Antonios Motakis [Fri, 17 Jun 2016 12:37:30 +0000 (14:37 +0200)]
core: panic_stop: print current cell only if it has been set
Currently during a panic, panic_stop will print the current cell
on the CPU where the panic occurred. However, if the hypervisor
panics sufficiently early during initialization, we may end up in
a situation where the root cell has not been initialized. This can
easily cause a trap loop, making the panic output less useful.
Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Dmitry Voytik [Fri, 17 Jun 2016 12:37:29 +0000 (14:37 +0200)]
driver: sync I-cache, D-cache and memory
Syncronize I-cache with D-cache after loading the hypervisor
image or a cell image. This must be done in arm64 according to
ARMv8 ARM spec. See page 1712, D3.4.6 "Non-cacheable accesses
and instruction caches".
This patch fixes coherency problems observed on real HW targets.
On x86 this operation is a NOP.
Antonios Motakis [Fri, 17 Jun 2016 12:37:29 +0000 (14:37 +0200)]
driver: ioremap the hypervisor firmware to any kernel address
At the moment the Linux driver maps the Jailhouse binary to
JAILHOUSE_BASE. The underlying assumption is that Linux may map the
firmware (in the Linux kernel space), to the same virtual address it
has been built to run from.
This assumption is unworkable on ARMv8 processors running in AArch64
mode. Kernel memory is allocated in a high address region, that is
not addressable from EL2, where the hypervisor will run from.
This patch removes the assumption, by introducing the
JAILHOUSE_BORROW_ROOT_PT define, which signals the behavior of the
current architectures.
We also turn the entry point in the header, into an offset from the
Jailhouse load address, so we can enter the image regardless of
where it will be mapped.
Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 23 Jun 2016 06:31:02 +0000 (08:31 +0200)]
arm: Fix byte-wise write access to GICD_ITARGETSRn
While expanding byte accesses to full words, we forgot to adjust the
address as well. This led to unaligned word accesses on writes, followed
by hypervisor aborts.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 19 Jun 2016 18:54:59 +0000 (20:54 +0200)]
gitignore: Remove user-specific rules
A project's .gitignore should be about project-specific rules, shared by
everyone compiling it. So, instead of adding more and more rules for
user-specific editors or tools, remove them completely and no longer
accept new ones. Users can easily define local rules, see gitignore man
page.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 16 Jun 2016 16:25:58 +0000 (18:25 +0200)]
arm: Enable / disable maintenance interrupt in distributor
We did not get any maintenance interrupts so far because we didn't
enable the source in the distributor so far. Fix this, but also disable
it again when shutting down.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 16 Jun 2016 14:28:19 +0000 (16:28 +0200)]
arm: Enable maintenance interrupt also from irqchip_set_pending
In case we set an interrupt pending for the local CPU and cannot queue
it with the hardware, make sure the maintenance interrupt is on.
Otherwise, we risk to delay guest interrupts or cause the guest to get
stuck.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 16 Jun 2016 09:07:46 +0000 (11:07 +0200)]
arm: Convert software queue of pending interrupts into a ring
This massively simplifies the code and reduces the memory usage in
struct per_cpu. However, adding interrupt priorities later on may
require another rework.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 16 Jun 2016 08:33:33 +0000 (10:33 +0200)]
arm: Make sure to not queue interrupt that were rejected as duplicates
If the inject_irq callback detect that an interrupt is already queued
in some list register, do not insert it into the software queue, thus
coalesce the event like real hardware does.
The change in the return code of inject_irq is more cosmetic, to reflect
the meaning better.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 14 Jun 2016 05:30:09 +0000 (07:30 +0200)]
arm: Disable maintenance interrupt on successful injection
We enable the maintenance interrupt when all list registers are in use.
However, there was no disabling of it again. Apparently, it rarely
triggered in the field, otherwise we would have seen a lot of
maintenance interrupt storms, thus locked-up systems.
This introduces another callback to enable or disable the maintenance
interrupt. It is now controlled by irqchip_inject_pending, the function
that is also called when handling a maintenance interrupt.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 13 Jun 2016 09:47:22 +0000 (11:47 +0200)]
arm: Use asm-defines.h for struct per_cpu members
Port the logic over from x86 and also drop CHECK_ASSUMPTION here.
The only slightly ugly detail: the PERCPU_SIZE_SHIFT define is now
duplicated in both asm/percpu.h instances because there is no good
generic header yet to hold it. Can be cleaned up later on.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
cyng93 [Sat, 11 Jun 2016 00:40:46 +0000 (08:40 +0800)]
Documentation: More BananaPi documentation
This patch include more details about how to setup Jailhouse on a BananaPi-M1 board.
Basically this documentation covered:
1. Installation of Bananian(BananaPi offical OS) on BananaPi
2. Modifying U-boot configuration on BananaPi to run Jailhouse.
3. Update Bananian to newer kernel so Jailhouse could works.
- Compiling Kernel.
- Installing Kernel.
4. Installing Jailhouse on BananaPi.
5. Simple demo/test: Running Jailhouse with Freertos-cell on BananaPi.
Signed-off-by: CHING-YI NG <cyng93@gmail.com>
[Jan: removed external media link showing FUSE selection - not needed] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 11 Jun 2016 17:00:13 +0000 (19:00 +0200)]
x86: Add missing include to amd_iommu.h
Reported by header-check script: We need this in the header due to the
use of struct jailhouse_memory. Consequently, we can remove the include
from the corresponding amd_iommu.c.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Xuguo Wang [Tue, 31 May 2016 03:44:16 +0000 (11:44 +0800)]
inmates/lib: cmdline.c
There is no point in checking for *p == 0 in the while loop,
after over the blanks, then checking for the parameters, if
find, return true, otherwise continue check the parameters,
if to the end of the cmdline, return false.
Signed-off-by: Xuguo Wang <huddy1985@gmail.com>
[Jan: also removed curly braces] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Georg Schiesser [Fri, 20 May 2016 18:07:06 +0000 (20:07 +0200)]
tools: fix missing hardware-check after make install
Add the new hardware-check script to the HELPERS, such that
"make install" will install it properly, just like the other
scripts, into: $DESTDIR/usr/local/libexec/jailhouse/
Signed-off-by: Georg Schiesser <georg.schiesser@opentech.at> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 18 May 2016 23:17:13 +0000 (01:17 +0200)]
tools: Add hardware feature check
The hypervisor itself is not very helpful when it comes to analyzing
feature deficits of the target platform. This adds another extension
script to the jailhouse command which checks the hardware using the
same key criteria that also the hypervisor applied.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Georg Schiesser [Tue, 10 May 2016 21:40:10 +0000 (23:40 +0200)]
tools: fix gcc sign-compare warnings
Cosmetic change to avoid multiple gcc sign-compare warnings between
signed int argc and unsigned int arg_num, both being small and
non-negative. Alternatively, we could use unsigned int argc or
disable the warning with gcc -Wno-sign-compare.
Signed-off-by: Georg Schiesser <georg.schiesser@opentech.at>
[Jan: reordered lines for visual pleasure] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Georg Schiesser [Tue, 10 May 2016 21:39:42 +0000 (23:39 +0200)]
configs: fixed typo in e1000-demo pio_bitmap
The pio_bitmap initialization incorrectly assigns overlapping ranges to
different values, similar to commit 886ca63f. As Jan pointed out:
"Fortunately, it was harmless because succeeding initializations
overwrote this exceeding one."
see also: https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html
Signed-off-by: Georg Schiesser <georg.schiesser@opentech.at> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 7 May 2016 17:02:28 +0000 (19:02 +0200)]
x86: Block DMA from unlisted devices in AMD IOMMU
Invalid device table entries in the AMD IOMMU mean that those devices
are actually allowed to perform DMA requests and issue interrupts. We
have to avoid this case because only devices listed in a config are
permitted to do so. We already achieve this effect when removing an
existing device from the table, but we have to ensure it also for any
unlisted device.
Devices with IDs not covered by any table are blocked by the IOMMU, see
AMD I/O Virtualization Technology spec, 2.2.2.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 9 May 2016 17:55:45 +0000 (19:55 +0200)]
x86: Use safer pattern with AMD IOMMU to block DMA requests
The AMD IOMMU spec is not 100% clear if a device table entry with V=1
but TV=0 implies that DMA requests from that device are blocked. Play
safe and use the pattern that Linux uses as well: TV=1, Mode=0 and IW as
well as IR cleared.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
driver: fix unsigned long overflow in leave_hypervisor
When shutting down the hypervisor, in the leave_hypervisor
function, the Linux driver touches every hypervisor page, to
ensure all pages are mapped. However, the current implementation
assumes hv_core_and_percpu_size is aligned to PAGE_SIZE. This may
not be the case, if PAGE_SIZE is different on the hypervisor side.
This can cause an unsigned long overflow, leading to an infinite
loop of touching successive pages starting from hypervisor_mem.
The loop will be broken as soon as Linux tries to touch an invalid
page, leading to a kernel crash.
Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
core: map the zero page to the full hypervisor memory region
During initialization, in init_early, the hypervisor maps the
memory used by the hypervisor with empty pages for the root cell.
However, if the root cell tries to access the region used by the
hypervisor, this is only safe if both sides agree on PAGE_SIZE.
It is a long shot to try to guess the granularity used by the
root cell; the safest bet is to map the full range that has been
allocated for the hypervisor to use.
Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 1 Mar 2016 22:31:31 +0000 (23:31 +0100)]
x86: Unify AMD page tables for CPU and IOMMU
This exploits AMD's architecture feature that you can reuse the nested
page tables also for the IOMMU.
Both tables have the same depth (4), share the same address fields, the
valid bit - but all other bits are separate. Therefore, we need to
enhance the NPT paging handlers so that they fold both bit sets into an
entry.
The rewards are saving of several lines of code as well as a bunch of
hypervisor pages (typically some dozen).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Add iommu_pending_faults() for amd_iommu. This looks into
Hardware Event Register first, and then loops over the event log
printing what's in it. This way, we don't miss errors that happen
when event logging is unavailable.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: Cleanups] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Add functions to read event logs AMD IOMMU provides and print their
contents. The latter is rather basic, but decoding all possible log
entries is hairy, so we'd better wait and collect stats which
problems occur most often.
Jan Kiszka [Wed, 15 Jul 2015 19:34:47 +0000 (00:34 +0500)]
x86: Add iommu_commit_config() for amd_iommu
Implement functions to apply configuration for an IOMMU.
In case something goes wrong, we need to trigger an NMI, which
amd_iommu_init_fault_nmi() configures.
Based on patch by Valentine Sinitsyn.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 15 Jul 2015 19:13:05 +0000 (00:13 +0500)]
x86: Add device management functions for amd_iommu
Implement iommu_add_pci_device() for amd_iommu.
Basically, this is all about filling DTE entry. However, there is no way
to allocate device tables sparsely with ADM IOMMU. To save some memory,
Device Table Segmentation (Revision 2.6 and up) is used whenever possible,
and this adds some infrastructure.
Based on patch by Valentine Sinitsyn.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Add basic infrastructure (heavily influenced by Linux amd_iommu driver)
to submit commands to AMD IOMMU command buffer. For now, having only
INVALIDATE_IOMMU_PAGES and COMPLETION_WAIT seems to be sufficient.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: Cleanups, simplification of draining] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 1 Mar 2016 06:15:38 +0000 (07:15 +0100)]
x86: Extend bit range returned by x86_64_get_flags
In order to support also the AMD IOMMU with x86_64_paging, we extend
the set of bits returned by get_flags handler. We now include all bits
ignored by the MMU, which includes the bits relevant for the AMD IOMMU.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 13 Mar 2015 17:41:02 +0000 (22:41 +0500)]
core, configs, tools: Add AMD-specific fields to struct jailhouse_iommu
For AMD, we also need to store the PCI address, capability offset and
IOMMU feature bits coming from ACPI (overwriting what the hardware
reports) in the cell configuration file.
Based on patches by Valentine Sinitsyn.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Feb 2016 09:19:54 +0000 (10:19 +0100)]
x86: Filter out physical address that can't be handled by DMAR units
Make sure that we do not try to program DMAR page tables with physical
addresses beyond the supported range (39 or 48 bits, depending on the
page table levels).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 20 Feb 2016 18:10:22 +0000 (19:10 +0100)]
x86: Account for DMAR units with multi-page register sets
The fault reporting registers we use may be placed in a 2nd or even 3rd
page. Account for such cases by using the MMIO region size now provided
via the system config.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 20 Feb 2016 18:09:49 +0000 (19:09 +0100)]
core, configs, tools: Prepare for variable IOMMU register set sizes
Introduce a size field to struct jailhouse_iommu and fill it via the
config generator. The information can be retrieved from the ACPI tables
for AMD. On Intel, we need to study the Linux mappings, thus we need to
demand that DMAR is enabled now while retrieving system information.
Based on patches by Valentine Sinitsyn.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
For both AMD and Intel, we need to store not only base address but also
a size to map the complete MMIO region. Moreover, AMD requires a number
of PCI device parameters for the IOMMU. Introduce struct jailhouse_iommu
that will encapsulate all required data.
Based on patches by Valentine Sinitsyn.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 3 Feb 2016 17:55:23 +0000 (18:55 +0100)]
inmates: e1000-demo: Enable queues explicitly
Newer NICs require us to enable the RX and TX queue. Although they
should be on after reset, at least the I350 refuses to work otherwise.
As the related bit is harmless or even unused on older NICs, do this
unconditionally (just like ipxe does).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 26 Jan 2016 08:27:40 +0000 (09:27 +0100)]
x86: Make debug UART port configurable via system config
We already allow to enable a VGA console via the system config, so let's
make the UART port configurable this way as well: phys_start will hold
the port, and flags must not have JAILHOUSE_MEM_IO set, in order to
differentiate us from the memory-mapped VGA console. And by leaving
phys_start at 0, we can even turn off the console now.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
projects / jailhouse.git / log