tools/libxc/include/xenctrl.h | 7 +++++++ tools/libxc/xc_altp2m.c | 24 +++++++++++++++++++++++ xen/arch/x86/hvm/hvm.c | 14 ++++++++++++++ xen/arch/x86/hvm/vmx/vmx.c | 2 +- xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++ xen/arch/x86/mm/p2m-ept.c | 1 + xen/arch/x86/mm/p2m.c | 34 +++++++++++++++++++++++++++++++-- xen/include/asm-x86/domain.h | 1 + xen/include/asm-x86/p2m.h | 4 ++++ xen/include/public/hvm/hvm_op.h | 9 +++++++++ 10 files changed, 108 insertions(+), 3 deletions(-)
At this moment a guest can call vmfunc to change the altp2m view. This
should be limited in order to avoid any unwanted view switch.
The new xc_altp2m_set_visibility() solves this by making views invisible
to vmfunc.
This is done by having a separate arch.altp2m_working_eptp that is
populated and made invalid in the same places as altp2m_eptp. This is
written to EPTP_LIST_ADDR.
The views are made in/visible by marking them with INVALID_MFN or
copying them back from altp2m_eptp.
To have consistency the visibility also applies to
p2m_switch_domain_altp2m_by_id().
The usage of this hypercall is aimed at dom0 having a logic with a number of views
created and at some time there is a need to be sure that only some of the views
can be switched, saving the rest and making them visible when the time
is right.
Note: If altp2m mode is set to mixed the guest is able to change the view
visibility and then call vmfunc.
Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
---
CC: Ian Jackson <ian.jackson@eu.citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: "Roger Pau Monné" <roger.pau@citrix.com>
CC: Jun Nakajima <jun.nakajima@intel.com>
CC: Kevin Tian <kevin.tian@intel.com>
---
Changes since V6:
- Update commit message.
Changes since V5:
- Change idx type from uint16_t to unsigned int
- Add rc var and dropped the err return from p2m_get_suppress_ve().
Changes since V4:
- Move p2m specific things from hvm to p2m.c
- Add comment for altp2m_idx bounds check
- Add altp2m_list_lock/unlock().
Changes since V3:
- Change var name form altp2m_idx to idx to shorten line length
- Add bounds check for idx
- Update commit message
- Add comment in xenctrl.h.
Changes since V2:
- Drop hap_enabled() check
- Reduce the indentation depth in hvm.c
- Fix assignment indentation
- Drop pad2.
Changes since V1:
- Drop double view from title.
---
tools/libxc/include/xenctrl.h | 7 +++++++
tools/libxc/xc_altp2m.c | 24 +++++++++++++++++++++++
xen/arch/x86/hvm/hvm.c | 14 ++++++++++++++
xen/arch/x86/hvm/vmx/vmx.c | 2 +-
xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++
xen/arch/x86/mm/p2m-ept.c | 1 +
xen/arch/x86/mm/p2m.c | 34 +++++++++++++++++++++++++++++++--
xen/include/asm-x86/domain.h | 1 +
xen/include/asm-x86/p2m.h | 4 ++++
xen/include/public/hvm/hvm_op.h | 9 +++++++++
10 files changed, 108 insertions(+), 3 deletions(-)
diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index fc6e57a1a0..2e6e652678 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -1943,6 +1943,13 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid,
xen_pfn_t new_gfn);
int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
uint32_t vcpuid, uint16_t *p2midx);
+/*
+ * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
+ * Note: If altp2m mode is set to mixed the guest is able to change the view
+ * visibility and then call vmfunc.
+ */
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+ uint16_t view_id, bool visible);
/**
* Mem paging operations.
diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
index 46fb725806..6987c9541f 100644
--- a/tools/libxc/xc_altp2m.c
+++ b/tools/libxc/xc_altp2m.c
@@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
xc_hypercall_buffer_free(handle, arg);
return rc;
}
+
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+ uint16_t view_id, bool visible)
+{
+ int rc;
+
+ DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
+
+ arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
+ if ( arg == NULL )
+ return -1;
+
+ arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
+ arg->cmd = HVMOP_altp2m_set_visibility;
+ arg->domain = domid;
+ arg->u.set_visibility.altp2m_idx = view_id;
+ arg->u.set_visibility.visible = visible;
+
+ rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
+ HYPERCALL_BUFFER_AS_ARG(arg));
+
+ xc_hypercall_buffer_free(handle, arg);
+ return rc;
+}
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index a3d115b650..375e9cf368 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4511,6 +4511,7 @@ static int do_altp2m_op(
case HVMOP_altp2m_get_mem_access:
case HVMOP_altp2m_change_gfn:
case HVMOP_altp2m_get_p2m_idx:
+ case HVMOP_altp2m_set_visibility:
break;
default:
@@ -4788,6 +4789,19 @@ static int do_altp2m_op(
break;
}
+ case HVMOP_altp2m_set_visibility:
+ {
+ unsigned int idx = a.u.set_visibility.altp2m_idx;
+
+ if ( a.u.set_visibility.pad )
+ rc = -EINVAL;
+ else if ( !altp2m_active(d) )
+ rc = -EOPNOTSUPP;
+ else
+ rc = p2m_set_altp2m_view_visibility(d, idx,
+ a.u.set_visibility.visible);
+ }
+
default:
ASSERT_UNREACHABLE();
}
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index d265ed46ad..bb44ef39a1 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
{
v->arch.hvm.vmx.secondary_exec_control |= mask;
__vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
- __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
+ __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp));
if ( cpu_has_vmx_virt_exceptions )
{
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index a6d5e39b02..372c84da9b 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -493,8 +493,17 @@ int hap_enable(struct domain *d, u32 mode)
goto out;
}
+ if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
+ {
+ rv = -ENOMEM;
+ goto out;
+ }
+
for ( i = 0; i < MAX_EPTP; i++ )
+ {
d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
+ }
for ( i = 0; i < MAX_ALTP2M; i++ )
{
@@ -528,6 +537,12 @@ void hap_final_teardown(struct domain *d)
d->arch.altp2m_eptp = NULL;
}
+ if ( d->arch.altp2m_working_eptp )
+ {
+ free_xenheap_page(d->arch.altp2m_working_eptp);
+ d->arch.altp2m_working_eptp = NULL;
+ }
+
for ( i = 0; i < MAX_ALTP2M; i++ )
p2m_teardown(d->arch.altp2m_p2m[i]);
}
diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index eb0f0edfef..6539ca619b 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
ept = &p2m->ept;
ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
+ d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
}
unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index d93c418bcf..0526bff5b2 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2515,6 +2515,7 @@ void p2m_flush_altp2m(struct domain *d)
{
p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
}
altp2m_list_unlock(d);
@@ -2634,7 +2635,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
{
p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
- mfn_x(INVALID_MFN);
+ mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
+ mfn_x(INVALID_MFN);
rc = 0;
}
}
@@ -2661,7 +2664,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
rc = -EINVAL;
altp2m_list_lock(d);
- if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
+ if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
{
for_each_vcpu( d, v )
if ( idx != vcpu_altp2m(v).p2midx )
@@ -3145,6 +3148,33 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
return rc;
}
+
+int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int altp2m_idx,
+ uint8_t visible)
+{
+ int rc = 0;
+
+ altp2m_list_lock(d);
+
+ /*
+ * Eptp index is correlated with altp2m index and should not exceed
+ * min(MAX_ALTP2M, MAX_EPTP).
