From nobody Mon May 6 15:59:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zohomail.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=bitdefender.com Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1580389742662860.8162387303727; Thu, 30 Jan 2020 05:09:02 -0800 (PST) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1ix9XY-0001Qg-Qg; Thu, 30 Jan 2020 13:07:24 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1ix9XX-0001Qb-HL for xen-devel@lists.xenproject.org; Thu, 30 Jan 2020 13:07:23 +0000 Received: from EUR03-AM5-obe.outbound.protection.outlook.com (unknown [40.107.3.96]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 73100ff0-4361-11ea-8a51-12813bfff9fa; Thu, 30 Jan 2020 13:07:21 +0000 (UTC) Received: from DB6PR02MB2999.eurprd02.prod.outlook.com (10.170.219.144) by DB6PR02MB3093.eurprd02.prod.outlook.com (10.175.233.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.26; Thu, 30 Jan 2020 13:07:15 +0000 Received: from DB6PR02MB2999.eurprd02.prod.outlook.com ([fe80::f1c2:7dd1:1131:1c1d]) by DB6PR02MB2999.eurprd02.prod.outlook.com ([fe80::f1c2:7dd1:1131:1c1d%7]) with mapi id 15.20.2665.027; Thu, 30 Jan 2020 13:07:15 +0000 Received: from aisaila-Latitude-E5570.dsd.bitdefender.biz (91.199.104.6) by ZRAP278CA0010.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:10::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.20 via Frontend Transport; Thu, 30 Jan 2020 13:07:13 +0000 X-Inumbo-ID: 73100ff0-4361-11ea-8a51-12813bfff9fa ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cT9J442gzDwSkXycjB/ttEzs7UNuTsIa2azJx408znU3HhBSzHUl1JxCZYDDbfhKbRLatKOa85VUGv453f1+YgROeLXeTcJ39DhlPsiPNGTAt/09mi9QNhl875x56KlisazDRtAjSK76QaBqKqag+q1WJw/XtcIqxPRLBBDLvw+gYasqjcgy1KxC5xWNwp+zAJDEJFJAxaW7NAjgXdnb63iVx5F9RnFBxj8BE4QBjYLrghK1/o3wyZZ+94hlqgxpbdiQJaq3tdcWw5jddKscV38OT7Vls0jMltaTABE5PQGLkX5hB1hOo6LMrwYb49aWBRbocBuatnxi3DsDBOxC3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Bb3c7ikKEaUpRKvl3OOPC8awpqp517KhQxRKIwnyx+8=; b=hh/aatZD3PS+IXDMdhMmByUcEPFfeu9IGGsfXex/hxfPguwfQTkUehbw9CcUt+mRByozeTi9/f/RxBmobEgubduUYQS7+zgOVafqJTNkGE+RzHvFvCZBArEEJCozPLKqdiR0JVxhmKHaU/3eut722LmqweaT5qP3d0Tt2fvWK2a+C57QuahxD/FAfeunN4A+Rt8VRtNFv21/Z6uqQFtG6tv1r6lT53KONWTcXAqn8YtBZuEtHMT0cRDOJho9TAA9mNwt4ON+aewYpQh0CWoKcZJwVCCqJaPxNCgQAU9/+wTHpyYeHkmDoRPqkMo/QyzNSWC2NvbKYMF9CLo+wyMZVw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitdefender.onmicrosoft.com; s=selector2-bitdefender-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Bb3c7ikKEaUpRKvl3OOPC8awpqp517KhQxRKIwnyx+8=; b=ELDs9u+9dvOaHHBN9ZbAYeJRd9EVaj3YMWLf5eYhanKkC26UUFn5hhX6xxuFUjtGcXGF02d09fw2GOdIAedMAHvIG99snsTZDCd1vVanZsBoO1kpnHp3pYzLfBt0m89jjkGadT6O9hrr4Mzi0+Y7c0NFpHYXZI2Xfsb0v67dcuU= From: Alexandru Stefan ISAILA To: "xen-devel@lists.xenproject.org" Thread-Topic: [PATCH V2] x86/altp2m: Hypercall to set altp2m view visibility Thread-Index: AQHV124xlaiLFBXa8kCbjgVBTXJ5ww== Date: Thu, 30 Jan 2020 13:07:15 +0000 Message-ID: <20200130130649.14538-1-aisaila@bitdefender.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: ZRAP278CA0010.