Jan Kiszka [Wed, 30 Jul 2014 18:54:38 +0000 (20:54 +0200)]
core/configs/tools: Remove ACPI support from hypervisor
The is no more user of the APCI table lookup. Remove this code as well
as the config memory region in the configuration files. Update the
config generator accordingly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 30 Jul 2014 16:15:43 +0000 (18:15 +0200)]
configs/tools: Describe DMAR units in config files
This prepares to switch from ACPI parsing to config file based DMAR unit
discovery. For simplicity reasons, we limit the number of supported DMAR
units to 8. Can be extended or made dynamic when needed.
Update the h87i config accordingly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 30 Jul 2014 15:15:46 +0000 (17:15 +0200)]
configs: Require Q35 machine model for QEMU-based test setup
With the introduction of config-based MMCONFIG parameters, it becomes
impossible to have one QEMU config for both its PC machines. Restrict
us to the one that will soon gain VT-d support: Q35.
Update README to reflect these requirements and changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 4 Aug 2014 08:41:52 +0000 (10:41 +0200)]
core: Disable PCI devices on removal
Switch off any bus master, MMIO and PIO dispatching when removing a
device from a cell. Also try to suppress INTx signals (not all devices
may respect this).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 4 Aug 2014 06:29:26 +0000 (08:29 +0200)]
core: Fix PCI device runtime ownership tracking
Trigger PCI device addition and removal from the PCI core and update the
cell field in the device state in order to track active ownership. The
vtd module now only provides callbacks to update its tables when adding
or removing a device.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 29 Jul 2014 18:34:24 +0000 (20:34 +0200)]
core: Introduce PCI device state
We will have to store a number of runtime state information for PCI
devices, specifically its owner. Allocate these states as an array
during cell creation and release them on cell destruction.
We can already use the structure to keep a reference to the cell the
device belongs to. This avoids having to pass this around over multiple
hops. It will also be used soon to encode runtime ownership by setting
or clearing the reference.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 29 Jul 2014 18:45:23 +0000 (20:45 +0200)]
core: Only perform PCI config space writes on PCI_ACCESS_PERFORM
If we emulate a config space write, we may be able to skip the physical
access completely. To model this, rename PCI_ACCESS_EMULATE to
PCI_ACCESS_DONE which signals to the caller of the moderation functions
that no physical access should be performed.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 3 Aug 2014 19:11:37 +0000 (21:11 +0200)]
core: Pass value directly to pci_cfg_write_moderate
Convert pass-by-reference to pass-by-value for the value
pci_cfg_write_moderate should handle. Reason: either we will emulate and
write in the context of the moderation, or we let the original value
pass as-is.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 27 Jul 2014 17:38:48 +0000 (19:38 +0200)]
core/configs/tools: Switch PCI configuration format to single BDF value
There is no value in splitting up the PCI device address in the config
format into bus and devfn. Fold them into a single value that can easier
be matched and is also easily be split up again via new helper macros
whenever needed.
This generates some work for locally maintained config file, sorry.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 27 Jul 2014 15:42:24 +0000 (17:42 +0200)]
core: Fix calculation of MMCONFIG region size
The PCI Firmware Specification says: "For PCI-X and PCI Express
platforms utilizing the enhanced configuration access method, the base
address of the memory mapped configuration space always corresponds to
bus number 0 (regardless of the start bus number decoded by the host
bridge) [...]." So drop the start bus from the size calculation.
Moreover, we had an off-by-one regarding end bus to size translation.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 27 Jul 2014 06:41:25 +0000 (08:41 +0200)]
inmates: pci-demo: Clear STATESTS before triggering the MSI
STATESTS may still have pending events which could prevent a MSI
delivery after controller reset. That reset doesn't clear them, so do
this explicitly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 3 Aug 2014 17:55:31 +0000 (19:55 +0200)]
x86: Block write access to IA32_APIC_BASE MSR
The hypervisor depends on a consistent APIC mode. So prevent that a cell
can mess it up. As the APIC is kept in the same state across cell
assignments, no cell has a need to change it.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 26 Jul 2014 06:17:46 +0000 (08:17 +0200)]
x86: Filter LVT delivery modes
Do not allow cells to program anything else than Fixed or NMI mode. NMIs
will still be swallowed by the hypervisor NMI interception path, so perf
& Co. remain broken.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 26 Jul 2014 05:45:22 +0000 (07:45 +0200)]
x86: Filter writes to reserved APIC register bits
Set up a bitmap for all xAPIC/x2APIC register that marks reserved bits
(or complete registers). Check to-be-written values against this bitmap
before executing accesses in hypervisor context.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 24 Jul 2014 17:16:59 +0000 (19:16 +0200)]
x86: Prevent getting stuck while trying to clear the APIC
If some interrupt source (typically a level-triggered IOAPIC pin)
continuously sends messages to the APIC we are trying to clear from
pending bits in ISR and IRR, we will get stuck in the hypervisor in an
interrupt storm.
Avoid this by limiting the number of handled interrupts to the number of
vectors we have. When reaching this limit, simply raise TPR to break out
of the loop. It's cleared again on exit from apic_clear, and the code
booting the CPU can handle the then pending interrupt itself. That's
almost like real hardware would behave (low-prio IRR bits may remain set
due to a stuck high-prio interrupt). However, only buggy SMP cells will
once be able to trigger this, IOAPIC pins of exitings cells will soon be
masked to prevent this scenario.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 23 Jul 2014 07:19:27 +0000 (09:19 +0200)]
core: Moderate access to PCI capabilities
Make use of the capability configuration and permit write access only to
explicitly configured capabilities. Read access is harmless as it is
free of side effects.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 20 Jul 2014 09:45:37 +0000 (11:45 +0200)]
tools/configs: Describe PCI capabilities in config files
Instead of parsing the PCI config spaces in the hypervisor, offload this
to the configuration generator. It will produce a (logically) linked
list of capabilities per device, their ID, start and length. Each
capability can furthermore be marked as writable by the cell.
Note that identical capability lists shared between multiple devices
will automatically folded into a single one. The user can duplicate and
customize them individually in a manual post-processing step.
Configurations are updated for QEMU, the H87i and the pci-demo cell.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 20 Jul 2014 22:13:15 +0000 (00:13 +0200)]
tools: config-create: Simplify optional file handling and generator mode
Stop passing exceptions from input_open to its callers: An optional file
can be returned as empty (derived from /dev/null), same on failures
during collector creation. The typical mode for input_open is 'r', so we
can save passing this explicitly in most cases. Same for optional which
is generally False.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 20 Jul 2014 18:01:10 +0000 (20:01 +0200)]
tools: config-create: Return empty dir list when running in generator mode
No point in returning valid results here. The files in this directory
may not be accessible for normal users, and then the collector
generation will fail prematurely.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 22 Jul 2014 16:48:19 +0000 (18:48 +0200)]
core: Fix error handling of MMCONFIG setup
If we have an MMCONFIG region, we must either successfully map it or
fail the initialization. Succeeding without setting up pci_space will
cause crashes later on when accessing it on behalf of a cell.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 22 Jul 2014 16:37:40 +0000 (18:37 +0200)]
x86: Enable unwinding from exception handler
Preserve the .eh_frame section for the linked hypervisor objection and
only remove it from the binary. Then add .cfi directives to the
exception entry code. This enables to use a debugger for unwinding from
the exception handler to the causing function and beyond (not perfect
due to missing stack frames, though).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 21 Jul 2014 18:22:08 +0000 (20:22 +0200)]
core: Rework PCI config space access handling
Move more logic into generic code by extending the write handler to
pci_cfg_write_moderate and introducing pci_cfg_read_moderate. These
handlers are responsible for any config space access, including to
unowned or non-existent devices. They can reject the access, return an
emulated value on read or a real value to be written to hardware, or
they instruct the caller to perform the access directly.
We already pass a reference to the issuing cell to the access handlers.
It stays unused for now but will be needed by succeeding changes. So
add it now to avoid changing API and callers once again later on.
This commit lays the foundation for capability access moderation and,
specifically, MSI/MSI-X emulation.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 20 Jul 2014 10:29:08 +0000 (12:29 +0200)]
configs: Clean up PIO bitmaps
Remove unneeded access permissions to PIC1 from all config. DMA and IDE
access is only relevant to QEMU in PIIX2 mode, so drop this from real
machines and the config template. ACPI access is also not needed during
typical operation, nor is it safe.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 23 Jul 2014 15:49:30 +0000 (17:49 +0200)]
x86: Re-park CPU while in wait-for-SIPI state
We may receive IPIs, e.g. to stop the CPU, while in wait-for-SIPI state.
In this case, we must park the CPU again before leaving
x86_handle_events. Currently, we resume CPU execution erroneously.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
tools: config-create: set default root cell name to RootCell
The cell name could end up as an empty string because it was derived
from optional input files. In fact just giving the root cell a fixed
default name seems to make more sense than to generate a name or require
users to provide one.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
tools: config-create: refuse to generate config if jailhouse is enabled
The input files used by the configuration generator might look different
on a system where jailhouse is enabled. Think missing cpus, pci devices etc.
Refuse to work with potentially corrupt input data.
Jan Kiszka [Fri, 18 Jul 2014 07:50:21 +0000 (09:50 +0200)]
inmates: Add PCI services to inmates framework
Provide library services for PCI config space access, bus scanning,
capability scanning (non-extended only so far) and MSI vector
programming (MSI-X to be added later).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 17 Jul 2014 18:50:33 +0000 (20:50 +0200)]
inmates: Add IOAPIC demo
Simply demonstration and test for using the IOAPIC within an non-root
cell: Rob the ACPI IRQ and wait for events on this line, e.g. a power
button push. Read the warning before using it.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 17 Jul 2014 15:18:21 +0000 (17:18 +0200)]
inmates: Add memory services to inmates framework
This adds a primitive memory allocator (without release) and a page
mapper (without unmap) to the inmates library. MMIO accessors are also
included. Those used for intercepted resources are encoded in assembly
to ensure that only supported instructions are used. With these
services, inmates can now access memory-mapped devices.
