Prototype to use QEMU for PV guest framebuffer

Prototype to use QEMU for PV guest framebuffer

[Daniel P. Berrange]

[-- Attachment #1: Type: text/plain, Size: 4651 bytes --]

As many of us are all too painfully aware we have completely different VNC 
server implementations for paravirt vs fullyvirt Xen guests. The former 
based on libvncserver, the latter integrated into QEMU. There are many new
and interesting ideas being tried out in the VNC server space in particular
wrt to virtualization and having to implement them all twice is not very
desirable.  Also libvncserver code is terrible - many bad thread race 
conditions that are near impossible to diagnose, let alone solve :-(

At the summit there were a couple of suggestions, either taking the VNC
server code from QEMU and splicing it into the xenfb daemon. Another was
to take the QEMU VNC code and put it into a library that can be used by
both QEMU & xenfb. Neither of those is a particularly appealing prospect.

Then Anthony Liguori suggested a 3rd approach, which was to add a new QEMU
machine type to the x86 target, and simply disable all the emulated hardwre
and just make use of QEMU infrastructure for the VNC server, select() event 
loop and display state.

This sounded very intriguing so I did a little experimentation today doing
exactly that. First of all I've copied  tools/xenfb/xenfb.c into the 
qemu/hw/xenfb.c file. Next I added a qemu/hw/xen.c file to provide the 
implementation of the QEMU machine type - called 'xenpv'. 

All the interesting code (all 100 lines of it) is in hw/xen.c in the
xen_init_pv method - which is called when using the '-M xenpv' command
line arg. 

The first thing this does is get the domain ID - to avoid touching QEMU's
command line args, I just use an environ variable XEN_DOMID to pass this
in.

The main_loop() in qemu/vl.c assumes there is always one CPU created in
the VM, but for our purposes we're not doing any CPU emulation merely 
using the event loop/display state. So to workaround this assumption I
create a single CPUState  *  instance, and permanently disable it by 
setting 'cpu->hflags = HF_HALTED_MASK'. Seems to do the job.

Next, up we attach to the guest PVFB frontend - just using the existing code
for this - qemu/hw/xenfb.c (formerly xen-unstable/tools/xenfb/xenfb.c).

Now we register a QEMU graphical console, a mouse event receiver, a
keyboard event receiver, and register the xenstored and event channel
file handles with QEMU's event loop.

Finally, initialize QEMU's display state to match the PVFB framebuffer
config (ie 800x600x32).

Pushing mouse & keyboard events through from QEMU to PVFB frontend is
trivial. The only bit I'm unhappy about is that QEMU can't access the
guest framebuffer directly. The DisplayState * struct has its own copy
of the framebuffer - allocated by the VNC or SDL impls in QEMU - and
so whenever the guest framebuffer changes, we have to memcpy() the data
from the guest into the QEMU framebuffer. Still, this is no worse than
what the HVM guests already do. Its probably not too hard to change the
QEMU impl of VNC / SDL to use the guest framebuffer directly if we did
a little re-factoring. I wanted to keep it simple for now & not change
any of the upstream QEMU code.

This attached patch is against the current upstream QEMU  CVS code, not Xen's 
ioemu, since I wanted to work against pristine QEMU codebase & avoid any
potential wierd iteractions with HVM stuff added to ioemu. The diff is

$ diffstat ~/xen-qemu-pvfb-machine.patch
 Makefile.target |    3 
 b/hw/xen.c      |  113 +++++++
 b/hw/xenfb.c    |  822 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 b/hw/xenfb.h    |   35 ++
 vl.c            |    1 
 vl.h            |    3 
 6 files changed, 976 insertions(+), 1 deletion(-)

So, you can see a mere 113 lines of new code to make this work - xenfb.c 
is the existnig tools/xenfb/xenfb.c file with minor tweaks. And we get to
delete 20,000 lines of terrible libvncserver code !

Apply the patch to QEMU CVS checkout, configure to build an x86 target,
and once done you can run with 

  # XEN_DOMID=31 ./i386-softmmu/qemu -M xenpv -hda /dev/null -vnc :0

The -hda flag is just to keep QEMU's command line parse quiet - it wants
at least one disk.

You can also run in SDL mode

  # XEN_DOMID=31 ./i386-softmmu/qemu -M xenpv -hda /dev/null

Thoughts... ?  If there's positive feedback on this approach I'll develop
the patch further & properly integrate with XenD & domain create/teardown.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

[-- Attachment #2: xen-qemu-pvfb-machine.patch --]
[-- Type: text/plain, Size: 26007 bytes --]

diff -r 37f6e57ef2c2 Makefile.target
--- a/Makefile.target	Wed Jul 25 11:08:50 2007 -0400
+++ b/Makefile.target	Fri Jul 27 13:36:11 2007 -0400
@@ -423,10 +423,11 @@ ifeq ($(TARGET_BASE_ARCH), i386)
 ifeq ($(TARGET_BASE_ARCH), i386)
 # Hardware support
 VL_OBJS+= ide.o pckbd.o ps2.o vga.o $(SOUND_HW) dma.o $(AUDIODRV)
-VL_OBJS+= fdc.o mc146818rtc.o serial.o i8259.o i8254.o pcspk.o pc.o
+VL_OBJS+= fdc.o mc146818rtc.o serial.o i8259.o i8254.o pcspk.o pc.o xen.o xenfb.o
 VL_OBJS+= cirrus_vga.o apic.o parallel.o acpi.o piix_pci.o
 VL_OBJS+= usb-uhci.o smbus_eeprom.o vmmouse.o vmware_vga.o
 CPPFLAGS += -DHAS_AUDIO -DHAS_AUDIO_CHOICE
+LIBS += -lxenctrl -lxenstore
 endif
 ifeq ($(TARGET_BASE_ARCH), ppc)
 VL_OBJS+= ppc.o ide.o pckbd.o ps2.o vga.o $(SOUND_HW) dma.o $(AUDIODRV)
diff -r 37f6e57ef2c2 hw/xen.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/hw/xen.c	Fri Jul 27 15:56:59 2007 -0400
@@ -0,0 +1,113 @@
+#include "vl.h"
+#include "xenfb.h"
+
+void xen_pvfb_update(void *opaque) { }
+void xen_pvfb_invalidate(void *opaque) { }
+void xen_pvfb_screen_dump(void *opaque, const char *name) { }
+
+static void xen_pvfb_guest(struct xenfb *xenfb, int x, int y, int w, int h)
+{
+  DisplayState *ds = (DisplayState *)xenfb->user_data;
+  int line;
+
+  for (line = y ; line < (y+h) ; line++) {
+    memcpy(ds->data + (line * ds->linesize) + (x*ds->depth/8),
+	   xenfb->pixels + (line*xenfb->row_stride) + (x*xenfb->depth/8),
+	   w * xenfb->depth/8);
+  }
+  dpy_update(ds, x, y, w, h);
+}
+static void xen_put_keycode(void *opaque, int keycode)
+{
+
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+  xenfb_send_key(xenfb, keycode & 0x80 ? 0 : 1, keycode & 0x7f);
+}
+
+static void xen_mouse_event(void *opaque, 
+                            int dx, int dy, int dz, int buttons_state)
+{
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+
+  xenfb_send_motion(xenfb, dx, dy);
+  xenfb_send_buttons(xenfb, buttons_state);
+}
+
+static void xen_init_pv(int ram_size, int vga_ram_size, int boot_device,
+                        DisplayState *ds, const char **fd_filename, 
+                        int snapshot, 
+                        const char *kernel_filename, 
+                        const char *kernel_cmdline,
+                        const char *initrd_filename,
+                        const char *cpu_model)
+{
+  struct xenfb *xenfb;
+  CPUState *env;
+  int domid = 31;
+  char *domidstr, *tmp;
+
+  domidstr = getenv("XEN_DOMID");
+  if (!domidstr)
+      exit(1);
+  domid = strtol(domidstr, &tmp, 10);
+
+  if (!domid && tmp == domidstr)
+      exit(1);
+
+  /* Create a single halted CPU to just keep main_loop() happy */
+  env = cpu_init();
+  env->hflags |= HF_HALTED_MASK;
+
+  /* Prepare PVFB state */
+  xenfb = xenfb_new();
+  if (xenfb == NULL) {
+    fprintf(stderr, "Could not create framebuffer (%s)\n",
+	    strerror(errno));
+    exit(1);
+  }
+
+  /* Talk to the guest */
+  if (xenfb_attach_dom(xenfb, domid) < 0) {
+    fprintf(stderr, "Could not connect to domain (%s)\n",
+	    strerror(errno));
+    exit(1);
+  }
+  xenfb->update = xen_pvfb_guest;
+  xenfb->user_data = ds;
+
+  /* Tell QEMU to allocate a graphical console */
+  graphic_console_init(ds,
+		       xen_pvfb_update,
+		       xen_pvfb_invalidate,
+		       xen_pvfb_screen_dump,
+		       xenfb);
+
+  /* Register our keyboard & mouse handlers */
+  qemu_add_kbd_event_handler(xen_put_keycode, xenfb);
+  qemu_add_mouse_event_handler(xen_mouse_event, xenfb, 0, "Xen PVFB Mouse");
+
+
+  /* Listen for events from the guest */
+  xenfb_register_events(xenfb);
+
+  /* Setup QEMU display */
+  dpy_resize(ds, xenfb->width, xenfb->height);
+
+  /* Initialize the local framebuffer from the guest's FB */
+  xen_pvfb_guest(xenfb, 0, 0, xenfb->width, xenfb->height);
+}
+
+
+QEMUMachine xenpv_machine = {
+    "xenpv",
+    "Xen Paravirtualized PC",
+    xen_init_pv
+};
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: nil
+ * End:
+ */
diff -r 37f6e57ef2c2 hw/xenfb.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/hw/xenfb.c	Fri Jul 27 15:54:23 2007 -0400
@@ -0,0 +1,822 @@
+#include <stdarg.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <xenctrl.h>
+#include <xen/io/xenbus.h>
+#include <xen/io/fbif.h>
+#include <xen/io/kbdif.h>
+#include <xen/io/protocols.h>
+#include <sys/select.h>
+#include <stdbool.h>
+#include <xen/event_channel.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <xs.h>
+#include <linux/input.h>
+
+#include "xenfb.h"
+#include "vl.h"
+
+// FIXME defend against malicious frontend?
+
+struct xenfb_device {
+	const char *devicetype;
+	char nodename[64];	/* backend xenstore dir */
+	char otherend[64];	/* frontend xenstore dir */
+	int otherend_id;	/* frontend domid */
+	enum xenbus_state state; /* backend state */
+	void *page;		/* shared page */
+	evtchn_port_t port;
+	struct xenfb_private *xenfb;
+};
+
+struct xenfb_private {
+	struct xenfb pub;
+	int evt_xch;		/* event channel driver handle */
+	int xc;			/* hypervisor interface handle */
+	struct xs_handle *xsh;	/* xs daemon handle */
+	struct xenfb_device fb, kbd;
+	size_t fb_len;		/* size of framebuffer */
+	char protocol[64];	/* frontend protocol */
+        int state;
+};
+
+static void xenfb_detach_dom(struct xenfb_private *);
+
+static char *xenfb_path_in_dom(struct xs_handle *xsh,
+			       char *buf, size_t size,
+			       unsigned domid, const char *fmt, ...)
+{
+	va_list ap;
+	char *domp = xs_get_domain_path(xsh, domid);
+	int n;
+
+        if (domp == NULL)
+		return NULL;
+
+	n = snprintf(buf, size, "%s/", domp);
+	free(domp);
+	if (n >= size)
+		return NULL;
+
+	va_start(ap, fmt);
+	n += vsnprintf(buf + n, size - n, fmt, ap);
+	va_end(ap);
+	if (n >= size)
+		return NULL;
+
+	return buf;
+}
+
+static int xenfb_xs_scanf1(struct xs_handle *xsh,
+			   const char *dir, const char *node,
+			   const char *fmt, void *dest)
+{
+	char buf[1024];
+	char *p;
+	int ret;
+
+	if (snprintf(buf, sizeof(buf), "%s/%s", dir, node) >= sizeof(buf)) {
+		errno = ENOENT;
+		return -1;
+        }
+	p = xs_read(xsh, XBT_NULL, buf, NULL);
+	if (!p) {
+		errno = ENOENT;
+		return -1;
+        }
+	ret = sscanf(p, fmt, dest);
+	free(p);
+	if (ret != 1) {
+		errno = EDOM;
+		return -1;
+        }
+	return ret;
+}
+
+static int xenfb_xs_printf(struct xs_handle *xsh,
+			   const char *dir, const char *node, char *fmt, ...)
+{
+	va_list ap;
+	char key[1024];
+	char val[1024];
+	int n;
+
+	if (snprintf(key, sizeof(key), "%s/%s", dir, node) >= sizeof(key)) {
+		errno = ENOENT;
+		return -1;
+        }
+
+	va_start(ap, fmt);
+	n = vsnprintf(val, sizeof(val), fmt, ap);
+	va_end(ap);
+	if (n >= sizeof(val)) {
+		errno = ENOSPC; /* close enough */
+		return -1;
+	}
+
+	if (!xs_write(xsh, XBT_NULL, key, val, n))
+		return -1;
+	return 0;
+}
+
+static void xenfb_device_init(struct xenfb_device *dev,
+			      const char *type,
+			      struct xenfb_private *xenfb)
+{
+	dev->devicetype = type;
+	dev->otherend_id = -1;
+	dev->port = -1;
+	dev->xenfb = xenfb;
+}
+
+int xenfb_device_set_domain(struct xenfb_device *dev, int domid)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+
+	dev->otherend_id = domid;
+
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->otherend, sizeof(dev->otherend),
+			       domid, "device/%s/0", dev->devicetype)) {
+		errno = ENOENT;
+		return -1;
+	}
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->nodename, sizeof(dev->nodename),
+			       0, "backend/%s/%d/0", dev->devicetype, domid)) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	return 0;
+}
+
+struct xenfb *xenfb_new(void)
+{
+	struct xenfb_private *xenfb = malloc(sizeof(*xenfb));
+	int serrno;
+
+	if (xenfb == NULL)
+		return NULL;
+
+	memset(xenfb, 0, sizeof(*xenfb));
+	xenfb->evt_xch = xenfb->xc = -1;
+	xenfb_device_init(&xenfb->fb, "vfb", xenfb);
+	xenfb_device_init(&xenfb->kbd, "vkbd", xenfb);
+
+	xenfb->evt_xch = xc_evtchn_open();
+	if (xenfb->evt_xch == -1)
+		goto fail;
+
+	xenfb->xc = xc_interface_open();
+	if (xenfb->xc == -1)
+		goto fail;
+
+	xenfb->xsh = xs_daemon_open();
+	if (!xenfb->xsh)
+		goto fail;
+
+	return &xenfb->pub;
+
+ fail:
+	serrno = errno;
+	xenfb_delete(&xenfb->pub);
+	errno = serrno;
+	return NULL;
+}
+
+/* Remove the backend area in xenbus since the framebuffer really is
+   going away. */
+void xenfb_teardown(struct xenfb *xenfb_pub)
+{
+       struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->fb.nodename);
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->kbd.nodename);
+}
+
+
+void xenfb_delete(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	xenfb_detach_dom(xenfb);
+	if (xenfb->xc >= 0)
+		xc_interface_close(xenfb->xc);
+	if (xenfb->evt_xch >= 0)
+		xc_evtchn_close(xenfb->evt_xch);
+	if (xenfb->xsh)
+		xs_daemon_close(xenfb->xsh);
+	free(xenfb);
+}
+
+static enum xenbus_state xenfb_read_state(struct xs_handle *xsh,
+					  const char *dir)
+{
+	int ret, state;
+
+	ret = xenfb_xs_scanf1(xsh, dir, "state", "%d", &state);
+	if (ret < 0)
+		return XenbusStateUnknown;
+
+	if ((unsigned)state > XenbusStateClosed)
+		state = XenbusStateUnknown;
+	return state;
+}
+
+static int xenfb_switch_state(struct xenfb_device *dev,
+			      enum xenbus_state state)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+
+	if (xenfb_xs_printf(xsh, dev->nodename, "state", "%d", state) < 0)
+		return -1;
+	dev->state = state;
+	return 0;
+}
+
+static int xenfb_wait_for_state(struct xs_handle *xsh, const char *dir,
+				unsigned awaited)
+{
+	unsigned state, dummy;
+	char **vec;
+
+	awaited |= 1 << XenbusStateUnknown;
+
+	for (;;) {
+		state = xenfb_read_state(xsh, dir);
+		if ((1 << state) & awaited)
+			return state;
+
+		vec = xs_read_watch(xsh, &dummy);
+		if (!vec)
+			return -1;
+		free(vec);
+	}
+}
+
+static int xenfb_wait_for_backend_creation(struct xenfb_device *dev)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	int state;
+
+	if (!xs_watch(xsh, dev->nodename, ""))
+		return -1;
+	state = xenfb_wait_for_state(xsh, dev->nodename,
+			(1 << XenbusStateInitialising)
+			| (1 << XenbusStateClosed)
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			| (1 << XenbusStateInitWait)
+			| (1 << XenbusStateConnected)
+			| (1 << XenbusStateClosing)
+#endif
+			);
+	xs_unwatch(xsh, dev->nodename, "");
+
+	switch (state) {
+#if 1
+	case XenbusStateInitWait:
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialising); /* FIXME */
+#endif
+	case XenbusStateInitialising:
+	case XenbusStateClosing:
+	case XenbusStateClosed:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static int xenfb_hotplug(struct xenfb_device *dev)
+{
+	if (xenfb_xs_printf(dev->xenfb->xsh, dev->nodename,
+			    "hotplug-status", "connected"))
+		return -1;
+	return 0;
+}
+
+static int xenfb_wait_for_frontend_initialised(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			(1 << XenbusStateInitialised)
+			| (1 << XenbusStateConnected)
+#else
+			1 << XenbusStateInitialised,
+#endif
+			)) {
+#if 1
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialised); /* FIXME */
+#endif
+	case XenbusStateInitialised:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_copy_mfns(int mode, int count, unsigned long *dst, void *src)
+{
+	uint32_t *src32 = src;
+	uint64_t *src64 = src;
+	int i;
+
+	for (i = 0; i < count; i++)
+		dst[i] = (mode == 32) ? src32[i] : src64[i];
+}
+
+static int xenfb_map_fb(struct xenfb_private *xenfb, int domid)
+{
+	struct xenfb_page *page = xenfb->fb.page;
+	int n_fbmfns;
+	int n_fbdirs;
+	unsigned long *pgmfns = NULL;
+	unsigned long *fbmfns = NULL;
+	void *map, *pd;
+	int mode, ret = -1;
+
+	/* default to native */
+	pd = page->pd;
+	mode = sizeof(unsigned long) * 8;
+
+	if (0 == strlen(xenfb->protocol)) {
+		/*
+		 * Undefined protocol, some guesswork needed.
+		 *
+		 * Old frontends which don't set the protocol use
+		 * one page directory only, thus pd[1] must be zero.
+		 * pd[1] of the 32bit struct layout and the lower
+		 * 32 bits of pd[0] of the 64bit struct layout have
+		 * the same location, so we can check that ...
+		 */
+		uint32_t *ptr32 = NULL;
+		uint32_t *ptr64 = NULL;
+#if defined(__i386__)
+		ptr32 = (void*)page->pd;
+		ptr64 = ((void*)page->pd) + 4;
+#elif defined(__x86_64__)
+		ptr32 = ((void*)page->pd) - 4;
+		ptr64 = (void*)page->pd;
+#endif
+		if (ptr32) {
+			if (0 == ptr32[1]) {
+				mode = 32;
+				pd   = ptr32;
+			} else {
+				mode = 64;
+				pd   = ptr64;
+			}
+		}
+#if defined(__x86_64__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_32)) {
+		/* 64bit dom0, 32bit domU */
+		mode = 32;
+		pd   = ((void*)page->pd) - 4;
+#elif defined(__i386__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_64)) {
+		/* 32bit dom0, 64bit domU */
+		mode = 64;
+		pd   = ((void*)page->pd) + 4;
+#endif
+	}
+
+	n_fbmfns = (xenfb->fb_len + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+	n_fbdirs = n_fbmfns * mode / 8;
+	n_fbdirs = (n_fbdirs + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+
+	pgmfns = malloc(sizeof(unsigned long) * n_fbdirs);
+	fbmfns = malloc(sizeof(unsigned long) * n_fbmfns);
+	if (!pgmfns || !fbmfns)
+		goto out;
+
+	/*
+	 * Bug alert: xc_map_foreign_batch() can fail partly and
+	 * return a non-null value.  This is a design flaw.  When it
+	 * happens, we happily continue here, and later crash on
+	 * access.
+	 */
+	xenfb_copy_mfns(mode, n_fbdirs, pgmfns, pd);
+	map = xc_map_foreign_batch(xenfb->xc, domid,
+				   PROT_READ, pgmfns, n_fbdirs);
+	if (map == NULL)
+		goto out;
+	xenfb_copy_mfns(mode, n_fbmfns, fbmfns, map);
+	munmap(map, n_fbdirs * XC_PAGE_SIZE);
+
+	xenfb->pub.pixels = xc_map_foreign_batch(xenfb->xc, domid,
+				PROT_READ | PROT_WRITE, fbmfns, n_fbmfns);
+	if (xenfb->pub.pixels == NULL)
+		goto out;
+
+	ret = 0; /* all is fine */
+
+ out:
+	if (pgmfns)
+		free(pgmfns);
+	if (fbmfns)
+		free(fbmfns);
+	return ret;
+}
+
+static int xenfb_bind(struct xenfb_device *dev)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+	unsigned long mfn;
+	evtchn_port_t evtchn;
+
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "page-ref", "%lu",
+			    &mfn) < 0)
+		return -1;
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "event-channel", "%u",
+			    &evtchn) < 0)
+		return -1;
+
+	dev->port = xc_evtchn_bind_interdomain(xenfb->evt_xch,
+					       dev->otherend_id, evtchn);
+	if (dev->port == -1)
+		return -1;
+
+	dev->page = xc_map_foreign_range(xenfb->xc, dev->otherend_id,
+			XC_PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
+	if (dev->page == NULL)
+		return -1;
+
+	return 0;
+}
+
+static void xenfb_unbind(struct xenfb_device *dev)
+{
+	if (dev->page) {
+		munmap(dev->page, XC_PAGE_SIZE);
+		dev->page = NULL;
+	}
+        if (dev->port >= 0) {
+		xc_evtchn_unbind(dev->xenfb->evt_xch, dev->port);
+		dev->port = -1;
+	}
+}
+
+static int xenfb_wait_for_frontend_connected(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+				     1 << XenbusStateConnected)) {
+	case XenbusStateConnected:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_dev_fatal(struct xenfb_device *dev, int err,
+			    const char *fmt, ...)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	va_list ap;
+	char errdir[80];
+	char buf[1024];
+	int n;
+
+	fprintf(stderr, "%s ", dev->nodename); /* somewhat crude */
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	if (err)
+		fprintf(stderr, " (%s)", strerror(err));
+	putc('\n', stderr);
+
+	if (!xenfb_path_in_dom(xsh, errdir, sizeof(errdir), 0,
+			       "error/%s", dev->nodename))
+		goto out;	/* FIXME complain */
+
+	va_start(ap, fmt);
+	n = snprintf(buf, sizeof(buf), "%d ", err);
+	snprintf(buf + n, sizeof(buf) - n, fmt, ap);
+	va_end(ap);
+
+	if (xenfb_xs_printf(xsh, buf, "error", "%s", buf) < 0)
+		goto out;	/* FIXME complain */
+
+ out:
+	xenfb_switch_state(dev, XenbusStateClosing);
+}
+
+int xenfb_attach_dom(struct xenfb *xenfb_pub, int domid)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	struct xs_handle *xsh = xenfb->xsh;
+	int val, serrno;
+	struct xenfb_page *fb_page;
+
+	xenfb_detach_dom(xenfb);
+
+	xenfb_device_set_domain(&xenfb->fb, domid);
+	xenfb_device_set_domain(&xenfb->kbd, domid);
+
+	if (xenfb_wait_for_backend_creation(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_backend_creation(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_printf(xsh, xenfb->kbd.nodename, "feature-abs-pointer", "1"))
+		goto error;
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateInitWait))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateInitWait))
+		goto error;
+
+	if (xenfb_hotplug(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_hotplug(&xenfb->kbd) < 0)
+		goto error;
+
+	if (!xs_watch(xsh, xenfb->fb.otherend, ""))
+		goto error;
+	if (!xs_watch(xsh, xenfb->kbd.otherend, ""))
+		goto error;
+
+	if (xenfb_wait_for_frontend_initialised(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_frontend_initialised(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_bind(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_bind(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "feature-update",
+			    "%d", &val) < 0)
+		val = 0;
+	if (!val) {
+		errno = ENOTSUP;
+		goto error;
+	}
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "protocol", "%63s",
+			    xenfb->protocol) < 0)
+		xenfb->protocol[0] = '\0';
+	xenfb_xs_printf(xsh, xenfb->fb.nodename, "request-update", "1");
+
+	/* TODO check for permitted ranges */
+	fb_page = xenfb->fb.page;
+	xenfb->pub.depth = fb_page->depth;
+	xenfb->pub.width = fb_page->width;
+	xenfb->pub.height = fb_page->height;
+	/* TODO check for consistency with the above */
+	xenfb->fb_len = fb_page->mem_length;
+	xenfb->pub.row_stride = fb_page->line_length;
+
+	if (xenfb_map_fb(xenfb, domid) < 0)
+		goto error;
+
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateConnected))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateConnected))
+		goto error;
+
+	if (xenfb_wait_for_frontend_connected(&xenfb->kbd) < 0)
+		goto error;
+	if (xenfb_xs_scanf1(xsh, xenfb->kbd.otherend, "request-abs-pointer",
+			    "%d", &val) < 0)
+		val = 0;
+	xenfb->pub.abs_pointer_wanted = val;
+
+	return 0;
+
+ error:
+	serrno = errno;
+	xenfb_detach_dom(xenfb);
+	xenfb_dev_fatal(&xenfb->fb, serrno, "on fire");
+	xenfb_dev_fatal(&xenfb->kbd, serrno, "on fire");
+        errno = serrno;
+        return -1;
+}
+
+static void xenfb_detach_dom(struct xenfb_private *xenfb)
+{
+	xenfb_unbind(&xenfb->fb);
+	xenfb_unbind(&xenfb->kbd);
+	if (xenfb->pub.pixels) {
+		munmap(xenfb->pub.pixels, xenfb->fb_len);
+		xenfb->pub.pixels = NULL;
+	}
+}
+
+static void xenfb_on_fb_event(struct xenfb_private *xenfb)
+{
+	uint32_t prod, cons;
+	struct xenfb_page *page = xenfb->fb.page;
+
+	prod = page->out_prod;
+	if (prod == page->out_cons)
+		return;
+	rmb();			/* ensure we see ring contents up to prod */
+	for (cons = page->out_cons; cons != prod; cons++) {
+		union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+
+		switch (event->type) {
+		case XENFB_TYPE_UPDATE:
+                    if (xenfb->pub.update)
+			xenfb->pub.update(&xenfb->pub,
+					  event->update.x, event->update.y,
+					  event->update.width, event->update.height);
+                    break;
+		}
+	}
+	mb();			/* ensure we're done with ring contents */
+	page->out_cons = cons;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->fb.port);
+}
+
+static void xenfb_on_kbd_event(struct xenfb_private *xenfb)
+{
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	/* We don't understand any keyboard events, so just ignore them. */
+	if (page->out_prod == page->out_cons)
+		return;
+	page->out_cons = page->out_prod;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+static int xenfb_on_state_change(struct xenfb_device *dev)
+{
+	enum xenbus_state state;
+
+	state = xenfb_read_state(dev->xenfb->xsh, dev->otherend);
+
+	switch (state) {
+	case XenbusStateUnknown:
+		/* There was an error reading the frontend state.  The
+		   domain has probably gone away; in any case, there's
+		   not much point in us continuing. */
+		return -1;
+	case XenbusStateInitialising:
+	case XenbusStateInitWait:
+	case XenbusStateInitialised:
+	case XenbusStateConnected:
+		break;
+	case XenbusStateClosing:
+		xenfb_unbind(dev);
+		xenfb_switch_state(dev, state);
+		break;
+	case XenbusStateClosed:
+		xenfb_switch_state(dev, state);
+	}
+	return 0;
+}
+
+static void xenfb_dispatch_channel(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	evtchn_port_t port;
+	
+	port = xc_evtchn_pending(xenfb->evt_xch);
+	if (port == -1)
+		return;
+
+	if (port == xenfb->fb.port)
+		xenfb_on_fb_event(xenfb);
+	else if (port == xenfb->kbd.port)
+		xenfb_on_kbd_event(xenfb);
+  
+	if (xc_evtchn_unmask(xenfb->evt_xch, port) == -1)
+		return;
+}
+
+static void xenfb_dispatch_store(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	char **vec;
+	int r;
+	unsigned dummy;
+
+	vec = xs_read_watch(xenfb->xsh, &dummy);
+	free(vec);
+	r = xenfb_on_state_change(&xenfb->fb);
+	if (r == 0)
+		r = xenfb_on_state_change(&xenfb->kbd);
+	if (r == -1)
+		exit(1);
+	/* XXX better error handling ?*/
+}
+
+
+int xenfb_register_events(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	int fd1 = xc_evtchn_fd(xenfb->evt_xch);
+	int fd2 = xs_fileno(xenfb->xsh);
+
+	if (qemu_set_fd_handler2(fd1, NULL, xenfb_dispatch_channel, NULL, xenfb_pub) < 0)
+		return -1;
+	if (qemu_set_fd_handler2(fd2, NULL, xenfb_dispatch_store, NULL, xenfb_pub) < 0)
+		return -1;
+
+	return 0;
+}
+
+static int xenfb_kbd_event(struct xenfb_private *xenfb,
+			   union xenkbd_in_event *event)
+{
+	uint32_t prod;
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	if (xenfb->kbd.state != XenbusStateConnected)
+		return 0;
+
+	prod = page->in_prod;
+	if (prod - page->in_cons == XENKBD_IN_RING_LEN) {
+		errno = EAGAIN;
+		return -1;
+	}
+
+	mb();			/* ensure ring space available */
+	XENKBD_IN_RING_REF(page, prod) = *event;
+	wmb();			/* ensure ring contents visible */
+	page->in_prod = prod + 1;
+	return xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+int xenfb_send_key(struct xenfb *xenfb_pub, bool down, int keycode)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+	printf("Key %d down %d\n", keycode, down);
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_KEY;
+	event.key.pressed = down ? 1 : 0;
+	event.key.keycode = keycode;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+static const int btnmap[] = {
+        BTN_LEFT, BTN_RIGHT, BTN_MIDDLE, BTN_SIDE,
+        BTN_EXTRA, BTN_FORWARD, BTN_BACK, BTN_TASK
+};
+
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	int i;
+	for (i = 0 ; i < 8 ; i++) {
+		int lastDown = xenfb->state & (1 << i);
+		int down = state & (1 << i);
+		if (down == lastDown)
+			continue;
+	  
+		if (xenfb_send_key(xenfb_pub, down, BTN_LEFT+i) < 0)
+			return -1;
+	}
+
+	xenfb->state = state;
+	return 0;
+}
+
+int xenfb_send_motion(struct xenfb *xenfb_pub, int rel_x, int rel_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_MOTION;
+	event.motion.rel_x = rel_x;
+	event.motion.rel_y = rel_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+int xenfb_send_position(struct xenfb *xenfb_pub, int abs_x, int abs_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_POS;
+	event.pos.abs_x = abs_x;
+	event.pos.abs_y = abs_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 37f6e57ef2c2 hw/xenfb.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/hw/xenfb.h	Fri Jul 27 15:05:38 2007 -0400
@@ -0,0 +1,35 @@
+#ifndef _XENFB_H_
+#define _XENFB_H_
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+struct xenfb
+{
+	void *pixels;
+
+	int row_stride;
+	int depth;
+	int width;
+	int height;
+	int abs_pointer_wanted;
+
+	void *user_data;
+
+	void (*update)(struct xenfb *xenfb, int x, int y, int width, int height);
+};
+
+struct xenfb *xenfb_new(void);
+void xenfb_delete(struct xenfb *xenfb);
+void xenfb_teardown(struct xenfb *xenfb);
+
+int xenfb_attach_dom(struct xenfb *xenfb, int domid);
+
+int xenfb_register_events(struct xenfb *xenfb_pub);
+
+int xenfb_send_key(struct xenfb *xenfb, bool down, int keycode);
+int xenfb_send_motion(struct xenfb *xenfb, int rel_x, int rel_y);
+int xenfb_send_position(struct xenfb *xenfb, int abs_x, int abs_y);
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state);
+
+#endif
diff -r 37f6e57ef2c2 vl.c
--- a/vl.c	Wed Jul 25 11:08:50 2007 -0400
+++ b/vl.c	Fri Jul 27 15:18:47 2007 -0400
@@ -6966,6 +6966,7 @@ void register_machines(void)
 #if defined(TARGET_I386)
     qemu_register_machine(&pc_machine);
     qemu_register_machine(&isapc_machine);
+    qemu_register_machine(&xenpv_machine);
 #elif defined(TARGET_PPC)
     qemu_register_machine(&heathrow_machine);
     qemu_register_machine(&core99_machine);
diff -r 37f6e57ef2c2 vl.h
--- a/vl.h	Wed Jul 25 11:08:50 2007 -0400
+++ b/vl.h	Fri Jul 27 13:15:26 2007 -0400
@@ -1150,6 +1150,9 @@ extern QEMUMachine isapc_machine;
 extern QEMUMachine isapc_machine;
 extern int fd_bootchk;
 
+/* xen.c */
+extern QEMUMachine xenpv_machine;
+
 void ioport_set_a20(int enable);
 int ioport_get_a20(void);
 

[-- Attachment #3: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: Prototype to use QEMU for PV guest framebuffer

[Anthony Liguori]

Daniel P. Berrange wrote:
> As many of us are all too painfully aware we have completely different VNC 
> server implementations for paravirt vs fullyvirt Xen guests. The former 
> based on libvncserver, the latter integrated into QEMU. There are many new
> and interesting ideas being tried out in the VNC server space in particular
> wrt to virtualization and having to implement them all twice is not very
> desirable.  Also libvncserver code is terrible - many bad thread race 
> conditions that are near impossible to diagnose, let alone solve :-(
> 
> At the summit there were a couple of suggestions, either taking the VNC
> server code from QEMU and splicing it into the xenfb daemon. Another was
> to take the QEMU VNC code and put it into a library that can be used by
> both QEMU & xenfb. Neither of those is a particularly appealing prospect.
> 
> Then Anthony Liguori suggested a 3rd approach, which was to add a new QEMU
> machine type to the x86 target, and simply disable all the emulated hardwre
> and just make use of QEMU infrastructure for the VNC server, select() event 
> loop and display state.
> 
> This sounded very intriguing so I did a little experimentation today doing
> exactly that. First of all I've copied  tools/xenfb/xenfb.c into the 
> qemu/hw/xenfb.c file. Next I added a qemu/hw/xen.c file to provide the 
> implementation of the QEMU machine type - called 'xenpv'. 
> 
> All the interesting code (all 100 lines of it) is in hw/xen.c in the
> xen_init_pv method - which is called when using the '-M xenpv' command
> line arg. 
> 
> The first thing this does is get the domain ID - to avoid touching QEMU's
> command line args, I just use an environ variable XEN_DOMID to pass this
> in.
> 
> The main_loop() in qemu/vl.c assumes there is always one CPU created in
> the VM, but for our purposes we're not doing any CPU emulation merely 
> using the event loop/display state. So to workaround this assumption I
> create a single CPUState  *  instance, and permanently disable it by 
> setting 'cpu->hflags = HF_HALTED_MASK'. Seems to do the job.
> 
> Next, up we attach to the guest PVFB frontend - just using the existing code
> for this - qemu/hw/xenfb.c (formerly xen-unstable/tools/xenfb/xenfb.c).
> 
> Now we register a QEMU graphical console, a mouse event receiver, a
> keyboard event receiver, and register the xenstored and event channel
> file handles with QEMU's event loop.
> 
> Finally, initialize QEMU's display state to match the PVFB framebuffer
> config (ie 800x600x32).
> 
> Pushing mouse & keyboard events through from QEMU to PVFB frontend is
> trivial. The only bit I'm unhappy about is that QEMU can't access the
> guest framebuffer directly. The DisplayState * struct has its own copy
> of the framebuffer - allocated by the VNC or SDL impls in QEMU - and
> so whenever the guest framebuffer changes, we have to memcpy() the data
> from the guest into the QEMU framebuffer.

The DisplayState driver (VNC or SDL) chooses what the depth and format 
of this ds->data buffer should be.  The PVFB expects a certain format so 
you would have to do more than just a memcpy().  You'll have to be able 
to translate between the xenfb format and the ds->data format.

This is very cool stuff though!  Since QEMU already supports VNC and 
SDL, we don't need to maintain any additional pvfb backends.

Regards,

Anthony Liguori

> Still, this is no worse than
> what the HVM guests already do. Its probably not too hard to change the
> QEMU impl of VNC / SDL to use the guest framebuffer directly if we did
> a little re-factoring. I wanted to keep it simple for now & not change
> any of the upstream QEMU code.
> 
> This attached patch is against the current upstream QEMU  CVS code, not Xen's 
> ioemu, since I wanted to work against pristine QEMU codebase & avoid any
> potential wierd iteractions with HVM stuff added to ioemu. The diff is

RE: Prototype to use QEMU for PV guest framebuffer

[Ian Pratt]

> Pushing mouse & keyboard events through from QEMU to PVFB frontend is
> trivial. The only bit I'm unhappy about is that QEMU can't access the
> guest framebuffer directly. The DisplayState * struct has its own copy
> of the framebuffer - allocated by the VNC or SDL impls in QEMU - and
> so whenever the guest framebuffer changes, we have to memcpy() the
data
> from the guest into the QEMU framebuffer. Still, this is no worse than
> what the HVM guests already do. Its probably not too hard to change
the
> QEMU impl of VNC / SDL to use the guest framebuffer directly if we did
> a little re-factoring. I wanted to keep it simple for now & not change
> any of the upstream QEMU code.
> 
> This attached patch is against the current upstream QEMU  CVS code,
not
> Xen's ioemu, since I wanted to work against pristine QEMU codebase &
avoid
> any potential wierd iteractions with HVM stuff added to ioemu. The
diff is

It'll certainly be good to see the back of libvncserver.

Could you investigate whether this patch applies to qemu-dm easily
enough?

Thanks,
Ian

Re: Prototype to use QEMU for PV guest framebuffer

[Daniel P. Berrange]

[-- Attachment #1: Type: text/plain, Size: 4083 bytes --]

On Sun, Jul 29, 2007 at 11:03:09PM +0100, Ian Pratt wrote:
> > Pushing mouse & keyboard events through from QEMU to PVFB frontend is
> > trivial. The only bit I'm unhappy about is that QEMU can't access the
> > guest framebuffer directly. The DisplayState * struct has its own copy
> > of the framebuffer - allocated by the VNC or SDL impls in QEMU - and
> > so whenever the guest framebuffer changes, we have to memcpy() the
> data
> > from the guest into the QEMU framebuffer. Still, this is no worse than
> > what the HVM guests already do. Its probably not too hard to change
> the
> > QEMU impl of VNC / SDL to use the guest framebuffer directly if we did
> > a little re-factoring. I wanted to keep it simple for now & not change
> > any of the upstream QEMU code.
> > 
> > This attached patch is against the current upstream QEMU  CVS code,
> not
> > Xen's ioemu, since I wanted to work against pristine QEMU codebase &
> avoid
> > any potential wierd iteractions with HVM stuff added to ioemu. The
> diff is
> 
> It'll certainly be good to see the back of libvncserver.
> 
> Could you investigate whether this patch applies to qemu-dm easily
> enough?

The answer was yes & no :-)  Although we've got a separate target for
QEMU, there's still a bunch of stuff in the main vl.c that is specific
to HVM guests - the memory map initialization basically.

The way I've approached this problem is to define two QEMU machines

  $ ./ioemu/i386-dm/qemu-dm -M ?
  Supported machines are:
  xenfv      Xen Fullyvirtualized PC (default)
  xenpv      Xen Paravirtualized PC

The little bit of HVM specific stuff from vl.c I've moved into the machine 
specific init function in  hw/xenfv.c

As with my first prototype the hw/xenpv.c file provides a machine for Xen
paravirt guests which merely talks the PVFB protocol. The only change from
my previous patch is that it now does pixel swizzling if the guest display
depth is not the same as the QEMU display depth.

