[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v11 05/11] x86/mm: add HYPERVISOR_memory_op to acquire guest resources



Certain memory resources associated with a guest are not necessarily
present in the guest P2M.

This patch adds the boilerplate for new memory op to allow such a resource
to be priv-mapped directly, by either a PV or HVM tools domain.

NOTE: Whilst the new op is not intrinsicly specific to the x86 architecture,
      I have no means to test it on an ARM platform and so cannot verify
      that it functions correctly. Hence it is currently only implemented
      for x86.

Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
Cc: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Cc: Tim Deegan <tim@xxxxxxx>
Cc: Wei Liu <wei.liu2@xxxxxxxxxx>

v11:
 - Addressed more comments from Jan.

v9:
 - Addressed more comments from Jan.

v8:
 - Move the code into common as requested by Jan.
 - Make the gmfn_list handle a 64-bit type to avoid limiting the MFN
   range for a 32-bit tools domain.
 - Add missing pad.
 - Add compat code.
 - Make this patch deal with purely boilerplate.
 - Drop George's A-b and Wei's R-b because the changes are non-trivial,
   and update Cc list now the boilerplate is common.

v5:
 - Switched __copy_to/from_guest_offset() to copy_to/from_guest_offset().
---
 tools/flask/policy/modules/xen.if   |   4 +-
 xen/arch/x86/mm/p2m.c               |   3 +-
 xen/common/compat/memory.c          | 145 ++++++++++++++++++++++++++++++++++--
 xen/common/memory.c                 |  90 ++++++++++++++++++++++
 xen/include/asm-x86/p2m.h           |   3 +
 xen/include/public/memory.h         |  43 ++++++++++-
 xen/include/xlat.lst                |   1 +
 xen/include/xsm/dummy.h             |   6 ++
 xen/include/xsm/xsm.h               |   6 ++
 xen/xsm/dummy.c                     |   1 +
 xen/xsm/flask/hooks.c               |   6 ++
 xen/xsm/flask/policy/access_vectors |   2 +
 12 files changed, 300 insertions(+), 10 deletions(-)

diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index 55437496f6..07cba8a15d 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -52,7 +52,8 @@ define(`create_domain_common', `
                        settime setdomainhandle getvcpucontext set_misc_info };
        allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
                        set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
-                       psr_cmt_op psr_cat_op soft_reset set_gnttab_limits };
+                       psr_cmt_op psr_cat_op soft_reset set_gnttab_limits
+                       resource_map };
        allow $1 $2:security check_context;
        allow $1 $2:shadow enable;
        allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op updatemp };
@@ -152,6 +153,7 @@ define(`device_model', `
        allow $1 $2_target:domain { getdomaininfo shutdown };
        allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack 
};
        allow $1 $2_target:hvm { getparam setparam hvmctl cacheattr dm };
+       allow $1 $2_target:domain2 resource_map;
 ')
 
 # make_device_model(priv, dm_dom, hvm_dom)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index c72a3cdebb..71bb9b4f93 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1132,8 +1132,7 @@ static int set_typed_p2m_entry(struct domain *d, unsigned 
long gfn_l,
 }
 
 /* Set foreign mfn in the given guest's p2m table. */
-static int set_foreign_p2m_entry(struct domain *d, unsigned long gfn,
-                                 mfn_t mfn)
+int set_foreign_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn)
 {
     return set_typed_p2m_entry(d, gfn, mfn, PAGE_ORDER_4K, p2m_map_foreign,
                                p2m_get_hostp2m(d)->default_access);
diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index 35bb259808..031d1a48ae 100644
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -71,6 +71,7 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
             struct xen_remove_from_physmap *xrfp;
             struct xen_vnuma_topology_info *vnuma;
             struct xen_mem_access_op *mao;
+            struct xen_mem_acquire_resource *mar;
         } nat;
         union {
             struct compat_memory_reservation rsrv;
@@ -79,6 +80,7 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
             struct compat_add_to_physmap_batch atpb;
             struct compat_vnuma_topology_info vnuma;
             struct compat_mem_access_op mao;
+            struct compat_mem_acquire_resource mar;
         } cmp;
 
         set_xen_guest_handle(nat.hnd, COMPAT_ARG_XLAT_VIRT_BASE);
@@ -395,6 +397,71 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
         }
 #endif
 
