Theses are the broad changes needed for a split hardware / control
domain.  I'm mainly focused on the XSM changes, but there are additional
xenstored and init-dom0less changes to make things work.

An earlier posting gave device_model privileges to hardware domain.  For
this posting, it was split out into a new capability.  This way the
operator can choose where to run the device models without making the
hardware domain have the permissions.

The first patch add XSM_HW_PRIV for the hardware hypercalls.  In this
posting, the control domain cannot call these hypercalls.

There is also a new XEN_DOMCTL_CDF_not_hypercall_target flag.  This is
used to mark a domain that cannot be the target of hypercalls.  This is
useful for ensuring a domain has freedom from interference from control
and device model domains.  The control domain can still issue
XSM_DM_PRIV hypercalls.

SILO is changed to allow hardware and xenstore to service domUs.
Xenstore and hardware will use grants for PV interfaces.

xenstored runs in the xenstore domain.  C xenstored is updated to read
the event channel from the domU's grant.  C xenstored must also be used
since it uses grants instead of foreign mapping.

init-dom0less is run from control domain.  auto-introduction of domains
is needed for this to work.  init-dom0less issues xs_introduce_domain
over the xenbus, so it must be functional for control to issue it.

The special casing in "xsm/dummy: Allow HVMOP_get_param for control
domain" is needed for init-dom0less to know if it should or should not
configure xenstore for dom0less xen.enhanced = "no-xenstore".

There are some cosmetic errors from xl related to SYSCTL_physinfo.
libxl: error: libxl_utils.c:818:libxl_cpu_bitmap_alloc: failed to retrieve the maximum number of cpus

Jason Andryuk (17):
  xen/xsm: Add XSM_HW_PRIV
  xsm/silo: Support hardware & xenstore domains
  xen: Add DOMAIN_CAPS_DEVICE_MODEL & XEN_DOMCTL_CDF_device_model
  xen: Introduce XEN_DOMCTL_CDF_not_hypercall_target
  xen/dom0less: Workaround XSM for evtchn_alloc_unbound
  xen/xsm: Expand XSM_XS_PRIV for untargetable domains
  xsm/dummy: Allow HVMOP_get_param for control domain
  public/io: xs_wire: Include event channel in interface page
  xen/dom0less: store xenstore event channel in page
  tools/xenstored: Read event channel from xenstored page
  xen: Add capabilities to get_domain_state
  tools/manage: Expose domain capabilities
  tools/xenstored: Delay firing special watches
  tools/xenstored: Auto-introduce domains
  tools/init-dom0less: Factor out xenstore setup
  tools/init-dom0less: Configure already-introduced domains
  tools/init-dom0less: Continue on error

 docs/misc/arm/device-tree/booting.txt   |  6 ++
 tools/helpers/init-dom0less.c           | 78 +++++++++++++++----------
 tools/include/xenmanage.h               | 14 ++++-
 tools/libs/manage/core.c                | 21 +++++--
 tools/ocaml/libs/xc/xenctrl.ml          |  2 +
 tools/ocaml/libs/xc/xenctrl.mli         |  2 +
 tools/xenstored/core.c                  |  7 ++-
 tools/xenstored/core.h                  |  1 +
 tools/xenstored/domain.c                | 65 ++++++++++++++++-----
 tools/xenstored/domain.h                |  2 +-
 xen/arch/arm/domain.c                   |  4 +-
 xen/arch/arm/platform_hypercall.c       |  2 +-
 xen/arch/x86/msi.c                      |  2 +-
 xen/arch/x86/physdev.c                  | 12 ++--
 xen/arch/x86/platform_hypercall.c       |  2 +-
 xen/common/device-tree/dom0less-build.c | 25 ++++++++
 xen/common/domain.c                     | 11 +++-
 xen/drivers/passthrough/pci.c           |  5 +-
 xen/drivers/pci/physdev.c               |  2 +-
 xen/include/public/bootfdt.h            | 18 +++++-
 xen/include/public/domctl.h             | 13 ++++-
 xen/include/public/io/xs_wire.h         |  7 +++
 xen/include/xen/sched.h                 | 21 +++++++
 xen/include/xsm/dummy.h                 | 34 +++++++----
 xen/include/xsm/xsm.h                   |  1 +
 xen/xsm/silo.c                          | 15 ++++-
 26 files changed, 285 insertions(+), 87 deletions(-)

-- 
2.50.0