So, in summary this does look like it'll work fairly well for PVFB.  The
patch attached is my latest work-in-progress

 b/tools/ioemu/hw/xenfb.c             |  822 +++++++++++++++++++++++++++++++++++
 b/tools/ioemu/hw/xenfb.h             |   35 +
 b/tools/ioemu/hw/xenfv.c             |  258 ++++++++++
 b/tools/ioemu/hw/xenpv.c             |  157 ++++++
 tools/ioemu/Makefile.target          |    6 
 tools/ioemu/target-i386-dm/helper2.c |    3 
 tools/ioemu/vl.c                     |  242 ----------
 tools/ioemu/vl.h                     |    4 
 12 files changed, 1287 insertions(+), 240 deletions(-)



Taking this idea of using QEMU for PV services a little further it occured
to me that if we could figure out a way to get the bootloaders to be run
from QEMU instead of XenD then we would be able to interact with pygrub
remotely over the graphical VNC console - currently you can only use it 
over the text serial console on the local host. It might also require that
we have QEMU handling the guest console directly instead of xenconsoled.
ie so that QEMU could make the bootloader (pygrub) available on both VNC & 
a PTY at the same time. This would also mean the serial console could take 
advantage of QEMU's support for accessing it via UDP, or TCP, or TCP+telnet, 
as well as local PTYs.

Finally, I notice that ioemu/patches/qemu-dm disables the QEMU code which
lets you boot a linux kernel+initrd directly, instead of using the MBR
to run a bootloader. Is there any particular reason why this can't be made
to work for Xen HVM guests ? The ability to boot a kenrel+initrd directly
is very handy for some deployment & installation scenarios - eg to automate
an anaconda installer, passing in command line args to kickstart, without
needing to modify a CDROM iso, or use PXE.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

[-- Attachment #2: xen-qemu-machine.patch --]
[-- Type: text/plain, Size: 45763 bytes --]