+ */
+ if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
+ d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
+ mfn_x(INVALID_MFN) )
+ rc = -EINVAL;
+ else if ( visible )
+ d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
+ d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)];
+ else
+ d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
+ mfn_x(INVALID_MFN);
+
+ altp2m_list_unlock(d);
+
+ return rc;
+}
#endif
/*
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index 105adf96eb..800e12eae5 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -327,6 +327,7 @@ struct arch_domain
struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
mm_lock_t altp2m_list_lock;
uint64_t *altp2m_eptp;
+ uint64_t *altp2m_working_eptp;
#endif
/* NB. protected by d->event_lock and by irq_desc[irq].lock */
diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
index a2c6049834..ace3573ae8 100644
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -898,6 +898,10 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx,
int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn,
mfn_t mfn, unsigned int page_order,
p2m_type_t p2mt, p2m_access_t p2ma);
+
+/* Set a specific p2m view visibility */
+int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int idx,
+ uint8_t visible);
#else
struct p2m_domain *p2m_get_altp2m(struct vcpu *v);
static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) {}
diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
index b599d3cbd0..870ec52060 100644
--- a/xen/include/public/hvm/hvm_op.h
+++ b/xen/include/public/hvm/hvm_op.h
@@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
uint16_t altp2m_idx;
};
+struct xen_hvm_altp2m_set_visibility {
+ uint16_t altp2m_idx;
+ uint8_t visible;
+ uint8_t pad;
+};
+
struct xen_hvm_altp2m_op {
uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */
uint32_t cmd;
@@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
#define HVMOP_altp2m_get_p2m_idx 14
/* Set the "Supress #VE" bit for a range of pages */
#define HVMOP_altp2m_set_suppress_ve_multi 15
+/* Set visibility for a given altp2m view */
+#define HVMOP_altp2m_set_visibility 16
domid_t domain;
uint16_t pad1;
uint32_t pad2;
@@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi;
struct xen_hvm_altp2m_vcpu_disable_notify disable_notify;
struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx;
+ struct xen_hvm_altp2m_set_visibility set_visibility;
uint8_t pad[64];
} u;
};
--
2.17.1
On 30.03.2020 08:54, Alexandru Isaila wrote: > At this moment a guest can call vmfunc to change the altp2m view. This > should be limited in order to avoid any unwanted view switch. > > The new xc_altp2m_set_visibility() solves this by making views invisible > to vmfunc. > This is done by having a separate arch.altp2m_working_eptp that is > populated and made invalid in the same places as altp2m_eptp. This is > written to EPTP_LIST_ADDR. > The views are made in/visible by marking them with INVALID_MFN or > copying them back from altp2m_eptp. > To have consistency the visibility also applies to > p2m_switch_domain_altp2m_by_id(). > > The usage of this hypercall is aimed at dom0 having a logic with a number of views > created and at some time there is a need to be sure that only some of the views > can be switched, saving the rest and making them visible when the time > is right. > > Note: If altp2m mode is set to mixed the guest is able to change the view > visibility and then call vmfunc. > > Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> For v6 I did provide a hypervisor side R-b; I didn't think ... > Changes since V6: > - Update commit message. ... this alone would have warranted to drop it? Jan
On 31.03.2020 10:43, Jan Beulich wrote: > On 30.03.2020 08:54, Alexandru Isaila wrote: >> At this moment a guest can call vmfunc to change the altp2m view. This >> should be limited in order to avoid any unwanted view switch. >> >> The new xc_altp2m_set_visibility() solves this by making views invisible >> to vmfunc. >> This is done by having a separate arch.altp2m_working_eptp that is >> populated and made invalid in the same places as altp2m_eptp. This is >> written to EPTP_LIST_ADDR. >> The views are made in/visible by marking them with INVALID_MFN or >> copying them back from altp2m_eptp. >> To have consistency the visibility also applies to >> p2m_switch_domain_altp2m_by_id(). >> >> The usage of this hypercall is aimed at dom0 having a logic with a number of views >> created and at some time there is a need to be sure that only some of the views >> can be switched, saving the rest and making them visible when the time >> is right. >> >> Note: If altp2m mode is set to mixed the guest is able to change the view >> visibility and then call vmfunc. >> >> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> > > For v6 I did provide a hypervisor side R-b; I didn't think ... No you didn't. > >> Changes since V6: >> - Update commit message. > > ... this alone would have warranted to drop it? I don't think so and if you provide a r-b now I will add it if it will be a need for another version (if nothing big changes). Thanks, Alex
On 31.03.2020 09:54, Isaila Alexandru wrote: > > > On 31.03.2020 10:43, Jan Beulich wrote: >> On 30.03.2020 08:54, Alexandru Isaila wrote: >>> At this moment a guest can call vmfunc to change the altp2m view. This >>> should be limited in order to avoid any unwanted view switch. >>> >>> The new xc_altp2m_set_visibility() solves this by making views invisible >>> to vmfunc. >>> This is done by having a separate arch.altp2m_working_eptp that is >>> populated and made invalid in the same places as altp2m_eptp. This is >>> written to EPTP_LIST_ADDR. >>> The views are made in/visible by marking them with INVALID_MFN or >>> copying them back from altp2m_eptp. >>> To have consistency the visibility also applies to >>> p2m_switch_domain_altp2m_by_id(). >>> >>> The usage of this hypercall is aimed at dom0 having a logic with a number of views >>> created and at some time there is a need to be sure that only some of the views >>> can be switched, saving the rest and making them visible when the time >>> is right. >>> >>> Note: If altp2m mode is set to mixed the guest is able to change the view >>> visibility and then call vmfunc. >>> >>> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> >> >> For v6 I did provide a hypervisor side R-b; I didn't think ... > > No you didn't. https://lists.xenproject.org/archives/html/xen-devel/2020-03/msg00145.html Jan
> From: Alexandru Isaila <aisaila@bitdefender.com>
> Sent: Monday, March 30, 2020 2:55 PM
>
> At this moment a guest can call vmfunc to change the altp2m view. This
> should be limited in order to avoid any unwanted view switch.
