As the number of external contributions to Jailhouse grows, the need
for some formal coding style to ease review process and integration
arise. This is the first attempt to summarize what's have been discussed
on jailhouse-dev@googlegroups.com mailing list so far.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: clarify include block separation] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Fri, 12 Sep 2014 17:05:31 +0000 (19:05 +0200)]
tools: config-create: rename parse_cmdline to parse_kernel_cmdline
`parse_cmdline` is quite missleading in the context of a script with
command-line parameters. Thus better name it for what it does, parse the
kernel command line.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Henning Schild [Fri, 17 Oct 2014 17:19:29 +0000 (19:19 +0200)]
pci: fix msix device list remove-code
In pci_remove_device we want to remove only one device from the list.
The current code truncates our device list and drops the tail, fix that
by just unchaining one element.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Some systems may use 32-bit PM timer (as defined by TMR_VAL_EXT feature
flag in FADT), however pm_timer_read() assumes it is always 24-bit. Where
this assumption is wrong, return value becomes incorrect, and the error
grows over time leading to obscure bugs, including lockups in the hypervisor.
To fix this, TMR_VAL_EXT is made part of platform config and is passed to
inmates in the communication region. Config generator was also adapted
to parse FADT to get TMR_VAL_EXT value for target system. pm_timer_init()
function was also introduced to the inmates framework to the overflow value.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: mark jailhouse_comm_region as packed] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When an IOAPIC redirection entry is masked, only lower half of the register
is written. This causes the upper half to contain stale data when the entry
is unmasked. On systems that don't do interrupt remapping (currently, QEMU
and AMD) this may result in interrupts being lost or delivered to the wrong
destination.
Fix this by unconditionally writing the upper half of the register when
it is unmasked.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Finally, page fault handling in guests was generalized and can now
be called for any vendor. To communicate page fault details between
vendor-specific and generic code, struct vcpu_pf_intercept was introduced,
and vcpu_get_guest_paging_structures() was made public (i.e. non-static).
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
I/O VM exit handling code can now be used for any vendor.
This implies introducing struct vcpu_io_intercept to communicate
intercepted instruction properties like the port number and access
size between vendor-specific and generic code.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Hypercall handling code can now be used for any vendor.
This implies implementing accessor to EFER, RFLAGS, CS and RIP,
(commonly referred to as "execution state") and also making
vcpu_deactivate_vmm() non-static.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Refactor generic bits of vcpu_cell_{init,exit}
vcpu_cell_init() and vcpu_cell_exit() functions contain some code that is
the same regardless virtualization technology used. So they were moved to
the newly-introduced vcpu.c, calling vcpu_vendor_cell_init() and
vcpu_vendor_cell_exit() for vendor-specific actions.
This also implies introducing the first data abstraction structure, and the
first vendor-specific data wrapper function: vcpu_vendor_get_cell_io_bitmap().
More to follow.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Switchable guest code access for mmio_parse()
mmio_parse() and related infrastructure use link-time resolved (rather
than hardcoded) static function to access guest memory. This way,
vendor-specific code can provide an accelerated implementation if available.
map_code_page() helper routine is now superseded by vcpu_get_inst_bytes() with
different call semantics. The function returns a pointer to the first byte
available and accepts the number of bytes to map (or otherwise make available)
to the hypervisor. It can adjust this value (it is now done to save an
unnecessary page table walk) as described inside the commit.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Removed direct references to VMX functions from the APIC code,
which is generic by its design. NMI handlers are now defined in
corresponding vendor-specific code (presently, only vmx.c), and
resolved at the link time.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
entry.S was split between vendor-neutral code (arch_entry, interrupt handlers),
and vendor-specific code for handling VM exists. This helps to avoid #ifdefs later,
when SVM entry point will be introduced.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In preparation to support different vendor-specific implementations for
virtualization features, public functions for VMX/VTD were renamed.
"vmx_" and "vtd_" prefixes are now superseded with "vcpu_" and "iommu_",
and new header files were introduced to hold the declarations.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Real mode certainly has no paging, but having these structures in place make
guest memory access more uniform. Future AMD code will need to read guest
instructions for cells running in real mode.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Original set_cs() implementation relied on rex64/ljmp instruction. However,
AMD64 doesn't support 64-bit offsets in far jump (there is no rex-prefixed
version), and the offset used by Jailhouse is more than 32-bit long.
An alternative method that relies on lretq is used to switch CS now. It is
known to work both on Intel and AMD.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 29 Sep 2014 06:55:24 +0000 (08:55 +0200)]
driver: Use hypervisor's version.h
Let the driver module depend on the hypervisor subdir. This allows us to
reuse the version.h generated by the hypervisor build also for the
driver. They were identical.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 20:28:46 +0000 (22:28 +0200)]
x86: Disentangle circular dependency of percpu.h and vmx.h
Move the struct vmcs to where it really belongs: vmx.h. This requires
including of the latter file from percpu.h. Enable this via a forward-
declaration of struct per_cpu in vmx.h. And now that we split things up,
we can move the vmx_state enum as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 08:11:57 +0000 (10:11 +0200)]
core: Factor out generic jailhouse/types.h
Some types in the architecture-specific header are in fact generic. Move
them into a separate header and include this one directly from now on.
Document cpu_set at this chance according to doxygen style.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds doxygen-style documentation for public parts of the page
management subsystem. Again we place documentation of architecture-
provided entities in the generic header.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:33:25 +0000 (18:33 +0200)]
core: Document PCI subsystem interfaces
Convert existing kernel-doc comments to doxygen style and add missing
functions and structure descriptions for public interfaces. Architecture
specific functions are documented in the headers to avoid duplications
at the implementation site.
No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:30:39 +0000 (18:30 +0200)]
core: Prefix arch-specific PCI functions properly
Add the "arch_"-prefix to pci_suppress_msi, pci_update_msi and
pci_update_msix_vector. This clearly signals that those functions have
to be implemented by the architecture support.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 13:06:40 +0000 (15:06 +0200)]
Documentation: Add Doxygen infrastructure
We diverge from Linux kernel style and use Doxygen as our code
documentation generator, see [1] for the reasoning. This adds the
required build infrastructure. Run "make docs" to trigger it (not
automatically done via other targets).
inmates: pci: allow pci_find_device to discover multiple devices
Systems can have more than one PCI device with the same vendor/device
id pair. Change the discovery helper to allow searching for more than
just the first bdf.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
It turned out to break 32-bit architectures: At least core_size and
entry must be of the size the hypervisor uses for pointer, otherwise
link-time initialization of those fields fail.
We will need a more sophisticated solution if including the header in
i386 mode is really necessary.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:24:10 +0000 (18:24 +0200)]
tooling: Fix gen_version_h to query git support for the correct repository
The initial git availability check ran in the kernel directory instead
of the Jailhouse source tree. Fix it by moving the cd before it. Also
quote the input path properly at this chance.
Reported-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:27 +0000 (15:08 +0200)]
core: make the jailhouse-header arch-independent
The header of jailhouse is defined with arch-dependent types such as
`unsigned long` which on linux varies in size. Because this header can
be considered the "communication"-relay with the environment, it should
be type-safe on any arch. Thus change all types into fixed-size-types.
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: adjusted jailhouse_entry to keep unsigned int] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:26 +0000 (15:08 +0200)]
x86: make the x86 types-definitions work on either x86-32 and x86-64
For Intel TXT we will need to work in 32bit mode for a limited amount of
time. To make sure we can use certain headers and definitions safely in
both modes, change the definition of `u64` to use `long long` instead of
`long` (which changes its length depending on the arch).
Furthermore, the x86-header defines a macro BITS_PER_LONG, currently we
define this always as `64`. To make this usable for the TXT-stub, hide
this behind an `ifndef`. The current hypervisor-code won't be affected
by this change and we can define this for the TXT-stub with our tooling,
thus make the header usable in both modes.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
tools: config create: change the way input files are handled
Switch from automatically generated lists of input files to
hand-maintained ones. Generating the lists turned out to make the code
less readable. All the parse-functions would have to be called just to
collect theire opens.
Now we still use the input_open wrapper to prefix the opens with the
root_dir and we make sure that the file one is trying to open is listed
as an input file and will therefore be collected by the collector.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 20 Sep 2014 11:21:39 +0000 (13:21 +0200)]
core/driver: Rework obtaining of maximum number of CPUs
num_possible_cpus() actually counts the possible CPUs and does not
necessarily return the maximum CPU ID + 1, the value Jailhouse needs.
Fix this by deriving that value from the root cell's CPU set. Rename
the header field correspondingly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 19 Sep 2014 05:53:06 +0000 (07:53 +0200)]
core: Validate CPU ID before using it
Currently, Linux ensures that we have enough room in the per-CPU data
area when calling the entry function with a specific CPU ID. That will
change as we will allocate only as much as required for a given system
configuration. To avoid that we would then dereference some out of
bounds CPU data because of an invalid CPU ID, always perform the ID
check before using the data structure.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 19 Sep 2014 07:17:29 +0000 (09:17 +0200)]
core: Calculate core and per-CPU data region size differently
Use pointer arithmetic to obtain the size of the region that contains
the hypervisor core and the per-CPU data structures. system_config tells
us where it ends.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The qemu VM will have a floppy drive and we can not tell Qemu to not
emulate one. Now if the guest kernel has a driver for a floppy drive we
can get violations on "jailhouse enable". Of the shelf distro kernels
will have floppy support so we need to whitelist the floppy ports in the
qemu root cell config.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds a simple Ethernet ping-ping via Intel E1000-based NICs. Run
two instances in the same network, and the first will become the test
controller while the second instance to show up will be the target.
Round trip times will be measured and dumped by the controller. This can
surely be further improved, and there are still some stability issues
(measurement stops on lost packet). It's a start.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:17 +0000 (14:53 +0200)]
tooling: extracts common install-definitions into a central include
After adding install-rules to the tools- and root-Makefile we have some
redundancies in some variables and definitions (e.g.: $(INSTALL)). To fix
this, extract all duplications and general definitions concerning the
install-process into one central Makefile-include `install.mk`.
This also unifies the way directories are created for
installation-rules. Previously we would just create them every time
without checking if that is needed. Now we add them as prerequisite to
the install-rule and generate a rule for each of them in `install.mk`.
This way `make` will figure out if the need to be created. This also
lowers the verboseness of the Makefile.
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: moved install.mk to scripts folder] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:16 +0000 (14:53 +0200)]
tooling: add recursive tools-build and proper install-rules to the root Makefile
To build the jailhouse-tools, one has to make separate make-calls in
each their directory. This is fixed by adding simple recursive rules to
the root-Makefile. This also makes sure, that we always build both and
don't get incompatible versions during development.
This patch also adds proper install-rules to the root-Makefile. We added
them to our tools-Makefile, so we should also add them here. This only
concerns the hypervisor-image-file at the moment.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 3 Sep 2014 12:53:15 +0000 (14:53 +0200)]
tooling: split Kbuild-related rules from the main Makefile
Split all parts of the main Makefile, that are only related to the
kernel build-system, into their own file (Kbuild). When invokes, this
file will be search first for additional rules by the kernel
build-system.
The remaining rules in our own root-Makefile will not be seen by the
kernel build-system anymore and thus are easier to extend.
Also, change some variable-names to fit those suggested by the
kernel-documentation (Documentation/kbuild/modules.txt).
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In dash echo is a builtin that does not support -e as a result we did
generate broken header files on Ubuntu and newer Debian systems.
For make_relaese just enforce bash as the shell of our choice.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 28 Aug 2014 11:32:35 +0000 (13:32 +0200)]
tools: Add Version information to command line tool
Dump the static version tag from the management tool when invoked with
"--version". We don't need precise git-based tracking here as interfaces
are fairly decoupled now.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 28 Aug 2014 11:36:18 +0000 (13:36 +0200)]
tools: Remove dependency of jailhouse tool on cell-config.h
Two things caused jailhouse.h and, thus, tools/jailhouse.c to depend on
the cell configuration header: the definition of the JAILHOUSE_ENABLE
IOCTL and the maximum cell name length in config files.
The first dependency is not only unneeded (the command line tool passed
the an uninterpreted blob via JAILHOUSE_ENABLE), it also made the driver
ABI change each time we updated the config format. So replace the
reference to struct jailhouse_system in JAILHOUSE_ENABLE with a symbolic
"void *".
The second dependency is also unneeded: While the name length used in
configs and, thus, also inside the driver to reference cells should be
identical to the lengths we use in struct jailhouse_cell_id, there is no
hard dependency. In the worst case (different lengths), we would fail to
address cells by name. However, these lengths are unlikely to change. So
simply define our own name length for that struct and test for
deviations during the driver build.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:35:15 +0000 (20:35 +0200)]
tools: Add installation rules
This installs the jailhouse tool, its helper scripts and the template
files to standard, configurable directories. We patch the config
generator on installation so that the target version is aware of the
chosen data directory.
Note that installing the bash completion is left up to the user. There
is apparently no distro-independent way to achieve this.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:33:21 +0000 (20:33 +0200)]
tools: Hide some secondary build commands
By default, hide commands that are not essential for following the build
(or installation) process. Those can still be revealed by specifying
V=1. chmod is a first candidate.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 18:28:33 +0000 (20:28 +0200)]
tools: config-create: Add support for using a data directory
Once installed, the jailhouse-config-create has to be able to use a data
directory for finding its templates. That dir will typically be
different from the one where the script is located. Prepare for this by
providing a datadir variable assignment that can be patched during
installation.
When running from the source tree, we continue to use that directory as
default template dir.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 27 Aug 2014 19:03:14 +0000 (21:03 +0200)]
tools: jailhouse: Use a libexec subdir for extension scripts
We want our extension scripts to be under a standard directory, namely
$libexecdir/<package>. As libexecdir may be overwritten during
installation, accept it from the Makefile via a define.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Wed, 27 Aug 2014 17:40:52 +0000 (19:40 +0200)]
tools: add bash-completion for the jailhouse-tool
Because `jailhouse` is the main user-interface to the VM and some
command-chains are quite verbose (create, enable, cell create, cell
load, ...) it is very convenient to have a working bash-completion for
it.
This completes all current uses, although it is very static in some
places (as is the jh-tool) - some argument are only expected at certain
positions, etc.
For it to work, you need to have the `jailhouse`-tool in your
PATH-variable (obviously for the tool itself to work, you will likely
also need all other tools in PATH). Then just run
> . tools/jailhouse_bashcompletion
and it should work. You also need the bash-completion package installed
on your distribution and activated in your bash, otherwise the
source-operation will do nothing. For more details please read the
header of the file.
Known Bug: cell-namens as argument for the cell-subcommands can't contain
spaces
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: removed restriction to .bin files] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>