diff -r 9261686d840c tools/ioemu/Makefile.target
--- a/tools/ioemu/Makefile.target	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/Makefile.target	Wed Aug 01 15:36:10 2007 -0400
@@ -391,9 +391,9 @@ ifeq ($(TARGET_BASE_ARCH), i386)
 # Hardware support
 VL_OBJS+= ide.o pckbd.o ps2.o vga.o $(SOUND_HW) dma.o $(AUDIODRV)
 ifeq ($(ARCH),ia64)
-VL_OBJS+= fdc.o mc146818rtc.o serial.o pc.o
-else
-VL_OBJS+= fdc.o serial.o pc.o
+VL_OBJS+= fdc.o mc146818rtc.o serial.o pc.o xenpv.o xenfv.o xenfb.o
+else
+VL_OBJS+= fdc.o serial.o pc.o xenpv.o xenfv.o xenfb.o
 endif
 VL_OBJS+= cirrus_vga.o mixeng.o parallel.o acpi.o
 VL_OBJS+= usb-uhci.o smbus_eeprom.o
diff -r 9261686d840c tools/ioemu/hw/xenfb.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfb.c	Mon Jul 30 17:51:22 2007 -0400
@@ -0,0 +1,822 @@
+#include <stdarg.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <xenctrl.h>
+#include <xen/io/xenbus.h>
+#include <xen/io/fbif.h>
+#include <xen/io/kbdif.h>
+#include <xen/io/protocols.h>
+#include <sys/select.h>
+#include <stdbool.h>
+#include <xen/event_channel.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <xs.h>
+#include <linux/input.h>
+
+#include "xenfb.h"
+#include "vl.h"
+
+// FIXME defend against malicious frontend?
+
+struct xenfb_device {
+	const char *devicetype;
+	char nodename[64];	/* backend xenstore dir */
+	char otherend[64];	/* frontend xenstore dir */
+	int otherend_id;	/* frontend domid */
+	enum xenbus_state state; /* backend state */
+	void *page;		/* shared page */
+	evtchn_port_t port;
+	struct xenfb_private *xenfb;
+};
+
+struct xenfb_private {
+	struct xenfb pub;
+	int evt_xch;		/* event channel driver handle */
+	int xc;			/* hypervisor interface handle */
+	struct xs_handle *xsh;	/* xs daemon handle */
+	struct xenfb_device fb, kbd;
+	size_t fb_len;		/* size of framebuffer */
+	char protocol[64];	/* frontend protocol */
+        int state;
+};
+
+static void xenfb_detach_dom(struct xenfb_private *);
+
+static char *xenfb_path_in_dom(struct xs_handle *xsh,
+			       char *buf, size_t size,
+			       unsigned domid, const char *fmt, ...)
+{
+	va_list ap;
+	char *domp = xs_get_domain_path(xsh, domid);
+	int n;
+
+        if (domp == NULL)
+		return NULL;
+
+	n = snprintf(buf, size, "%s/", domp);
+	free(domp);
+	if (n >= size)
+		return NULL;
+
+	va_start(ap, fmt);
+	n += vsnprintf(buf + n, size - n, fmt, ap);
+	va_end(ap);
+	if (n >= size)
+		return NULL;
+
+	return buf;
+}
+
+static int xenfb_xs_scanf1(struct xs_handle *xsh,
+			   const char *dir, const char *node,
+			   const char *fmt, void *dest)
+{
+	char buf[1024];
+	char *p;
+	int ret;
+
+	if (snprintf(buf, sizeof(buf), "%s/%s", dir, node) >= sizeof(buf)) {
+		errno = ENOENT;
+		return -1;
+        }
+	p = xs_read(xsh, XBT_NULL, buf, NULL);
+	if (!p) {
+		errno = ENOENT;
+		return -1;
+        }
+	ret = sscanf(p, fmt, dest);
+	free(p);
+	if (ret != 1) {
+		errno = EDOM;
+		return -1;
+        }
+	return ret;
+}
+
+static int xenfb_xs_printf(struct xs_handle *xsh,
+			   const char *dir, const char *node, char *fmt, ...)
+{
+	va_list ap;
+	char key[1024];
+	char val[1024];
+	int n;
+
+	if (snprintf(key, sizeof(key), "%s/%s", dir, node) >= sizeof(key)) {
+		errno = ENOENT;
+		return -1;
+        }
+
+	va_start(ap, fmt);
+	n = vsnprintf(val, sizeof(val), fmt, ap);
+	va_end(ap);
+	if (n >= sizeof(val)) {
+		errno = ENOSPC; /* close enough */
+		return -1;
+	}
+
+	if (!xs_write(xsh, XBT_NULL, key, val, n))
+		return -1;
+	return 0;
+}
+
+static void xenfb_device_init(struct xenfb_device *dev,
+			      const char *type,
+			      struct xenfb_private *xenfb)
+{
+	dev->devicetype = type;
+	dev->otherend_id = -1;
+	dev->port = -1;
+	dev->xenfb = xenfb;
+}
+
+int xenfb_device_set_domain(struct xenfb_device *dev, int domid)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+
+	dev->otherend_id = domid;
+
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->otherend, sizeof(dev->otherend),
+			       domid, "device/%s/0", dev->devicetype)) {
+		errno = ENOENT;
+		return -1;
+	}
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->nodename, sizeof(dev->nodename),
+			       0, "backend/%s/%d/0", dev->devicetype, domid)) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	return 0;
+}
+
+struct xenfb *xenfb_new(void)
+{
+	struct xenfb_private *xenfb = malloc(sizeof(*xenfb));
+	int serrno;
+
+	if (xenfb == NULL)
+		return NULL;
+
+	memset(xenfb, 0, sizeof(*xenfb));
+	xenfb->evt_xch = xenfb->xc = -1;
+	xenfb_device_init(&xenfb->fb, "vfb", xenfb);
+	xenfb_device_init(&xenfb->kbd, "vkbd", xenfb);
+
+	xenfb->evt_xch = xc_evtchn_open();
+	if (xenfb->evt_xch == -1)
+		goto fail;
+
+	xenfb->xc = xc_interface_open();
+	if (xenfb->xc == -1)
+		goto fail;
+
+	xenfb->xsh = xs_daemon_open();
+	if (!xenfb->xsh)
+		goto fail;
+
+	return &xenfb->pub;
+
+ fail:
+	serrno = errno;
+	xenfb_delete(&xenfb->pub);
+	errno = serrno;
+	return NULL;
+}
+
+/* Remove the backend area in xenbus since the framebuffer really is
+   going away. */
+void xenfb_teardown(struct xenfb *xenfb_pub)
+{
+       struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->fb.nodename);
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->kbd.nodename);
+}
+
+
+void xenfb_delete(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	xenfb_detach_dom(xenfb);
+	if (xenfb->xc >= 0)
+		xc_interface_close(xenfb->xc);
+	if (xenfb->evt_xch >= 0)
+		xc_evtchn_close(xenfb->evt_xch);
+	if (xenfb->xsh)
+		xs_daemon_close(xenfb->xsh);
+	free(xenfb);
+}
+
+static enum xenbus_state xenfb_read_state(struct xs_handle *xsh,
+					  const char *dir)
+{
+	int ret, state;
+
+	ret = xenfb_xs_scanf1(xsh, dir, "state", "%d", &state);
+	if (ret < 0)
+		return XenbusStateUnknown;
+
+	if ((unsigned)state > XenbusStateClosed)
+		state = XenbusStateUnknown;
+	return state;
+}
+
+static int xenfb_switch_state(struct xenfb_device *dev,
+			      enum xenbus_state state)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+
+	if (xenfb_xs_printf(xsh, dev->nodename, "state", "%d", state) < 0)
+		return -1;
+	dev->state = state;
+	return 0;
+}
+
+static int xenfb_wait_for_state(struct xs_handle *xsh, const char *dir,
+				unsigned awaited)
+{
+	unsigned state, dummy;
+	char **vec;
+
+	awaited |= 1 << XenbusStateUnknown;
+
+	for (;;) {
+		state = xenfb_read_state(xsh, dir);
+		if ((1 << state) & awaited)
+			return state;
+
+		vec = xs_read_watch(xsh, &dummy);
+		if (!vec)
+			return -1;
+		free(vec);
+	}
+}
+
+static int xenfb_wait_for_backend_creation(struct xenfb_device *dev)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	int state;
+
+	if (!xs_watch(xsh, dev->nodename, ""))
+		return -1;
+	state = xenfb_wait_for_state(xsh, dev->nodename,
+			(1 << XenbusStateInitialising)
+			| (1 << XenbusStateClosed)
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			| (1 << XenbusStateInitWait)
+			| (1 << XenbusStateConnected)
+			| (1 << XenbusStateClosing)
+#endif
+			);
+	xs_unwatch(xsh, dev->nodename, "");
+
+	switch (state) {
+#if 1
+	case XenbusStateInitWait:
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialising); /* FIXME */
+#endif
+	case XenbusStateInitialising:
+	case XenbusStateClosing:
+	case XenbusStateClosed:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static int xenfb_hotplug(struct xenfb_device *dev)
+{
+	if (xenfb_xs_printf(dev->xenfb->xsh, dev->nodename,
+			    "hotplug-status", "connected"))
+		return -1;
+	return 0;
+}
+
+static int xenfb_wait_for_frontend_initialised(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			(1 << XenbusStateInitialised)
+			| (1 << XenbusStateConnected)
+#else
+			1 << XenbusStateInitialised,
+#endif
+			)) {
+#if 1
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialised); /* FIXME */
+#endif
+	case XenbusStateInitialised:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_copy_mfns(int mode, int count, unsigned long *dst, void *src)
+{
+	uint32_t *src32 = src;
+	uint64_t *src64 = src;
+	int i;
+
+	for (i = 0; i < count; i++)
+		dst[i] = (mode == 32) ? src32[i] : src64[i];
+}
+
+static int xenfb_map_fb(struct xenfb_private *xenfb, int domid)
+{
+	struct xenfb_page *page = xenfb->fb.page;
+	int n_fbmfns;
+	int n_fbdirs;
+	unsigned long *pgmfns = NULL;
+	unsigned long *fbmfns = NULL;
+	void *map, *pd;
+	int mode, ret = -1;
+
+	/* default to native */
+	pd = page->pd;
+	mode = sizeof(unsigned long) * 8;
+
+	if (0 == strlen(xenfb->protocol)) {
+		/*
+		 * Undefined protocol, some guesswork needed.
+		 *
+		 * Old frontends which don't set the protocol use
+		 * one page directory only, thus pd[1] must be zero.
+		 * pd[1] of the 32bit struct layout and the lower
+		 * 32 bits of pd[0] of the 64bit struct layout have
+		 * the same location, so we can check that ...
+		 */
+		uint32_t *ptr32 = NULL;
+		uint32_t *ptr64 = NULL;
+#if defined(__i386__)
+		ptr32 = (void*)page->pd;
+		ptr64 = ((void*)page->pd) + 4;
+#elif defined(__x86_64__)
+		ptr32 = ((void*)page->pd) - 4;
+		ptr64 = (void*)page->pd;
+#endif
+		if (ptr32) {
+			if (0 == ptr32[1]) {
+				mode = 32;
+				pd   = ptr32;
+			} else {
+				mode = 64;
+				pd   = ptr64;
+			}
+		}
+#if defined(__x86_64__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_32)) {
+		/* 64bit dom0, 32bit domU */
+		mode = 32;
+		pd   = ((void*)page->pd) - 4;
+#elif defined(__i386__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_64)) {
+		/* 32bit dom0, 64bit domU */
+		mode = 64;
+		pd   = ((void*)page->pd) + 4;
+#endif
+	}
+
+	n_fbmfns = (xenfb->fb_len + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+	n_fbdirs = n_fbmfns * mode / 8;
+	n_fbdirs = (n_fbdirs + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+
+	pgmfns = malloc(sizeof(unsigned long) * n_fbdirs);
+	fbmfns = malloc(sizeof(unsigned long) * n_fbmfns);
+	if (!pgmfns || !fbmfns)
+		goto out;
+
+	/*
+	 * Bug alert: xc_map_foreign_batch() can fail partly and
+	 * return a non-null value.  This is a design flaw.  When it
+	 * happens, we happily continue here, and later crash on
+	 * access.
+	 */
+	xenfb_copy_mfns(mode, n_fbdirs, pgmfns, pd);
+	map = xc_map_foreign_batch(xenfb->xc, domid,
+				   PROT_READ, pgmfns, n_fbdirs);
+	if (map == NULL)
+		goto out;
+	xenfb_copy_mfns(mode, n_fbmfns, fbmfns, map);
+	munmap(map, n_fbdirs * XC_PAGE_SIZE);
+
+	xenfb->pub.pixels = xc_map_foreign_batch(xenfb->xc, domid,
+				PROT_READ | PROT_WRITE, fbmfns, n_fbmfns);
+	if (xenfb->pub.pixels == NULL)
+		goto out;
+
+	ret = 0; /* all is fine */
+
+ out:
+	if (pgmfns)
+		free(pgmfns);
+	if (fbmfns)
+		free(fbmfns);
+	return ret;
+}
+
+static int xenfb_bind(struct xenfb_device *dev)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+	unsigned long mfn;
+	evtchn_port_t evtchn;
+
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "page-ref", "%lu",
+			    &mfn) < 0)
+		return -1;
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "event-channel", "%u",
+			    &evtchn) < 0)
+		return -1;
+
+	dev->port = xc_evtchn_bind_interdomain(xenfb->evt_xch,
+					       dev->otherend_id, evtchn);
+	if (dev->port == -1)
+		return -1;
+
+	dev->page = xc_map_foreign_range(xenfb->xc, dev->otherend_id,
+			XC_PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
+	if (dev->page == NULL)
+		return -1;
+
+	return 0;
+}
+
+static void xenfb_unbind(struct xenfb_device *dev)
+{
+	if (dev->page) {
+		munmap(dev->page, XC_PAGE_SIZE);
+		dev->page = NULL;
+	}
+        if (dev->port >= 0) {
+		xc_evtchn_unbind(dev->xenfb->evt_xch, dev->port);
+		dev->port = -1;
+	}
+}
+
+static int xenfb_wait_for_frontend_connected(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+				     1 << XenbusStateConnected)) {
+	case XenbusStateConnected:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_dev_fatal(struct xenfb_device *dev, int err,
+			    const char *fmt, ...)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	va_list ap;
+	char errdir[80];
+	char buf[1024];
+	int n;
+
+	fprintf(stderr, "%s ", dev->nodename); /* somewhat crude */
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	if (err)
+		fprintf(stderr, " (%s)", strerror(err));
+	putc('\n', stderr);
+
+	if (!xenfb_path_in_dom(xsh, errdir, sizeof(errdir), 0,
+			       "error/%s", dev->nodename))
+		goto out;	/* FIXME complain */
+
+	va_start(ap, fmt);
+	n = snprintf(buf, sizeof(buf), "%d ", err);
+	snprintf(buf + n, sizeof(buf) - n, fmt, ap);
+	va_end(ap);
+
+	if (xenfb_xs_printf(xsh, buf, "error", "%s", buf) < 0)
+		goto out;	/* FIXME complain */
+
+ out:
+	xenfb_switch_state(dev, XenbusStateClosing);
+}
+
+int xenfb_attach_dom(struct xenfb *xenfb_pub, int domid)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	struct xs_handle *xsh = xenfb->xsh;
+	int val, serrno;
+	struct xenfb_page *fb_page;
+
+	xenfb_detach_dom(xenfb);
+
+	xenfb_device_set_domain(&xenfb->fb, domid);
+	xenfb_device_set_domain(&xenfb->kbd, domid);
+
+	if (xenfb_wait_for_backend_creation(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_backend_creation(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_printf(xsh, xenfb->kbd.nodename, "feature-abs-pointer", "1"))
+		goto error;
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateInitWait))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateInitWait))
+		goto error;
+
+	if (xenfb_hotplug(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_hotplug(&xenfb->kbd) < 0)
+		goto error;
+
+	if (!xs_watch(xsh, xenfb->fb.otherend, ""))
+		goto error;
+	if (!xs_watch(xsh, xenfb->kbd.otherend, ""))
+		goto error;
+
+	if (xenfb_wait_for_frontend_initialised(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_frontend_initialised(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_bind(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_bind(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "feature-update",
+			    "%d", &val) < 0)
+		val = 0;
+	if (!val) {
+		errno = ENOTSUP;
+		goto error;
+	}
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "protocol", "%63s",
+			    xenfb->protocol) < 0)
+		xenfb->protocol[0] = '\0';
+	xenfb_xs_printf(xsh, xenfb->fb.nodename, "request-update", "1");
+
+	/* TODO check for permitted ranges */
+	fb_page = xenfb->fb.page;
+	xenfb->pub.depth = fb_page->depth;
+	xenfb->pub.width = fb_page->width;
+	xenfb->pub.height = fb_page->height;
+	/* TODO check for consistency with the above */
+	xenfb->fb_len = fb_page->mem_length;
+	xenfb->pub.row_stride = fb_page->line_length;
+
+	if (xenfb_map_fb(xenfb, domid) < 0)
+		goto error;
+
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateConnected))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateConnected))
+		goto error;
+
+	if (xenfb_wait_for_frontend_connected(&xenfb->kbd) < 0)
+		goto error;
+	if (xenfb_xs_scanf1(xsh, xenfb->kbd.otherend, "request-abs-pointer",
+			    "%d", &val) < 0)
+		val = 0;
+	xenfb->pub.abs_pointer_wanted = val;
+
+	return 0;
+
+ error:
+	serrno = errno;
+	xenfb_detach_dom(xenfb);
+	xenfb_dev_fatal(&xenfb->fb, serrno, "on fire");
+	xenfb_dev_fatal(&xenfb->kbd, serrno, "on fire");
+        errno = serrno;
+        return -1;
+}
+
+static void xenfb_detach_dom(struct xenfb_private *xenfb)
+{
+	xenfb_unbind(&xenfb->fb);
+	xenfb_unbind(&xenfb->kbd);
+	if (xenfb->pub.pixels) {
+		munmap(xenfb->pub.pixels, xenfb->fb_len);
+		xenfb->pub.pixels = NULL;
+	}
+}
+
+static void xenfb_on_fb_event(struct xenfb_private *xenfb)
+{
+	uint32_t prod, cons;
+	struct xenfb_page *page = xenfb->fb.page;
+
+	prod = page->out_prod;
+	if (prod == page->out_cons)
+		return;
+	rmb();			/* ensure we see ring contents up to prod */
+	for (cons = page->out_cons; cons != prod; cons++) {
+		union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+
+		switch (event->type) {
+		case XENFB_TYPE_UPDATE:
+                    if (xenfb->pub.update)
+			xenfb->pub.update(&xenfb->pub,
+					  event->update.x, event->update.y,
+					  event->update.width, event->update.height);
+                    break;
+		}
+	}
+	mb();			/* ensure we're done with ring contents */
+	page->out_cons = cons;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->fb.port);
+}
+
+static void xenfb_on_kbd_event(struct xenfb_private *xenfb)
+{
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	/* We don't understand any keyboard events, so just ignore them. */
+	if (page->out_prod == page->out_cons)
+		return;
+	page->out_cons = page->out_prod;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+static int xenfb_on_state_change(struct xenfb_device *dev)
+{
+	enum xenbus_state state;
+
+	state = xenfb_read_state(dev->xenfb->xsh, dev->otherend);
+
+	switch (state) {
+	case XenbusStateUnknown:
+		/* There was an error reading the frontend state.  The
+		   domain has probably gone away; in any case, there's
+		   not much point in us continuing. */
+		return -1;
+	case XenbusStateInitialising:
+	case XenbusStateInitWait:
+	case XenbusStateInitialised:
+	case XenbusStateConnected:
+		break;
+	case XenbusStateClosing:
+		xenfb_unbind(dev);
+		xenfb_switch_state(dev, state);
+		break;
+	case XenbusStateClosed:
+		xenfb_switch_state(dev, state);
+	}
+	return 0;
+}
+
+static void xenfb_dispatch_channel(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	evtchn_port_t port;
+	
+	port = xc_evtchn_pending(xenfb->evt_xch);
+	if (port == -1)
+		return;
+
+	if (port == xenfb->fb.port)
+		xenfb_on_fb_event(xenfb);
+	else if (port == xenfb->kbd.port)
+		xenfb_on_kbd_event(xenfb);
+  
+	if (xc_evtchn_unmask(xenfb->evt_xch, port) == -1)
+		return;
+}
+
+static void xenfb_dispatch_store(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	char **vec;
+	int r;
+	unsigned dummy;
+
+	vec = xs_read_watch(xenfb->xsh, &dummy);
+	free(vec);
+	r = xenfb_on_state_change(&xenfb->fb);
+	if (r == 0)
+		r = xenfb_on_state_change(&xenfb->kbd);
+	if (r == -1)
+		exit(1);
+	/* XXX better error handling ?*/
+}
+
+
+int xenfb_register_events(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	int fd1 = xc_evtchn_fd(xenfb->evt_xch);
+	int fd2 = xs_fileno(xenfb->xsh);
+
+	if (qemu_set_fd_handler2(fd1, NULL, xenfb_dispatch_channel, NULL, xenfb_pub) < 0)
+		return -1;
+	if (qemu_set_fd_handler2(fd2, NULL, xenfb_dispatch_store, NULL, xenfb_pub) < 0)
+		return -1;
+
+	return 0;
+}
+
+static int xenfb_kbd_event(struct xenfb_private *xenfb,
+			   union xenkbd_in_event *event)
+{
+	uint32_t prod;
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	if (xenfb->kbd.state != XenbusStateConnected)
+		return 0;
+
+	prod = page->in_prod;
+	if (prod - page->in_cons == XENKBD_IN_RING_LEN) {
+		errno = EAGAIN;
+		return -1;
+	}
+
+	mb();			/* ensure ring space available */
+	XENKBD_IN_RING_REF(page, prod) = *event;
+	wmb();			/* ensure ring contents visible */
+	page->in_prod = prod + 1;
+	return xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+int xenfb_send_key(struct xenfb *xenfb_pub, bool down, int keycode)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_KEY;
+	event.key.pressed = down ? 1 : 0;
+	event.key.keycode = keycode;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+static const int btnmap[] = {
+        BTN_LEFT, BTN_RIGHT, BTN_MIDDLE, BTN_SIDE,
+        BTN_EXTRA, BTN_FORWARD, BTN_BACK, BTN_TASK
+};
+
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	int i;
+	for (i = 0 ; i < 8 ; i++) {
+		int lastDown = xenfb->state & (1 << i);
+		int down = state & (1 << i);
+		if (down == lastDown)
+			continue;
+	  
+		if (xenfb_send_key(xenfb_pub, down, BTN_LEFT+i) < 0)
+			return -1;
+	}
+
+	xenfb->state = state;
+	return 0;
+}
+
+int xenfb_send_motion(struct xenfb *xenfb_pub, int rel_x, int rel_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_MOTION;
+	event.motion.rel_x = rel_x;
+	event.motion.rel_y = rel_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+int xenfb_send_position(struct xenfb *xenfb_pub, int abs_x, int abs_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_POS;
+	event.pos.abs_x = abs_x;
+	event.pos.abs_y = abs_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 9261686d840c tools/ioemu/hw/xenfb.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfb.h	Mon Jul 30 17:51:22 2007 -0400
@@ -0,0 +1,35 @@
+#ifndef _XENFB_H_
+#define _XENFB_H_
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+struct xenfb
+{
+	void *pixels;
+
+	int row_stride;
+	int depth;
+	int width;
+	int height;
+	int abs_pointer_wanted;
+
+	void *user_data;
+
+	void (*update)(struct xenfb *xenfb, int x, int y, int width, int height);
+};
+
+struct xenfb *xenfb_new(void);
+void xenfb_delete(struct xenfb *xenfb);
+void xenfb_teardown(struct xenfb *xenfb);
+
+int xenfb_attach_dom(struct xenfb *xenfb, int domid);
+
+int xenfb_register_events(struct xenfb *xenfb_pub);
+
+int xenfb_send_key(struct xenfb *xenfb, bool down, int keycode);
+int xenfb_send_motion(struct xenfb *xenfb, int rel_x, int rel_y);
+int xenfb_send_position(struct xenfb *xenfb, int abs_x, int abs_y);
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state);
+
+#endif
diff -r 9261686d840c tools/ioemu/hw/xenfv.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfv.c	Wed Aug 01 19:35:23 2007 -0400
@@ -0,0 +1,258 @@
+
+#include "vl.h"
+#include <xen/hvm/params.h>
+#include <sys/mman.h>
+
+
+#if defined(MAPCACHE)
+
+#if defined(__i386__) 
+#define MAX_MCACHE_SIZE    0x40000000 /* 1GB max for x86 */
+#define MCACHE_BUCKET_SHIFT 16
+#elif defined(__x86_64__)
+#define MAX_MCACHE_SIZE    0x1000000000 /* 64GB max for x86_64 */
+#define MCACHE_BUCKET_SHIFT 20
+#endif
+
+#define MCACHE_BUCKET_SIZE (1UL << MCACHE_BUCKET_SHIFT)
+
+#define BITS_PER_LONG (sizeof(long)*8)
+#define BITS_TO_LONGS(bits) \
+    (((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
+#define DECLARE_BITMAP(name,bits) \
+    unsigned long name[BITS_TO_LONGS(bits)]
+#define test_bit(bit,map) \
+    (!!((map)[(bit)/BITS_PER_LONG] & (1UL << ((bit)%BITS_PER_LONG))))
+
+struct map_cache {
+    unsigned long paddr_index;
+    uint8_t      *vaddr_base;
+    DECLARE_BITMAP(valid_mapping, MCACHE_BUCKET_SIZE>>PAGE_SHIFT);
+};
+
+static struct map_cache *mapcache_entry;
+static unsigned long nr_buckets;
+
+/* For most cases (>99.9%), the page address is the same. */
+static unsigned long last_address_index = ~0UL;
+static uint8_t      *last_address_vaddr;
+
+static int qemu_map_cache_init(void)
+{
+    unsigned long size;
+
+    nr_buckets = (((MAX_MCACHE_SIZE >> PAGE_SHIFT) +
+                   (1UL << (MCACHE_BUCKET_SHIFT - PAGE_SHIFT)) - 1) >>
+                  (MCACHE_BUCKET_SHIFT - PAGE_SHIFT));
+    fprintf(logfile, "qemu_map_cache_init nr_buckets = %lx\n", nr_buckets);
+
+    /*
+     * Use mmap() directly: lets us allocate a big hash table with no up-front
+     * cost in storage space. The OS will allocate memory only for the buckets
+     * that we actually use. All others will contain all zeroes.
+     */
+    size = nr_buckets * sizeof(struct map_cache);
+    size = (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
+    mapcache_entry = mmap(NULL, size, PROT_READ|PROT_WRITE,
+                          MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+    if (mapcache_entry == MAP_FAILED) {
+        errno = ENOMEM;
+        return -1;
+    }
+
+    return 0;
+}
+
+static void qemu_remap_bucket(struct map_cache *entry,
+                              unsigned long address_index)
+{
+    uint8_t *vaddr_base;
+    unsigned long pfns[MCACHE_BUCKET_SIZE >> PAGE_SHIFT];
+    unsigned int i, j;
+
+    if (entry->vaddr_base != NULL) {
+        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
+        if (errno) {
+            fprintf(logfile, "unmap fails %d\n", errno);
+            exit(-1);
+        }
+    }
+
+    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i++)
+        pfns[i] = (address_index << (MCACHE_BUCKET_SHIFT-PAGE_SHIFT)) + i;
+
+    vaddr_base = xc_map_foreign_batch(xc_handle, domid, PROT_READ|PROT_WRITE,
+                                      pfns, MCACHE_BUCKET_SIZE >> PAGE_SHIFT);
+    if (vaddr_base == NULL) {
+        fprintf(logfile, "xc_map_foreign_batch error %d\n", errno);
+        exit(-1);
+    }
+
+    entry->vaddr_base  = vaddr_base;
+    entry->paddr_index = address_index;
+
+    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i += BITS_PER_LONG) {
+        unsigned long word = 0;
+        j = ((i + BITS_PER_LONG) > (MCACHE_BUCKET_SIZE >> PAGE_SHIFT)) ?
+            (MCACHE_BUCKET_SIZE >> PAGE_SHIFT) % BITS_PER_LONG : BITS_PER_LONG;
+        while (j > 0)
+            word = (word << 1) | !(pfns[i + --j] & 0xF0000000UL);
+        entry->valid_mapping[i / BITS_PER_LONG] = word;
+    }
+}
+
+uint8_t *qemu_map_cache(target_phys_addr_t phys_addr)
+{
+    struct map_cache *entry;
+    unsigned long address_index  = phys_addr >> MCACHE_BUCKET_SHIFT;
+    unsigned long address_offset = phys_addr & (MCACHE_BUCKET_SIZE-1);
+
+    if (address_index == last_address_index)
+        return last_address_vaddr + address_offset;
+
+    entry = &mapcache_entry[address_index % nr_buckets];
+
+    if (entry->vaddr_base == NULL || entry->paddr_index != address_index ||
+        !test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
+        qemu_remap_bucket(entry, address_index);
+
+    if (!test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
+        return NULL;
+
+    last_address_index = address_index;
+    last_address_vaddr = entry->vaddr_base;
+
+    return last_address_vaddr + address_offset;
+}
+
+void qemu_invalidate_map_cache(void)
+{
+    unsigned long i;
+
+    mapcache_lock();
+
+    for (i = 0; i < nr_buckets; i++) {
+        struct map_cache *entry = &mapcache_entry[i];
+
+        if (entry->vaddr_base == NULL)
+            continue;
+
+        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
+        if (errno) {
+            fprintf(logfile, "unmap fails %d\n", errno);
+            exit(-1);
+        }
+
+        entry->paddr_index = 0;
+        entry->vaddr_base  = NULL;
+    }
+
+    last_address_index =  ~0UL;
+    last_address_vaddr = NULL;
+
+    mapcache_unlock();
+}
+
+#endif /* defined(MAPCACHE) */
+
+
+static void xen_init_fv(uint64_t ram_size, int vga_ram_size, char *boot_device,
+			DisplayState *ds, const char **fd_filename, 
+			int snapshot, 
+			const char *kernel_filename, 
+			const char *kernel_cmdline,
+			const char *initrd_filename)
+{
+    unsigned long ioreq_pfn;
+    extern void *shared_page;
+    extern void *buffered_io_page;
+#ifdef __ia64__
+    unsigned long nr_pages;
+    xen_pfn_t *page_array;
+    extern void *buffered_pio_page;
+#endif
+
+    xc_handle = xc_interface_open();
+
+#if defined(__i386__) || defined(__x86_64__)
+
+    if (qemu_map_cache_init()) {
+        fprintf(logfile, "qemu_map_cache_init returned: error %d\n", errno);
+        exit(-1);
+    }
+
+    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_IOREQ_PFN, &ioreq_pfn);
+    fprintf(logfile, "shared page at pfn %lx\n", ioreq_pfn);
+    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE, ioreq_pfn);
+    if (shared_page == NULL) {
+        fprintf(logfile, "map shared IO page returned error %d\n", errno);
+        exit(-1);
+    }
+
+    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_BUFIOREQ_PFN, &ioreq_pfn);
+    fprintf(logfile, "buffered io page at pfn %lx\n", ioreq_pfn);
+    buffered_io_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                            PROT_READ|PROT_WRITE, ioreq_pfn);
+    if (buffered_io_page == NULL) {
+        fprintf(logfile, "map buffered IO page returned error %d\n", errno);
+        exit(-1);
+    }
+
+#elif defined(__ia64__)
+
+    nr_pages = ram_size/PAGE_SIZE;
+
+    page_array = (xen_pfn_t *)malloc(nr_pages * sizeof(xen_pfn_t));
+    if (page_array == NULL) {
+        fprintf(logfile, "malloc returned error %d\n", errno);
+        exit(-1);
+    }
+
+    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       IO_PAGE_START >> PAGE_SHIFT);
+
+    buffered_io_page =xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       BUFFER_IO_PAGE_START >> PAGE_SHIFT);
+
+    buffered_pio_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       BUFFER_PIO_PAGE_START >> PAGE_SHIFT);
+
+    for (i = 0; i < nr_pages; i++)
+        page_array[i] = i;
+	
+    /* VTI will not use memory between 3G~4G, so we just pass a legal pfn
+       to make QEMU map continuous virtual memory space */
+    if (ram_size > MMIO_START) {	
+        for (i = 0 ; i < (MEM_G >> PAGE_SHIFT); i++)
+            page_array[(MMIO_START >> PAGE_SHIFT) + i] =
+                (STORE_PAGE_START >> PAGE_SHIFT); 
+    }
+
+    phys_ram_base = xc_map_foreign_batch(xc_handle, domid,
+                                         PROT_READ|PROT_WRITE,
+                                         page_array, nr_pages);
+    if (phys_ram_base == 0) {
+        fprintf(logfile, "xc_map_foreign_batch returned error %d\n", errno);
+        exit(-1);
+    }
+    free(page_array);
+#endif
+
+    timeoffset_get();
+
+    pc_machine.init(ram_size, vga_ram_size, boot_device,
+		    ds, fd_filename, snapshot,
+		    kernel_filename, kernel_cmdline,
+		    initrd_filename);
+}
+
+
+QEMUMachine xenfv_machine = {
+    "xenfv",
+    "Xen Fullyvirtualized PC",
+    xen_init_fv,
+};
diff -r 9261686d840c tools/ioemu/hw/xenpv.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenpv.c	Wed Aug 01 18:50:25 2007 -0400
@@ -0,0 +1,157 @@
+#include "vl.h"
+#include "xenfb.h"
+
+/* A convenient function for munging pixels between different depths */
+#define BLT(SRC_T,DST_T,RLS,GLS,BLS,RRS,GRS,BRS,RM,GM,BM)		\
+    for (line = y ; line < h ; line++) {				\
+	SRC_T *src = (SRC_T *)(xenfb->pixels + (line*xenfb->row_stride) + (x*xenfb->depth/8)); \
+	DST_T *dst = (DST_T *)(ds->data + (line*ds->linesize) + (x*ds->depth/8)); \
+	int col;							\
+	for (col = x ; col < w ; col++) {				\
+	    *dst = (((*src >> RRS)&RM) << RLS) |			\
+		(((*src >> GRS)&GM) << GLS) |				\
+		(((*src >> GRS)&BM) << BLS);				\
+	    src++;							\
+	    dst++;							\
+	} \
+    }
+
+
+/* This copies data from the guest framebuffer region, into QEMU's copy
+ * NB. QEMU's copy is stored in the pixel format of a) the local X server (SDL case)
+ * or b) the current VNC client pixel format.
+ */
+static void xen_pvfb_guest(struct xenfb *xenfb, int x, int y, int w, int h)
+{
+  DisplayState *ds = (DisplayState *)xenfb->user_data;
+  int line;
+
+  if (xenfb->depth == ds->depth) { /* Perfect match can use fast path */
+      for (line = y ; line < (y+h) ; line++) {
+	  memcpy(ds->data + (line * ds->linesize) + (x*ds->depth/8),
+		 xenfb->pixels + (line*xenfb->row_stride) + (x*xenfb->depth/8),
+		 w * xenfb->depth/8);
+      }
+  } else { /* Mismatch requires slow pixel swizzling */
+      if (xenfb->depth == 8) {
+	  if (ds->depth == 16) {
+	      BLT(uint8_t, uint16_t,   5, 2, 0,   11, 5, 0,   7, 7, 3);
+	  } else if (ds->depth == 32) {
+	      BLT(uint8_t, uint32_t,   5, 2, 0,   16, 8, 0,   7, 7, 3);
+	  }
+      } else if (xenfb->depth == 16) {
+	  if (ds->depth == 8) {
+	      BLT(uint16_t, uint8_t,    11, 5, 0,   5, 2, 0,    31, 63, 31);
+	  } else if (ds->depth == 32) {
+	      BLT(uint16_t, uint32_t,   11, 5, 0,   16, 8, 0,   31, 63, 31);
+	  }
+      } else if (xenfb->depth == 32) {
+	  if (ds->depth == 8) {
+	      BLT(uint32_t, uint8_t,    16, 8, 0,   5, 2, 0,    255, 255, 255);
+	  } else if (ds->depth == 16) {
+	      BLT(uint32_t, uint16_t,   16, 8, 0,   11, 5, 0,   255, 255, 255);
+	  }
+      }
+  }
+  dpy_update(ds, x, y, w, h);
+}
+
+/* Send a keypress from the client to the guest OS */
+static void xen_put_keycode(void *opaque, int keycode)
+{
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+  xenfb_send_key(xenfb, keycode & 0x80 ? 0 : 1, keycode & 0x7f);
+}
+
+/* Send a mouse event from the client to the guest OS */
+static void xen_mouse_event(void *opaque,
+                            int dx, int dy, int dz, int buttons_state)
+{
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+  DisplayState *ds = (DisplayState *)xenfb->user_data;
+  if (xenfb->abs_pointer_wanted)
+      xenfb_send_position(xenfb,
+			dx*ds->width/0x7fff,
+			dy*ds->height/0x7fff);
+  else
+      xenfb_send_motion(xenfb, dx, dy);
+  xenfb_send_buttons(xenfb, buttons_state);
+}
+
+/* QEMU display state changed, so refresh the framebuffer copy */
+void xen_pvfb_update(void *opaque) {
+    struct xenfb *xenfb = (struct xenfb *)opaque;
+    xen_pvfb_guest(xenfb, 0, 0, xenfb->width, xenfb->height);
+}
+/* QEMU display state changed, so refresh the framebuffer copy */
+void xen_pvfb_invalidate(void *opaque) {
+    struct xenfb *xenfb = (struct xenfb *)opaque;
+    xen_pvfb_guest(xenfb, 0, 0, xenfb->width, xenfb->height);
+}
+void xen_pvfb_screen_dump(void *opaque, const char *name) { }
+
+/* The Xen PV machine currently provides
+ *   - a virtual framebuffer
+ *   - ....
+ */
+static void xen_init_pv(uint64_t ram_size, int vga_ram_size, char *boot_device,
+                        DisplayState *ds, const char **fd_filename,
+                        int snapshot,
+                        const char *kernel_filename,
+                        const char *kernel_cmdline,
+                        const char *initrd_filename)
+{
+    struct xenfb *xenfb;
+    extern int domid;
+
+    /* Prepare PVFB state */
+    xenfb = xenfb_new();
+    if (xenfb == NULL) {
+	fprintf(stderr, "Could not create framebuffer (%s)\n",
+		strerror(errno));
+	exit(1);
+    }
+
+    /* Talk to the guest */
+    if (xenfb_attach_dom(xenfb, domid) < 0) {
+	fprintf(stderr, "Could not connect to domain (%s)\n",
+		strerror(errno));
+	exit(1);
+    }
+    xenfb->update = xen_pvfb_guest;
+    xenfb->user_data = ds;
+
+    /* Tell QEMU to allocate a graphical console */
+    graphic_console_init(ds,
+			 xen_pvfb_update,
+			 xen_pvfb_invalidate,
+			 xen_pvfb_screen_dump,
+			 xenfb);
+
+    /* Register our keyboard & mouse handlers */
+    qemu_add_kbd_event_handler(xen_put_keycode, xenfb);
+    qemu_add_mouse_event_handler(xen_mouse_event, xenfb,
+				 xenfb->abs_pointer_wanted,
+				 "Xen PVFB Mouse");
+
+    /* Listen for events from the guest */
+    xenfb_register_events(xenfb);
+
+    /* Setup QEMU display */
+    dpy_resize(ds, xenfb->width, xenfb->height);
+}
+
+
+QEMUMachine xenpv_machine = {
+    "xenpv",
+    "Xen Paravirtualized PC",
+    xen_init_pv
+};
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: nil
+ * End:
+ */
diff -r 9261686d840c tools/ioemu/target-i386-dm/helper2.c
--- a/tools/ioemu/target-i386-dm/helper2.c	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/target-i386-dm/helper2.c	Wed Aug 01 18:53:13 2007 -0400
@@ -622,7 +622,8 @@ int main_loop(void)
 				       cpu_single_env);
     qemu_mod_timer(buffered_io_timer, qemu_get_clock(rt_clock));
 