+        case XENMEM_acquire_resource:
+        {
+            xen_ulong_t *xen_frame_list = (xen_ulong_t *)(nat.mar + 1);
+            unsigned int max_nr_frames;
+
+            if ( copy_from_guest(&cmp.mar, compat, 1) ||
+                 !compat_handle_okay(cmp.mar.frame_list,
+                                     cmp.mar.nr_frames) )
+                return -EFAULT;
+
+            /*
+             * The number of frames handled is currently limited to a
+             * small number by the underlying implementation, so the
+             * scratch space should be sufficient for bouncing the
+             * frame addresses.
+             */
+            max_nr_frames = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.mar)) /
+                sizeof(*xen_frame_list);
+
+            /* If the number of frames does exceed the maximum that can
+             * be bounced then -E2BIG is returned, but to satisfy the
+             * semantics of the hypercall then we need to get the
+             * maximum number of frames support by the implementation.
+             * This can be done by set nr_frames to zero.
+             */
+            if ( cmp.mar.nr_frames > max_nr_frames )
+            {
+                cmp.mar.nr_frames = 0;
+
+                /*
+                 * Stash the maximum number of frames that can be bounced
+                 * in xen_frame_list[0]. It is needed in the return path.
+                 */
+                xen_frame_list[0] = max_nr_frames;
+            }
+            else if ( cmp.mar.nr_frames == 0 )
+            {
+                /*
+                 * Make sure that xen_frame_list[0] is zero in the case
+                 * when the caller set nr_frames to zero, so that we
+                 * can distinguish this case from the above on return.
+                 */
+                xen_frame_list[0] = 0;
+            }
+
+            for ( i = 0; i < cmp.mar.nr_frames; i++ )
+            {
+                compat_ulong_t frame;
+
+                if ( __copy_from_compat_offset(&frame, cmp.mar.frame_list,
+                                               i, 1) )
+                    return -EFAULT;
+
+                xen_frame_list[i] = frame;
+            }
+
+#define XLAT_mem_acquire_resource_HNDL_frame_list(_d_, _s_) \
+            set_xen_guest_handle((_d_)->frame_list, xen_frame_list)
+
+            XLAT_mem_acquire_resource(nat.mar, &cmp.mar);
+
+#undef XLAT_mem_acquire_resource_HNDL_frame_list
+
+            break;
+        }
         default:
             return compat_arch_memory_op(cmd, compat);
         }
@@ -402,14 +469,56 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
         rc = do_memory_op(cmd, nat.hnd);
         if ( rc < 0 )
         {
-            if ( rc == -ENOBUFS && op == XENMEM_get_vnumainfo )
+            switch ( op)
             {
-                cmp.vnuma.nr_vnodes = nat.vnuma->nr_vnodes;
-                cmp.vnuma.nr_vcpus = nat.vnuma->nr_vcpus;
-                cmp.vnuma.nr_vmemranges = nat.vnuma->nr_vmemranges;
-                if ( __copy_to_guest(compat, &cmp.vnuma, 1) )
-                    rc = -EFAULT;
+            case XENMEM_get_vnumainfo:
+                if ( rc == -ENOBUFS )
+                {
+                    cmp.vnuma.nr_vnodes = nat.vnuma->nr_vnodes;
+                    cmp.vnuma.nr_vcpus = nat.vnuma->nr_vcpus;
+                    cmp.vnuma.nr_vmemranges = nat.vnuma->nr_vmemranges;
+                    if ( __copy_to_guest(compat, &cmp.vnuma, 1) )
+                        rc = -EFAULT;
+                }
+
+                break;
+
+            case XENMEM_acquire_resource:
+            {
+                xen_ulong_t *xen_frame_list = (xen_ulong_t *)(nat.mar + 1);
+
+                if ( rc == -EINVAL && xen_frame_list[0] != 0 )
+                {
+                    /*
+                     * The value of nr_frames passed to the implementation
+                     * was not the value passed by the caller, it was
+                     * overridden.
+                     * The value in xen_frame_list[0] is the maximum
+                     * number of frames that can be bounced so we need
+                     * to set cmp.nr_frames to the minimum of this and
+                     * the maximum number of frames allowed by the
+                     * implementation before passing back to the caller.
+                     */
+                    cmp.mar.nr_frames = min_t(unsigned int,
+                                              xen_frame_list[0],
+                                              nat.mar->nr_frames);
+                    rc = -E2BIG;
+                }
+
+                /* In either of these cases nr_frames is an OUT value */
+                if ( rc == -EINVAL || rc == -E2BIG )
+                {
+                    if ( copy_to_guest(compat, &cmp.mar, 1) )
+                        rc = -EFAULT;
+                }
+
+                break;
+            }
+            default:
+                break;
             }
+
+            /* Break out of the do loop */
             break;
         }
 
