Jan Kiszka [Mon, 4 Jan 2016 10:17:11 +0000 (11:17 +0100)]
inmates: Add support for command line parameters
This provides support for parsing string, integer (long long type) and
boolean command line parameters. The former two need to be in the form
of "name=value" so that cmdline_parse_str/int will return the extracted
value. Boolean parameters are just of the form "name", and
cmdline_parse_bool will return true if this pattern is found. Parameters
need to be separated by blanks.
The parameters can be passed to the inmate by loading the string at an
architecture-specific location. That is 0xf0000 on x86 and 0x100 on ARM
so far. Note that the inmate has to reserve an appropriately sized
buffer via the CMDLINE_BUFFER macro.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sat, 2 Jan 2016 14:52:08 +0000 (15:52 +0100)]
inmates: arm: Initialize bss programmatically
Aligns ARM with x86: initialize bss with a small assembly loop before
inmate_main is invoked. This allows to move it after other sections,
effectively removing it from the image file.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 7 Jan 2016 07:54:17 +0000 (08:54 +0100)]
x86: Properly roll back failing IOAPIC cell initialization
We have to release already allocated resources if ioapic_get_or_add_phys
fails. At least the arch.ioapics array should be freed again, but
possibly also previously claimed root cell IOAPIC pins.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 27 Dec 2015 18:02:43 +0000 (19:02 +0100)]
x86: Rename local result variable
The return value of vtd_emulate_inv_int is not of the typical "0 or
negative error code" but actually returns an IR table index on success.
Avoid any confusions by using the more neutral variable name "result".
No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 24 Sep 2015 19:53:06 +0000 (21:53 +0200)]
tools: config-create: Add stubs for extended capabilities
Scan the extended capability space of PCI express devices and leave
a stub for anything that is detected. For SR-IOV, the size is already
encoded, other capabilities still need to be filled. This doesn't expand
write permission to any capability yet, standard or extended.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 24 Sep 2015 19:48:05 +0000 (21:48 +0200)]
core: Tag PCI express extended capability IDs via highest bit
PCI express extended capabilities span a separate ID space. In order to
use the same jailhouse_pci_capability structure as for PCI capabilities
and also to avoid extending the ID field, reserve the highest bit 15 to
tag extended IDs. PCI so far only uses the lowest 5 bits and apparently
expands linearly, so we won't see any conflicts in the foreseeable
future.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 11 Aug 2015 04:35:11 +0000 (06:35 +0200)]
x86: vmx: Micro-cleanup in vcpu_vendor_cell_init
Return the error code directly instead of take the indirect route via
pre-initialized err variable. Avoids that some refactoring once destroys
this relationship.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 21 Dec 2015 23:29:14 +0000 (00:29 +0100)]
x86: Report only unhandled PIO accesses in the common handler
This aligns vcpu_handle_io_access to vcpu_handle_mmio_access again which
got lost in 46ad4efeb8: errors detected by handlers are already reported
there.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 21 Dec 2015 23:53:45 +0000 (00:53 +0100)]
x86: Intercept #AC and #DB to prevent guest-triggered microcode loops
This addresses CVE-2015-5307 and CVE-2015-8104 [1] for Jailhouse:
malicious cells may bring VCPUs into a state where the CPU will
infinitely loop over microcode, providing the hypervisor no chance to
interrupt these loops anymore. For this we have to intercept the #DB and
the exceptions to the cell.
If a guest is trapped in an exception loop can be detected by checking
the exception exit statistics which are now recorded: a large number of
exception exists per second (>1 million typically) will indicate this.
Jan Kiszka [Mon, 21 Dec 2015 23:50:36 +0000 (00:50 +0100)]
x86: Enhance x86_handle_events to x86_check_events
There is now quite some commonality between svm and vmx when it comes to
checking for pending events. Move those parts into x86_check_events,
which becomes the extended version of x86_handle_events. Only a small
difference is now left behind in vmx_check_events(): the preemption
timer has to be disabled before the check.
