[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v10 2/5] xen: change VIRQ_CONSOLE to VIRQ_DOMAIN to allow non-hwdom binding
- To: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
- From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Feb 2026 10:07:33 -0500
- Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1771427258; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=SLiF2dzEyNveNiVrCEoCf3nJAv8q/LyeCq3ExQJQuB4=; b=GnFVMCAeA05Lvc3vcVnAL+SgdCQRztfx43iCMlgshHXaZxlFA1k0Fsi14hJn8oeB5iDCaRKY1gByUkmrXJrIjDz9sgF67D2AjSpdHvAXYISd7K6VAtO9rxSi+mVvGLwlQMtEsLHJVQZYcmFZaITsaZLNakfUrb9UdSzXFGSmpNA=
- Arc-seal: i=1; a=rsa-sha256; t=1771427258; cv=none; d=zohomail.com; s=zohoarc; b=MdXFggL9Jv86EBPvlQJvKF4D+lOwWk37N/jR09q7SdI841lGo2up72Bki3oPRkPOMZ0OcGE0WFl6CQTtJdnPTbPjPmVWgrTW4+Ef4yL1PIkrBnRdQhmktVypD/RnlcSjREo9iCXBOal7WjDYUn94E7mePKsS/oE+RxrC6FPhKa4=
- Autocrypt: addr=dpsmith@xxxxxxxxxxxxxxxxxxxx; keydata= xsJuBFYrueARCACPWL3r2bCSI6TrkIE/aRzj4ksFYPzLkJbWLZGBRlv7HQLvs6i/K4y/b4fs JDq5eL4e9BdfdnZm/b+K+Gweyc0Px2poDWwKVTFFRgxKWq9R7McwNnvuZ4nyXJBVn7PTEn/Z G7D08iZg94ZsnUdeXfgYdJrqmdiWA6iX9u84ARHUtb0K4r5WpLUMcQ8PVmnv1vVrs/3Wy/Rb foxebZNWxgUiSx+d02e3Ad0aEIur1SYXXv71mqKwyi/40CBSHq2jk9eF6zmEhaoFi5+MMMgX X0i+fcBkvmT0N88W4yCtHhHQds+RDbTPLGm8NBVJb7R5zbJmuQX7ADBVuNYIU8hx3dF3AQCm 601w0oZJ0jGOV1vXQgHqZYJGHg5wuImhzhZJCRESIwf+PJxik7TJOgBicko1hUVOxJBZxoe0 x+/SO6tn+s8wKlR1Yxy8gYN9ZRqV2I83JsWZbBXMG1kLzV0SAfk/wq0PAppA1VzrQ3JqXg7T MZ3tFgxvxkYqUP11tO2vrgys+InkZAfjBVMjqXWHokyQPpihUaW0a8mr40w9Qui6DoJj7+Gg DtDWDZ7Zcn2hoyrypuht88rUuh1JuGYD434Q6qwQjUDlY+4lgrUxKdMD8R7JJWt38MNlTWvy rMVscvZUNc7gxcmnFUn41NPSKqzp4DDRbmf37Iz/fL7i01y7IGFTXaYaF3nEACyIUTr/xxi+ MD1FVtEtJncZNkRn7WBcVFGKMAf+NEeaeQdGYQ6mGgk++i/vJZxkrC/a9ZXme7BhWRP485U5 sXpFoGjdpMn4VlC7TFk2qsnJi3yF0pXCKVRy1ukEls8o+4PF2JiKrtkCrWCimB6jxGPIG3lk 3SuKVS/din3RHz+7Sr1lXWFcGYDENmPd/jTwr1A1FiHrSj+u21hnJEHi8eTa9029F1KRfocp ig+k0zUEKmFPDabpanI323O5Tahsy7hwf2WOQwTDLvQ+eqQu40wbb6NocmCNFjtRhNZWGKJS b5GrGDGu/No5U6w73adighEuNcCSNBsLyUe48CE0uTO7eAL6Vd+2k28ezi6XY4Y0mgASJslb NwW54LzSSM0uRGFuaWVsIFAuIFNtaXRoIDxkcHNtaXRoQGFwZXJ0dXNzb2x1dGlvbnMuY29t PsJ6BBMRCAAiBQJWK7ngAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBTc6WbYpR8 KrQ9AP94+xjtFfJ8gj5c7PVx06Zv9rcmFUqQspZ5wSEkvxOuQQEAg6qEsPYegI7iByLVzNEg 7B7fUG7pqWIfMqFwFghYhQzOwU0EViu54BAIAL6MXXNlrJ5tRUf+KMBtVz1LJQZRt/uxWrCb T06nZjnbp2UcceuYNbISOVHGXTzu38r55YzpkEA8eURQf+5hjtvlrOiHxvpD+Z6WcpV6rrMB kcAKWiZTQihW2HoGgVB3gwG9dCh+n0X5OzliAMiGK2a5iqnIZi3o0SeW6aME94bSkTkuj6/7 OmH9KAzK8UnlhfkoMg3tXW8L6/5CGn2VyrjbB/rcrbIR4mCQ+yCUlocuOjFCJhBd10AG1IcX OXUa/ux+/OAV9S5mkr5Fh3kQxYCTcTRt8RY7+of9RGBk10txi94dXiU2SjPbassvagvu/hEi twNHms8rpkSJIeeq0/cAAwUH/jV3tXpaYubwcL2tkk5ggL9Do+/Yo2WPzXmbp8vDiJPCvSJW rz2NrYkd/RoX+42DGqjfu8Y04F9XehN1zZAFmCDUqBMa4tEJ7kOT1FKJTqzNVcgeKNBGcT7q 27+wsqbAerM4A0X/F/ctjYcKwNtXck1Bmd/T8kiw2IgyeOC+cjyTOSwKJr2gCwZXGi5g+2V8 NhJ8n72ISPnOh5KCMoAJXmCF+SYaJ6hIIFARmnuessCIGw4ylCRIU/TiXK94soilx5aCqb1z ke943EIUts9CmFAHt8cNPYOPRd20pPu4VFNBuT4fv9Ys0iv0XGCEP+sos7/pgJ3gV3pCOric p15jV4PCYQQYEQgACQUCViu54AIbDAAKCRBTc6WbYpR8Khu7AP9NJrBUn94C/3PeNbtQlEGZ NV46Mx5HF0P27lH3sFpNrwD/dVdZ5PCnHQYBZ287ZxVfVr4Zuxjo5yJbRjT93Hl0vMY=
- Cc: Stefano Stabellini <stefano.stabellini@xxxxxxx>, grygorii_strashko@xxxxxxxx, anthony.perard@xxxxxxxxxx, michal.orzel@xxxxxxx, julien@xxxxxxx, roger.pau@xxxxxxxxxx, jason.andryuk@xxxxxxx, victorm.lira@xxxxxxx, andrew.cooper3@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
- Delivery-date: Wed, 18 Feb 2026 15:07:56 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2/13/26 15:09, Stefano Stabellini wrote:
On Tue, 10 Feb 2026, Jan Beulich wrote:
On 10.02.2026 00:23, Stefano Stabellini wrote:
On Mon, 9 Feb 2026, Jan Beulich wrote:
On 05.02.2026 00:37, Stefano Stabellini wrote:
Today only hwdom can bind VIRQ_CONSOLE. This patch changes the virq from
global to VIRQ_DOMAIN to allow other domains to bind to it.
Note that Linux silently falls back to polling when binding fails, which
masks the issue.
Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxx>
Technically this is an ABI change, and hence I'm uncertain it can go without
that aspect being at least mentioned, perhaps even its implications properly
discussed.
I am not sure if it qualifies as an ABI change or not but I am happy to
expand the commit message in any way you might suggest.
The jist of it is already in the commit message, really the key element
is that VIRQ_CONSOLE can be bound by multiple domains.
Aside from spelling out "this is an ABI change" what do you have in
mind?
What I mean is discussion of the implications for domains using the vIRQ.
Previously most domains would have attempts to bind this vIRQ rejected.
Technically it is possible that kernels had code paths blindly doing the
binding, relying on it to work only when running as Dom0. And really, you
appear to break XEN_DOMCTL_set_virq_handler when used with VIRQ_CONSOLE,
without which its binding wasn't possible at all before (except for the
hardware domain, which get_global_virq_handler() falls back to when no
other domain is set). Or am I mis-reading things, as I can't spot any use
of VIRQ_CONSOLE under tools/, whereas I would have expected provisions
for (host) console handling to be delegated to a separate control or
console domain? Of course other toolstacks (the XAPI-based one for
example) might actually have such provisions.
And then there's the XSM question: XEN_DOMCTL_set_virq_handler obviously
is subject to XSM checking. The same isn't true for VIRQ_DOMAIN-type
vIRQ-s. Yet this vIRQ isn't supposed to be universally available to
every DomU. Instead the ->console->input_allowed checking is kind of
substituting such a check, which iirc Daniel said (in more general
context) shouldn't ever be done. IOW in patch 5 you're actually effecting
policy, which should be XSM's job aiui.
Bottom line: The patch may need to be more involved, but at the very
least the description would need updating to justify it being as simple
as it is right now.
What do you think of this:
---
xen/console: change VIRQ_CONSOLE from global to per-domain
Previously VIRQ_CONSOLE was a global VIRQ (VIRQ_GLOBAL type), meaning
only the hardware domain (or a domain explicitly set via
XEN_DOMCTL_set_virq_handler) could bind it. Any other domain attempting
to bind would fail with -EBUSY because get_global_virq_handler() would
return hwdom by default.
This patch changes VIRQ_CONSOLE to VIRQ_DOMAIN type, allowing any domain
to bind it independently, similar to VIRQ_ARGO. The console notification
is now sent via send_guest_domain_virq() directly to the focus domain
rather than through send_global_virq().
Implications:
1. Guest kernels that previously called bind on VIRQ_CONSOLE blindly
will now succeed. Linux handles binding failure gracefully by falling
back to polling, so this should not cause regressions.
2. XEN_DOMCTL_set_virq_handler can no longer be used with VIRQ_CONSOLE.
The domctl explicitly rejects non-VIRQ_GLOBAL types. This means
toolstacks that relied on set_virq_handler to delegate console handling
to a separate console domain will need to use a different mechanism.
Note: No known in-tree toolstack uses set_virq_handler with VIRQ_CONSOLE.
3. VIRQ_DOMAIN bindings are not subject to XSM checks beyond the
standard event channel allocation policy. Access control for console
input is enforced via the per-domain console->input_allowed flag,
which is set for:
- The hardware domain (by default in domain_create())
- dom0less domains on ARM (in construct_domU())
- The PV shim domain on x86 (in pv_shim_setup_dom())
- Domains with vpl011 using the Xen backend (in domain_vpl011_init())
Actually this goes back to the concern I have raised many times,
is_hardware_domain() always serves a double purpose. The explicit check
that the domain is where the hardware is, but also the implicit access
control check that it is allowed to do the hardware access. The implicit
access control check is a subversion of XSM and the reality is that the
input_allowed flag is just unmasking this subversion for an explicit
access control check outside the purview of xsm.
v/r,
dps
|