@@ -535,6 +644,30 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
                 rc = -EFAULT;
             break;
 
+        case XENMEM_acquire_resource:
+        {
+            xen_ulong_t *xen_frame_list = (xen_ulong_t *)(nat.mar + 1);
+            compat_ulong_t *compat_frame_list =
+                (compat_ulong_t *)(nat.mar + 1);
+
+            /* NOTE: the compat array overwrites the native array */
+            for ( i = 0; i < cmp.mar.nr_frames; i++ )
+            {
+                compat_ulong_t frame = xen_frame_list[i];
+
+                if ( frame != xen_frame_list[i] )
+                    return -ERANGE;
+
+                compat_frame_list[i] = frame;
+            }
+
+            if ( __copy_to_compat_offset(cmp.mar.frame_list, 0,
+                                         compat_frame_list,
+                                         cmp.mar.nr_frames) )
+                return -EFAULT;
+
+            break;
+        }
         default:
             domain_crash(current->domain);
             split = 0;
diff --git a/xen/common/memory.c b/xen/common/memory.c
index ad987e0f29..a88fc83565 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -965,6 +965,88 @@ static long xatp_permission_check(struct domain *d, 
unsigned int space)
     return xsm_add_to_physmap(XSM_TARGET, current->domain, d);
 }
 
