Xen project Mailing List

Re: [PATCH v3 16/16] x86/hyperlaunch: add capabilities to boot domain

From: Alejandro Vallejo <agarciav@xxxxxxx>

Date: Tue, 15 Apr 2025 13:22:05 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Y4oLhbG+2YnehDsmZwj+uRcPVWI8k8GPJD2dGDiForo=; b=tIhL6JrtHlFZp9BQ3STboDjZXSYA7PCAAYm2P7k1CvU3qlBRfVXQ3WSozRBGyQ8jfu7R8tMlzg/EPB0XHRvakdL+Kjzi1kIr93ZdSPHomCqte1KFfEW5/vqV2k4SfdreKM2bacZS6viUbxIS5zt7ZI8B/dN+gMiZqi8YO1/EkbGBm2Vbl+eoQ4HwKYUF2Cbddthnwfsct7chav5WkHmqKMldqJtKOC8F4ic70XSYS1InJdXf/HP4ZlCLqoyxlBv4ZB0+eFOOdqQuQoJXudD2v4rGcQgkELaMeYL7rVktkA0Id9gnncn1v8HpDw04772fAyXmwCtqdSpx3SOLztRVVQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=uC0KxWtJiZEhWogMkVaKS3ZpkvjzR0Ycb+GZWayi61zHWKAT+HFyIttaZFz5/0x5oYyQawmMb3mVj3AB7VEvH4zVsisYhIHNMh/3iUMgatlPa1hSmXQuC4HShqMqL0hZne8YPf9grus4uP8CMA7njGJ3aGYNn58UsmPL3AStAy1ajrKZah3AaN/qHDLTwLO1WqrOY1F/TUXqR3iEOqc9/QJQ+zukjD8ViAqPxrwxvXkCBIS7LL/eSx/q3iZDf3Eelgb4dJ0zARvVCpL9F+/zY309b9KpAGotfyGAnBF01zeQUWe8OA71/XQkleALfF3FcpSLXvtxV0tYotgNN1kylQ==

Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>

Delivery-date: Tue, 15 Apr 2025 12:22:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue Apr 15, 2025 at 7:38 AM BST, Jan Beulich wrote: > On 14.04.2025 21:31, Alejandro Vallejo wrote: >> On Thu Apr 10, 2025 at 1:18 PM BST, Jan Beulich wrote: >>> On 08.04.2025 18:07, Alejandro Vallejo wrote: >>>> --- a/xen/arch/x86/domain-builder/fdt.c >>>> +++ b/xen/arch/x86/domain-builder/fdt.c >>>> @@ -257,6 +257,18 @@ static int __init process_domain_node( >>>> bd->max_vcpus = val; >>>> printk(" max vcpus: %d\n", bd->max_vcpus); >>>> } >>>> + else if ( strncmp(prop_name, "capabilities", name_len) == 0 ) >>>> + { >>>> + if ( fdt_prop_as_u32(prop, &bd->capabilities) != 0 ) >>>> + { >>>> + printk(" failed processing domain id for domain %s\n", >>>> name); >>>> + return -EINVAL; >>>> + } >>>> + printk(" caps: "); >>>> + if ( bd->capabilities & BUILD_CAPS_CONTROL ) >>>> + printk("c"); >>>> + printk("\n"); >>>> + } >>> >>> Like for the other patch: What about other bits being set in the value read? >> >> I take it that the non-worded suggestion is to have a mask of reserved >> bits for each case and check they are not set (giving a warning if they are)? > > Whether a warning is sufficient I can't tell. I would have expected such to be > outright rejected. > >>>> --- a/xen/arch/x86/setup.c >>>> +++ b/xen/arch/x86/setup.c >>>> @@ -1006,6 +1006,7 @@ static struct domain *__init create_dom0(struct >>>> boot_info *bi) >>>> { >>>> char *cmdline = NULL; >>>> size_t cmdline_size; >>>> + unsigned int create_flags = 0; >>>> struct xen_domctl_createdomain dom0_cfg = { >>>> .flags = IS_ENABLED(CONFIG_TBOOT) ? XEN_DOMCTL_CDF_s3_integrity : >>>> 0, >>>> .max_evtchn_port = -1, >>>> @@ -1037,7 +1038,10 @@ static struct domain *__init create_dom0(struct >>>> boot_info *bi) >>>> if ( bd->domid == DOMID_INVALID ) >>>> /* Create initial domain. Not d0 for pvshim. */ >>>> bd->domid = get_initial_domain_id(); >>>> - d = domain_create(bd->domid, &dom0_cfg, pv_shim ? 0 : CDF_privileged); >>>> + if ( bd->capabilities & BUILD_CAPS_CONTROL ) >>>> + create_flags |= CDF_privileged; >>> >>> Seeing that builder_init() in the non-DT case sets the new bit >>> unconditionally, >>> isn't the shim's only domain suddenly getting CDF_privileged set this way? >>> Oh, >>> no, you then ... >>> >>>> + d = domain_create(bd->domid, &dom0_cfg, >>>> + pv_shim ? 0 : create_flags); >>> >>> ... hide the flag here. Any reason to have the intermediate variable in the >>> first place >> >> Well, the logic would end up fairly convoluted otherwise. As things >> stand this can be encoded in an if-else fashion with 2 calls, but >> there's 2 capability flags coming that need integrating together. >> >> This is just avoiding further code motion down the line. > > Is it? > > - d = domain_create(bd->domid, &dom0_cfg, pv_shim ? 0 : CDF_privileged); > + d = domain_create(bd->domid, &dom0_cfg, > + ((bd->capabilities & BUILD_CAPS_CONTROL) && !pv_shim > + ? CDF_privileged : 0)); > > isn't really worse (imo), Not sure I agree. Long conditions on ternary operators makes the control flow harder to follow. A nicer alternative that also removes the auxiliary variable is to have a helper to convert from bootcaps to whatever createdomainflags are required. That'd extend naturally for more bits. > but is highlighting the problem more clearly: Why > would the shim have BUILD_CAPS_CONTROL set in the first place? Without that > the statement would remain pretty similar to what it was before. If the commandline is parsed early enough (I see the early parse path in head.S?) it would be better to add this logic to builder_init() and prevent the capability from reaching the boot_domain in the first place. Then there's no exception for the pv shim. Cheers, Alejandro

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.