Just like x86_handle_events, also x86_check_events only works against
the caller's CPU. So remove the cpu_data parameter at this chance.
We can remove the "sipi_vector = -1" after x86_enter_wait_for_sipi now
because we no longer return that value from x86_check_events, and
sipi_vector is not evaluated elsewhere because cpu_data->wait_for_sipi
is true.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Ralf Ramsauer [Tue, 27 Oct 2015 16:26:24 +0000 (17:26 +0100)]
Respect size of io bitmap in vcpu_cell_init()
Previous code copied the IO bitmap without respect to its actual size.
This patch simplifies the copying process and respects the size of the
destination.
vcpu functions were using sizeof() to determine the size of dynamically
allocated I/O bitmap, which won't work. Assign this value statically per
sub-architecture (Intel or AMD).
Xuguo Wang [Thu, 15 Oct 2015 07:13:26 +0000 (15:13 +0800)]
Documentation: articles: LJ-article-04-2015.txt
This document is used for the newbies, so I think the words must
accurate, and command must correct, but in the section of "Configs and
inmates", a command like this :
sudo tools/jailhouse cell stat apic-demo
but actually the right command is :
sudo tools/jailhouse cell stats apic-demo
So I send this patch.
Reported-by: Xuguo Wang <huddy1985@gmail.com> Signed-off-by: Xuguo Wang <huddy1985@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 15 Oct 2015 08:53:20 +0000 (10:53 +0200)]
ci: Update Travis Ubuntu environment
The utopic packages are no longer available, we need vivid. It's also a
good point to try out the beta environment based on trusty in to hope to
reduce the number of updates.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 25 Sep 2015 17:47:18 +0000 (19:47 +0200)]
x86: svm: Fix broken FS base on deactivation
After f93e23934b, we no longer call vmsave, thus will also not find the
right FS base there. This caused sporadic crashes of "jailhouse disable"
on return to userspace.
Fix it by loading the value from the corresponding MSR.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Fri, 18 Sep 2015 16:02:10 +0000 (18:02 +0200)]
core: pci: Fix MMCONFIG handling for root cell
Reorder the initialization in pci_init so that MMCONFIG is set up before
pci_cell_init is invoked for the root cell. Calling pci_cell_init
earlier has the undesired effect that the MMCONFIG region is not
registered for the root cell, and all related accesses will fail with
generic MMIO errors.
Jan Kiszka [Wed, 16 Sep 2015 07:22:23 +0000 (09:22 +0200)]
inmates: x86: Add support for TSC-based timing
Provide a service to calibrate the TSC against the PM timer and read out
the current time in nanoseconds. This service is much faster than the
slow PM timer, and it's also not affected by chipset-induced delays.
Note that the simplistic algorithm only supports measuring relative time
spans of a couple of seconds.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Antonios Motakis [Wed, 12 Aug 2015 16:21:58 +0000 (18:21 +0200)]
core: printk: include asm/bitops.h directly
Currently the implementation in hypervisor/printk.c assumes asm/bitops.h
will be included by asm/spinlock.h. Since this implementation is using
bitops directly, we include the right header file.
Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com>
[Jan: adjust to alphabetic ordering] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Ralf Ramsauer [Thu, 13 Aug 2015 23:23:58 +0000 (01:23 +0200)]
hypervisor, driver: Added signature for .cell files
Inserted signature field in struct jailhouse_cell_desc and
jailhouse_system. Jailhouse kernel driver will refuse loading
a system configuration as a cell configuration et vice versa.
Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
[Jan: also adjust Linux loader script] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 10:05:20 +0000 (12:05 +0200)]
arm: Migrate irqchips to generic MMIO dispatcher
Register the GIC distributor and, for the GICv3, also the redistributor
regions with the generic MMIO dispatcher. This allows to drop the GIC-
specific MMIO dispatching from arch_handle_dabt.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 09:44:53 +0000 (11:44 +0200)]
arm: Prepare generic MMIO dispatching
Hook up the generic MMIO dispatcher into arch_handle_dabt without
removing existing handlers. This allows for a step-wise migration of
subsystems to the new dispatcher.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 09:25:49 +0000 (11:25 +0200)]
core, x86: pci: Migrate MSI-X emulation to generic MMIO dispatcher
Register the MMIO BARs of PCI devices with the generic MMIO dispatcher
and remove direct invocation of pci_mmio_access_handler from
vcpu_handle_mmio_access. This particularly avoid having to scan all
PCI devices of a cell with MSI-X support to find out the target of an
MSI-X access.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 09:16:32 +0000 (11:16 +0200)]
core: pci: Migrate MMCONFIG access handling to the new MMIO dispatcher
Register the MMCONFIG memory region, if available, with the generic MMIO
dispatcher and drop the related handler invocation from
pci_mmio_access_handler.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 6 Jul 2015 07:20:03 +0000 (09:20 +0200)]
core: ivshmem: Move functions unmodified
We will need ivshmem_write_doorbell, ivshmem_register_mmio and
ivshmem_msix_mmio earlier in the code. Move them up unmodified to
prepare this. No functional change.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 08:34:19 +0000 (10:34 +0200)]
x86: Prepare generic MMIO dispatching
Hook up the generic MMIO dispatcher into vcpu_handle_mmio_access without
removing existing handlers. This allows for a step-wise migration of
subsystems to the new dispatcher. Note that the return values of current
handlers are compatible with the mmio_result enum.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 07:19:08 +0000 (09:19 +0200)]
core: Add generic MMIO access dispatching
This introduces the infrastructure for generically dispatching MMIO
accesses. Handlers can now be registered for MMIO regions on a pre-cell
basis, removing the need for probing multiple handlers that decide
themselves if they are in charge.
The backing data structures consist of two sorted tables: one is
describing the region locations and sizes, the other one is holding, in
identical order, the handler and a corresponding opaque parameter.
Dispatching works lock-free and can even run in parallel with region
registration or removal. That latter two steps are protected against
concurrent invocation via a per-cell spinlock.
In order to preallocate sufficient space during cell setup, arch
architecture has to implement arch_mmio_count_regions that calculates
the maximum number of MMIO regions a cell may register during its
lifetime, typically based on static values and the cell configuration.
So far these functions are implemented as dummies because the MMIO
infrastructure is not yet used.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Move ARM's mmio_access structure into the generic MMIO header and polish
it for broader use. It will become the keystone of generic MMIO access
dispatching.
No functional changes, but a lot of variable and field renamings in
order to align ARM in advance with the naming scheme's we will use
throughout the whole core soon.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Aug 2015 05:42:54 +0000 (07:42 +0200)]
arm: Rework arch_mmio_access to arm_mmio_perform_access
First, this is an ARM-specific function, so "arch" is an improper
prefix. And then we always ignored the return value anyway. Drop it and
instead report unsupported sizes via a printk (a candidate for BUG() if
we ever decide to add that).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 29 Jul 2015 07:48:09 +0000 (09:48 +0200)]
x86: vtd: Use pci_get_assigned_device to look up interrupt invalidation targets
Stop using the virtual device list which will be removed eventually and
switch to the pci_get_assigned_device service. It is a bit slower than
the current approach, but we don't consider the emulation of interrupt
invalidation requests as fast path. On the positive side, this change
will allow to simplify the PCI layer a bit.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 8 Jul 2015 04:45:39 +0000 (06:45 +0200)]
core: Split struct cell into generic and arch-dependent parts
ARM already did this, now also introduce this split at top level: move
all arch-specific cell states into the substructure arch_cell. This
refactoring simplifies the management of common cell states across all
architectures.