-    qemu_set_fd_handler(evtchn_fd, cpu_handle_ioreq, NULL, env);
+    if (evtchn_fd != -1)
+      qemu_set_fd_handler(evtchn_fd, cpu_handle_ioreq, NULL, env);
 
     while (!(vm_running && suspend_requested))
         /* Wait up to 10 msec. */
diff -r 9261686d840c tools/ioemu/vl.c
--- a/tools/ioemu/vl.c	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/vl.c	Wed Aug 01 19:36:53 2007 -0400
@@ -89,7 +89,7 @@
 
 #include "exec-all.h"
 
-#include <xen/hvm/params.h>
+
 #define DEFAULT_NETWORK_SCRIPT "/etc/xen/qemu-ifup"
 #define DEFAULT_BRIDGE "xenbr0"
 #ifdef __sun__
@@ -6647,8 +6647,13 @@ void register_machines(void)
 void register_machines(void)
 {
 #if defined(TARGET_I386)
+#ifndef CONFIG_DM
     qemu_register_machine(&pc_machine);
     qemu_register_machine(&isapc_machine);
+#else
+    qemu_register_machine(&xenfv_machine);
+    qemu_register_machine(&xenpv_machine);
+#endif
 #elif defined(TARGET_PPC)
     qemu_register_machine(&heathrow_machine);
     qemu_register_machine(&core99_machine);
@@ -6865,156 +6870,6 @@ void suspend(int sig)
     suspend_requested = 1;
 }
 
-#if defined(MAPCACHE)
-
-#if defined(__i386__) 
-#define MAX_MCACHE_SIZE    0x40000000 /* 1GB max for x86 */
-#define MCACHE_BUCKET_SHIFT 16
-#elif defined(__x86_64__)
-#define MAX_MCACHE_SIZE    0x1000000000 /* 64GB max for x86_64 */
-#define MCACHE_BUCKET_SHIFT 20
-#endif
-
-#define MCACHE_BUCKET_SIZE (1UL << MCACHE_BUCKET_SHIFT)
-
-#define BITS_PER_LONG (sizeof(long)*8)
-#define BITS_TO_LONGS(bits) \
-    (((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
-#define DECLARE_BITMAP(name,bits) \
-    unsigned long name[BITS_TO_LONGS(bits)]
-#define test_bit(bit,map) \
-    (!!((map)[(bit)/BITS_PER_LONG] & (1UL << ((bit)%BITS_PER_LONG))))
-
-struct map_cache {
-    unsigned long paddr_index;
-    uint8_t      *vaddr_base;
-    DECLARE_BITMAP(valid_mapping, MCACHE_BUCKET_SIZE>>PAGE_SHIFT);
-};
-
-static struct map_cache *mapcache_entry;
-static unsigned long nr_buckets;
-
-/* For most cases (>99.9%), the page address is the same. */
-static unsigned long last_address_index = ~0UL;
-static uint8_t      *last_address_vaddr;
-
-static int qemu_map_cache_init(void)
-{
-    unsigned long size;
-
-    nr_buckets = (((MAX_MCACHE_SIZE >> PAGE_SHIFT) +
-                   (1UL << (MCACHE_BUCKET_SHIFT - PAGE_SHIFT)) - 1) >>
-                  (MCACHE_BUCKET_SHIFT - PAGE_SHIFT));
-    fprintf(logfile, "qemu_map_cache_init nr_buckets = %lx\n", nr_buckets);
-
-    /*
-     * Use mmap() directly: lets us allocate a big hash table with no up-front
-     * cost in storage space. The OS will allocate memory only for the buckets
-     * that we actually use. All others will contain all zeroes.
-     */
-    size = nr_buckets * sizeof(struct map_cache);
-    size = (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
-    mapcache_entry = mmap(NULL, size, PROT_READ|PROT_WRITE,
-                          MAP_SHARED|MAP_ANONYMOUS, 0, 0);
-    if (mapcache_entry == MAP_FAILED) {
-        errno = ENOMEM;
-        return -1;
-    }
-
-    return 0;
-}
-
-static void qemu_remap_bucket(struct map_cache *entry,
-                              unsigned long address_index)
-{
-    uint8_t *vaddr_base;
-    unsigned long pfns[MCACHE_BUCKET_SIZE >> PAGE_SHIFT];
-    unsigned int i, j;
-
-    if (entry->vaddr_base != NULL) {
-        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
-        if (errno) {
-            fprintf(logfile, "unmap fails %d\n", errno);
-            exit(-1);
-        }
-    }
-
-    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i++)
-        pfns[i] = (address_index << (MCACHE_BUCKET_SHIFT-PAGE_SHIFT)) + i;
-
-    vaddr_base = xc_map_foreign_batch(xc_handle, domid, PROT_READ|PROT_WRITE,
-                                      pfns, MCACHE_BUCKET_SIZE >> PAGE_SHIFT);
-    if (vaddr_base == NULL) {
-        fprintf(logfile, "xc_map_foreign_batch error %d\n", errno);
-        exit(-1);
-    }
-
-    entry->vaddr_base  = vaddr_base;
-    entry->paddr_index = address_index;
-
-    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i += BITS_PER_LONG) {
-        unsigned long word = 0;
-        j = ((i + BITS_PER_LONG) > (MCACHE_BUCKET_SIZE >> PAGE_SHIFT)) ?
-            (MCACHE_BUCKET_SIZE >> PAGE_SHIFT) % BITS_PER_LONG : BITS_PER_LONG;
-        while (j > 0)
-            word = (word << 1) | !(pfns[i + --j] & 0xF0000000UL);
-        entry->valid_mapping[i / BITS_PER_LONG] = word;
-    }
-}
-
-uint8_t *qemu_map_cache(target_phys_addr_t phys_addr)
-{
-    struct map_cache *entry;
-    unsigned long address_index  = phys_addr >> MCACHE_BUCKET_SHIFT;
-    unsigned long address_offset = phys_addr & (MCACHE_BUCKET_SIZE-1);
-
-    if (address_index == last_address_index)
-        return last_address_vaddr + address_offset;
-
-    entry = &mapcache_entry[address_index % nr_buckets];
-
-    if (entry->vaddr_base == NULL || entry->paddr_index != address_index ||
-        !test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
-        qemu_remap_bucket(entry, address_index);
-
-    if (!test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
-        return NULL;
-
-    last_address_index = address_index;
-    last_address_vaddr = entry->vaddr_base;
-
-    return last_address_vaddr + address_offset;
-}
-
-void qemu_invalidate_map_cache(void)
-{
-    unsigned long i;
-
-    mapcache_lock();
-
-    for (i = 0; i < nr_buckets; i++) {
-        struct map_cache *entry = &mapcache_entry[i];
-
-        if (entry->vaddr_base == NULL)
-            continue;
-
-        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
-        if (errno) {
-            fprintf(logfile, "unmap fails %d\n", errno);
-            exit(-1);
-        }
-
-        entry->paddr_index = 0;
-        entry->vaddr_base  = NULL;
-    }
-
-    last_address_index =  ~0UL;
-    last_address_vaddr = NULL;
-
-    mapcache_unlock();
-}
-
-#endif /* defined(MAPCACHE) */
 
 int main(int argc, char **argv)
 {
@@ -7049,14 +6904,6 @@ int main(int argc, char **argv)
     char usb_devices[MAX_USB_CMDLINE][128];
     int usb_devices_index;
     int fds[2];
-    unsigned long ioreq_pfn;
-    extern void *shared_page;
-    extern void *buffered_io_page;
-#ifdef __ia64__
-    unsigned long nr_pages;
-    xen_pfn_t *page_array;
-    extern void *buffered_pio_page;
-#endif
 
     char qemu_dm_logfilename[128];
     
@@ -7708,83 +7555,6 @@ int main(int argc, char **argv)
 	}
 	phys_ram_size += ret;
     }
-#endif /* !CONFIG_DM */
-
-#ifdef CONFIG_DM
-
-    xc_handle = xc_interface_open();
-
-#if defined(__i386__) || defined(__x86_64__)
-
-    if (qemu_map_cache_init()) {
-        fprintf(logfile, "qemu_map_cache_init returned: error %d\n", errno);
-        exit(-1);
-    }
-
-    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_IOREQ_PFN, &ioreq_pfn);
-    fprintf(logfile, "shared page at pfn %lx\n", ioreq_pfn);
-    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE, ioreq_pfn);
-    if (shared_page == NULL) {
-        fprintf(logfile, "map shared IO page returned error %d\n", errno);
-        exit(-1);
-    }
-
-    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_BUFIOREQ_PFN, &ioreq_pfn);
-    fprintf(logfile, "buffered io page at pfn %lx\n", ioreq_pfn);
-    buffered_io_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                            PROT_READ|PROT_WRITE, ioreq_pfn);
-    if (buffered_io_page == NULL) {
-        fprintf(logfile, "map buffered IO page returned error %d\n", errno);
-        exit(-1);
-    }
-
-#elif defined(__ia64__)
-
-    nr_pages = ram_size/PAGE_SIZE;
-
-    page_array = (xen_pfn_t *)malloc(nr_pages * sizeof(xen_pfn_t));
-    if (page_array == NULL) {
-        fprintf(logfile, "malloc returned error %d\n", errno);
-        exit(-1);
-    }
-
-    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       IO_PAGE_START >> PAGE_SHIFT);
-
-    buffered_io_page =xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       BUFFER_IO_PAGE_START >> PAGE_SHIFT);
-
-    buffered_pio_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       BUFFER_PIO_PAGE_START >> PAGE_SHIFT);
-
-    for (i = 0; i < nr_pages; i++)
-        page_array[i] = i;
-	
-    /* VTI will not use memory between 3G~4G, so we just pass a legal pfn
-       to make QEMU map continuous virtual memory space */
-    if (ram_size > MMIO_START) {	
-        for (i = 0 ; i < (MEM_G >> PAGE_SHIFT); i++)
-            page_array[(MMIO_START >> PAGE_SHIFT) + i] =
-                (STORE_PAGE_START >> PAGE_SHIFT); 
-    }
-
-    phys_ram_base = xc_map_foreign_batch(xc_handle, domid,
-                                         PROT_READ|PROT_WRITE,
-                                         page_array, nr_pages);
-    if (phys_ram_base == 0) {
-        fprintf(logfile, "xc_map_foreign_batch returned error %d\n", errno);
-        exit(-1);
-    }
-    free(page_array);
-#endif
-
-    timeoffset_get();
-
-#else  /* !CONFIG_DM */
 
     phys_ram_base = qemu_vmalloc(phys_ram_size);
     if (!phys_ram_base) {
diff -r 9261686d840c tools/ioemu/vl.h
--- a/tools/ioemu/vl.h	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/vl.h	Wed Aug 01 19:35:19 2007 -0400
@@ -1118,6 +1118,10 @@ extern void pci_piix4_acpi_init(PCIBus *
 /* pc.c */
 extern QEMUMachine pc_machine;
 extern QEMUMachine isapc_machine;
+#ifdef CONFIG_DM
+extern QEMUMachine xenfv_machine;
+extern QEMUMachine xenpv_machine;
+#endif
 extern int fd_bootchk;
 
 void ioport_set_a20(int enable);

[-- Attachment #3: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: Prototype to use QEMU for PV guest framebuffer

[Daniel P. Berrange]

[-- Attachment #1: Type: text/plain, Size: 3778 bytes --]

On Thu, Aug 02, 2007 at 01:00:50AM +0100, Daniel P. Berrange wrote:
> On Sun, Jul 29, 2007 at 11:03:09PM +0100, Ian Pratt wrote:
> > 
> > It'll certainly be good to see the back of libvncserver.
> > 
> > Could you investigate whether this patch applies to qemu-dm easily
> > enough?
> 
> The answer was yes & no :-)  Although we've got a separate target for
> QEMU, there's still a bunch of stuff in the main vl.c that is specific
> to HVM guests - the memory map initialization basically.
> 
> The way I've approached this problem is to define two QEMU machines
> 
>   $ ./ioemu/i386-dm/qemu-dm -M ?
>   Supported machines are:
>   xenfv      Xen Fullyvirtualized PC (default)
>   xenpv      Xen Paravirtualized PC
> 
> The little bit of HVM specific stuff from vl.c I've moved into the machine 
> specific init function in  hw/xenfv.c
> 
> As with my first prototype the hw/xenpv.c file provides a machine for Xen
> paravirt guests which merely talks the PVFB protocol. The only change from
> my previous patch is that it now does pixel swizzling if the guest display
> depth is not the same as the QEMU display depth.
> 
> So, in summary this does look like it'll work fairly well for PVFB.  The
> patch attached is my latest work-in-progress
> 
>  b/tools/ioemu/hw/xenfb.c             |  822 +++++++++++++++++++++++++++++++++++
>  b/tools/ioemu/hw/xenfb.h             |   35 +
>  b/tools/ioemu/hw/xenfv.c             |  258 ++++++++++
>  b/tools/ioemu/hw/xenpv.c             |  157 ++++++
>  tools/ioemu/Makefile.target          |    6 
>  tools/ioemu/target-i386-dm/helper2.c |    3 
>  tools/ioemu/vl.c                     |  242 ----------
>  tools/ioemu/vl.h                     |    4 
>  12 files changed, 1287 insertions(+), 240 deletions(-)
> 
> 
> 
> Taking this idea of using QEMU for PV services a little further it occured
> to me that if we could figure out a way to get the bootloaders to be run
> from QEMU instead of XenD then we would be able to interact with pygrub
> remotely over the graphical VNC console - currently you can only use it 
> over the text serial console on the local host. It might also require that
> we have QEMU handling the guest console directly instead of xenconsoled.
> ie so that QEMU could make the bootloader (pygrub) available on both VNC & 
> a PTY at the same time. This would also mean the serial console could take 
> advantage of QEMU's support for accessing it via UDP, or TCP, or TCP+telnet, 
> as well as local PTYs.

Here's a further iteration of the patch which demonstrates how QEMU can
provide the guest console too. I launch it with this:

  qemu-dm -M xenpv -d 6 -vnc :0 -serial pty

A couple of open issues

 - QEMU doesn't let us poll() on write event for its character device sinks,
   so in theory we could be loosing data if the pty were to give EAGAIN.
   I think it should be possible to address this fairly easily.

 - The xenconsoled has persistent logging of guest & HV. For the latter we
   could just strip xenconsoled to merely provide HV logging, or even move
   that into XenD since its such a tiny amount of code. For guest logging
   QEMU can use '-serial file:/path' but then you can't use it via the pty
   Probably could extend QEMU command line syntax '-serial pty;file:/path'
   to open and PTY & log at the same time.

Those minor details aside though, this seems to work quite well - the code
is only 400 lines, compared to about 1200 lines in xenconsoled.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

[-- Attachment #2: xen-qemu-machine-2.patch --]
[-- Type: text/plain, Size: 58367 bytes --]

