/mem_access.c
@@ -47,7 +47,7 @@ int mem_access_memop(unsigned long cmd,
if ( !p2m_mem_access_sanity_check(d) )
goto out;
- rc = xsm_mem_access(XSM_DM_PRIV, d);
+ rc = xsm_mem_access(d);
if ( rc )
goto out;
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 72a6b70cb5..d2621bbb47 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -609,7 +609,7 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
goto fail_early;
}
- rc = xsm_memory_exchange(XSM_TARGET, d);
+ rc = xsm_memory_exchange(d);
if ( rc )
{
rcu_unlock_domain(d);
@@ -1072,7 +1072,7 @@ static long xatp_permission_check(struct domain *d, unsigned int space)
(!is_hardware_domain(d) || (d != current->domain)) )
return -EACCES;
- return xsm_add_to_physmap(XSM_TARGET, current->domain, d);
+ return xsm_add_to_physmap(current->domain, d);
}
unsigned int ioreq_server_max_frames(const struct domain *d)
@@ -1232,7 +1232,7 @@ static int acquire_resource(
if ( rc )
return rc;
- rc = xsm_domain_resource_map(XSM_DM_PRIV, d);
+ rc = xsm_domain_resource_map(d);
if ( rc )
goto out;
@@ -1388,7 +1388,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
&& (reservation.mem_flags & XENMEMF_populate_on_demand) )
args.memflags |= MEMF_populate_on_demand;
- if ( xsm_memory_adjust_reservation(XSM_TARGET, curr_d, d) )
+ if ( xsm_memory_adjust_reservation(curr_d, d) )
{
rcu_unlock_domain(d);
return start_extent;
@@ -1462,7 +1462,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -ESRCH;
- rc = xsm_memory_stat_reservation(XSM_TARGET, curr_d, d);
+ rc = xsm_memory_stat_reservation(curr_d, d);
if ( rc )
{
rcu_unlock_domain(d);
@@ -1584,7 +1584,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
return -ESRCH;
rc = paging_mode_translate(d)
- ? xsm_remove_from_physmap(XSM_TARGET, curr_d, d)
+ ? xsm_remove_from_physmap(curr_d, d)
: -EACCES;
if ( rc )
{
@@ -1631,7 +1631,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -EINVAL;
- rc = xsm_claim_pages(XSM_PRIV, d);
+ rc = xsm_claim_pages(d);
if ( !rc )
rc = domain_set_outstanding_pages(d, reservation.nr_extents);
@@ -1662,7 +1662,7 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( (d = rcu_lock_domain_by_any_id(topology.domid)) == NULL )
return -ESRCH;
- rc = xsm_get_vnumainfo(XSM_TARGET, d);
+ rc = xsm_get_vnumainfo(d);
if ( rc )
{
rcu_unlock_domain(d);
diff --git a/xen/common/monitor.c b/xen/common/monitor.c
index d5c9ff1cbf..ff17bad733 100644
--- a/xen/common/monitor.c
+++ b/xen/common/monitor.c
@@ -36,7 +36,7 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop)
if ( unlikely(current->domain == d) ) /* no domain_pause() */
return -EPERM;
- rc = xsm_vm_event_control(XSM_PRIV, d, mop->op, mop->event);
+ rc = xsm_vm_event_control(d, mop->op, mop->event);
if ( unlikely(rc) )
return rc;
diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c
index 6d34764d38..e5c154fe9d 100644
--- a/xen/common/sched/core.c
+++ b/xen/common/sched/core.c
@@ -1944,7 +1944,7 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
break;
- ret = xsm_schedop_shutdown(XSM_DM_PRIV, current->domain, d);
+ ret = xsm_schedop_shutdown(current->domain, d);
if ( likely(!ret) )
domain_shutdown(d, sched_remote_shutdown.reason);
@@ -2046,7 +2046,7 @@ long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op)
{
long ret;
- ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd);
+ ret = xsm_domctl_scheduler_op(d, op->cmd);
if ( ret )
return ret;
@@ -2081,7 +2081,7 @@ long sched_adjust_global(struct xen_sysctl_scheduler_op *op)
struct cpupool *pool;
int rc;
- rc = xsm_sysctl_scheduler_op(XSM_HOOK, op->cmd);
+ rc = xsm_sysctl_scheduler_op(op->cmd);
if ( rc )
return rc;
diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c
index 3558641cd9..4e25c0e499 100644
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -41,7 +41,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
if ( op->interface_version != XEN_SYSCTL_INTERFACE_VERSION )
return -EACCES;
- ret = xsm_sysctl(XSM_PRIV, op->cmd);
+ ret = xsm_sysctl(op->cmd);
if ( ret )
return ret;
@@ -58,7 +58,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
switch ( op->cmd )
{
case XEN_SYSCTL_readconsole:
- ret = xsm_readconsole(XSM_HOOK, op->u.readconsole.clear);
+ ret = xsm_readconsole(op->u.readconsole.clear);
if ( ret )
break;
@@ -88,7 +88,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
if ( num_domains == op->u.getdomaininfolist.max_domains )
break;
- ret = xsm_getdomaininfo(XSM_HOOK, d);
+ ret = xsm_getdomaininfo(d);
if ( ret )
continue;
@@ -191,7 +191,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
if ( op->u.page_offline.end < op->u.page_offline.start )
break;
- ret = xsm_page_offline(XSM_HOOK, op->u.page_offline.cmd);
+ ret = xsm_page_offline(op->u.page_offline.cmd);
if ( ret )
break;
diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c
index 70ab3ba406..307f99fcf0 100644
--- a/xen/common/vm_event.c
+++ b/xen/common/vm_event.c
@@ -584,7 +584,7 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec)
return 0;
}
- rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op);
+ rc = xsm_vm_event_control(d, vec->mode, vec->op);
if ( rc )
return rc;
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 1926a92fe4..76d8b1f807 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -737,7 +737,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
return -EPERM;
}
- ret = xsm_profile(XSM_HOOK, current->domain, op);
+ ret = xsm_profile(current->domain, op);
if ( ret )
return ret;
diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index 7d0a603d03..b5d62ea4ee 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -681,7 +681,7 @@ long do_console_io(unsigned int cmd, unsigned int count,
long rc;
unsigned int idx, len;
- rc = xsm_console_io(XSM_OTHER, current->domain, cmd);
+ rc = xsm_console_io(current->domain, cmd);
if ( rc )
return rc;
diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c
index 999b831d90..67b03fd2a9 100644
--- a/xen/drivers/passthrough/device_tree.c
+++ b/xen/drivers/passthrough/device_tree.c
@@ -230,7 +230,7 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d,
if ( ret )
break;
- ret = xsm_assign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev));
+ ret = xsm_assign_dtdevice(d, dt_node_full_name(dev));
if ( ret )
break;
@@ -284,7 +284,7 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct domain *d,
if ( ret )
break;
- ret = xsm_deassign_dtdevice(XSM_HOOK, d, dt_node_full_name(dev));
+ ret = xsm_deassign_dtdevice(d, dt_node_full_name(dev));
if ( d == dom_io )
return -EINVAL;
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index 199ce08612..1363ef8121 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -704,7 +704,7 @@ int pci_add_device(u16 seg, u8 bus, u8 devfn,
else
pdev_type = "device";
- ret = xsm_resource_plug_pci(XSM_PRIV, (seg << 16) | (bus << 8) | devfn);
+ ret = xsm_resource_plug_pci((seg << 16) | (bus << 8) | devfn);
if ( ret )
return ret;
@@ -814,7 +814,7 @@ int pci_remove_device(u16 seg, u8 bus, u8 devfn)
struct pci_dev *pdev;
int ret;
- ret = xsm_resource_unplug_pci(XSM_PRIV, (seg << 16) | (bus << 8) | devfn);
+ ret = xsm_resource_unplug_pci((seg << 16) | (bus << 8) | devfn);
if ( ret )
return ret;
@@ -1477,7 +1477,7 @@ static int iommu_get_device_group(
((pdev->bus == bus) && (pdev->devfn == devfn)) )
continue;
- if ( xsm_get_device_group(XSM_HOOK, (seg << 16) | (pdev->bus << 8) | pdev->devfn) )
+ if ( xsm_get_device_group((seg << 16) | (pdev->bus << 8) | pdev->devfn) )
continue;
sdev_id = ops->get_device_group_id(seg, pdev->bus, pdev->devfn);
@@ -1545,7 +1545,7 @@ int iommu_do_pci_domctl(
u32 max_sdevs;
XEN_GUEST_HANDLE_64(uint32) sdevs;
- ret = xsm_get_device_group(XSM_HOOK, domctl->u.get_device_group.machine_sbdf);
+ ret = xsm_get_device_group(domctl->u.get_device_group.machine_sbdf);
if ( ret )
break;
@@ -1596,7 +1596,7 @@ int iommu_do_pci_domctl(
machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf;
- ret = xsm_assign_device(XSM_HOOK, d, machine_sbdf);
+ ret = xsm_assign_device(d, machine_sbdf);
if ( ret )
break;
@@ -1641,7 +1641,7 @@ int iommu_do_pci_domctl(
machine_sbdf = domctl->u.assign_device.u.pci.machine_sbdf;
- ret = xsm_deassign_device(XSM_HOOK, d, machine_sbdf);
+ ret = xsm_deassign_device(d, machine_sbdf);
if ( ret )
break;
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 69f68300e2..1d25954731 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -30,53 +30,53 @@ static inline void xsm_security_domaininfo (struct domain *d,
alternative_vcall(xsm_ops.security_domaininfo, d, info);
}
-static inline int xsm_domain_create (xsm_default_t def, struct domain *d, u32 ssidref)
+static inline int xsm_domain_create (struct domain *d, u32 ssidref)
{
return alternative_call(xsm_ops.domain_create, d, ssidref);
}
-static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
+static inline int xsm_getdomaininfo (struct domain *d)
{
return alternative_call(xsm_ops.getdomaininfo, d);
}
-static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_domctl_scheduler_op (struct domain *d, int cmd)
{
return alternative_call(xsm_ops.domctl_scheduler_op, d, cmd);
}
-static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
+static inline int xsm_sysctl_scheduler_op (int cmd)
{
return alternative_call(xsm_ops.sysctl_scheduler_op, cmd);
}
-static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
+static inline int xsm_set_target (struct domain *d, struct domain *e)
{
return alternative_call(xsm_ops.set_target, d, e);
}
-static inline int xsm_domctl (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_domctl (struct domain *d, int cmd)
{
return alternative_call(xsm_ops.domctl, d, cmd);
}
-static inline int xsm_sysctl (xsm_default_t def, int cmd)
+static inline int xsm_sysctl (int cmd)
{
return alternative_call(xsm_ops.sysctl, cmd);
}
-static inline int xsm_readconsole (xsm_default_t def, uint32_t clear)
+static inline int xsm_readconsole (uint32_t clear)
{
return alternative_call(xsm_ops.readconsole, clear);
}
-static inline int xsm_evtchn_unbound (xsm_default_t def, struct domain *d1, struct evtchn *chn,
+static inline int xsm_evtchn_unbound (struct domain *d1, struct evtchn *chn,
domid_t id2)
{
return alternative_call(xsm_ops.evtchn_unbound, d1, chn, id2);
}
-static inline int xsm_evtchn_interdomain (xsm_default_t def, struct domain *d1,
+static inline int xsm_evtchn_interdomain (struct domain *d1,
struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
{
return alternative_call(xsm_ops.evtchn_interdomain, d1, chan1, d2, chan2);
@@ -87,48 +87,48 @@ static inline void xsm_evtchn_close_post (struct evtchn *chn)
alternative_vcall(xsm_ops.evtchn_close_post, chn);
}
-static inline int xsm_evtchn_send (xsm_default_t def, struct domain *d, struct evtchn *chn)
+static inline int xsm_evtchn_send (struct domain *d, struct evtchn *chn)
{
return alternative_call(xsm_ops.evtchn_send, d, chn);
}
-static inline int xsm_evtchn_status (xsm_default_t def, struct domain *d, struct evtchn *chn)
+static inline int xsm_evtchn_status (struct domain *d, struct evtchn *chn)
{
return alternative_call(xsm_ops.evtchn_status, d, chn);
}
-static inline int xsm_evtchn_reset (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_evtchn_reset (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.evtchn_reset, d1, d2);
}
-static inline int xsm_grant_mapref (xsm_default_t def, struct domain *d1, struct domain *d2,
+static inline int xsm_grant_mapref (struct domain *d1, struct domain *d2,
uint32_t flags)
{
return alternative_call(xsm_ops.grant_mapref, d1, d2, flags);
}
-static inline int xsm_grant_unmapref (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_unmapref (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.grant_unmapref, d1, d2);
}
-static inline int xsm_grant_setup (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_setup (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.grant_setup, d1, d2);
}
-static inline int xsm_grant_transfer (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_transfer (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.grant_transfer, d1, d2);
}
-static inline int xsm_grant_copy (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_copy (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.grant_copy, d1, d2);
}
-static inline int xsm_grant_query_size (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_grant_query_size (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.grant_query_size, d1, d2);
}
@@ -160,80 +160,80 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt
return alternative_call(xsm_ops.show_security_evtchn, d, chn);
}
-static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
+static inline int xsm_init_hardware_domain (struct domain *d)
{
return alternative_call(xsm_ops.init_hardware_domain, d);
}
-static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
+static inline int xsm_get_pod_target (struct domain *d)
{
return alternative_call(xsm_ops.get_pod_target, d);
}
-static inline int xsm_set_pod_target (xsm_default_t def, struct domain *d)
+static inline int xsm_set_pod_target (struct domain *d)
{
return alternative_call(xsm_ops.set_pod_target, d);
}
-static inline int xsm_memory_exchange (xsm_default_t def, struct domain *d)
+static inline int xsm_memory_exchange (struct domain *d)
{
return alternative_call(xsm_ops.memory_exchange, d);
}
-static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct domain *d1, struct
+static inline int xsm_memory_adjust_reservation (struct domain *d1, struct
domain *d2)
{
return alternative_call(xsm_ops.memory_adjust_reservation, d1, d2);
}
-static inline int xsm_memory_stat_reservation (xsm_default_t def, struct domain *d1,
+static inline int xsm_memory_stat_reservation (struct domain *d1,
struct domain *d2)
{
return alternative_call(xsm_ops.memory_stat_reservation, d1, d2);
}
-static inline int xsm_memory_pin_page(xsm_default_t def, struct domain *d1, struct domain *d2,
+static inline int xsm_memory_pin_page(struct domain *d1, struct domain *d2,
struct page_info *page)
{
return alternative_call(xsm_ops.memory_pin_page, d1, d2, page);
}
-static inline int xsm_add_to_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_add_to_physmap(struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.add_to_physmap, d1, d2);
}
-static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_remove_from_physmap(struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.remove_from_physmap, d1, d2);
}
-static inline int xsm_map_gmfn_foreign (xsm_default_t def, struct domain *d, struct domain *t)
+static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t)
{
return alternative_call(xsm_ops.map_gmfn_foreign, d, t);
}
-static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
+static inline int xsm_claim_pages(struct domain *d)
{
return alternative_call(xsm_ops.claim_pages, d);
}
-static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_console_io (struct domain *d, int cmd)
{
return alternative_call(xsm_ops.console_io, d, cmd);
}
-static inline int xsm_profile (xsm_default_t def, struct domain *d, int op)
+static inline int xsm_profile (struct domain *d, int op)
{
return alternative_call(xsm_ops.profile, d, op);
}
-static inline int xsm_kexec (xsm_default_t def)
+static inline int xsm_kexec (void)
{
return alternative_call(xsm_ops.kexec);
}
-static inline int xsm_schedop_shutdown (xsm_default_t def, struct domain *d1, struct domain *d2)
+static inline int xsm_schedop_shutdown (struct domain *d1, struct domain *d2)
{
return alternative_call(xsm_ops.schedop_shutdown, d1, d2);
}
@@ -243,131 +243,129 @@ static inline char *xsm_show_irq_sid (int irq)
return alternative_call(xsm_ops.show_irq_sid, irq);
}
-static inline int xsm_map_domain_pirq (xsm_default_t def, struct domain *d)
+static inline int xsm_map_domain_pirq (struct domain *d)
{
return alternative_call(xsm_ops.map_domain_pirq, d);
}
-static inline int xsm_map_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
+static inline int xsm_map_domain_irq (struct domain *d, int irq, void *data)
{
return alternative_call(xsm_ops.map_domain_irq, d, irq, data);
}
-static inline int xsm_unmap_domain_pirq (xsm_default_t def, struct domain *d)
+static inline int xsm_unmap_domain_pirq (struct domain *d)
{
return alternative_call(xsm_ops.unmap_domain_pirq, d);
}
-static inline int xsm_unmap_domain_irq (xsm_default_t def, struct domain *d, int irq, void *data)
+static inline int xsm_unmap_domain_irq (struct domain *d, int irq, void *data)
{
return alternative_call(xsm_ops.unmap_domain_irq, d, irq, data);
}
-static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d,
+static inline int xsm_bind_pt_irq(struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
return alternative_call(xsm_ops.bind_pt_irq, d, bind);
}
-static inline int xsm_unbind_pt_irq(xsm_default_t def, struct domain *d,
+static inline int xsm_unbind_pt_irq(struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
return alternative_call(xsm_ops.unbind_pt_irq, d, bind);
}
-static inline int xsm_irq_permission (xsm_default_t def, struct domain *d, int pirq, uint8_t allow)
+static inline int xsm_irq_permission (struct domain *d, int pirq, uint8_t allow)
{
return alternative_call(xsm_ops.irq_permission, d, pirq, allow);
}
-static inline int xsm_iomem_permission (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int xsm_iomem_permission (struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
return alternative_call(xsm_ops.iomem_permission, d, s, e, allow);
}
-static inline int xsm_iomem_mapping (xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static inline int xsm_iomem_mapping (struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
{
return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow);
}
-static inline int xsm_pci_config_permission (xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
+static inline int xsm_pci_config_permission (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access)
{
return alternative_call(xsm_ops.pci_config_permission, d, machine_bdf, start, end, access);
}
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static inline int xsm_get_device_group(xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_get_device_group(uint32_t machine_bdf)
{
return alternative_call(xsm_ops.get_device_group, machine_bdf);
}
-static inline int xsm_assign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
+static inline int xsm_assign_device(struct domain *d, uint32_t machine_bdf)
{
return alternative_call(xsm_ops.assign_device, d, machine_bdf);
}
-static inline int xsm_deassign_device(xsm_default_t def, struct domain *d, uint32_t machine_bdf)
+static inline int xsm_deassign_device(struct domain *d, uint32_t machine_bdf)
{
return alternative_call(xsm_ops.deassign_device, d, machine_bdf);
}
#endif /* HAS_PASSTHROUGH && HAS_PCI) */
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static inline int xsm_assign_dtdevice(xsm_default_t def, struct domain *d,
- const char *dtpath)
+static inline int xsm_assign_dtdevice(struct domain *d, const char *dtpath)
{
return alternative_call(xsm_ops.assign_dtdevice, d, dtpath);
}
-static inline int xsm_deassign_dtdevice(xsm_default_t def, struct domain *d,
- const char *dtpath)
+static inline int xsm_deassign_dtdevice(struct domain *d, const char *dtpath)
{
return alternative_call(xsm_ops.deassign_dtdevice, d, dtpath);
}
#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
-static inline int xsm_resource_plug_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_plug_pci (uint32_t machine_bdf)
{
return alternative_call(xsm_ops.resource_plug_pci, machine_bdf);
}
-static inline int xsm_resource_unplug_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_unplug_pci (uint32_t machine_bdf)
{
return alternative_call(xsm_ops.resource_unplug_pci, machine_bdf);
}
-static inline int xsm_resource_plug_core (xsm_default_t def)
+static inline int xsm_resource_plug_core (void)
{
return alternative_call(xsm_ops.resource_plug_core);
}
-static inline int xsm_resource_unplug_core (xsm_default_t def)
+static inline int xsm_resource_unplug_core (void)
{
return alternative_call(xsm_ops.resource_unplug_core);
}
-static inline int xsm_resource_setup_pci (xsm_default_t def, uint32_t machine_bdf)
+static inline int xsm_resource_setup_pci (uint32_t machine_bdf)
{
return alternative_call(xsm_ops.resource_setup_pci, machine_bdf);
}