The common struct cell is now defined in jailhouse/cell.h. From now on,
asm/cell.h shall only be included directly by jailhouse/cell.h.
Generic PCI-related fields are moved into the common structure even
though ARM will not use them. That happens for two reasons:
- 2 of the 3 fields will be removed soon and the remaining one will be
negligible
- ARM is expected to gain PCI support as well one day
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 28 Jun 2015 16:45:09 +0000 (18:45 +0200)]
core: Rework cleanup on cell destruction
Rename destroy_cpu_set to cell_exit and move it into
cell_destroy_internal. The background is that this function will be used
for more cleanups, and the refactoring will avoid cleanup code
duplications.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 9 Aug 2015 19:41:36 +0000 (21:41 +0200)]
x86: Do not call vcpu_cell_exit after failing vcpu_vendor_cell_init
Regression of 328e10028d: vcpu_cell_init does not allocate any
resources prior to calling vcpu_vendor_cell_init. So there is no point
of calling vcpu_cell_exit if the vendor init functions failed, because
the latter is already rolling back. Even worse, the I/O bitmap will not
have been allocated, and vcpu_cell_exit will run into a NULL pointer
dereference.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Describe so far undocumented functions and also the communication region
structure.
For the latter, we have to expand the generic COMM_REGION_GENERIC_HEADER
macro during a doxygen run. This is achieved by including the generic
header from within the arch-specific one, but only for doxygen
processing. This special treatment is required because doxygen processes
each file directly, even if it should have been processed indirectly
already (here asm/jailhouse_hypercall.h via jailhouse/hypercall.h).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 14 Jul 2015 05:16:50 +0000 (07:16 +0200)]
core, inmates: Move \r injection into console_write / arch_dbg_write
This moves the injection of \r on \n into the console_write and
arch_dbg_write implementations, causing some minor duplication but also
fixing injection for %s strings. Furthermore, this allows to skip the
injection for consoles the may not need it.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 14 Jul 2015 05:29:35 +0000 (07:29 +0200)]
arm: Use more panic_printk for fatal error messages
Fatal errors that will leave CPUs unusable and may occur in parallel on
multiple CPUs should be reported via panic_printk to maintain
readability of the output. Adjust some locations for unexpected HYP
exits and failing PSCI_CPU_OFF.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 13 Jul 2015 07:06:54 +0000 (09:06 +0200)]
arm: Unmap virtual GIC on cell destruction
This fixes a leak on cell destruction because we left the GICv2 mapped,
thus didn't free all paging structures. This also means we need to run
the irqchip cleanup before the cell MMU destruction.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 13 Jul 2015 07:01:51 +0000 (09:01 +0200)]
arm: Account for errors during irqchip cell_init
The cell_init callback of GICv2 should report the result of the mapping
request, thus needs a channel to return an error code. Extend the call
chain accordingly.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 13 Jul 2015 06:40:52 +0000 (08:40 +0200)]
arm: Fix arm_page_table_empty
The size of a pt_entry_t is a reference to an entry, not the entry type
itself. So we were calculating with an entry size of 4 instead of 8,
overrunning the table during empty checks. This specifically caused
page leakages during cell destruction.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 12 Jul 2015 08:25:21 +0000 (10:25 +0200)]
arm: smp: Concentrate non-PSCI logic in Versatile Express module
We only keep the non-PSCI CPU hotplug support around for the sake of
old Versatile Express boards/models. No new boards will be accepted that
do not support the PSCI standard. Therefore, concentrate all functions
that were once considered reusable in the smp-vexpress module, folding
them into their only callers.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Sun, 12 Jul 2015 08:22:46 +0000 (10:22 +0200)]
arm: Fix coding style of asm blocks
This aligns them with our (kernel) coding style: indent multi-line asm
blocks, end each line with \n\t in multi-line blocks, remove the ending
in single-line statements. No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
projects / jailhouse.git / log