>
> The new xc_altp2m_set_visibility() solves this by making views invisible
> to vmfunc.
> This is done by having a separate arch.altp2m_working_eptp that is
> populated and made invalid in the same places as altp2m_eptp. This is
> written to EPTP_LIST_ADDR.
> The views are made in/visible by marking them with INVALID_MFN or
> copying them back from altp2m_eptp.
> To have consistency the visibility also applies to
> p2m_switch_domain_altp2m_by_id().
>
> The usage of this hypercall is aimed at dom0 having a logic with a number of
> views
> created and at some time there is a need to be sure that only some of the
> views
> can be switched, saving the rest and making them visible when the time
> is right.
>
> Note: If altp2m mode is set to mixed the guest is able to change the view
> visibility and then call vmfunc.
>
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
> ---
> CC: Ian Jackson <ian.jackson@eu.citrix.com>
> CC: Wei Liu <wl@xen.org>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: George Dunlap <George.Dunlap@eu.citrix.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: "Roger Pau Monné" <roger.pau@citrix.com>
> CC: Jun Nakajima <jun.nakajima@intel.com>
> CC: Kevin Tian <kevin.tian@intel.com>
> ---
> Changes since V6:
> - Update commit message.
>
> Changes since V5:
> - Change idx type from uint16_t to unsigned int
> - Add rc var and dropped the err return from p2m_get_suppress_ve().
>
> Changes since V4:
> - Move p2m specific things from hvm to p2m.c
> - Add comment for altp2m_idx bounds check
> - Add altp2m_list_lock/unlock().
>
> Changes since V3:
> - Change var name form altp2m_idx to idx to shorten line length
> - Add bounds check for idx
> - Update commit message
> - Add comment in xenctrl.h.
>
> Changes since V2:
> - Drop hap_enabled() check
> - Reduce the indentation depth in hvm.c
> - Fix assignment indentation
> - Drop pad2.
>
> Changes since V1:
> - Drop double view from title.
> ---
> tools/libxc/include/xenctrl.h | 7 +++++++
> tools/libxc/xc_altp2m.c | 24 +++++++++++++++++++++++
> xen/arch/x86/hvm/hvm.c | 14 ++++++++++++++
> xen/arch/x86/hvm/vmx/vmx.c | 2 +-
> xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++
> xen/arch/x86/mm/p2m-ept.c | 1 +
> xen/arch/x86/mm/p2m.c | 34 +++++++++++++++++++++++++++++++--
> xen/include/asm-x86/domain.h | 1 +
> xen/include/asm-x86/p2m.h | 4 ++++
> xen/include/public/hvm/hvm_op.h | 9 +++++++++
> 10 files changed, 108 insertions(+), 3 deletions(-)
>
> diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
> index fc6e57a1a0..2e6e652678 100644
> --- a/tools/libxc/include/xenctrl.h
> +++ b/tools/libxc/include/xenctrl.h
> @@ -1943,6 +1943,13 @@ int xc_altp2m_change_gfn(xc_interface *handle,
> uint32_t domid,
> xen_pfn_t new_gfn);
> int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
> uint32_t vcpuid, uint16_t *p2midx);
> +/*
> + * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
> + * Note: If altp2m mode is set to mixed the guest is able to change the view
> + * visibility and then call vmfunc.
> + */
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible);
>
> /**
> * Mem paging operations.
> diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
> index 46fb725806..6987c9541f 100644
> --- a/tools/libxc/xc_altp2m.c
> +++ b/tools/libxc/xc_altp2m.c
> @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface
> *handle, uint32_t domid,
> xc_hypercall_buffer_free(handle, arg);
> return rc;
> }
> +
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible)
> +{
> + int rc;
> +
> + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
> +
> + arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
> + if ( arg == NULL )
> + return -1;
> +
> + arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
> + arg->cmd = HVMOP_altp2m_set_visibility;
> + arg->domain = domid;
> + arg->u.set_visibility.altp2m_idx = view_id;
> + arg->u.set_visibility.visible = visible;
> +
> + rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
> + HYPERCALL_BUFFER_AS_ARG(arg));
> +
> + xc_hypercall_buffer_free(handle, arg);
> + return rc;
> +}
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index a3d115b650..375e9cf368 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -4511,6 +4511,7 @@ static int do_altp2m_op(
> case HVMOP_altp2m_get_mem_access:
> case HVMOP_altp2m_change_gfn:
> case HVMOP_altp2m_get_p2m_idx:
> + case HVMOP_altp2m_set_visibility:
> break;
>
> default:
> @@ -4788,6 +4789,19 @@ static int do_altp2m_op(
> break;
> }
>
> + case HVMOP_altp2m_set_visibility:
> + {
> + unsigned int idx = a.u.set_visibility.altp2m_idx;
> +
> + if ( a.u.set_visibility.pad )
> + rc = -EINVAL;
> + else if ( !altp2m_active(d) )
> + rc = -EOPNOTSUPP;
> + else
> + rc = p2m_set_altp2m_view_visibility(d, idx,
> + a.u.set_visibility.visible);
> + }
> +
> default:
> ASSERT_UNREACHABLE();
> }
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index d265ed46ad..bb44ef39a1 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct
> vcpu *v)
> {
> v->arch.hvm.vmx.secondary_exec_control |= mask;
> __vmwrite(VM_FUNCTION_CONTROL,
> VMX_VMFUNC_EPTP_SWITCHING);
> - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
> + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d-
> >arch.altp2m_working_eptp));
Is "altp2m_visible_eptp" more accurate here? 'working' is a bit misleading
since even invisible eptp could still work but just not directly togged by
vmfunc...