-static inline int xsm_resource_setup_gsi (xsm_default_t def, int gsi)
+static inline int xsm_resource_setup_gsi (int gsi)
{
return alternative_call(xsm_ops.resource_setup_gsi, gsi);
}
-static inline int xsm_resource_setup_misc (xsm_default_t def)
+static inline int xsm_resource_setup_misc (void)
{
return alternative_call(xsm_ops.resource_setup_misc);
}
-static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
+static inline int xsm_page_offline(uint32_t cmd)
{
return alternative_call(xsm_ops.page_offline, cmd);
}
-static inline int xsm_hypfs_op(xsm_default_t def)
+static inline int xsm_hypfs_op(void)
{
return alternative_call(xsm_ops.hypfs_op);
}
@@ -386,149 +384,149 @@ static inline int xsm_do_compat_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
}
#endif
-static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned long op)
+static inline int xsm_hvm_param (struct domain *d, unsigned long op)
{
return alternative_call(xsm_ops.hvm_param, d, op);
}
-static inline int xsm_hvm_control(xsm_default_t def, struct domain *d, unsigned long op)
+static inline int xsm_hvm_control(struct domain *d, unsigned long op)
{
return alternative_call(xsm_ops.hvm_control, d, op);
}
-static inline int xsm_hvm_param_altp2mhvm (xsm_default_t def, struct domain *d)
+static inline int xsm_hvm_param_altp2mhvm (struct domain *d)
{
return alternative_call(xsm_ops.hvm_param_altp2mhvm, d);
}
-static inline int xsm_hvm_altp2mhvm_op (xsm_default_t def, struct domain *d, uint64_t mode, uint32_t op)
+static inline int xsm_hvm_altp2mhvm_op (struct domain *d, uint64_t mode, uint32_t op)
{
return alternative_call(xsm_ops.hvm_altp2mhvm_op, d, mode, op);
}
-static inline int xsm_get_vnumainfo (xsm_default_t def, struct domain *d)
+static inline int xsm_get_vnumainfo (struct domain *d)
{
return alternative_call(xsm_ops.get_vnumainfo, d);
}
-static inline int xsm_vm_event_control (xsm_default_t def, struct domain *d, int mode, int op)
+static inline int xsm_vm_event_control (struct domain *d, int mode, int op)
{
return alternative_call(xsm_ops.vm_event_control, d, mode, op);
}
#ifdef CONFIG_MEM_ACCESS
-static inline int xsm_mem_access (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_access (struct domain *d)
{
return alternative_call(xsm_ops.mem_access, d);
}
#endif
#ifdef CONFIG_MEM_PAGING
-static inline int xsm_mem_paging (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_paging (struct domain *d)
{
return alternative_call(xsm_ops.mem_paging, d);
}
#endif
#ifdef CONFIG_MEM_SHARING
-static inline int xsm_mem_sharing (xsm_default_t def, struct domain *d)
+static inline int xsm_mem_sharing (struct domain *d)
{
return alternative_call(xsm_ops.mem_sharing, d);
}
#endif
-static inline int xsm_platform_op (xsm_default_t def, uint32_t op)
+static inline int xsm_platform_op (uint32_t op)
{
return alternative_call(xsm_ops.platform_op, op);
}
#ifdef CONFIG_X86
-static inline int xsm_do_mca(xsm_default_t def)
+static inline int xsm_do_mca(void)
{
return alternative_call(xsm_ops.do_mca);
}
-static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
+static inline int xsm_shadow_control (struct domain *d, uint32_t op)
{
return alternative_call(xsm_ops.shadow_control, d, op);
}
-static inline int xsm_mem_sharing_op (xsm_default_t def, struct domain *d, struct domain *cd, int op)
+static inline int xsm_mem_sharing_op (struct domain *d, struct domain *cd, int op)
{
return alternative_call(xsm_ops.mem_sharing_op, d, cd, op);
}
-static inline int xsm_apic (xsm_default_t def, struct domain *d, int cmd)
+static inline int xsm_apic (struct domain *d, int cmd)
{
return alternative_call(xsm_ops.apic, d, cmd);
}
-static inline int xsm_memtype (xsm_default_t def, uint32_t access)
+static inline int xsm_memtype (uint32_t access)
{
return alternative_call(xsm_ops.memtype, access);
}
-static inline int xsm_machine_memory_map(xsm_default_t def)
+static inline int xsm_machine_memory_map(void)
{
return alternative_call(xsm_ops.machine_memory_map);
}
-static inline int xsm_domain_memory_map(xsm_default_t def, struct domain *d)
+static inline int xsm_domain_memory_map(struct domain *d)
{
return alternative_call(xsm_ops.domain_memory_map, d);
}
-static inline int xsm_mmu_update (xsm_default_t def, struct domain *d, struct domain *t,
+static inline int xsm_mmu_update (struct domain *d, struct domain *t,
struct domain *f, uint32_t flags)
{
return alternative_call(xsm_ops.mmu_update, d, t, f, flags);
}
-static inline int xsm_mmuext_op (xsm_default_t def, struct domain *d, struct domain *f)
+static inline int xsm_mmuext_op (struct domain *d, struct domain *f)
{
return alternative_call(xsm_ops.mmuext_op, d, f);
}
-static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, struct domain *f,
+static inline int xsm_update_va_mapping(struct domain *d, struct domain *f,
l1_pgentry_t pte)
{
/* pte(struct) is being passed by value, alternative_call does not support */
return xsm_ops.update_va_mapping(d, f, pte);
}
-static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t)
+static inline int xsm_priv_mapping(struct domain *d, struct domain *t)
{
return alternative_call(xsm_ops.priv_mapping, d, t);
}
-static inline int xsm_ioport_permission (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int xsm_ioport_permission (struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
return alternative_call(xsm_ops.ioport_permission, d, s, e, allow);
}
-static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static inline int xsm_ioport_mapping (struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
{
return alternative_call(xsm_ops.ioport_mapping, d, s, e, allow);
}
-static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int op)
+static inline int xsm_pmu_op (struct domain *d, unsigned int op)
{
return alternative_call(xsm_ops.pmu_op, d, op);
}
#endif /* CONFIG_X86 */
-static inline int xsm_dm_op(xsm_default_t def, struct domain *d)
+static inline int xsm_dm_op(struct domain *d)
{
return alternative_call(xsm_ops.dm_op, d);
}
-static inline int xsm_xen_version (xsm_default_t def, uint32_t op)
+static inline int xsm_xen_version (uint32_t op)
{
return alternative_call(xsm_ops.xen_version, op);
}
-static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
+static inline int xsm_domain_resource_map(struct domain *d)
{
return alternative_call(xsm_ops.domain_resource_map, d);
}
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
` (3 preceding siblings ...)
2021-06-17 23:39 ` [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-18 12:03 ` Andrew Cooper
2021-06-17 23:39 ` [PATCH 6/6] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
2021-06-18 10:14 ` [PATCH 0/6] xsm: refactoring xsm hooks Andrew Cooper
6 siblings, 1 reply; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
With the elimination of switching how dummy.h gets included, the function
declaration macros are no longer necessary. This commit expands them out to the
only value for which they will ever be set. This results in function
declaration lengths changing and since some definitions did not even follow the
80 column wrapping style, all function definitions were aligned with the
predominate style that is used in the hypervisor code.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/xsm/dummy.h | 274 +++++++++++++++++++++++++++---------------------
1 file changed, 153 insertions(+), 121 deletions(-)
diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
index 7e2bb09dac..0f8ea163af 100644
--- a/xen/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -9,7 +9,7 @@
*
*
* Each XSM hook implementing an access check should have its first parameter
- * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
+ * preceded by (or use XSM_DEFAULT_VOID if it has no
* arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
* with the expected type of the hook, which will either define or check the
* value of action.
@@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
* xsm_default_t argument available, so the value from the assertion is used to
* initialize the variable.
*/
-#define XSM_INLINE __maybe_unused
-
-#define XSM_DEFAULT_ARG /* */
#define XSM_DEFAULT_VOID void
#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
-static always_inline int xsm_default_action(
- xsm_default_t action, struct domain *src, struct domain *target)
+static always_inline int xsm_default_action(xsm_default_t action,
+ struct domain *src,
+ struct domain *target)
{
switch ( action ) {
case XSM_HOOK:
@@ -82,43 +80,43 @@ static always_inline int xsm_default_action(
}
}
-static XSM_INLINE void dummy_security_domaininfo(struct domain *d,
+static __maybe_unused void dummy_security_domaininfo(struct domain *d,
struct xen_domctl_getdomaininfo *info)
{
return;
}
-static XSM_INLINE int dummy_domain_create(XSM_DEFAULT_ARG struct domain *d, u32 ssidref)
+static __maybe_unused int dummy_domain_create(struct domain *d, u32 ssidref)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_getdomaininfo(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static __maybe_unused int dummy_domctl_scheduler_op(struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
+static __maybe_unused int dummy_sysctl_scheduler_op(int cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
+static __maybe_unused int dummy_set_target(struct domain *d, struct domain *e)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static __maybe_unused int dummy_domctl(struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( cmd )
@@ -135,85 +133,91 @@ static XSM_INLINE int dummy_domctl(XSM_DEFAULT_ARG struct domain *d, int cmd)
}
}
-static XSM_INLINE int dummy_sysctl(XSM_DEFAULT_ARG int cmd)
+static __maybe_unused int dummy_sysctl(int cmd)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_readconsole(XSM_DEFAULT_ARG uint32_t clear)
+static __maybe_unused int dummy_readconsole(uint32_t clear)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_alloc_security_domain(struct domain *d)
+static __maybe_unused int dummy_alloc_security_domain(struct domain *d)
{
return 0;
}
-static XSM_INLINE void dummy_free_security_domain(struct domain *d)
+static __maybe_unused void dummy_free_security_domain(struct domain *d)
{
return;
}
-static XSM_INLINE int dummy_grant_mapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
- uint32_t flags)
+static __maybe_unused int dummy_grant_mapref(struct domain *d1,
+ struct domain *d2,
+ uint32_t flags)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_grant_unmapref(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_grant_unmapref(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_grant_setup(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_grant_setup(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_grant_transfer(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_grant_transfer(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_grant_copy(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_grant_copy(struct domain *d1, struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_grant_query_size(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_grant_query_size(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_memory_exchange(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_memory_exchange(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_memory_adjust_reservation(XSM_DEFAULT_ARG struct domain *d1,
- struct domain *d2)
+static __maybe_unused int dummy_memory_adjust_reservation(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_memory_stat_reservation(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_memory_stat_reservation(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static __maybe_unused int dummy_console_io(struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_OTHER);
if ( d->is_console )
@@ -225,129 +229,140 @@ static XSM_INLINE int dummy_console_io(XSM_DEFAULT_ARG struct domain *d, int cmd
return xsm_default_action(XSM_PRIV, d, NULL);
}
-static XSM_INLINE int dummy_profile(XSM_DEFAULT_ARG struct domain *d, int op)
+static __maybe_unused int dummy_profile(struct domain *d, int op)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int dummy_kexec(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_kexec(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_schedop_shutdown(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_schedop_shutdown(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2,
- struct page_info *page)
+static __maybe_unused int dummy_memory_pin_page(struct domain *d1,
+ struct domain *d2,
+ struct page_info *page)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_claim_pages(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
- domid_t id2)
+static __maybe_unused int dummy_evtchn_unbound(struct domain *d,
+ struct evtchn *chn,
+ domid_t id2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_evtchn_interdomain(XSM_DEFAULT_ARG struct domain *d1, struct evtchn
- *chan1, struct domain *d2, struct evtchn *chan2)
+static __maybe_unused int dummy_evtchn_interdomain(struct domain *d1,
+ struct evtchn *chan1,
+ struct domain *d2,
+ struct evtchn *chan2)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE void dummy_evtchn_close_post(struct evtchn *chn)
+static __maybe_unused void dummy_evtchn_close_post(struct evtchn *chn)
{
return;
}
-static XSM_INLINE int dummy_evtchn_send(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static __maybe_unused int dummy_evtchn_send(struct domain *d,
+ struct evtchn *chn)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int dummy_evtchn_status(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn)
+static __maybe_unused int dummy_evtchn_status(struct domain *d,
+ struct evtchn *chn)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_evtchn_reset(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_evtchn_reset(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_alloc_security_evtchns(
- struct evtchn chn[], unsigned int nr)
+static __maybe_unused int dummy_alloc_security_evtchns(struct evtchn chn[],
+ unsigned int nr)
{
return 0;
}
-static XSM_INLINE void dummy_free_security_evtchns(
- struct evtchn chn[], unsigned int nr)
+static __maybe_unused void dummy_free_security_evtchns(struct evtchn chn[],
+ unsigned int nr)
{
return;
}
-static XSM_INLINE char *dummy_show_security_evtchn(struct domain *d, const struct evtchn *chn)
+static __maybe_unused char *dummy_show_security_evtchn(struct domain *d,
+ const struct evtchn *chn)
{
return NULL;
}
-static XSM_INLINE int dummy_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_init_hardware_domain(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_get_pod_target(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_set_pod_target(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_set_pod_target(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_get_vnumainfo(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_get_vnumainfo(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
-static XSM_INLINE int dummy_get_device_group(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static __maybe_unused int dummy_get_device_group(uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_assign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static __maybe_unused int dummy_assign_device(struct domain *d,
+ uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf)
+static __maybe_unused int dummy_deassign_device(struct domain *d,
+ uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
@@ -356,15 +371,15 @@ static XSM_INLINE int dummy_deassign_device(XSM_DEFAULT_ARG struct domain *d, ui
#endif /* HAS_PASSTHROUGH && HAS_PCI */
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_DEVICE_TREE)
-static XSM_INLINE int dummy_assign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
- const char *dtpath)
+static __maybe_unused int dummy_assign_dtdevice(struct domain *d,
+ const char *dtpath)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
- const char *dtpath)
+static __maybe_unused int dummy_deassign_dtdevice(struct domain *d,
+ const char *dtpath)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
@@ -372,178 +387,190 @@ static XSM_INLINE int dummy_deassign_dtdevice(XSM_DEFAULT_ARG struct domain *d,
#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
-static XSM_INLINE int dummy_resource_plug_core(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_resource_plug_core(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_plug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static __maybe_unused int dummy_resource_plug_pci(uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_unplug_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static __maybe_unused int dummy_resource_unplug_pci(uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_setup_pci(XSM_DEFAULT_ARG uint32_t machine_bdf)
+static __maybe_unused int dummy_resource_setup_pci(uint32_t machine_bdf)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_setup_gsi(XSM_DEFAULT_ARG int gsi)
+static __maybe_unused int dummy_resource_setup_gsi(int gsi)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
+static __maybe_unused int dummy_page_offline(uint32_t cmd)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_hypfs_op(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_hypfs_op(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static __maybe_unused long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return -ENOSYS;
}
#ifdef CONFIG_COMPAT
-static XSM_INLINE int dummy_do_compat_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
+static __maybe_unused int dummy_do_compat_op(
+ XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return -ENOSYS;
}
#endif
-static XSM_INLINE char *dummy_show_irq_sid(int irq)
+static __maybe_unused char *dummy_show_irq_sid(int irq)
{
return NULL;
}
-static XSM_INLINE int dummy_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_map_domain_pirq(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_map_domain_irq(XSM_DEFAULT_ARG struct domain *d,
- int irq, const void *data)
+static __maybe_unused int dummy_map_domain_irq(struct domain *d, int irq,
+ const void *data)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_unmap_domain_pirq(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static __maybe_unused int dummy_bind_pt_irq(struct domain *d,
+ struct xen_domctl_bind_pt_irq *bind)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_unbind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind)
+static __maybe_unused int dummy_unbind_pt_irq(struct domain *d,
+ struct xen_domctl_bind_pt_irq *bind)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_unmap_domain_irq(XSM_DEFAULT_ARG struct domain *d,
- int irq, const void *data)
+static __maybe_unused int dummy_unmap_domain_irq(struct domain *d, int irq,
+ const void *data)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_irq_permission(XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow)
+static __maybe_unused int dummy_irq_permission(struct domain *d, int pirq,
+ uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_iomem_permission(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static __maybe_unused int dummy_iomem_permission(struct domain *d, uint64_t s,
+ uint64_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_iomem_mapping(XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
+static __maybe_unused int dummy_iomem_mapping(struct domain *d, uint64_t s,
+ uint64_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_pci_config_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf,
- uint16_t start, uint16_t end,
- uint8_t access)
+static __maybe_unused int dummy_pci_config_permission(struct domain *d,
+ uint32_t machine_bdf,
+ uint16_t start,
+ uint16_t end,
+ uint8_t access)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_add_to_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_add_to_physmap(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, struct domain *d2)
+static __maybe_unused int dummy_remove_from_physmap(struct domain *d1,
+ struct domain *d2)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d1, d2);
}
-static XSM_INLINE int dummy_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static __maybe_unused int dummy_map_gmfn_foreign(struct domain *d,
+ struct domain *t)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, t);
}
