Re: [Xen-devel] fail to register IRQ for virtualization exception

2016-09-02 Thread Big Strong
Or should I modify the linux kernel to add support for handling #VE
exception?

2016-09-02 16:35 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> Sorry for that. Could you give any suggestions on how to register the IRQ
> handler for #VE?
>
> 2016-09-02 15:52 GMT+08:00 Jan Beulich <jbeul...@suse.com>:
>
>> >>> On 02.09.16 at 04:59, <fangtu...@gmail.com> wrote:
>> > I'm recently trying to utilize the virtualization exception (#VE)
>> feature.
>> > As the document says, #VE is handled by guest interrupt handler. The IRQ
>> > number of #VE is 20. However, when I tried to register an IRQ handler
>> for
>> > #VE, it returns errno -22, which means invalid arguments.
>> >
>> > request_irq(20, ve_handler, IRQF_NO_SUSPEND, "ve", NULL)
>> >
>> > Is there anything wrong?
>>
>> You're mixing up exception vectors and IRQ numbers.
>>
>> Jan
>>
>>
>
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Re: [Xen-devel] fail to register IRQ for virtualization exception

2016-09-02 Thread Big Strong
Sorry for that. Could you give any suggestions on how to register the IRQ
handler for #VE?

2016-09-02 15:52 GMT+08:00 Jan Beulich :

> >>> On 02.09.16 at 04:59,  wrote:
> > I'm recently trying to utilize the virtualization exception (#VE)
> feature.
> > As the document says, #VE is handled by guest interrupt handler. The IRQ
> > number of #VE is 20. However, when I tried to register an IRQ handler for
> > #VE, it returns errno -22, which means invalid arguments.
> >
> > request_irq(20, ve_handler, IRQF_NO_SUSPEND, "ve", NULL)
> >
> > Is there anything wrong?
>
> You're mixing up exception vectors and IRQ numbers.
>
> Jan
>
>


[Xen-devel] fail to register IRQ for virtualization exception

2016-09-01 Thread Big Strong
Hello.

I'm recently trying to utilize the virtualization exception (#VE) feature.
As the document says, #VE is handled by guest interrupt handler. The IRQ
number of #VE is 20. However, when I tried to register an IRQ handler for
#VE, it returns errno -22, which means invalid arguments.

request_irq(20, ve_handler, IRQF_NO_SUSPEND, "ve", NULL)

Is there anything wrong?

To handle this system reserved exception, should I modify the linux kernel
instead of using loadable kernel module (LKM)? As the IRQ number 20 is not
defined in linux kernel (traps.h), also no exception handling function is
defined (traps.c). As it is defined as a system reserved exception, so I
can't register it using LKM?

BTW, I've already enabled #VE feature using HVMOP_altp2m_vcpu_enable_notify.

The attachment is the definition of #VE from Intel Manual.


Re: [Xen-devel] handle virtualization exception

2016-06-04 Thread Big Strong
To handle this system reserved exception, should I modify the linux kernel
instead of using loadable kernel module? Are there any suggestions?

2016-06-01 11:08 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> Virtualization exception is a fault exception caused by specific type of
> EPT violations. The vector is 20, which is not defined in linux kernel
> (traps.h), also no exception handling function is defined (traps.c). So is
> there any way to implement it as a LKM? As it is needed to
> set virtualization-exception information area and virtualization exception
> handler (for example, by executing the EPTP-switching VM function), it is
> inflexible to implement it in linux kernel directly.
>


[Xen-devel] handle virtualization exception

2016-05-31 Thread Big Strong
Virtualization exception is a fault exception caused by specific type of
EPT violations. The vector is 20, which is not defined in linux kernel
(traps.h), also no exception handling function is defined (traps.c). So is
there any way to implement it as a LKM? As it is needed to
set virtualization-exception information area and virtualization exception
handler (for example, by executing the EPTP-switching VM function), it is
inflexible to implement it in linux kernel directly.


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-17 Thread Big Strong
Must VMFUNC and #VE run in kernel mode, i.e. as a Linux kernel
module or Windows driver? If so, how do I invoke a hypercall from the domU
kernel: by ioctl(fd, IOCTL_PRIVCMD_HYPERCALL, hypercall) or by directly issuing
a 0x82 interrupt?

2016-05-17 20:05 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> I just set the domid to DOMID_SELF to pass the check, but another problem
> is how to assign the gfn used to store #ve information. As I'm doing all the
> things in user space, directly assign a new physical page seems impossible.
> While LKM can do that with kmalloc and virt_to_phys, it cannot call user
> space functions of libxc. Is there a libxc function to translate the
> virtual address of malloc() to physical address?
>


Re: [Xen-devel] unable to create domain after enabling XSM

2016-05-17 Thread Big Strong
Thanks very much, it turns out to be the problem of modules.conf. I turned
the xen module off by mistake; I'm very sorry for the time you spent.


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-17 Thread Big Strong
I just set the domid to DOMID_SELF to pass the check, but another problem
is how to assign the gfn used to store #ve information. As I'm doing all the
things in user space, directly assign a new physical page seems impossible.
While LKM can do that with kmalloc and virt_to_phys, it cannot call user
space functions of libxc. Is there a libxc function to translate the
virtual address of malloc() to physical address?

2016-05-16 23:05 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> To solve that, I install xen and tools in the guest, so as to access its
> domain id and vcpu info to overcome the 'domain is null' error. Now the
> problem is solved, but errors come at 'domain != DOMID_SELF' checking
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5238>.
> The DOMID_SELF is always 32752 (0x7FF0), while a.domain is the domid of the
> guest, which causes the check to fail and exit. Any help?
>
>
> 2016-05-16 17:06 GMT+08:00 Big Strong <fangtu...@gmail.com>:
>
>> Your opinion is inspiring. During the past days, I've tried to directly
>> call HVMOP_altp2m_vcpu_enable_notify in guest by ioctl, this time it fails
>> for "domain is null" checking.
>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5167>
>> I thought it might be because the guest is not able to achieve the vcpu
>> info of its current state
>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5164>.
>> While in dom0, this is not a problem. But dom0 is unable to
>> call  HVMOP_altp2m_vcpu_enable_notify for the guest. How can I solve this
>> contradiction?
>>
>> 2016-05-12 23:17 GMT+08:00 Wei Liu <wei.l...@citrix.com>:
>>
>>> On Thu, May 12, 2016 at 09:00:12PM +0800, Big Strong wrote:
>>> > I'm still not very clear why would do_altp2m_op change the domain to
>>> > current domain (which is dom0 in my case) when the cmd is
>>> > HVMOP_altp2m_vcpu_enable_notify
>>> > <
>>> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6198
>>> >.
>>> > As to my case, it would prevent the dom0 to set the #ve info page for
>>> other
>>> > domUs because the check of is_hvm_domain would fail
>>> > <
>>> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6204
>>> >and
>>> > the function will return directly.
>>> >
>>>
>>> Maybe the intent of that HVMOP is to get called directly by the guest
>>> that is interested in such event?
>>>
>>> It looks like a natural restriction to me because the vcpu needs to set
>>> up handler for #ve AIUI. It's not likely that Dom0 can do this for
>>> arbitrary guest.
>>>
>>> Wei.
>>>
>>
>>
>


Re: [Xen-devel] unable to create domain after enabling XSM

2016-05-17 Thread Big Strong
I should add the xsm=policy option to the end of the xen.cfg instead of as
an option. Sorry for the fault.

However, another problem is that when I modified the policy and reloaded it
using '*xl loadpolicy*', the policy did not seem to work.

The policy I added is *'allow domU_t security_t:security check_context; allow
domU_t domU_t_self:hvm gethvmc;*', and it is successfully loaded.

But executing XEN_DOMCTL_gethvmcontext_partial in domU_t would still cause
the following violations:

*(XEN) avc:  denied  { gethvmc } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
tclass=hvm*

Rebooting xen with the new policy doesn't work either. BTW, the domU_t I
created is an HVM, I hope that is not the problem.

2016-05-17 16:33 GMT+08:00 Jan Beulich :

> >>> On 16.05.16 at 17:00,  wrote:
> > Actually I did that, but the policy is not loaded at all. 'xl list -Z'
> > shows no label on guests. It seems that the option 'xsm=xen-policy-4.6.0'
> > is ignored during booting. (the policy file is moved to the same directory
> > as xen.cfg)
>
> If you suspect it to be ignored, then please provide logs so we
> can identify _where_ it gets ignored: The early EFI loader should
> be pulling it into memory (note that the respective messages will
> only be visible in a serial log if you also enable serial output for
> EFI itself), and then XSM should be consuming it. Which of the
> two goes wrong would be quite helpful to know, the more that it
> looks like this works for others (e.g. Konrad).
>
> Jan
>
>


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-16 Thread Big Strong
To solve that, I install xen and tools in the guest, so as to access its
domain id and vcpu info to overcome the 'domain is null' error. Now the
problem is solved, but errors come at 'domain != DOMID_SELF' checking
<http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5238>.
The DOMID_SELF is always 32752 (0x7FF0), while a.domain is the domid of the
guest, which causes the check to fail and exit. Any help?

2016-05-16 17:06 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> Your opinion is inspiring. During the past days, I've tried to directly
> call HVMOP_altp2m_vcpu_enable_notify in guest by ioctl, this time it fails
> for "domain is null" checking.
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5167>
> I thought it might be because the guest is not able to achieve the vcpu
> info of its current state
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5164>.
> While in dom0, this is not a problem. But dom0 is unable to
> call  HVMOP_altp2m_vcpu_enable_notify for the guest. How can I solve this
> contradiction?
>
> 2016-05-12 23:17 GMT+08:00 Wei Liu <wei.l...@citrix.com>:
>
>> On Thu, May 12, 2016 at 09:00:12PM +0800, Big Strong wrote:
>> > I'm still not very clear why would do_altp2m_op change the domain to
>> > current domain (which is dom0 in my case) when the cmd is
>> > HVMOP_altp2m_vcpu_enable_notify
>> > <
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6198
>> >.
>> > As to my case, it would prevent the dom0 to set the #ve info page for
>> other
>> > domUs because the check of is_hvm_domain would fail
>> > <
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6204
>> >and
>> > the function will return directly.
>> >
>>
>> Maybe the intent of that HVMOP is to get called directly by the guest
>> that is interested in such event?
>>
>> It looks like a natural restriction to me because the vcpu needs to set
>> up handler for #ve AIUI. It's not likely that Dom0 can do this for
>> arbitrary guest.
>>
>> Wei.
>>
>
>


Re: [Xen-devel] unable to create domain after enabling XSM

2016-05-16 Thread Big Strong
Actually I did that, but the policy is not loaded at all. 'xl list -Z' shows
no label on guests. It seems that the option 'xsm=xen-policy-4.6.0' is
ignored during booting. (the policy file is moved to the same directory as
xen.cfg)

2016-05-16 21:43 GMT+08:00 Konrad Rzeszutek Wilk <konrad.w...@oracle.com>:

> On Mon, May 16, 2016 at 10:43:49AM +0100, Andrew Cooper wrote:
> > On 16/05/16 09:54, Big Strong wrote:
> > > Problem solved by booting xen with grub instead of efi. The deep
> > > reason is unknown.
> >
> > Ah - that is very useful to know, and now obvious.  EFI has no concept
> > of modules, which probably means the XSM policy doesn't get loaded.
>
> It does. You just add in xen.cfg:
> [konrad@x230 efi]$ more xen.cfg
> [global]
> default=xtt
>
> [xtt]
> options=console=com1,vga com1=115200,8n1 loglvl=all guest_loglvl=all
> kernel=vmlinuz console=hvc0
> ramdisk=initramfs.cpio.gz
> xsm=xenpolicy
>
> The 'xsm' attribute.
> ?
> >
> > FWIW, there is a plan to change how XSM policies are done in the future,
> > by embedding the policy at build time.
> >
> > ~Andrew
>
>
>


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-16 Thread Big Strong
Your opinion is inspiring. During the past days, I've tried to directly
call HVMOP_altp2m_vcpu_enable_notify in guest by ioctl, this time it fails
for "domain is null" checking.
<http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5167>
I thought it might be because the guest is not able to achieve the vcpu info of
its current state
<http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=7492030a131a4212d9ca8e700621b2c8836867a9;hb=4f6aea066fe2cf3bf4929d6dac1e558071566f73#l5164>.
While in dom0, this is not a problem. But dom0 is unable to
call  HVMOP_altp2m_vcpu_enable_notify for the guest. How can I solve this
contradiction?

2016-05-12 23:17 GMT+08:00 Wei Liu <wei.l...@citrix.com>:

> On Thu, May 12, 2016 at 09:00:12PM +0800, Big Strong wrote:
> > I'm still not very clear why would do_altp2m_op change the domain to
> > current domain (which is dom0 in my case) when the cmd is
> > HVMOP_altp2m_vcpu_enable_notify
> > <
> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6198
> >.
> > As to my case, it would prevent the dom0 to set the #ve info page for
> other
> > domUs because the check of is_hvm_domain would fail
> > <
> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6204
> >and
> > the function will return directly.
> >
>
> Maybe the intent of that HVMOP is to get called directly by the guest
> that is interested in such event?
>
> It looks like a natural restriction to me because the vcpu needs to set
> up handler for #ve AIUI. It's not likely that Dom0 can do this for
> arbitrary guest.
>
> Wei.
>


Re: [Xen-devel] unable to create domain after enabling XSM

2016-05-16 Thread Big Strong
Problem solved by booting xen with grub instead of efi. The deep reason is
unknown.

2016-05-16 11:08 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> As you suggested, I used xen 4.7.0-rc2 to test it again and the problem
> still exists.
>
> $ sudo xl create xen-config/win7
>> Parsing config from xen-config/win7
>> libxl: error: libxl_device.c:1033:device_backend_callback: unable to add
>> device with path /local/domain/0/backend/vbd/1/51712
>> libxl: error: libxl_create.c:1252:domcreate_launch_dm: unable to add disk
>> devices
>> libxl: error: libxl_device.c:1033:device_backend_callback: unable to
>> remove device with path /local/domain/0/backend/vbd/1/51712
>> libxl: error: libxl.c:1636:devices_destroy_cb: libxl__devices_destroy
>> failed for 1
>> libxl: error: libxl.c:1564:libxl__destroy_domid: non-existant domain 1
>> libxl: error: libxl.c:1523:domain_destroy_callback: unable to destroy
>> guest with domid 1
>> libxl: error: libxl.c:1452:domain_destroy_cb: destruction of domain 1
>> failed
>
>
> Denied behaviors:
>
> ~$ sudo xl dmesg | grep avc
>> (XEN) avc:  denied  { send } for domid=0
>> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t
>> tclass=event
>
>
> Corresponding rules:
>
> ~$ sudo xl dmesg | grep avc | audit2allow
>> #= dom0_t ==
>> allow dom0_t self:event send;
>
>
> When I tried to add this rule to xen.te, it says
>
> libsepol.check_assertion_helper: neverallow on line 2023 violated by allow
>> dom0_t dom0_t:event { send };
>>
>
> So I comment the following restriction in policy.conf and recompile flask
> policy with the new rule added.
>
> neverallow * ~event_type:event { create send status };
>
>
> This time no rule violations are generated by checking 'xl dmesg| grep
> avc', but the errors in the very first place when creating domU (both hvm
> and pv, with or without seclabel) still exist.
>
> Basic info of xen configuration:
>
> $ sudo xl info
>> host   : storage
>> release: 3.19.0
>> version: #1 SMP Tue Dec 8 09:27:36 CST 2015
>> machine: x86_64
>> nr_cpus: 6
>> max_cpu_id : 143
>> nr_nodes

Re: [Xen-devel] unable to create domain after enabling XSM

2016-05-15 Thread Big Strong


If you need any further information, please feel free to ask. Any
suggestions will be appreciated.

2016-05-15 22:36 GMT+08:00 Andrew Cooper <andrew.coop...@citrix.com>:

> On 15/05/16 15:25, Big Strong wrote:
>
> Hi,
>
> I've configured xen 4.6.0 with xsm enabled and use the default flask
> policy to boot the dom0.
>
>
> For issues like this, please always use the latest stable branch, in this
> case making that Xen 4.6.1+.  It is entirely possible that bugfixes have
> been backported.
>
> In this case, can you try current master (or 4.7.0-rc2)? Some of these
> errors have definitely been fixed in the 4.7 dev period.
>
> ~Andrew
>


[Xen-devel] unable to create domain after enabling XSM

2016-05-15 Thread Big Strong
Hi,

I've configured xen 4.6.0 with xsm enabled and use the default flask policy
to boot the dom0.
However, when I tried to create a domU, it will fail for following reasons:

>
> (XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc:  granted  { load_policy } for domid=0
> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t
> tclass=security


So I added the following rules to xen.te, which are achieved by 'sudo xl dmesg |
grep avc | audit2allow'

>
> allow dom0_t xen_t:domain getdomaininfo;
> allow dom0_t xen_t:event send;
> allow dom0_t xen_t:grant copy;
> allow dom0_t xen_t:hvm { trackdirtyvram irqlevel };
> allow dom0_t xen_t:domain { destroy pause };
> allow dom0_t self:event send;


And recompiled the flask policy and loaded it using 'xl loadpolicy', however,
the creation of domU (both hvm and pv, with or without seclabel) will still
fail for the following reasons, even though there are no avc violations.

$ sudo xl create ~/xen-config/ubuntu-hvm3
> Parsing config from /home/john/xen-config/ubuntu-hvm
> libxl: error: libxl_device.c:952:device_backend_callback: unable to add
> device with path /local/domain/0/backend/vbd/5/51712
> libxl: error: libxl_device.c:952:device_backend_callback: unable to add
> device with path /local/domain/0/backend/vbd/5/5632
> libxl: error: libxl_create.c:1174:domcreate_launch_dm: unable to add disk
> devices
> libxl: error: libxl_dm.c:1956:kill_device_model: unable to find device
> model pid in /local/domain/5/image/device-model-pid
> libxl: error: libxl.c:1628:libxl__destroy_domid:
> libxl__destroy_device_model failed for 5
> libxl: error: libxl_device.c:952:device_backend_callback: unable to remove
> device with path /local/domain/0/backend/vbd/5/51712
> libxl: error: libxl_device.c:952:device_backend_callback: unable to remove
> device with path /local/domain/0/backend/vbd/5/5632
> libxl: error: libxl.c:1665:devices_destroy_cb: libxl__devices_destroy
> failed for 5
> libxl: error: libxl.c:1591:libxl__destroy_domid: non-existant domain 5
> libxl: error: libxl.c:1549:domain_destroy_callback: unable to destroy
> guest with domid 5
> libxl: error: libxl.c:1476:domain_destroy_cb: destruction of domain 5
> failed


When XSM is disabled, the creation succeeds. What do these errors mean
anyway?
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
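
Added example, not part of the original thread and not Xen project code: the audit2allow step described in the messages above, applied to AVC records as they appear in this archive (mail-quoted and hard-wrapped), with each candidate rule checked against the neverallow assertion quoted in the follow-up message. The sample log is constructed from line shapes in the thread; the EVENT_TYPES membership and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# One Xen Flask AVC record. Optional key=value tokens (domid=, and anything
# else the hypervisor prints) may sit between "for" and scontext=.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+"
    r"(?:\w+=\S+\s+)*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Assertion quoted in the thread:
#   neverallow * ~event_type:event { create send status };
NEVERALLOW_CLASS = "event"
NEVERALLOW_PERMS = {"create", "send", "status"}
# Assumption: constructed stand-in for the members of the event_type
# attribute. Read the real membership from the policy you actually build.
EVENT_TYPES = {"dom0_t_channel", "domU_t_channel"}

# Constructed sample, shaped like the records quoted in the thread
# (quote markers and hard wraps included on purpose).
SAMPLE = """\
> (XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc:  denied  { gethvmc } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
>> tclass=hvm
> (XEN) avc:  granted  { load_policy } for domid=0
> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t
> tclass=security
"""


def unwrap(text):
    """Strip mail quote markers and join hard-wrapped lines."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)


def parse_avc(text):
    """Return one dict per AVC record found in (possibly quoted) text."""
    records = []
    for m in AVC_RE.finditer(unwrap(text)):
        records.append({
            "verdict": m["verdict"],
            "perms": frozenset(m["perms"].split()),
            # contexts are user:role:type; the type is the third field
            "source": m["scontext"].split(":")[2],
            "target": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
        })
    return records


def candidate_rules(records):
    """Group denials by (source, target, class); count repeats."""
    rules, hits = {}, Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["source"], r["target"], r["tclass"])
        rules.setdefault(key, set()).update(r["perms"])
        hits[key] += 1
    return rules, hits


def violates_event_neverallow(target, tclass, perms, event_types=EVENT_TYPES):
    """True if an allow rule for this tuple would trip the quoted assertion."""
    return (tclass == NEVERALLOW_CLASS
            and target not in event_types
            and bool(NEVERALLOW_PERMS & set(perms)))


def render(rules):
    """Return [(allow-rule text, trips_neverallow)] in sorted order."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        shown = "self" if src == tgt else tgt
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append((f"allow {src} {shown}:{cls} {perm_txt};",
                    violates_event_neverallow(tgt, cls, perms)))
    return out


if __name__ == "__main__":
    rules, hits = candidate_rules(parse_avc(SAMPLE))
    for (rule, flagged), key in zip(render(rules), sorted(rules)):
        note = "  # would violate the event neverallow" if flagged else ""
        print(f"{rule}  # seen {hits[key]}x{note}")
```

A True flag marks a rule that libsepol would reject under that assertion, as it did for 'allow dom0_t dom0_t:event { send }' in the thread.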


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-12 Thread Big Strong
I'm still not very clear why would do_altp2m_op change the domain to
current domain (which is dom0 in my case) when the cmd is
HVMOP_altp2m_vcpu_enable_notify
<http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6198>.
As to my case, it would prevent the dom0 to set the #ve info page for other
domUs because the check of is_hvm_domain would fail
<http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;hb=743289d0296268fe6bad64531a24d8053afeb062#l6204> and
the function will return directly.

2016-05-12 0:26 GMT+08:00 Sahita, Ravi <ravi.sah...@intel.com>:

> Hi Fangtuo,
>
>
>
> #VE can be setup to be delivered to any dom that is a HVM.
>
>
>
> Ravi
>
>
>
> *From:* Big Strong [mailto:fangtu...@gmail.com]
> *Sent:* Wednesday, May 11, 2016 8:38 AM
> *To:* Wei Liu <wei.l...@citrix.com>
> *Cc:* Tamas K Lengyel <tamas.k.leng...@gmail.com>; Sahita, Ravi <
> ravi.sah...@intel.com>; Xen-devel <xen-devel@lists.xen.org>
> *Subject:* Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail
>
>
>
> Is that a bug, or can the #ve info page only exist on dom0? If this is
> true, why would there be an is_hvm_domain check which will stop the
> execution of xc_altp2m_vcpu_enable_notify?
>
>
>
> 2016-05-11 15:56 GMT+08:00 Big Strong <fangtu...@gmail.com>:
>
> From what I analyzed, can I draw a conclusion that the current
> implementation of do_altp2m_op means #ve info page can only be set on dom0
> memory and the dom0 must be a hvm? This seems ridiculous as dom0 is a
> special pv guest.
>
>
>
> 2016-05-11 11:37 GMT+08:00 Big Strong <fangtu...@gmail.com>:
>
> Further debugging shows that the domain is changed to domain 0 during the
> check of whether the cmd of do_altp2m_op
> is HVMOP_altp2m_vcpu_enable_notify, located at here
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6198>.
> As domain 0 is a pv guest, it causes the is_hvm_domain
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
> check failed, and thus the execution never goes to
> HVMOP_altp2m_vcpu_enable_notify
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6267>,
> which in the end cause xc_altp2m_set_vcpu_enable_notify fail. Why would *the
> logic of do_altp2m_op change the domain to dom0 when the cmd of
> do_altp2m_op is HVMOP_altp2m_vcpu_enable_notify*?
>
>
>
> Thanks for the suggestion, after adding printk to all the routines
> of xc_altp2m_set_vcpu_enable_notify, it turns out that the problem is
> because *the check of is_hvm_domain()
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
> failed* in function do_altp2m_op()
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6179>.
> However, I've already configured the VM to build as a HVM by adding option
> "builder=hvm" in the config file, but for unknown reason the .printk of
> domain->type is guest_type_pv. I've tried both windows and linux as the
> guest VM, both failed for the same reason. Any ideas?
>
>
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-11 Thread Big Strong
Is that a bug, or can the #ve info page only exist on dom0? If this is
true, why would there be an is_hvm_domain check which will stop the
execution of xc_altp2m_vcpu_enable_notify?

2016-05-11 15:56 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> From what I analyzed, can I draw a conclusion that the current
> implementation of do_altp2m_op means #ve info page can only be set on dom0
> memory and the dom0 must be a hvm? This seems ridiculous as dom0 is a
> special pv guest.
>
> 2016-05-11 11:37 GMT+08:00 Big Strong <fangtu...@gmail.com>:
>
>> Further debugging shows that the domain is changed to domain 0 during the
>> check of whether the cmd of do_altp2m_op
>> is HVMOP_altp2m_vcpu_enable_notify, located at here
>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6198>.
>> As domain 0 is a pv guest, it causes the is_hvm_domain
>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
>> check failed, and thus the execution never goes to
>> HVMOP_altp2m_vcpu_enable_notify
>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6267>,
>> which in the end cause xc_altp2m_set_vcpu_enable_notify fail. Why would *the
>> logic of do_altp2m_op change the domain to dom0 when the cmd of
>> do_altp2m_op is HVMOP_altp2m_vcpu_enable_notify*?
>>
>>>> Thanks for the suggestion, after adding printk to all the routines
>>>> of xc_altp2m_set_vcpu_enable_notify, it turns out that the problem is
>>>> because *the check of is_hvm_domain()
>>>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
>>>> failed* in function do_altp2m_op()
>>>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6179>.
>>>> However, I've already configured the VM to build as a HVM by adding option
>>>> "builder=hvm" in the config file, but for unknown reason the .printk of
>>>> domain->type is guest_type_pv. I've tried both windows and linux as the
>>>> guest VM, both failed for the same reason. Any ideas?
>>>>
>>>
>>
>


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-11 Thread Big Strong
From what I analyzed, can I draw a conclusion that the current
implementation of do_altp2m_op means #ve info page can only be set on dom0
memory and the dom0 must be a hvm? This seems ridiculous as dom0 is a
special pv guest.

2016-05-11 11:37 GMT+08:00 Big Strong <fangtu...@gmail.com>:

> Further debugging shows that the domain is changed to domain 0 during the
> check of whether the cmd of do_altp2m_op
> is HVMOP_altp2m_vcpu_enable_notify, located at here
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6198>.
> As domain 0 is a pv guest, it causes the is_hvm_domain
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
> check failed, and thus the execution never goes to
> HVMOP_altp2m_vcpu_enable_notify
> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6267>,
> which in the end cause xc_altp2m_set_vcpu_enable_notify fail. Why would *the
> logic of do_altp2m_op change the domain to dom0 when the cmd of
> do_altp2m_op is HVMOP_altp2m_vcpu_enable_notify*?
>
>>> Thanks for the suggestion, after adding printk to all the routines
>>> of xc_altp2m_set_vcpu_enable_notify, it turns out that the problem is
>>> because *the check of is_hvm_domain()
>>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6204>
>>> failed* in function do_altp2m_op()
>>> <http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/hvm.c;h=615fa8908375aaad452e2be69fe183c2a12b82bf;hb=b24ad7ba911a9f0688ab179736476e44c52144f1#l6179>.
>>> However, I've already configured the VM to build as a HVM by adding option
>>> "builder=hvm" in the config file, but for unknown reason the .printk of
>>> domain->type is guest_type_pv. I've tried both windows and linux as the
>>> guest VM, both failed for the same reason. Any ideas?
>>>
>>
>


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-10 Thread Big Strong
Further debugging shows that the domain is changed to domain 0 during the
check of whether the cmd of do_altp2m_op
is HVMOP_altp2m_vcpu_enable_notify, located here.
As domain 0 is a pv guest, it causes the is_hvm_domain
check to fail, and thus the execution never goes to
HVMOP_altp2m_vcpu_enable_notify,
which in the end causes xc_altp2m_set_vcpu_enable_notify to fail. Why would the
logic of do_altp2m_op change the domain to dom0 when the cmd of
do_altp2m_op is HVMOP_altp2m_vcpu_enable_notify?

>> Thanks for the suggestion, after adding printk to all the routines
>> of xc_altp2m_set_vcpu_enable_notify, it turns out that the problem is
>> because the check of is_hvm_domain()
>> failed in function do_altp2m_op().
>> However, I've already configured the VM to build as a HVM by adding option
>> "builder=hvm" in the config file, but for unknown reason the .printk of
>> domain->type is guest_type_pv. I've tried both windows and linux as the
>> guest VM, both failed for the same reason. Any ideas?
>>
>


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-10 Thread Big Strong
>
> I think you need to add more printk to find out.
>
> Wei.
>

Thanks for the suggestion, after adding printk to all the routines
of xc_altp2m_set_vcpu_enable_notify, it turns out that the problem is
because the check of is_hvm_domain()
failed in function do_altp2m_op().
However, I've already configured the VM to build as a HVM by adding option
"builder=hvm" in the config file, but for unknown reason the .printk of
domain->type is guest_type_pv. I've tried both windows and linux as the
guest VM, both failed for the same reason. Any ideas?


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-09 Thread Big Strong
>
> You need to have appropriate log level set.
>
> Try adding loglvl=all guest_loglvl=all to your xen command line and
> reboot.
>
> Wei.
>

I've enabled all the log levels just as you said, but no output appears from
the HVMOP_altp2m_vcpu_enable_notify section of the do_altp2m_op function, so
does that mean the function is not called at all?

    case HVMOP_altp2m_vcpu_enable_notify:
    {
        struct vcpu *curr = current;
        p2m_type_t p2mt;

        if ( a.u.enable_notify.pad || a.domain != DOMID_SELF ||
             a.u.enable_notify.vcpu_id != curr->vcpu_id )
        {
            rc = -EINVAL;
            /* debug output: the arguments that failed validation */
            gdprintk(XENLOG_INFO, "enable_notify args error pad:%d domain:%d vcpu:%d curr->vcpu:%d\n",
                     a.u.enable_notify.pad, a.domain,
                     a.u.enable_notify.vcpu_id, curr->vcpu_id);
        }

        if ( (gfn_x(vcpu_altp2m(curr).veinfo_gfn) != INVALID_GFN) ||
             (mfn_x(get_gfn_query_unlocked(curr->domain,
                    a.u.enable_notify.gfn, &p2mt)) == INVALID_MFN) )
        {
            /* log first: a statement placed after the return never runs */
            gdprintk(XENLOG_INFO, "veinfo page is invalid\n");
            return -EINVAL;
        }

        vcpu_altp2m(curr).veinfo_gfn = _gfn(a.u.enable_notify.gfn);
        altp2m_vcpu_update_vmfunc_ve(curr);
        gdprintk(XENLOG_INFO, "veinfo page set successfully\n");
        break;
    }


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-09 Thread Big Strong
>
> You should put in some extra gdprintk's into the altp2m path of Xen to see
> how far it gets when you try to enable VE. That would enable us to pinpoint
> where it gets stuck exactly.
>
> Tamas
>
I've added gdprintk into HVMOP_altp2m_vcpu_enable_notify section of
do_altp2m_op function, but no output is generated using "xl dmesg". Is
there any other place where gdprintk prints?


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-07 Thread Big Strong
>
> libxc functions always return -1 when it fails. You need the specific
> errno to know what went wrong.


Yeah, I know it means a failure. Actually, I noticed that there is a
comment in the source code of xen, which says:

"This is a bit odd to me that it acts on current..  it return -1 directly"

which is exactly about xc_altp2m_set_vcpu_enable_notify. In my case,
xc_altp2m_set_vcpu_enable_notify always returns -1 just as the author
comments. Besides, I've also found no existing usage of this function all
over the Internet. So I'm wondering if this function actually works or not.
Anyway, why would the author comment that? @Ian @Tamas


> Do you have any difficulty debugging Xen? We might be able to give some
> pointers on how to do that.


Yeah, I've enabled the debug option when compiling xen. What other steps should
I take to use a remote gdb to debug xen instead of dom0 or domU?


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-04 Thread Big Strong
>
> A bit more information on this. There is a on-going discussion on the
> errno topic on xen-devel. The safe bet is that if you use errno in the
> os it is probably in the os name space. If you get errno from hypercall
> struct it should be in xen's name space.
>
> Wei.
>

I don't know what is the cause of the vmfunc error, but I'm afraid that
this is not caused by xc_altp2m_set_vcpu_enable_notify, as I can't
reproduce the error using the code below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <xenctrl.h>

    int main(int argc, char *argv[])
    {
        /* libxc handle; its setup is not part of the posted listing */
        xc_interface *xci = xc_interface_open(NULL, NULL, 0);
        domid_t domid;
        int vcpuid;
        int rc = -1;
        xen_pfn_t new_gfn;

        if (xci == NULL)
        {
            printf("fail to open xc interface\n");
            return -1;
        }
        if (argc != 3)
        {
            printf("arguments error, please input domid vcpuid\n");
            return -1;
        }
        else
        {
            domid = atoi(argv[1]);
            vcpuid = atoi(argv[2]);
        }

        //increase memory reservation for guest
        rc = xc_domain_increase_reservation_exact(xci, domid, 1,
                                                  0, 0, &new_gfn);
        if (rc < 0)
        {
            printf("fail to increase memory reservation\n");
            return -1;
        }
        printf("added memory:%ld\n", new_gfn);

        //map the memory to guest memory space
        rc = xc_domain_populate_physmap_exact(xci, domid, 1, 0, 0, &new_gfn);
        if (rc < 0)
        {
            printf("fail to map increased memory\n");
            return -1;
        }

        //set #VE info area in VMCS
        rc = xc_altp2m_set_vcpu_enable_notify(xci, domid, vcpuid, new_gfn);
        if (rc < 0)
        {
            printf("fail to set #ve info page:%ld \n", new_gfn);
            return -1;
        }
        printf("succeed setting #ve info for page:%ld\n", new_gfn);

        //enable #VE in VMCS
        rc = xc_altp2m_set_domain_state(xci, domid, 1);
        if (rc < 0)
        {
            printf("error enabing #VE\n");
            return -1;
        }
        return 0;
    }

The code always stops at the xc_altp2m_set_vcpu_enable_notify, which is
used to assign the new page as #VE info page. As I can't debug the Xen
source code, I don't know why xc_altp2m_set_vcpu_enable_notify always returns -1.
Any ideas?


[Xen-devel] rdmsr general protection error

2016-05-03 Thread Big Strong
I want to test if my processor supports VMFUNC which is described as:

> The IA32_VMX_VMFUNC MSR exists only on processors that support the
> 1-setting of the “activate secondary controls” VM-execution control (only if
> *bit 63 of the IA32_VMX_PROCBASED_CTLS MSR is 1*) and the 1-setting of the
> “enable VM functions” secondary processor-based VM-execution control (only
> if *bit 45 of the IA32_VMX_PROCBASED_CTLS2 MSR is 1*).

So in order to do that, I need to use rdmsr as follows:

    unsigned int eax, edx;

    //IA32_VMX_PROCBASED_CTLS
    __asm__ __volatile__("rdmsr" : "=a" (eax), "=d" (edx) : "c" (0x482));

    //IA32_VMX_PROCBASED_CTLS2
    __asm__ __volatile__("rdmsr" : "=a" (eax), "=d" (edx) : "c" (0x48B));

But both the rdmsr instructions would cause a #GP, even when I run them from
native linux as a root user and without xen running.

So is there a way to use the rdmsr in dom0?
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
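
Added example, not part of the original post: RDMSR is a privileged instruction and raises #GP outside ring 0, so on Linux the capability MSRs quoted above are normally read as root through the msr driver's /dev/cpu/N/msr files. The code below checks them in dependency order; the helper names and the fake reader's constructed values are this example's own, and the checks of bit 50 of IA32_VMX_PROCBASED_CTLS2 ("EPT-violation #VE") and bit 0 of IA32_VMX_VMFUNC (EPTP switching) go beyond the two bits named in the post.

```c
/* Added example: probe VMFUNC / #VE support from the VMX capability MSRs. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IA32_VMX_PROCBASED_CTLS   0x482u
#define IA32_VMX_PROCBASED_CTLS2  0x48Bu
#define IA32_VMX_VMFUNC           0x491u

/* Bit positions of the controls inside their 32-bit control fields. */
#define CTL_ACTIVATE_SECONDARY    31u  /* allowed-1 reported at MSR bit 63 */
#define CTL2_ENABLE_VM_FUNCTIONS  13u  /* allowed-1 reported at MSR bit 45 */
#define CTL2_EPT_VIOLATION_VE     18u  /* allowed-1 reported at MSR bit 50 */

/* Reader callback, so the decoding also runs on constructed values. */
typedef int (*msr_reader)(void *ctx, uint32_t index, uint64_t *value);

struct vmx_caps {
    int secondary_controls;  /* "activate secondary controls" may be 1 */
    int vm_functions;        /* "enable VM functions" may be 1 */
    int ept_violation_ve;    /* "EPT-violation #VE" may be 1 */
    int eptp_switching;      /* VM function 0 is available */
};

/* Bits 63:32 of a VMX control capability MSR are the allowed 1-settings. */
static int allowed1(uint64_t msr, unsigned int bit)
{
    return (int)((msr >> (32u + bit)) & 1u);
}

/*
 * Read the MSRs in dependency order and stop before any MSR that is not
 * guaranteed to exist. Returns 0 on success, -1 if an expected read failed.
 */
int probe_vmx_caps(msr_reader rd, void *ctx, struct vmx_caps *caps)
{
    uint64_t v;

    *caps = (struct vmx_caps){0};
    if (rd(ctx, IA32_VMX_PROCBASED_CTLS, &v) != 0)
        return -1;
    caps->secondary_controls = allowed1(v, CTL_ACTIVATE_SECONDARY);
    if (!caps->secondary_controls)
        return 0;               /* IA32_VMX_PROCBASED_CTLS2 does not exist */

    if (rd(ctx, IA32_VMX_PROCBASED_CTLS2, &v) != 0)
        return -1;
    caps->vm_functions = allowed1(v, CTL2_ENABLE_VM_FUNCTIONS);
    caps->ept_violation_ve = allowed1(v, CTL2_EPT_VIOLATION_VE);
    if (!caps->vm_functions)
        return 0;               /* IA32_VMX_VMFUNC does not exist */

    if (rd(ctx, IA32_VMX_VMFUNC, &v) != 0)
        return -1;
    caps->eptp_switching = (int)(v & 1u);  /* bit 0: EPTP switching */
    return 0;
}

/* Reader backed by the Linux msr driver; ctx points to an int CPU number. */
int devmsr_reader(void *ctx, uint32_t index, uint64_t *value)
{
    char path[64];
    int fd, ok;

    snprintf(path, sizeof(path), "/dev/cpu/%d/msr", *(int *)ctx);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* The file offset selects the MSR index; each read returns 8 bytes. */
    ok = lseek(fd, (off_t)index, SEEK_SET) == (off_t)index &&
         read(fd, value, sizeof(*value)) == (ssize_t)sizeof(*value);
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed values standing in for a CPU, for runs without the driver. */
struct fake_msrs { uint64_t ctls, ctls2, vmfunc; int reads; };

int fake_reader(void *ctx, uint32_t index, uint64_t *value)
{
    struct fake_msrs *f = ctx;

    f->reads++;
    switch (index) {
    case IA32_VMX_PROCBASED_CTLS:  *value = f->ctls;   return 0;
    case IA32_VMX_PROCBASED_CTLS2: *value = f->ctls2;  return 0;
    case IA32_VMX_VMFUNC:          *value = f->vmfunc; return 0;
    default:                       return -1;
    }
}

int main(void)
{
    int cpu = 0;
    struct vmx_caps c;

    if (probe_vmx_caps(devmsr_reader, &cpu, &c) != 0)
        return 1;  /* needs root and the msr module loaded */
    printf("secondary controls:%d VM functions:%d #VE:%d EPTP switching:%d\n",
           c.secondary_controls, c.vm_functions, c.ept_violation_ve,
           c.eptp_switching);
    return 0;
}
```

Values read this way inside a virtual machine are whatever the hypervisor chooses to expose, not necessarily those of the physical CPU.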


Re: [Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-02 Thread Big Strong
>
> Check the errno please, thats' where the information is stored.


I looked up in the source code of xen 4.6, and found that errno 4 indicates
"Interrupted system call", I'm not sure if it is the cause.

Another information about VMFUNC error is from the Intel Manual:

> 25.5.5.2 General Operation of the VMFUNC Instruction
> The VMFUNC instruction causes an invalid-opcode exception (#UD) if the
> “enable VM functions” VM-execution
> control is 0 or the value of EAX is greater than 63 (only VM functions
> 0–63 can be enabled). Otherwise, the
> instruction causes a VM exit if the bit at position EAX is 0 in the
> VM-function controls (the selected VM function is
> not enabled). If such a VM exit occurs, the basic exit reason used is 59
> (3BH), indicating “VMFUNC”, and the length
> of the VMFUNC instruction is saved into the VM-exit instruction-length
> field. If the instruction causes neither an
> invalid-opcode exception nor a VM exit due to a disabled VM function, it
> performs the functionality of the
> VM function specified by the value in EAX.


i.e. in conditions when guest software invoked a VM function with the
VMFUNC instruction and the VM function either was not
enabled or generated a function-specific condition causing a VM exit.

But I've already enabled VM function and the conditions described in the
manual are not true (EAX is 0), so I'm still not clear about the real reason.


[Xen-devel] xc_altp2m_set_vcpu_enable_notify fail

2016-05-02 Thread Big Strong
I've successfully added a new physical page to the guest and am trying to use it as
the virtualization exception (#VE) information page. However, the function:
xc_altp2m_set_vcpu_enable_notify(xci, domid, vcpuid, gfn)
failed for unknown reason (return -1). The only related info I can get is
by `dmesg`:

    [605716.546390] vmfunc[16835]: segfault at 0 ip 004009fb sp 7fff3a7b87a0 error 4 in vmfunc[40+1000]
    [605781.162125] vmfunc[16840]: segfault at 0 ip 004009fb sp 7fffd84c86d0 error 4 in vmfunc[40+1000]
    [606113.290934] vmfunc[16860]: segfault at 0 ip 004009fb sp 7fffaa076fb0 error 4 in vmfunc[40+1000]


Re: [Xen-devel] how to set up a #VE

2016-04-28 Thread Big Strong
>
> You can always just add a new page to the domain to be used for #VE.

Is there a method to directly assign physical pages to guest from dom0?
Using xc_map_foreign_address just like libvmi?

2016-04-28 23:07 GMT+08:00 Tamas K Lengyel <tamas.k.leng...@gmail.com>:

>
>
> On Thu, Apr 28, 2016 at 8:36 AM, Big Strong <fangtu...@gmail.com> wrote:
>
>> I want to set up an EPT page so as to trigger the #VE for testing
>> purpose. However, some problems are met.
>>
>> As the Intel Manual said, there are many conditions to trigger a #VE:
>>
>> a)  If an access to a guest-physical address causes an EPT
>> violation, bit 63 (0) of exactly one of the EPT paging-structure entries
>> used to translate that address is used to determine *whether the EPT
>> violation is convertible*: either an entry that is not present (if the
>> guest-physical address does not translate to a physical address) or an
>> entry that maps a page (if it does).
>>
>> b)  A convertible EPT violation instead causes a virtualization
>> exception if the following all hold:
>>
>> • CR0.PE = 1;
>>
>> • the logical processor is not in the process of delivering an event
>> through the IDT; and
>>
>> • the 32 bits at offset 4 in the virtualization-exception information
>> area are all 0.
>> In xc_altp2m.c, there is a function xc_altp2m_set_vcpu_enable_notify
>> which is used to set up the #VE information area. However, as the arguments
>> gfn is a physical address (of the guest?), how can I safely assign an
>> unused physical memory space to store #VE info?
>>
>
> You can always just add a new page to the domain to be used for #VE.
>
>
>>
>> Besides, there is no xenctrl interface for setting the suppress_ve bit
>> (63) of the EPT PTE, which is needed to trigger #VE. Even though I can set
>> that with ept_set_entry function, this is an internal function of Xen and
>> unavailable to dom0.
>>
>
> It's undocumented enough (and it took me a bit to find as well) but if you
> use xc_altp2m_set_mem_access and have used xc_altp2m_set_vcpu_enable_notify
> before, then those EPT PTE entries will be converted to #VE automatically.
>
> Tamas
>
>


[Xen-devel] how to set up a #VE

2016-04-28 Thread Big Strong
I want to set up an EPT page so as to trigger the #VE for testing purpose.
However, some problems are met.

As the Intel Manual said, there are many conditions to trigger a #VE:

a)  If an access to a guest-physical address causes an EPT violation, bit
63 (0) of exactly one of the EPT paging-structure entries used to translate
that address is used to determine *whether the EPT violation is convertible*:
either an entry that is not present (if the guest-physical address does not
translate to a physical address) or an entry that maps a page (if it does).

b)  A convertible EPT violation instead causes a virtualization
exception if the following all hold:

• CR0.PE = 1;

• the logical processor is not in the process of delivering an event
through the IDT; and

• the 32 bits at offset 4 in the virtualization-exception information area
are all 0.

In xc_altp2m.c, there is a function
xc_altp2m_set_vcpu_enable_notify which is used to set up the #VE
information area. However, as the argument gfn is a physical address (of
the guest?), how can I safely assign an unused physical memory space to
store #VE info?

Besides, there is no xenctrl interface for setting the suppress_ve bit (63)
of the EPT PTE, which is needed to trigger #VE. Even though I can set that
with ept_set_entry function, this is an internal function of Xen and
unavailable to dom0.
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
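
Added example, not part of the original post: the delivery conditions listed above written out as a C model, together with one consequence of the offset-4 condition, namely that the processor writes FFFFFFFFH to that word when it delivers a #VE, so further convertible violations cause VM exits until the guest handler clears it. The struct and function names are this example's own, ve_control stands for the "EPT-violation #VE" VM-execution control, and the addresses in main are constructed.

```c
/* Added example: model of when an EPT violation is delivered as #VE. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EPTE_SUPPRESS_VE           (1ULL << 63)  /* bit 63 of the EPT entry */
#define EXIT_REASON_EPT_VIOLATION  48u
#define VE_INFO_BUSY               0xFFFFFFFFu   /* written at offset 4 on delivery */

/* Virtualization-exception information area, layout per the Intel SDM. */
struct ve_info {
    uint32_t exit_reason;         /* offset 0 */
    uint32_t semaphore;           /* offset 4: must be 0 for #VE delivery */
    uint64_t exit_qualification;  /* offset 8 */
    uint64_t gla;                 /* offset 16: guest-linear address */
    uint64_t gpa;                 /* offset 24: guest-physical address */
    uint16_t eptp_index;          /* offset 32 */
};
_Static_assert(offsetof(struct ve_info, semaphore) == 4, "ve_info layout");
_Static_assert(offsetof(struct ve_info, gpa) == 24, "ve_info layout");
_Static_assert(offsetof(struct ve_info, eptp_index) == 32, "ve_info layout");

/* Hypothetical per-vCPU state, reduced to what the conditions look at. */
struct vcpu_model {
    int ve_control;        /* "EPT-violation #VE" VM-execution control */
    int cr0_pe;            /* CR0.PE */
    int delivering_event;  /* an event is being delivered through the IDT */
    uint16_t eptp_index;   /* EPTP-list index of the active view */
    struct ve_info info;   /* the page registered as the #VE info area */
};

enum outcome { VM_EXIT, DELIVER_VE };

/* Condition (a): the violation is convertible if bit 63 of the entry is 0. */
int convertible(const struct vcpu_model *v, uint64_t epte)
{
    return v->ve_control && !(epte & EPTE_SUPPRESS_VE);
}

/* Condition (b): deliver #VE only if all three sub-conditions hold. */
enum outcome ept_violation(struct vcpu_model *v, uint64_t epte,
                           uint64_t qual, uint64_t gla, uint64_t gpa)
{
    if (!convertible(v, epte) || !v->cr0_pe || v->delivering_event ||
        v->info.semaphore != 0)
        return VM_EXIT;

    /* Delivery fills the information area and marks it busy. */
    v->info.exit_reason = EXIT_REASON_EPT_VIOLATION;
    v->info.semaphore = VE_INFO_BUSY;
    v->info.exit_qualification = qual;
    v->info.gla = gla;
    v->info.gpa = gpa;
    v->info.eptp_index = v->eptp_index;
    return DELIVER_VE;
}

/* Last step of a guest #VE handler: clear offset 4 to re-arm delivery. */
void ve_handler_done(struct vcpu_model *v)
{
    v->info.semaphore = 0;
}

int main(void)
{
    struct vcpu_model v = { .ve_control = 1, .cr0_pe = 1 };
    const char *name[] = { "VM exit", "#VE" };

    printf("first violation:       %s\n",
           name[ept_violation(&v, 0, 0x2, 0x7000, 0x1234000)]);
    printf("second, area busy:     %s\n",
           name[ept_violation(&v, 0, 0x2, 0x7000, 0x1235000)]);
    ve_handler_done(&v);
    printf("after handler cleared: %s\n",
           name[ept_violation(&v, 0, 0x2, 0x7000, 0x1235000)]);
    ve_handler_done(&v);
    printf("suppress-#VE bit set:  %s\n",
           name[ept_violation(&v, EPTE_SUPPRESS_VE, 0x2, 0x7000, 0x1236000)]);
    return 0;
}
```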


Re: [Xen-devel] no definition of virtualization exception in exception table

2016-04-28 Thread Big Strong
Got it. Thanks for replying.

2016-04-28 17:03 GMT+08:00 Andrew Cooper <andrew.coop...@citrix.com>:

> On 28/04/16 09:53, George Dunlap wrote:
> > On Thu, Apr 28, 2016 at 3:37 AM, Big Strong <fangtu...@gmail.com> wrote:
> >> There is a #VE exception defined in p2086 of Intel Software Development
> >> Manual, however, no definition of exception handler is available in Xen 4.6.
> >> Should I define the handler by myself by modifying the source code of xen,
> >> or is there a way to define the handler of the reserved IDT vectors (0-31,
> >> #VE is 20) without modifying the source code?
> > What are you actually trying to do?
> >
> > Xen shouldn't be generating #VEs itself, so it doesn't need a #VE
> > handler.  Those should only be generated by guests in HVM mode (if I'm
> > remembering things correctly).  In those cases the #VE will either be
> > delivered directly to the guest, or it will cause a VMEXIT.
>
> Correct.  #VE occurs from an EPT permission violation when appropriate
> controls are set up, and either becomes a VMEXIT or an in-guest #VE
> depending on the .suppress_ve bit in a leaf epte.
>
> Unless you are nesting Xen inside another hypervisor on Intel hardware,
> and have opted in to receiving #VE's, you won't encounter any.
>
> ~Andrew
>


[Xen-devel] no definition of virtualization exception in exception table

2016-04-27 Thread Big Strong
There is a #VE exception defined in p2086 of Intel Software Development
Manual, however, no definition of exception handler is available in Xen 4.6.
Should I define the handler by myself by modifying the source code of xen, or is
there a way to define the handler of the reserved IDT vectors (0-31, #VE is
20) without modifying the source code?


Re: [Xen-devel] vcpu state are all paused

2015-12-08 Thread Big Strong
After updating the dom0 kernel to 3.19, all vcpus act normally. Thanks very much.

2015-12-07 21:02 GMT+08:00 Jan Beulich <jbeul...@suse.com>:

> >>> On 07.12.15 at 13:56, <andrew.coop...@citrix.com> wrote:
> > On 07/12/15 12:39, Big Strong wrote:
> >> I set the xen.efi directly boot without grub2 to be able to list all
> >> the cpu cores.
> >> However, after that all the vcpus are in paused state except one for dom0.
> >>
> >> ~$ sudo xl vcpu-list
> >> Name          ID  VCPU  CPU  State  Time(s)  Affinity (Hard / Soft)
> >> Domain-0       0     0    0  r--       64.7  0 / all
> >> Domain-0       0     1    -  --p        0.0  1 / all
> >> Domain-0       0     2    -  --p        0.0  2 / all
> >> Domain-0       0     3    -  --p        0.0  3 / all
> >> ubuntu-hvm     1     0    5  -b-       16.9  4-5 / all
> >>
> >>
> >> The full logs during xen booting is at http://paste.ubuntu.com/13786410/
> >> It looks like some of the ACPI tables are disabled and there are two
> >> errors:
> >> "ACPI BIOS Error (bug): A valid RSDP was not found (20131115/tbxfroot-211)
> >> ioapic: probe of :00:05.4 failed with error -22"
> >> I'm not sure if it's a users' problem or dev problem. If I'm wrong,
> >> please point it out. Any help will be great appreciated.
> >
> > Xen itself gets a proper set of ACPI tables and boots sensibly.
> > However, dom0 fails to retrieve any APCI tables.
>
> Because 3.13 doesn't have Dom0 EFI support yet; this got
> introduced in 3.17.
>
> Jan
>
>


[Xen-devel] vcpu state are all paused

2015-12-07 Thread Big Strong
I set the xen.efi directly boot without grub2 to be able to list all the
cpu cores.
However, after that all the vcpus are in paused state except one for dom0.

    ~$ sudo xl vcpu-list
    Name          ID  VCPU  CPU  State  Time(s)  Affinity (Hard / Soft)
    Domain-0       0     0    0  r--       64.7  0 / all
    Domain-0       0     1    -  --p        0.0  1 / all
    Domain-0       0     2    -  --p        0.0  2 / all
    Domain-0       0     3    -  --p        0.0  3 / all
    ubuntu-hvm     1     0    5  -b-       16.9  4-5 / all

The full logs during xen booting is at http://paste.ubuntu.com/13786410/
It looks like some of the ACPI tables are disabled and there are two errors:

"ACPI BIOS Error (bug): A valid RSDP was not found (20131115/tbxfroot-211)

ioapic: probe of :00:05.4 failed with error -22"

I'm not sure if it's a users' problem or dev problem. If I'm wrong, please
point it out. Any help will be greatly appreciated.


[Xen-devel] what is in a hypercall page?

2015-11-26 Thread Big Strong
Is hypercall page a reference (api) to hypercall functions (handlers) or a
standalone hypercall function collections? Can anybody tell me what is the
code in the page?


[Xen-devel] can I read or write the physical memory of a nested xen?

2015-11-25 Thread Big Strong
I installed a nested xen (L1) on xen (L0). Is it possible to read or write
the physical memory of L1 from dom0 of L0? Does L1 directly access the
physical memory or does it need to translate through L0?


Re: [Xen-devel] How to recognize which guest issues the hypercall?

2015-11-25 Thread Big Strong
Thanks for your reply and sorry for the behavior. Can I get that using
libxc? Because I can't access the structure directly from dom0.

2015-11-25 18:44 GMT+08:00 George Dunlap <dunl...@umich.edu>:

> On Wed, Nov 25, 2015 at 7:18 AM, Big Strong <fangtu...@gmail.com> wrote:
> > I write a program to intercept all hypercalls happened on a xen hypervisor.
> > How can I know which domain called the hypercall? Is it possible to obtain
> > it from the registers?
>
> Why are you cross-posting this to both xen-users and xen-devel?  This
> is obviously a development question.
>
> At any given time, "current" will point to the vcpu struct of the
> currently-running vcpu; current->domain will point to the domain
> struct.  That should get you started.
>
>  -George
>


[Xen-devel] How to recognize which guest issues the hypercall?

2015-11-24 Thread Big Strong
I write a program to intercept all hypercalls happened on a xen hypervisor.
How can I know which domain called the hypercall? Is it possible to obtain
it from the registers?


[Xen-devel] What kind of page mode can Xen use?

2015-11-23 Thread Big Strong
What kind of page mode can Xen use? What's the default page size of xen or
how can I get it? Is hugetable used? I'm using a x64 CPU and the xen
version is 4.4.2


[Xen-devel] how to boot from multiple xen version?

2015-09-03 Thread big strong
I've installed xen4.4 on ubuntu1404 with aptitude. Recently, in order to
test the Xen4.6, I manually compiled and installed Xen4.6 without removing
the Xen4.4. Now the machine cannot boot normally. I mean booting stops at a
screen that shows:

    Loading Xen Xen.
    WARNING: No Console will be available to OS.
    Loading linux 3.13.0-24-generic ...
    Loading initial ramdisk ...


Actually, I'm ok with this. Because I can still connect the dom0 using ssh
before installing Xen 4.6. But after the installing, the network cannot be
connected,

This is the grub.cfg file in /boot/grub/:

#
>
> # DO NOT EDIT THIS FILE
>
> #
>
> # It is automatically generated by grub-mkconfig using templates
> # from /etc/grub.d and settings from /etc/default/grub
> #
> ### BEGIN /etc/grub.d/00_header ###
> if [ -s $prefix/grubenv ]; then
>   set have_grubenv=true
>   load_env
> fi
> if [ "${next_entry}" ] ; then
>set default="${next_entry}"
>set next_entry=
>save_env next_entry
>set boot_once=true
> else
>set default="Ubuntu GNU/Linux, with Xen hypervisor"
> fi
> if [ x"${feature_menuentry_id}" = xy ]; then
>   menuentry_id_option="--id"
> else
>   menuentry_id_option=""
> fi
> export menuentry_id_option
> if [ "${prev_saved_entry}" ]; then
>   set saved_entry="${prev_saved_entry}"
>   save_env saved_entry
>   set prev_saved_entry=
>   save_env prev_saved_entry
>   set boot_once=true
> fi
> function savedefault {
>   if [ -z "${boot_once}" ]; then
> saved_entry="${chosen}"
> save_env saved_entry
>   fi
> }
> function recordfail {
>   set recordfail=1
>   if [ -n "${have_grubenv}" ]; then if [ -z "${boot_once}" ]; then
> save_env recordfail; fi; fi
> }
> function load_video {
>   if [ x$feature_all_video_module = xy ]; then
> insmod all_video
>   else
> insmod efi_gop
> insmod efi_uga
> insmod ieee1275_fb
> insmod vbe
> insmod vga
> insmod video_bochs
> insmod video_cirrus
>   fi
> }
> if [ x$feature_default_font_path = xy ] ; then
>font=unicode
> else
> insmod part_gpt
> insmod lvm
> insmod ext2
> set
> root='lvmid/D6XXXa-yAcw-xbjd-5AXp-wzhu-gzU1-7avET9/kiowbS-lgZx-J4Us-toiX-mc4m-xZgB-2dA2JA'
> if [ x$feature_platform_search_hint = xy ]; then
>   search --no-floppy --fs-uuid --set=root
> --hint='lvmid/D6XXXa-yAcw-xbjd-5AXp-wzhu-gzU1-7avET9/kiowbS-lgZx-J4Us-toiX-mc4m-xZgB-2dA2JA'
>  0f4768d7-64dd-4e80-819d-1f58b4150505
> else
>   search --no-floppy --fs-uuid --set=root
> 0f4768d7-64dd-4e80-819d-1f58b4150505
> fi
> font="/usr/share/grub/unicode.pf2"
> fi
> if loadfont $font ; then
>   set gfxmode=auto
>   load_video
>   insmod gfxterm
>   set locale_dir=$prefix/locale
>   set lang=en_HK
>   insmod gettext
> fi
> terminal_output gfxterm
> if [ "${recordfail}" = 1 ] ; then
>   set timeout=-1
> else
>   if [ x$feature_timeout_style = xy ] ; then
> set timeout_style=menu
> set timeout=2
>   # Fallback normal timeout code in case the timeout_style feature is
>   # unavailable.
>   else
> set timeout=2
>   fi
> fi
> ### END /etc/grub.d/00_header ###
> ### BEGIN /etc/grub.d/05_debian_theme ###
> set menu_color_normal=white/black
> set menu_color_highlight=black/light-gray
> ### END /etc/grub.d/05_debian_theme ###
> ### BEGIN /etc/grub.d/09_linux_xen ###
> menuentry 'Ubuntu GNU/Linux, with Xen hypervisor' --class ubuntu --class
> gnu-linux --class gnu --class os --class xen $menuentry_id_option
> 'xen-gnulinux-simple-0f4768d7-64dd-4e80-819d-1f58b4150505' {
> insmod part_gpt
> insmod ext2
> set root='hd0,gpt2'
> if [ x$feature_platform_search_hint = xy ]; then
>   search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2
> --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2
>  0a900dc0-5839-4ffc-9b16-f5f513ae2d99
> else
>   search --no-floppy --fs-uuid --set=root
> 0a900dc0-5839-4ffc-9b16-f5f513ae2d99
> fi
> echo'Loading Xen xen ...'
> if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
> xen_rm_opts=
> else
> xen_rm_opts="no-real-mode edd=off"
> fi
> multiboot   /xen.gz placeholder  dom0_mem=8192M,max:8192M
> ${xen_rm_opts}
> echo'Loading Linux 3.13.0-24-generic ...'
> module  /vmlinuz-3.13.0-24-generic placeholder
> root=/dev/mapper/storage--vg-root ro
> echo'Loading initial ramdisk ...'
> module  --nounzip   /initrd.img-3.13.0-24-generic
> }
> submenu 'Advanced options for Ubuntu GNU/Linux (with Xen hypervisor)'
> $menuentry_id_option
> 'gnulinux-advanced-0f4768d7-64dd-4e80-819d-1f58b4150505' {
> submenu 'Xen hypervisor, version xen' $menuentry_id_option
> 'xen-hypervisor-xen-0f4768d7-64dd-4e80-819d-1f58b4150505' {
> menuentry 'Ubuntu GNU/Linux, with Xen xen and Linux
> 3.13.0-24-generic' --class ubuntu --class gnu-linux --class gnu --class os
> --class xen $menuentry_id_option
> 'xen-gnulinux-3.13.0-24-generic-advanced-0f4768d7-64dd-4e80-819d-1f58b4150505'
> {

Re: [Xen-devel] how can I find hypercall page address?

2015-08-13 Thread big strong
Sorry for replying so late. Libvmi is used to extract information of the
guest, such as system calls. But I don't think it can be used to intercept
hypercalls, as a hypercall is a behavior between guest and hypervisor while
a syscall is a behavior between guest applications and guest kernel. Anyway,
trying to intercept hypercalls needs to firstly locate the address of
hypercalls. Could you provide any hints on that?

2015-08-11 17:21 GMT+08:00 Andrew Cooper andrew.coop...@citrix.com:

 On 11/08/15 03:44, big strong wrote:

 My goal is to intercept hypercalls to detect malicious calls. So I need
 firstly find where the hypercalls are.


 As I have said before, a guest may have an arbitrary number of hypercall
 pages.  Furthermore, the hypercall page is merely a convenience; nothing
 prevents a guest manually issuing hypercalls.

 My plan is to locate hypercall page first, then walk through the hypercall
 page to get address of hypercalls. If there are any other solutions, please
 let me know. Thanks very much.


 It sounds like you want VM introspection, but it doesn't work like this.
 Try http://libvmi.com/ as a starting point.

 ~Andrew


 2015-08-10 23:04 GMT+08:00 Dario Faggioli dario.faggi...@citrix.com:

 On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
  I think I've stated clearly what I want to do.
 
 Well...
 
  |I want to locate the hypercall page address when creating a new domU,
  so as to locate hypercalls.
 
 Ok. What for?

 Dario

 --
 This happens because I choose it to happen! (Raistlin Majere)
 -
 Dario Faggioli, Ph.D, http://about.me/dario.faggioli
 Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)




___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
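
Andrew Cooper's two caveats quoted in the message above (a guest may have any number of hypercall pages, and may issue hypercalls without one), shown as an added example that is not part of the original thread. It assumes the stub layout Xen writes into an Intel HVM hypercall page (32-byte slots of `mov $nr,%eax; vmcall; ret`, with `ud2` in the iret slot); the memory image and all names are constructed for illustration.

```python
import struct

PAGE_SIZE = 4096
STUB_SIZE = 32             # assumed layout: one 32-byte slot per hypercall number
VMCALL = b"\x0f\x01\xc1"   # Intel VMX encoding; AMD SVM guests use vmmcall (0f 01 d9)
IRET_NR = 23               # assumed: this slot holds ud2 (0f 0b) instead of a stub


def expected_slot(nr):
    """Leading bytes of slot nr: 'mov $nr,%eax; vmcall; ret', or ud2 for iret."""
    if nr == IRET_NR:
        return b"\x0f\x0b"
    return b"\xb8" + struct.pack("<I", nr) + VMCALL + b"\xc3"


def build_hypercall_page():
    """Constructed sample page in the assumed layout (test data, not a real dump)."""
    page = bytearray(b"\xcc" * PAGE_SIZE)
    for nr in range(PAGE_SIZE // STUB_SIZE):
        stub = expected_slot(nr)
        page[nr * STUB_SIZE:nr * STUB_SIZE + len(stub)] = stub
    return bytes(page)


def is_hypercall_page(page):
    """True if every 32-byte slot starts with the stub expected for its index."""
    return len(page) == PAGE_SIZE and all(
        page.startswith(expected_slot(nr), nr * STUB_SIZE)
        for nr in range(PAGE_SIZE // STUB_SIZE))


def scan(memory):
    """Return (offsets of hypercall pages, offsets of vmcall bytes outside them)."""
    pages = [off for off in range(0, len(memory), PAGE_SIZE)
             if is_hypercall_page(memory[off:off + PAGE_SIZE])]
    inline, pos = [], memory.find(VMCALL)
    while pos != -1:
        # Heuristic byte match: real tooling would disassemble, not pattern-match.
        if not any(p <= pos < p + PAGE_SIZE for p in pages):
            inline.append(pos)
        pos = memory.find(VMCALL, pos + 1)
    return pages, inline


# Constructed guest memory: two hypercall pages and one hand-written hypercall.
MANUAL = b"\xb8\x11\x00\x00\x00" + VMCALL + b"\xc3"    # mov $17,%eax; vmcall; ret
CODE_PAGE = (b"\x90" * 0x100 + MANUAL).ljust(PAGE_SIZE, b"\x90")
MEMORY = b"\x00" * PAGE_SIZE + build_hypercall_page() + CODE_PAGE + build_hypercall_page()

if __name__ == "__main__":
    print(scan(MEMORY))
```

The scan finds two hypercall pages and still misses nothing only because it also looks for the instruction itself; a monitor that watches a single known page would not see the hand-written call.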


Re: [Xen-devel] how can I find hypercall page address?

2015-08-10 Thread big strong
My goal is to intercept hypercalls to detect malicious calls. So I first need
to find where the hypercalls are. My plan is to locate the hypercall page
first, then walk through the hypercall page to get the address of hypercalls.
If there are any other solutions, please let me know. Thanks very much.

2015-08-10 23:04 GMT+08:00 Dario Faggioli dario.faggi...@citrix.com:

 On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
  I think I've stated clearly what I want to do.
 
 Well...
 
  |I want to locate the hypercall page address when creating a new domU,
  so as to locate hypercalls.
 
 Ok. What for?

 Dario

 --
 This happens because I choose it to happen! (Raistlin Majere)
 -
 Dario Faggioli, Ph.D, http://about.me/dario.faggioli
 Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)



Re: [Xen-devel] how can I find hypercall page address?

2015-08-07 Thread big strong
I think I've stated clearly what I want to do.

|I want to locate the hypercall page address when creating a new domU, so
as to locate hypercalls. Is it possible?

2015-08-07 21:06 GMT+08:00 Andrew Cooper andrew.coop...@citrix.com:

 On 07/08/15 02:52, big strong wrote:

 Or how can I get the address of hypercall page belonging to a running domU?


 Please do not top post.

 A domain may create an arbitrary quantity of hypercall pages, at any
 address of their choosing.

 You have not explained why you want this information.

 ~Andrew


 2015-08-07 9:45 GMT+08:00 big strong fangtu...@gmail.com:

 I want to locate the hypercall page address when creating a new domU, so
 as to locate hypercalls. Is it possible?

 2015-08-06 17:49 GMT+08:00 Andrew Cooper andrew.coop...@citrix.com:

 On 06/08/15 10:46, big strong wrote:

 The old version of Xen contains information about hypercall page like:

 xl dmesg
 ..
 (XEN) HVM10: Allocated Xen hypercall page at 169ff000
 ...

 But the new edition seems to miss this information.


 Correct.  The information is not interesting or useful.

 How can I get the similar information then?


 What are you trying to do?

 ~Andrew







Re: [Xen-devel] how can I find hypercall page address?

2015-08-06 Thread big strong
Or how can I get the address of hypercall page belonging to a running domU?

2015-08-07 9:45 GMT+08:00 big strong fangtu...@gmail.com:

 I want to locate the hypercall page address when creating a new domU, so
 as to locate hypercalls. Is it possible?

 2015-08-06 17:49 GMT+08:00 Andrew Cooper andrew.coop...@citrix.com:

 On 06/08/15 10:46, big strong wrote:

 The old version of Xen contains information about hypercall page like:

 xl dmesg
 ..
 (XEN) HVM10: Allocated Xen hypercall page at 169ff000
 ...

 But the new edition seems to miss this information.


 Correct.  The information is not interesting or useful.

 How can I get the similar information then?


 What are you trying to do?

 ~Andrew





[Xen-devel] how to locate the hypercall address in memory?

2015-07-14 Thread big strong
As syscalls can be located with the help of symbol files, is it possible to
do it to hypercalls too?


Re: [Xen-devel] how to locate the hypercall address in memory?

2015-07-14 Thread big strong
Could you explain that in detail? As with syscall tracing, we usually locate
the kernel module first, then find the address of the specific syscall function
in that module with the help of symbol files. How could this be applied to
hypercalls then?

2015-07-14 19:56 GMT+08:00 Jan Beulich jbeul...@suse.com:

  On 14.07.15 at 09:10, fangtu...@gmail.com wrote:
  As syscalls can be located with the help of symbol files, is it possible
 to
  do it to hypercalls too?

 Sure.

 Jan




Re: [Xen-devel] how to locate the hypercall address in memory?

2015-07-14 Thread big strong
All right, what is the base address of the hypercall table? And which file
contains the offset of each hypercall?

2015-07-14 20:36 GMT+08:00 Jan Beulich jbeul...@suse.com:

  On 14.07.15 at 13:59, fangtu...@gmail.com wrote:
  could you explain that in detail? As syscall tracing, we usually locate
 the
  kernel module first, then find the address of specific syscall function
 in
  that module with the help of symbol files. How could this be applied to
  hypercalls then?

 You'd do whatever you do with the kernel binary with the hypervisor
 one instead (plus you don't even need to care about modules there).

 Jan




Re: [Xen-devel] how to locate the hypercall address in memory?

2015-07-14 Thread big strong
I've read the hypercall-related code, such as entry.S, hypervisor.h, etc.
But the problem is that hypercall functions are implemented in different
files, while Linux packages syscalls into glibc and Windows into ntoskrnl.
There is a hypercall table defined in entry.S. But I haven't found any
offset-related information. Besides, I've learned that the hypercall page is
mapped to a fixed address when the guest is initialized, but which address is
it, and is this address the base address of the hypercall table?

2015-07-14 21:38 GMT+08:00 Jan Beulich jbeul...@suse.com:

  On 14.07.15 at 15:31, fangtu...@gmail.com wrote:
  All right, what is the base address of hypercalls table? And which file
  contains the offset of each hypercall?

 Did you at least _try_ to find the answer yourself, e.g. by
 grep-ing the hypervisor source for some obvious strings?

 Jan

  2015-07-14 20:36 GMT+08:00 Jan Beulich jbeul...@suse.com:
 
   On 14.07.15 at 13:59, fangtu...@gmail.com wrote:
   could you explain that in detail? As syscall tracing, we usually
 locate
  the
   kernel module first, then find the address of specific syscall
 function
  in
   that module with the help of symbol files. How could this be applied
 to
   hypercalls then?
 
  You'd do whatever you do with the kernel binary with the hypervisor
  one instead (plus you don't even need to care about modules there).
 
  Jan
 
 






Re: [Xen-devel] how to locate the hypercall address in memory?

2015-07-14 Thread big strong
http://wiki.xen.org/wiki/Asking_Xen_Devel_Questions The page cannot be opened.

2015-07-14 22:02 GMT+08:00 Ian Campbell ian.campb...@citrix.com:

 On Tue, 2015-07-14 at 14:38 +0100, Jan Beulich wrote:
   On 14.07.15 at 15:31, fangtu...@gmail.com wrote:
   All right, what is the base address of hypercalls table? And which file
   contains the offset of each hypercall?
 
  Did you at least _try_ to find the answer yourself, e.g. by
  grep-ing the hypervisor source for some obvious strings?

 big strong,

 I would recommend that you read
 http://wiki.xen.org/wiki/Asking_Xen_Devel_Questions

 Ian.


