From: Qing He <qing.he@intel.com>
To: xen-devel@lists.xensource.com
Cc: Qing He <qing.he@intel.com>
Subject: [PATCH 04/17] vmx: nest: domain and vcpu flags
Date: Thu, 22 Apr 2010 17:41:16 +0800
Message-ID: <1271929289-18572-5-git-send-email-qing.he@intel.com>
In-Reply-To: <1271929289-18572-1-git-send-email-qing.he@intel.com>
Introduce a domain create flag to allow the user to set the availability
of nested virtualization.
The flag will be used to disable all reporting and function
facilities, improving guest security.
Another per-vcpu flag is used to indicate whether the vcpu
is in L1 or L2 context.
Signed-off-by: Qing He <qing.he@intel.com>
---
arch/x86/domain.c | 4 ++++
common/domctl.c | 5 ++++-
include/asm-x86/hvm/domain.h | 1 +
include/asm-x86/hvm/vcpu.h | 2 ++
include/public/domctl.h | 3 +++
include/xen/sched.h | 3 +++
6 files changed, 17 insertions(+), 1 deletion(-)
diff -r a0bbec37b529 -r 6f0f41f80285 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/arch/x86/domain.c Thu Apr 22 22:30:00 2010 +0800
@@ -413,6 +413,10 @@
d->arch.s3_integrity = !!(domcr_flags & DOMCRF_s3_integrity);
+ d->arch.hvm_domain.nesting_avail =
+ is_hvm_domain(d) &&
+ (domcr_flags & DOMCRF_nesting);
+
INIT_LIST_HEAD(&d->arch.pdev_list);
d->arch.relmem = RELMEM_not_started;
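Review bot: the assignment of `d->arch.hvm_domain.nesting_avail` silently drops DOMCRF_nesting for non-HVM domains instead of treating the combination as a caller error; since this field is what later gates capability reporting to the guest, a toolstack that asked for nesting on a PV guest gets a domain that quietly lacks the feature with no diagnostic. Either reject the combination at the domctl level or add a comment here stating that the flag is deliberately ignored for PV. Also worth confirming that nothing in the HVM domain initialisation path later clears `hvm_domain` wholesale, since this write happens before that code runs and the patch gives no evidence either way.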
diff -r a0bbec37b529 -r 6f0f41f80285 xen/common/domctl.c
--- a/xen/common/domctl.c Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/common/domctl.c Thu Apr 22 22:30:00 2010 +0800
@@ -393,7 +393,8 @@
if ( supervisor_mode_kernel ||
(op->u.createdomain.flags &
~(XEN_DOMCTL_CDF_hvm_guest | XEN_DOMCTL_CDF_hap |
- XEN_DOMCTL_CDF_s3_integrity | XEN_DOMCTL_CDF_oos_off)) )
+ XEN_DOMCTL_CDF_s3_integrity | XEN_DOMCTL_CDF_oos_off |
+ XEN_DOMCTL_CDF_nesting)) )
break;
dom = op->domain;
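Review bot: the widened mask accepts XEN_DOMCTL_CDF_nesting on its own, so `XEN_DOMCTL_CDF_nesting` without `XEN_DOMCTL_CDF_hvm_guest` passes this check and only gets masked away later in arch code. Consider adding an explicit `-EINVAL` here for nesting requested on a non-HVM guest, so the failure is visible to the toolstack at creation time rather than surfacing as a missing capability inside the guest.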
@@ -429,6 +430,8 @@
domcr_flags |= DOMCRF_s3_integrity;
if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_oos_off )
domcr_flags |= DOMCRF_oos_off;
+ if ( op->u.createdomain.flags & XEN_DOMCTL_CDF_nesting )
+ domcr_flags |= DOMCRF_nesting;
ret = -ENOMEM;
d = domain_create(dom, domcr_flags, op->u.createdomain.ssidref);
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/asm-x86/hvm/domain.h
--- a/xen/include/asm-x86/hvm/domain.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/asm-x86/hvm/domain.h Thu Apr 22 22:30:00 2010 +0800
@@ -93,6 +93,7 @@
bool_t mem_sharing_enabled;
bool_t qemu_mapcache_invalidate;
bool_t is_s3_suspended;
+ bool_t nesting_avail;
union {
struct vmx_domain vmx;
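Review bot: `nesting_avail` is added without a comment saying what it means or who owns it. Since it is written once from domain-creation flags and then only read by the VMX exit and MSR paths, state that explicitly (for example `/* Nested virtualization permitted for this domain; set at creation, read-only thereafter. */`) so readers know the field needs no locking and must not be flipped at runtime by guest-controllable code.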
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/asm-x86/hvm/vcpu.h
--- a/xen/include/asm-x86/hvm/vcpu.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/asm-x86/hvm/vcpu.h Thu Apr 22 22:30:00 2010 +0800
@@ -70,6 +70,8 @@
bool_t debug_state_latch;
bool_t single_step;
+ bool_t in_nesting;
+
u64 asid_generation;
u32 asid;
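Review bot: `in_nesting` is introduced here but nothing in this patch initialises, sets or reads it, and its meaning (the vcpu is currently executing in L2 rather than L1 context) is only given in the commit message. Add that as a comment on the field, and note that it relies on the vcpu struct being zero-initialised so a fresh vcpu starts in L1; the later patches that set it should never do so for a domain whose `nesting_avail` is clear.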
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/public/domctl.h
--- a/xen/include/public/domctl.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/public/domctl.h Thu Apr 22 22:30:00 2010 +0800
@@ -64,6 +64,9 @@
/* Disable out-of-sync shadow page tables? */
#define _XEN_DOMCTL_CDF_oos_off 3
#define XEN_DOMCTL_CDF_oos_off (1U<<_XEN_DOMCTL_CDF_oos_off)
+ /* Is nested virtualization allowed */
+#define _XEN_DOMCTL_CDF_nesting 4
+#define XEN_DOMCTL_CDF_nesting (1U<<_XEN_DOMCTL_CDF_nesting)
};
typedef struct xen_domctl_createdomain xen_domctl_createdomain_t;
DEFINE_XEN_GUEST_HANDLE(xen_domctl_createdomain_t);
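Review bot: the new comment `/* Is nested virtualization allowed */` does not follow the style of the neighbouring flag comments, which are phrased as questions ending in `?` (`/* Disable out-of-sync shadow page tables? */`); make it `/* Is nested virtualization allowed? */`. This is a public ABI header, so also check whether XEN_DOMCTL_INTERFACE_VERSION needs to change for a new createdomain flag bit, and whether the flag should be rejected for non-HVM guests, since this header gives no hint that it is HVM-only.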
diff -r a0bbec37b529 -r 6f0f41f80285 xen/include/xen/sched.h
--- a/xen/include/xen/sched.h Thu Apr 22 21:49:38 2010 +0800
+++ b/xen/include/xen/sched.h Thu Apr 22 22:30:00 2010 +0800
@@ -393,6 +393,9 @@
/* DOMCRF_oos_off: dont use out-of-sync optimization for shadow page tables */
#define _DOMCRF_oos_off 4
#define DOMCRF_oos_off (1U<<_DOMCRF_oos_off)
+ /* DOMCRF_nesting: Create a domain that allows nested virtualization . */
+#define _DOMCRF_nesting 5
+#define DOMCRF_nesting (1U<<_DOMCRF_nesting)
/*
* rcu_lock_domain_by_id() is more efficient than get_domain_by_id().
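Review bot: stray space before the full stop in `/* DOMCRF_nesting: Create a domain that allows nested virtualization . */`. The comment should also say that the flag is honoured only for HVM domains, matching what the arch code does, so the next person adding a DOMCRF_ bit does not assume it applies to PV. Bit numbering (DOMCRF bit 5 versus XEN_DOMCTL_CDF bit 4) is consistent with the existing oos_off pair, so no issue there.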