The allocator uses the lower memory starting from the first page.
Document this as well as the remaining memory layout.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 16 Jul 2014 19:49:25 +0000 (21:49 +0200)]
inmates: Factor our interrupt library services
This simplifies registering interrupt handlers and also moves the EOI
ACK into library code. Only 64-bit support so far. Still, we need to fix
the definition of s64/u64 and make read/write_msr compatible with 32-bit
builds.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 16 Jul 2014 11:46:49 +0000 (13:46 +0200)]
inmates: Map Comm Region always at 0x100000 for inmates framework
Standardize mapping and access to the Comm Region within the inmates
framework. Reduces the work to be done for new inmates. We will move it
higher once paging services are available so that larger inmates can be
created.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 16 Jul 2014 11:05:42 +0000 (13:05 +0200)]
inmates: Refactor folder structure
Move common code into inmates/lib and showcases into a inmates/demos to
prepare for a reusable and extensible inmates framework. Also split
along architecture dependencies, we will get code for non-x86 as well
one day.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 21 Jul 2014 06:48:07 +0000 (08:48 +0200)]
x86: Handle more SIB cases in MMIO instruction parser
This adds, among other things, support for using r12 as address register
in MMIO accesses. And it actually simplifies the code. We can ignore SS
and index in MOD 0 as these only affect the memory address we obtain
differently.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 17 Jul 2014 18:48:12 +0000 (20:48 +0200)]
x86: Add support for REX.B to MMIO instruction parser
In none of the supported modes, REX.B is relevant for us because we
obtain the memory address - which it influences by selecting the address
register - differently. Therefore, we can ignore this bit, extending the
set of supported MMIO instructions.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 8 Jul 2014 06:06:21 +0000 (08:06 +0200)]
x86: Fix argument widths of hypercall ABI
The x86 hypercall ABI defined 64-bit arguments and return codes so far.
However, our interface header took and returned only 32 bits. This
slipped through unnoticed because usually no physical addresses beyond
4G are passed to the Cell Create hypercall, the only place where it
practically matters.
Fix the issue and extend the ABI to support also 32-bit callers. We
define hypercall code and return value to be 32 bits, argument width are
now corresponding the the callers mode: 64 bits in IA-32e mode, 32 bits
otherwise. While the root cell still has to be in 64-bit mode, non-root
cells in other modes are now fine to invoke the hypercalls as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 7 Jul 2014 17:01:00 +0000 (19:01 +0200)]
x86: Clear APIC on every SIPI event
The current logic only ensures that we clear the APIC when the CPU
enters the virtual wait-for-SIPI state. However, this does not cover the
case when we transfer a CPU from the root to a non-root cell. We only
stop the CPU for this, and reset it directly via a pseudo SIPI. This
change moves the clearing to the point where we are about to deliver the
SIPI.
The change has the positive side effect of moving potentially costly
APIC clearing out of the control_lock.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Adding a helper script to generate a configuration for the root cell.
The script can also generate another script to collect all the necessary
files on a remote machine.
Both scripts can be accessed through the jailhouse command.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Jul 2014 14:41:17 +0000 (16:41 +0200)]
configs: Add Q35 machine support to QEMU VM
Add required PCI devices to the QEMU config so that it both works with
the default i440FX and the newer Q35 machine. This is transitional until
Q35 gains VT-d support, then we will drop i440FX bits.
Open the whole 0xC0xx port range for PCI devices to be more tolerant
regarding ordering or other changes.
At this chance, drop the unneeded permission to talk to the first legacy
PIC.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Jul 2014 09:32:14 +0000 (11:32 +0200)]
inmates/configs: Pick up PM timer address from Comm Region
Instead of probing it, use the information that is now provided via the
Communication Region. This requires to map the region also into the
tiny-demo cell.
We can now drop all explicit port permissions from the inmate's cell
configurations as this is now done automatically by the hypervisor.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Jul 2014 09:06:07 +0000 (11:06 +0200)]
x86: Provide PM timer access to all cells
Export the PM timer address via the Communication Region to non-root
cells and allow access to that port for all cells. This is safe as the
PM timer hardware is specified to be read-only.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Jul 2014 09:37:48 +0000 (11:37 +0200)]
x86: Allow to specify the PM timer address via the system configuration
This enables the hypervisor to forward the information to non-root cells
and to permit access to the resource. We could also parse the ACPI table
in the hypervisor, but this approach is much simpler.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 5 Jul 2014 06:48:59 +0000 (08:48 +0200)]
x86: Drop redundant vmx_invept
No need to call invept also on vmx_cell_init. We already perform this
for all cpus involved in a cell creation (root and new cell cpus) via
arch_config_commit.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>