Jan Kiszka [Sat, 14 Jun 2014 06:36:57 +0000 (08:36 +0200)]
core/driver: Extend "CPU Get State" to "CPU Get Info" hypercall
Add a second argument to control which per-cpu information shall be
retrieved via JAILHOUSE_HC_CPU_GET_INFO. For now there will only be
JAILHOUSE_CPU_INFO_STATE, providing the original hypercall service.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 13 Jun 2014 13:08:27 +0000 (15:08 +0200)]
core: Clean up jailhouse_system_config_size
Instead of open-coding the content of struct jailhouse_system for
calculating its size, simply adjust sizeof(*system) by that part of
system->system that is already included in jailhouse_cell_config_size().
Simplifies future extensions of struct jailhouse_system.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 2 Jun 2014 10:17:48 +0000 (12:17 +0200)]
x86: Add support for IOAPIC access control
This adds basic access control to the IOAPIC. Based on the IRQ chip
configuration, we permit or deny writing to redirection table entries.
This may require integration with interrupt remapping later on.
We furthermore allow reads from other valid IOAPIC registers but deny
any other write accesses.
EOI writing is currently passed through. This will have to be revisited
as well when interrupt remapping is added.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 2 Jun 2014 10:11:27 +0000 (12:11 +0200)]
core/configs: Change IRQ line access control modeling
Change the configuration file to manage access to IRQ lines at IRQ chip
level. Each IRQ chip config entry consists of an address, typically the
chip's MMIO address, a unique identifier that will be used for interrupt
remapping on x86, and a bitmap controlling access to individual IRQ pins
of that chip. This will simplify access control checks to IRQ chips.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 11 Jun 2014 17:31:16 +0000 (19:31 +0200)]
x86: Park a CPU when a VM entry failed
Do not give up a CPU if only VM entry failed. For whatever reason, we
may have loaded an invalid CPU state from which we can still recover by
resetting the virtual CPU. This also simplifies the exit handling.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 6 Jun 2014 07:05:11 +0000 (09:05 +0200)]
x86: Refactor vtd constant definitions
Make use of BIT_MASK and refactor the constant definitions used for vtd
into a consistent form that is more easily verifiable against the spec.
Drop some unused constants.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 5 Jun 2014 14:42:36 +0000 (16:42 +0200)]
core: Generic memory region mapping for cell creation with rollback on errors
Pull the memory region mappings that currently happen in vmx and vtd
into generic code paths. This allows us to properly roll back on errors
during cell creation.
We now perform the arch-specific cell initialization first, then
transfer CPUs and finally remap the memory regions. For the rollback, we
can simply use the infrastructure available for cell destruction, both
at generic level as well as inside vmx/vtd.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 15 Jun 2014 05:35:26 +0000 (07:35 +0200)]
core: Do not flush hypervisor TLB on unrelated page table changes
Only when working against the hypervisor page table in page_map_create
and page_map_destroy, we actually need to flush TLBs. Other page tables
require arch-specific flushings that we perform on arch_config_commit.
This measurably speeds up Jailhouse activation, e.g., when a significant
number of EPT and VT-d page table changes are performed.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 15 Jun 2014 05:17:42 +0000 (07:17 +0200)]
x86: Drop TLB flushes on cell configuration changes
The host TLB only requires flushing on hypervisor page table changes.
These only happen on the CPU that performs guest configuration changes
and only for mapping regions that are per-CPU. This is already handled
by flushes in page_map_create/destroy.
Hypervisor page mappings that are relevant for all CPUs are created
during setup. This is done on the setup master CPU before any other CPU
is initializing and flushing its caches by switching to the hypervisor
page table.
So we can drop x86_tlb_flush_all altogether. Rename the flush_caches
flag to flush_virt_caches to reflect that we only request guest-to-host
cache invalidations.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 6 Jun 2014 09:08:03 +0000 (11:08 +0200)]
core: Introduce arch_config_commit
This function allows us to consistently flush affected caches after
configuration changes. We did this after cell creation, partially did it
after destruction, but forgot about it on load/start. Flushing is now
extended to the CPU performing the changes as well as all CPUs of a
created or destroyed cell.