otherwise,
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
>
> if ( cpu_has_vmx_virt_exceptions )
> {
> diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
> index a6d5e39b02..372c84da9b 100644
> --- a/xen/arch/x86/mm/hap/hap.c
> +++ b/xen/arch/x86/mm/hap/hap.c
> @@ -493,8 +493,17 @@ int hap_enable(struct domain *d, u32 mode)
> goto out;
> }
>
> + if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
> + {
> + rv = -ENOMEM;
> + goto out;
> + }
> +
> for ( i = 0; i < MAX_EPTP; i++ )
> + {
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> + }
>
> for ( i = 0; i < MAX_ALTP2M; i++ )
> {
> @@ -528,6 +537,12 @@ void hap_final_teardown(struct domain *d)
> d->arch.altp2m_eptp = NULL;
> }
>
> + if ( d->arch.altp2m_working_eptp )
> + {
> + free_xenheap_page(d->arch.altp2m_working_eptp);
> + d->arch.altp2m_working_eptp = NULL;
> + }
> +
> for ( i = 0; i < MAX_ALTP2M; i++ )
> p2m_teardown(d->arch.altp2m_p2m[i]);
> }
> diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
> index eb0f0edfef..6539ca619b 100644
> --- a/xen/arch/x86/mm/p2m-ept.c
> +++ b/xen/arch/x86/mm/p2m-ept.c
> @@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d,
> unsigned int i)
> ept = &p2m->ept;
> ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
> d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
> + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept-
> >eptp;
> }
>
> unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
> diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
> index d93c418bcf..0526bff5b2 100644
> --- a/xen/arch/x86/mm/p2m.c
> +++ b/xen/arch/x86/mm/p2m.c
> @@ -2515,6 +2515,7 @@ void p2m_flush_altp2m(struct domain *d)
> {
> p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> }
>
> altp2m_list_unlock(d);
> @@ -2634,7 +2635,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d,
> unsigned int idx)
> {
> p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
> - mfn_x(INVALID_MFN);
> + mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)]
> =
> + mfn_x(INVALID_MFN);
> rc = 0;
> }
> }
> @@ -2661,7 +2664,7 @@ int p2m_switch_domain_altp2m_by_id(struct
> domain *d, unsigned int idx)
> rc = -EINVAL;
> altp2m_list_lock(d);
>
> - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
> + if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
> {
> for_each_vcpu( d, v )
> if ( idx != vcpu_altp2m(v).p2midx )
> @@ -3145,6 +3148,33 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t
> gfn, bool *suppress_ve,
>
> return rc;
> }
> +
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int
> altp2m_idx,
> + uint8_t visible)
> +{
> + int rc = 0;
> +
> + altp2m_list_lock(d);
> +
> + /*
> + * Eptp index is correlated with altp2m index and should not exceed
> + * min(MAX_ALTP2M, MAX_EPTP).
> + */
> + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
> + mfn_x(INVALID_MFN) )
> + rc = -EINVAL;
> + else if ( visible )
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx,
> MAX_EPTP)] =
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)];
> + else
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx,
> MAX_EPTP)] =
> + mfn_x(INVALID_MFN);
> +
> + altp2m_list_unlock(d);
> +
> + return rc;
> +}
> #endif
>
> /*
> diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
> index 105adf96eb..800e12eae5 100644
> --- a/xen/include/asm-x86/domain.h
> +++ b/xen/include/asm-x86/domain.h
> @@ -327,6 +327,7 @@ struct arch_domain
> struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
> mm_lock_t altp2m_list_lock;
> uint64_t *altp2m_eptp;
> + uint64_t *altp2m_working_eptp;
> #endif
>
> /* NB. protected by d->event_lock and by irq_desc[irq].lock */
> diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
> index a2c6049834..ace3573ae8 100644
> --- a/xen/include/asm-x86/p2m.h
> +++ b/xen/include/asm-x86/p2m.h
> @@ -898,6 +898,10 @@ int p2m_change_altp2m_gfn(struct domain *d,
> unsigned int idx,
> int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn,
> mfn_t mfn, unsigned int page_order,
> p2m_type_t p2mt, p2m_access_t p2ma);
> +
> +/* Set a specific p2m view visibility */
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int idx,
> + uint8_t visible);
> #else
> struct p2m_domain *p2m_get_altp2m(struct vcpu *v);
> static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) {}
> diff --git a/xen/include/public/hvm/hvm_op.h
> b/xen/include/public/hvm/hvm_op.h
> index b599d3cbd0..870ec52060 100644
> --- a/xen/include/public/hvm/hvm_op.h
> +++ b/xen/include/public/hvm/hvm_op.h
> @@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
> uint16_t altp2m_idx;
> };
>
> +struct xen_hvm_altp2m_set_visibility {
> + uint16_t altp2m_idx;
> + uint8_t visible;
> + uint8_t pad;
> +};
> +
> struct xen_hvm_altp2m_op {
> uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */
> uint32_t cmd;
> @@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
> #define HVMOP_altp2m_get_p2m_idx 14
> /* Set the "Supress #VE" bit for a range of pages */
> #define HVMOP_altp2m_set_suppress_ve_multi 15
> +/* Set visibility for a given altp2m view */
> +#define HVMOP_altp2m_set_visibility 16
> domid_t domain;
> uint16_t pad1;
> uint32_t pad2;
> @@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
> struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi;
> struct xen_hvm_altp2m_vcpu_disable_notify disable_notify;
> struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx;
> + struct xen_hvm_altp2m_set_visibility set_visibility;
> uint8_t pad[64];
> } u;
> };
> --
> 2.17.1
On 10.04.2020 06:10, Tian, Kevin wrote:
>> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
>> index a3d115b650..375e9cf368 100644
>> --- a/xen/arch/x86/hvm/hvm.c
>> +++ b/xen/arch/x86/hvm/hvm.c
>> @@ -4511,6 +4511,7 @@ static int do_altp2m_op(
>> case HVMOP_altp2m_get_mem_access:
>> case HVMOP_altp2m_change_gfn:
>> case HVMOP_altp2m_get_p2m_idx:
>> + case HVMOP_altp2m_set_visibility:
>> break;
>>
>> default:
>> @@ -4788,6 +4789,19 @@ static int do_altp2m_op(
>> break;
>> }
>>
>> + case HVMOP_altp2m_set_visibility:
>> + {
>> + unsigned int idx = a.u.set_visibility.altp2m_idx;
>> +
>> + if ( a.u.set_visibility.pad )
>> + rc = -EINVAL;
>> + else if ( !altp2m_active(d) )
>> + rc = -EOPNOTSUPP;
>> + else
>> + rc = p2m_set_altp2m_view_visibility(d, idx,
>> + a.u.set_visibility.visible);
>> + }
>> +
>> default:
>> ASSERT_UNREACHABLE();
>> }
>> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
>> index d265ed46ad..bb44ef39a1 100644
>> --- a/xen/arch/x86/hvm/vmx/vmx.c
>> +++ b/xen/arch/x86/hvm/vmx/vmx.c
>> @@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct
>> vcpu *v)
>> {
>> v->arch.hvm.vmx.secondary_exec_control |= mask;
>> __vmwrite(VM_FUNCTION_CONTROL,
>> VMX_VMFUNC_EPTP_SWITCHING);
>> - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
>> + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d-
>>> arch.altp2m_working_eptp));
>
> Is "altp2m_visible_eptp" more accurate here? 'working' is a bit misleading
> since even invisible eptp could still work but just not directly togged by
> vmfunc...
Yes, you are right and I can change this before it is commited.
>
> otherwise,
> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Thanks for the review,
Alex
Are there any more r-b needed for this patch?
Thanks,
Alex
On 30.03.2020 09:54, Alexandru Isaila wrote:
> At this moment a guest can call vmfunc to change the altp2m view. This
> should be limited in order to avoid any unwanted view switch.
>
> The new xc_altp2m_set_visibility() solves this by making views invisible
> to vmfunc.
> This is done by having a separate arch.altp2m_working_eptp that is
> populated and made invalid in the same places as altp2m_eptp. This is
> written to EPTP_LIST_ADDR.
> The views are made in/visible by marking them with INVALID_MFN or
> copying them back from altp2m_eptp.
> To have consistency the visibility also applies to
> p2m_switch_domain_altp2m_by_id().
>
> The usage of this hypercall is aimed at dom0 having a logic with a number of views
> created and at some time there is a need to be sure that only some of the views
> can be switched, saving the rest and making them visible when the time
> is right.
>
> Note: If altp2m mode is set to mixed the guest is able to change the view
> visibility and then call vmfunc.
>
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
> ---
> CC: Ian Jackson <ian.jackson@eu.citrix.com>
> CC: Wei Liu <wl@xen.org>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: George Dunlap <George.Dunlap@eu.citrix.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: "Roger Pau Monné" <roger.pau@citrix.com>
> CC: Jun Nakajima <jun.nakajima@intel.com>
> CC: Kevin Tian <kevin.tian@intel.com>
> ---
> Changes since V6:
> - Update commit message.
>
> Changes since V5:
> - Change idx type from uint16_t to unsigned int
> - Add rc var and dropped the err return from p2m_get_suppress_ve().
>
> Changes since V4:
> - Move p2m specific things from hvm to p2m.c
> - Add comment for altp2m_idx bounds check
> - Add altp2m_list_lock/unlock().
>
> Changes since V3:
> - Change var name form altp2m_idx to idx to shorten line length
> - Add bounds check for idx
> - Update commit message
> - Add comment in xenctrl.h.
>
> Changes since V2:
> - Drop hap_enabled() check
> - Reduce the indentation depth in hvm.c
> - Fix assignment indentation
> - Drop pad2.
>
> Changes since V1:
> - Drop double view from title.
> ---
> tools/libxc/include/xenctrl.h | 7 +++++++
> tools/libxc/xc_altp2m.c | 24 +++++++++++++++++++++++
> xen/arch/x86/hvm/hvm.c | 14 ++++++++++++++
> xen/arch/x86/hvm/vmx/vmx.c | 2 +-
> xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++
> xen/arch/x86/mm/p2m-ept.c | 1 +
> xen/arch/x86/mm/p2m.c | 34 +++++++++++++++++++++++++++++++--
> xen/include/asm-x86/domain.h | 1 +
> xen/include/asm-x86/p2m.h | 4 ++++
> xen/include/public/hvm/hvm_op.h | 9 +++++++++
> 10 files changed, 108 insertions(+), 3 deletions(-)
>
> diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
> index fc6e57a1a0..2e6e652678 100644
> --- a/tools/libxc/include/xenctrl.h
> +++ b/tools/libxc/include/xenctrl.h
> @@ -1943,6 +1943,13 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid,
> xen_pfn_t new_gfn);
> int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
> uint32_t vcpuid, uint16_t *p2midx);
> +/*
> + * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
> + * Note: If altp2m mode is set to mixed the guest is able to change the view
> + * visibility and then call vmfunc.