+static int acquire_resource(XEN_GUEST_HANDLE_PARAM(void) arg)
+{
+    struct domain *d, *currd = current->domain;
+    xen_mem_acquire_resource_t xmar;
+    unsigned long mfn_list[2];
+    int rc;
+
+    if ( copy_from_guest(&xmar, arg, 1) )
+        return -EFAULT;
+
+    if ( xmar.pad != 0 )
+        return -EINVAL;
+
+    if ( xmar.nr_frames == 0 ||
+         xmar.nr_frames > ARRAY_SIZE(mfn_list) )
+    {
+        rc = xmar.nr_frames == 0 ? -EINVAL : -E2BIG;
+        xmar.nr_frames = ARRAY_SIZE(mfn_list);
+
+        if ( copy_to_guest(arg, &xmar, 1) )
+            return -EFAULT;
+
+        return rc;
+    }
+
+    d = rcu_lock_domain_by_any_id(xmar.domid);
+    if ( d == NULL )
+        return -ESRCH;
+
+    rc = xsm_domain_resource_map(XSM_DM_PRIV, d);
+    if ( rc )
+        goto out;
+
+    switch ( xmar.type )
+    {
+    default:
+        rc = -EOPNOTSUPP;
+        break;
+    }
+
+    if ( rc )
+        goto out;
+
+    if ( !paging_mode_translate(currd) )
+    {
+        if ( copy_to_guest(xmar.frame_list, mfn_list, xmar.nr_frames) )
+            rc = -EFAULT;
+    }
+    else
+    {
+        xen_pfn_t gfn_list[ARRAY_SIZE(mfn_list)];
+        unsigned int i;
+
+        rc = -EFAULT;
+        if ( copy_from_guest(gfn_list, xmar.frame_list,
+                             ARRAY_SIZE(gfn_list)) )
+            goto out;
+
+        for ( i = 0; i < xmar.nr_frames; i++ )
+        {
+            rc = set_foreign_p2m_entry(currd, gfn_list[i],
+                                       _mfn(mfn_list[i]));
+            if ( rc )
+            {
+                while ( i-- != 0 )
+                {
+                    int ignore;
+
+                    ignore = guest_physmap_remove_page(
+                        currd, _gfn(gfn_list[i]), _mfn(mfn_list[i]), 0);
+                }
+
+                goto out;
+            }
+        }
+    }
+
+ out:
+    rcu_unlock_domain(d);
+    return rc;
+}
+
 long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
 {
     struct domain *d, *curr_d = current->domain;
@@ -1406,6 +1488,14 @@ long do_memory_op(unsigned long cmd, 
XEN_GUEST_HANDLE_PARAM(void) arg)
     }
 #endif
 
+    case XENMEM_acquire_resource:
+#ifdef CONFIG_X86
+        rc = acquire_resource(arg);
+#else
+        rc = -EOPNOTSUPP;
+#endif
+        break;
+
     default:
         rc = arch_memory_op(cmd, arg);
         break;
diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
index 17b1d0c8d3..44f7ec088c 100644
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -620,6 +620,9 @@ void p2m_memory_type_changed(struct domain *d);
 int p2m_is_logdirty_range(struct p2m_domain *, unsigned long start,
                           unsigned long end);
 
+/* Set foreign entry in the p2m table (for priv-mapping) */
+int set_foreign_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn);
+
 /* Set mmio addresses in the p2m table (for pass-through) */
 int set_mmio_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn,
                        unsigned int order, p2m_access_t access);
diff --git a/xen/include/public/memory.h b/xen/include/public/memory.h
index 29386df98b..b7cf753d75 100644
--- a/xen/include/public/memory.h
+++ b/xen/include/public/memory.h
@@ -599,6 +599,47 @@ struct xen_reserved_device_memory_map {
 typedef struct xen_reserved_device_memory_map xen_reserved_device_memory_map_t;
 DEFINE_XEN_GUEST_HANDLE(xen_reserved_device_memory_map_t);
 
+/*
+ * Get the pages for a particular guest resource, so that they can be
+ * mapped directly by a tools domain.
+ */
+#define XENMEM_acquire_resource 28
+struct xen_mem_acquire_resource {
+    /* IN - the domain whose resource is to be mapped */
+    domid_t domid;
+    /* IN - the type of resource */
+    uint16_t type;
+    /*
+     * IN - a type-specific resource identifier, which must be zero
+     *      unless stated otherwise.
+     */
+    uint32_t id;
+    /* IN/OUT - As an IN parameter number of (4K) frames of the resource
+     *          to be mapped. However, if the specified value is 0 then
+     *          -EINVAL will be returned and this field will be set to the
+     *          maximum value supported by the implementation. Also,
+     *          if the specified value exceeds the implementaton limit
+     *          then -E2BIG will be returned and, similarly, this field
+     *          will be set the maximum value supported by the
+     *          implementation.
+     */
+    uint32_t nr_frames;
+    uint32_t pad;
+    /* IN - the index of the initial frame to be mapped. This parameter
+     *      is optional if nr_frames is 0.
+     */
+    uint64_aligned_t frame;
+    /* IN/OUT - If the tools domain is PV then, upon return, frame_list
+     *          will be populated with the MFNs of the resource.
+     *          If the tools domain is HVM then it is expected that, on
+     *          entry, frame_list will be populated with a list of GFNs
+     *          that will be mapped to the MFNs of the resource.
+     *          This parameter is optional if nr_frames is 0.
+     */
+    XEN_GUEST_HANDLE(xen_ulong_t) frame_list;
+};
+typedef struct xen_mem_acquire_resource xen_mem_acquire_resource_t;
+
 #endif /* defined(__XEN__) || defined(__XEN_TOOLS__) */
 