-static XSM_INLINE int dummy_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static __maybe_unused int dummy_hvm_param(struct domain *d, unsigned long op)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_hvm_control(XSM_DEFAULT_ARG struct domain *d, unsigned long op)
+static __maybe_unused int dummy_hvm_control(struct domain *d, unsigned long op)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_hvm_param_altp2mhvm(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_hvm_param_altp2mhvm(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, uint64_t mode, uint32_t op)
+static __maybe_unused int dummy_hvm_altp2mhvm_op(struct domain *d,
+ uint64_t mode, uint32_t op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
@@ -562,14 +589,15 @@ static XSM_INLINE int dummy_hvm_altp2mhvm_op(XSM_DEFAULT_ARG struct domain *d, u
}
}
-static XSM_INLINE int dummy_vm_event_control(XSM_DEFAULT_ARG struct domain *d, int mode, int op)
+static __maybe_unused int dummy_vm_event_control(struct domain *d, int mode,
+ int op)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#ifdef CONFIG_MEM_ACCESS
-static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_mem_access(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
@@ -577,7 +605,7 @@ static XSM_INLINE int dummy_mem_access(XSM_DEFAULT_ARG struct domain *d)
#endif
#ifdef CONFIG_MEM_PAGING
-static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_mem_paging(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
@@ -585,58 +613,59 @@ static XSM_INLINE int dummy_mem_paging(XSM_DEFAULT_ARG struct domain *d)
#endif
#ifdef CONFIG_MEM_SHARING
-static XSM_INLINE int dummy_mem_sharing(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_mem_sharing(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#endif
-static XSM_INLINE int dummy_platform_op(XSM_DEFAULT_ARG uint32_t op)
+static __maybe_unused int dummy_platform_op(uint32_t op)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
#ifdef CONFIG_X86
-static XSM_INLINE int dummy_do_mca(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_do_mca(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
+static __maybe_unused int dummy_shadow_control(struct domain *d, uint32_t op)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_mem_sharing_op(XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op)
+static __maybe_unused int dummy_mem_sharing_op(struct domain *d,
+ struct domain *cd, int op)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, cd);
}
-static XSM_INLINE int dummy_apic(XSM_DEFAULT_ARG struct domain *d, int cmd)
+static __maybe_unused int dummy_apic(struct domain *d, int cmd)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, d, NULL);
}
-static XSM_INLINE int dummy_machine_memory_map(XSM_DEFAULT_VOID)
+static __maybe_unused int dummy_machine_memory_map(XSM_DEFAULT_VOID)
{
XSM_ASSERT_ACTION(XSM_PRIV);
return xsm_default_action(action, current->domain, NULL);
}
-static XSM_INLINE int dummy_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_domain_memory_map(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
- struct domain *f, uint32_t flags)
+static __maybe_unused int dummy_mmu_update(struct domain *d, struct domain *t,
+ struct domain *f, uint32_t flags)
{
int rc = 0;
XSM_ASSERT_ACTION(XSM_TARGET);
@@ -647,38 +676,41 @@ static XSM_INLINE int dummy_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct
return rc;
}
-static XSM_INLINE int dummy_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
+static __maybe_unused int dummy_mmuext_op(struct domain *d, struct domain *f)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, f);
}
-static XSM_INLINE int dummy_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *f,
- l1_pgentry_t pte)
+static __maybe_unused int dummy_update_va_mapping(struct domain *d,
+ struct domain *f,
+ l1_pgentry_t pte)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, f);
}
-static XSM_INLINE int dummy_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+static __maybe_unused int dummy_priv_mapping(struct domain *d, struct domain *t)
{
XSM_ASSERT_ACTION(XSM_TARGET);
return xsm_default_action(action, d, t);
}
-static XSM_INLINE int dummy_ioport_permission(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static __maybe_unused int dummy_ioport_permission(struct domain *d, uint32_t s,
+ uint32_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
+static __maybe_unused int dummy_ioport_mapping(struct domain *d, uint32_t s,
+ uint32_t e, uint8_t allow)
{
XSM_ASSERT_ACTION(XSM_HOOK);
return xsm_default_action(action, current->domain, d);
}
-static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int op)
+static __maybe_unused int dummy_pmu_op (struct domain *d, unsigned int op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
@@ -695,31 +727,31 @@ static XSM_INLINE int dummy_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned i
#endif /* CONFIG_X86 */
-static XSM_INLINE int dummy_dm_op(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_dm_op(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
}
#ifdef CONFIG_ARGO
-static XSM_INLINE int dummy_argo_enable(const struct domain *d)
+static __maybe_unused int dummy_argo_enable(const struct domain *d)
{
return 0;
}
-static XSM_INLINE int dummy_argo_register_single_source(const struct domain *d,
- const struct domain *t)
+static __maybe_unused int dummy_argo_register_single_source(const struct domain *d,
+ const struct domain *t)
{
return 0;
}
-static XSM_INLINE int dummy_argo_register_any_source(const struct domain *d)
+static __maybe_unused int dummy_argo_register_any_source(const struct domain *d)
{
return 0;
}
-static XSM_INLINE int dummy_argo_send(const struct domain *d,
- const struct domain *t)
+static __maybe_unused int dummy_argo_send(const struct domain *d,
+ const struct domain *t)
{
return 0;
}
@@ -727,7 +759,7 @@ static XSM_INLINE int dummy_argo_send(const struct domain *d,
#endif /* CONFIG_ARGO */
#include <public/version.h>
-static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
+static __maybe_unused int dummy_xen_version(uint32_t op)
{
XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
@@ -751,7 +783,7 @@ static XSM_INLINE int dummy_xen_version (XSM_DEFAULT_ARG uint32_t op)
}
}
-static XSM_INLINE int dummy_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
+static __maybe_unused int dummy_domain_resource_map(struct domain *d)
{
XSM_ASSERT_ACTION(XSM_DM_PRIV);
return xsm_default_action(action, current->domain, d);
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 6/6] xsm: removing the XSM_ASSERT_ACTION macro
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
` (4 preceding siblings ...)
2021-06-17 23:39 ` [PATCH 5/6] xsm: expanding function related macros in dummy.h Daniel P. Smith
@ 2021-06-17 23:39 ` Daniel P. Smith
2021-06-18 10:14 ` [PATCH 0/6] xsm: refactoring xsm hooks Andrew Cooper
6 siblings, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-17 23:39 UTC (permalink / raw)
To: xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
With the eliminations of default priv from all the XSM hook call sites, this
renders the XSM_ASSERT_ACTION macro unneeded. This commit cleans up all the
dummy hooks, removing the macro.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
xen/xsm/dummy.h | 253 +++++++++++++++---------------------------------
1 file changed, 80 insertions(+), 173 deletions(-)
diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
index 0f8ea163af..1a9a6b2935 100644
--- a/xen/xsm/dummy.h
+++ b/xen/xsm/dummy.h
@@ -6,13 +6,6 @@
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
- *
- *
- * Each XSM hook implementing an access check should have its first parameter
- * preceded by (or use XSM_DEFAULT_VOID if it has no
- * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
- * with the expected type of the hook, which will either define or check the
- * value of action.
*/
#include <xen/sched.h>
@@ -48,7 +41,6 @@ void __xsm_action_mismatch_detected(void);
* initialize the variable.
*/
#define XSM_DEFAULT_VOID void
-#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action
static always_inline int xsm_default_action(xsm_default_t action,
struct domain *src,
@@ -88,37 +80,31 @@ static __maybe_unused void dummy_security_domaininfo(struct domain *d,
static __maybe_unused int dummy_domain_create(struct domain *d, u32 ssidref)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_getdomaininfo(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_domctl_scheduler_op(struct domain *d, int cmd)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_sysctl_scheduler_op(int cmd)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_set_target(struct domain *d, struct domain *e)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_domctl(struct domain *d, int cmd)
{
- XSM_ASSERT_ACTION(XSM_OTHER);
switch ( cmd )
{
case XEN_DOMCTL_ioport_mapping:
@@ -135,14 +121,12 @@ static __maybe_unused int dummy_domctl(struct domain *d, int cmd)
static __maybe_unused int dummy_sysctl(int cmd)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_readconsole(uint32_t clear)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_alloc_security_domain(struct domain *d)
@@ -159,67 +143,57 @@ static __maybe_unused int dummy_grant_mapref(struct domain *d1,
struct domain *d2,
uint32_t flags)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused int dummy_grant_unmapref(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused int dummy_grant_setup(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_grant_transfer(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused int dummy_grant_copy(struct domain *d1, struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused int dummy_grant_query_size(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_memory_exchange(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
static __maybe_unused int dummy_memory_adjust_reservation(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_memory_stat_reservation(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_console_io(struct domain *d, int cmd)
{
- XSM_ASSERT_ACTION(XSM_OTHER);
if ( d->is_console )
return xsm_default_action(XSM_HOOK, d, NULL);
#ifdef CONFIG_VERBOSE_DEBUG
@@ -231,43 +205,37 @@ static __maybe_unused int dummy_console_io(struct domain *d, int cmd)
static __maybe_unused int dummy_profile(struct domain *d, int op)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d, NULL);
+ return xsm_default_action(XSM_HOOK, d, NULL);
}
static __maybe_unused int dummy_kexec(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_schedop_shutdown(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_PRIV, d1, d2);
}
static __maybe_unused int dummy_memory_pin_page(struct domain *d1,
struct domain *d2,
struct page_info *page)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused int dummy_claim_pages(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_evtchn_unbound(struct domain *d,
struct evtchn *chn,
domid_t id2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
static __maybe_unused int dummy_evtchn_interdomain(struct domain *d1,
@@ -275,8 +243,7 @@ static __maybe_unused int dummy_evtchn_interdomain(struct domain *d1,
struct domain *d2,
struct evtchn *chan2)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_HOOK, d1, d2);
}
static __maybe_unused void dummy_evtchn_close_post(struct evtchn *chn)
@@ -287,22 +254,19 @@ static __maybe_unused void dummy_evtchn_close_post(struct evtchn *chn)
static __maybe_unused int dummy_evtchn_send(struct domain *d,
struct evtchn *chn)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, d, NULL);
+ return xsm_default_action(XSM_HOOK, d, NULL);
}
static __maybe_unused int dummy_evtchn_status(struct domain *d,
struct evtchn *chn)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
static __maybe_unused int dummy_evtchn_reset(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_alloc_security_evtchns(struct evtchn chn[],
@@ -325,47 +289,40 @@ static __maybe_unused char *dummy_show_security_evtchn(struct domain *d,
static __maybe_unused int dummy_init_hardware_domain(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_get_pod_target(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_set_pod_target(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_get_vnumainfo(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
#if defined(CONFIG_HAS_PASSTHROUGH) && defined(CONFIG_HAS_PCI)
static __maybe_unused int dummy_get_device_group(uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_assign_device(struct domain *d,
uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_deassign_device(struct domain *d,
uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
#endif /* HAS_PASSTHROUGH && HAS_PCI */
@@ -374,71 +331,60 @@ static __maybe_unused int dummy_deassign_device(struct domain *d,
static __maybe_unused int dummy_assign_dtdevice(struct domain *d,
const char *dtpath)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_deassign_dtdevice(struct domain *d,
const char *dtpath)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
#endif /* HAS_PASSTHROUGH && HAS_DEVICE_TREE */
static __maybe_unused int dummy_resource_plug_core(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_resource_unplug_core(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_resource_plug_pci(uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_resource_unplug_pci(uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_resource_setup_pci(uint32_t machine_bdf)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_resource_setup_gsi(int gsi)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_resource_setup_misc(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_page_offline(uint32_t cmd)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_HOOK, current->domain, NULL);
}
static __maybe_unused int dummy_hypfs_op(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused long dummy_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
@@ -461,63 +407,54 @@ static __maybe_unused char *dummy_show_irq_sid(int irq)
static __maybe_unused int dummy_map_domain_pirq(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_map_domain_irq(struct domain *d, int irq,
const void *data)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_unmap_domain_pirq(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_bind_pt_irq(struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_unbind_pt_irq(struct domain *d,
struct xen_domctl_bind_pt_irq *bind)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_unmap_domain_irq(struct domain *d, int irq,
const void *data)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_irq_permission(struct domain *d, int pirq,
uint8_t allow)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_iomem_permission(struct domain *d, uint64_t s,
uint64_t e, uint8_t allow)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_iomem_mapping(struct domain *d, uint64_t s,
uint64_t e, uint8_t allow)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_pci_config_permission(struct domain *d,
@@ -526,54 +463,45 @@ static __maybe_unused int dummy_pci_config_permission(struct domain *d,
uint16_t end,
uint8_t access)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_add_to_physmap(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_remove_from_physmap(struct domain *d1,
struct domain *d2)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d1, d2);
+ return xsm_default_action(XSM_TARGET, d1, d2);
}
static __maybe_unused int dummy_map_gmfn_foreign(struct domain *d,
struct domain *t)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d, t);
+ return xsm_default_action(XSM_TARGET, d, t);
}
static __maybe_unused int dummy_hvm_param(struct domain *d, unsigned long op)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
static __maybe_unused int dummy_hvm_control(struct domain *d, unsigned long op)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_hvm_param_altp2mhvm(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_PRIV, current->domain, d);
}
static __maybe_unused int dummy_hvm_altp2mhvm_op(struct domain *d,
uint64_t mode, uint32_t op)
{
- XSM_ASSERT_ACTION(XSM_OTHER);
-
switch ( mode )
{
case XEN_ALTP2M_mixed:
@@ -592,127 +520,109 @@ static __maybe_unused int dummy_hvm_altp2mhvm_op(struct domain *d,
static __maybe_unused int dummy_vm_event_control(struct domain *d, int mode,
int op)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_PRIV, current->domain, d);
}
#ifdef CONFIG_MEM_ACCESS
static __maybe_unused int dummy_mem_access(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
#endif
#ifdef CONFIG_MEM_PAGING
static __maybe_unused int dummy_mem_paging(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
#endif
#ifdef CONFIG_MEM_SHARING
static __maybe_unused int dummy_mem_sharing(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
#endif
static __maybe_unused int dummy_platform_op(uint32_t op)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
#ifdef CONFIG_X86
static __maybe_unused int dummy_do_mca(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_shadow_control(struct domain *d, uint32_t op)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_mem_sharing_op(struct domain *d,
struct domain *cd, int op)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, cd);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, cd);
}
static __maybe_unused int dummy_apic(struct domain *d, int cmd)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, d, NULL);
+ return xsm_default_action(XSM_PRIV, d, NULL);
}
static __maybe_unused int dummy_machine_memory_map(XSM_DEFAULT_VOID)
{
- XSM_ASSERT_ACTION(XSM_PRIV);
- return xsm_default_action(action, current->domain, NULL);
+ return xsm_default_action(XSM_PRIV, current->domain, NULL);
}
static __maybe_unused int dummy_domain_memory_map(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_TARGET, current->domain, d);
}
static __maybe_unused int dummy_mmu_update(struct domain *d, struct domain *t,
struct domain *f, uint32_t flags)
{
int rc = 0;
- XSM_ASSERT_ACTION(XSM_TARGET);
if ( f != dom_io )
- rc = xsm_default_action(action, d, f);
+ rc = xsm_default_action(XSM_TARGET, d, f);
if ( evaluate_nospec(t) && !rc )
- rc = xsm_default_action(action, d, t);
+ rc = xsm_default_action(XSM_TARGET, d, t);
return rc;
}
static __maybe_unused int dummy_mmuext_op(struct domain *d, struct domain *f)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d, f);
+ return xsm_default_action(XSM_TARGET, d, f);
}
static __maybe_unused int dummy_update_va_mapping(struct domain *d,
struct domain *f,
l1_pgentry_t pte)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d, f);
+ return xsm_default_action(XSM_TARGET, d, f);
}
static __maybe_unused int dummy_priv_mapping(struct domain *d, struct domain *t)
{
- XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d, t);
+ return xsm_default_action(XSM_TARGET, d, t);
}
static __maybe_unused int dummy_ioport_permission(struct domain *d, uint32_t s,
uint32_t e, uint8_t allow)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_ioport_mapping(struct domain *d, uint32_t s,
uint32_t e, uint8_t allow)
{
- XSM_ASSERT_ACTION(XSM_HOOK);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_HOOK, current->domain, d);
}
static __maybe_unused int dummy_pmu_op (struct domain *d, unsigned int op)
{
- XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
{
case XENPMU_init:
@@ -729,8 +639,7 @@ static __maybe_unused int dummy_pmu_op (struct domain *d, unsigned int op)
static __maybe_unused int dummy_dm_op(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
#ifdef CONFIG_ARGO
@@ -761,7 +670,6 @@ static __maybe_unused int dummy_argo_send(const struct domain *d,
#include <public/version.h>
static __maybe_unused int dummy_xen_version(uint32_t op)
{
- XSM_ASSERT_ACTION(XSM_OTHER);
switch ( op )
{
case XENVER_version:
@@ -785,6 +693,5 @@ static __maybe_unused int dummy_xen_version(uint32_t op)
static __maybe_unused int dummy_domain_resource_map(struct domain *d)
{
- XSM_ASSERT_ACTION(XSM_DM_PRIV);
- return xsm_default_action(action, current->domain, d);
+ return xsm_default_action(XSM_DM_PRIV, current->domain, d);
}
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* Re: [PATCH 0/6] xsm: refactoring xsm hooks
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
` (5 preceding siblings ...)