> + */
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible);
>
> /**
> * Mem paging operations.
> diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
> index 46fb725806..6987c9541f 100644
> --- a/tools/libxc/xc_altp2m.c
> +++ b/tools/libxc/xc_altp2m.c
> @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
> xc_hypercall_buffer_free(handle, arg);
> return rc;
> }
> +
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible)
> +{
> + int rc;
> +
> + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
> +
> + arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
> + if ( arg == NULL )
> + return -1;
> +
> + arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
> + arg->cmd = HVMOP_altp2m_set_visibility;
> + arg->domain = domid;
> + arg->u.set_visibility.altp2m_idx = view_id;
> + arg->u.set_visibility.visible = visible;
> +
> + rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
> + HYPERCALL_BUFFER_AS_ARG(arg));
> +
> + xc_hypercall_buffer_free(handle, arg);
> + return rc;
> +}
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index a3d115b650..375e9cf368 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -4511,6 +4511,7 @@ static int do_altp2m_op(
> case HVMOP_altp2m_get_mem_access:
> case HVMOP_altp2m_change_gfn:
> case HVMOP_altp2m_get_p2m_idx:
> + case HVMOP_altp2m_set_visibility:
> break;
>
> default:
> @@ -4788,6 +4789,19 @@ static int do_altp2m_op(
> break;
> }
>
> + case HVMOP_altp2m_set_visibility:
> + {
> + unsigned int idx = a.u.set_visibility.altp2m_idx;
> +
> + if ( a.u.set_visibility.pad )
> + rc = -EINVAL;
> + else if ( !altp2m_active(d) )
> + rc = -EOPNOTSUPP;
> + else
> + rc = p2m_set_altp2m_view_visibility(d, idx,
> + a.u.set_visibility.visible);
> + }
> +
> default:
> ASSERT_UNREACHABLE();
> }
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index d265ed46ad..bb44ef39a1 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
> {
> v->arch.hvm.vmx.secondary_exec_control |= mask;
> __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
> - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
> + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp));
>
> if ( cpu_has_vmx_virt_exceptions )
> {
> diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
> index a6d5e39b02..372c84da9b 100644
> --- a/xen/arch/x86/mm/hap/hap.c
> +++ b/xen/arch/x86/mm/hap/hap.c
> @@ -493,8 +493,17 @@ int hap_enable(struct domain *d, u32 mode)
> goto out;
> }
>
> + if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
> + {
> + rv = -ENOMEM;
> + goto out;
> + }
> +
> for ( i = 0; i < MAX_EPTP; i++ )
> + {
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> + }
>
> for ( i = 0; i < MAX_ALTP2M; i++ )
> {
> @@ -528,6 +537,12 @@ void hap_final_teardown(struct domain *d)
> d->arch.altp2m_eptp = NULL;
> }
>
> + if ( d->arch.altp2m_working_eptp )
> + {
> + free_xenheap_page(d->arch.altp2m_working_eptp);
> + d->arch.altp2m_working_eptp = NULL;
> + }
> +
> for ( i = 0; i < MAX_ALTP2M; i++ )
> p2m_teardown(d->arch.altp2m_p2m[i]);
> }
> diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
> index eb0f0edfef..6539ca619b 100644
> --- a/xen/arch/x86/mm/p2m-ept.c
> +++ b/xen/arch/x86/mm/p2m-ept.c
> @@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
> ept = &p2m->ept;
> ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
> d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
> + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
> }
>
> unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
> diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
> index d93c418bcf..0526bff5b2 100644
> --- a/xen/arch/x86/mm/p2m.c
> +++ b/xen/arch/x86/mm/p2m.c
> @@ -2515,6 +2515,7 @@ void p2m_flush_altp2m(struct domain *d)
> {
> p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> }
>
> altp2m_list_unlock(d);
> @@ -2634,7 +2635,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
> {
> p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
> - mfn_x(INVALID_MFN);
> + mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
> + mfn_x(INVALID_MFN);
> rc = 0;
> }
> }
> @@ -2661,7 +2664,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
> rc = -EINVAL;
> altp2m_list_lock(d);
>
> - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
> + if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
> {
> for_each_vcpu( d, v )
> if ( idx != vcpu_altp2m(v).p2midx )
> @@ -3145,6 +3148,33 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
>
> return rc;
> }
> +
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int altp2m_idx,
> + uint8_t visible)
> +{
> + int rc = 0;
> +
> + altp2m_list_lock(d);
> +
> + /*
> + * Eptp index is correlated with altp2m index and should not exceed
> + * min(MAX_ALTP2M, MAX_EPTP).