diff -r 9261686d840c tools/ioemu/Makefile.target
--- a/tools/ioemu/Makefile.target	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/Makefile.target	Wed Aug 01 20:57:23 2007 -0400
@@ -391,9 +391,9 @@ ifeq ($(TARGET_BASE_ARCH), i386)
 # Hardware support
 VL_OBJS+= ide.o pckbd.o ps2.o vga.o $(SOUND_HW) dma.o $(AUDIODRV)
 ifeq ($(ARCH),ia64)
-VL_OBJS+= fdc.o mc146818rtc.o serial.o pc.o
-else
-VL_OBJS+= fdc.o serial.o pc.o
+VL_OBJS+= fdc.o mc146818rtc.o serial.o pc.o xenpv.o xenfv.o xenfb.o xencons.o
+else
+VL_OBJS+= fdc.o serial.o pc.o xenpv.o xenfv.o xenfb.o xencons.o
 endif
 VL_OBJS+= cirrus_vga.o mixeng.o parallel.o acpi.o
 VL_OBJS+= usb-uhci.o smbus_eeprom.o
diff -r 9261686d840c tools/ioemu/hw/xencons.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xencons.c	Wed Aug 01 21:44:09 2007 -0400
@@ -0,0 +1,409 @@
+/*
+ *  Copyright (C) International Business Machines  Corp., 2005
+ *  Author(s): Anthony Liguori <aliguori@us.ibm.com>
+ *
+ *  Copyright (C) Red Hat 2007
+ *
+ *  Xen Console
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; under version 2 of the License.
+ * 
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ * 
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <xs.h>
+#include <xen/io/console.h>
+#include <xenctrl.h>
+
+#include <malloc.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/select.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <termios.h>
+#include <stdarg.h>
+#include <sys/mman.h>
+#include "vl.h"
+
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+
+/* Each 10 bits takes ~ 3 digits, plus one, plus one for nul terminator. */
+#define MAX_STRLEN(x) ((sizeof(x) * CHAR_BIT + CHAR_BIT-1) / 10 * 3 + 2)
+
+#define dolog(val, fmt, ...) fprintf(stderr, fmt "\n", ## __VA_ARGS__)
+
+extern struct xs_handle *xsh;
+
+struct buffer
+{
+	uint8_t *data;
+	size_t consumed;
+	size_t size;
+	size_t capacity;
+	size_t max_capacity;
+};
+
+struct domain
+{
+	int domid;
+	struct buffer buffer;
+
+	char *conspath;
+	char *serialpath;
+	int use_consolepath;
+	int ring_ref;
+	evtchn_port_t local_port;
+	evtchn_port_t remote_port;
+	int xce_handle;
+	struct xencons_interface *interface;
+	CharDriverState *chr;
+};
+
+
+static void buffer_append(struct domain *dom)
+{
+	struct buffer *buffer = &dom->buffer;
+	XENCONS_RING_IDX cons, prod, size;
+	struct xencons_interface *intf = dom->interface;
+
+	cons = intf->out_cons;
+	prod = intf->out_prod;
+	mb();
+
+	size = prod - cons;
+	if ((size == 0) || (size > sizeof(intf->out)))
+		return;
+
+	if ((buffer->capacity - buffer->size) < size) {
+		buffer->capacity += (size + 1024);
+		buffer->data = realloc(buffer->data, buffer->capacity);
+		if (buffer->data == NULL) {
+			dolog(LOG_ERR, "Memory allocation failed");
+			exit(ENOMEM);
+		}
+	}
+
+	while (cons != prod)
+		buffer->data[buffer->size++] = intf->out[
+			MASK_XENCONS_IDX(cons++, intf->out)];
+
+	mb();
+	intf->out_cons = cons;
+	xc_evtchn_notify(dom->xce_handle, dom->local_port);
+
+	if (buffer->max_capacity &&
+	    buffer->size > buffer->max_capacity) {
+		/* Discard the middle of the data. */
+
+		size_t over = buffer->size - buffer->max_capacity;
+		uint8_t *maxpos = buffer->data + buffer->max_capacity;
+
+		memmove(maxpos - over, maxpos, over);
+		buffer->data = realloc(buffer->data, buffer->max_capacity);
+		buffer->size = buffer->capacity = buffer->max_capacity;
+
+		if (buffer->consumed > buffer->max_capacity - over)
+			buffer->consumed = buffer->max_capacity - over;
+	}
+}
+
+static void buffer_advance(struct buffer *buffer, size_t len)
+{
+	buffer->consumed += len;
+	if (buffer->consumed == buffer->size) {
+		buffer->consumed = 0;
+		buffer->size = 0;
+	}
+}
+
+/* Takes tuples of names, scanf-style args, and void **, NULL terminated. */
+int xs_gather(struct xs_handle *xs, const char *dir, ...)
+{
+	va_list ap;
+	const char *name;
+	char *path;
+	int ret = 0;
+
+	va_start(ap, dir);
+	while (ret == 0 && (name = va_arg(ap, char *)) != NULL) {
+		const char *fmt = va_arg(ap, char *);
+		void *result = va_arg(ap, void *);
+		char *p;
+
+		if (asprintf(&path, "%s/%s", dir, name) == -1) {
+			ret = ENOMEM;
+			break;
+		}
+		p = xs_read(xsh, XBT_NULL, path, NULL);
+		free(path);
+		if (p == NULL) {
+			ret = ENOENT;
+			break;
+		}
+		if (fmt) {
+			if (sscanf(p, fmt, result) == 0)
+				ret = EINVAL;
+			free(p);
+		} else
+			*(char **)result = p;
+	}
+	va_end(ap);
+	return ret;
+}
+
+static int domain_create_ring(struct domain *dom)
+{
+	int err, remote_port, ring_ref, rc;
+
+	err = xs_gather(xsh, dom->serialpath,
+			"ring-ref", "%u", &ring_ref,
+			"port", "%i", &remote_port,
+			NULL);
+	if (err) {
+		err = xs_gather(xsh, dom->conspath,
+				"ring-ref", "%u", &ring_ref,
+				"port", "%i", &remote_port,
+				NULL);
+		if (err)
+			goto out;
+		dom->use_consolepath = 1;
+	} else
+		dom->use_consolepath = 0;
+
+	if ((ring_ref == dom->ring_ref) && (remote_port == dom->remote_port))
+		goto out;
+
+	if (ring_ref != dom->ring_ref) {
+		if (dom->interface != NULL)
+			munmap(dom->interface, getpagesize());
+		dom->interface = xc_map_foreign_range(
+			xc_handle, dom->domid, getpagesize(),
+			PROT_READ|PROT_WRITE,
+			(unsigned long)ring_ref);
+		if (dom->interface == NULL) {
+			err = EINVAL;
+			goto out;
+		}
+		dom->ring_ref = ring_ref;
+	}
+
+	dom->local_port = -1;
+	dom->remote_port = -1;
+
+	/* Opening evtchn independently for each console is a bit
+	 * wasteful, but that's how the code is structured... */
+	dom->xce_handle = xc_evtchn_open();
+	if (dom->xce_handle == -1) {
+		err = errno;
+		goto out;
+	}
+ 
+	rc = xc_evtchn_bind_interdomain(dom->xce_handle,
+		dom->domid, remote_port);
+
+	if (rc == -1) {
+		err = errno;
+		xc_evtchn_close(dom->xce_handle);
+		dom->xce_handle = -1;
+		goto out;
+	}
+	dom->local_port = rc;
+	dom->remote_port = remote_port;
+
+ out:
+	return err;
+}
+
+static bool watch_domain(struct domain *dom)
+{
+	char domid_str[3 + MAX_STRLEN(dom->domid)];
+	bool success;
+
+	sprintf(domid_str, "dom%u", dom->domid);
+	success = xs_watch(xsh, dom->serialpath, domid_str);
+	if (success) {
+		success = xs_watch(xsh, dom->conspath, domid_str);
+		if (success)
+			domain_create_ring(dom);
+	}
+
+	return success;
+}
+
+
+static struct domain *create_domain(int domid, CharDriverState *chr)
+{
+	struct domain *dom;
+	char *s;
+
+	dom = (struct domain *)malloc(sizeof(struct domain));
+	if (dom == NULL) {
+		dolog(LOG_ERR, "Out of memory %s:%s():L%d",
+		      __FILE__, __FUNCTION__, __LINE__);
+		exit(ENOMEM);
+	}
+
+	dom->domid = domid;
+	dom->chr = chr;
+
+	dom->serialpath = xs_get_domain_path(xsh, dom->domid);
+	s = realloc(dom->serialpath, strlen(dom->serialpath) +
+		    strlen("/serial/0") + 1);
+	if (s == NULL)
+		goto out;
+	dom->serialpath = s;
+	strcat(dom->serialpath, "/serial/0");
+
+	dom->conspath = xs_get_domain_path(xsh, dom->domid);
+	s = realloc(dom->conspath, strlen(dom->conspath) +
+		    strlen("/console") + 1);
+	if (s == NULL)
+		goto out;
+	dom->conspath = s;
+	strcat(dom->conspath, "/console");
+
+	dom->buffer.data = 0;
+	dom->buffer.consumed = 0;
+	dom->buffer.size = 0;
+	dom->buffer.capacity = 0;
+	dom->buffer.max_capacity = 0;
+
+	dom->ring_ref = -1;
+	dom->local_port = -1;
+	dom->remote_port = -1;
+	dom->interface = NULL;
+	dom->xce_handle = -1;
+
+	if (!watch_domain(dom))
+		goto out;
+
+	return dom;
+ out:
+	free(dom->serialpath);
+	free(dom->conspath);
+	free(dom);
+	return NULL;
+}
+
+
+static int ring_free_bytes(struct domain *dom)
+{
+	struct xencons_interface *intf = dom->interface;
+	XENCONS_RING_IDX cons, prod, space;
+
+	cons = intf->in_cons;
+	prod = intf->in_prod;
+	mb();
+
+	space = prod - cons;
+	if (space > sizeof(intf->in))
+		return 0; /* ring is screwed: ignore it */
+
+	return (sizeof(intf->in) - space);
+}
+
+static int xencons_can_receive(void *opaque)
+{
+	struct domain *dom = (struct domain *)opaque;
+	/* XXX QEMU just treats this as a boolean - it should note
+	 * how many bytes we want */
+	return ring_free_bytes(dom);
+}
+
+static void xencons_receive(void *opaque, const uint8_t *buf, int len)
+{
+	struct domain *dom = (struct domain *)opaque;
+	int i, max;
+	struct xencons_interface *intf = dom->interface;
+	XENCONS_RING_IDX prod;
+
+	/*
+	 * XXX we ought to be able to tell QEMU how many bytes we're happy to get
+	 */
+	max = ring_free_bytes(dom);
+	if (max < len)
+		len = max;
+
+	prod = intf->in_prod;
+	for (i = 0; i < len; i++) {
+		intf->in[MASK_XENCONS_IDX(prod++, intf->in)] =
+			buf[i];
+	}
+	wmb();
+	intf->in_prod = prod;
+	xc_evtchn_notify(dom->xce_handle, dom->local_port);
+}
+
+static void xencons_send(struct domain *dom)
+{
+	ssize_t len;
+	len = qemu_chr_write(dom->chr, dom->buffer.data + dom->buffer.consumed,
+			     dom->buffer.size - dom->buffer.consumed);
+ 	if (len < 1) {
+		dolog(LOG_DEBUG, "Write failed on domain %d: %zd, %d\n",
+		      dom->domid, len, errno);
+	} else {
+		buffer_advance(&dom->buffer, len);
+	}
+}
+
+static void xencons_ring_read(void *opaque)
+{
+	evtchn_port_t port;
+	struct domain *dom = (struct domain *)opaque;
+
+	if ((port = xc_evtchn_pending(dom->xce_handle)) == -1)
+		return;
+
+	buffer_append(dom);
+
+	(void)xc_evtchn_unmask(dom->xce_handle, port);
+
+	/* XXX QEMU needs to let us get an event when the channel
+	 * is writable without getting EAGAIN & thus throwing away
+	 * data
+	 */
+	if (dom->buffer.size - dom->buffer.consumed)
+		xencons_send(dom);
+}
+
+
+int xencons_init(int domid, CharDriverState *chr)
+{
+	struct domain *dom = create_domain(domid, chr);
+
+	if (!dom)
+		return -1;
+
+	if (qemu_set_fd_handler2(dom->xce_handle, NULL, xencons_ring_read, NULL, dom) < 0)
+		return -1;
+
+	qemu_chr_add_handlers(chr, xencons_can_receive, xencons_receive,
+			      NULL, dom);
+
+
+	return 0;
+}
+
+
+/*
+ * Local variables:
+ *  c-file-style: "linux"
+ *  indent-tabs-mode: t
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 9261686d840c tools/ioemu/hw/xencons.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xencons.h	Wed Aug 01 21:17:49 2007 -0400
@@ -0,0 +1,24 @@
+/*
+ *  Copyright (C) International Business Machines  Corp., 2005
+ *  Author(s): Anthony Liguori <aliguori@us.ibm.com>
+ *
+ *  Copyright (C) Red Hat 2007
+ *
+ *  Xen Console
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; under version 2 of the License.
+ * 
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ * 
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+
+extern int xencons_init(int domid, CharDriverState *chr);
diff -r 9261686d840c tools/ioemu/hw/xenfb.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfb.c	Wed Aug 01 20:49:01 2007 -0400
@@ -0,0 +1,822 @@
+#include <stdarg.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <xenctrl.h>
+#include <xen/io/xenbus.h>
+#include <xen/io/fbif.h>
+#include <xen/io/kbdif.h>
+#include <xen/io/protocols.h>
+#include <sys/select.h>
+#include <stdbool.h>
+#include <xen/event_channel.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <xs.h>
+#include <linux/input.h>
+
+#include "xenfb.h"
+#include "vl.h"
+
+// FIXME defend against malicious frontend?
+
+struct xenfb_device {
+	const char *devicetype;
+	char nodename[64];	/* backend xenstore dir */
+	char otherend[64];	/* frontend xenstore dir */
+	int otherend_id;	/* frontend domid */
+	enum xenbus_state state; /* backend state */
+	void *page;		/* shared page */
+	evtchn_port_t port;
+	struct xenfb_private *xenfb;
+};
+
+struct xenfb_private {
+	struct xenfb pub;
+	int evt_xch;		/* event channel driver handle */
+	int xc;			/* hypervisor interface handle */
+	struct xs_handle *xsh;	/* xs daemon handle */
+	struct xenfb_device fb, kbd;
+	size_t fb_len;		/* size of framebuffer */
+	char protocol[64];	/* frontend protocol */
+        int state;
+};
+
+static void xenfb_detach_dom(struct xenfb_private *);
+
+static char *xenfb_path_in_dom(struct xs_handle *xsh,
+			       char *buf, size_t size,
+			       unsigned domid, const char *fmt, ...)
+{
+	va_list ap;
+	char *domp = xs_get_domain_path(xsh, domid);
+	int n;
+
+        if (domp == NULL)
+		return NULL;
+
+	n = snprintf(buf, size, "%s/", domp);
+	free(domp);
+	if (n >= size)
+		return NULL;
+
+	va_start(ap, fmt);
+	n += vsnprintf(buf + n, size - n, fmt, ap);
+	va_end(ap);
+	if (n >= size)
+		return NULL;
+
+	return buf;
+}
+
+static int xenfb_xs_scanf1(struct xs_handle *xsh,
+			   const char *dir, const char *node,
+			   const char *fmt, void *dest)
+{
+	char buf[1024];
+	char *p;
+	int ret;
+
+	if (snprintf(buf, sizeof(buf), "%s/%s", dir, node) >= sizeof(buf)) {
+		errno = ENOENT;
+		return -1;
+        }
+	p = xs_read(xsh, XBT_NULL, buf, NULL);
+	if (!p) {
+		errno = ENOENT;
+		return -1;
+        }
+	ret = sscanf(p, fmt, dest);
+	free(p);
+	if (ret != 1) {
+		errno = EDOM;
+		return -1;
+        }
+	return ret;
+}
+
+static int xenfb_xs_printf(struct xs_handle *xsh,
+			   const char *dir, const char *node, char *fmt, ...)
+{
+	va_list ap;
+	char key[1024];
+	char val[1024];
+	int n;
+
+	if (snprintf(key, sizeof(key), "%s/%s", dir, node) >= sizeof(key)) {
+		errno = ENOENT;
+		return -1;
+        }
+
+	va_start(ap, fmt);
+	n = vsnprintf(val, sizeof(val), fmt, ap);
+	va_end(ap);
+	if (n >= sizeof(val)) {
+		errno = ENOSPC; /* close enough */
+		return -1;
+	}
+
+	if (!xs_write(xsh, XBT_NULL, key, val, n))
+		return -1;
+	return 0;
+}
+
+static void xenfb_device_init(struct xenfb_device *dev,
+			      const char *type,
+			      struct xenfb_private *xenfb)
+{
+	dev->devicetype = type;
+	dev->otherend_id = -1;
+	dev->port = -1;
+	dev->xenfb = xenfb;
+}
+
+int xenfb_device_set_domain(struct xenfb_device *dev, int domid)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+
+	dev->otherend_id = domid;
+
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->otherend, sizeof(dev->otherend),
+			       domid, "device/%s/0", dev->devicetype)) {
+		errno = ENOENT;
+		return -1;
+	}
+	if (!xenfb_path_in_dom(xenfb->xsh,
+			       dev->nodename, sizeof(dev->nodename),
+			       0, "backend/%s/%d/0", dev->devicetype, domid)) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	return 0;
+}
+
+struct xenfb *xenfb_new(void)
+{
+	struct xenfb_private *xenfb = malloc(sizeof(*xenfb));
+	int serrno;
+
+	if (xenfb == NULL)
+		return NULL;
+
+	memset(xenfb, 0, sizeof(*xenfb));
+	xenfb->evt_xch = xenfb->xc = -1;
+	xenfb_device_init(&xenfb->fb, "vfb", xenfb);
+	xenfb_device_init(&xenfb->kbd, "vkbd", xenfb);
+
+	xenfb->evt_xch = xc_evtchn_open();
+	if (xenfb->evt_xch == -1)
+		goto fail;
+
+	xenfb->xc = xc_interface_open();
+	if (xenfb->xc == -1)
+		goto fail;
+
+	xenfb->xsh = xs_daemon_open();
+	if (!xenfb->xsh)
+		goto fail;
+
+	return &xenfb->pub;
+
+ fail:
+	serrno = errno;
+	xenfb_delete(&xenfb->pub);
+	errno = serrno;
+	return NULL;
+}
+
+/* Remove the backend area in xenbus since the framebuffer really is
+   going away. */
+void xenfb_teardown(struct xenfb *xenfb_pub)
+{
+       struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->fb.nodename);
+       xs_rm(xenfb->xsh, XBT_NULL, xenfb->kbd.nodename);
+}
+
+
+void xenfb_delete(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	xenfb_detach_dom(xenfb);
+	if (xenfb->xc >= 0)
+		xc_interface_close(xenfb->xc);
+	if (xenfb->evt_xch >= 0)
+		xc_evtchn_close(xenfb->evt_xch);
+	if (xenfb->xsh)
+		xs_daemon_close(xenfb->xsh);
+	free(xenfb);
+}
+
+static enum xenbus_state xenfb_read_state(struct xs_handle *xsh,
+					  const char *dir)
+{
+	int ret, state;
+
+	ret = xenfb_xs_scanf1(xsh, dir, "state", "%d", &state);
+	if (ret < 0)
+		return XenbusStateUnknown;
+
+	if ((unsigned)state > XenbusStateClosed)
+		state = XenbusStateUnknown;
+	return state;
+}
+
+static int xenfb_switch_state(struct xenfb_device *dev,
+			      enum xenbus_state state)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+
+	if (xenfb_xs_printf(xsh, dev->nodename, "state", "%d", state) < 0)
+		return -1;
+	dev->state = state;
+	return 0;
+}
+
+static int xenfb_wait_for_state(struct xs_handle *xsh, const char *dir,
+				unsigned awaited)
+{
+	unsigned state, dummy;
+	char **vec;
+
+	awaited |= 1 << XenbusStateUnknown;
+
+	for (;;) {
+		state = xenfb_read_state(xsh, dir);
+		if ((1 << state) & awaited)
+			return state;
+
+		vec = xs_read_watch(xsh, &dummy);
+		if (!vec)
+			return -1;
+		free(vec);
+	}
+}
+
+static int xenfb_wait_for_backend_creation(struct xenfb_device *dev)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	int state;
+
+	if (!xs_watch(xsh, dev->nodename, ""))
+		return -1;
+	state = xenfb_wait_for_state(xsh, dev->nodename,
+			(1 << XenbusStateInitialising)
+			| (1 << XenbusStateClosed)
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			| (1 << XenbusStateInitWait)
+			| (1 << XenbusStateConnected)
+			| (1 << XenbusStateClosing)
+#endif
+			);
+	xs_unwatch(xsh, dev->nodename, "");
+
+	switch (state) {
+#if 1
+	case XenbusStateInitWait:
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialising); /* FIXME */
+#endif
+	case XenbusStateInitialising:
+	case XenbusStateClosing:
+	case XenbusStateClosed:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static int xenfb_hotplug(struct xenfb_device *dev)
+{
+	if (xenfb_xs_printf(dev->xenfb->xsh, dev->nodename,
+			    "hotplug-status", "connected"))
+		return -1;
+	return 0;
+}
+
+static int xenfb_wait_for_frontend_initialised(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+#if 1 /* TODO fudging state to permit restarting; to be removed */
+			(1 << XenbusStateInitialised)
+			| (1 << XenbusStateConnected)
+#else
+			1 << XenbusStateInitialised,
+#endif
+			)) {
+#if 1
+	case XenbusStateConnected:
+		printf("Fudging state to %d\n", XenbusStateInitialised); /* FIXME */
+#endif
+	case XenbusStateInitialised:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_copy_mfns(int mode, int count, unsigned long *dst, void *src)
+{
+	uint32_t *src32 = src;
+	uint64_t *src64 = src;
+	int i;
+
+	for (i = 0; i < count; i++)
+		dst[i] = (mode == 32) ? src32[i] : src64[i];
+}
+
+static int xenfb_map_fb(struct xenfb_private *xenfb, int domid)
+{
+	struct xenfb_page *page = xenfb->fb.page;
+	int n_fbmfns;
+	int n_fbdirs;
+	unsigned long *pgmfns = NULL;
+	unsigned long *fbmfns = NULL;
+	void *map, *pd;
+	int mode, ret = -1;
+
+	/* default to native */
+	pd = page->pd;
+	mode = sizeof(unsigned long) * 8;
+
+	if (0 == strlen(xenfb->protocol)) {
+		/*
+		 * Undefined protocol, some guesswork needed.
+		 *
+		 * Old frontends which don't set the protocol use
+		 * one page directory only, thus pd[1] must be zero.
+		 * pd[1] of the 32bit struct layout and the lower
+		 * 32 bits of pd[0] of the 64bit struct layout have
+		 * the same location, so we can check that ...
+		 */
+		uint32_t *ptr32 = NULL;
+		uint32_t *ptr64 = NULL;
+#if defined(__i386__)
+		ptr32 = (void*)page->pd;
+		ptr64 = ((void*)page->pd) + 4;
+#elif defined(__x86_64__)
+		ptr32 = ((void*)page->pd) - 4;
+		ptr64 = (void*)page->pd;
+#endif
+		if (ptr32) {
+			if (0 == ptr32[1]) {
+				mode = 32;
+				pd   = ptr32;
+			} else {
+				mode = 64;
+				pd   = ptr64;
+			}
+		}
+#if defined(__x86_64__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_32)) {
+		/* 64bit dom0, 32bit domU */
+		mode = 32;
+		pd   = ((void*)page->pd) - 4;
+#elif defined(__i386__)
+	} else if (0 == strcmp(xenfb->protocol, XEN_IO_PROTO_ABI_X86_64)) {
+		/* 32bit dom0, 64bit domU */
+		mode = 64;
+		pd   = ((void*)page->pd) + 4;
+#endif
+	}
+
+	n_fbmfns = (xenfb->fb_len + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+	n_fbdirs = n_fbmfns * mode / 8;
+	n_fbdirs = (n_fbdirs + (XC_PAGE_SIZE - 1)) / XC_PAGE_SIZE;
+
+	pgmfns = malloc(sizeof(unsigned long) * n_fbdirs);
+	fbmfns = malloc(sizeof(unsigned long) * n_fbmfns);
+	if (!pgmfns || !fbmfns)
+		goto out;
+
+	/*
+	 * Bug alert: xc_map_foreign_batch() can fail partly and
+	 * return a non-null value.  This is a design flaw.  When it
+	 * happens, we happily continue here, and later crash on
+	 * access.
+	 */
+	xenfb_copy_mfns(mode, n_fbdirs, pgmfns, pd);
+	map = xc_map_foreign_batch(xenfb->xc, domid,
+				   PROT_READ, pgmfns, n_fbdirs);
+	if (map == NULL)
+		goto out;
+	xenfb_copy_mfns(mode, n_fbmfns, fbmfns, map);
+	munmap(map, n_fbdirs * XC_PAGE_SIZE);
+
+	xenfb->pub.pixels = xc_map_foreign_batch(xenfb->xc, domid,
+				PROT_READ | PROT_WRITE, fbmfns, n_fbmfns);
+	if (xenfb->pub.pixels == NULL)
+		goto out;
+
+	ret = 0; /* all is fine */
+
+ out:
+	if (pgmfns)
+		free(pgmfns);
+	if (fbmfns)
+		free(fbmfns);
+	return ret;
+}
+
+static int xenfb_bind(struct xenfb_device *dev)
+{
+	struct xenfb_private *xenfb = dev->xenfb;
+	unsigned long mfn;
+	evtchn_port_t evtchn;
+
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "page-ref", "%lu",
+			    &mfn) < 0)
+		return -1;
+	if (xenfb_xs_scanf1(xenfb->xsh, dev->otherend, "event-channel", "%u",
+			    &evtchn) < 0)
+		return -1;
+
+	dev->port = xc_evtchn_bind_interdomain(xenfb->evt_xch,
+					       dev->otherend_id, evtchn);
+	if (dev->port == -1)
+		return -1;
+
+	dev->page = xc_map_foreign_range(xenfb->xc, dev->otherend_id,
+			XC_PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
+	if (dev->page == NULL)
+		return -1;
+
+	return 0;
+}
+
+static void xenfb_unbind(struct xenfb_device *dev)
+{
+	if (dev->page) {
+		munmap(dev->page, XC_PAGE_SIZE);
+		dev->page = NULL;
+	}
+        if (dev->port >= 0) {
+		xc_evtchn_unbind(dev->xenfb->evt_xch, dev->port);
+		dev->port = -1;
+	}
+}
+
+static int xenfb_wait_for_frontend_connected(struct xenfb_device *dev)
+{
+	switch (xenfb_wait_for_state(dev->xenfb->xsh, dev->otherend,
+				     1 << XenbusStateConnected)) {
+	case XenbusStateConnected:
+		break;
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xenfb_dev_fatal(struct xenfb_device *dev, int err,
+			    const char *fmt, ...)
+{
+	struct xs_handle *xsh = dev->xenfb->xsh;
+	va_list ap;
+	char errdir[80];
+	char buf[1024];
+	int n;
+
+	fprintf(stderr, "%s ", dev->nodename); /* somewhat crude */
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	if (err)
+		fprintf(stderr, " (%s)", strerror(err));
+	putc('\n', stderr);
+
+	if (!xenfb_path_in_dom(xsh, errdir, sizeof(errdir), 0,
+			       "error/%s", dev->nodename))
+		goto out;	/* FIXME complain */
+
+	va_start(ap, fmt);
+	n = snprintf(buf, sizeof(buf), "%d ", err);
+	snprintf(buf + n, sizeof(buf) - n, fmt, ap);
+	va_end(ap);
+
+	if (xenfb_xs_printf(xsh, buf, "error", "%s", buf) < 0)
+		goto out;	/* FIXME complain */
+
+ out:
+	xenfb_switch_state(dev, XenbusStateClosing);
+}
+
+int xenfb_attach_dom(struct xenfb *xenfb_pub, int domid)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	struct xs_handle *xsh = xenfb->xsh;
+	int val, serrno;
+	struct xenfb_page *fb_page;
+
+	xenfb_detach_dom(xenfb);