This change also enables the split-up of IOMMU activation and related
root cell and memory region mapping setup, a precondition for generic
memory region mapping.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 5 Jun 2014 14:36:42 +0000 (16:36 +0200)]
x86: Guard vtd_add_device_to_cell against addition of existing devices
Avoid that we add an already registered device to a cell, specifically
that we report this to the console. This case can happen soon when
rolling back failed cell creations.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 5 Jun 2014 16:25:39 +0000 (18:25 +0200)]
core/configs: Clean up config structure alignment/packing
Instead of spreading aligned(1), we rather need to pack all config
structures and also the containers we define in the config files
themselves. Clean this up, also dropping the now unneeded padding from
jailhouse_cell_desc.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 6 Jun 2014 14:19:39 +0000 (16:19 +0200)]
x86: Fold vmx/vtd_root_cell_shrink into vmx/vtd_cell_init
This primarily fixes a regression of 46ab6c2f1e: Due to that reordering,
we were first adding devices to a new cell, then removing them from the
root cell which effectively disabled them in the context table.
Analyzing the content of vmx/vtd_root_cell_shrink, we are better off
folding them into the corresponding cell_init functions. We fix the
ordering issue while doing this.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 6 Jun 2014 16:58:53 +0000 (18:58 +0200)]
x86: Make vtd_remove_device_from_cell more robust against non-existent devices
Do not crash if we call vtd_remove_device_from_cell for a device that is
not added to a cell, and there is not even a corresponding context table.
This allows using vtd_remove_device_from_cell e.g. for rollbacks of
half-done configurations after an error occurred.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 14 Jun 2014 07:36:08 +0000 (09:36 +0200)]
x86: Rework evaluation of MSR_IA32_VMX_TRUE_*_CTLS
The SDM recommends keeping default1-class controls enabled if they are
unknown to the VMM. This applies to most of those bits. Even worse, by
using the TRUE_*_CTLS, we kept DEBUG_CONTROLS saving/loading disabled on
most machines, corrupting the related states on vmexit.
Switch to the "untrue" capability MSRs, except for CR3 loading/storing,
which will ensure that default1 bits are kept enabled also on future
CPUs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 6 Jun 2014 06:07:01 +0000 (08:07 +0200)]
core: Add BIT_MASK macro and document BYTE_MASK
BIT_MASK will help defining constants according to hardware
specifications when bits [m:n] (m > n) form a field in a register or
data structure entry. Document also the BYTE_MASK macro at this chance.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 2 Jun 2014 10:09:53 +0000 (12:09 +0200)]
x86: Further improve EPT error reporting
Avoid double error reporting in vmx_handle_ept_violation if an access
handler already did this. Also correct the access direction message, it
was inverted.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 3 Jun 2014 15:38:20 +0000 (17:38 +0200)]
x86: Avoid crashes under QEMU due to missing DMAR units
Make sure we do not crash in the hypervisor when adding or removing
cells with PCI devices under QEMU. These hacks will be removed once
emulated VT-d is available.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 14 May 2014 09:40:10 +0000 (11:40 +0200)]
x86: Improve reporting of EPT violations
Report details about the EPT violation also when the MMIO parser fails.
At this chance, remove the term "EPT" from the print-out. This is an
invalid MMIO or RAM access.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 14 May 2014 09:14:04 +0000 (11:14 +0200)]
x86: Fix assembly constraints of write_gdtr/idtr
Copy & paste mistake: write_gdtr and write_idtr do not return anything
in the descriptor table structure, they read from it. This broke the
hypervisor setup with certain optimizing compilers, noticed in
particular with old gcc 4.4.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 13 May 2014 14:36:46 +0000 (16:36 +0200)]
core: Fix tear-down order in setup error path
We have to do the arch shutdown before restoring the CPU state to
Linux as we will otherwise lack the required mapping for MMIO access. On
x86, VT-d shutdown will then cause a crash.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 9 May 2014 16:08:20 +0000 (18:08 +0200)]
tools: Fix loading of multiple images
Regression of regression fix c7fc4f1b04: We were incrementing the image
pointer twice, once in the loop control statement and the second time in
the loop body. Remove the latter.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 6 May 2014 15:16:52 +0000 (17:16 +0200)]
x86: Reset virtual CPU before parking it
We may bring the vCPU in an invalid state by setting HLT condition,
namely when SS.DPL != 0. Instead of fixing this case and risking missing
another, simply do a full reset which brings the vCPU to a known-good
state.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 5 May 2014 17:21:06 +0000 (19:21 +0200)]
core: Avoid exposing register set to pci_mmio_access_handler
This handler is generic and should not assume anything about how
registers can be accessed. At this chance, replace the open-coded MMIO
accesses with the appropriate helpers.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Ivan Kolchin [Tue, 22 Apr 2014 13:19:04 +0000 (17:19 +0400)]
core: Add support for a guest to access memory-mapped PCI configuration space
This patch is a continuation of PIO support to request PCI config space.
Now it can be reached via MMIO. So, the filtering logic is pretty similar.
Read accesses to PCI config are allowed just for devices which are owned.
Write accesses are regulated in accordance with a white-list.
There are some limitations though as follows:
- Just 4-bytes operations are supported
- Guest must use only instructions 0x6b and 0x89 (read/write through intermediate
registers)
- All-1's writes are not supported
Signed-off-by: Ivan Kolchin <ivan.kolchin@siemens.com>
[Jan: style adjustments]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 5 May 2014 11:03:51 +0000 (13:03 +0200)]
core: Perform arch shutdown on setup errors
Ensure that we clean up all arch resources and settings if we fail
half-way through the setup process. This specifically affects the VT-d
activation that has to be taken back if some CPU initialization failed.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 14 Apr 2014 10:25:24 +0000 (12:25 +0200)]
Update README with description of new commands and config lock feature
Describe the new command sequence required to create and start a cell.
Also introduce the special behaviors of the apic-demo, explaining both
cell reloading and cell configuration lock this way.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 19:43:55 +0000 (21:43 +0200)]
tools: Add cell list sub-command
This provides a pretty-printer for the sysfs cell information. It is
implemented as a Python script, called by the jailhouse tool on "cell
list". This helps to keep the tool complexity down.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 11:17:10 +0000 (13:17 +0200)]
tools: Add cell shutdown sub-command
We can easily provide cell shutdown semantic by requesting to reload a
cell without passing any images. Defining a separate command is cleaner
than reusing cell load.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 9 Apr 2014 11:02:38 +0000 (13:02 +0200)]
driver/tools: Break up cell creation
Reduce the functionality of the cell create IOCTL to just assigning the
cell resources, removing support for loading and starting the cell from
this service. For those steps we now have separate IOCTLs. Extend the
command line tool accordingly so that cell creation becomes three steps:
Jan Kiszka [Sat, 3 May 2014 10:33:42 +0000 (12:33 +0200)]
driver: Factor out common cell_management_prologue helper
Common to the beginning of cell management IOCTLs are
- sanitizing the cell name passed to the driver
- acquiring the driver lock
- testing, if the hypervisor is active
- finding the target cell
Put all this in a function to reduce code duplication.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 09:50:26 +0000 (11:50 +0200)]
driver: Cache cell memory regions for image loading
Drop dependency on cell configuration for image loading by replicating
all cell memory regions to struct cell. This will allow splitting cell
creation and image loading later on.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 7 Apr 2014 19:05:13 +0000 (21:05 +0200)]
core: Add Cell Set Loadable hypercall
Provide the new hypercall "Cell Set Loadable". It has the semantic of
shutting down an existing cell and remapping all its memory regions that
are marked loadable back to the root cell. On cell start, all its
loadable regions that are mapped to the root cell will be unmapped from
it again.
This enables reloading of non-root cells without the so far required
cell destruction/recreation cycle. It also allows us to drop support for
loading before cell creation which would make the user interface more
consistent.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 8 Apr 2014 15:03:59 +0000 (17:03 +0200)]
core: Allow remap_to_root_cell to bail out on errors
When soon using remap_to_root_cell in scenarios that shall report
potential errors of this function, we need to make it return those. As
we still want to use it where errors are both unlikely and cannot be
handled properly, introduce a parameter that controls the error
behavior: ABORT_ON_ERROR or WARN_ON_ERROR.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Apr 2014 06:00:15 +0000 (08:00 +0200)]
core: Add reconfiguration completion notification
Send an information message to all non-root cells after a cell
reconfiguration is completed. This allows non-root cells to react on
this event, e.g. by freezing the configuration after the expected set of
cells was created.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 3 Apr 2014 08:22:55 +0000 (10:22 +0200)]
core/driver: Add reconfiguration lock
Introduce the concept of a reconfiguration lock. A cell can activate
this lock by changing its state to "Running/Locked". The lock is checked
by the hypervisor before changing the system configuration via creating
or destroying a cell. This gives cells participating in the
Communication Region protocol the chance to prevent reconfigurations,
thus freezing the system setup. A cell that is supposed to be destroyed
does not participate in this voting because it will already receive the
shutdown request.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 3 Apr 2014 09:18:19 +0000 (11:18 +0200)]
core/inmates: Generalize message channel of comm region
Prepare the message channel for further message types by generalizing
the replies: requests can be denied or accepted, there is a specific
code to be sent back on reception of unknown messages, and messages can
also be for information only. This allows factoring out a reusable
cell_send_message service.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 28 Mar 2014 16:37:55 +0000 (17:37 +0100)]
core/configs: Rename cell flag "Unmanaged Exit" to "Passive Comm Region"
The purpose of this flag is to enable simple cells that do not actively
participate in the Communication Region protocols. The fact that we can
be shut down without prior consultation is one result of this but will
not be the only one in the future. Moreover, we may once use the Comm
Region to pass read-only information to the cells - without requiring
every cell to use the region actively or even map it.
Rename the flag to reflect its refined semantic.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 6 Apr 2014 09:57:55 +0000 (11:57 +0200)]
inmates: Wait for idle UART before starting APIC demo
Cosmetic change to avoid unreadable output on the so far shared first
serial console. This became necessary after we moved the output of cell
start after the submission of reset signals to the cell CPUs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 26 Mar 2014 18:15:30 +0000 (19:15 +0100)]
core/driver: Introduce and use Cell Start hypercall
This breaks up creation and start of execution of a cell, a
precondition for enabling cell reload without destruction/recreation.
The new Cell Start hypercall can also be used to restart an already
running cell, thus access control needs to be applied.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 10:49:58 +0000 (12:49 +0200)]
configs: Align demo cell names to file names
Avoid spaces in the name and align them to their file names to make them
more convenient for command line use - now that we accept names for
addressing cells.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 06:13:38 +0000 (08:13 +0200)]
driver/tools: Switch to ID/name-based cell addressing
No longer request the cell config file for destroying a cell. Rather
use its name or its hypervisor-assigned ID. Numerical parameters are
assumed to be IDs unless --name is prepended.
This pattern will be used in all upcoming cell management commands.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 06:18:19 +0000 (08:18 +0200)]
tools: Rework help function in jailhouse tool
Instead of invoking exit() at each caller site of help(), move it into
that function but also avoid returning a non-zero status code when --help
was requested properly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 2 May 2014 09:57:14 +0000 (11:57 +0200)]
driver: Catch invalid CPU mask on cell creation
The hypervisor will detect itself when a CPU is to be assigned to a new
cell that does not belong to the root cell. However, our bookkeeping
will become messed up when we rely on this. So catch it before touching
the root cell.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 2 May 2014 09:37:59 +0000 (11:37 +0200)]
driver: Use cell's cpus_assigned to offline/online CPUs
Avoid the cell config for CPU list iteration, rather use what we store
in the cell structure anyway: cpus_assigned. This helps to overcome
dependencies on the config passed on other management commands than cell
create.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
It does not matter for the list of CPUs assigned to the root cell if a
CPU is currently online or not - the hypervisor will revoke access
unconditionally. Consequently, we also have to restore all those CPUs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 3 May 2014 12:53:46 +0000 (14:53 +0200)]
core: Drop "Parking CPU" printk from cell_destroy
Reporting that a CPU of a to-be-destroyed cell was parked does not
provide much information. We do not consistently print messages in other
cases when we park CPUs, and the CPU will quickly be resumed by Linux
after cell destruction.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 26 Mar 2014 18:10:53 +0000 (19:10 +0100)]
core: Drop printk from cell_suspend
This message lacks corresponding resumption printouts. As we will create
even more of them when breaking up the cell management hypercalls, it's
cleaner to drop this debug output.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 13 Apr 2014 06:30:53 +0000 (08:30 +0200)]
core/driver: Remove multi-arg support for hypercalls
There is no scenario in sight where we may need to pass more than one
argument to a hypercall. So remove the related infrastructure and update
the ABI documentation for zero or single-argument hypercalls only.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>