> + */
> + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
> + mfn_x(INVALID_MFN) )
> + rc = -EINVAL;
> + else if ( visible )
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)];
> + else
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
> + mfn_x(INVALID_MFN);
> +
> + altp2m_list_unlock(d);
> +
> + return rc;
> +}
> #endif
>
> /*
> diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
> index 105adf96eb..800e12eae5 100644
> --- a/xen/include/asm-x86/domain.h
> +++ b/xen/include/asm-x86/domain.h
> @@ -327,6 +327,7 @@ struct arch_domain
> struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
> mm_lock_t altp2m_list_lock;
> uint64_t *altp2m_eptp;
> + uint64_t *altp2m_working_eptp;
> #endif
>
> /* NB. protected by d->event_lock and by irq_desc[irq].lock */
> diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
> index a2c6049834..ace3573ae8 100644
> --- a/xen/include/asm-x86/p2m.h
> +++ b/xen/include/asm-x86/p2m.h
> @@ -898,6 +898,10 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx,
> int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn,
> mfn_t mfn, unsigned int page_order,
> p2m_type_t p2mt, p2m_access_t p2ma);
> +
> +/* Set a specific p2m view visibility */
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int idx,
> + uint8_t visible);
> #else
> struct p2m_domain *p2m_get_altp2m(struct vcpu *v);
> static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) {}
> diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
> index b599d3cbd0..870ec52060 100644
> --- a/xen/include/public/hvm/hvm_op.h
> +++ b/xen/include/public/hvm/hvm_op.h
> @@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
> uint16_t altp2m_idx;
> };
>
> +struct xen_hvm_altp2m_set_visibility {
> + uint16_t altp2m_idx;
> + uint8_t visible;
> + uint8_t pad;
> +};
> +
> struct xen_hvm_altp2m_op {
> uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */
> uint32_t cmd;
> @@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
> #define HVMOP_altp2m_get_p2m_idx 14
> /* Set the "Supress #VE" bit for a range of pages */
> #define HVMOP_altp2m_set_suppress_ve_multi 15
> +/* Set visibility for a given altp2m view */
> +#define HVMOP_altp2m_set_visibility 16
> domid_t domain;
> uint16_t pad1;
> uint32_t pad2;
> @@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
> struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi;
> struct xen_hvm_altp2m_vcpu_disable_notify disable_notify;
> struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx;
> + struct xen_hvm_altp2m_set_visibility set_visibility;
> uint8_t pad[64];
> } u;
> };
>
Hi Kevin,
This is a kind reminder if you can have another look at the new version
of this patch.
Thanks,
Alex
On 30.03.2020 09:54, Alexandru Isaila wrote:
> At this moment a guest can call vmfunc to change the altp2m view. This
> should be limited in order to avoid any unwanted view switch.
>
> The new xc_altp2m_set_visibility() solves this by making views invisible
> to vmfunc.
> This is done by having a separate arch.altp2m_working_eptp that is
> populated and made invalid in the same places as altp2m_eptp. This is
> written to EPTP_LIST_ADDR.
> The views are made in/visible by marking them with INVALID_MFN or
> copying them back from altp2m_eptp.
> To have consistency the visibility also applies to
> p2m_switch_domain_altp2m_by_id().
>
> The usage of this hypercall is aimed at dom0 having a logic with a number of views
> created and at some time there is a need to be sure that only some of the views
> can be switched, saving the rest and making them visible when the time
> is right.
>
> Note: If altp2m mode is set to mixed the guest is able to change the view
> visibility and then call vmfunc.
>
> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
> ---
> CC: Ian Jackson <ian.jackson@eu.citrix.com>
> CC: Wei Liu <wl@xen.org>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: George Dunlap <George.Dunlap@eu.citrix.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: "Roger Pau Monné" <roger.pau@citrix.com>
> CC: Jun Nakajima <jun.nakajima@intel.com>
> CC: Kevin Tian <kevin.tian@intel.com>
> ---
> Changes since V6:
> - Update commit message.
>
> Changes since V5:
> - Change idx type from uint16_t to unsigned int
> - Add rc var and dropped the err return from p2m_get_suppress_ve().
>
> Changes since V4:
> - Move p2m specific things from hvm to p2m.c
> - Add comment for altp2m_idx bounds check
> - Add altp2m_list_lock/unlock().
>
> Changes since V3:
> - Change var name form altp2m_idx to idx to shorten line length
> - Add bounds check for idx
> - Update commit message
> - Add comment in xenctrl.h.
>
> Changes since V2:
> - Drop hap_enabled() check
> - Reduce the indentation depth in hvm.c
> - Fix assignment indentation
> - Drop pad2.
>
> Changes since V1:
> - Drop double view from title.
> ---
> tools/libxc/include/xenctrl.h | 7 +++++++
> tools/libxc/xc_altp2m.c | 24 +++++++++++++++++++++++
> xen/arch/x86/hvm/hvm.c | 14 ++++++++++++++
> xen/arch/x86/hvm/vmx/vmx.c | 2 +-
> xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++
> xen/arch/x86/mm/p2m-ept.c | 1 +
> xen/arch/x86/mm/p2m.c | 34 +++++++++++++++++++++++++++++++--
> xen/include/asm-x86/domain.h | 1 +
> xen/include/asm-x86/p2m.h | 4 ++++
> xen/include/public/hvm/hvm_op.h | 9 +++++++++
> 10 files changed, 108 insertions(+), 3 deletions(-)
>
> diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
> index fc6e57a1a0..2e6e652678 100644
> --- a/tools/libxc/include/xenctrl.h
> +++ b/tools/libxc/include/xenctrl.h
> @@ -1943,6 +1943,13 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid,
> xen_pfn_t new_gfn);
> int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
> uint32_t vcpuid, uint16_t *p2midx);
> +/*
> + * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
> + * Note: If altp2m mode is set to mixed the guest is able to change the view
> + * visibility and then call vmfunc.
> + */
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible);
>
> /**
> * Mem paging operations.
> diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
> index 46fb725806..6987c9541f 100644
> --- a/tools/libxc/xc_altp2m.c
> +++ b/tools/libxc/xc_altp2m.c
> @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
> xc_hypercall_buffer_free(handle, arg);
> return rc;
> }
> +
> +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
> + uint16_t view_id, bool visible)
> +{
> + int rc;
> +
> + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
> +
> + arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
> + if ( arg == NULL )
> + return -1;
> +
> + arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
> + arg->cmd = HVMOP_altp2m_set_visibility;
> + arg->domain = domid;
> + arg->u.set_visibility.altp2m_idx = view_id;
> + arg->u.set_visibility.visible = visible;
> +
> + rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
> + HYPERCALL_BUFFER_AS_ARG(arg));
> +
> + xc_hypercall_buffer_free(handle, arg);
> + return rc;
> +}
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index a3d115b650..375e9cf368 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -4511,6 +4511,7 @@ static int do_altp2m_op(
> case HVMOP_altp2m_get_mem_access:
> case HVMOP_altp2m_change_gfn:
> case HVMOP_altp2m_get_p2m_idx:
> + case HVMOP_altp2m_set_visibility:
> break;
>
> default:
> @@ -4788,6 +4789,19 @@ static int do_altp2m_op(
> break;
> }
>
> + case HVMOP_altp2m_set_visibility:
> + {
> + unsigned int idx = a.u.set_visibility.altp2m_idx;
> +
> + if ( a.u.set_visibility.pad )
> + rc = -EINVAL;
> + else if ( !altp2m_active(d) )
> + rc = -EOPNOTSUPP;
> + else
> + rc = p2m_set_altp2m_view_visibility(d, idx,
> + a.u.set_visibility.visible);
> + }
> +
> default:
> ASSERT_UNREACHABLE();
> }
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index d265ed46ad..bb44ef39a1 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
> {
> v->arch.hvm.vmx.secondary_exec_control |= mask;
> __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
> - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
> + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp));
>
> if ( cpu_has_vmx_virt_exceptions )
> {
> diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
> index a6d5e39b02..372c84da9b 100644
> --- a/xen/arch/x86/mm/hap/hap.c
> +++ b/xen/arch/x86/mm/hap/hap.c
> @@ -493,8 +493,17 @@ int hap_enable(struct domain *d, u32 mode)
> goto out;
> }
>
> + if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
> + {
> + rv = -ENOMEM;
> + goto out;
> + }
> +
> for ( i = 0; i < MAX_EPTP; i++ )
> + {
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> + }
>
> for ( i = 0; i < MAX_ALTP2M; i++ )
> {
> @@ -528,6 +537,12 @@ void hap_final_teardown(struct domain *d)
> d->arch.altp2m_eptp = NULL;
> }
>
> + if ( d->arch.altp2m_working_eptp )
> + {
> + free_xenheap_page(d->arch.altp2m_working_eptp);
> + d->arch.altp2m_working_eptp = NULL;
> + }
> +
> for ( i = 0; i < MAX_ALTP2M; i++ )
> p2m_teardown(d->arch.altp2m_p2m[i]);
> }
> diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
> index eb0f0edfef..6539ca619b 100644
> --- a/xen/arch/x86/mm/p2m-ept.c
> +++ b/xen/arch/x86/mm/p2m-ept.c
> @@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
> ept = &p2m->ept;
> ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
> d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
> + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
> }
>
> unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
> diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
> index d93c418bcf..0526bff5b2 100644
> --- a/xen/arch/x86/mm/p2m.c
> +++ b/xen/arch/x86/mm/p2m.c
> @@ -2515,6 +2515,7 @@ void p2m_flush_altp2m(struct domain *d)
> {
> p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
> }
>
> altp2m_list_unlock(d);
> @@ -2634,7 +2635,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
> {
> p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
> d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
> - mfn_x(INVALID_MFN);
> + mfn_x(INVALID_MFN);
> + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
> + mfn_x(INVALID_MFN);
> rc = 0;
> }
> }
> @@ -2661,7 +2664,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
> rc = -EINVAL;
> altp2m_list_lock(d);
>
> - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
> + if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
> {
> for_each_vcpu( d, v )
> if ( idx != vcpu_altp2m(v).p2midx )
> @@ -3145,6 +3148,33 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve,
>
> return rc;
> }
> +
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int altp2m_idx,
> + uint8_t visible)
> +{
> + int rc = 0;
> +
> + altp2m_list_lock(d);
> +
> + /*
> + * Eptp index is correlated with altp2m index and should not exceed
> + * min(MAX_ALTP2M, MAX_EPTP).
> + */
> + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
> + mfn_x(INVALID_MFN) )
> + rc = -EINVAL;
> + else if ( visible )
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)];
> + else
> + d->arch.altp2m_working_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] =
> + mfn_x(INVALID_MFN);
> +
> + altp2m_list_unlock(d);
> +
> + return rc;
> +}
> #endif
>
> /*
> diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
> index 105adf96eb..800e12eae5 100644
> --- a/xen/include/asm-x86/domain.h
> +++ b/xen/include/asm-x86/domain.h
> @@ -327,6 +327,7 @@ struct arch_domain
> struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
> mm_lock_t altp2m_list_lock;
> uint64_t *altp2m_eptp;
> + uint64_t *altp2m_working_eptp;
> #endif
>
> /* NB. protected by d->event_lock and by irq_desc[irq].lock */
> diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
> index a2c6049834..ace3573ae8 100644
> --- a/xen/include/asm-x86/p2m.h
> +++ b/xen/include/asm-x86/p2m.h
> @@ -898,6 +898,10 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx,
> int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn,
> mfn_t mfn, unsigned int page_order,
> p2m_type_t p2mt, p2m_access_t p2ma);
> +
> +/* Set a specific p2m view visibility */
> +int p2m_set_altp2m_view_visibility(struct domain *d, unsigned int idx,
> + uint8_t visible);
> #else
> struct p2m_domain *p2m_get_altp2m(struct vcpu *v);
> static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) {}
> diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
> index b599d3cbd0..870ec52060 100644
> --- a/xen/include/public/hvm/hvm_op.h
> +++ b/xen/include/public/hvm/hvm_op.h
> @@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
> uint16_t altp2m_idx;
> };
>
> +struct xen_hvm_altp2m_set_visibility {
> + uint16_t altp2m_idx;
> + uint8_t visible;
> + uint8_t pad;
> +};
> +
> struct xen_hvm_altp2m_op {
> uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */
> uint32_t cmd;
> @@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
> #define HVMOP_altp2m_get_p2m_idx 14
> /* Set the "Supress #VE" bit for a range of pages */
> #define HVMOP_altp2m_set_suppress_ve_multi 15
> +/* Set visibility for a given altp2m view */
> +#define HVMOP_altp2m_set_visibility 16
> domid_t domain;
> uint16_t pad1;
> uint32_t pad2;
> @@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
> struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi;
> struct xen_hvm_altp2m_vcpu_disable_notify disable_notify;
> struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx;
> + struct xen_hvm_altp2m_set_visibility set_visibility;
> uint8_t pad[64];
> } u;
> };
>
© 2016 - 2026 Red Hat, Inc.