+
+	xenfb_device_set_domain(&xenfb->fb, domid);
+	xenfb_device_set_domain(&xenfb->kbd, domid);
+
+	if (xenfb_wait_for_backend_creation(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_backend_creation(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_printf(xsh, xenfb->kbd.nodename, "feature-abs-pointer", "1"))
+		goto error;
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateInitWait))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateInitWait))
+		goto error;
+
+	if (xenfb_hotplug(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_hotplug(&xenfb->kbd) < 0)
+		goto error;
+
+	if (!xs_watch(xsh, xenfb->fb.otherend, ""))
+		goto error;
+	if (!xs_watch(xsh, xenfb->kbd.otherend, ""))
+		goto error;
+
+	if (xenfb_wait_for_frontend_initialised(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_wait_for_frontend_initialised(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_bind(&xenfb->fb) < 0)
+		goto error;
+	if (xenfb_bind(&xenfb->kbd) < 0)
+		goto error;
+
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "feature-update",
+			    "%d", &val) < 0)
+		val = 0;
+	if (!val) {
+		errno = ENOTSUP;
+		goto error;
+	}
+	if (xenfb_xs_scanf1(xsh, xenfb->fb.otherend, "protocol", "%63s",
+			    xenfb->protocol) < 0)
+		xenfb->protocol[0] = '\0';
+	xenfb_xs_printf(xsh, xenfb->fb.nodename, "request-update", "1");
+
+	/* TODO check for permitted ranges */
+	fb_page = xenfb->fb.page;
+	xenfb->pub.depth = fb_page->depth;
+	xenfb->pub.width = fb_page->width;
+	xenfb->pub.height = fb_page->height;
+	/* TODO check for consistency with the above */
+	xenfb->fb_len = fb_page->mem_length;
+	xenfb->pub.row_stride = fb_page->line_length;
+
+	if (xenfb_map_fb(xenfb, domid) < 0)
+		goto error;
+
+	if (xenfb_switch_state(&xenfb->fb, XenbusStateConnected))
+		goto error;
+	if (xenfb_switch_state(&xenfb->kbd, XenbusStateConnected))
+		goto error;
+
+	if (xenfb_wait_for_frontend_connected(&xenfb->kbd) < 0)
+		goto error;
+	if (xenfb_xs_scanf1(xsh, xenfb->kbd.otherend, "request-abs-pointer",
+			    "%d", &val) < 0)
+		val = 0;
+	xenfb->pub.abs_pointer_wanted = val;
+
+	return 0;
+
+ error:
+	serrno = errno;
+	xenfb_detach_dom(xenfb);
+	xenfb_dev_fatal(&xenfb->fb, serrno, "on fire");
+	xenfb_dev_fatal(&xenfb->kbd, serrno, "on fire");
+        errno = serrno;
+        return -1;
+}
+
+static void xenfb_detach_dom(struct xenfb_private *xenfb)
+{
+	xenfb_unbind(&xenfb->fb);
+	xenfb_unbind(&xenfb->kbd);
+	if (xenfb->pub.pixels) {
+		munmap(xenfb->pub.pixels, xenfb->fb_len);
+		xenfb->pub.pixels = NULL;
+	}
+}
+
+static void xenfb_on_fb_event(struct xenfb_private *xenfb)
+{
+	uint32_t prod, cons;
+	struct xenfb_page *page = xenfb->fb.page;
+
+	prod = page->out_prod;
+	if (prod == page->out_cons)
+		return;
+	rmb();			/* ensure we see ring contents up to prod */
+	for (cons = page->out_cons; cons != prod; cons++) {
+		union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+
+		switch (event->type) {
+		case XENFB_TYPE_UPDATE:
+                    if (xenfb->pub.update)
+			xenfb->pub.update(&xenfb->pub,
+					  event->update.x, event->update.y,
+					  event->update.width, event->update.height);
+                    break;
+		}
+	}
+	mb();			/* ensure we're done with ring contents */
+	page->out_cons = cons;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->fb.port);
+}
+
+static void xenfb_on_kbd_event(struct xenfb_private *xenfb)
+{
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	/* We don't understand any keyboard events, so just ignore them. */
+	if (page->out_prod == page->out_cons)
+		return;
+	page->out_cons = page->out_prod;
+	xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+static int xenfb_on_state_change(struct xenfb_device *dev)
+{
+	enum xenbus_state state;
+
+	state = xenfb_read_state(dev->xenfb->xsh, dev->otherend);
+
+	switch (state) {
+	case XenbusStateUnknown:
+		/* There was an error reading the frontend state.  The
+		   domain has probably gone away; in any case, there's
+		   not much point in us continuing. */
+		return -1;
+	case XenbusStateInitialising:
+	case XenbusStateInitWait:
+	case XenbusStateInitialised:
+	case XenbusStateConnected:
+		break;
+	case XenbusStateClosing:
+		xenfb_unbind(dev);
+		xenfb_switch_state(dev, state);
+		break;
+	case XenbusStateClosed:
+		xenfb_switch_state(dev, state);
+	}
+	return 0;
+}
+
+static void xenfb_dispatch_channel(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	evtchn_port_t port;
+	
+	port = xc_evtchn_pending(xenfb->evt_xch);
+	if (port == -1)
+		return;
+
+	if (port == xenfb->fb.port)
+		xenfb_on_fb_event(xenfb);
+	else if (port == xenfb->kbd.port)
+		xenfb_on_kbd_event(xenfb);
+  
+	if (xc_evtchn_unmask(xenfb->evt_xch, port) == -1)
+		return;
+}
+
+static void xenfb_dispatch_store(void *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	char **vec;
+	int r;
+	unsigned dummy;
+
+	vec = xs_read_watch(xenfb->xsh, &dummy);
+	free(vec);
+	r = xenfb_on_state_change(&xenfb->fb);
+	if (r == 0)
+		r = xenfb_on_state_change(&xenfb->kbd);
+	if (r == -1)
+		exit(1);
+	/* XXX better error handling ?*/
+}
+
+
+int xenfb_register_events(struct xenfb *xenfb_pub)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	int fd1 = xc_evtchn_fd(xenfb->evt_xch);
+	int fd2 = xs_fileno(xenfb->xsh);
+
+	if (qemu_set_fd_handler2(fd1, NULL, xenfb_dispatch_channel, NULL, xenfb_pub) < 0)
+		return -1;
+	if (qemu_set_fd_handler2(fd2, NULL, xenfb_dispatch_store, NULL, xenfb_pub) < 0)
+		return -1;
+
+	return 0;
+}
+
+static int xenfb_kbd_event(struct xenfb_private *xenfb,
+			   union xenkbd_in_event *event)
+{
+	uint32_t prod;
+	struct xenkbd_page *page = xenfb->kbd.page;
+
+	if (xenfb->kbd.state != XenbusStateConnected)
+		return 0;
+
+	prod = page->in_prod;
+	if (prod - page->in_cons == XENKBD_IN_RING_LEN) {
+		errno = EAGAIN;
+		return -1;
+	}
+
+	mb();			/* ensure ring space available */
+	XENKBD_IN_RING_REF(page, prod) = *event;
+	wmb();			/* ensure ring contents visible */
+	page->in_prod = prod + 1;
+	return xc_evtchn_notify(xenfb->evt_xch, xenfb->kbd.port);
+}
+
+int xenfb_send_key(struct xenfb *xenfb_pub, bool down, int keycode)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_KEY;
+	event.key.pressed = down ? 1 : 0;
+	event.key.keycode = keycode;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+static const int btnmap[] = {
+        BTN_LEFT, BTN_RIGHT, BTN_MIDDLE, BTN_SIDE,
+        BTN_EXTRA, BTN_FORWARD, BTN_BACK, BTN_TASK
+};
+
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+
+	int i;
+	for (i = 0 ; i < 8 ; i++) {
+		int lastDown = xenfb->state & (1 << i);
+		int down = state & (1 << i);
+		if (down == lastDown)
+			continue;
+	  
+		if (xenfb_send_key(xenfb_pub, down, BTN_LEFT+i) < 0)
+			return -1;
+	}
+
+	xenfb->state = state;
+	return 0;
+}
+
+int xenfb_send_motion(struct xenfb *xenfb_pub, int rel_x, int rel_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_MOTION;
+	event.motion.rel_x = rel_x;
+	event.motion.rel_y = rel_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+
+int xenfb_send_position(struct xenfb *xenfb_pub, int abs_x, int abs_y)
+{
+	struct xenfb_private *xenfb = (struct xenfb_private *)xenfb_pub;
+	union xenkbd_in_event event;
+
+	memset(&event, 0, XENKBD_IN_EVENT_SIZE);
+	event.type = XENKBD_TYPE_POS;
+	event.pos.abs_x = abs_x;
+	event.pos.abs_y = abs_y;
+
+	return xenfb_kbd_event(xenfb, &event);
+}
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 9261686d840c tools/ioemu/hw/xenfb.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfb.h	Mon Jul 30 17:51:22 2007 -0400
@@ -0,0 +1,35 @@
+#ifndef _XENFB_H_
+#define _XENFB_H_
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+struct xenfb
+{
+	void *pixels;
+
+	int row_stride;
+	int depth;
+	int width;
+	int height;
+	int abs_pointer_wanted;
+
+	void *user_data;
+
+	void (*update)(struct xenfb *xenfb, int x, int y, int width, int height);
+};
+
+struct xenfb *xenfb_new(void);
+void xenfb_delete(struct xenfb *xenfb);
+void xenfb_teardown(struct xenfb *xenfb);
+
+int xenfb_attach_dom(struct xenfb *xenfb, int domid);
+
+int xenfb_register_events(struct xenfb *xenfb_pub);
+
+int xenfb_send_key(struct xenfb *xenfb, bool down, int keycode);
+int xenfb_send_motion(struct xenfb *xenfb, int rel_x, int rel_y);
+int xenfb_send_position(struct xenfb *xenfb, int abs_x, int abs_y);
+int xenfb_send_buttons(struct xenfb *xenfb_pub, int state);
+
+#endif
diff -r 9261686d840c tools/ioemu/hw/xenfv.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenfv.c	Wed Aug 01 21:27:53 2007 -0400
@@ -0,0 +1,256 @@
+
+#include "vl.h"
+#include <xen/hvm/params.h>
+#include <sys/mman.h>
+
+
+#if defined(MAPCACHE)
+
+#if defined(__i386__) 
+#define MAX_MCACHE_SIZE    0x40000000 /* 1GB max for x86 */
+#define MCACHE_BUCKET_SHIFT 16
+#elif defined(__x86_64__)
+#define MAX_MCACHE_SIZE    0x1000000000 /* 64GB max for x86_64 */
+#define MCACHE_BUCKET_SHIFT 20
+#endif
+
+#define MCACHE_BUCKET_SIZE (1UL << MCACHE_BUCKET_SHIFT)
+
+#define BITS_PER_LONG (sizeof(long)*8)
+#define BITS_TO_LONGS(bits) \
+    (((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
+#define DECLARE_BITMAP(name,bits) \
+    unsigned long name[BITS_TO_LONGS(bits)]
+#define test_bit(bit,map) \
+    (!!((map)[(bit)/BITS_PER_LONG] & (1UL << ((bit)%BITS_PER_LONG))))
+
+struct map_cache {
+    unsigned long paddr_index;
+    uint8_t      *vaddr_base;
+    DECLARE_BITMAP(valid_mapping, MCACHE_BUCKET_SIZE>>PAGE_SHIFT);
+};
+
+static struct map_cache *mapcache_entry;
+static unsigned long nr_buckets;
+
+/* For most cases (>99.9%), the page address is the same. */
+static unsigned long last_address_index = ~0UL;
+static uint8_t      *last_address_vaddr;
+
+static int qemu_map_cache_init(void)
+{
+    unsigned long size;
+
+    nr_buckets = (((MAX_MCACHE_SIZE >> PAGE_SHIFT) +
+                   (1UL << (MCACHE_BUCKET_SHIFT - PAGE_SHIFT)) - 1) >>
+                  (MCACHE_BUCKET_SHIFT - PAGE_SHIFT));
+    fprintf(logfile, "qemu_map_cache_init nr_buckets = %lx\n", nr_buckets);
+
+    /*
+     * Use mmap() directly: lets us allocate a big hash table with no up-front
+     * cost in storage space. The OS will allocate memory only for the buckets
+     * that we actually use. All others will contain all zeroes.
+     */
+    size = nr_buckets * sizeof(struct map_cache);
+    size = (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
+    mapcache_entry = mmap(NULL, size, PROT_READ|PROT_WRITE,
+                          MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+    if (mapcache_entry == MAP_FAILED) {
+        errno = ENOMEM;
+        return -1;
+    }
+
+    return 0;
+}
+
+static void qemu_remap_bucket(struct map_cache *entry,
+                              unsigned long address_index)
+{
+    uint8_t *vaddr_base;
+    unsigned long pfns[MCACHE_BUCKET_SIZE >> PAGE_SHIFT];
+    unsigned int i, j;
+
+    if (entry->vaddr_base != NULL) {
+        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
+        if (errno) {
+            fprintf(logfile, "unmap fails %d\n", errno);
+            exit(-1);
+        }
+    }
+
+    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i++)
+        pfns[i] = (address_index << (MCACHE_BUCKET_SHIFT-PAGE_SHIFT)) + i;
+
+    vaddr_base = xc_map_foreign_batch(xc_handle, domid, PROT_READ|PROT_WRITE,
+                                      pfns, MCACHE_BUCKET_SIZE >> PAGE_SHIFT);
+    if (vaddr_base == NULL) {
+        fprintf(logfile, "xc_map_foreign_batch error %d\n", errno);
+        exit(-1);
+    }
+
+    entry->vaddr_base  = vaddr_base;
+    entry->paddr_index = address_index;
+
+    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i += BITS_PER_LONG) {
+        unsigned long word = 0;
+        j = ((i + BITS_PER_LONG) > (MCACHE_BUCKET_SIZE >> PAGE_SHIFT)) ?
+            (MCACHE_BUCKET_SIZE >> PAGE_SHIFT) % BITS_PER_LONG : BITS_PER_LONG;
+        while (j > 0)
+            word = (word << 1) | !(pfns[i + --j] & 0xF0000000UL);
+        entry->valid_mapping[i / BITS_PER_LONG] = word;
+    }
+}
+
+uint8_t *qemu_map_cache(target_phys_addr_t phys_addr)
+{
+    struct map_cache *entry;
+    unsigned long address_index  = phys_addr >> MCACHE_BUCKET_SHIFT;
+    unsigned long address_offset = phys_addr & (MCACHE_BUCKET_SIZE-1);
+
+    if (address_index == last_address_index)
+        return last_address_vaddr + address_offset;
+
+    entry = &mapcache_entry[address_index % nr_buckets];
+
+    if (entry->vaddr_base == NULL || entry->paddr_index != address_index ||
+        !test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
+        qemu_remap_bucket(entry, address_index);
+
+    if (!test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
+        return NULL;
+
+    last_address_index = address_index;
+    last_address_vaddr = entry->vaddr_base;
+
+    return last_address_vaddr + address_offset;
+}
+
+void qemu_invalidate_map_cache(void)
+{
+    unsigned long i;
+
+    mapcache_lock();
+
+    for (i = 0; i < nr_buckets; i++) {
+        struct map_cache *entry = &mapcache_entry[i];
+
+        if (entry->vaddr_base == NULL)
+            continue;
+
+        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
+        if (errno) {
+            fprintf(logfile, "unmap fails %d\n", errno);
+            exit(-1);
+        }
+
+        entry->paddr_index = 0;
+        entry->vaddr_base  = NULL;
+    }
+
+    last_address_index =  ~0UL;
+    last_address_vaddr = NULL;
+
+    mapcache_unlock();
+}
+
+#endif /* defined(MAPCACHE) */
+
+
+static void xen_init_fv(uint64_t ram_size, int vga_ram_size, char *boot_device,
+			DisplayState *ds, const char **fd_filename, 
+			int snapshot, 
+			const char *kernel_filename, 
+			const char *kernel_cmdline,
+			const char *initrd_filename)
+{
+    unsigned long ioreq_pfn;
+    extern void *shared_page;
+    extern void *buffered_io_page;
+#ifdef __ia64__
+    unsigned long nr_pages;
+    xen_pfn_t *page_array;
+    extern void *buffered_pio_page;
+#endif
+
+#if defined(__i386__) || defined(__x86_64__)
+
+    if (qemu_map_cache_init()) {
+        fprintf(logfile, "qemu_map_cache_init returned: error %d\n", errno);
+        exit(-1);
+    }
+
+    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_IOREQ_PFN, &ioreq_pfn);
+    fprintf(logfile, "shared page at pfn %lx\n", ioreq_pfn);
+    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE, ioreq_pfn);
+    if (shared_page == NULL) {
+        fprintf(logfile, "map shared IO page returned error %d\n", errno);
+        exit(-1);
+    }
+
+    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_BUFIOREQ_PFN, &ioreq_pfn);
+    fprintf(logfile, "buffered io page at pfn %lx\n", ioreq_pfn);
+    buffered_io_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                            PROT_READ|PROT_WRITE, ioreq_pfn);
+    if (buffered_io_page == NULL) {
+        fprintf(logfile, "map buffered IO page returned error %d\n", errno);
+        exit(-1);
+    }
+
+#elif defined(__ia64__)
+
+    nr_pages = ram_size/PAGE_SIZE;
+
+    page_array = (xen_pfn_t *)malloc(nr_pages * sizeof(xen_pfn_t));
+    if (page_array == NULL) {
+        fprintf(logfile, "malloc returned error %d\n", errno);
+        exit(-1);
+    }
+
+    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       IO_PAGE_START >> PAGE_SHIFT);
+
+    buffered_io_page =xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       BUFFER_IO_PAGE_START >> PAGE_SHIFT);
+
+    buffered_pio_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                       PROT_READ|PROT_WRITE,
+                                       BUFFER_PIO_PAGE_START >> PAGE_SHIFT);
+
+    for (i = 0; i < nr_pages; i++)
+        page_array[i] = i;
+	
+    /* VTI will not use memory between 3G~4G, so we just pass a legal pfn
+       to make QEMU map continuous virtual memory space */
+    if (ram_size > MMIO_START) {	
+        for (i = 0 ; i < (MEM_G >> PAGE_SHIFT); i++)
+            page_array[(MMIO_START >> PAGE_SHIFT) + i] =
+                (STORE_PAGE_START >> PAGE_SHIFT); 
+    }
+
+    phys_ram_base = xc_map_foreign_batch(xc_handle, domid,
+                                         PROT_READ|PROT_WRITE,
+                                         page_array, nr_pages);
+    if (phys_ram_base == 0) {
+        fprintf(logfile, "xc_map_foreign_batch returned error %d\n", errno);
+        exit(-1);
+    }
+    free(page_array);
+#endif
+
+    timeoffset_get();
+
+    pc_machine.init(ram_size, vga_ram_size, boot_device,
+		    ds, fd_filename, snapshot,
+		    kernel_filename, kernel_cmdline,
+		    initrd_filename);
+}
+
+
+QEMUMachine xenfv_machine = {
+    "xenfv",
+    "Xen Fullyvirtualized PC",
+    xen_init_fv,
+};
diff -r 9261686d840c tools/ioemu/hw/xenpv.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/hw/xenpv.c	Wed Aug 01 21:18:43 2007 -0400
@@ -0,0 +1,184 @@
+/*
+ *  Copyright (C) Red Hat 2007
+ *
+ *  Xen Paravirt Guest Machine
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; under version 2 of the License.
+ * 
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ * 
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include "vl.h"
+#include "xenfb.h"
+#include "xencons.h"
+
+/* A convenient function for munging pixels between different depths */
+#define BLT(SRC_T,DST_T,RLS,GLS,BLS,RRS,GRS,BRS,RM,GM,BM)		\
+    for (line = y ; line < h ; line++) {				\
+	SRC_T *src = (SRC_T *)(xenfb->pixels + (line*xenfb->row_stride) + (x*xenfb->depth/8)); \
+	DST_T *dst = (DST_T *)(ds->data + (line*ds->linesize) + (x*ds->depth/8)); \
+	int col;							\
+	for (col = x ; col < w ; col++) {				\
+	    *dst = (((*src >> RRS)&RM) << RLS) |			\
+		(((*src >> GRS)&GM) << GLS) |				\
+		(((*src >> GRS)&BM) << BLS);				\
+	    src++;							\
+	    dst++;							\
+	} \
+    }
+
+
+/* This copies data from the guest framebuffer region, into QEMU's copy
+ * NB. QEMU's copy is stored in the pixel format of a) the local X server (SDL case)
+ * or b) the current VNC client pixel format.
+ */
+static void xen_pvfb_guest(struct xenfb *xenfb, int x, int y, int w, int h)
+{
+  DisplayState *ds = (DisplayState *)xenfb->user_data;
+  int line;
+
+  if (xenfb->depth == ds->depth) { /* Perfect match can use fast path */
+      for (line = y ; line < (y+h) ; line++) {
+	  memcpy(ds->data + (line * ds->linesize) + (x*ds->depth/8),
+		 xenfb->pixels + (line*xenfb->row_stride) + (x*xenfb->depth/8),
+		 w * xenfb->depth/8);
+      }
+  } else { /* Mismatch requires slow pixel swizzling */
+      if (xenfb->depth == 8) {
+	  if (ds->depth == 16) {
+	      BLT(uint8_t, uint16_t,   5, 2, 0,   11, 5, 0,   7, 7, 3);
+	  } else if (ds->depth == 32) {
+	      BLT(uint8_t, uint32_t,   5, 2, 0,   16, 8, 0,   7, 7, 3);
+	  }
+      } else if (xenfb->depth == 16) {
+	  if (ds->depth == 8) {
+	      BLT(uint16_t, uint8_t,    11, 5, 0,   5, 2, 0,    31, 63, 31);
+	  } else if (ds->depth == 32) {
+	      BLT(uint16_t, uint32_t,   11, 5, 0,   16, 8, 0,   31, 63, 31);
+	  }
+      } else if (xenfb->depth == 32) {
+	  if (ds->depth == 8) {
+	      BLT(uint32_t, uint8_t,    16, 8, 0,   5, 2, 0,    255, 255, 255);
+	  } else if (ds->depth == 16) {
+	      BLT(uint32_t, uint16_t,   16, 8, 0,   11, 5, 0,   255, 255, 255);
+	  }
+      }
+  }
+  dpy_update(ds, x, y, w, h);
+}
+
+/* Send a keypress from the client to the guest OS */
+static void xen_put_keycode(void *opaque, int keycode)
+{
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+  xenfb_send_key(xenfb, keycode & 0x80 ? 0 : 1, keycode & 0x7f);
+}
+
+/* Send a mouse event from the client to the guest OS */
+static void xen_mouse_event(void *opaque,
+                            int dx, int dy, int dz, int buttons_state)
+{
+  struct xenfb *xenfb = (struct xenfb*)opaque;
+  DisplayState *ds = (DisplayState *)xenfb->user_data;
+  if (xenfb->abs_pointer_wanted)
+      xenfb_send_position(xenfb,
+			dx*ds->width/0x7fff,
+			dy*ds->height/0x7fff);
+  else
+      xenfb_send_motion(xenfb, dx, dy);
+  xenfb_send_buttons(xenfb, buttons_state);
+}
+
+/* QEMU display state changed, so refresh the framebuffer copy */
+void xen_pvfb_update(void *opaque) {
+    struct xenfb *xenfb = (struct xenfb *)opaque;
+    xen_pvfb_guest(xenfb, 0, 0, xenfb->width, xenfb->height);
+}
+/* QEMU display state changed, so refresh the framebuffer copy */
+void xen_pvfb_invalidate(void *opaque) {
+    struct xenfb *xenfb = (struct xenfb *)opaque;
+    xen_pvfb_guest(xenfb, 0, 0, xenfb->width, xenfb->height);
+}
+void xen_pvfb_screen_dump(void *opaque, const char *name) { }
+
+/* The Xen PV machine currently provides
+ *   - a virtual framebuffer
+ *   - ....
+ */
+static void xen_init_pv(uint64_t ram_size, int vga_ram_size, char *boot_device,
+                        DisplayState *ds, const char **fd_filename,
+                        int snapshot,
+                        const char *kernel_filename,
+                        const char *kernel_cmdline,
+                        const char *initrd_filename)
+{
+    struct xenfb *xenfb;
+    extern int domid;
+
+    /* Prepare PVFB state */
+    xenfb = xenfb_new();
+    if (xenfb == NULL) {
+	fprintf(stderr, "Could not create framebuffer (%s)\n",
+		strerror(errno));
+	exit(1);
+    }
+
+    /* Talk to the guest */
+    if (xenfb_attach_dom(xenfb, domid) < 0) {
+	fprintf(stderr, "Could not connect to domain (%s)\n",
+		strerror(errno));
+	exit(1);
+    }
+    xenfb->update = xen_pvfb_guest;
+    xenfb->user_data = ds;
+
+    /* Tell QEMU to allocate a graphical console */
+    graphic_console_init(ds,
+			 xen_pvfb_update,
+			 xen_pvfb_invalidate,
+			 xen_pvfb_screen_dump,
+			 xenfb);
+
+    /* Register our keyboard & mouse handlers */
+    qemu_add_kbd_event_handler(xen_put_keycode, xenfb);
+    qemu_add_mouse_event_handler(xen_mouse_event, xenfb,
+				 xenfb->abs_pointer_wanted,
+				 "Xen PVFB Mouse");
+
+    /* Listen for events from the guest */
+    xenfb_register_events(xenfb);
+
+    /* Setup QEMU display */
+    dpy_resize(ds, xenfb->width, xenfb->height);
+
+    if (serial_hds[0]) {
+	if (xencons_init(domid, serial_hds[0]) < 0) {
+	    fprintf(stderr, "Could not connect to domain console\n");
+	    exit(1);
+	}
+    }
+}
+
+
+QEMUMachine xenpv_machine = {
+    "xenpv",
+    "Xen Paravirtualized PC",
+    xen_init_pv
+};
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: nil
+ * End:
+ */
diff -r 9261686d840c tools/ioemu/target-i386-dm/helper2.c
--- a/tools/ioemu/target-i386-dm/helper2.c	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/target-i386-dm/helper2.c	Wed Aug 01 18:53:13 2007 -0400
@@ -622,7 +622,8 @@ int main_loop(void)
 				       cpu_single_env);
     qemu_mod_timer(buffered_io_timer, qemu_get_clock(rt_clock));
 
-    qemu_set_fd_handler(evtchn_fd, cpu_handle_ioreq, NULL, env);
+    if (evtchn_fd != -1)
+      qemu_set_fd_handler(evtchn_fd, cpu_handle_ioreq, NULL, env);
 
     while (!(vm_running && suspend_requested))
         /* Wait up to 10 msec. */
diff -r 9261686d840c tools/ioemu/vl.c
--- a/tools/ioemu/vl.c	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/vl.c	Wed Aug 01 21:28:21 2007 -0400
@@ -89,7 +89,7 @@
 
 #include "exec-all.h"
 
-#include <xen/hvm/params.h>
+
 #define DEFAULT_NETWORK_SCRIPT "/etc/xen/qemu-ifup"
 #define DEFAULT_BRIDGE "xenbr0"
 #ifdef __sun__
@@ -6647,8 +6647,13 @@ void register_machines(void)
 void register_machines(void)
 {
 #if defined(TARGET_I386)
+#ifndef CONFIG_DM
     qemu_register_machine(&pc_machine);
     qemu_register_machine(&isapc_machine);
+#else
+    qemu_register_machine(&xenfv_machine);
+    qemu_register_machine(&xenpv_machine);
+#endif
 #elif defined(TARGET_PPC)
     qemu_register_machine(&heathrow_machine);
     qemu_register_machine(&core99_machine);
@@ -6865,156 +6870,6 @@ void suspend(int sig)
     suspend_requested = 1;
 }
 
-#if defined(MAPCACHE)
-
-#if defined(__i386__) 
-#define MAX_MCACHE_SIZE    0x40000000 /* 1GB max for x86 */
-#define MCACHE_BUCKET_SHIFT 16
-#elif defined(__x86_64__)
-#define MAX_MCACHE_SIZE    0x1000000000 /* 64GB max for x86_64 */
-#define MCACHE_BUCKET_SHIFT 20
-#endif
-
-#define MCACHE_BUCKET_SIZE (1UL << MCACHE_BUCKET_SHIFT)
-
-#define BITS_PER_LONG (sizeof(long)*8)
-#define BITS_TO_LONGS(bits) \
-    (((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
-#define DECLARE_BITMAP(name,bits) \
-    unsigned long name[BITS_TO_LONGS(bits)]
-#define test_bit(bit,map) \
-    (!!((map)[(bit)/BITS_PER_LONG] & (1UL << ((bit)%BITS_PER_LONG))))
-
-struct map_cache {
-    unsigned long paddr_index;
-    uint8_t      *vaddr_base;
-    DECLARE_BITMAP(valid_mapping, MCACHE_BUCKET_SIZE>>PAGE_SHIFT);
-};
-
-static struct map_cache *mapcache_entry;
-static unsigned long nr_buckets;
-
-/* For most cases (>99.9%), the page address is the same. */
-static unsigned long last_address_index = ~0UL;
-static uint8_t      *last_address_vaddr;
-
-static int qemu_map_cache_init(void)
-{
-    unsigned long size;
-
-    nr_buckets = (((MAX_MCACHE_SIZE >> PAGE_SHIFT) +
-                   (1UL << (MCACHE_BUCKET_SHIFT - PAGE_SHIFT)) - 1) >>
-                  (MCACHE_BUCKET_SHIFT - PAGE_SHIFT));
-    fprintf(logfile, "qemu_map_cache_init nr_buckets = %lx\n", nr_buckets);
-
-    /*
-     * Use mmap() directly: lets us allocate a big hash table with no up-front
-     * cost in storage space. The OS will allocate memory only for the buckets
-     * that we actually use. All others will contain all zeroes.
-     */
-    size = nr_buckets * sizeof(struct map_cache);
-    size = (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
-    mapcache_entry = mmap(NULL, size, PROT_READ|PROT_WRITE,
-                          MAP_SHARED|MAP_ANONYMOUS, 0, 0);
-    if (mapcache_entry == MAP_FAILED) {
-        errno = ENOMEM;
-        return -1;
-    }
-
-    return 0;
-}
-
-static void qemu_remap_bucket(struct map_cache *entry,
-                              unsigned long address_index)
-{
-    uint8_t *vaddr_base;
-    unsigned long pfns[MCACHE_BUCKET_SIZE >> PAGE_SHIFT];
-    unsigned int i, j;
-
-    if (entry->vaddr_base != NULL) {
-        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
-        if (errno) {
-            fprintf(logfile, "unmap fails %d\n", errno);
-            exit(-1);
-        }
-    }
-
-    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i++)
-        pfns[i] = (address_index << (MCACHE_BUCKET_SHIFT-PAGE_SHIFT)) + i;
-
-    vaddr_base = xc_map_foreign_batch(xc_handle, domid, PROT_READ|PROT_WRITE,
-                                      pfns, MCACHE_BUCKET_SIZE >> PAGE_SHIFT);
-    if (vaddr_base == NULL) {
-        fprintf(logfile, "xc_map_foreign_batch error %d\n", errno);
-        exit(-1);
-    }
-
-    entry->vaddr_base  = vaddr_base;
-    entry->paddr_index = address_index;
-
-    for (i = 0; i < MCACHE_BUCKET_SIZE >> PAGE_SHIFT; i += BITS_PER_LONG) {
-        unsigned long word = 0;
-        j = ((i + BITS_PER_LONG) > (MCACHE_BUCKET_SIZE >> PAGE_SHIFT)) ?
-            (MCACHE_BUCKET_SIZE >> PAGE_SHIFT) % BITS_PER_LONG : BITS_PER_LONG;
-        while (j > 0)
-            word = (word << 1) | !(pfns[i + --j] & 0xF0000000UL);
-        entry->valid_mapping[i / BITS_PER_LONG] = word;
-    }
-}
-
-uint8_t *qemu_map_cache(target_phys_addr_t phys_addr)
-{
-    struct map_cache *entry;
-    unsigned long address_index  = phys_addr >> MCACHE_BUCKET_SHIFT;
-    unsigned long address_offset = phys_addr & (MCACHE_BUCKET_SIZE-1);
-
-    if (address_index == last_address_index)
-        return last_address_vaddr + address_offset;
-
-    entry = &mapcache_entry[address_index % nr_buckets];
-
-    if (entry->vaddr_base == NULL || entry->paddr_index != address_index ||
-        !test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
-        qemu_remap_bucket(entry, address_index);
-
-    if (!test_bit(address_offset>>PAGE_SHIFT, entry->valid_mapping))
-        return NULL;
-
-    last_address_index = address_index;
-    last_address_vaddr = entry->vaddr_base;
-
-    return last_address_vaddr + address_offset;
-}
-
-void qemu_invalidate_map_cache(void)
-{
-    unsigned long i;
-
-    mapcache_lock();
-
-    for (i = 0; i < nr_buckets; i++) {
-        struct map_cache *entry = &mapcache_entry[i];
-
-        if (entry->vaddr_base == NULL)
-            continue;
-
-        errno = munmap(entry->vaddr_base, MCACHE_BUCKET_SIZE);
-        if (errno) {
-            fprintf(logfile, "unmap fails %d\n", errno);
-            exit(-1);
-        }
-
-        entry->paddr_index = 0;
-        entry->vaddr_base  = NULL;
-    }
-
-    last_address_index =  ~0UL;
-    last_address_vaddr = NULL;
-
-    mapcache_unlock();
-}
-
-#endif /* defined(MAPCACHE) */
 
 int main(int argc, char **argv)
 {
@@ -7049,14 +6904,6 @@ int main(int argc, char **argv)
     char usb_devices[MAX_USB_CMDLINE][128];
     int usb_devices_index;
     int fds[2];
-    unsigned long ioreq_pfn;
-    extern void *shared_page;
-    extern void *buffered_io_page;
-#ifdef __ia64__
-    unsigned long nr_pages;
-    xen_pfn_t *page_array;
-    extern void *buffered_pio_page;
-#endif
 
     char qemu_dm_logfilename[128];
     
@@ -7699,7 +7546,9 @@ int main(int argc, char **argv)
     /* init the memory */
     phys_ram_size = ram_size + vga_ram_size + bios_size;
 
-#ifndef CONFIG_DM
+#ifdef CONFIG_DM
+    xc_handle = xc_interface_open();
+#else
     for (i = 0; i < nb_option_roms; i++) {
 	int ret = get_image_size(option_rom[i]);
 	if (ret == -1) {
@@ -7708,83 +7557,6 @@ int main(int argc, char **argv)
 	}
 	phys_ram_size += ret;
     }
-#endif /* !CONFIG_DM */
-
-#ifdef CONFIG_DM
-
-    xc_handle = xc_interface_open();
-
-#if defined(__i386__) || defined(__x86_64__)
-
-    if (qemu_map_cache_init()) {
-        fprintf(logfile, "qemu_map_cache_init returned: error %d\n", errno);
-        exit(-1);
-    }
-
-    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_IOREQ_PFN, &ioreq_pfn);
-    fprintf(logfile, "shared page at pfn %lx\n", ioreq_pfn);
-    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE, ioreq_pfn);
-    if (shared_page == NULL) {
-        fprintf(logfile, "map shared IO page returned error %d\n", errno);
-        exit(-1);
-    }
-
-    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_BUFIOREQ_PFN, &ioreq_pfn);
-    fprintf(logfile, "buffered io page at pfn %lx\n", ioreq_pfn);
-    buffered_io_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                            PROT_READ|PROT_WRITE, ioreq_pfn);
-    if (buffered_io_page == NULL) {
-        fprintf(logfile, "map buffered IO page returned error %d\n", errno);
-        exit(-1);
-    }
-
-#elif defined(__ia64__)
-
-    nr_pages = ram_size/PAGE_SIZE;
-
-    page_array = (xen_pfn_t *)malloc(nr_pages * sizeof(xen_pfn_t));
-    if (page_array == NULL) {
-        fprintf(logfile, "malloc returned error %d\n", errno);
-        exit(-1);
-    }
-
-    shared_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       IO_PAGE_START >> PAGE_SHIFT);
-
-    buffered_io_page =xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       BUFFER_IO_PAGE_START >> PAGE_SHIFT);
-
-    buffered_pio_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
-                                       PROT_READ|PROT_WRITE,
-                                       BUFFER_PIO_PAGE_START >> PAGE_SHIFT);
-
-    for (i = 0; i < nr_pages; i++)
-        page_array[i] = i;
-	
-    /* VTI will not use memory between 3G~4G, so we just pass a legal pfn
-       to make QEMU map continuous virtual memory space */
-    if (ram_size > MMIO_START) {	
-        for (i = 0 ; i < (MEM_G >> PAGE_SHIFT); i++)
-            page_array[(MMIO_START >> PAGE_SHIFT) + i] =
-                (STORE_PAGE_START >> PAGE_SHIFT); 
-    }
-
-    phys_ram_base = xc_map_foreign_batch(xc_handle, domid,
-                                         PROT_READ|PROT_WRITE,
-                                         page_array, nr_pages);
-    if (phys_ram_base == 0) {
-        fprintf(logfile, "xc_map_foreign_batch returned error %d\n", errno);
-        exit(-1);
-    }
-    free(page_array);
-#endif
-
-    timeoffset_get();
-
-#else  /* !CONFIG_DM */
 
     phys_ram_base = qemu_vmalloc(phys_ram_size);
     if (!phys_ram_base) {
diff -r 9261686d840c tools/ioemu/vl.h
--- a/tools/ioemu/vl.h	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/vl.h	Wed Aug 01 19:35:19 2007 -0400
@@ -1118,6 +1118,10 @@ extern void pci_piix4_acpi_init(PCIBus *
 /* pc.c */
 extern QEMUMachine pc_machine;
 extern QEMUMachine isapc_machine;
+#ifdef CONFIG_DM
+extern QEMUMachine xenfv_machine;
+extern QEMUMachine xenpv_machine;
+#endif
 extern int fd_bootchk;
 
 void ioport_set_a20(int enable);
diff -r 9261686d840c tools/ioemu/xenstore.c
--- a/tools/ioemu/xenstore.c	Tue Jun 26 12:40:37 2007 +0100
+++ b/tools/ioemu/xenstore.c	Wed Aug 01 20:59:53 2007 -0400
@@ -17,7 +17,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 
-static struct xs_handle *xsh = NULL;
+struct xs_handle *xsh = NULL;
 static char *media_filename[MAX_DISKS + MAX_SCSI_DISKS];
 static QEMUTimer *insert_timer = NULL;
 

[-- Attachment #3: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel