This series implements separation of dom0 into separate hardware and
control domains. It uses the capabilities idea from Hyperlaunch -
hardware, control, and xenstore. It's been tested with dom0 as hardware
& xenstore, dom1 as control, and dom2 as a domU.

Running hardware and xenstore together eases the implementation.
Xenstore permissions were tested with a hyperlaunched xenstore stubdom.

C xenstored is needed to use grant mapping instead of foreign mapping -
this is especially needed for hwdom to provide the xenstore to control.

Xen seeds the xenstore grant entries since init-dom0less in the hardware
domain does not have permission to map the grant table.

There is a dependency on an ImageBuilder update to generate the
capability device tree nodes. An update for the automation is in the
last commit - not to be committed.

The early patches re-work dom0less code to allow construction of hwdom.

There are some changes to expose the capabilities to the toolstack.

xenstored is changed to track dom0_domid (hwdom) and priv_domid. This
works for only a single one of each.

Then there are a bunch of changes to the XSM dummy policy. The sysctls
are the most problematic. With a coarse-grained policy, they are allowed
for both hwdom and control. Flask can be used for fine-grained control.

Finally, an automation test is added.
Daniel P. Smith (1):
  xen: introduce hardware domain create flag

Jason Andryuk (22):
  xen/arm: Factor out construct_hwdom()
  xen/arm: dom0less hwdom construction
  xen/arm: dom0less use domid 0 for hwdom
  xen/arm: Add capabilities to dom0less
  xen/domctl: Expose privileged and hardware capabilities
  tools/libxl: Expose hardware and privileged flags
  xen/arm: dom0less seed xenstore grant table entry
  tools/init-dom0less: Only seed legacy xenstore grants
  xen/arm: dom0less delay xenstore initialization
  tools/xenstored: Automatically set dom0_domid and priv_domid
  tools/xl: Print domain capabilities with verbose
  xsm/dummy: Allow XS_PRIV XEN_SYSCTL_getdomaininfolist
  xsm/dummy: Allow XS_PRIV to call get_hvm_param
  xen/xsm: Add XSM_HW_PRIV
  xsm/dummy: Allow hwdom xen_version
  xsm/dummy: Allow hwdom more - except targeting control
  xsm/dummy: Allow hwdom SYSCTL_readconsole/physinfo
  xsm/dummy: Allow sysctls to both hardware and control
  xsm/silo: Support hwdom/control domains
  automation/dom0less-arm64: Use double quotes
  automation: Add arm64 hardware/control split test
  DO NOT COMMIT: automation: updated imagebuilder
automation/gitlab-ci/test.yaml | 8 +
.../scripts/qemu-smoke-dom0less-arm64.sh | 87 ++++++++--
docs/man/xl.1.pod.in | 3 +-
docs/misc/arm/device-tree/booting.txt | 11 ++
tools/helpers/init-dom0less.c | 10 +-
tools/include/libxl.h | 16 ++
tools/libs/light/libxl_domain.c | 2 +
tools/libs/light/libxl_types.idl | 2 +
tools/xenstored/domain.c | 16 ++
tools/xl/xl_info.c | 24 ++-
xen/arch/arm/dom0less-build.c | 164 +++++++++++++-----
xen/arch/arm/domain.c | 3 +-
xen/arch/arm/domain_build.c | 35 ++--
xen/arch/arm/hvm.c | 2 +-
xen/arch/arm/include/asm/dom0less-build.h | 2 +
xen/arch/arm/include/asm/domain_build.h | 2 +
xen/arch/arm/platform_hypercall.c | 2 +-
xen/arch/x86/hvm/hvm.c | 8 +-
xen/arch/x86/msi.c | 2 +-
xen/arch/x86/physdev.c | 12 +-
xen/arch/x86/platform_hypercall.c | 2 +-
xen/arch/x86/setup.c | 3 +-
xen/common/domain.c | 2 +-
xen/common/domctl.c | 2 +
xen/common/grant_table.c | 10 ++
xen/common/sysctl.c | 2 +-
xen/drivers/passthrough/pci.c | 5 +-
xen/drivers/pci/physdev.c | 2 +-
xen/include/public/bootfdt.h | 27 +++
xen/include/public/domctl.h | 6 +
xen/include/xen/domain.h | 2 +
xen/include/xen/grant_table.h | 8 +
xen/include/xsm/dummy.h | 55 ++++--
xen/include/xsm/xsm.h | 1 +
xen/xsm/silo.c | 9 +-
35 files changed, 431 insertions(+), 116 deletions(-)
create mode 100644 xen/include/public/bootfdt.h
--
2.48.1