From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel De Graaf Subject: Re: [PATCH 6/7] xen: Allow hardare domain != dom0 Date: Fri, 11 Apr 2014 14:22:53 -0400 Message-ID: <534832FD.8000105@tycho.nsa.gov> References: <1395921128-7086-1-git-send-email-dgdegra@tycho.nsa.gov> <1395921128-7086-7-git-send-email-dgdegra@tycho.nsa.gov> <5347CE550200007800007E5E@nat28.tlf.novell.com> <5348053A.9040703@tycho.nsa.gov> <5348244E02000078000080C2@nat28.tlf.novell.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------050501020903070908010301" Return-path: In-Reply-To: <5348244E02000078000080C2@nat28.tlf.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich Cc: Keir Fraser , xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------050501020903070908010301 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 04/11/2014 11:20 AM, Jan Beulich wrote: >>>> On 11.04.14 at 17:07, wrote: >> On 04/11/2014 05:13 AM, Jan Beulich wrote: >>>>>> On 27.03.14 at 12:52, wrote: >>>> @@ -794,7 +795,7 @@ void watchdog_domain_destroy(struct domain *d); >>>> * (that is, this would not be suitable for a driver domain) >>>> * - There is never a reason to deny dom0 access to this >>>> */ >>>> -#define is_hardware_domain(_d) ((_d)->domain_id == 0) >>>> +#define is_hardware_domain(d) ((d)->domain_id == hardware_domid) >>> >>> This macro should imo evaluate to true for Dom0 until the hardware >>> domain go created, i.e. you should compare _d with hardware_domain >>> rather than their IDs. With that the definition of hardware_domid can >>> then also be moved inside the #ifdef requested above. >> >> This isn't quite as simple as changing the function since there are >> some places where is_hardware_domain needs to return false for domain 0 >> when a hardware domain is used. Also, the hardware_domain variable is >> not set until domain_create returns, so there are a few places where the >> domain ID still needs to be checked explicitly. It should be possible >> to create an is_hardware_domid function for those cases, if comparing to >> hardware_domain is preferred for most cases; I think that would belong in >> a new patch 5.5/7 (i.e. 6/8 in v4). >> >> Otherwise, I think the is_hardware_domain definition should be: >> >> #ifdef CONFIG_LATE_HWDOM >> #define is_hardware_domain(_d) ((_d)->domain_id == hardware_domid) >> #else >> #define is_hardware_domain(_d) ((_d)->domain_id == 0) >> #endif >> >> This also allows hardware_domid to be declared inside the #ifdef. > > But that still wouldn't necessarily do the correct thing for any use of > the macro before that new special case code in domain_create() got > run. Maybe my thinking of this is wrong, but as I tried to state above, > I would expect Dom0 to be the hardware domain up to the point > where the intended hardware domain gets created, at which point all > state Dom0 obtained because of having been the de-facto hardware > domain get transferred to hardware_domain. I agree with this in most cases, and I think the few places where that is not true should be changed to make them more explicit. This must include all checks in domain_create and those in functions called from domain_create, because (d == hardware_domain) is always false inside domain_create. An initial version of this patch is below, but unless there are objections I plan to integrate it into patch 1 to avoid doing (d->domain_id == 0) => is_hardware_domain => is_hardware_domain_by_id for the ARM code. ------------------------------>8------------------------ Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id In order to better handle the period when domain 0 is running but has not yet built a late hardware domain, change is_hardware_domain to do what its name implies: check that the passed domain is the hardware domain. To address some cases where this variable is not set (in particular, during the creation of domain 0 this variable will still be NULL), the old check is retained with the name is_hardware_domain_by_id. Signed-off-by: Daniel De Graaf --- xen/arch/arm/domain.c | 2 +- xen/arch/arm/gic.c | 2 +- xen/arch/arm/vgic.c | 2 +- xen/arch/arm/vtimer.c | 2 +- xen/arch/arm/vuart.c | 2 +- xen/common/domain.c | 4 ++-- xen/include/xen/sched.h | 9 ++++++++- 7 files changed, 15 insertions(+), 8 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index ccccb77..4f235e4 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags) * Only use it for the hardware domain because the linux kernel may not * support multi-platform. */ - if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) ) + if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) ) goto fail; return 0; diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c index 8168b7b..5c16aba 100644 --- a/xen/arch/arm/gic.c +++ b/xen/arch/arm/gic.c @@ -868,7 +868,7 @@ int gicv_setup(struct domain *d) * The hardware domain gets the hardware address. * Guests get the virtual platform layout. */ - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) { d->arch.vgic.dbase = gic.dbase; d->arch.vgic.cbase = gic.cbase; diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index 4a7f8c0..cc795e0 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d) /* Currently nr_lines in vgic and gic doesn't have the same meanings * Here nr_lines = number of SPIs */ - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) d->arch.vgic.nr_lines = gic_number_lines() - 32; else d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */ diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c index cb690bb..4dcb80d 100644 --- a/xen/arch/arm/vtimer.c +++ b/xen/arch/arm/vtimer.c @@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d) int vcpu_vtimer_init(struct vcpu *v) { struct vtimer *t = &v->arch.phys_timer; - bool_t d0 = is_hardware_domain(v->domain); + bool_t d0 = is_hardware_domain_by_id(v->domain); /* * Hardware domain uses the hardware interrupts, guests get the virtual diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c index c02a8a9..cf9745c 100644 --- a/xen/arch/arm/vuart.c +++ b/xen/arch/arm/vuart.c @@ -46,7 +46,7 @@ int domain_vuart_init(struct domain *d) { - ASSERT( is_hardware_domain(d) ); + ASSERT( is_hardware_domain_by_id(d) ); d->arch.vuart.info = serial_vuart_info(SERHND_DTUART); if ( !d->arch.vuart.info ) diff --git a/xen/common/domain.c b/xen/common/domain.c index c4720a9..4036e69 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -237,7 +237,7 @@ struct domain *domain_create( else if ( domcr_flags & DOMCRF_pvh ) d->guest_type = guest_type_pvh; - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) { d->is_pinned = opt_dom0_vcpus_pin; d->disable_migrate = 1; @@ -262,7 +262,7 @@ struct domain *domain_create( d->is_paused_by_controller = 1; atomic_inc(&d->pause_count); - if ( !is_hardware_domain(d) ) + if ( !is_hardware_domain_by_id(d) ) d->nr_pirqs = nr_static_irqs + extra_domU_irqs; else d->nr_pirqs = nr_static_irqs + extra_dom0_irqs; diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index cbbe8a4..34447f1 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d); * (that is, this would not be suitable for a driver domain) * - There is never a reason to deny dom0 access to this */ -#define is_hardware_domain(_d) ((_d)->domain_id == 0) +#define is_hardware_domain(_d) ((_d) == hardware_domain) + +/* + * Check for the hardware domain based on domain ID, not using the global + * hardware_domain variable. This is necessary inside domain_create where + * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM. + */ +#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0) /* This check is for functionality specific to a control domain */ #define is_control_domain(_d) ((_d)->is_privileged) -- 1.9.0 --------------050501020903070908010301 Content-Type: text/x-patch; name="0006-xen-introduce-is_hardware_domain_by_id.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0006-xen-introduce-is_hardware_domain_by_id.patch" >>From 8271965e73890ce25b86f31045b2c1784bd04273 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Fri, 11 Apr 2014 13:46:24 -0400 Subject: [PATCH RFC 6/8] xen: introduce is_hardware_domain_by_id In order to better handle the period when domain 0 is running but has not yet built a late hardware domain, change is_hardware_domain to do what its name implies: check that the passed domain is the hardware domain. To address some cases where this variable is not set (in particular, during the creation of domain 0 this variable will still be NULL), the old check is retained with the name is_hardware_domain_by_id. Signed-off-by: Daniel De Graaf --- xen/arch/arm/domain.c | 2 +- xen/arch/arm/gic.c | 2 +- xen/arch/arm/vgic.c | 2 +- xen/arch/arm/vtimer.c | 2 +- xen/arch/arm/vuart.c | 2 +- xen/common/domain.c | 4 ++-- xen/include/xen/sched.h | 9 ++++++++- 7 files changed, 15 insertions(+), 8 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index ccccb77..4f235e4 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -528,7 +528,7 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags) * Only use it for the hardware domain because the linux kernel may not * support multi-platform. */ - if ( is_hardware_domain(d) && (rc = domain_vuart_init(d)) ) + if ( is_hardware_domain_by_id(d) && (rc = domain_vuart_init(d)) ) goto fail; return 0; diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c index 8168b7b..5c16aba 100644 --- a/xen/arch/arm/gic.c +++ b/xen/arch/arm/gic.c @@ -868,7 +868,7 @@ int gicv_setup(struct domain *d) * The hardware domain gets the hardware address. * Guests get the virtual platform layout. */ - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) { d->arch.vgic.dbase = gic.dbase; d->arch.vgic.cbase = gic.cbase; diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index 4a7f8c0..cc795e0 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -82,7 +82,7 @@ int domain_vgic_init(struct domain *d) /* Currently nr_lines in vgic and gic doesn't have the same meanings * Here nr_lines = number of SPIs */ - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) d->arch.vgic.nr_lines = gic_number_lines() - 32; else d->arch.vgic.nr_lines = 0; /* We don't need SPIs for the guest */ diff --git a/xen/arch/arm/vtimer.c b/xen/arch/arm/vtimer.c index cb690bb..4dcb80d 100644 --- a/xen/arch/arm/vtimer.c +++ b/xen/arch/arm/vtimer.c @@ -54,7 +54,7 @@ int vcpu_domain_init(struct domain *d) int vcpu_vtimer_init(struct vcpu *v) { struct vtimer *t = &v->arch.phys_timer; - bool_t d0 = is_hardware_domain(v->domain); + bool_t d0 = is_hardware_domain_by_id(v->domain); /* * Hardware domain uses the hardware interrupts, guests get the virtual diff --git a/xen/arch/arm/vuart.c b/xen/arch/arm/vuart.c index c02a8a9..cf9745c 100644 --- a/xen/arch/arm/vuart.c +++ b/xen/arch/arm/vuart.c @@ -46,7 +46,7 @@ int domain_vuart_init(struct domain *d) { - ASSERT( is_hardware_domain(d) ); + ASSERT( is_hardware_domain_by_id(d) ); d->arch.vuart.info = serial_vuart_info(SERHND_DTUART); if ( !d->arch.vuart.info ) diff --git a/xen/common/domain.c b/xen/common/domain.c index c4720a9..4036e69 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -237,7 +237,7 @@ struct domain *domain_create( else if ( domcr_flags & DOMCRF_pvh ) d->guest_type = guest_type_pvh; - if ( is_hardware_domain(d) ) + if ( is_hardware_domain_by_id(d) ) { d->is_pinned = opt_dom0_vcpus_pin; d->disable_migrate = 1; @@ -262,7 +262,7 @@ struct domain *domain_create( d->is_paused_by_controller = 1; atomic_inc(&d->pause_count); - if ( !is_hardware_domain(d) ) + if ( !is_hardware_domain_by_id(d) ) d->nr_pirqs = nr_static_irqs + extra_domU_irqs; else d->nr_pirqs = nr_static_irqs + extra_dom0_irqs; diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index cbbe8a4..34447f1 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -797,7 +797,14 @@ void watchdog_domain_destroy(struct domain *d); * (that is, this would not be suitable for a driver domain) * - There is never a reason to deny dom0 access to this */ -#define is_hardware_domain(_d) ((_d)->domain_id == 0) +#define is_hardware_domain(_d) ((_d) == hardware_domain) + +/* + * Check for the hardware domain based on domain ID, not using the global + * hardware_domain variable. This is necessary inside domain_create where + * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM. + */ +#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0) /* This check is for functionality specific to a control domain */ #define is_control_domain(_d) ((_d)->is_privileged) -- 1.9.0 --------------050501020903070908010301 Content-Type: text/x-patch; name="0007-xen-Allow-hardware-domain-dom0.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0007-xen-Allow-hardware-domain-dom0.patch" >>From 1cb71b69284ce002c299ea3a3dfa061cad78e7f7 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Fri, 6 May 2011 15:13:22 -0400 Subject: [PATCH RFC 7/8] xen: Allow hardware domain != dom0 This adds a hypervisor command line option "hardware_dom=" which takes a domain ID. When the domain with this ID is created, it will be used as the hardware domain. This is intended to be used when domain 0 is a dedicated stub domain for domain building, allowing the hardware domain to be de-privileged and act only as a driver domain. Signed-off-by: Daniel De Graaf Acked-by: Keir Fraser Cc: Jan Beulich --- docs/misc/xen-command-line.markdown | 10 +++++++++ xen/arch/x86/domain_build.c | 4 +++- xen/common/domain.c | 5 +++++ xen/common/domctl.c | 41 +++++++++++++++++++++++++++++++++++++ xen/common/rangeset.c | 40 ++++++++++++++++++++++++++++++++++++ xen/include/xen/rangeset.h | 3 +++ xen/include/xen/sched.h | 10 +++++++-- xen/include/xsm/dummy.h | 6 ++++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 2 ++ xen/xsm/flask/hooks.c | 6 ++++++ xen/xsm/flask/policy/access_vectors | 2 ++ 12 files changed, 132 insertions(+), 3 deletions(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 87de2dc..6f5064f 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -590,6 +590,16 @@ Paging (HAP). Flag to enable 2 MB host page table support for Hardware Assisted Paging (HAP). +### hardware\_dom +> `= ` + +> Default: `0` + +Enable late hardware domain creation using the specified domain ID. This is +intended to be used when domain 0 is a stub domain which builds a disaggregated +system including a hardware domain with the specified domain ID. This option is +supported only when compiled with CONFIG\_XSM on x86. + ### hpetbroadcast > `= ` diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c index 08c40f8..1b61687 100644 --- a/xen/arch/x86/domain_build.c +++ b/xen/arch/x86/domain_build.c @@ -1150,7 +1150,9 @@ int __init construct_dom0( printk(" Xen warning: dom0 kernel broken ELF: %s\n", elf_check_broken(&elf)); - iommu_hwdom_init(hardware_domain); + if ( is_hardware_domain_by_id(d) ) + iommu_hwdom_init(d); + return 0; out: diff --git a/xen/common/domain.c b/xen/common/domain.c index 4036e69..2561236 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -61,6 +61,11 @@ struct domain *domain_list; struct domain *hardware_domain __read_mostly; +#ifdef CONFIG_LATE_HWDOM +domid_t hardware_domid __read_mostly; +integer_param("hardware_dom", hardware_domid); +#endif + struct vcpu *idle_vcpu[NR_CPUS] __read_mostly; vcpu_info_t dummy_vcpu_info; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index af3614b..c77fe99 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -472,6 +472,47 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; } +#ifdef CONFIG_LATE_HWDOM + if ( is_hardware_domain_by_id(d) ) + { + struct domain *dom0 = hardware_domain; + ASSERT(dom0->domain_id == 0); + + ret = xsm_init_hardware_domain(XSM_HOOK, d); + if ( ret ) + { + domain_kill(d); + d = NULL; + break; + } + + printk("Initialising hardware domain %d\n", hardware_domid); + hardware_domain = d; + + /* + * Hardware resource ranges for domain 0 have been set up from + * various sources intended to restrict the hardware domain's + * access. Apply these ranges to the actual hardware domain. + * + * Because the lists are being swapped, a side effect of this + * operation is that Domain 0's rangesets are cleared. Since + * domain 0 should not be accessing the hardware when it constructs + * a hardware domain, this should not be a problem. Both lists + * may be modified after this hypercall returns if a more complex + * device model is desired. + * + * Since late hardware domain initialization is only supported on + * x86, the reference to arch.ioport_caps does not need its own + * preprocessor conditional. + */ + rangeset_swap(d->irq_caps, dom0->irq_caps); + rangeset_swap(d->iomem_caps, dom0->iomem_caps); + rangeset_swap(d->arch.ioport_caps, dom0->arch.ioport_caps); + + iommu_hwdom_init(d); + } +#endif + ret = 0; memcpy(d->handle, op->u.createdomain.handle, diff --git a/xen/common/rangeset.c b/xen/common/rangeset.c index f09c0c4..52fae1f 100644 --- a/xen/common/rangeset.c +++ b/xen/common/rangeset.c @@ -438,3 +438,43 @@ void rangeset_domain_printk( spin_unlock(&d->rangesets_lock); } + +void rangeset_swap(struct rangeset *a, struct rangeset *b) +{ + struct list_head tmp; + if (&a < &b) + { + spin_lock(&a->lock); + spin_lock(&b->lock); + } + else + { + spin_lock(&b->lock); + spin_lock(&a->lock); + } + memcpy(&tmp, &a->range_list, sizeof(tmp)); + memcpy(&a->range_list, &b->range_list, sizeof(tmp)); + memcpy(&b->range_list, &tmp, sizeof(tmp)); + if ( a->range_list.next == &b->range_list ) + { + a->range_list.next = &a->range_list; + a->range_list.prev = &a->range_list; + } + else + { + a->range_list.next->prev = &a->range_list; + a->range_list.prev->next = &a->range_list; + } + if ( b->range_list.next == &a->range_list ) + { + b->range_list.next = &b->range_list; + b->range_list.prev = &b->range_list; + } + else + { + b->range_list.next->prev = &b->range_list; + b->range_list.prev->next = &b->range_list; + } + spin_unlock(&a->lock); + spin_unlock(&b->lock); +} diff --git a/xen/include/xen/rangeset.h b/xen/include/xen/rangeset.h index 1e16a6b..805ebde 100644 --- a/xen/include/xen/rangeset.h +++ b/xen/include/xen/rangeset.h @@ -73,4 +73,7 @@ void rangeset_printk( void rangeset_domain_printk( struct domain *d); +/* swap contents */ +void rangeset_swap(struct rangeset *a, struct rangeset *b); + #endif /* __XEN_RANGESET_H__ */ diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 34447f1..50937db 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -46,6 +46,12 @@ DEFINE_XEN_GUEST_HANDLE(vcpu_runstate_info_compat_t); /* A global pointer to the hardware domain (usually DOM0). */ extern struct domain *hardware_domain; +#ifdef CONFIG_LATE_HWDOM +extern domid_t hardware_domid; +#else +#define hardware_domid 0 +#endif + #ifndef CONFIG_COMPAT #define BITS_PER_EVTCHN_WORD(d) BITS_PER_XEN_ULONG #else @@ -795,7 +801,7 @@ void watchdog_domain_destroy(struct domain *d); * Use this check when the following are both true: * - Using this feature or interface requires full access to the hardware * (that is, this would not be suitable for a driver domain) - * - There is never a reason to deny dom0 access to this + * - There is never a reason to deny the hardware domain access to this */ #define is_hardware_domain(_d) ((_d) == hardware_domain) @@ -804,7 +810,7 @@ void watchdog_domain_destroy(struct domain *d); * hardware_domain variable. This is necessary inside domain_create where * hardware_domain is NULL and for some checks implementing CONFIG_LATE_HWDOM. */ -#define is_hardware_domain_by_id(_d) ((_d)->domain_id == 0) +#define is_hardware_domain_by_id(_d) ((_d)->domain_id == hardware_domid) /* This check is for functionality specific to a control domain */ #define is_control_domain(_d) ((_d)->is_privileged) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index e722155..8ca1117 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -299,6 +299,12 @@ static XSM_INLINE char *xsm_show_security_evtchn(struct domain *d, const struct return NULL; } +static XSM_INLINE int xsm_init_hardware_domain(XSM_DEFAULT_ARG struct domain *d) +{ + XSM_ASSERT_ACTION(XSM_HOOK); + return xsm_default_action(action, current->domain, d); +} + static XSM_INLINE int xsm_get_pod_target(XSM_DEFAULT_ARG struct domain *d) { XSM_ASSERT_ACTION(XSM_PRIV); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 2cd3a3b..ef1c584 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -82,6 +82,7 @@ struct xsm_operations { int (*alloc_security_evtchn) (struct evtchn *chn); void (*free_security_evtchn) (struct evtchn *chn); char *(*show_security_evtchn) (struct domain *d, const struct evtchn *chn); + int (*init_hardware_domain) (struct domain *d); int (*get_pod_target) (struct domain *d); int (*set_pod_target) (struct domain *d); @@ -311,6 +312,11 @@ static inline char *xsm_show_security_evtchn (struct domain *d, const struct evt return xsm_ops->show_security_evtchn(d, chn); } +static inline int xsm_init_hardware_domain (xsm_default_t def, struct domain *d) +{ + return xsm_ops->init_hardware_domain(d); +} + static inline int xsm_get_pod_target (xsm_default_t def, struct domain *d) { return xsm_ops->get_pod_target(d); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index b79e10f..c2804f2 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -58,6 +58,8 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, alloc_security_evtchn); set_to_dummy_if_null(ops, free_security_evtchn); set_to_dummy_if_null(ops, show_security_evtchn); + set_to_dummy_if_null(ops, init_hardware_domain); + set_to_dummy_if_null(ops, get_pod_target); set_to_dummy_if_null(ops, set_pod_target); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 4ce31c9..f1a4a2d 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -327,6 +327,11 @@ static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *c return ctx; } +static int flask_init_hardware_domain(struct domain *d) +{ + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CREATE_HARDWARE_DOMAIN); +} + static int flask_grant_mapref(struct domain *d1, struct domain *d2, uint32_t flags) { @@ -1500,6 +1505,7 @@ static struct xsm_operations flask_ops = { .alloc_security_evtchn = flask_alloc_security_evtchn, .free_security_evtchn = flask_free_security_evtchn, .show_security_evtchn = flask_show_security_evtchn, + .init_hardware_domain = flask_init_hardware_domain, .get_pod_target = flask_get_pod_target, .set_pod_target = flask_set_pod_target, diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index a0ed13d..32371a9 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -198,6 +198,8 @@ class domain2 set_max_evtchn # XEN_DOMCTL_cacheflush cacheflush +# Creation of the hardware domain when it is not dom0 + create_hardware_domain } # Similar to class domain, but primarily contains domctls related to HVM domains -- 1.9.0 --------------050501020903070908010301 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --------------050501020903070908010301--