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:10::20) To DB6PR02MB2999.eurprd02.prod.outlook.com (2603:10a6:6:17::16) authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@bitdefender.com; x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.17.1 x-originating-ip: [91.199.104.6] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 48dd1b75-aeeb-4f83-f3e4-08d7a58553ad x-ms-traffictypediagnostic: DB6PR02MB3093:|DB6PR02MB3093: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:2657; x-forefront-prvs: 02981BE340 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(189003)(199004)(498600001)(5660300002)(81156014)(66946007)(66446008)(64756008)(66476007)(66556008)(1076003)(7416002)(8676002)(8936002)(81166006)(6486002)(36756003)(71200400001)(54906003)(6512007)(4326008)(86362001)(186003)(16526019)(2616005)(26005)(6506007)(956004)(2906002)(6916009)(52116002); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6PR02MB3093; H:DB6PR02MB2999.eurprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; Received-SPF: none (zohomail.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; received-spf: None (protection.outlook.com: bitdefender.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: aidIFauMqTAwi93spfoN24V5FtlE2BmZqGxeR1yKUkYfeTkLb5jYVyDmjTzJwL8shME1y7ICfGDC+lQHQsakLZA0wbULEBzu/RNerINdycWseJvzaLhBpsVY2RnCmFKc5HATo1C1aHMjxxAqErYjKdKN6od9JlEQx83d4THv604l0yeNdb6LnGILCegpt1Rz9IcRTgooA03wX/ZAIDf2KpvrpIDk2vDG6lwYG3wOO7f3+Bfcjjf7i4+GEKDg20zekQw/Pd7k7fNrmqfk66AWgWm/S8iMrn6ZL0EC+DN6ebdmI74b2oMn90xeYSXTWisNoQsFwaPDfyNBS3Kt7HJoXac79TliMIoXUkWOr0edfXin996eBNn8clHit6aylirBzz0V1w5TLEzXA1AE7Bo7h73wEiIYMAXM86lZTciVK6Y2Lm/rpRfgOYM0UUgd/kxK x-ms-exchange-antispam-messagedata: OlJpTKSNbl/NBZcv5BXROJF8f0ffKBnBqyuf9HUS0Dba1cIovFG+oiiKqHaztjI1q6O4ohvAkyGO2AZ8ikc+jEjtY4+Qnp116VzuPUx2nvC3GUydlZd+VzsQPBqMLGpO8YbIvEg3IlmHHrCV3dPFhg== Content-ID: <8B6C98E9D42B82428DF867AFB7224D76@eurprd02.prod.outlook.com> MIME-Version: 1.0 X-OriginatorOrg: bitdefender.com X-MS-Exchange-CrossTenant-Network-Message-Id: 48dd1b75-aeeb-4f83-f3e4-08d7a58553ad X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2020 13:07:15.1225 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 487baf29-f1da-469a-9221-243f830c36f3 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: cnvvH0TfUf0Kik5l3X7snc3wPQy31XqZNxc7ouCgqPoxVlP2jbCD19YUJt54D/MDExs56c9ZL5/YmwznCF4GhwK+Sp3Jrc0d/uzvSC6wQNk= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR02MB3093 Subject: [Xen-devel] [PATCH V2] x86/altp2m: Hypercall to set altp2m view visibility X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Kevin Tian , Stefano Stabellini , Julien Grall , Jun Nakajima , Wei Liu , Konrad Rzeszutek Wilk , George Dunlap , Andrew Cooper , Ian Jackson , Alexandru Stefan ISAILA , =?utf-8?B?Um9nZXIgUGF1IE1vbm7DqQ==?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) At this moment a guest can call vmfunc to change the altp2m view. This should be limited in order to avoid any unwanted view switch. The new xc_altp2m_set_visibility() solves this by making views invisible to vmfunc. This is done by having a separate arch.altp2m_working_eptp that is populated and made invalid in the same places as altp2m_eptp. This is written to EPTP_LIST_ADDR. The views are made in/visible by marking them with INVALID_MFN or copying them back from altp2m_eptp. To have consistency the visibility also applies to p2m_switch_domain_altp2m_by_id(). Signed-off-by: Alexandru Isaila --- CC: Ian Jackson CC: Wei Liu CC: Andrew Cooper CC: George Dunlap CC: Jan Beulich CC: Julien Grall CC: Konrad Rzeszutek Wilk CC: Stefano Stabellini CC: "Roger Pau Monn=C3=A9" CC: Jun Nakajima CC: Kevin Tian CC: George Dunlap --- Changes since V1: - Drop double view from title. --- tools/libxc/include/xenctrl.h | 2 ++ tools/libxc/xc_altp2m.c | 24 ++++++++++++++++++++++++ xen/arch/x86/hvm/hvm.c | 25 +++++++++++++++++++++++++ xen/arch/x86/hvm/vmx/vmx.c | 2 +- xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++ xen/arch/x86/mm/p2m-ept.c | 1 + xen/arch/x86/mm/p2m.c | 5 ++++- xen/include/asm-x86/domain.h | 1 + xen/include/public/hvm/hvm_op.h | 10 ++++++++++ 9 files changed, 83 insertions(+), 2 deletions(-) diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index cc4eb1e3d3..dbea7861e7 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h @@ -1943,6 +1943,8 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32= _t domid, xen_pfn_t new_gfn); int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid, uint32_t vcpuid, uint16_t *p2midx); +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, + uint16_t view_id, bool visible); =20 /**=20 * Mem paging operations. diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c index 46fb725806..6987c9541f 100644 --- a/tools/libxc/xc_altp2m.c +++ b/tools/libxc/xc_altp2m.c @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, u= int32_t domid, xc_hypercall_buffer_free(handle, arg); return rc; } + +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, + uint16_t view_id, bool visible) +{ + int rc; + + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg); + + arg =3D xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg)); + if ( arg =3D=3D NULL ) + return -1; + + arg->version =3D HVMOP_ALTP2M_INTERFACE_VERSION; + arg->cmd =3D HVMOP_altp2m_set_visibility; + arg->domain =3D domid; + arg->u.set_visibility.altp2m_idx =3D view_id; + arg->u.set_visibility.visible =3D visible; + + rc =3D xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m, + HYPERCALL_BUFFER_AS_ARG(arg)); + + xc_hypercall_buffer_free(handle, arg); + return rc; +} diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 0b93609a82..a41e9b6356 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -4537,6 +4537,7 @@ static int do_altp2m_op( case HVMOP_altp2m_get_mem_access: case HVMOP_altp2m_change_gfn: case HVMOP_altp2m_get_p2m_idx: + case HVMOP_altp2m_set_visibility: break; =20 default: @@ -4814,6 +4815,30 @@ static int do_altp2m_op( break; } =20 + case HVMOP_altp2m_set_visibility: + { + uint16_t altp2m_idx =3D a.u.set_visibility.altp2m_idx; + + if ( a.u.set_visibility.pad || a.u.set_visibility.pad2 ) + rc =3D -EINVAL; + else + { + if ( !altp2m_active(d) || !hap_enabled(d) ) + { + rc =3D -EOPNOTSUPP; + break; + } + + if ( a.u.set_visibility.visible ) + d->arch.altp2m_working_eptp[altp2m_idx] =3D + d->arch.altp2m_eptp[altp2m_idx]; + else + d->arch.altp2m_working_eptp[altp2m_idx] =3D + mfn_x(INVALID_MFN); + } + break; + } + default: ASSERT_UNREACHABLE(); } diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index b262d38a7c..65fe75383f 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2139,7 +2139,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v) { v->arch.hvm.vmx.secondary_exec_control |=3D mask; __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING); - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp)); + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_ept= p)); =20 if ( cpu_has_vmx_virt_exceptions ) { diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index 3d93f3451c..5969ec8922 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -488,8 +488,17 @@ int hap_enable(struct domain *d, u32 mode) goto out; } =20 + if ( (d->arch.altp2m_working_eptp =3D alloc_xenheap_page()) =3D=3D= NULL ) + { + rv =3D -ENOMEM; + goto out; + } + for ( i =3D 0; i < MAX_EPTP; i++ ) + { d->arch.altp2m_eptp[i] =3D mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[i] =3D mfn_x(INVALID_MFN); + } =20 for ( i =3D 0; i < MAX_ALTP2M; i++ ) { @@ -523,6 +532,12 @@ void hap_final_teardown(struct domain *d) d->arch.altp2m_eptp =3D NULL; } =20 + if ( d->arch.altp2m_working_eptp ) + { + free_xenheap_page(d->arch.altp2m_working_eptp); + d->arch.altp2m_working_eptp =3D NULL; + } + for ( i =3D 0; i < MAX_ALTP2M; i++ ) p2m_teardown(d->arch.altp2m_p2m[i]); } diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index 05a5526e08..0e740ed58e 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -1361,6 +1361,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned i= nt i) ept =3D &p2m->ept; ept->mfn =3D pagetable_get_pfn(p2m_get_pagetable(p2m)); d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] =3D ept->eptp; + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] =3D ept->= eptp; } =20 unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 49cc138362..008357b761 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2531,6 +2531,7 @@ void p2m_flush_altp2m(struct domain *d) { p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE); d->arch.altp2m_eptp[i] =3D mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[i] =3D mfn_x(INVALID_MFN); } =20 altp2m_list_unlock(d); @@ -2651,6 +2652,8 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsign= ed int idx) p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE); d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =3D mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)]= =3D + mfn_x(INVALID_MFN); rc =3D 0; } } @@ -2677,7 +2680,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, = unsigned int idx) rc =3D -EINVAL; altp2m_list_lock(d); =20 - if ( d->arch.altp2m_eptp[idx] !=3D mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_working_eptp[idx] !=3D mfn_x(INVALID_MFN) ) { for_each_vcpu( d, v ) if ( idx !=3D vcpu_altp2m(v).p2midx ) diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h index a3ae5d9a20..9d36f490e4 100644 --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h @@ -326,6 +326,7 @@ struct arch_domain struct p2m_domain *altp2m_p2m[MAX_ALTP2M]; mm_lock_t altp2m_list_lock; uint64_t *altp2m_eptp; + uint64_t *altp2m_working_eptp; #endif =20 /* NB. protected by d->event_lock and by irq_desc[irq].lock */ diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_o= p.h index 610e020a62..17a29615ed 100644 --- a/xen/include/public/hvm/hvm_op.h +++ b/xen/include/public/hvm/hvm_op.h @@ -317,6 +317,13 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx { uint16_t altp2m_idx; }; =20 +struct xen_hvm_altp2m_set_visibility { + uint16_t altp2m_idx; + uint8_t visible; + uint8_t pad; + uint32_t pad2; +}; + struct xen_hvm_altp2m_op { uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */ uint32_t cmd; @@ -349,6 +356,8 @@ struct xen_hvm_altp2m_op { #define HVMOP_altp2m_get_p2m_idx 14 /* Set the "Supress #VE" bit for a range of pages */ #define HVMOP_altp2m_set_suppress_ve_multi 15 +/* Set visibility for a given altp2m view */ +#define HVMOP_altp2m_set_visibility 16 domid_t domain; uint16_t pad1; uint32_t pad2; @@ -366,6 +375,7 @@ struct xen_hvm_altp2m_op { struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi; struct xen_hvm_altp2m_vcpu_disable_notify disable_notify; struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx; + struct xen_hvm_altp2m_set_visibility set_visibility; uint8_t pad[64]; } u; }; --=20 2.17.1 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel