Jan Kiszka [Mon, 29 Sep 2014 06:55:24 +0000 (08:55 +0200)]
driver: Use hypervisor's version.h
Let the driver module depend on the hypervisor subdir. This allows us to
reuse the version.h generated by the hypervisor build also for the
driver. They were identical.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 20:28:46 +0000 (22:28 +0200)]
x86: Disentangle circular dependency of percpu.h and vmx.h
Move the struct vmcs to where it really belongs: vmx.h. This requires
including of the latter file from percpu.h. Enable this via a forward-
declaration of struct per_cpu in vmx.h. And now that we split things up,
we can move the vmx_state enum as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 08:11:57 +0000 (10:11 +0200)]
core: Factor out generic jailhouse/types.h
Some types in the architecture-specific header are in fact generic. Move
them into a separate header and include this one directly from now on.
Document cpu_set at this chance according to doxygen style.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds doxygen-style documentation for public parts of the page
management subsystem. Again we place documentation of architecture-
provided entities in the generic header.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:33:25 +0000 (18:33 +0200)]
core: Document PCI subsystem interfaces
Convert existing kernel-doc comments to doxygen style and add missing
functions and structure descriptions for public interfaces. Architecture
specific functions are documented in the headers to avoid duplications
at the implementation site.
No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:30:39 +0000 (18:30 +0200)]
core: Prefix arch-specific PCI functions properly
Add the "arch_"-prefix to pci_suppress_msi, pci_update_msi and
pci_update_msix_vector. This clearly signals that those functions have
to be implemented by the architecture support.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 13:06:40 +0000 (15:06 +0200)]
Documentation: Add Doxygen infrastructure
We diverge from Linux kernel style and use Doxygen as our code
documentation generator, see [1] for the reasoning. This adds the
required build infrastructure. Run "make docs" to trigger it (not
automatically done via other targets).
inmates: pci: allow pci_find_device to discover multiple devices
Systems can have more than one PCI device with the same vendor/device
id pair. Change the discovery helper to allow searching for more than
just the first bdf.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
It turned out to break 32-bit architectures: At least core_size and
entry must be of the size the hypervisor uses for pointers, otherwise
link-time initialization of those fields fails.
We will need a more sophisticated solution if including the header in
i386 mode is really necessary.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:24:10 +0000 (18:24 +0200)]
tooling: Fix gen_version_h to query git support for the correct repository
The initial git availability check ran in the kernel directory instead
of the Jailhouse source tree. Fix it by moving the cd before it. Also
quote the input path properly at this chance.
Reported-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:27 +0000 (15:08 +0200)]
core: make the jailhouse-header arch-independent
The header of jailhouse is defined with arch-dependent types such as
`unsigned long` which on linux varies in size. Because this header can
be considered the "communication"-relay with the environment, it should
be type-safe on any arch. Thus change all types into fixed-size-types.
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: adjusted jailhouse_entry to keep unsigned int]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:26 +0000 (15:08 +0200)]
x86: make the x86 types-definitions work on either x86-32 and x86-64
For Intel TXT we will need to work in 32bit mode for a limited amount of
time. To make sure we can use certain headers and definitions safely in
both modes, change the definition of `u64` to use `long long` instead of
`long` (which changes its length depending on the arch).
Furthermore, the x86-header defines a macro BITS_PER_LONG, currently we
define this always as `64`. To make this usable for the TXT-stub, hide
this behind an `ifndef`. The current hypervisor-code won't be affected
by this change and we can define this for the TXT-stub with our tooling,
thus make the header usable in both modes.
Signed-off-by: Benjamin Block <bebl@mageta.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
tools: config create: change the way input files are handled
Switch from automatically generated lists of input files to
hand-maintained ones. Generating the lists turned out to make the code
less readable. All the parse-functions would have to be called just to
collect their opens.
Now we still use the input_open wrapper to prefix the opens with the
root_dir and we make sure that the file one is trying to open is listed
as an input file and will therefore be collected by the collector.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 20 Sep 2014 11:21:39 +0000 (13:21 +0200)]
core/driver: Rework obtaining of maximum number of CPUs
num_possible_cpus() actually counts the possible CPUs and does not
necessarily return the maximum CPU ID + 1, the value Jailhouse needs.
Fix this by deriving that value from the root cell's CPU set. Rename
the header field correspondingly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 19 Sep 2014 05:53:06 +0000 (07:53 +0200)]
core: Validate CPU ID before using it
Currently, Linux ensures that we have enough room in the per-CPU data
area when calling the entry function with a specific CPU ID. That will
change as we will allocate only as much as required for a given system
configuration. To avoid that we would then dereference some out of
bounds CPU data because of an invalid CPU ID, always perform the ID
check before using the data structure.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
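The two commits above ("Rework obtaining of maximum number of CPUs" and "Validate CPU ID before using it") fit together, as this added example shows; it is not Jailhouse code. The bitmap layout, `percpu_slot`, `percpu_area` and all function names are assumptions made for illustration, and the CPU set is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: root-cell CPU set containing CPU IDs 0, 2, 5 and 9.
 * Bit n of the bitmap stands for CPU ID n (assumed layout). */
static const uint8_t sample_cpu_set[] = { 0x25, 0x02 };

static int cpu_in_set(const uint8_t *set, size_t bit)
{
	return (set[bit / 8] >> (bit % 8)) & 1;
}

/* How many CPUs are in the set: the figure a "count the possible CPUs"
 * call reports. */
static unsigned int cpu_set_count(const uint8_t *set, size_t bytes)
{
	unsigned int n = 0;

	for (size_t bit = 0; bit < bytes * 8; bit++)
		n += cpu_in_set(set, bit);
	return n;
}

/* Highest CPU ID in the set plus one: the number of per-CPU slots that
 * must exist so that every valid ID indexes inside the area. */
static unsigned int cpu_set_max_cpus(const uint8_t *set, size_t bytes)
{
	for (size_t bit = bytes * 8; bit > 0; bit--)
		if (cpu_in_set(set, bit - 1))
			return (unsigned int)bit;
	return 0;
}

struct percpu_slot { unsigned int cpu_id; };   /* hypothetical per-CPU data */
static struct percpu_slot percpu_area[16];     /* backing store for the demo */

/* Entry-path check: reject the ID before it is used as an index. */
static struct percpu_slot *percpu_lookup(unsigned int max_cpus,
					 unsigned int cpu_id)
{
	if (cpu_id >= max_cpus)
		return NULL;
	return &percpu_area[cpu_id];
}

int main(void)
{
	unsigned int count = cpu_set_count(sample_cpu_set, sizeof(sample_cpu_set));
	unsigned int max = cpu_set_max_cpus(sample_cpu_set, sizeof(sample_cpu_set));

	printf("CPUs in set: %u, slots needed: %u\n", count, max);
	printf("CPU 9 with %u slots: %s\n", max,
	       percpu_lookup(max, 9) ? "ok" : "rejected");
	printf("CPU 9 with %u slots: %s\n", count,
	       percpu_lookup(count, 9) ? "ok" : "rejected");
	printf("CPU 10 with %u slots: %s\n", max,
	       percpu_lookup(max, 10) ? "ok" : "rejected");
	return 0;
}
```

With a sparse set the count (4) is smaller than the highest ID plus one (10), so an area sized by the count has no slot for CPU 9; the range check turns that case into a rejected call instead of an out-of-bounds access.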
Jan Kiszka [Fri, 19 Sep 2014 07:17:29 +0000 (09:17 +0200)]
core: Calculate core and per-CPU data region size differently
Use pointer arithmetic to obtain the size of the region that contains
the hypervisor core and the per-CPU data structures. system_config tells
us where it ends.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The qemu VM will have a floppy drive and we cannot tell Qemu to not
emulate one. Now if the guest kernel has a driver for a floppy drive we
can get violations on "jailhouse enable". Off-the-shelf distro kernels
will have floppy support so we need to whitelist the floppy ports in the
qemu root cell config.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds a simple Ethernet ping-ping via Intel E1000-based NICs. Run
two instances in the same network, and the first will become the test
controller while the second instance to show up will be the target.
Round trip times will be measured and dumped by the controller. This can
surely be further improved, and there are still some stability issues
(measurement stops on lost packet). It's a start.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:17 +0000 (14:53 +0200)]
tooling: extracts common install-definitions into a central include
After adding install-rules to the tools- and root-Makefile we have some
redundancies in some variables and definitions (e.g.: $(INSTALL)). To fix
this, extract all duplications and general definitions concerning the
install-process into one central Makefile-include `install.mk`.
This also unifies the way directories are created for
installation-rules. Previously we would just create them every time
without checking if that is needed. Now we add them as prerequisite to
the install-rule and generate a rule for each of them in `install.mk`.
This way `make` will figure out if they need to be created. This also
lowers the verboseness of the Makefile.
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: moved install.mk to scripts folder]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:16 +0000 (14:53 +0200)]
tooling: add recursive tools-build and proper install-rules to the root Makefile
To build the jailhouse-tools, one has to make separate make-calls in
each of their directories. This is fixed by adding simple recursive rules to
the root-Makefile. This also makes sure, that we always build both and
don't get incompatible versions during development.
This patch also adds proper install-rules to the root-Makefile. We added
them to our tools-Makefile, so we should also add them here. This only
concerns the hypervisor-image-file at the moment.
Signed-off-by: Benjamin Block <bebl@mageta.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:15 +0000 (14:53 +0200)]
tooling: split Kbuild-related rules from the main Makefile
Split all parts of the main Makefile, that are only related to the
kernel build-system, into their own file (Kbuild). When invoked, this
file will be searched first for additional rules by the kernel
build-system.
The remaining rules in our own root-Makefile will not be seen by the
kernel build-system anymore and thus are easier to extend.
Also, change some variable-names to fit those suggested by the
kernel-documentation (Documentation/kbuild/modules.txt).
Signed-off-by: Benjamin Block <bebl@mageta.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In dash, echo is a builtin that does not support -e; as a result, we did
generate broken header files on Ubuntu and newer Debian systems.
For make_release just enforce bash as the shell of our choice.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 28 Aug 2014 11:32:35 +0000 (13:32 +0200)]
tools: Add Version information to command line tool
Dump the static version tag from the management tool when invoked with
"--version". We don't need precise git-based tracking here as interfaces
are fairly decoupled now.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 28 Aug 2014 11:36:18 +0000 (13:36 +0200)]
tools: Remove dependency of jailhouse tool on cell-config.h
Two things caused jailhouse.h and, thus, tools/jailhouse.c to depend on
the cell configuration header: the definition of the JAILHOUSE_ENABLE
IOCTL and the maximum cell name length in config files.
The first dependency is not only unneeded (the command line tool passed
an uninterpreted blob via JAILHOUSE_ENABLE), it also made the driver
ABI change each time we updated the config format. So replace the
reference to struct jailhouse_system in JAILHOUSE_ENABLE with a symbolic
"void *".
The second dependency is also unneeded: While the name length used in
configs and, thus, also inside the driver to reference cells should be
identical to the lengths we use in struct jailhouse_cell_id, there is no
hard dependency. In the worst case (different lengths), we would fail to
address cells by name. However, these lengths are unlikely to change. So
simply define our own name length for that struct and test for
deviations during the driver build.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:35:15 +0000 (20:35 +0200)]
tools: Add installation rules
This installs the jailhouse tool, its helper scripts and the template
files to standard, configurable directories. We patch the config
generator on installation so that the target version is aware of the
chosen data directory.
Note that installing the bash completion is left up to the user. There
is apparently no distro-independent way to achieve this.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:33:21 +0000 (20:33 +0200)]
tools: Hide some secondary build commands
By default, hide commands that are not essential for following the build
(or installation) process. Those can still be revealed by specifying
V=1. chmod is a first candidate.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:28:33 +0000 (20:28 +0200)]
tools: config-create: Add support for using a data directory
Once installed, the jailhouse-config-create has to be able to use a data
directory for finding its templates. That dir will typically be
different from the one where the script is located. Prepare for this by
providing a datadir variable assignment that can be patched during
installation.
When running from the source tree, we continue to use that directory as
default template dir.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 19:03:14 +0000 (21:03 +0200)]
tools: jailhouse: Use a libexec subdir for extension scripts
We want our extension scripts to be under a standard directory, namely
$libexecdir/<package>. As libexecdir may be overwritten during
installation, accept it from the Makefile via a define.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 27 Aug 2014 17:40:52 +0000 (19:40 +0200)]
tools: add bash-completion for the jailhouse-tool
Because `jailhouse` is the main user-interface to the VM and some
command-chains are quite verbose (create, enable, cell create, cell
load, ...) it is very convenient to have a working bash-completion for
it.
This completes all current uses, although it is very static in some
places (as is the jh-tool) - some arguments are only expected at certain
positions, etc.
For it to work, you need to have the `jailhouse`-tool in your
PATH-variable (obviously for the tool itself to work, you will likely
also need all other tools in PATH). Then just run
> . tools/jailhouse_bashcompletion
and it should work. You also need the bash-completion package installed
on your distribution and activated in your bash, otherwise the
source-operation will do nothing. For more details please read the
header of the file.
Known Bug: cell-names as argument for the cell-subcommands can't contain
spaces
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: removed restriction to .bin files]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 26 Aug 2014 16:50:15 +0000 (18:50 +0200)]
tools: config-create: Place hypervisor and inmates at default addresses
If no location is specified and no memmap is found, use the default
address 0x3b000000 for the hypervisor and inmates region. This reduces
the need for adapting the included cell demo configs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 12 Aug 2014 08:09:02 +0000 (10:09 +0200)]
Update TODO
Remove recently added features, and also support for HPET MSIs (unused
on modern CPUs with proper APICs). Add a check for virtualized
environment (safety requirement) and the to-be-clarified topic NMI
status/control port.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 24 Aug 2014 22:23:39 +0000 (00:23 +0200)]
configs/README: Fix and update QEMU config and demo description
The config file was no longer in sync with the setup described in the
README. Moreover, we should include the HDA audio device in the QEMU
command line so that the pci-demo can be run. Update and enhance the
step-wise introduction in the README accordingly.
Include the virtio-9p-pci device in the config although we are not
referring to it in the README. It's an optional device at 00:1f.7, used
for local testings only.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 24 Aug 2014 23:00:33 +0000 (01:00 +0200)]
configs: Release only ports 0x60, 0x61 and 0x64 to root cells
The i8042 is now moderated, just the NMI control registers needs a
second look and thought. Other ports in the range 0x60..0x67 should be
unused or are not wired up.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 24 Aug 2014 18:53:10 +0000 (20:53 +0200)]
x86: Add i8042 moderation
To avoid that a cell can trigger a system reset or fiddle with the A20
gate via the keyboard controller i8042, intercept the command register
access. This happens for all cells, even when port access is granted.
The filter will only perform the access on behalf of the cell if port
access is granted in the cell's PIO bitmap - and the output port of the
i8042 is not touched as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
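The filtering rule described in the i8042 commit above, as an added example that is not Jailhouse's implementation. The verdict enum, function names and the "set bit = access denied" bitmap convention are assumptions; the blocked command values are the standard i8042 "write output port" (0xd1) and "pulse output lines" (0xf0..0xff) commands, and the sample bitmap releases only ports 0x60, 0x61 and 0x64.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I8042_CMD_REG        0x64  /* command register port */
#define I8042_CMD_WRITE_OUT  0xd1  /* write output port (A20 gate, reset line) */
#define I8042_CMD_PULSE_OUT  0xf0  /* 0xf0..0xff pulse output lines, 0xfe = reset */
#define PIO_BITMAP_BYTES     (65536 / 8)

enum pio_verdict { PIO_FORWARD, PIO_DENY, PIO_NOT_FILTERED };

/* Assumed convention: one bit per I/O port, set bit = access denied. */
static bool pio_denied(const uint8_t *bitmap, uint16_t port)
{
	return (bitmap[port / 8] >> (port % 8)) & 1;
}

/* Applied to every cell, whether or not the bitmap grants the port. */
static enum pio_verdict i8042_filter(const uint8_t *bitmap, uint16_t port,
				     bool is_write, uint8_t value)
{
	if (port != I8042_CMD_REG)
		return PIO_NOT_FILTERED;  /* left to the normal bitmap handling */
	if (pio_denied(bitmap, port))
		return PIO_DENY;          /* cell has no right to the port at all */
	if (is_write && (value == I8042_CMD_WRITE_OUT ||
			 (value & 0xf0) == I8042_CMD_PULSE_OUT))
		return PIO_DENY;          /* command would touch the output port */
	return PIO_FORWARD;               /* perform the access for the cell */
}

/* Constructed sample bitmap: everything denied, optionally releasing the
 * three ports named in the configs commit (0x60, 0x61, 0x64). */
static const uint8_t *sample_bitmap(bool release_i8042)
{
	static uint8_t bitmap[PIO_BITMAP_BYTES];
	static const uint16_t released[] = { 0x60, 0x61, 0x64 };

	memset(bitmap, 0xff, sizeof(bitmap));
	for (size_t i = 0; release_i8042 && i < 3; i++)
		bitmap[released[i] / 8] &= (uint8_t)~(1u << (released[i] % 8));
	return bitmap;
}

/* Convenience wrapper so a caller needs no buffer of its own. */
static enum pio_verdict sample_verdict(bool release_i8042, uint16_t port,
				       bool is_write, uint8_t value)
{
	return i8042_filter(sample_bitmap(release_i8042), port, is_write, value);
}

int main(void)
{
	printf("write 0xfe to 0x64: %d\n", sample_verdict(true, 0x64, true, 0xfe));
	printf("write 0xd1 to 0x64: %d\n", sample_verdict(true, 0x64, true, 0xd1));
	printf("write 0xaa to 0x64: %d\n", sample_verdict(true, 0x64, true, 0xaa));
	printf("read status 0x64:   %d\n", sample_verdict(true, 0x64, false, 0));
	return 0;
}
```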
Jan Kiszka [Sun, 24 Aug 2014 18:49:40 +0000 (20:49 +0200)]
x86: Prepare PIO error reporting for multiple filters
To prepare the addition of the i8042 filter, rework the PIO access error
reporting so that only unhandled errors are printed by the dispatcher.
The PCI config space handler is extended to dump a specific message.
This pattern is analogous to MMIO handling.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 22 Aug 2014 05:24:03 +0000 (07:24 +0200)]
core: Remove cpu_data parameter from panic_stop/halt functions
In many cases, we had no chance to pass a proper cpu_data to these
functions anyway. These days we have this_*() and can make use of it
also for panic stopping/halting.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 19 Aug 2014 13:47:47 +0000 (15:47 +0200)]
x86: Emulate interrupt remapping support to enable x2APIC usage
If we want to use x2APIC on real hardware (virtual machines do not have
this limitation), interrupt remapping has to be enabled. As we take over
hardware control from Linux, we either have to switch the APIC modes on
handover (tricky specifically for x2APIC->xAPIC) or let Linux boot with
interrupt remapping already enabled. We choose the latter way as the
cleaner one that also allows us to run Linux without xAPIC emulation
(non-root cells are expected to use the x2APIC unconditionally).
IR emulation requires both the interpretation of the interrupt remapping
table that Linux uses (vtd_get_remapped_root_int) as well as basic
queued invalidation emulation (vtd_emulate_qi_request). We also need to
handle FSTS register reads, but we simply return 0 here and let
Jailhouse report all faults.
Physical addresses provided by Linux via registers and data structures are
mapped on demand into the hypervisor. This avoids that we create a
static mapping that depends on Linux-controlled parameters (would be bad
for check-summing). We also make sure this way that the addressed memory
still belongs to Linux.
Returning IR and QI to Linux is more complex than stealing it because we
not only have to load overwritten registers with their original values:
the Invalidation Queue Head cannot be set by software. Instead, we need
to inject dummy invalidation wait requests until the hardware reaches
the value Linux expects.
Note that this IR emulation feature is solely designed to be used by the
root cell. Non-root cells have to continue to program the virtualized
interrupt registers of assigned devices.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 11:50:39 +0000 (13:50 +0200)]
core: Validate access mode on guest page mappings
This extends [arch_]page_map_gphys2phys and also page_map_gvirt2gphys to
accept the required access mode for the target address and make them
validate if the guest would succeed when doing this on its own.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 11:46:31 +0000 (13:46 +0200)]
core: Extend entry_valid paging callback to check for flags
Generalize the entry_valid callback of paging_structures to test for a
given set of flags, not only the present flag. This will allow us to
validate the access mode on guest and 2nd-level page table walks. For
now we just continue to test PAGE_PRESENT_FLAGS.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 08:35:40 +0000 (10:35 +0200)]
core: Switch cell_create to page_map_get_guest_pages
This consolidates the code and provides us guest address validation. The
latter is not yet critical as the configuration file may mess up much
more, but it's nice to have and may be beneficial once we can validate
configurations in some Linux-independent way.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 22 Aug 2014 07:11:19 +0000 (09:11 +0200)]
core: Remove cpu_data parameter from page_map_get_guest_pages
page_map_get_guest_pages is only allowed to work against the current
CPU. Now that we have this_cpu_data(), we can remove that parameter
from page_map_get_guest_pages to encode this in the API.
This also affects some (indirect) callers positively.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 07:16:48 +0000 (09:16 +0200)]
core: Enhance page_map_get_guest_page(s)
Generalize page_map_get_guest_page to map multiple pages in a single
run. Moreover, accept both guest-physical and guest-virtual addresses as
input: if pg_structs is NULL, a physical address is provided.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 21:08:44 +0000 (23:08 +0200)]
core: Introduce accessors for current per_cpu fields
Reserve a register for a quick lookup of fields in the current per_cpu
data structure and enable the address, cpu_id and cell for such direct
access. The accessors are named this_<field>().
This will allow us to avoid passing context references around to deeply
nested users.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 21 Aug 2014 04:47:35 +0000 (06:47 +0200)]
x86: Introduce x2apic_filter_logical_dest
This helper matches a logical destination mask, redirection hint
enabled, against a cell CPU set and removes all the CPUs from the mask
that are not part of the cell. This can be used to filter/validate IRTE
parameters before programming them.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 22 Aug 2014 06:22:18 +0000 (08:22 +0200)]
core: Let arch_init_late decide when to map memory regions
When VT-d emulation is used on x86, we will have to access the root cell's
memory during interrupt handover. This requires us to map the memory
regions right after vtd_init.
To enable this, move the decision when to map the regions into the hands
of arch_init_late. We provide map_root_memory_regions for this.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 20 Aug 2014 17:28:12 +0000 (19:28 +0200)]
core: Reorder CPU initialization during setup
Make sure all CPUs are initialized prior to running the late setup. On
x86, we need the APIC map to be fully populated before performing the
VT-d handover.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 20 Aug 2014 07:08:01 +0000 (09:08 +0200)]
core/configs/tools: Report IOMMU association of devices via config file
We will need this information for emulating VT-d for the root cell:
Add an iommu field to the PCI device config structure and encode the
unit number in the id field of the IOAPIC's irqchip structure.
The config generator fills the fields according to the DMAR ACPI table.
However, we do not yet understand all exotic forms of Device Scope
structures.
If it turns out that there are PCI devices without any IOMMU
association, refuse to generate a config file - such systems are
unsupported (with the temporary exception of AMD platforms).
Update the h87i config accordingly. QEMU currently only exposes a single
DMAR unit, thus the implicit zero-initialization is fine. As the IOMMU
number is only used in the context of the root cell, ioapic-demo and
pci-demo require no updates as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>