2021-06-17 23:39 ` [PATCH 6/6] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
@ 2021-06-18 10:14 ` Andrew Cooper
2021-06-18 11:48 ` Jan Beulich
2021-06-18 15:53 ` Daniel P. Smith
6 siblings, 2 replies; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 10:14 UTC (permalink / raw)
To: Daniel P. Smith, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 18/06/2021 00:39, Daniel P. Smith wrote:
> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
> patch set is being split into two separate patch sets. This is the first
> patch set and is focused purely on the clean up and refactoring of the
> XSM hooks.
>
> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
> infrastructure. Then proceeds to move and realign the headers to remove the
> psuedo is/is not enable implementation. The remainder of the changes are clean up
> and removing no longer necessary abstractions.
>
> <snip>
> 51 files changed, 1309 insertions(+), 1413 deletions(-)
The diffstat is great, but sadly CI says no.
https://gitlab.com/xen-project/patchew/xen/-/pipelines/323044913
The problem is that ARM doesn't have alternative_vcall(). Given how
much of an improvement this ought to be for hypercalls, I don't want to
lose the vcalls.
One option is to implement vcall() support on ARM, but that will leave
new architectures (RISC-V on the way) with a heavy lift to get XSM to
compile.
Instead, what we want to do is make vcall() a common interface, falling
back to a plain function pointer call for architectures which don't
implement the optimisation. So something like:
1) Introduce CONFIG_HAS_VCALL, which is selected by X86 only right now
2) Introduce xen/vcall.h which uses CONFIG_HAS_VCALL to either include
asm/vcall.h or provide the fallback implementation
3) Switch x86's current use over to this new interface
The iommu_vcall() is a red herring, not adequately documented, and needs
to stay in some form. Specifically, it needs to not become an
alternative on ARM, even if ARM gains vcalls. I'd be tempted to rework
it in 4) to use the common vcall() by default, and leave ARM as the
special case overriding the default behaviour, along with an explanation
of why it isn't a vcall().
Obviously, name subject bikeshedding. alternative_vcall() is a bit of a
mouthful, and I don't think that alt_vcall() loses any salient information.
Thoughts?
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
@ 2021-06-18 11:34 ` Andrew Cooper
2021-06-18 11:44 ` Jan Beulich
2021-06-18 16:17 ` Daniel P. Smith
2021-07-12 12:36 ` [PATCH 0.5/6] xen: Implement xen/alternative-call.h for use in common code Andrew Cooper
1 sibling, 2 replies; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 11:34 UTC (permalink / raw)
To: Daniel P. Smith, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 18/06/2021 00:39, Daniel P. Smith wrote:
> The assignment and setup of xsm_ops structure was refactored to make it a
> one-time assignment. The calling of the xsm_ops were refactored to use the
> alternate_call framework to reduce the need for retpolines.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
I think the commit message needs a little more explanation for anyone
doing code archaeology.
AFAICT, the current infrastructure has some (incomplete?) support for
Flask to unload itself as the security engine, which doesn't sounds like
a clever thing in general.
What we do here is make a semantic change to say that the security
engine (Dummy, Flask or SILO) gets chosen once during boot, and is
immutable thereafter. This is better from a security standpoint (no
accidentally unloading Flask at runtime), and allows for the use of the
alternative_vcall() infrastructure to drop all the function pointer calls.
Does that about sum things up?
> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
> index 01e52138a1..df9fcc1d6d 100644
> --- a/xen/xsm/flask/flask_op.c
> +++ b/xen/xsm/flask/flask_op.c
> @@ -225,26 +225,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
>
> static int flask_disable(void)
> {
> - static int flask_disabled = 0;
> -
> - if ( ss_initialized )
> - {
> - /* Not permitted after initial policy load. */
> - return -EINVAL;
> - }
> -
> - if ( flask_disabled )
> - {
> - /* Only do this once. */
> - return -EINVAL;
> - }
> -
> - printk("Flask: Disabled at runtime.\n");
> -
> - flask_disabled = 1;
> -
> - /* Reset xsm_ops to the original module. */
> - xsm_ops = &dummy_xsm_ops;
> + printk("Flask: Disabling is not supported.\n");
Judging by this, should this patch be split up more?
I think you want to remove FLASK_DISABLE (and this function too - just
return -EOPNOTSUPP in the parent) as a separate explained change (as it
is a logical change in how Flask works).
The second patch wants to be the rest, which changes the indirection of
xsm_ops and converts to vcall(). This is a fairly mechanical change
without semantic changes.
I'm unsure if you want a 3rd patch in the middle, separating the
xsm_core_init() juggling, with the "switch to using vcall()". It might
be a good idea for more easily demonstrating the changes, but I'll leave
it to your judgement.
> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
> index 5eab21e1b1..acc1af7166 100644
> --- a/xen/xsm/xsm_core.c
> +++ b/xen/xsm/xsm_core.c
> static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
> {
> #ifdef CONFIG_XSM_FLASK_POLICY
> @@ -87,17 +86,22 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
> }
> #endif
>
> - if ( verify(&dummy_xsm_ops) )
> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
> {
> - printk(XENLOG_ERR "Could not verify dummy_xsm_ops structure\n");
> + printk(XENLOG_ERR
> + "Could not init XSM, xsm_ops register already attempted\n");
Indentation.
> return -EIO;
> }
>
> - xsm_ops = &dummy_xsm_ops;
> + /* install the dummy ops as default to ensure ops
> + * are defined if requested policy fails init
> + */
> + xsm_fixup_ops(&xsm_ops);
/* Comment style. */
or
/*
* Multi-
* line comment style.
*/
> switch ( xsm_bootparam )
> {
> case XSM_BOOTPARAM_DUMMY:
> + xsm_ops_registered = XSM_OPS_REGISTERED;
> break;
>
> case XSM_BOOTPARAM_FLASK:
> @@ -113,6 +117,9 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
> break;
> }
>
> + if ( xsm_ops_registered != XSM_OPS_REGISTERED )
> + xsm_ops_registered = XSM_OPS_REG_FAILED;
> +
> return 0;
> }
>
> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>
> int __init register_xsm(struct xsm_operations *ops)
> {
> - if ( verify(ops) )
> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
> + return -EAGAIN;
I know you moved this around the function, but it really isn't -EAGAIN
material any more. It's "too late - nope".
-EEXIST is probably best for "I'm never going to tolerate another call".
> +
> + if ( !ops )
> {
> - printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
> + xsm_ops_registered = XSM_OPS_REG_FAILED;
> + printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
> return -EINVAL;
Honestly, I'd be half tempted to declare register_xsm() with
__nonnull(0) and let the compiler reject any attempt to pass a NULL ops
pointer.
Both callers pass a pointer to a static singleton objects.
> }
>
> - if ( xsm_ops != &dummy_xsm_ops )
> - return -EAGAIN;
> + /* use dummy ops for any empty ops */
> + xsm_fixup_ops(ops);
Isn't this redundant with the call in xsm_core_init(), seeing as
register_xsm() must be nested within the switch statement?
> - xsm_ops = ops;
> + xsm_ops = *ops;
> + xsm_ops_registered = XSM_OPS_REGISTERED;
>
> return 0;
> }
Having got to the end, the xsm_core_init() vs register_xsm() dynamic is
quite weird.
I think it would result in clearer code to have init_{flask,silo}()
return pointers to their struct xsm_operations *, and let
xsm_core_init() do the copy in to xsm_ops. This reduces the scope of
xsm_ops_state to this function only, and gets rid of at least one
runtime panic() call which is dead code.
If you were to go with this approach, you'd definitely want to split
into the 3-patch approach.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-18 11:34 ` Andrew Cooper
@ 2021-06-18 11:44 ` Jan Beulich
2021-06-18 11:45 ` Andrew Cooper
2021-06-18 16:26 ` Daniel P. Smith
2021-06-18 16:17 ` Daniel P. Smith
1 sibling, 2 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 11:44 UTC (permalink / raw)
To: Andrew Cooper, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 13:34, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>>
>> int __init register_xsm(struct xsm_operations *ops)
>> {
>> - if ( verify(ops) )
>> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
>> + return -EAGAIN;
>
> I know you moved this around the function, but it really isn't -EAGAIN
> material any more. It's "too late - nope".
>
> -EEXIST is probably best for "I'm never going to tolerate another call".
>
>> +
>> + if ( !ops )
>> {
>> - printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
>> + xsm_ops_registered = XSM_OPS_REG_FAILED;
>> + printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
>> return -EINVAL;
>
> Honestly, I'd be half tempted to declare register_xsm() with
> __nonnull(0) and let the compiler reject any attempt to pass a NULL ops
> pointer.
>
> Both callers pass a pointer to a static singleton objects.
Why check at all when the source of the arguments is all internal?
We don't check pointers to be non-NULL elsewhere, with a few odd
exceptions (which imo should all be dropped).
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-18 11:44 ` Jan Beulich
@ 2021-06-18 11:45 ` Andrew Cooper
2021-06-18 16:26 ` Daniel P. Smith
1 sibling, 0 replies; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 11:45 UTC (permalink / raw)
To: Jan Beulich, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18/06/2021 12:44, Jan Beulich wrote:
> On 18.06.2021 13:34, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>>>
>>> int __init register_xsm(struct xsm_operations *ops)
>>> {
>>> - if ( verify(ops) )
>>> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
>>> + return -EAGAIN;
>> I know you moved this around the function, but it really isn't -EAGAIN
>> material any more. It's "too late - nope".
>>
>> -EEXIST is probably best for "I'm never going to tolerate another call".
>>
>>> +
>>> + if ( !ops )
>>> {
>>> - printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
>>> + xsm_ops_registered = XSM_OPS_REG_FAILED;
>>> + printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
>>> return -EINVAL;
>> Honestly, I'd be half tempted to declare register_xsm() with
>> __nonnull(0) and let the compiler reject any attempt to pass a NULL ops
>> pointer.
>>
>> Both callers pass a pointer to a static singleton objects.
> Why check at all when the source of the arguments is all internal?
> We don't check pointers to be non-NULL elsewhere, with a few odd
> exceptions (which imo should all be dropped).
That too. At the end of my email, I suggested an alternative approach
which would remove register_xsm() entirely, and I think that is a
better-still way forward.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/6] xsm: refactoring xsm hooks
2021-06-18 10:14 ` [PATCH 0/6] xsm: refactoring xsm hooks Andrew Cooper
@ 2021-06-18 11:48 ` Jan Beulich
2021-06-18 21:21 ` Andrew Cooper
2021-06-18 15:53 ` Daniel P. Smith
1 sibling, 1 reply; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 11:48 UTC (permalink / raw)
To: Andrew Cooper, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 12:14, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
>> patch set is being split into two separate patch sets. This is the first
>> patch set and is focused purely on the clean up and refactoring of the
>> XSM hooks.
>>
>> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
>> infrastructure. Then proceeds to move and realign the headers to remove the
>> psuedo is/is not enable implementation. The remainder of the changes are clean up
>> and removing no longer necessary abstractions.
>>
>> <snip>
>> 51 files changed, 1309 insertions(+), 1413 deletions(-)
>
> The diffstat is great, but sadly CI says no.
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/323044913
>
> The problem is that ARM doesn't have alternative_vcall(). Given how
> much of an improvement this ought to be for hypercalls, I don't want to
> lose the vcalls.
>
> One option is to implement vcall() support on ARM, but that will leave
> new architectures (RISC-V on the way) with a heavy lift to get XSM to
> compile.
>
> Instead, what we want to do is make vcall() a common interface, falling
> back to a plain function pointer call for architectures which don't
> implement the optimisation. So something like:
>
> 1) Introduce CONFIG_HAS_VCALL, which is selected by X86 only right now
> 2) Introduce xen/vcall.h which uses CONFIG_HAS_VCALL to either include
> asm/vcall.h or provide the fallback implementation
A word on the suggested names: The 'v' in alternative_vcall() stands for
"returning void", as opposed to alternative_call(). It's unclear to me
what you see it stand for in the names you propose.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-17 23:39 ` [PATCH 3/6] xsm: enabling xsm to always be included Daniel P. Smith
@ 2021-06-18 11:53 ` Andrew Cooper
2021-06-18 16:35 ` Daniel P. Smith
2021-06-18 12:26 ` Jan Beulich
1 sibling, 1 reply; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 11:53 UTC (permalink / raw)
To: Daniel P. Smith, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 18/06/2021 00:39, Daniel P. Smith wrote:
> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
> is whether the XSM hooks in dummy.h are called as static inline functions or as function
> pointers to static functions. As such this commit,
> * eliminates CONFIG_XSM
> * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
> * makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> ---
> xen/common/Kconfig | 55 ++++-----
> xen/include/xen/sched.h | 2 +-
> xen/include/xsm/xsm-core.h | 26 ----
> xen/include/xsm/xsm.h | 8 --
> xen/xsm/Makefile | 4 +-
> xen/xsm/dummy.c | 4 +-
> xen/{include => }/xsm/dummy.h | 220 ++++++++++++++++------------------
> xen/xsm/silo.c | 17 +--
> xen/xsm/xsm_core.c | 4 -
> 9 files changed, 142 insertions(+), 198 deletions(-)
> rename xen/{include => }/xsm/dummy.h (63%)
>
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index 0ddd18e11a..203ad7ea23 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -197,22 +197,33 @@ config XENOPROF
>
> If unsure, say Y.
>
> -config XSM
> - bool "Xen Security Modules support"
> - default ARM
> - ---help---
> - Enables the security framework known as Xen Security Modules which
> - allows administrators fine-grained control over a Xen domain and
> - its capabilities by defining permissible interactions between domains,
> - the hypervisor itself, and related resources such as memory and
> - devices.
> +menu "Xen Security Modules"
>
> - If unsure, say N.
> +choice
> + prompt "Default XSM module"
> + default XSM_SILO_DEFAULT if XSM_SILO && ARM
> + default XSM_FLASK_DEFAULT if XSM_FLASK
> + default XSM_SILO_DEFAULT if XSM_SILO
> + default XSM_DUMMY_DEFAULT
> + config XSM_DUMMY_DEFAULT
> + bool "Match non-XSM behavior"
There is no non-XSM behaviour any more.
Is it time to rename Dummy to "traditional dom0-all-powerful" or
something suitable?
> + config XSM_FLASK_DEFAULT
> + bool "FLux Advanced Security Kernel" if XSM_FLASK
> + config XSM_SILO_DEFAULT
> + bool "SILO" if XSM_SILO
> +endchoice
> +
> +config XSM_EVTCHN_LABELING
> + bool "Enables security labeling of event channels"
> + default n
> + ---help---
> + This enables an XSM module to label and enforce access control over
> + event channels.
Please use help rather than ---help--- for new options (its changed in
upstream Kconfig). The indentation of the help message wants to be one
tab, then two spaces. (Yes, sadly...)
> config XSM_FLASK
> - def_bool y
> + def_bool n
> prompt "FLux Advanced Security Kernel support"
> - depends on XSM
> + select XSM_EVTCHN_LABELING
> ---help---
> Enables FLASK (FLux Advanced Security Kernel) as the access control
> mechanism used by the XSM framework. This provides a mandatory access
> @@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
> If unsure, say Y.
>
> config XSM_SILO
> - def_bool y
> + def_bool n
I'm not sure we want to alter the FLASK/SILO defaults. SILO in
particular is mandatory on ARM, and without it, you're in a security
unsupported configuration.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions
2021-06-17 23:39 ` [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions Daniel P. Smith
@ 2021-06-18 11:56 ` Andrew Cooper
2021-06-18 16:35 ` Daniel P. Smith
2021-06-18 12:32 ` Jan Beulich
1 sibling, 1 reply; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 11:56 UTC (permalink / raw)
To: Daniel P. Smith, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 18/06/2021 00:39, Daniel P. Smith wrote:
> With the conversion of making XSM always enabled even the dummy XSM module is
> being invoked through the xsm_ops dispatch which does not use passing of the
> default privilege. This commit removes the xen_default_t parameter from the hook
> definitions and all the respective call sites.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
I'm struggling to parse the first sentence. Also, there's a typo in the
subject.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-17 23:39 ` [PATCH 5/6] xsm: expanding function related macros in dummy.h Daniel P. Smith
@ 2021-06-18 12:03 ` Andrew Cooper
2021-06-18 12:40 ` Jan Beulich
2021-06-18 16:36 ` Daniel P. Smith
0 siblings, 2 replies; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 12:03 UTC (permalink / raw)
To: Daniel P. Smith, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 18/06/2021 00:39, Daniel P. Smith wrote:
> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
> index 7e2bb09dac..0f8ea163af 100644
> --- a/xen/xsm/dummy.h
> +++ b/xen/xsm/dummy.h
> @@ -9,7 +9,7 @@
> *
> *
> * Each XSM hook implementing an access check should have its first parameter
> - * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
> + * preceded by (or use XSM_DEFAULT_VOID if it has no
> * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
> * with the expected type of the hook, which will either define or check the
> * value of action.
> @@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
> * xsm_default_t argument available, so the value from the assertion is used to
> * initialize the variable.
> */
> -#define XSM_INLINE __maybe_unused
Nothing in a header file should ever need __maybe_unused. Now that the
!XSM case has been untangled, I think this can be dropped, rather than
expanded inline.
> -
> -#define XSM_DEFAULT_ARG /* */
> #define XSM_DEFAULT_VOID void
XSM_DEFAULT_VOID needs to disappear too. I can't see what it is even
doing before the cleanup, because if it is missing, you'll fail the
compile for using K&R style functions.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-17 23:39 ` [PATCH 3/6] xsm: enabling xsm to always be included Daniel P. Smith
2021-06-18 11:53 ` Andrew Cooper
@ 2021-06-18 12:26 ` Jan Beulich
2021-06-18 20:27 ` Daniel P. Smith
2021-06-18 21:20 ` Andrew Cooper
1 sibling, 2 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 12:26 UTC (permalink / raw)
To: Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 01:39, Daniel P. Smith wrote:
> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
> is whether the XSM hooks in dummy.h are called as static inline functions or as function
> pointers to static functions. As such this commit,
> * eliminates CONFIG_XSM
Following from what Andrew has said (including him mentioning your
changing of certain Kconfig option defaults), I'm not convinced this is
a good move. This still ought to serve as the overall XSM-yes-or-no
setting. If internally you make said two variants match in behavior,
that's a different thing.
> * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
Is this mode needed as separate functionality at all? Nothing defines
XSM_NEED_GENERIC_EVTCHN_SSID anywhere. _If_ XSM went away as a separate
setting, then imo this one should go away as well.
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -197,22 +197,33 @@ config XENOPROF
>
> If unsure, say Y.
>
> -config XSM
> - bool "Xen Security Modules support"
> - default ARM
> - ---help---
> - Enables the security framework known as Xen Security Modules which
> - allows administrators fine-grained control over a Xen domain and
> - its capabilities by defining permissible interactions between domains,
> - the hypervisor itself, and related resources such as memory and
> - devices.
> +menu "Xen Security Modules"
>
> - If unsure, say N.
> +choice
> + prompt "Default XSM module"
> + default XSM_SILO_DEFAULT if XSM_SILO && ARM
> + default XSM_FLASK_DEFAULT if XSM_FLASK
> + default XSM_SILO_DEFAULT if XSM_SILO
> + default XSM_DUMMY_DEFAULT
> + config XSM_DUMMY_DEFAULT
> + bool "Match non-XSM behavior"
> + config XSM_FLASK_DEFAULT
> + bool "FLux Advanced Security Kernel" if XSM_FLASK
> + config XSM_SILO_DEFAULT
> + bool "SILO" if XSM_SILO
> +endchoice
This did live after the individual options it depends on for a reason,
and you don't say anywhere why you need to move it up. The way you
have it, with the default command line kconfig tool, users will be
presented with dependent options before having chosen the settings of
the dependency ones. That's because this tool, to a degree, moves
linearly through the options it has parsed.
> @@ -261,25 +271,12 @@ config XSM_SILO
>
> If unsure, say Y.
>
> -choice
> - prompt "Default XSM implementation"
> - depends on XSM
> - default XSM_SILO_DEFAULT if XSM_SILO && ARM
> - default XSM_FLASK_DEFAULT if XSM_FLASK
> - default XSM_SILO_DEFAULT if XSM_SILO
> - default XSM_DUMMY_DEFAULT
> - config XSM_DUMMY_DEFAULT
> - bool "Match non-XSM behavior"
> - config XSM_FLASK_DEFAULT
> - bool "FLux Advanced Security Kernel" if XSM_FLASK
> - config XSM_SILO_DEFAULT
> - bool "SILO" if XSM_SILO
> -endchoice
> +endmenu
>
> config LATE_HWDOM
> bool "Dedicated hardware domain"
> default n
> - depends on XSM && X86
> + depends on XSM_FLASK && X86
I don't think this is a compatible change. I'm not going to exclude that
this is how it was meant, but as it stands LATE_HWDOM right now doesn't
really require FLASK, and could e.g. also go with SILO or dummy. If you
_mean_ to change this, then your description needs to say so (and ideally
it would then be split out, so - if this is actually a bug - it could
also be backported).
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions
2021-06-17 23:39 ` [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions Daniel P. Smith
2021-06-18 11:56 ` Andrew Cooper
@ 2021-06-18 12:32 ` Jan Beulich
1 sibling, 0 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 12:32 UTC (permalink / raw)
To: Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 01:39, Daniel P. Smith wrote:
> With the conversion of making XSM always enabled even the dummy XSM module is
> being invoked through the xsm_ops dispatch which does not use passing of the
> default privilege. This commit removes the xen_default_t parameter from the hook
> definitions and all the respective call sites.
I don't think it has really become clear from the earlier patches
that even in dummy mode we now have (as per my reading of the
above) actual function calls, where previously everything got
inlined in this case. I'm afraid I view this as another argument
against the removal of XSM as a top level Kconfig option.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-18 12:03 ` Andrew Cooper
@ 2021-06-18 12:40 ` Jan Beulich
2021-06-18 12:44 ` Jan Beulich
2021-06-18 16:36 ` Daniel P. Smith
1 sibling, 1 reply; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 12:40 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
Daniel P. Smith, xen-devel
On 18.06.2021 14:03, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>> index 7e2bb09dac..0f8ea163af 100644
>> --- a/xen/xsm/dummy.h
>> +++ b/xen/xsm/dummy.h
>> @@ -9,7 +9,7 @@
>> *
>> *
>> * Each XSM hook implementing an access check should have its first parameter
>> - * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
>> + * preceded by (or use XSM_DEFAULT_VOID if it has no
>> * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
>> * with the expected type of the hook, which will either define or check the
>> * value of action.
>> @@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
>> * xsm_default_t argument available, so the value from the assertion is used to
>> * initialize the variable.
>> */
>> -#define XSM_INLINE __maybe_unused
>
> Nothing in a header file should ever need __maybe_unused. Now that the
> !XSM case has been untangled, I think this can be dropped, rather than
> expanded inline.
>
>> -
>> -#define XSM_DEFAULT_ARG /* */
>> #define XSM_DEFAULT_VOID void
>
> XSM_DEFAULT_VOID needs to disappear too. I can't see what it is even
> doing before the cleanup, because if it is missing, you'll fail the
> compile for using K&R style functions.
You need to look at the state before patch 3 to see its purpose. Patch 3
removed the other variant, and hence the need for this one as well, but
I think it is reasonable to not clean up everything in one go (unless
it would mean touching exactly the same code a 2nd time later on).
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-18 12:40 ` Jan Beulich
@ 2021-06-18 12:44 ` Jan Beulich
2021-06-18 16:38 ` Daniel P. Smith
0 siblings, 1 reply; 38+ messages in thread
From: Jan Beulich @ 2021-06-18 12:44 UTC (permalink / raw)
To: Andrew Cooper, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 14:40, Jan Beulich wrote:
> On 18.06.2021 14:03, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>>> index 7e2bb09dac..0f8ea163af 100644
>>> --- a/xen/xsm/dummy.h
>>> +++ b/xen/xsm/dummy.h
>>> @@ -9,7 +9,7 @@
>>> *
>>> *
>>> * Each XSM hook implementing an access check should have its first parameter
>>> - * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
>>> + * preceded by (or use XSM_DEFAULT_VOID if it has no
>>> * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
>>> * with the expected type of the hook, which will either define or check the
>>> * value of action.
>>> @@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
>>> * xsm_default_t argument available, so the value from the assertion is used to
>>> * initialize the variable.
>>> */
>>> -#define XSM_INLINE __maybe_unused
>>
>> Nothing in a header file should ever need __maybe_unused. Now that the
>> !XSM case has been untangled, I think this can be dropped, rather than
>> expanded inline.
>>
>>> -
>>> -#define XSM_DEFAULT_ARG /* */
>>> #define XSM_DEFAULT_VOID void
>>
>> XSM_DEFAULT_VOID needs to disappear too. I can't see what it is even
>> doing before the cleanup, because if it is missing, you'll fail the
>> compile for using K&R style functions.
>
> You need to look at the state before patch 3 to see its purpose. Patch 3
> removed the other variant, and hence the need for this one as well, but
> I think it is reasonable to not clean up everything in one go (unless
> it would mean touching exactly the same code a 2nd time later on).
Albeit, having looked at the patch itself, I agree it should be dropped
here together with XSM_DEFAULT_ARG, of which it is (was) a companion.
But again, all provided there is agreement to remove the top level XSM
option, which I personally don't think is a good idea.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/6] xsm: refactoring xsm hooks
2021-06-18 10:14 ` [PATCH 0/6] xsm: refactoring xsm hooks Andrew Cooper
2021-06-18 11:48 ` Jan Beulich
@ 2021-06-18 15:53 ` Daniel P. Smith
1 sibling, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 15:53 UTC (permalink / raw)
To: Andrew Cooper, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 6/18/21 6:14 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
>> patch set is being split into two separate patch sets. This is the first
>> patch set and is focused purely on the clean up and refactoring of the
>> XSM hooks.
>>
>> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
>> infrastructure. Then proceeds to move and realign the headers to remove the
>> psuedo is/is not enable implementation. The remainder of the changes are clean up
>> and removing no longer necessary abstractions.
>>
>> <snip>
>> 51 files changed, 1309 insertions(+), 1413 deletions(-)
>
> The diffstat is great, but sadly CI says no.
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/323044913
>
> The problem is that ARM doesn't have alternative_vcall(). Given how
> much of an improvement this ought to be for hypercalls, I don't want to
> lose the vcalls.
>
> One option is to implement vcall() support on ARM, but that will leave
> new architectures (RISC-V on the way) with a heavy lift to get XSM to
> compile.
>
> Instead, what we want to do is make vcall() a common interface, falling
> back to a plain function pointer call for architectures which don't
> implement the optimisation. So something like:
>
> 1) Introduce CONFIG_HAS_VCALL, which is selected by X86 only right now
> 2) Introduce xen/vcall.h which uses CONFIG_HAS_VCALL to either include
> asm/vcall.h or provide the fallback implementation
> 3) Switch x86's current use over to this new interface
>
> The iommu_vcall() is a red herring, not adequately documented, and needs
> to stay in some form. Specifically, it needs to not become an
> alternative on ARM, even if ARM gains vcalls. I'd be tempted to rework
> it in 4) to use the common vcall() by default, and leave ARM as the
> special case overriding the default behaviour, along with an explanation
> of why it isn't a vcall().
>
> Obviously, name subject bikeshedding. alternative_vcall() is a bit of a
> mouthful, and I don't think that alt_vcall() loses any salient information.
>
> Thoughts?
I can look at spinning an attempt at what you are suggesting and submitting.
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-18 11:34 ` Andrew Cooper
2021-06-18 11:44 ` Jan Beulich
@ 2021-06-18 16:17 ` Daniel P. Smith
1 sibling, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:17 UTC (permalink / raw)
To: Andrew Cooper, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 6/18/21 7:34 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> The assignment and setup of xsm_ops structure was refactored to make it a
>> one-time assignment. The calling of the xsm_ops were refactored to use the
>> alternate_call framework to reduce the need for retpolines.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>
> I think the commit message needs a little more explanation for anyone
> doing code archaeology.
>
> AFAICT, the current infrastructure has some (incomplete?) support for
> Flask to unload itself as the security engine, which doesn't sounds like
> a clever thing in general.
>
> What we do here is make a semantic change to say that the security
> engine (Dummy, Flask or SILO) gets chosen once during boot, and is
> immutable thereafter. This is better from a security standpoint (no
> accidentally unloading Flask at runtime), and allows for the use of the
> alternative_vcall() infrastructure to drop all the function pointer calls.
>
> Does that about sum things up?
ack
>> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
>> index 01e52138a1..df9fcc1d6d 100644
>> --- a/xen/xsm/flask/flask_op.c
>> +++ b/xen/xsm/flask/flask_op.c
>> @@ -225,26 +225,7 @@ static int flask_security_sid(struct xen_flask_sid_context *arg)
>>
>> static int flask_disable(void)
>> {
>> - static int flask_disabled = 0;
>> -
>> - if ( ss_initialized )
>> - {
>> - /* Not permitted after initial policy load. */
>> - return -EINVAL;
>> - }
>> -
>> - if ( flask_disabled )
>> - {
>> - /* Only do this once. */
>> - return -EINVAL;
>> - }
>> -
>> - printk("Flask: Disabled at runtime.\n");
>> -
>> - flask_disabled = 1;
>> -
>> - /* Reset xsm_ops to the original module. */
>> - xsm_ops = &dummy_xsm_ops;
>> + printk("Flask: Disabling is not supported.\n");
>
> Judging by this, should this patch be split up more?
>
> I think you want to remove FLASK_DISABLE (and this function too - just
> return -EOPNOTSUPP in the parent) as a separate explained change (as it
> is a logical change in how Flask works).
>
> The second patch wants to be the rest, which changes the indirection of
> xsm_ops and converts to vcall(). This is a fairly mechanical change
> without semantic changes.
>
> I'm unsure if you want a 3rd patch in the middle, separating the
> xsm_core_init() juggling, with the "switch to using vcall()". It might
> be a good idea for more easily demonstrating the changes, but I'll leave
> it to your judgement.
>
>> diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
>> index 5eab21e1b1..acc1af7166 100644
>> --- a/xen/xsm/xsm_core.c
>> +++ b/xen/xsm/xsm_core.c
>> static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>> {
>> #ifdef CONFIG_XSM_FLASK_POLICY
>> @@ -87,17 +86,22 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>> }
>> #endif
>>
>> - if ( verify(&dummy_xsm_ops) )
>> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
>> {
>> - printk(XENLOG_ERR "Could not verify dummy_xsm_ops structure\n");
>> + printk(XENLOG_ERR
>> + "Could not init XSM, xsm_ops register already attempted\n");
>
> Indentation.
ack
>> return -EIO;
>> }
>>
>> - xsm_ops = &dummy_xsm_ops;
>> + /* install the dummy ops as default to ensure ops
>> + * are defined if requested policy fails init
>> + */
>> + xsm_fixup_ops(&xsm_ops);
>
> /* Comment style. */
>
> or
>
> /*
> * Multi-
> * line comment style.
> */
ack
>> switch ( xsm_bootparam )
>> {
>> case XSM_BOOTPARAM_DUMMY:
>> + xsm_ops_registered = XSM_OPS_REGISTERED;
>> break;
>>
>> case XSM_BOOTPARAM_FLASK:
>> @@ -113,6 +117,9 @@ static int __init xsm_core_init(const void *policy_buffer, size_t policy_size)
>> break;
>> }
>>
>> + if ( xsm_ops_registered != XSM_OPS_REGISTERED )
>> + xsm_ops_registered = XSM_OPS_REG_FAILED;
>> +
>> return 0;
>> }
>>
>> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>>
>> int __init register_xsm(struct xsm_operations *ops)
>> {
>> - if ( verify(ops) )
>> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
>> + return -EAGAIN;
>
> I know you moved this around the function, but it really isn't -EAGAIN
> material any more. It's "too late - nope".
>
> -EEXIST is probably best for "I'm never going to tolerate another call".
Honestly I didn't think EAGAIN was correct in the first place, so will
gladly change it.
>> +
>> + if ( !ops )
>> {
>> - printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
>> + xsm_ops_registered = XSM_OPS_REG_FAILED;
>> + printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
>> return -EINVAL;
>
> Honestly, I'd be half tempted to declare register_xsm() with
> __nonnull(0) and let the compiler reject any attempt to pass a NULL ops
> pointer.
>
> Both callers pass a pointer to a static singleton objects.
>
>> }
>>
>> - if ( xsm_ops != &dummy_xsm_ops )
>> - return -EAGAIN;
>> + /* use dummy ops for any empty ops */
>> + xsm_fixup_ops(ops);
>
> Isn't this redundant with the call in xsm_core_init(), seeing as
> register_xsm() must be nested within the switch statement?
I don't believe so, the one in xsm_core_init is setting the
default/fallback of xsm_ops var to dummy_* before attempting to register
a policy module's ops. Here in register_xsm we are taking a new instance
of a struct xsm_ops and ensuring every handler has a defined entry
before overwriting the xsm_ops variable with passed in xsm module's ops.
Now with that said, I do like your suggest down at the end.
>> - xsm_ops = ops;
>> + xsm_ops = *ops;
>> + xsm_ops_registered = XSM_OPS_REGISTERED;
>>
>> return 0;
>> }
>
> Having got to the end, the xsm_core_init() vs register_xsm() dynamic is
> quite weird.
>
> I think it would result in clearer code to have init_{flask,silo}()
> return pointers to their struct xsm_operations *, and let
> xsm_core_init() do the copy in to xsm_ops. This reduces the scope of
> xsm_ops_state to this function only, and gets rid of at least one
> runtime panic() call which is dead code.
I agree full.
> If you were to go with this approach, you'd definitely want to split
> into the 3-patch approach.
v2 will have this broken out
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 1/6] xsm: refactor xsm_ops handling
2021-06-18 11:44 ` Jan Beulich
2021-06-18 11:45 ` Andrew Cooper
@ 2021-06-18 16:26 ` Daniel P. Smith
1 sibling, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:26 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 6/18/21 7:44 AM, Jan Beulich wrote:
> On 18.06.2021 13:34, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> @@ -197,16 +204,21 @@ bool __init has_xsm_magic(paddr_t start)
>>>
>>> int __init register_xsm(struct xsm_operations *ops)
>>> {
>>> - if ( verify(ops) )
>>> + if ( xsm_ops_registered != XSM_OPS_UNREGISTERED )
>>> + return -EAGAIN;
>>
>> I know you moved this around the function, but it really isn't -EAGAIN
>> material any more. It's "too late - nope".
>>
>> -EEXIST is probably best for "I'm never going to tolerate another call".
>>
>>> +
>>> + if ( !ops )
>>> {
>>> - printk(XENLOG_ERR "Could not verify xsm_operations structure\n");
>>> + xsm_ops_registered = XSM_OPS_REG_FAILED;
>>> + printk(XENLOG_ERR "Invalid xsm_operations structure registered\n");
>>> return -EINVAL;
>>
>> Honestly, I'd be half tempted to declare register_xsm() with
>> __nonnull(0) and let the compiler reject any attempt to pass a NULL ops
>> pointer.
>>
>> Both callers pass a pointer to a static singleton objects.
>
> Why check at all when the source of the arguments is all internal?
> We don't check pointers to be non-NULL elsewhere, with a few odd
> exceptions (which imo should all be dropped).
In verify(ops) there was a check on ops for NULL, I pulled that check up
into here as I removed verify(). Based on Andy's comment, this function
is looking like it is on the chopping block as well.
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 11:53 ` Andrew Cooper
@ 2021-06-18 16:35 ` Daniel P. Smith
2021-06-21 6:53 ` Jan Beulich
0 siblings, 1 reply; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:35 UTC (permalink / raw)
To: Andrew Cooper, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 6/18/21 7:53 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>> pointers to static functions. As such this commit,
>> * eliminates CONFIG_XSM
>> * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
>> * makes CONFIG_XSM_SILO AND CONFIG_XSM_FLASK default to no
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>> ---
>> xen/common/Kconfig | 55 ++++-----
>> xen/include/xen/sched.h | 2 +-
>> xen/include/xsm/xsm-core.h | 26 ----
>> xen/include/xsm/xsm.h | 8 --
>> xen/xsm/Makefile | 4 +-
>> xen/xsm/dummy.c | 4 +-
>> xen/{include => }/xsm/dummy.h | 220 ++++++++++++++++------------------
>> xen/xsm/silo.c | 17 +--
>> xen/xsm/xsm_core.c | 4 -
>> 9 files changed, 142 insertions(+), 198 deletions(-)
>> rename xen/{include => }/xsm/dummy.h (63%)
>>
>> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
>> index 0ddd18e11a..203ad7ea23 100644
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -197,22 +197,33 @@ config XENOPROF
>>
>> If unsure, say Y.
>>
>> -config XSM
>> - bool "Xen Security Modules support"
>> - default ARM
>> - ---help---
>> - Enables the security framework known as Xen Security Modules which
>> - allows administrators fine-grained control over a Xen domain and
>> - its capabilities by defining permissible interactions between domains,
>> - the hypervisor itself, and related resources such as memory and
>> - devices.
>> +menu "Xen Security Modules"
>>
>> - If unsure, say N.
>> +choice
>> + prompt "Default XSM module"
>> + default XSM_SILO_DEFAULT if XSM_SILO && ARM
>> + default XSM_FLASK_DEFAULT if XSM_FLASK
>> + default XSM_SILO_DEFAULT if XSM_SILO
>> + default XSM_DUMMY_DEFAULT
>> + config XSM_DUMMY_DEFAULT
>> + bool "Match non-XSM behavior"
>
> There is no non-XSM behaviour any more.
>
> Is it time to rename Dummy to "traditional dom0-all-powerful" or
Well, I left as dummy since that is what it has been known by thus far
and additionally the subsequent patch set was going to rename this to
XSM_ROLES/"XSM Role-based Access Control" For the intermediate time, I
can change the wording to reflect the correct state.
>> + config XSM_FLASK_DEFAULT
>> + bool "FLux Advanced Security Kernel" if XSM_FLASK
>> + config XSM_SILO_DEFAULT
>> + bool "SILO" if XSM_SILO
>> +endchoice
>> +
>> +config XSM_EVTCHN_LABELING
>> + bool "Enables security labeling of event channels"
>> + default n
>> + ---help---
>> + This enables an XSM module to label and enforce access control over
>> + event channels.
>
> Please use help rather than ---help--- for new options (its changed in
> upstream Kconfig). The indentation of the help message wants to be one
> tab, then two spaces. (Yes, sadly...)
ack
>> config XSM_FLASK
>> - def_bool y
>> + def_bool n
>> prompt "FLux Advanced Security Kernel support"
>> - depends on XSM
>> + select XSM_EVTCHN_LABELING
>> ---help---
>> Enables FLASK (FLux Advanced Security Kernel) as the access control
>> mechanism used by the XSM framework. This provides a mandatory access
>> @@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
>> If unsure, say Y.
>>
>> config XSM_SILO
>> - def_bool y
>> + def_bool n
>
> I'm not sure we want to alter the FLASK/SILO defaults. SILO in
> particular is mandatory on ARM, and without it, you're in a security
> unsupported configuration.
The intent here is the default is the classic dom0 configuration. What
if I did,
def bool n
def bool y if ARM
v/r
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions
2021-06-18 11:56 ` Andrew Cooper
@ 2021-06-18 16:35 ` Daniel P. Smith
0 siblings, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:35 UTC (permalink / raw)
To: Andrew Cooper, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 6/18/21 7:56 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> With the conversion of making XSM always enabled even the dummy XSM module is
>> being invoked through the xsm_ops dispatch which does not use passing of the
>> default privilege. This commit removes the xen_default_t parameter from the hook
>> definitions and all the respective call sites.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>
> I'm struggling to parse the first sentence. Also, there's a typo in the
> subject.
I will rewrite.
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-18 12:03 ` Andrew Cooper
2021-06-18 12:40 ` Jan Beulich
@ 2021-06-18 16:36 ` Daniel P. Smith
1 sibling, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:36 UTC (permalink / raw)
To: Andrew Cooper, xen-devel
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Jan Beulich, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis
On 6/18/21 8:03 AM, Andrew Cooper wrote:
> On 18/06/2021 00:39, Daniel P. Smith wrote:
>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>> index 7e2bb09dac..0f8ea163af 100644
>> --- a/xen/xsm/dummy.h
>> +++ b/xen/xsm/dummy.h
>> @@ -9,7 +9,7 @@
>> *
>> *
>> * Each XSM hook implementing an access check should have its first parameter
>> - * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
>> + * preceded by (or use XSM_DEFAULT_VOID if it has no
>> * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
>> * with the expected type of the hook, which will either define or check the
>> * value of action.
>> @@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
>> * xsm_default_t argument available, so the value from the assertion is used to
>> * initialize the variable.
>> */
>> -#define XSM_INLINE __maybe_unused
>
> Nothing in a header file should ever need __maybe_unused. Now that the
> !XSM case has been untangled, I think this can be dropped, rather than
> expanded inline.
ack
>> -
>> -#define XSM_DEFAULT_ARG /* */
>> #define XSM_DEFAULT_VOID void
>
> XSM_DEFAULT_VOID needs to disappear too. I can't see what it is even
> doing before the cleanup, because if it is missing, you'll fail the
> compile for using K&R style functions.
ack, will drop
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 5/6] xsm: expanding function related macros in dummy.h
2021-06-18 12:44 ` Jan Beulich
@ 2021-06-18 16:38 ` Daniel P. Smith
0 siblings, 0 replies; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 16:38 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 6/18/21 8:44 AM, Jan Beulich wrote:
> On 18.06.2021 14:40, Jan Beulich wrote:
>> On 18.06.2021 14:03, Andrew Cooper wrote:
>>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>>> diff --git a/xen/xsm/dummy.h b/xen/xsm/dummy.h
>>>> index 7e2bb09dac..0f8ea163af 100644
>>>> --- a/xen/xsm/dummy.h
>>>> +++ b/xen/xsm/dummy.h
>>>> @@ -9,7 +9,7 @@
>>>> *
>>>> *
>>>> * Each XSM hook implementing an access check should have its first parameter
>>>> - * preceded by XSM_DEFAULT_ARG (or use XSM_DEFAULT_VOID if it has no
>>>> + * preceded by (or use XSM_DEFAULT_VOID if it has no
>>>> * arguments). The first non-declaration statement shold be XSM_ASSERT_ACTION
>>>> * with the expected type of the hook, which will either define or check the
>>>> * value of action.
>>>> @@ -47,14 +47,12 @@ void __xsm_action_mismatch_detected(void);
>>>> * xsm_default_t argument available, so the value from the assertion is used to
>>>> * initialize the variable.
>>>> */
>>>> -#define XSM_INLINE __maybe_unused
>>>
>>> Nothing in a header file should ever need __maybe_unused. Now that the
>>> !XSM case has been untangled, I think this can be dropped, rather than
>>> expanded inline.
>>>
>>>> -
>>>> -#define XSM_DEFAULT_ARG /* */
>>>> #define XSM_DEFAULT_VOID void
>>>
>>> XSM_DEFAULT_VOID needs to disappear too. I can't see what it is even
>>> doing before the cleanup, because if it is missing, you'll fail the
>>> compile for using K&R style functions.
>>
>> You need to look at the state before patch 3 to see its purpose. Patch 3
>> removed the other variant, and hence the need for this one as well, but
>> I think it is reasonable to not clean up everything in one go (unless
>> it would mean touching exactly the same code a 2nd time later on).
>
> Albeit, having looked at the patch itself, I agree it should be dropped
> here together with XSM_DEFAULT_ARG, of which it is (was) a companion.
> But again, all provided there is agreement to remove the top level XSM
> option, which I personally don't think is a good idea.
ack, will be removing it
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 12:26 ` Jan Beulich
@ 2021-06-18 20:27 ` Daniel P. Smith
2021-06-21 6:58 ` Jan Beulich
2021-06-18 21:20 ` Andrew Cooper
1 sibling, 1 reply; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-18 20:27 UTC (permalink / raw)
To: Jan Beulich
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 6/18/21 8:26 AM, Jan Beulich wrote:
> On 18.06.2021 01:39, Daniel P. Smith wrote:
>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>> pointers to static functions. As such this commit,
>> * eliminates CONFIG_XSM
>
> Following from what Andrew has said (including him mentioning your
> changing of certain Kconfig option defaults), I'm not convinced this is
> a good move. This still ought to serve as the overall XSM-yes-or-no
> setting. If internally you make said two variants match in behavior,
> that's a different thing.
Apologies that I did not express this clearly. What I was attempting to
say is the fact of the matter is that there is no logical behavior
difference between "XSM no" and "XSM yes with dummy policy". The only
difference is the mechanics of how the dummy functions get called.
Specifically via macro magic the dummy functions are either flipped into
static inline declarations that are then included into the code where
they are invoked or the macro magic has them ending up in the dummy.c
XSM module where they are wrapped in macro generated functions that are
set as the functions in the dummy xsm_ops structure. Thus it is always
the same logic being invoked, it is just mechanics of how you get to the
logic.
>> * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
>
> Is this mode needed as separate functionality at all? Nothing defines
> XSM_NEED_GENERIC_EVTCHN_SSID anywhere. _If_ XSM went away as a separate
> setting, then imo this one should go away as well.
>
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -197,22 +197,33 @@ config XENOPROF
>>
>> If unsure, say Y.
>>
>> -config XSM
>> - bool "Xen Security Modules support"
>> - default ARM
>> - ---help---
>> - Enables the security framework known as Xen Security Modules which
>> - allows administrators fine-grained control over a Xen domain and
>> - its capabilities by defining permissible interactions between domains,
>> - the hypervisor itself, and related resources such as memory and
>> - devices.
>> +menu "Xen Security Modules"
>>
>> - If unsure, say N.
>> +choice
>> + prompt "Default XSM module"
>> + default XSM_SILO_DEFAULT if XSM_SILO && ARM
>> + default XSM_FLASK_DEFAULT if XSM_FLASK
>> + default XSM_SILO_DEFAULT if XSM_SILO
>> + default XSM_DUMMY_DEFAULT
>> + config XSM_DUMMY_DEFAULT
>> + bool "Match non-XSM behavior"
>> + config XSM_FLASK_DEFAULT
>> + bool "FLux Advanced Security Kernel" if XSM_FLASK
>> + config XSM_SILO_DEFAULT
>> + bool "SILO" if XSM_SILO
>> +endchoice
>
> This did live after the individual options it depends on for a reason,
> and you don't say anywhere why you need to move it up. The way you
> have it, with the default command line kconfig tool, users will be
> presented with dependent options before having chosen the settings of
> the dependency ones. That's because this tool, to a degree, moves
> linearly through the options it has parsed.
Yes, this is specifically why I moved it up. Clearly we have different
approaches to how we like to interact with configurations, which is not
bad thing. I personally found it awkward the other way but can easily
move it back.
>> @@ -261,25 +271,12 @@ config XSM_SILO
>>
>> If unsure, say Y.
>>
>> -choice
>> - prompt "Default XSM implementation"
>> - depends on XSM
>> - default XSM_SILO_DEFAULT if XSM_SILO && ARM
>> - default XSM_FLASK_DEFAULT if XSM_FLASK
>> - default XSM_SILO_DEFAULT if XSM_SILO
>> - default XSM_DUMMY_DEFAULT
>> - config XSM_DUMMY_DEFAULT
>> - bool "Match non-XSM behavior"
>> - config XSM_FLASK_DEFAULT
>> - bool "FLux Advanced Security Kernel" if XSM_FLASK
>> - config XSM_SILO_DEFAULT
>> - bool "SILO" if XSM_SILO
>> -endchoice
>> +endmenu
>>
>> config LATE_HWDOM
>> bool "Dedicated hardware domain"
>> default n
>> - depends on XSM && X86
>> + depends on XSM_FLASK && X86
>
> I don't think this is a compatible change. I'm not going to exclude that
> this is how it was meant, but as it stands LATE_HWDOM right now doesn't
> really require FLASK, and could e.g. also go with SILO or dummy. If you
> _mean_ to change this, then your description needs to say so (and ideally
> it would then be split out, so - if this is actually a bug - it could
> also be backported).
Actually this is the root cause that started all of this work. If you
want to get technical, LATE_HWDOM does not rely on XSM at all. The issue
is that you cannot use it as it was originally intended, to run Xen
without a classic dom0 while still having all existing capabilities.
Specifically the hardware domain does not have the ability to assign the
pass-through devices for which it is in control. This is were Flask
comes in to enable assigning specific privileges to labels and then
constructing domains with those labels, In particular it grants the
ability to do pass-through assignment to the label assigned to the
hardware domain. With the upcoming XSM-Roles patch set, these privileges
are assigned to roles and it becomes possible to assign the necessary
roles to the hardware domain.
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 12:26 ` Jan Beulich
2021-06-18 20:27 ` Daniel P. Smith
@ 2021-06-18 21:20 ` Andrew Cooper
2021-06-21 7:03 ` Jan Beulich
1 sibling, 1 reply; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 21:20 UTC (permalink / raw)
To: Jan Beulich, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18/06/2021 13:26, Jan Beulich wrote:
> On 18.06.2021 01:39, Daniel P. Smith wrote:
>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>> pointers to static functions. As such this commit,
>> * eliminates CONFIG_XSM
> Following from what Andrew has said (including him mentioning your
> changing of certain Kconfig option defaults), I'm not convinced this is
> a good move. This still ought to serve as the overall XSM-yes-or-no
> setting. If internally you make said two variants match in behavior,
> that's a different thing.
I firmly disagree. There is no such thing as !XSM even in staging right now.
All over Xen, we have calls to xsm_*() functions which, even in the !XSM
case, contain a non-trivial security policy.
The fact that under the hood, XSM vs !XSM creates two very different
implementations of "the dom0-all-powerful model" is an error needing
correcting, as it contributes a massive quantity of code complexity.
This series of Daniel's takes steps to make the code match reality, and
getting rid of CONFIG_XSM is absolutely the right thing to do. XSM is
never actually absent from a build of Xen, even if you choose CONFIG_XSM=n.
I do think that the thing we currently call XSM_DUMMY wants renaming to
indicate that it is "the dom0-all-powerful" security model, and I think
that wants doing as part of this series. Name suggestions welcome.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/6] xsm: refactoring xsm hooks
2021-06-18 11:48 ` Jan Beulich
@ 2021-06-18 21:21 ` Andrew Cooper
2021-06-21 6:45 ` Jan Beulich
0 siblings, 1 reply; 38+ messages in thread
From: Andrew Cooper @ 2021-06-18 21:21 UTC (permalink / raw)
To: Jan Beulich, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18/06/2021 12:48, Jan Beulich wrote:
> On 18.06.2021 12:14, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
>>> patch set is being split into two separate patch sets. This is the first
>>> patch set and is focused purely on the clean up and refactoring of the
>>> XSM hooks.
>>>
>>> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
>>> infrastructure. Then proceeds to move and realign the headers to remove the
>>> psuedo is/is not enable implementation. The remainder of the changes are clean up
>>> and removing no longer necessary abstractions.
>>>
>>> <snip>
>>> 51 files changed, 1309 insertions(+), 1413 deletions(-)
>> The diffstat is great, but sadly CI says no.
>> https://gitlab.com/xen-project/patchew/xen/-/pipelines/323044913
>>
>> The problem is that ARM doesn't have alternative_vcall(). Given how
>> much of an improvement this ought to be for hypercalls, I don't want to
>> lose the vcalls.
>>
>> One option is to implement vcall() support on ARM, but that will leave
>> new architectures (RISC-V on the way) with a heavy lift to get XSM to
>> compile.
>>
>> Instead, what we want to do is make vcall() a common interface, falling
>> back to a plain function pointer call for architectures which don't
>> implement the optimisation. So something like:
>>
>> 1) Introduce CONFIG_HAS_VCALL, which is selected by X86 only right now
>> 2) Introduce xen/vcall.h which uses CONFIG_HAS_VCALL to either include
>> asm/vcall.h or provide the fallback implementation
> A word on the suggested names: The 'v' in alternative_vcall() stands for
> "returning void", as opposed to alternative_call(). It's unclear to me
> what you see it stand for in the names you propose.
Urgh - yet another reason to prefer the Linux static_call() infrastructure.
Would a general alt_call name be acceptable?
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/6] xsm: refactoring xsm hooks
2021-06-18 21:21 ` Andrew Cooper
@ 2021-06-21 6:45 ` Jan Beulich
0 siblings, 0 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-21 6:45 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Daniel P. Smith
On 18.06.2021 23:21, Andrew Cooper wrote:
> On 18/06/2021 12:48, Jan Beulich wrote:
>> On 18.06.2021 12:14, Andrew Cooper wrote:
>>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>>> Based on feedback from 2021 Xen Developers Summit the xsm-roles RFC
>>>> patch set is being split into two separate patch sets. This is the first
>>>> patch set and is focused purely on the clean up and refactoring of the
>>>> XSM hooks.
>>>>
>>>> This patch set refactors the xsm_ops wrapper hooks to use the alternative_call
>>>> infrastructure. Then proceeds to move and realign the headers to remove the
>>>> psuedo is/is not enable implementation. The remainder of the changes are clean up
>>>> and removing no longer necessary abstractions.
>>>>
>>>> <snip>
>>>> 51 files changed, 1309 insertions(+), 1413 deletions(-)
>>> The diffstat is great, but sadly CI says no.
>>> https://gitlab.com/xen-project/patchew/xen/-/pipelines/323044913
>>>
>>> The problem is that ARM doesn't have alternative_vcall(). Given how
>>> much of an improvement this ought to be for hypercalls, I don't want to
>>> lose the vcalls.
>>>
>>> One option is to implement vcall() support on ARM, but that will leave
>>> new architectures (RISC-V on the way) with a heavy lift to get XSM to
>>> compile.
>>>
>>> Instead, what we want to do is make vcall() a common interface, falling
>>> back to a plain function pointer call for architectures which don't
>>> implement the optimisation. So something like:
>>>
>>> 1) Introduce CONFIG_HAS_VCALL, which is selected by X86 only right now
>>> 2) Introduce xen/vcall.h which uses CONFIG_HAS_VCALL to either include
>>> asm/vcall.h or provide the fallback implementation
>> A word on the suggested names: The 'v' in alternative_vcall() stands for
>> "returning void", as opposed to alternative_call(). It's unclear to me
>> what you see it stand for in the names you propose.
>
> Urgh - yet another reason to prefer the Linux static_call() infrastructure.
Which iirc wasn't there yet when I wrote ours.
> Would a general alt_call name be acceptable?
Well, it seemed a little terse to me at the time, but I'm not opposed.
There's hardly anything else the "alt" there could stand for, I guess.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 16:35 ` Daniel P. Smith
@ 2021-06-21 6:53 ` Jan Beulich
2021-06-24 17:18 ` Daniel P. Smith
0 siblings, 1 reply; 38+ messages in thread
From: Jan Beulich @ 2021-06-21 6:53 UTC (permalink / raw)
To: Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Andrew Cooper
On 18.06.2021 18:35, Daniel P. Smith wrote:
> On 6/18/21 7:53 AM, Andrew Cooper wrote:
>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>> @@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
>>> If unsure, say Y.
>>>
>>> config XSM_SILO
>>> - def_bool y
>>> + def_bool n
>>
>> I'm not sure we want to alter the FLASK/SILO defaults. SILO in
>> particular is mandatory on ARM, and without it, you're in a security
>> unsupported configuration.
> The intent here is the default is the classic dom0 configuration. What
> if I did,
>
> def bool n
> def bool y if ARM
Besides it needing to be with the order of the two lines flipped, if
Arm requires XSM_SILO, then I think it would better "select" it.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 20:27 ` Daniel P. Smith
@ 2021-06-21 6:58 ` Jan Beulich
2021-06-21 10:41 ` Andrew Cooper
0 siblings, 1 reply; 38+ messages in thread
From: Jan Beulich @ 2021-06-21 6:58 UTC (permalink / raw)
To: Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Andrew Cooper, George Dunlap, Ian Jackson, Wei Liu,
Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 18.06.2021 22:27, Daniel P. Smith wrote:
> On 6/18/21 8:26 AM, Jan Beulich wrote:
>> On 18.06.2021 01:39, Daniel P. Smith wrote:
>>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>>> pointers to static functions. As such this commit,
>>> * eliminates CONFIG_XSM
>>
>> Following from what Andrew has said (including him mentioning your
>> changing of certain Kconfig option defaults), I'm not convinced this is
>> a good move. This still ought to serve as the overall XSM-yes-or-no
>> setting. If internally you make said two variants match in behavior,
>> that's a different thing.
>
> Apologies that I did not express this clearly. What I was attempting to
> say is the fact of the matter is that there is no logical behavior
> difference between "XSM no" and "XSM yes with dummy policy". The only
> difference is the mechanics of how the dummy functions get called.
> Specifically via macro magic the dummy functions are either flipped into
> static inline declarations that are then included into the code where
> they are invoked or the macro magic has them ending up in the dummy.c
> XSM module where they are wrapped in macro generated functions that are
> set as the functions in the dummy xsm_ops structure. Thus it is always
> the same logic being invoked, it is just mechanics of how you get to the
> logic.
That's what I understood, really. What I dislike is the inline functions
going away in what we currently call !XSM.
>>> * introduces CONFIG_XSM_EVTCHN_LABELING as replacement for enabling event channel labels
>>
>> Is this mode needed as separate functionality at all? Nothing defines
>> XSM_NEED_GENERIC_EVTCHN_SSID anywhere. _If_ XSM went away as a separate
>> setting, then imo this one should go away as well.
>>
>>> --- a/xen/common/Kconfig
>>> +++ b/xen/common/Kconfig
>>> @@ -197,22 +197,33 @@ config XENOPROF
>>>
>>> If unsure, say Y.
>>>
>>> -config XSM
>>> - bool "Xen Security Modules support"
>>> - default ARM
>>> - ---help---
>>> - Enables the security framework known as Xen Security Modules which
>>> - allows administrators fine-grained control over a Xen domain and
>>> - its capabilities by defining permissible interactions between domains,
>>> - the hypervisor itself, and related resources such as memory and
>>> - devices.
>>> +menu "Xen Security Modules"
>>>
>>> - If unsure, say N.
>>> +choice
>>> + prompt "Default XSM module"
>>> + default XSM_SILO_DEFAULT if XSM_SILO && ARM
>>> + default XSM_FLASK_DEFAULT if XSM_FLASK
>>> + default XSM_SILO_DEFAULT if XSM_SILO
>>> + default XSM_DUMMY_DEFAULT
>>> + config XSM_DUMMY_DEFAULT
>>> + bool "Match non-XSM behavior"
>>> + config XSM_FLASK_DEFAULT
>>> + bool "FLux Advanced Security Kernel" if XSM_FLASK
>>> + config XSM_SILO_DEFAULT
>>> + bool "SILO" if XSM_SILO
>>> +endchoice
>>
>> This did live after the individual options it depends on for a reason,
>> and you don't say anywhere why you need to move it up. The way you
>> have it, with the default command line kconfig tool, users will be
>> presented with dependent options before having chosen the settings of
>> the dependency ones. That's because this tool, to a degree, moves
>> linearly through the options it has parsed.
>
> Yes, this is specifically why I moved it up. Clearly we have different
> approaches to how we like to interact with configurations, which is not
> bad thing. I personally found it awkward the other way but can easily
> move it back.
I'm having a hard time seeing how presenting dependent options ahead
of their dependencies can be a good thing: The user will have made
their "choice" here, while the availability of the individual settings
then may change in case the depended upon options change from their
defaults upon the user reacting to those prompts.
>>> @@ -261,25 +271,12 @@ config XSM_SILO
>>>
>>> If unsure, say Y.
>>>
>>> -choice
>>> - prompt "Default XSM implementation"
>>> - depends on XSM
>>> - default XSM_SILO_DEFAULT if XSM_SILO && ARM
>>> - default XSM_FLASK_DEFAULT if XSM_FLASK
>>> - default XSM_SILO_DEFAULT if XSM_SILO
>>> - default XSM_DUMMY_DEFAULT
>>> - config XSM_DUMMY_DEFAULT
>>> - bool "Match non-XSM behavior"
>>> - config XSM_FLASK_DEFAULT
>>> - bool "FLux Advanced Security Kernel" if XSM_FLASK
>>> - config XSM_SILO_DEFAULT
>>> - bool "SILO" if XSM_SILO
>>> -endchoice
>>> +endmenu
>>>
>>> config LATE_HWDOM
>>> bool "Dedicated hardware domain"
>>> default n
>>> - depends on XSM && X86
>>> + depends on XSM_FLASK && X86
>>
>> I don't think this is a compatible change. I'm not going to exclude that
>> this is how it was meant, but as it stands LATE_HWDOM right now doesn't
>> really require FLASK, and could e.g. also go with SILO or dummy. If you
>> _mean_ to change this, then your description needs to say so (and ideally
>> it would then be split out, so - if this is actually a bug - it could
>> also be backported).
>
> Actually this is the root cause that started all of this work. If you
> want to get technical, LATE_HWDOM does not rely on XSM at all. The issue
> is that you cannot use it as it was originally intended, to run Xen
> without a classic dom0 while still having all existing capabilities.
> Specifically the hardware domain does not have the ability to assign the
> pass-through devices for which it is in control. This is were Flask
> comes in to enable assigning specific privileges to labels and then
> constructing domains with those labels, In particular it grants the
> ability to do pass-through assignment to the label assigned to the
> hardware domain. With the upcoming XSM-Roles patch set, these privileges
> are assigned to roles and it becomes possible to assign the necessary
> roles to the hardware domain.
In which case this needs spelling out in the description, to justify
the change in behavior (which I'm not sure I really follow / agree with
just yet).
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-18 21:20 ` Andrew Cooper
@ 2021-06-21 7:03 ` Jan Beulich
0 siblings, 0 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-21 7:03 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Daniel P. Smith
On 18.06.2021 23:20, Andrew Cooper wrote:
> On 18/06/2021 13:26, Jan Beulich wrote:
>> On 18.06.2021 01:39, Daniel P. Smith wrote:
>>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>>> pointers to static functions. As such this commit,
>>> * eliminates CONFIG_XSM
>> Following from what Andrew has said (including him mentioning your
>> changing of certain Kconfig option defaults), I'm not convinced this is
>> a good move. This still ought to serve as the overall XSM-yes-or-no
>> setting. If internally you make said two variants match in behavior,
>> that's a different thing.
>
> I firmly disagree. There is no such thing as !XSM even in staging right now.
>
> All over Xen, we have calls to xsm_*() functions which, even in the !XSM
> case, contain a non-trivial security policy.
Compared with the full-fledged XSM, I view the present xsm_default_action()
as sufficiently trivial. The inline wrappers of it really only exist to
allow #ifdef-ary at all the use sites to be avoided, and for the code to
act like before XSM got introduced. Whether you call this !XSM or
XSM_HWDOM_ALL_POWERFUL is secondary to me.
> The fact that under the hood, XSM vs !XSM creates two very different
> implementations of "the dom0-all-powerful model" is an error needing
> correcting, as it contributes a massive quantity of code complexity.
>
> This series of Daniel's takes steps to make the code match reality, and
> getting rid of CONFIG_XSM is absolutely the right thing to do. XSM is
> never actually absent from a build of Xen, even if you choose CONFIG_XSM=n.
As said, what you discuss is just how to call the child. What I point out
as undesirable is the going away of the inline functions, replaced by real
function calls (not indirect ones thanks to alternatives patching, but
still not clearly on par with the current model in terms of overhead).
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-21 6:58 ` Jan Beulich
@ 2021-06-21 10:41 ` Andrew Cooper
2021-06-21 11:39 ` Jan Beulich
0 siblings, 1 reply; 38+ messages in thread
From: Andrew Cooper @ 2021-06-21 10:41 UTC (permalink / raw)
To: Jan Beulich, Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel
On 21/06/2021 07:58, Jan Beulich wrote:
> On 18.06.2021 22:27, Daniel P. Smith wrote:
>> On 6/18/21 8:26 AM, Jan Beulich wrote:
>>> On 18.06.2021 01:39, Daniel P. Smith wrote:
>>>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>>>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>>>> pointers to static functions. As such this commit,
>>>> * eliminates CONFIG_XSM
>>> Following from what Andrew has said (including him mentioning your
>>> changing of certain Kconfig option defaults), I'm not convinced this is
>>> a good move. This still ought to serve as the overall XSM-yes-or-no
>>> setting. If internally you make said two variants match in behavior,
>>> that's a different thing.
>> Apologies that I did not express this clearly. What I was attempting to
>> say is the fact of the matter is that there is no logical behavior
>> difference between "XSM no" and "XSM yes with dummy policy". The only
>> difference is the mechanics of how the dummy functions get called.
>> Specifically via macro magic the dummy functions are either flipped into
>> static inline declarations that are then included into the code where
>> they are invoked or the macro magic has them ending up in the dummy.c
>> XSM module where they are wrapped in macro generated functions that are
>> set as the functions in the dummy xsm_ops structure. Thus it is always
>> the same logic being invoked, it is just mechanics of how you get to the
>> logic.
> That's what I understood, really. What I dislike is the inline functions
> going away in what we currently call !XSM.
I'm sorry, but this is an unreasonable objection.
The mess used to create the status quo *is* the majority reason why
fixing/developing XSM is so hard, and why the code is so obfuscated. To
prove this point, how many people on this email thread realise that
calls using XSM_HOOK offer 0 security under xsm_default_action()?
Having xsm_default_action() forced inline isn't obviously the right move
in the first place, and I doubt that you could even measure a
performance difference for using real function calls.
Even if there is a marginal performance difference, and I doubt that
there is, performance is far less important than de-obfuscating the code
and fixing our various security mechanisms to be first-class supported
citizens.
~Andrew
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-21 10:41 ` Andrew Cooper
@ 2021-06-21 11:39 ` Jan Beulich
0 siblings, 0 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-21 11:39 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Daniel P. Smith
On 21.06.2021 12:41, Andrew Cooper wrote:
> On 21/06/2021 07:58, Jan Beulich wrote:
>> On 18.06.2021 22:27, Daniel P. Smith wrote:
>>> On 6/18/21 8:26 AM, Jan Beulich wrote:
>>>> On 18.06.2021 01:39, Daniel P. Smith wrote:
>>>>> The only difference between !CONFIG_XSM and CONFIG_XSM with !CONFIG_XSM_SILO and !CONFIG_XSM_FLASK
>>>>> is whether the XSM hooks in dummy.h are called as static inline functions or as function
>>>>> pointers to static functions. As such this commit,
>>>>> * eliminates CONFIG_XSM
>>>> Following from what Andrew has said (including him mentioning your
>>>> changing of certain Kconfig option defaults), I'm not convinced this is
>>>> a good move. This still ought to serve as the overall XSM-yes-or-no
>>>> setting. If internally you make said two variants match in behavior,
>>>> that's a different thing.
>>> Apologies that I did not express this clearly. What I was attempting to
>>> say is the fact of the matter is that there is no logical behavior
>>> difference between "XSM no" and "XSM yes with dummy policy". The only
>>> difference is the mechanics of how the dummy functions get called.
>>> Specifically via macro magic the dummy functions are either flipped into
>>> static inline declarations that are then included into the code where
>>> they are invoked or the macro magic has them ending up in the dummy.c
>>> XSM module where they are wrapped in macro generated functions that are
>>> set as the functions in the dummy xsm_ops structure. Thus it is always
>>> the same logic being invoked, it is just mechanics of how you get to the
>>> logic.
>> That's what I understood, really. What I dislike is the inline functions
>> going away in what we currently call !XSM.
>
> I'm sorry, but this is an unreasonable objection.
>
> The mess used to create the status quo *is* the majority reason why
> fixing/developing XSM is so hard, and why the code is so obfuscated. To
> prove this point, how many people on this email thread realise that
> calls using XSM_HOOK offer 0 security under xsm_default_action()?
>
> Having xsm_default_action() forced inline isn't obviously the right move
> in the first place, and I doubt that you could even measure a
> performance difference for using real function calls.
>
> Even if there is a marginal performance difference, and I doubt that
> there is, performance is far less important than de-obfuscating the code
> and fixing our various security mechanisms to be first-class supported
> citizens.
What I don't understand from all you say is why you think that having
an as-if-no-XSM build configuration, without any way to switch to an
alternative model (i.e. the XSM=n that we have right now), is a bad
thing. I don't mind the XSM=y case getting improved, but I don't see
(yet) why it is a good thing to force this onto everyone.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-21 6:53 ` Jan Beulich
@ 2021-06-24 17:18 ` Daniel P. Smith
2021-06-25 6:39 ` Jan Beulich
0 siblings, 1 reply; 38+ messages in thread
From: Daniel P. Smith @ 2021-06-24 17:18 UTC (permalink / raw)
To: Jan Beulich
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Andrew Cooper
On 6/21/21 2:53 AM, Jan Beulich wrote:
> On 18.06.2021 18:35, Daniel P. Smith wrote:
>> On 6/18/21 7:53 AM, Andrew Cooper wrote:
>>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>>> @@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
>>>> If unsure, say Y.
>>>>
>>>> config XSM_SILO
>>>> - def_bool y
>>>> + def_bool n
>>>
>>> I'm not sure we want to alter the FLASK/SILO defaults. SILO in
>>> particular is mandatory on ARM, and without it, you're in a security
>>> unsupported configuration.
>> The intent here is the default is the classic dom0 configuration. What
>> if I did,
>>
>> def bool n
>> def bool y if ARM
>
> Besides it needing to be with the order of the two lines flipped, if
> Arm requires XSM_SILO, then I think it would better "select" it.
Ack, I realized that as I fixed it for the upcoming v2.
Correct me if I am wrong but if you do a "select" that means you are
forcing the user to always have SILO built in, i.e. that makes it so the
option cannot be disabled. There may be users who would prefer to only
have Flask enabled on ARM and those users would not be able to turn SILO
off.
v/r,
dps
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 3/6] xsm: enabling xsm to always be included
2021-06-24 17:18 ` Daniel P. Smith
@ 2021-06-25 6:39 ` Jan Beulich
0 siblings, 0 replies; 38+ messages in thread
From: Jan Beulich @ 2021-06-25 6:39 UTC (permalink / raw)
To: Daniel P. Smith
Cc: Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
George Dunlap, Ian Jackson, Wei Liu, Roger Pau Monné,
Tamas K Lengyel, Tim Deegan, Juergen Gross, Alexandru Isaila,
Petre Pircalabu, Dario Faggioli, Paul Durrant, Daniel De Graaf,
persaur, christopher.w.clark, adam.schwalm, scott.davis,
xen-devel, Andrew Cooper
On 24.06.2021 19:18, Daniel P. Smith wrote:
>
>
> On 6/21/21 2:53 AM, Jan Beulich wrote:
>> On 18.06.2021 18:35, Daniel P. Smith wrote:
>>> On 6/18/21 7:53 AM, Andrew Cooper wrote:
>>>> On 18/06/2021 00:39, Daniel P. Smith wrote:
>>>>> @@ -250,9 +261,8 @@ config XSM_FLASK_POLICY
>>>>> If unsure, say Y.
>>>>>
>>>>> config XSM_SILO
>>>>> - def_bool y
>>>>> + def_bool n
>>>>
>>>> I'm not sure we want to alter the FLASK/SILO defaults. SILO in
>>>> particular is mandatory on ARM, and without it, you're in a security
>>>> unsupported configuration.
>>> The intent here is the default is the classic dom0 configuration. What
>>> if I did,
>>>
>>> def bool n
>>> def bool y if ARM
>>
>> Besides it needing to be with the order of the two lines flipped, if
>> Arm requires XSM_SILO, then I think it would better "select" it.
>
>
> Ack, I realized that as I fixed it for the upcoming v2.
>
> Correct me if I am wrong but if you do a "select" that means you are
> forcing the user to always have SILO built in, i.e. that makes it so the
> option cannot be disabled. There may be users who would prefer to only
> have Flask enabled on ARM and those users would not be able to turn SILO
> off.
Yes, you're right. Problem is the (imo) malformed entry, which makes
it that I couldn't see the presence of a prompt anymore in the context
above. Well-formed (imo; I might also say "consistently formatted")
entries with a prompt ought to look like (taking your change into
account already, leaving aside whether that's really what we want)
config XSM_SILO
bool "SILO support"
default y if ARM
default n
Whether "depends" precedes or follows "default" is a less clear cut.
def_bool imo would better be used only for prompt-less entries.
Jan
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0.5/6] xen: Implement xen/alternative-call.h for use in common code
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
2021-06-18 11:34 ` Andrew Cooper
@ 2021-07-12 12:36 ` Andrew Cooper
1 sibling, 0 replies; 38+ messages in thread
From: Andrew Cooper @ 2021-07-12 12:36 UTC (permalink / raw)
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné,
Wei Liu, Stefano Stabellini, Julien Grall, Volodymyr Babchuk,
Bob Eshleman, Alistair Francis, Connor Davis, Daniel P . Smith
The alternative call infrastructure is x86-only for now, but the common iommu
code has a variant and more common code wants to use the infrastructure.
Introduce CONFIG_ALTERNATIVE_CALL and a conditional implemetnation so common
code can use the optimisation when available, without requiring all
architectures to implement no-op stubs.
Write some documentation, which was thus far entirely absent, covering the
requirements for an architecture to implement this optimsiation, and how to
use the infrastructure in general code.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bob Eshleman <bobbyeshleman@gmail.com>
CC: Alistair Francis <alistair.francis@wdc.com>
CC: Connor Davis <connojdavis@gmail.com>
CC: Daniel P. Smith <dpsmith@apertussolutions.com>
This is a pre-requisite to "xsm: refactor xsm_ops handling" to avoid breaking
the ARM build.
Build test for the XSM code:
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 5eab21e1b168..592074e8f41c 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -195,6 +195,16 @@ bool __init has_xsm_magic(paddr_t start)
}
#endif
+#include <xen/alternative-call.h>
+struct foo {
+ int (*bar)(void *);
+} foo __alt_call_maybe_initdata;
+
+int test_alternative_call(void)
+{
+ return alternative_call(foo.bar, NULL);
+}
+
int __init register_xsm(struct xsm_operations *ops)
{
if ( verify(ops) )
---
xen/arch/x86/Kconfig | 1 +
xen/common/Kconfig | 3 ++
xen/include/xen/alternative-call.h | 65 ++++++++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
create mode 100644 xen/include/xen/alternative-call.h
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 9b164db64187..c91cdd83dc8a 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -9,6 +9,7 @@ config X86
select ARCH_SUPPORTS_INT128
select CORE_PARKING
select HAS_ALTERNATIVE
+ select ALTERNATIVE_CALL
select HAS_COMPAT
select HAS_CPUFREQ
select HAS_EHCI
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 0ddd18e11af3..1594ce4e7313 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -25,6 +25,9 @@ config GRANT_TABLE
config HAS_ALTERNATIVE
bool
+config ALTERNATIVE_CALL
+ bool
+
config HAS_COMPAT
bool
diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h
new file mode 100644
index 000000000000..11d1c2606818
--- /dev/null
+++ b/xen/include/xen/alternative-call.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef XEN_ALTERNATIVE_CALL
+#define XEN_ALTERNATIVE_CALL
+
+/*
+ * Some subsystems in Xen may have multiple implementions, which can be
+ * resolved to a single implementation at boot time. By default, this will
+ * result in the use of function pointers.
+ *
+ * Some architectures may have mechanisms for dynamically modifying .text.
+ * Using this mechnaism, function pointers can be converted to direct calls
+ * which are typically more efficient at runtime.
+ *
+ * For architectures to support:
+ *
+ * - Implement alternative_{,v}call() in asm/alternative.h. Code generation
+ * requirements are to emit a function pointer call at build time, and stash
+ * enough metadata to simplify the call at boot once the implementation has
+ * been resolved.
+ * - Select ALTERNATIVE_CALL in Kconfig.
+ *
+ * To use:
+ *
+ * Consider the following simplified example.
+ *
+ * 1) struct foo_ops __alt_call_maybe_initdata ops;
+ *
+ * 2) struct foo_ops __alt_call_maybe_initconst foo_a_ops = { ... };
+ * struct foo_ops __alt_call_maybe_initconst foo_b_ops = { ... };
+ *
+ * void foo_init(void)
+ * {
+ * ...
+ * if ( use_impl_a )
+ * ops = *foo_a_ops;
+ * else if ( use_impl_b )
+ * ops = *foo_b_ops;
+ * ...
+ * }
+ *
+ * 3) alternative_call(ops.bar, ...);
+ *
+ * There needs to a single ops object (1) which will eventually contain the
+ * function pointers. This should be populated in foo's init() function (2)
+ * by one of the available implementations. To call functions, use
+ * alternative_{,v}call() referencing the main ops object (3).
+ */
+
+#ifdef CONFIG_ALTERNATIVE_CALL
+
+#include <asm/alternative.h>
+
+#define __alt_call_maybe_initdata __initdata
+#define __alt_call_maybe_initconst __initconst
+
+#else
+
+#define alternative_call(func, args...) (func)(args)
+#define alternative_vcall(func, args...) (func)(args)
+
+#define __alt_call_maybe_initdata
+#define __alt_call_maybe_initconst
+
+#endif /* !CONFIG_ALTERNATIVE_CALL */
+#endif /* XEN_ALTERNATIVE_CALL */
--
2.11.0
^ permalink raw reply related [flat|nested] 38+ messages in thread
end of thread, other threads:[~2021-07-12 12:37 UTC | newest]
Thread overview: 38+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-17 23:39 [PATCH 0/6] xsm: refactoring xsm hooks Daniel P. Smith
2021-06-17 23:39 ` [PATCH 1/6] xsm: refactor xsm_ops handling Daniel P. Smith
2021-06-18 11:34 ` Andrew Cooper
2021-06-18 11:44 ` Jan Beulich
2021-06-18 11:45 ` Andrew Cooper
2021-06-18 16:26 ` Daniel P. Smith
2021-06-18 16:17 ` Daniel P. Smith
2021-07-12 12:36 ` [PATCH 0.5/6] xen: Implement xen/alternative-call.h for use in common code Andrew Cooper
2021-06-17 23:39 ` [PATCH 2/6] xsm: decouple xsm header inclusion selection Daniel P. Smith
2021-06-17 23:39 ` [PATCH 3/6] xsm: enabling xsm to always be included Daniel P. Smith
2021-06-18 11:53 ` Andrew Cooper
2021-06-18 16:35 ` Daniel P. Smith
2021-06-21 6:53 ` Jan Beulich
2021-06-24 17:18 ` Daniel P. Smith
2021-06-25 6:39 ` Jan Beulich
2021-06-18 12:26 ` Jan Beulich
2021-06-18 20:27 ` Daniel P. Smith
2021-06-21 6:58 ` Jan Beulich
2021-06-21 10:41 ` Andrew Cooper
2021-06-21 11:39 ` Jan Beulich
2021-06-18 21:20 ` Andrew Cooper
2021-06-21 7:03 ` Jan Beulich
2021-06-17 23:39 ` [PATCH 4/6] xsm: remove xen_defualt_t from hook definitions Daniel P. Smith
2021-06-18 11:56 ` Andrew Cooper
2021-06-18 16:35 ` Daniel P. Smith
2021-06-18 12:32 ` Jan Beulich
2021-06-17 23:39 ` [PATCH 5/6] xsm: expanding function related macros in dummy.h Daniel P. Smith
2021-06-18 12:03 ` Andrew Cooper
2021-06-18 12:40 ` Jan Beulich
2021-06-18 12:44 ` Jan Beulich
2021-06-18 16:38 ` Daniel P. Smith
2021-06-18 16:36 ` Daniel P. Smith
2021-06-17 23:39 ` [PATCH 6/6] xsm: removing the XSM_ASSERT_ACTION macro Daniel P. Smith
2021-06-18 10:14 ` [PATCH 0/6] xsm: refactoring xsm hooks Andrew Cooper
2021-06-18 11:48 ` Jan Beulich
2021-06-18 21:21 ` Andrew Cooper
2021-06-21 6:45 ` Jan Beulich
2021-06-18 15:53 ` Daniel P. Smith
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).