From nobody Mon Feb 9 11:51:35 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org ARC-Seal: i=1; a=rsa-sha256; t=1568403041; cv=none; d=zoho.com; s=zohoarc; b=M6TGVV/Dhhrmd492wJFCM+PIS8fOU7oxvsyRAOBuejh+IzVdkXLojryzr4vpu+X4uaOX6GEx8J/cBw3eQISsrchu+9DAbm8eFRZUjJnB9wQ80uAUtjqGQgGftRigS292CBS97luS3baSwFKtRYdPmNjv90q+ebTSy1VH5+Zvq84= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1568403041; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=+NxQo33Y1dCWFfQsvcqgqeoSWVr5VNu1dQ9LFQZORXc=; b=DG6wNcg2GdT29oCTAQCMKuXjz2YdIkEjOga9gi0hMrJ0DBaq63oNdVf6dV7Z/96nX6DWegFgQlLBecFXbcfmMJJGe+BdKKpaMon2aDXwH6it09SLAw487lO/T94DsHZMSj96I4inch+2eohBMmLuyjVInGAQmozF1YfxeqVyp+4= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1568403041412533.7432783658787; Fri, 13 Sep 2019 12:30:41 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i8rEw-0006q8-Qa; Fri, 13 Sep 2019 19:28:18 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i8rEv-0006pQ-DS for xen-devel@lists.xenproject.org; Fri, 13 Sep 2019 19:28:17 +0000 Received: from esa2.hc3370-68.iphmx.com (unknown [216.71.145.153]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 9d1cd2b4-d65c-11e9-a337-bc764e2007e4; Fri, 13 Sep 2019 19:28:07 +0000 (UTC) X-Inumbo-ID: 9d1cd2b4-d65c-11e9-a337-bc764e2007e4 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1568402888; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=YbW7SS92a1SCXA6E4gpxQoKvv/lPGhwZNvL2NxV9CWA=; b=OE1TJGG9Raf2b/dIKMB6m2tgvAR9oQYcjmuwNS/cPOGKNgbiVXq7gT2m rgTxBnDunkOEnU8A9gOxBVaoFW6RwXKTb+rmH3yn7wSnJOKeGe6H8mQlJ /L5IfGUyAEA0cue8YhrWq6qQH27uGL71trD5tzt2s7kdzL3he6PWiidgK k=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa2.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: 3rq8c88b/Cf/vHaODqynd0eTcZXExqK7OG/Be/rAtY3sp5By84LDh4QYeoq9fIwFQ8EEsAhkrH ib8qFlJO/i6kFCZ3arkvpkcokmOpzEJfXmcdn9YyYvgs8XRLsM3qiLgIoptDHpFMmOhgt2V5W1 3JUsJiG9qXqT3O70Q7t/zNy7+zZn1a7CPbsq+YirNqBcUU5tZMmr8AqyV8Zp0O1Q/C93XafTUh Fk4RDhFBr54dgWS3eXy9sRwIWIl6+KqLWXdBfJT3ZeCTAzGxJcVUqBFxsX4HTXOdQl86hBHplP FsI= X-SBRS: 2.7 X-MesageID: 5553061 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,501,1559534400"; d="scan'208";a="5553061" From: Andrew Cooper To: Xen-devel Date: Fri, 13 Sep 2019 20:27:54 +0100 Message-ID: <20190913192759.10795-6-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190913192759.10795-1-andrew.cooper3@citrix.com> References: <20190913192759.10795-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v2 05/10] x86/domctl: Implement XEN_DOMCTL_set_cpumsr_policy X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Sergey Dyasli , Wei Liu , Andrew Cooper , Ian Jackson , Jan Beulich , Daniel De Graaf , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) This hypercall allows the toolstack to present one combined CPUID and MSR policy for a domain, which can be audited in one go by Xen, which is necess= ary for correctness of the auditing. Reuse the existing set_cpuid XSM access vector, as this is logically the sa= me operation. As x86_cpu_policies_are_compatible() is still only a stub, retain the call = to recalculate_cpuid_policy() to discard unsafe toolstack settings. Signed-off-by: Andrew Cooper Signed-off-by: Sergey Dyasli Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Ian Jackson CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Daniel De Graaf v2: * Bump the DOMCTL interface version * Proactively set the error pointers in xc_set_domain_cpu_policy() * Adjust domctl API documentation to reflect that not all DOMCTL failures will write the error pointers. --- tools/libxc/include/xenctrl.h | 5 +++ tools/libxc/xc_cpuid_x86.c | 46 +++++++++++++++++++++ xen/arch/x86/domctl.c | 80 +++++++++++++++++++++++++++++++++= ++++ xen/include/public/domctl.h | 18 ++++++--- xen/xsm/flask/hooks.c | 1 + xen/xsm/flask/policy/access_vectors | 1 + 