 /*
@@ -650,7 +691,7 @@ struct xen_vnuma_topology_info {
 typedef struct xen_vnuma_topology_info xen_vnuma_topology_info_t;
 DEFINE_XEN_GUEST_HANDLE(xen_vnuma_topology_info_t);
 
-/* Next available subop number is 28 */
+/* Next available subop number is 29 */
 
 #endif /* __XEN_PUBLIC_MEMORY_H__ */
 
diff --git a/xen/include/xlat.lst b/xen/include/xlat.lst
index 0f17000ea7..5835872334 100644
--- a/xen/include/xlat.lst
+++ b/xen/include/xlat.lst
@@ -83,6 +83,7 @@
 !      memory_map                      memory.h
 !      memory_reservation              memory.h
 !      mem_access_op                   memory.h
+!      mem_acquire_resource            memory.h
 !      pod_target                      memory.h
 !      remove_from_physmap             memory.h
 !      reserved_device_memory_map      memory.h
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index ba89ea4bc1..8f04d59a3e 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -724,3 +724,9 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG 
uint32_t op)
         return xsm_default_action(XSM_PRIV, current->domain, NULL);
     }
 }
+
+static XSM_INLINE int xsm_domain_resource_map(XSM_DEFAULT_ARG struct domain *d)
+{
+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
+    return xsm_default_action(action, current->domain, d);
+}
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 7f7feffc68..d0db860ae0 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -180,6 +180,7 @@ struct xsm_operations {
     int (*dm_op) (struct domain *d);
 #endif
     int (*xen_version) (uint32_t cmd);
+    int (*domain_resource_map) (struct domain *d);
 };
 
 #ifdef CONFIG_XSM
@@ -692,6 +693,11 @@ static inline int xsm_xen_version (xsm_default_t def, 
uint32_t op)
     return xsm_ops->xen_version(op);
 }
 
+static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
+{
+    return xsm_ops->domain_resource_map(d);
+}
+
 #endif /* XSM_NO_WRAPPERS */
 
 #ifdef CONFIG_MULTIBOOT
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 479b103614..6e751199ee 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -157,4 +157,5 @@ void __init xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, dm_op);
 #endif
     set_to_dummy_if_null(ops, xen_version);
+    set_to_dummy_if_null(ops, domain_resource_map);
 }
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 7b005af834..7e9efcd865 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1718,6 +1718,11 @@ static int flask_xen_version (uint32_t op)
     }
 }
 
+static int flask_domain_resource_map(struct domain *d)
+{
+    return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__RESOURCE_MAP);
+}
+
 long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
 int compat_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
 
@@ -1851,6 +1856,7 @@ static struct xsm_operations flask_ops = {
     .dm_op = flask_dm_op,
 #endif
     .xen_version = flask_xen_version,
+    .domain_resource_map = flask_domain_resource_map,
 };
 
 void __init flask_init(const void *policy_buffer, size_t policy_size)
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 3a2d863b8f..341ade1f7d 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -250,6 +250,8 @@ class domain2
     psr_cat_op
 # XEN_DOMCTL_set_gnttab_limits
     set_gnttab_limits
+# XENMEM_resource_map
+    resource_map
 }
 
 # Similar to class domain, but primarily contains domctls related to HVM 
domains
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.