From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>, xen-devel@lists.xen.org
Subject: Re: [PATCH 6/7] xen: Allow hardare domain != dom0
Date: Fri, 11 Apr 2014 14:22:53 -0400 [thread overview]
Message-ID: <534832FD.8000105@tycho.nsa.gov> (raw)
In-Reply-To: <5348244E02000078000080C2@nat28.tlf.novell.com>
[-- Attachment #1: Type: text/plain, Size: 7703 bytes --]
On 04/11/2014 11:20 AM, Jan Beulich wrote:
>>>> On 11.04.14 at 17:07, <dgdegra@tycho.nsa.gov> wrote:
>> On 04/11/2014 05:13 AM, Jan Beulich wrote:
>>>>>> On 27.03.14 at 12:52, <dgdegra@tycho.nsa.gov> wrote:
>>>> @@ -794,7 +795,7 @@ void watchdog_domain_destroy(struct domain *d);
>>>> * (that is, this would not be suitable for a driver domain)
>>>> * - There is never a reason to deny dom0 access to this
>>>> */
>>>> -#define is_hardware_domain(_d) ((_d)->domain_id == 0)
>>>> +#define is_hardware_domain(d) ((d)->domain_id == hardware_domid)
>>>
>>> This macro should imo evaluate to true for Dom0 until the hardware
>>> domain go created, i.e. you should compare _d with hardware_domain
>>> rather than their IDs. With that the definition of hardware_domid can
>>> then also be moved inside the #ifdef requested above.
>>
>> This isn't quite as simple as changing the function since there are
>> some places where is_hardware_domain needs to return false for domain 0
>> when a hardware domain is used. Also, the hardware_domain variable is
>> not set until domain_create returns, so there are a few places where the
>> domain ID still needs to be checked explicitly. It should be possible
>> to create an is_hardware_domid function for those cases, if comparing to
>> hardware_domain is preferred for most cases; I think that would belong in
>> a new patch 5.5/7 (i.e. 6/8 in v4).
>>
>> Otherwise, I think the is_hardware_domain definition should be:
>>
>> #ifdef CONFIG_LATE_HWDOM
>> #define is_hardware_domain(_d) ((_d)->domain_id == hardware_domid)
>> #else
>> #define is_hardware_domain(_d) ((_d)->domain_id == 0)
>> #endif
>>
>> This also allows hardware_domid to be declared inside the #ifdef.
>
> But that still wouldn't necessarily do the correct thing for any use of
> the macro before that new special case code in domain_create() got
> run. Maybe my thinking of this is wrong, but as I tried to state above,
> I would expect Dom0 to be the hardware domain up to the point
> where the intended hardware domain gets created, at which point all
> state Dom0 obtained because of having been the de-facto hardware
> domain get transferred to hardware_domain.
I agree with this in most cases, and I think the few places where that
is not true should be changed to make them more explicit. This must
include all checks in domain_create and those in functions called from
domain_create, because (d == hardware_domain) is always false inside
domain_create. An initial version of this patch is below, but unless
there are objections I plan to integrate it into patch 1 to avoid doing
(d->domain_id == 0) => is_hardware_domain => is_hardware_domain_by_id
for the ARM code.
------------------------------>8------------------------
Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id
In order to better handle the period when domain 0 is running but has
not yet built a late hardware domain, change is_hardware_domain to do
what its name implies: check that the passed domain is the hardware
domain. To address some cases where this variable is not set (in
particular, during the creation of domain 0 this variable will still be
NULL), the old check is retained with the name is_hardware_domain_by_id.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/arch/arm/domain.c | 2 +-
xen/arch/arm/gic.c | 2 +-
xen/arch/arm/vgic.c | 2 +-
xen/arch/arm/vtimer.c | 2 +-
xen/arch/arm/vuart.c | 2 +-
xen/common/domain.c | 4 ++--
xen/include/xen/sched.h | 9 ++++++++-
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index ccccb77..4f235e4 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
* Only use it for the hardware domain because the linux kernel may not
* support multi-platform.
*/
- if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
+ if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) )
goto fail;
return 0;
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 8168b7b..5c16aba 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -868,7 +868,7 @@ int gicv_setup(struct domain *d)
* The hardware domain gets the hardware address.
* Guests get the virtual platform layout.
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->arch.vgic.dbase = gic.dbase;
d->arch.vgic.cbase = gic.cbase;
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 4a7f8c0..cc795e0 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
/* Currently nr_lines in vgic and gic doesn't have the same meanings
* Here nr_lines = number of SPIs
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
d->arch.vgic.nr_lines = gic_number_lines() - 32;
else
d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index cb690bb..4dcb80d 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d)
int vcpu_vtimer_init(struct vcpu *v)
{
struct vtimer *t = &v->arch.phys_timer;
- bool_t d0 = is_hardware_domain(v->domain);
+ bool_t d0 = is_hardware_domain_by_id(v->domain);
/*
* Hardware domain uses the hardware interrupts, guests get the virtual
diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
index c02a8a9..cf9745c 100644
--- a/xen/arch/arm/vuart.c
+++ b/xen/arch/arm/vuart.c
@@ -46,7 +46,7 @@
int domain_vuart_init(struct domain *d)
{
- ASSERT( is_hardware_domain(d) );
+ ASSERT( is_hardware_domain_by_id(d) );
d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
if ( !d->arch.vuart.info )
diff --git a/xen/common/domain.c b/xen/common/domain.c
index c4720a9..4036e69 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -237,7 +237,7 @@ struct domain *domain_create(
else if ( domcr_flags & DOMCRF_pvh )
d->guest_type = guest_type_pvh;
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->is_pinned = opt_dom0_vcpus_pin;
d->disable_migrate = 1;
@@ -262,7 +262,7 @@ struct domain *domain_create(
d->is_paused_by_controller = 1;
atomic_inc(&d->pause_count);
- if ( !is_hardware_domain(d) )
+ if ( !is_hardware_domain_by_id(d) )
d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
else
d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cbbe8a4..34447f1 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain(_d) ((_d) == hardware_domain)
+
+/*
+ * Check for the hardware domain based on domain ID, not using the global
+ * hardware_domain variable. This is necessary inside domain_create where
+ * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
+ */
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
--
1.9.0
[-- Attachment #2: 0006-xen-introduce-is_hardware_domain_by_id.patch --]
[-- Type: text/x-patch, Size: 5043 bytes --]
>From 8271965e73890ce25b86f31045b2c1784bd04273 Mon Sep 17 00:00:00 2001
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 11 Apr 2014 13:46:24 -0400
Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id
In order to better handle the period when domain 0 is running but has
not yet built a late hardware domain, change is_hardware_domain to do
what its name implies: check that the passed domain is the hardware
domain. To address some cases where this variable is not set (in
particular, during the creation of domain 0 this variable will still be
NULL), the old check is retained with the name is_hardware_domain_by_id.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/arch/arm/domain.c | 2 +-
xen/arch/arm/gic.c | 2 +-
xen/arch/arm/vgic.c | 2 +-
xen/arch/arm/vtimer.c | 2 +-
xen/arch/arm/vuart.c | 2 +-
xen/common/domain.c | 4 ++--
xen/include/xen/sched.h | 9 ++++++++-
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index ccccb77..4f235e4 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
* Only use it for the hardware domain because the linux kernel may not
* support multi-platform.
*/
- if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) )
+ if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) )
goto fail;
return 0;
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 8168b7b..5c16aba 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -868,7 +868,7 @@ int gicv_setup(struct domain *d)
* The hardware domain gets the hardware address.
* Guests get the virtual platform layout.
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->arch.vgic.dbase = gic.dbase;
d->arch.vgic.cbase = gic.cbase;
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 4a7f8c0..cc795e0 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d)
/* Currently nr_lines in vgic and gic doesn't have the same meanings
* Here nr_lines = number of SPIs
*/
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
d->arch.vgic.nr_lines = gic_number_lines() - 32;
else
d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */
diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c
index cb690bb..4dcb80d 100644
--- a/xen/arch/arm/vtimer.c
+++ b/xen/arch/arm/vtimer.c
@@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d)
int vcpu_vtimer_init(struct vcpu *v)
{
struct vtimer *t = &v->arch.phys_timer;
- bool_t d0 = is_hardware_domain(v->domain);
+ bool_t d0 = is_hardware_domain_by_id(v->domain);
/*
* Hardware domain uses the hardware interrupts, guests get the virtual
diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c
index c02a8a9..cf9745c 100644
--- a/xen/arch/arm/vuart.c
+++ b/xen/arch/arm/vuart.c
@@ -46,7 +46,7 @@
int domain_vuart_init(struct domain *d)
{
- ASSERT( is_hardware_domain(d) );
+ ASSERT( is_hardware_domain_by_id(d) );
d->arch.vuart.info = serial_vuart_info(SERHND_DTUART);
if ( !d->arch.vuart.info )
diff --git a/xen/common/domain.c b/xen/common/domain.c
index c4720a9..4036e69 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -237,7 +237,7 @@ struct domain *domain_create(
else if ( domcr_flags & DOMCRF_pvh )
d->guest_type = guest_type_pvh;
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain_by_id(d) )
{
d->is_pinned = opt_dom0_vcpus_pin;
d->disable_migrate = 1;
@@ -262,7 +262,7 @@ struct domain *domain_create(
d->is_paused_by_controller = 1;
atomic_inc(&d->pause_count);
- if ( !is_hardware_domain(d) )
+ if ( !is_hardware_domain_by_id(d) )
d->nr_pirqs = nr_static_irqs + extra_domU_irqs;
else
d->nr_pirqs = nr_static_irqs + extra_dom0_irqs;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cbbe8a4..34447f1 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny dom0 access to this
*/
-#define is_hardware_domain(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain(_d) ((_d) == hardware_domain)
+
+/*
+ * Check for the hardware domain based on domain ID, not using the global
+ * hardware_domain variable. This is necessary inside domain_create where
+ * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
+ */
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
--
1.9.0
[-- Attachment #3: 0007-xen-Allow-hardware-domain-dom0.patch --]
[-- Type: text/x-patch, Size: 11513 bytes --]
>From 1cb71b69284ce002c299ea3a3dfa061cad78e7f7 Mon Sep 17 00:00:00 2001
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 6 May 2011 15:13:22 -0400
Subject: [PATCH RFC 7/8] xen: Allow hardware domain != dom0
This adds a hypervisor command line option "hardware_dom=" which takes a
domain ID. When the domain with this ID is created, it will be used
as the hardware domain.
This is intended to be used when domain 0 is a dedicated stub domain for
domain building, allowing the hardware domain to be de-privileged and
act only as a driver domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
---
docs/misc/xen-command-line.markdown | 10 +++++++++
xen/arch/x86/domain_build.c | 4 +++-
xen/common/domain.c | 5 +++++
xen/common/domctl.c | 41 +++++++++++++++++++++++++++++++++++++
xen/common/rangeset.c | 40 ++++++++++++++++++++++++++++++++++++
xen/include/xen/rangeset.h | 3 +++
xen/include/xen/sched.h | 10 +++++++--
xen/include/xsm/dummy.h | 6 ++++++
xen/include/xsm/xsm.h | 6 ++++++
xen/xsm/dummy.c | 2 ++
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 2 ++
12 files changed, 132 insertions(+), 3 deletions(-)
diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 87de2dc..6f5064f 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -590,6 +590,16 @@ Paging (HAP).
Flag to enable 2 MB host page table support for Hardware Assisted
Paging (HAP).
+### hardware\_dom
+> `= <domid>`
+
+> Default: `0`
+
+Enable late hardware domain creation using the specified domain ID. This is
+intended to be used when domain 0 is a stub domain which builds a disaggregated
+system including a hardware domain with the specified domain ID. This option is
+supported only when compiled with CONFIG\_XSM on x86.
+
### hpetbroadcast
> `= <boolean>`
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index 08c40f8..1b61687 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1150,7 +1150,9 @@ int __init construct_dom0(
printk(" Xen warning: dom0 kernel broken ELF: %s\n",
elf_check_broken(&elf));
- iommu_hwdom_init(hardware_domain);
+ if ( is_hardware_domain_by_id(d) )
+ iommu_hwdom_init(d);
+
return 0;
out:
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 4036e69..2561236 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -61,6 +61,11 @@ struct domain *domain_list;
struct domain *hardware_domain __read_mostly;
+#ifdef CONFIG_LATE_HWDOM
+domid_t hardware_domid __read_mostly;
+integer_param("hardware_dom", hardware_domid);
+#endif
+
struct vcpu *idle_vcpu[NR_CPUS] __read_mostly;
vcpu_info_t dummy_vcpu_info;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index af3614b..c77fe99 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -472,6 +472,47 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
break;
}
+#ifdef CONFIG_LATE_HWDOM
+ if ( is_hardware_domain_by_id(d) )
+ {
+ struct domain *dom0 = hardware_domain;
+ ASSERT(dom0->domain_id == 0);
+
+ ret = xsm_init_hardware_domain(XSM_HOOK, d);
+ if ( ret )
+ {
+ domain_kill(d);
+ d = NULL;
+ break;
+ }
+
+ printk("Initialising hardware domain %d\n", hardware_domid);
+ hardware_domain = d;
+
+ /*
+ * Hardware resource ranges for domain 0 have been set up from
+ * various sources intended to restrict the hardware domain's
+ * access. Apply these ranges to the actual hardware domain.
+ *
+ * Because the lists are being swapped, a side effect of this
+ * operation is that Domain 0's rangesets are cleared. Since
+ * domain 0 should not be accessing the hardware when it constructs
+ * a hardware domain, this should not be a problem. Both lists
+ * may be modified after this hypercall returns if a more complex
+ * device model is desired.
+ *
+ * Since late hardware domain initialization is only supported on
+ * x86, the reference to arch.ioport_caps does not need its own
+ * preprocessor conditional.
+ */
+ rangeset_swap(d->irq_caps, dom0->irq_caps);
+ rangeset_swap(d->iomem_caps, dom0->iomem_caps);
+ rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps);
+
+ iommu_hwdom_init(d);
+ }
+#endif
+
ret = 0;
memcpy(d->handle, op->u.createdomain.handle,
diff --git a/xen/common/rangeset.c b/xen/common/rangeset.c
index f09c0c4..52fae1f 100644
--- a/xen/common/rangeset.c
+++ b/xen/common/rangeset.c
@@ -438,3 +438,43 @@ void rangeset_domain_printk(
spin_unlock(&d->rangesets_lock);
}
+
+void rangeset_swap(struct rangeset *a, struct rangeset *b)
+{
+ struct list_head tmp;
+ if (&a < &b)
+ {
+ spin_lock(&a->lock);
+ spin_lock(&b->lock);
+ }
+ else
+ {
+ spin_lock(&b->lock);
+ spin_lock(&a->lock);
+ }
+ memcpy(&tmp, &a->range_list, sizeof(tmp));
+ memcpy(&a->range_list, &b->range_list, sizeof(tmp));
+ memcpy(&b->range_list, &tmp, sizeof(tmp));
+ if ( a->range_list.next == &b->range_list )
+ {
+ a->range_list.next = &a->range_list;
+ a->range_list.prev = &a->range_list;
+ }
+ else
+ {
+ a->range_list.next->prev = &a->range_list;
+ a->range_list.prev->next = &a->range_list;
+ }
+ if ( b->range_list.next == &a->range_list )
+ {
+ b->range_list.next = &b->range_list;
+ b->range_list.prev = &b->range_list;
+ }
+ else
+ {
+ b->range_list.next->prev = &b->range_list;
+ b->range_list.prev->next = &b->range_list;
+ }
+ spin_unlock(&a->lock);
+ spin_unlock(&b->lock);
+}
diff --git a/xen/include/xen/rangeset.h b/xen/include/xen/rangeset.h
index 1e16a6b..805ebde 100644
--- a/xen/include/xen/rangeset.h
+++ b/xen/include/xen/rangeset.h
@@ -73,4 +73,7 @@ void rangeset_printk(
void rangeset_domain_printk(
struct domain *d);
+/* swap contents */
+void rangeset_swap(struct rangeset *a, struct rangeset *b);
+
#endif /* __XEN_RANGESET_H__ */
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 34447f1..50937db 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -46,6 +46,12 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t);
/* A global pointer to the hardware domain (usually DOM0). */
extern struct domain *hardware_domain;
+#ifdef CONFIG_LATE_HWDOM
+extern domid_t hardware_domid;
+#else
+#define hardware_domid 0
+#endif
+
#ifndef CONFIG_COMPAT
#define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG
#else
@@ -795,7 +801,7 @@ void watchdog_domain_destroy(struct domain *d);
* Use this check when the following are both true:
* - Using this feature or interface requires full access to the hardware
* (that is, this would not be suitable for a driver domain)
- * - There is never a reason to deny dom0 access to this
+ * - There is never a reason to deny the hardware domain access to this
*/
#define is_hardware_domain(_d) ((_d) == hardware_domain)
@@ -804,7 +810,7 @@ void watchdog_domain_destroy(struct domain *d);
* hardware_domain variable. This is necessary inside domain_create where
* hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM.
*/
-#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0)
+#define is_hardware_domain_by_id(_d) ((_d)->domain_id == hardware_domid)
/* This check is for functionality specific to a control domain */
#define is_control_domain(_d) ((_d)->is_privileged)
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index e722155..8ca1117 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -299,6 +299,12 @@ static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct
return NULL;
}
+static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_HOOK);
+ return xsm_default_action(action, current->domain, d);
+}
+
static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d)
{
XSM_ASSERT_ACTION(XSM_PRIV);
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 2cd3a3b..ef1c584 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -82,6 +82,7 @@ struct xsm_operations {
int (*alloc_security_evtchn) (struct evtchn *chn);
void (*free_security_evtchn) (struct evtchn *chn);
char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn);
+ int (*init_hardware_domain) (struct domain *d);
int (*get_pod_target) (struct domain *d);
int (*set_pod_target) (struct domain *d);
@@ -311,6 +312,11 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt
return xsm_ops->show_security_evtchn(d, chn);
}
+static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->init_hardware_domain(d);
+}
+
static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d)
{
return xsm_ops->get_pod_target(d);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index b79e10f..c2804f2 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -58,6 +58,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, alloc_security_evtchn);
set_to_dummy_if_null(ops, free_security_evtchn);
set_to_dummy_if_null(ops, show_security_evtchn);
+ set_to_dummy_if_null(ops, init_hardware_domain);
+
set_to_dummy_if_null(ops, get_pod_target);
set_to_dummy_if_null(ops, set_pod_target);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 4ce31c9..f1a4a2d 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -327,6 +327,11 @@ static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *c
return ctx;
}
+static int flask_init_hardware_domain(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CREATE_HARDWARE_DOMAIN);
+}
+
static int flask_grant_mapref(struct domain *d1, struct domain *d2,
uint32_t flags)
{
@@ -1500,6 +1505,7 @@ static struct xsm_operations flask_ops = {
.alloc_security_evtchn = flask_alloc_security_evtchn,
.free_security_evtchn = flask_free_security_evtchn,
.show_security_evtchn = flask_show_security_evtchn,
+ .init_hardware_domain = flask_init_hardware_domain,
.get_pod_target = flask_get_pod_target,
.set_pod_target = flask_set_pod_target,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index a0ed13d..32371a9 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -198,6 +198,8 @@ class domain2
set_max_evtchn
# XEN_DOMCTL_cacheflush
cacheflush
+# Creation of the hardware domain when it is not dom0
+ create_hardware_domain
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
1.9.0
[-- Attachment #4: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2014-04-11 18:22 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-27 11:52 [PATCH v3 0/7] xen: Hardware domain support Daniel De Graaf
2014-03-27 11:52 ` [PATCH 1/7] xen: use domid check in is_hardware_domain Daniel De Graaf
2014-03-27 15:31 ` Ian Campbell
2014-03-27 11:52 ` [PATCH 2/7] xen/iommu: Move dom0 setup code to __hwdom_init Daniel De Graaf
2014-03-27 11:52 ` [PATCH 3/7] xen: prevent 0 from being used as a dynamic domid Daniel De Graaf
2014-03-27 11:52 ` [PATCH 4/7] xen: rename dom0 to hardware_domain Daniel De Graaf
2014-03-27 12:20 ` Egger, Christoph
2014-03-27 12:48 ` Daniel De Graaf
2014-03-27 15:46 ` Egger, Christoph
2014-03-27 15:33 ` Ian Campbell
2014-03-27 11:52 ` [PATCH 5/7] xen: rename various functions referencing dom0 Daniel De Graaf
2014-03-27 15:34 ` Ian Campbell
2014-03-27 15:47 ` Daniel De Graaf
2014-03-27 11:52 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
2014-04-11 9:13 ` Jan Beulich
2014-04-11 15:07 ` Daniel De Graaf
2014-04-11 15:20 ` Jan Beulich
2014-04-11 18:22 ` Daniel De Graaf [this message]
2014-04-14 7:56 ` Jan Beulich
2014-04-14 20:12 ` Daniel De Graaf
2014-03-27 11:52 ` [PATCH 7/7] tools/libxl: Allow dom0 to be destroyed Daniel De Graaf
2014-03-27 15:35 ` Ian Campbell
2014-04-02 15:08 ` Ian Jackson
2014-04-10 15:58 ` [PATCH v3 0/7] xen: Hardware domain support Keir Fraser
-- strict thread matches above, loose matches on Subject: below --
2014-03-18 21:34 [PATCH v2 " Daniel De Graaf
2014-03-18 21:34 ` [PATCH 6/7] xen: Allow hardare domain != dom0 Daniel De Graaf
2014-03-19 9:15 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=534832FD.8000105@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).