6 files changed, 146 insertions(+), 5 deletions(-) diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index 7559e1bc69..0da437318e 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h @@ -2530,6 +2530,11 @@ int xc_get_system_cpu_policy(xc_interface *xch, uint= 32_t index, int xc_get_domain_cpu_policy(xc_interface *xch, uint32_t domid, uint32_t *nr_leaves, xen_cpuid_leaf_t *leaves, uint32_t *nr_msrs, xen_msr_entry_t *msrs); +int xc_set_domain_cpu_policy(xc_interface *xch, uint32_t domid, + uint32_t nr_leaves, xen_cpuid_leaf_t *leaves, + uint32_t nr_msrs, xen_msr_entry_t *msrs, + uint32_t *err_leaf_p, uint32_t *err_subleaf_p, + uint32_t *err_msr_p); =20 uint32_t xc_get_cpu_featureset_size(void); =20 diff --git a/tools/libxc/xc_cpuid_x86.c b/tools/libxc/xc_cpuid_x86.c index b829336082..0f07317b54 100644 --- a/tools/libxc/xc_cpuid_x86.c +++ b/tools/libxc/xc_cpuid_x86.c @@ -229,6 +229,52 @@ int xc_get_domain_cpu_policy(xc_interface *xch, uint32= _t domid, return ret; } =20 +int xc_set_domain_cpu_policy(xc_interface *xch, uint32_t domid, + uint32_t nr_leaves, xen_cpuid_leaf_t *leaves, + uint32_t nr_msrs, xen_msr_entry_t *msrs, + uint32_t *err_leaf_p, uint32_t *err_subleaf_p, + uint32_t *err_msr_p) +{ + DECLARE_DOMCTL; + DECLARE_HYPERCALL_BOUNCE(leaves, + nr_leaves * sizeof(*leaves), + XC_HYPERCALL_BUFFER_BOUNCE_IN); + DECLARE_HYPERCALL_BOUNCE(msrs, + nr_msrs * sizeof(*msrs), + XC_HYPERCALL_BUFFER_BOUNCE_IN); + int ret; + + if ( xc_hypercall_bounce_pre(xch, leaves) ) + return -1; + + if ( xc_hypercall_bounce_pre(xch, msrs) ) + return -1; + + domctl.cmd =3D XEN_DOMCTL_set_cpu_policy; + domctl.domain =3D domid; + domctl.u.cpu_policy.nr_leaves =3D nr_leaves; + set_xen_guest_handle(domctl.u.cpu_policy.cpuid_policy, leaves); + domctl.u.cpu_policy.nr_msrs =3D nr_msrs; + set_xen_guest_handle(domctl.u.cpu_policy.msr_policy, msrs); + domctl.u.cpu_policy.err_leaf =3D ~0; + domctl.u.cpu_policy.err_subleaf =3D ~0; + domctl.u.cpu_policy.err_msr =3D ~0; + + ret =3D do_domctl(xch, &domctl); + + xc_hypercall_bounce_post(xch, leaves); + xc_hypercall_bounce_post(xch, msrs); + + if ( err_leaf_p ) + *err_leaf_p =3D domctl.u.cpu_policy.err_leaf; + if ( err_subleaf_p ) + *err_subleaf_p =3D domctl.u.cpu_policy.err_subleaf; + if ( err_msr_p ) + *err_msr_p =3D domctl.u.cpu_policy.err_msr; + + return ret; +} + struct cpuid_domain_info { unsigned int vendor; /* X86_VENDOR_* */ diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 48fccf2f7b..97ced32c21 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -294,6 +294,65 @@ static int update_domain_cpuid_info(struct domain *d, return 0; } =20 +static int update_domain_cpu_policy(struct domain *d, + xen_domctl_cpu_policy_t *xdpc) +{ + struct cpu_policy new =3D {}; + const struct cpu_policy *sys =3D is_pv_domain(d) + ? &system_policies[XEN_SYSCTL_cpu_policy_pv_max] + : &system_policies[XEN_SYSCTL_cpu_policy_hvm_max]; + struct cpu_policy_errors err =3D INIT_CPU_POLICY_ERRORS; + int ret =3D -ENOMEM; + + /* Start by copying the domain's existing policies. */ + if ( !(new.cpuid =3D xmemdup(d->arch.cpuid)) || + !(new.msr =3D xmemdup(d->arch.msr)) ) + goto out; + + /* Merge the toolstack provided data. */ + if ( (ret =3D x86_cpuid_copy_from_buffer( + new.cpuid, xdpc->cpuid_policy, xdpc->nr_leaves, + &err.leaf, &err.subleaf)) || + (ret =3D x86_msr_copy_from_buffer( + new.msr, xdpc->msr_policy, xdpc->nr_msrs, &err.msr)) ) + goto out; + + /* Trim any newly-stale out-of-range leaves. */ + x86_cpuid_policy_clear_out_of_range_leaves(new.cpuid); + + /* Audit the combined dataset. */ + ret =3D x86_cpu_policies_are_compatible(sys, &new, &err); + if ( ret ) + goto out; + + /* + * Audit was successful. Replace existing policies, leaving the old + * policies to be freed. + */ + SWAP(new.cpuid, d->arch.cpuid); + SWAP(new.msr, d->arch.msr); + + /* TODO: Drop when x86_cpu_policies_are_compatible() is completed. */ + recalculate_cpuid_policy(d); + + /* Recalculate relevant dom/vcpu state now the policy has changed. */ + domain_cpu_policy_changed(d); + + out: + /* Free whichever cpuid/msr structs are not installed in struct domain= . */ + xfree(new.cpuid); + xfree(new.msr); + + if ( ret ) + { + xdpc->err_leaf =3D err.leaf; + xdpc->err_subleaf =3D err.subleaf; + xdpc->err_msr =3D err.msr; + } + + return ret; +} + static int vcpu_set_vmce(struct vcpu *v, const struct xen_domctl_ext_vcpucontext *evc) { @@ -1476,6 +1535,27 @@ long arch_do_domctl( copyback =3D true; break; =20 + case XEN_DOMCTL_set_cpu_policy: + if ( d =3D=3D currd ) /* No domain_pause() */ + { + ret =3D -EINVAL; + break; + } + + domain_pause(d); + + if ( d->creation_finished ) + ret =3D -EEXIST; /* No changing once the domain is running. */ + else + { + ret =3D update_domain_cpu_policy(d, &domctl->u.cpu_policy); + if ( ret ) /* Copy domctl->u.cpu_policy.err_* to guest. */ + copyback =3D true; + } + + domain_unpause(d); + break; + default: ret =3D iommu_do_domctl(domctl, d, u_domctl); break; diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h index 77f546cbb8..bd7d26545d 100644 --- a/xen/include/public/domctl.h +++ b/xen/include/public/domctl.h @@ -38,7 +38,7 @@ #include "hvm/save.h" #include "memory.h" =20 -#define XEN_DOMCTL_INTERFACE_VERSION 0x00000011 +#define XEN_DOMCTL_INTERFACE_VERSION 0x00000012 =20 /* * NB. xen_domctl.domain is an IN/OUT parameter for this operation. @@ -658,17 +658,24 @@ struct xen_domctl_cpuid { }; =20 /* - * XEN_DOMCTL_get_cpu_policy (x86 specific) + * XEN_DOMCTL_{get,set}_cpu_policy (x86 specific) * - * Query the CPUID and MSR policies for a specific domain. + * Query or set the CPUID and MSR policies for a specific domain. */ struct xen_domctl_cpu_policy { uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to * 'cpuid_policy'. */ uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to * 'msr_domain_policy' */ - XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* OUT */ - XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_policy; /* OUT */ + XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* IN/OUT */ + XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_policy; /* IN/OUT */ + + /* + * OUT, set_policy only. Written in some (but not all) error cases to + * identify problem the CPUID leaf/subleaf and/or MSR which auditing + * objects to. + */ + uint32_t err_leaf, err_subleaf, err_msr; }; typedef struct xen_domctl_cpu_policy xen_domctl_cpu_policy_t; DEFINE_XEN_GUEST_HANDLE(xen_domctl_cpu_policy_t); @@ -1193,6 +1200,7 @@ struct xen_domctl { /* #define XEN_DOMCTL_set_gnttab_limits 80 - Moved into XEN_DOMCT= L_createdomain */ #define XEN_DOMCTL_vuart_op 81 #define XEN_DOMCTL_get_cpu_policy 82 +#define XEN_DOMCTL_set_cpu_policy 83 #define XEN_DOMCTL_gdbsx_guestmemio 1000 #define XEN_DOMCTL_gdbsx_pausevcpu 1001 #define XEN_DOMCTL_gdbsx_unpausevcpu 1002 diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 6800f2d9a0..b23772786a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -715,6 +715,7 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_set_virq_handler: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDL= ER); =20 + case XEN_DOMCTL_set_cpu_policy: case XEN_DOMCTL_set_cpuid: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID); =20 diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/acc= ess_vectors index 76f3d60ddd..6f3f9493f8 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -207,6 +207,7 @@ class domain2 # source =3D the domain making the hypercall # target =3D the new target domain set_as_target +# XEN_DOMCTL_set_cpu_policy # XEN_DOMCTL_set_cpuid set_cpuid # XEN_DOMCTL_gettscinfo --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel