[xen-4.13-testing test] 175453: tolerable FAIL - PUSHED
flight 175453 xen-4.13-testing real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175453/

Failures :-/ but no regressions.

Tests which are failing intermittently (not blocking):
 test-amd64-amd64-xl-qemuu-debianhvm-i386-xsm 12 debian-hvm-install fail in 175440 pass in 175453
 test-amd64-i386-pair                 11 xen-install/dst_host       fail pass in 175440
 test-armhf-armhf-xl-rtds             18 guest-start/debian.repeat  fail pass in 175440

Tests which did not succeed, but are not blocking:
 test-amd64-amd64-xl-qemuu-win7-amd64 19 guest-stop                 fail like 174675
 test-amd64-i386-xl-qemuu-win7-amd64  19 guest-stop                 fail like 174675
 test-amd64-i386-xl-qemut-win7-amd64  19 guest-stop                 fail like 174675
 test-armhf-armhf-libvirt             16 saverestore-support-check  fail like 174675
 test-amd64-i386-xl-qemut-ws16-amd64  19 guest-stop                 fail like 174675
 test-amd64-amd64-xl-qemut-win7-amd64 19 guest-stop                 fail like 174675
 test-armhf-armhf-libvirt-qcow2       15 saverestore-support-check  fail like 174675
 test-armhf-armhf-libvirt-raw         15 saverestore-support-check  fail like 174675
 test-amd64-amd64-qemuu-nested-amd    20 debian-hvm-install/l1/l2   fail like 174675
 test-amd64-i386-xl-qemuu-ws16-amd64  19 guest-stop                 fail like 174675
 test-amd64-amd64-xl-qemuu-ws16-amd64 19 guest-stop                 fail like 174675
 test-amd64-amd64-xl-qemut-ws16-amd64 19 guest-stop                 fail like 174675
 test-amd64-i386-xl-pvshim            14 guest-start                fail never pass
 test-amd64-amd64-libvirt             15 migrate-support-check      fail never pass
 test-amd64-i386-libvirt-xsm          15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle          15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle          16 saverestore-support-check  fail never pass
 test-amd64-i386-libvirt              15 migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-xsm         15 migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit2          15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx         15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit2          16 saverestore-support-check  fail never pass
 test-arm64-arm64-xl-xsm              15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx         16 saverestore-support-check  fail never pass
 test-arm64-arm64-xl-xsm              16 saverestore-support-check  fail never pass
 test-arm64-arm64-xl                  15 migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm         15 migrate-support-check      fail never pass
 test-arm64-arm64-xl                  16 saverestore-support-check  fail never pass
 test-arm64-arm64-libvirt-xsm         16 saverestore-support-check  fail never pass
 test-arm64-arm64-xl-credit1          15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit1          16 saverestore-support-check  fail never pass
 test-amd64-i386-libvirt-raw          14 migrate-support-check      fail never pass
 test-armhf-armhf-xl-multivcpu        15 migrate-support-check      fail never pass
 test-armhf-armhf-xl-multivcpu        16 saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt-vhd         14 migrate-support-check      fail never pass
 test-armhf-armhf-xl                  15 migrate-support-check      fail never pass
 test-armhf-armhf-xl                  16 saverestore-support-check  fail never pass
 test-armhf-armhf-xl-rtds             15 migrate-support-check      fail never pass
 test-armhf-armhf-xl-rtds             16 saverestore-support-check  fail never pass
 test-armhf-armhf-xl-cubietruck       15 migrate-support-check      fail never pass
 test-armhf-armhf-xl-cubietruck       16 saverestore-support-check  fail never pass
 test-arm64-arm64-libvirt-raw         14 migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw         15 saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit1          15 migrate-support-check      fail never pass
 test-armhf-armhf-xl-credit1          16 saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit2          15 migrate-support-check      fail never pass
 test-armhf-armhf-xl-credit2          16 saverestore-support-check  fail never pass
 test-armhf-armhf-libvirt             15 migrate-support-check      fail never pass
 test-arm64-arm64-xl-vhd              14 migrate-support-check      fail never pass
 test-arm64-arm64-xl-vhd              15 saverestore-support-check  fail never pass
 test-armhf-armhf-libvirt-qcow2       14 migrate-support-check      fail never pass
 test-armhf-armhf-libvirt-raw         14 migrate-support-check      fail never pass
 test-armhf-armhf-xl-vhd              14 migrate-support-check      fail never pass
 test-armhf-armhf-xl-vhd              15 saverestore-support-check  fail
[linux-linus test] 175451: regressions - FAIL
flight 175451 linux-linus real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175451/

Regressions :-(

Tests which did not succeed and are blocking,
including tests which could not be run:
 test-amd64-amd64-xl-qemuu-ws16-amd64  8 xen-boot                   fail REGR. vs. 173462
 test-amd64-coresched-amd64-xl         8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemut-win7-amd64  8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-dom0pvh-xl-amd      14 guest-start                fail REGR. vs. 173462
 test-amd64-amd64-xl-vhd               8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-qemuu-nested-amd     8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-qemuu-nested-intel   8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-pvhv2-amd         8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemut-ws16-amd64  8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemut-debianhvm-amd64 8 xen-boot               fail REGR. vs. 173462
 test-amd64-amd64-freebsd12-amd64      8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-freebsd11-amd64      8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm 8 xen-boot      fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-debianhvm-i386-xsm 8 xen-boot            fail REGR. vs. 173462
 test-amd64-amd64-xl-credit2           8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-pair                12 xen-boot/src_host           fail REGR. vs. 173462
 test-amd64-amd64-xl-pvhv2-intel       8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemut-stubdom-debianhvm-amd64-xsm 8 xen-boot   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-dmrestrict-amd64-dmrestrict 8 xen-boot   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-win7-amd64  8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-pair                13 xen-boot/dst_host           fail REGR. vs. 173462
 test-amd64-amd64-xl-shadow            8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt-raw          8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt-qcow2        8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt-pair        12 xen-boot/src_host           fail REGR. vs. 173462
 test-amd64-amd64-libvirt-pair        13 xen-boot/dst_host           fail REGR. vs. 173462
 test-arm64-arm64-xl                   8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt              8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-libvirt-raw          8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-xl-credit1           8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-multivcpu         8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-pvshim            8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-examine              8 reboot                     fail REGR. vs. 173462
 test-amd64-amd64-dom0pvh-xl-intel    14 guest-start                fail REGR. vs. 173462
 test-arm64-arm64-xl-credit2           8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-xsm               8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-libvirt-xsm          8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-ovmf-amd64  8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-debianhvm-amd64 8 xen-boot               fail REGR. vs. 173462
 test-armhf-armhf-xl-credit2           8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemut-debianhvm-i386-xsm 8 xen-boot            fail REGR. vs. 173462
 test-armhf-armhf-xl                   8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-examine              8 reboot                     fail REGR. vs. 173462
 test-amd64-amd64-xl                   8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-credit1           8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-libvirt              8 xen-boot                   fail REGR. vs. 173462
 test-amd64-amd64-xl-qemuu-debianhvm-amd64-shadow 8 xen-boot        fail REGR. vs. 173462
 test-amd64-amd64-examine-uefi         8 reboot                     fail REGR. vs. 173462
 test-amd64-amd64-examine-bios         8 reboot                     fail REGR. vs. 173462
 test-amd64-amd64-examine              8 reboot                     fail REGR. vs. 173462
 test-amd64-amd64-pygrub               8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-xl-vhd               8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-xl-xsm               8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-xl-seattle           8 xen-boot                   fail REGR. vs. 173462
 test-arm64-arm64-libvirt-xsm          8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-libvirt-qcow2        8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-xl-multivcpu         8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-xl-credit1           8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-libvirt-raw          8 xen-boot                   fail REGR. vs. 173462
 test-armhf-armhf-xl-arndale           8 xen-boot
Re: Porting Xen in raspberry pi4B
Hi Vipul,

Great that you managed to set up a debugging environment. The logs look
very promising: it looks like xenfb.c is handling events as expected, so
it would appear that the xen-fbfront.c -> xenfb.c connection is working.

The next step is to check that the xenfb.c -> ./ui/vnc.c connection is
working too. It could be that the pixels and mouse events arrive just
fine in xenfb.c, but then there is an issue with exporting them to the
VNC server implementation inside QEMU, which is ./ui/vnc.c.

The interesting functions there are qemu_create_displaysurface,
qemu_create_displaysurface_from, dpy_gfx_replace_surface, dpy_gfx_update,
and dpy_gfx_check_format. Specifically, dpy_gfx_update should cause VNC
to render the new area. qemu_create_displaysurface_from lets VNC use the
xenfb buffer directly, rather than using a secondary buffer and memory
copies. Interestingly, dpy_gfx_check_format should be used to check
whether it is appropriate to share the buffer
(qemu_create_displaysurface_from) or not (qemu_create_displaysurface),
but we don't call it.

I think it would be good to add a call to dpy_gfx_check_format in
xenfb_update where we call qemu_create_displaysurface_from, and also add
a printf there. You can try to disable the buffer sharing by replacing
qemu_create_displaysurface_from with qemu_create_displaysurface. You can
also try to use another QEMU UI, such as SDL, to see if the problem is
specific to VNC only.

Cheers,

Stefano

On Mon, 19 Dec 2022, Vipul Suneja wrote:
> Hi Stefano,
>
> Thanks!
>
> I could prepare a patch for adding debug printf logs in xenfb.c &
> re-compile QEMU in the yocto image. Just for reference, I have included
> logs in all the functions.
>
> Attaching the qemu log file; I could see the entry & exit logs coming
> up for "xenfb_handle_events" & "xenfb_map_fb" also after the host
> machine boots up. Can you please further assist: which parameters have
> to be cross-checked, or any other input as per the logs?
>
> Thanks & Regards,
> Vipul Kumar
>
> On Thu, Dec 15, 2022 at 4:17 AM Stefano Stabellini wrote:
> Hi Vipul,
>
> For QEMU you actually need to follow the Yocto build process to update
> the QEMU binary. That is because QEMU is a userspace application with
> lots of library dependencies, so we cannot just do "make" with a
> cross-compiler like in the case of Xen.
>
> So you need to make changes to QEMU and then add those changes as a
> patch to the Yocto QEMU build recipe, or configure Yocto to use your
> local tree to build QEMU. I am not a Yocto expert and the Yocto
> community would be a better place to ask for advice there. You can see
> from here some instructions on how to build Xen using a local tree, see
> the usage of EXTERNALSRC (note that this is *not* what you need: you
> need to build QEMU with a local tree, not Xen. But I thought that the
> wiki page might still be a starting point):
>
> https://wiki.xenproject.org/wiki/Xen_on_ARM_and_Yocto
>
> Cheers,
>
> Stefano
>
> On Thu, 15 Dec 2022, Vipul Suneja wrote:
> > Hi Stefano,
> >
> > Thanks!
> >
> > I could see QEMU 6.2.0 compiled & installed in the host image
> > xen-image-minimal. I could find the xenfb.c source file also &
> > modified the same with debug logs.
> >
> > I have set up a cross-compile environment and did 'make clean' &
> > 'make all' to recompile, but it's failing. In case I am doing
> > something wrong, can you please assist me with the correct steps to
> > compile qemu? Below are the error logs:
> >
> > agl@agl-OptiPlex-7010:~/Automotive/ADAS_Infotainment/Platform/Poky_Kirkstone/build/tmp/work/cortexa72-poky-linux/qemu/6.2.0-r0/build$ make all
> > [1/3864] Compiling C object libslirp.a.p/slirp_src_arp_table.c.o
> > [2/3864] Compiling C object subprojects/libvhost-user/libvhost-user.a.p/libvhost-user.c.o
> > [3/3864] Linking static target subprojects/libvhost-user/libvhost-user.a
> > [4/3864] Compiling C object libslirp.a.p/slirp_src_vmstate.c.o
> > [5/3864] Compiling C object libslirp.a.p/slirp_src_dhcpv6.c.o
> > [6/3864] Compiling C object libslirp.a.p/slirp_src_dnssearch.c.o
> > [7/3864] Compiling C object libslirp.a.p/slirp_src_bootp.c.o
> > [8/3864] Compiling C object libslirp.a.p/slirp_src_cksum.c.o
> > [9/3864] Compiling C object libslirp.a.p/slirp_src_if.c.o
> > [10/3864] Compiling C object libslirp.a.p/slirp_src_ip6_icmp.c.o
> > [11/3864] Compiling C object libslirp.a.p/slirp_src_ip6_input.c.o
> > [12/3864] Compiling C object libslirp.a.p/slirp_src_ip6_output.c.o
> > [13/3864] Compiling C object libslirp.a.p/slirp_src_ip_icmp.c.o
> > [14/3864] Compiling C object libslirp.a.p/slirp_src_ip_input.c.o
> > [15/3864] Compiling C object libslirp.a.p/slirp_src_ip_output.c.o
> > [16/3864] Compiling C object
Re: [XEN v1 2/9] xen/arm: Define translate_dt_address_size() for the translation between u64 and paddr_t
On Sat, 17 Dec 2022, Julien Grall wrote:
> On 17/12/2022 00:46, Stefano Stabellini wrote:
> > On Fri, 16 Dec 2022, Julien Grall wrote:
> > > Hi Ayan,
> > >
> > > On 15/12/2022 19:32, Ayan Kumar Halder wrote:
> > > > paddr_t may be u64 or u32 depending on the type of architecture.
> > > > Thus, while translating between u64 and paddr_t, one should check
> > > > that the truncated bits are 0. If not, then raise an appropriate
> > > > error.
> > >
> > > I am not entirely convinced this extra helper is worth it. If the
> > > user can't provide a 32-bit address in the DT, then there are also a
> > > lot of other parts that can go wrong.
> > >
> > > Bertrand, Stefano, what do you think?
> >
> > In general, it is not Xen's job to protect itself against bugs in the
> > device tree. However, if Xen spots a problem in the DT and prints a
> > helpful message, that is better than just crashing, because it gives a
> > hint to the developer about what the problem is.
>
> I agree with the principle. In practice this needs to be weighed
> against the long-term maintenance.
>
> > In this case, I think a BUG_ON would be sufficient.
>
> BUG_ON() is the same as panic(). They both should be used only when
> there is no way to recover (see CODING_STYLE).
>
> If we parse the device-tree at boot, then BUG_ON() is ok. However, if
> we need to parse it after boot (e.g. the DT overlay from Vikram), then
> we should definitely not call BUG_ON() for checking DT input.

yeah, I wasn't thinking of that series

> The correct way is like Ayan did: return an error and let the caller
> decide what to do.
>
> My concern with this approach is the extra amount of code in each
> caller to check it (even with a new helper).
>
> I am not fully convinced that checking the addresses in the DT is that
> useful.

I am also happy not to do it to be honest

> However, if you both want to do it, then I think it would be best to
> introduce wrappers over the Device-Tree ones that will check the
> truncation.
>
> For example, we could introduce dt_device_get_address_checked()
> that will call dt_device_get_address() and then check for 32-bit
> truncation.
>
> For the function device_tree_get_reg(), this helper was aimed to deal
> with just the physical address 'reg' very early. So we can modify the
> prototype and update the function to check for 32-bit truncation.
>
> Note that I am suggesting a different approach for the two helpers
> because the former is generic and it is not clear to me whether this
> could be used in another context than physical addresses.
Re: [PATCH v1] xen/pvcalls: free active map buffer on pvcalls_front_free_map
On Tue, 20 Dec 2022, Oleksii Moisieiev wrote:
> Data buffer for active map is allocated in alloc_active_ring and freed
> in free_active_ring function, which is used only for the error
> cleanup. pvcalls_front_release is calling pvcalls_front_free_map which
> ends foreign access for this buffer, but doesn't free allocated pages.
> Call free_active_ring to clean all allocated resources.
>
> Signed-off-by: Oleksii Moisieiev

Reviewed-by: Stefano Stabellini

> ---
>  drivers/xen/pvcalls-front.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
> index 1826e8e67125..9b569278788a 100644
> --- a/drivers/xen/pvcalls-front.c
> +++ b/drivers/xen/pvcalls-front.c
> @@ -225,6 +225,8 @@ static irqreturn_t pvcalls_front_event_handler(int irq, void *dev_id)
>  	return IRQ_HANDLED;
>  }
>
> +static void free_active_ring(struct sock_mapping *map);
> +
>  static void pvcalls_front_free_map(struct pvcalls_bedata *bedata,
>  				   struct sock_mapping *map)
>  {
> @@ -240,7 +242,7 @@ static void pvcalls_front_free_map(struct pvcalls_bedata *bedata,
>  	for (i = 0; i < (1 << PVCALLS_RING_ORDER); i++)
>  		gnttab_end_foreign_access(map->active.ring->ref[i], NULL);
>  	gnttab_end_foreign_access(map->active.ref, NULL);
> -	free_page((unsigned long)map->active.ring);
> +	free_active_ring(map);
>
>  	kfree(map);
>  }
> --
> 2.25.1
>
[PATCH v6 2/5] x86: Remove MEMORY_NUM_TYPES and NO_HARDCODE_MEM_TYPE
No functional change intended.

Signed-off-by: Demi Marie Obenour
---
Changes since v2:
- Keep MTRR_NUM_TYPES and adjust commit message accordingly
---
 xen/arch/x86/hvm/mtrr.c         | 18 +++++++++---------
 xen/arch/x86/include/asm/mtrr.h |  2 --
 xen/arch/x86/mm/shadow/multi.c  |  2 +-
 3 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
index 093103f6c768cf64f880d1b20e1c14f5918c1250..05e978041d62fd0d559462de181a04bef8a5bca9 100644
--- a/xen/arch/x86/hvm/mtrr.c
+++ b/xen/arch/x86/hvm/mtrr.c
@@ -38,7 +38,7 @@ static const uint8_t pat_entry_2_pte_flags[8] = {
 /* Effective mm type lookup table, according to MTRR and PAT. */
 static const uint8_t mm_type_tbl[MTRR_NUM_TYPES][X86_NUM_MT] = {
-#define RS MEMORY_NUM_TYPES
+#define RS MTRR_NUM_TYPES
 #define UC X86_MT_UC
 #define WB X86_MT_WB
 #define WC X86_MT_WC
@@ -66,9 +66,9 @@ static const uint8_t mm_type_tbl[MTRR_NUM_TYPES][X86_NUM_MT] = {
  * Reverse lookup table, to find a pat type according to MTRR and effective
  * memory type. This table is dynamically generated.
  */
-static uint8_t __read_mostly mtrr_epat_tbl[MTRR_NUM_TYPES][MEMORY_NUM_TYPES] =
-    { [0 ... MTRR_NUM_TYPES-1] =
-        { [0 ... MEMORY_NUM_TYPES-1] = INVALID_MEM_TYPE }
+static uint8_t __read_mostly mtrr_epat_tbl[MTRR_NUM_TYPES][MTRR_NUM_TYPES] =
+    { [0 ... MTRR_NUM_TYPES - 1] =
+        { [0 ... MTRR_NUM_TYPES - 1] = INVALID_MEM_TYPE }
     };
 
 /* Lookup table for PAT entry of a given PAT value in host PAT. */
@@ -85,7 +85,7 @@ static int __init cf_check hvm_mtrr_pat_init(void)
         {
             unsigned int tmp = mm_type_tbl[i][j];
 
-            if ( tmp < MEMORY_NUM_TYPES )
+            if ( tmp < MTRR_NUM_TYPES )
                 mtrr_epat_tbl[i][tmp] = j;
         }
     }
@@ -317,11 +317,11 @@ static uint8_t effective_mm_type(struct mtrr_state *m,
                                  uint8_t gmtrr_mtype)
 {
     uint8_t mtrr_mtype, pat_value;
-    
+
     /* if get_pat_flags() gives a dedicated MTRR type,
      * just use it
-     */ 
-    if ( gmtrr_mtype == NO_HARDCODE_MEM_TYPE )
+     */
+    if ( gmtrr_mtype == MTRR_NUM_TYPES )
         mtrr_mtype = mtrr_get_type(m, gpa, 0);
     else
         mtrr_mtype = gmtrr_mtype;
@@ -346,7 +346,7 @@ uint32_t get_pat_flags(struct vcpu *v,
     /* 1. Get the effective memory type of guest physical address,
      * with the pair of guest MTRR and PAT
      */
-    guest_eff_mm_type = effective_mm_type(g, pat, gpaddr, 
+    guest_eff_mm_type = effective_mm_type(g, pat, gpaddr,
                                           gl1e_flags, gmtrr_mtype);
     /* 2. Get the memory type of host physical address, with MTRR */
     shadow_mtrr_type = mtrr_get_type(&mtrr_state, spaddr, 0);
diff --git a/xen/arch/x86/include/asm/mtrr.h b/xen/arch/x86/include/asm/mtrr.h
index e4f6ca6048334b2094a1836cc2f298453641232f..4b7f840a965954cc4b59698327a37e47026893a4 100644
--- a/xen/arch/x86/include/asm/mtrr.h
+++ b/xen/arch/x86/include/asm/mtrr.h
@@ -4,8 +4,6 @@
 #include
 
 #define MTRR_NUM_TYPES X86_MT_UCM
-#define MEMORY_NUM_TYPES MTRR_NUM_TYPES
-#define NO_HARDCODE_MEM_TYPE MTRR_NUM_TYPES
 
 #define NORMAL_CACHE_MODE 0
 #define NO_FILL_CACHE_MODE 2
diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index f5f7ff021bd9e057c5b6f6329de7acb5ef05d58f..1faf9940db6b0afefc5977c00c00fb6a39cd27d2 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -578,7 +578,7 @@ _sh_propagate(struct vcpu *v,
                               gflags,
                               gfn_to_paddr(target_gfn),
                               mfn_to_maddr(target_mfn),
-                              NO_HARDCODE_MEM_TYPE);
+                              MTRR_NUM_TYPES);
         }
     }
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 4/5] x86/mm: Reject invalid cacheability in PV guests by default
Setting cacheability flags that are not ones specified by Xen is a bug
in the guest. By default, return -EINVAL if a guest attempts to do this.
The invalid-cacheability= Xen command-line flag allows the administrator
to allow such attempts or to produce a general protection fault instead.

Suggested-by: Andrew Cooper
Signed-off-by: Demi Marie Obenour
---
Changes since v5:
- Make parameters static and __ro_after_init.
- Replace boolean parameter allow_invalid_cacheability with string
  parameter invalid-cacheability.
- Move parameter definitions to near where they are used.
- Add documentation.

Changes since v4:
- Remove pointless BUILD_BUG_ON().
- Add comment explaining why an exception is being injected.

Changes since v3:
- Add Andrew Cooper's Suggested-by
---
 docs/misc/xen-command-line.pandoc | 11 ++++++++++
 xen/arch/x86/mm.c                 | 60 ++++++++++++++++++++++++++++++-
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 424b12cfb27d6ade2ec63eacb8afe5df82465451..0230a7bc17cbd4362a42ea64cea695f31f5e0f86 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1417,6 +1417,17 @@ detection of systems known to misbehave upon accesses to that port.
 ### idle_latency_factor (x86)
 > `= `
 
+### invalid-cacheability (x86)
+> `= allow | deny | trap`
+
+> Default: `deny` in release builds, otherwise `trap`
+
+Specify what happens when a PV guest tries to use one of the reserved entries in
+the PAT. `deny` causes the attempt to be rejected with -EINVAL, `allow` allows
+the attempt, and `trap` causes a general protection fault to be raised.
+Currently, the reserved entries are marked as uncacheable in Xen's PAT, but this
+will change if new memory types are added, so guests must not rely on it.
+
 ### ioapic_ack (x86)
 > `= old | new`
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 65ba0f58ed8c26ac0343528303851739981c03bd..bacfb776d688f68dcbf79d83723fff329b75fd18 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1324,6 +1324,37 @@ static int put_page_from_l4e(l4_pgentry_t l4e, mfn_t l4mfn, unsigned int flags)
     return put_pt_page(l4e_get_page(l4e), mfn_to_page(l4mfn), flags);
 }
 
+enum {
+    INVALID_CACHEABILITY_ALLOW,
+    INVALID_CACHEABILITY_DENY,
+    INVALID_CACHEABILITY_TRAP,
+};
+
+#ifdef NDEBUG
+#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_DENY
+#else
+#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_TRAP
+#endif
+
+static __ro_after_init uint8_t invalid_cacheability =
+    INVALID_CACHEABILITY_DEFAULT;
+
+static int __init cf_check set_invalid_cacheability(const char *str)
+{
+    if (strcmp("allow", str) == 0)
+        invalid_cacheability = INVALID_CACHEABILITY_ALLOW;
+    else if (strcmp("deny", str) == 0)
+        invalid_cacheability = INVALID_CACHEABILITY_DENY;
+    else if (strcmp("trap", str) == 0)
+        invalid_cacheability = INVALID_CACHEABILITY_TRAP;
+    else
+        return -EINVAL;
+
+    return 0;
+}
+custom_param("invalid-cacheability", set_invalid_cacheability);
+
 static int promote_l1_table(struct page_info *page)
 {
     struct domain *d = page_get_owner(page);
@@ -1343,7 +1374,34 @@ static int promote_l1_table(struct page_info *page)
         }
         else
         {
-            switch ( ret = get_page_from_l1e(pl1e[i], d, d) )
+            l1_pgentry_t l1e = pl1e[i];
+
+            if ( invalid_cacheability != INVALID_CACHEABILITY_ALLOW )
+            {
+                switch ( l1e.l1 & PAGE_CACHE_ATTRS )
+                {
+                case _PAGE_WB:
+                case _PAGE_UC:
+                case _PAGE_UCM:
+                case _PAGE_WC:
+                case _PAGE_WT:
+                case _PAGE_WP:
+                    break;
+                default:
+                    /*
+                     * If we get here, a PV guest tried to use one of the
+                     * reserved values in Xen's PAT. This indicates a bug
+                     * in the guest. If requested by the user, inject #GP
+                     * to cause the guest to log a stack trace.
+                     */
+                    if ( invalid_cacheability == INVALID_CACHEABILITY_TRAP )
+                        pv_inject_hw_exception(TRAP_gp_fault, 0);
+                    ret = -EINVAL;
+                    goto fail;
+                }
+            }
+
+            switch ( ret = get_page_from_l1e(l1e, d, d) )
             {
             default:
                 goto fail;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 3/5] x86/mm: make code robust to future PAT changes
It may be desirable to change Xen's PAT for various reasons. This
requires changes to several _PAGE_* macros as well. Add static
assertions to check that XEN_MSR_PAT is consistent with the _PAGE_*
macros, and that _PAGE_WB is 0 as required by Linux.

Signed-off-by: Demi Marie Obenour
---
Changes since v5:
- Remove unhelpful comment.
- Move a BUILD_BUG_ON.
- Use fewer hardcoded constants in PTE_FLAGS_TO_CACHEATTR.
- Fix coding style.

Changes since v4:
- Add lots of comments explaining what the various BUILD_BUG_ON()s mean.

Changes since v3:
- Refactor some macros
- Avoid including a string literal in BUILD_BUG_ON
---
 xen/arch/x86/mm.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 3558ca215b02a517d55d75329d645ae5905424e4..65ba0f58ed8c26ac0343528303851739981c03bd 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void)
     return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1;
 }
 
+/*
+ * A bunch of static assertions to check that the XEN_MSR_PAT is valid
+ * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero.
+ */
 static void __init __maybe_unused build_assertions(void)
 {
     /*
@@ -6361,6 +6366,71 @@ static void __init __maybe_unused build_assertions(void)
      * using different PATs will not work.
      */
     BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL);
+
+    /*
+     * _PAGE_WB must be zero for several reasons, not least because Linux
+     * PV guests assume it.
+     */
+    BUILD_BUG_ON(_PAGE_WB);
+
+#define PAT_ENTRY(v)                                      \
+    (BUILD_BUG_ON_ZERO(((v) < 0) || ((v) > 7)) +          \
+     (0xFF & (XEN_MSR_PAT >> (8 * (v)))))
+
+/* Validate at compile-time that v is a valid value for a PAT entry */
+#define CHECK_PAT_ENTRY_VALUE(v)                          \
+    BUILD_BUG_ON((v) < 0 || (v) > 7 ||                    \
+                 (v) == X86_MT_RSVD_2 || (v) == X86_MT_RSVD_3)
+
+/* Validate at compile-time that PAT entry v is valid */
+#define CHECK_PAT_ENTRY(v) CHECK_PAT_ENTRY_VALUE(PAT_ENTRY(v))
+
+    /*
+     * If one of these trips, the corresponding entry in XEN_MSR_PAT is
+     * invalid. This would cause Xen to crash (with #GP) at startup.
+     */
+    CHECK_PAT_ENTRY(0);
+    CHECK_PAT_ENTRY(1);
+    CHECK_PAT_ENTRY(2);
+    CHECK_PAT_ENTRY(3);
+    CHECK_PAT_ENTRY(4);
+    CHECK_PAT_ENTRY(5);
+    CHECK_PAT_ENTRY(6);
+    CHECK_PAT_ENTRY(7);
+
+#undef CHECK_PAT_ENTRY
+#undef CHECK_PAT_ENTRY_VALUE
+
+/* Macro version of pte_flags_to_cacheattr(), for use in BUILD_BUG_ON()s */
+#define PTE_FLAGS_TO_CACHEATTR(pte_value)                 \
+    ((((pte_value) & _PAGE_PAT) >> 5) |                   \
+     (((pte_value) & (_PAGE_PCD | _PAGE_PWT)) >> 3))
+
+/* Check that a PAT-related _PAGE_* macro is correct */
+#define CHECK_PAGE_VALUE(page_value) do {                                   \
+    /* Check that the _PAGE_* macros only use bits from PAGE_CACHE_ATTRS */ \
+    BUILD_BUG_ON(((_PAGE_ ## page_value) & PAGE_CACHE_ATTRS) !=             \
+                 (_PAGE_ ## page_value));                                   \
+    /* Check that the _PAGE_* are consistent with XEN_MSR_PAT */            \
+    BUILD_BUG_ON(PAT_ENTRY(PTE_FLAGS_TO_CACHEATTR(_PAGE_ ## page_value)) != \
+                 (X86_MT_ ## page_value));                                  \
+} while ( false )
+
+    /*
+     * If one of these trips, the corresponding _PAGE_* macro is
+     * inconsistent with XEN_MSR_PAT. This would cause Xen to use
+     * incorrect cacheability flags, with results that are unknown and
+     * possibly harmful.
+     */
+    CHECK_PAGE_VALUE(WT);
+    CHECK_PAGE_VALUE(WB);
+    CHECK_PAGE_VALUE(WC);
+    CHECK_PAGE_VALUE(UC);
+    CHECK_PAGE_VALUE(UCM);
+    CHECK_PAGE_VALUE(WP);
+
+#undef CHECK_PAGE_VALUE
+#undef PTE_FLAGS_TO_CACHEATTR
+#undef PAT_ENTRY
 }
 
 /*
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 5/5] x86: Use Linux's PAT
This is purely for testing, to see if it works around a bug in i915. It
is not intended to be merged.

NOT-signed-off-by: DO NOT MERGE
---
 xen/arch/x86/include/asm/page.h      |  4 ++--
 xen/arch/x86/include/asm/processor.h | 10 +++++-----
 xen/arch/x86/mm.c                    |  8 --------
 3 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/xen/arch/x86/include/asm/page.h b/xen/arch/x86/include/asm/page.h
index b585235d064a567082582c8e92a4e8283fd949ca..ab9b46f1d0901e50a83fd035ff28d1bda0b781a2 100644
--- a/xen/arch/x86/include/asm/page.h
+++ b/xen/arch/x86/include/asm/page.h
@@ -333,11 +333,11 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
 
 /* Memory types, encoded under Xen's choice of MSR_PAT. */
 #define _PAGE_WB         (0)
-#define _PAGE_WT         (_PAGE_PWT)
+#define _PAGE_WC         (_PAGE_PWT)
 #define _PAGE_UCM        (_PAGE_PCD)
 #define _PAGE_UC         (_PAGE_PCD | _PAGE_PWT)
-#define _PAGE_WC         (_PAGE_PAT)
 #define _PAGE_WP         (_PAGE_PAT | _PAGE_PWT)
+#define _PAGE_WT         (_PAGE_PAT | _PAGE_PCD | _PAGE_PWT)
 
 /*
  * Debug option: Ensure that granted mappings are not implicitly unmapped.
diff --git a/xen/arch/x86/include/asm/processor.h b/xen/arch/x86/include/asm/processor.h
index 60b902060914584957db8afa5c7c1e6abdad4d13..3993d5638626f0948bb7ac8192d2eda187eb1bdb 100644
--- a/xen/arch/x86/include/asm/processor.h
+++ b/xen/arch/x86/include/asm/processor.h
@@ -94,16 +94,16 @@
 
 /*
  * Host IA32_CR_PAT value to cover all memory types. This is not the default
- * MSR_PAT value, and is an ABI with PV guests.
+ * MSR_PAT value, and is needed by the Linux i915 driver.
  */
 #define XEN_MSR_PAT ((_AC(X86_MT_WB,  ULL) << 0x00) | \
-                     (_AC(X86_MT_WT,  ULL) << 0x08) | \
+                     (_AC(X86_MT_WC,  ULL) << 0x08) | \
                      (_AC(X86_MT_UCM, ULL) << 0x10) | \
                      (_AC(X86_MT_UC,  ULL) << 0x18) | \
-                     (_AC(X86_MT_WC,  ULL) << 0x20) | \
+                     (_AC(X86_MT_WB,  ULL) << 0x20) | \
                      (_AC(X86_MT_WP,  ULL) << 0x28) | \
-                     (_AC(X86_MT_UC,  ULL) << 0x30) | \
-                     (_AC(X86_MT_UC,  ULL) << 0x38))
+                     (_AC(X86_MT_UCM, ULL) << 0x30) | \
+                     (_AC(X86_MT_WT,  ULL) << 0x38))
 
 #ifndef __ASSEMBLY__
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index bacfb776d688f68dcbf79d83723fff329b75fd18..ea8c69e66c48419031add2e02da0a8eb6af8e49a 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -6417,14 +6417,6 @@ unsigned long get_upper_mfn_bound(void)
  */
 static void __init __maybe_unused build_assertions(void)
 {
-    /*
-     * If this trips, any guests that blindly rely on the public API in xen.h
-     * (instead of reading the PAT from Xen, as Linux 3.19+ does) will be
-     * broken. Furthermore, live migration of PV guests between Xen versions
-     * using different PATs will not work.
-     */
-    BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL);
-
     /*
      * _PAGE_WB must be zero for several reasons, not least because Linux
      * PV guests assume it.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 1/5] x86/mm: Avoid hard-coding PAT in get_page_from_l1e()
get_page_from_l1e() relied on Xen's choice of PAT, which is brittle in
the face of future PAT changes. Instead, compute the actual cacheability
used by the CPU and switch on that, as this will work no matter what PAT
Xen uses.

No functional change intended. This code is itself questionable and may
be removed in the future, but removing it would be an observable
behavior change and so is out of scope for this patch series.

Signed-off-by: Demi Marie Obenour
Reviewed-by: Jan Beulich
---
Changes since v5:
- Make comment in get_page_from_l1e() future-proof.
- Explicitly state how known-uncacheable and potentially-cacheable types
  are handled.

Changes since v4:
- Do not add new pte_flags_to_cacheability() helper, as this code may be
  removed in the near future and so adding a new helper for it is a bad
  idea.
- Do not BUG() in the event of an unexpected cacheability. This cannot
  happen, but it is simpler to force such types to UC than to prove that
  the BUG() is not reachable.

Changes since v3:
- Compute and use the actual cacheability as seen by the processor.

Changes since v2:
- Improve commit message.
---
 xen/arch/x86/mm.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 1bda1ba697b434b6c884f17e599aa9b6d3b3dd76..3558ca215b02a517d55d75329d645ae5905424e4 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -959,14 +959,16 @@ get_page_from_l1e(
             flip = _PAGE_RW;
         }
 
-        switch ( l1f & PAGE_CACHE_ATTRS )
+        switch ( 0xFF & (XEN_MSR_PAT >> (8 * pte_flags_to_cacheattr(l1f))) )
         {
-        case 0: /* WB */
-            flip |= _PAGE_PWT | _PAGE_PCD;
+        case X86_MT_UC:
+        case X86_MT_UCM:
+        case X86_MT_WC:
+            /* not cacheable, allow */
             break;
-        case _PAGE_PWT: /* WT */
-        case _PAGE_PWT | _PAGE_PAT: /* WP */
-            flip |= _PAGE_PCD | (l1f & _PAGE_PAT);
+        default:
+            /* potentially cacheable, force to UC */
+            flip |= ((l1f & PAGE_CACHE_ATTRS) ^ _PAGE_UC);
             break;
         }
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 0/5] Make PAT handling less brittle
While working on Qubes OS, Marek found out that there were some PAT
hacks in the Linux i915 driver.  I decided to make Xen use Linux's PAT
to see if it solved the graphics glitches that were observed; it did.
This required a substantial amount of preliminary work that is useful
even without using Linux's PAT.

Patches 1 through 4 are the preliminary work and I would like them to
be accepted into upstream Xen.  Patch 4 does break ABI by rejecting the
unused PAT entries, but this will only impact buggy PV guests and can
be disabled with a Xen command-line option.  Patch 5 actually switches
to Linux's PAT and is NOT intended to be merged (at least for now), as
it would at a minimum break migration of PV guests from hosts that do
not have the patch.

Only patches 4 and 5 actually change Xen's observable behavior.  Patch
1 is a prerequisite that removes the last place where Xen hard-codes
its current PAT value.  Patch 2 is strictly cleanup.  Patch 3 makes
changing the PAT much less error-prone, as problems with the PAT or
with the associated _PAGE_* constants will be detected at compile time.

Demi Marie Obenour (5):
  x86/mm: Avoid hard-coding PAT in get_page_from_l1e()
  x86: Remove MEMORY_NUM_TYPES and NO_HARDCODE_MEM_TYPE
  x86/mm: make code robust to future PAT changes
  x86/mm: Reject invalid cacheability in PV guests by default
  x86: Use Linux's PAT

 docs/misc/xen-command-line.pandoc    |  11 ++
 xen/arch/x86/hvm/mtrr.c              |  18 ++--
 xen/arch/x86/include/asm/mtrr.h      |   2 -
 xen/arch/x86/include/asm/page.h      |   4 +-
 xen/arch/x86/include/asm/processor.h |  10 +-
 xen/arch/x86/mm.c                    | 146 ---
 xen/arch/x86/mm/shadow/multi.c       |   2 +-
 7 files changed, 162 insertions(+), 31 deletions(-)
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[ovmf test] 175461: all pass - PUSHED
flight 175461 ovmf real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175461/

Perfect :-)
All tests in this flight passed as required

version targeted for testing:
 ovmf                 d8d4abdff9096a69ff59d96ac4a8dd0e19e5cbcc
baseline version:
 ovmf                 538ac013d6a673842d780c88b7b3c21730260e8e

Last test of basis   175458  2022-12-22 13:44:17 Z  0 days
Testing same since   175461  2022-12-22 18:12:21 Z  0 days  1 attempts

People who touched revisions under test:
  Guo Dong

jobs:
 build-amd64-xsm                       pass
 build-i386-xsm                        pass
 build-amd64                           pass
 build-i386                            pass
 build-amd64-libvirt                   pass
 build-i386-libvirt                    pass
 build-amd64-pvops                     pass
 build-i386-pvops                      pass
 test-amd64-amd64-xl-qemuu-ovmf-amd64  pass
 test-amd64-i386-xl-qemuu-ovmf-amd64   pass

sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
 http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports, and of osstest in general, is at
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master

Test harness code can be found at
 http://xenbits.xen.org/gitweb?p=osstest.git;a=summary

Pushing revision :

To xenbits.xen.org:/home/xen/git/osstest/ovmf.git
   538ac013d6..d8d4abdff9  d8d4abdff9096a69ff59d96ac4a8dd0e19e5cbcc -> xen-tested-master
Re: [RFC PATCH 01/18] arm: cppcheck: misra rule 20.7 deviations for alternative.h
On Thu, 22 Dec 2022, Jan Beulich wrote:
> On 22.12.2022 03:01, Stefano Stabellini wrote:
> > What do you guys think? Nice automatic 20.7 scans for all patches and
> > for staging, but with the undesirable false-positive comments, or
> > no-20.7 scans but no comments in the tree?
>
> Anything automatic which then also bugs submitters about issues should
> have as few false positives as possible. Otherwise people may quickly
> get into the habit of ignoring such reports.

You have a point. That said, it would be easy to spot false positives
in new patches once we start from a clean slate, but then if we merge
the patch we would also have to add a deviation comment for the false
positive. All in all, maybe it is best to skip checking for 20.7 for
now in gitlab-ci.
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
On Thu, 22 Dec 2022, Julien Grall wrote:
> > What other hypervisors might or might not do should not be a factor in
> > this discussion and it would be best to leave it aside.
>
> To be honest, Demi has a point. At the moment, VMF is a very niche
> use-case (see more below). So you would end up to use less than 10% of
> the normal Xen on Arm code. A lot of people will likely wonder why
> using Xen in this case?
[...]
> > From an AMD/Xilinx point of view, most of our customers using Xen in
> > productions today don't use any hypercalls in one or more of their VMs.
>
> This suggests a mix of guests are running (some using hypercalls and
> other not). It would not be possible if you were using VMF.

It is true that the current limitations are very restrictive. In
embedded, we have a few pure static partitioning deployments where no
hypercalls are required (Linux is using hypercalls today but it could
do without), so maybe VMF could be enabled, but admittedly in those
cases the main focus today is safety and fault tolerance, rather than
confidential computing.

> > Xen is great for these use-cases and it is rather common in embedded.
> > It is certainly a different configuration from what most have come to
> > expect from Xen on the server/desktop x86 side. There is no question
> > that guests without hypercalls are important for Xen on ARM.
> >
> > As a Xen community we have a long history and strong interest in making
> > Xen more secure and also, more recently, safer (in the ISO 26262
> > safety-certification sense). The VMF work is very well aligned with both
> > of these efforts and any additional burden to attackers is certainly
> > good for Xen.
>
> I agree that we have a strong focus on making Xen more secure. However,
> we also need to look at the use cases for it.
>
> As it stands, there will be no:
>  - IOREQ use (don't think about emulating TPM)
>  - GICv3 ITS
>  - stage-1 SMMUv3
>  - decoding of instructions when there is no syndrome
>  - hypercalls (including event channels)
>  - dom0
>
> That's a lot of Xen features that can't be used. Effectively you will
> make Xen more "secure" for a very few users.

Among these, the main problems affecting AMD/Xilinx users today would be:
- decoding of instructions
- hypercalls, especially event channels

Decoding of instructions would affect all our deployments. For
hypercalls, even in static partitioning deployments, sometimes event
channels are used for VM-to-VM notifications.

> > Now the question is what changes are necessary and how to make them to
> > the codebase. And if it turns out that some of the changes are not
> > applicable or too complex to accept, the decision will be made purely
> > from a code maintenance point of view and will have nothing to do with
> > VMs making no hypercalls being unimportant (i.e. if we don't accept one
> > or more patches is not going to have anything to do with the use-case
> > being unimportant or what other hypervisors might or might not do).
>
> I disagree, I think this is also about use cases. On the paper VMF look
> very great, but so far it still has a big flaw (the TTBR can be changed)
> and it would restrict a lot what you can do.

We would need to be very clear in the commit messages and documentation
that with the current version of VMF we do *not* achieve confidential
computing and we do *not* offer protections comparable to AMD SEV. It
is still possible for Xen to access guest data, it is just a bit
harder.

From an implementation perspective, if we can find a way to implement
it that would be easy to maintain, then it might still be worth it. It
would probably take only a small amount of changes on top of the
"Remove the directmap" series to make it so "map_domain_page" doesn't
work anymore after boot. That might be worth exploring if you and
Jackson agree?

One thing that would make it much more widely applicable is your idea
of hypercall bounce buffers. VMF might work with hypercalls if the
guest always uses the same buffer to pass hypercall parameters to Xen.
That one buffer could remain mapped in Xen for the lifetime of the VM
and the VM would know to use it only to pass parameters to Xen.
[libvirt test] 175450: tolerable all pass - PUSHED
flight 175450 libvirt real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175450/

Failures :-/ but no regressions.

Tests which did not succeed, but are not blocking:
 test-armhf-armhf-libvirt                            16  saverestore-support-check  fail like 175436
 test-armhf-armhf-libvirt-raw                        15  saverestore-support-check  fail like 175436
 test-armhf-armhf-libvirt-qcow2                      15  saverestore-support-check  fail like 175436
 test-amd64-i386-libvirt-xsm                         15  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt                            15  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt                             15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        16  saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm  13  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt                            15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt                            16  saverestore-support-check  fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm   13  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-vhd                        14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-qcow2                      14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-qcow2                      15  saverestore-support-check  fail never pass
 test-amd64-i386-libvirt-raw                         14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw                        14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw                        15  saverestore-support-check  fail never pass
 test-armhf-armhf-libvirt                            15  migrate-support-check      fail never pass
 test-armhf-armhf-libvirt-raw                        14  migrate-support-check      fail never pass
 test-armhf-armhf-libvirt-qcow2                      14  migrate-support-check      fail never pass

version targeted for testing:
 libvirt              d7d405664599772af6fe00d5a6f6256889617f9d
baseline version:
 libvirt              4102acc608819b15658ca3e37ceca7c89efae16b

Last test of basis   175436  2022-12-21 04:20:17 Z  1 days
Testing same since   175450  2022-12-22 04:20:19 Z  0 days  1 attempts

People who touched revisions under test:
  Marek Marczykowski-Górecki
  Michal Privoznik

jobs:
 build-amd64-xsm                                     pass
 build-arm64-xsm                                     pass
 build-i386-xsm                                      pass
 build-amd64                                         pass
 build-arm64                                         pass
 build-armhf                                         pass
 build-i386                                          pass
 build-amd64-libvirt                                 pass
 build-arm64-libvirt                                 pass
 build-armhf-libvirt                                 pass
 build-i386-libvirt                                  pass
 build-amd64-pvops                                   pass
 build-arm64-pvops                                   pass
 build-armhf-pvops                                   pass
 build-i386-pvops                                    pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm  pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm   pass
 test-amd64-amd64-libvirt-xsm                        pass
 test-arm64-arm64-libvirt-xsm                        pass
 test-amd64-i386-libvirt-xsm                         pass
 test-amd64-amd64-libvirt                            pass
 test-arm64-arm64-libvirt                            pass
 test-armhf-armhf-libvirt                            pass
 test-amd64-i386-libvirt                             pass
 test-amd64-amd64-libvirt-pair                       pass
 test-amd64-i386-libvirt-pair                        pass
 test-arm64-arm64-libvirt-qcow2                      pass
 test-armhf-armhf-libvirt-qcow2                      pass
 test-arm64-arm64-libvirt-raw                        pass
 test-armhf-armhf-libvirt-raw                        pass
 test-amd64-i386-libvirt-raw                         pass
 test-amd64-amd64-libvirt-vhd                        pass

sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
 http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports,
[xen-4.17-testing test] 175447: tolerable FAIL - PUSHED
flight 175447 xen-4.17-testing real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175447/

Failures :-/ but no regressions.

Tests which did not succeed, but are not blocking:
 test-amd64-i386-xl-qemuu-win7-amd64                 19  guest-stop                 fail like 175096
 test-amd64-i386-xl-qemut-win7-amd64                 19  guest-stop                 fail like 175096
 test-amd64-amd64-xl-qemuu-win7-amd64                19  guest-stop                 fail like 175096
 test-amd64-amd64-xl-qemut-win7-amd64                19  guest-stop                 fail like 175096
 test-armhf-armhf-libvirt                            16  saverestore-support-check  fail like 175096
 test-amd64-i386-xl-qemuu-ws16-amd64                 19  guest-stop                 fail like 175096
 test-amd64-amd64-xl-qemut-ws16-amd64                19  guest-stop                 fail like 175096
 test-armhf-armhf-libvirt-qcow2                      15  saverestore-support-check  fail like 175096
 test-amd64-i386-xl-qemut-ws16-amd64                 19  guest-stop                 fail like 175096
 test-armhf-armhf-libvirt-raw                        15  saverestore-support-check  fail like 175096
 test-amd64-amd64-xl-qemuu-ws16-amd64                19  guest-stop                 fail like 175096
 test-amd64-amd64-qemuu-nested-amd                   20  debian-hvm-install/l1/l2   fail like 175096
 test-arm64-arm64-xl                                 15  migrate-support-check      fail never pass
 test-arm64-arm64-xl                                 16  saverestore-support-check  fail never pass
 test-amd64-i386-xl-pvshim                           14  guest-start                fail never pass
 test-amd64-amd64-libvirt                            15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt                             15  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt-xsm                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle                         16  saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt-vhd                        14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-credit2                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit2                         16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-xsm                             15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-xsm                             16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-credit1                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit1                         16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-thunderx                        15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx                        16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit1                         15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-credit1                         16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-arndale                         15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-arndale                         16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit2                         15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-credit2                         16  saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm  13  migrate-support-check      fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm   13  migrate-support-check      fail never pass
 test-amd64-i386-libvirt-raw                         14  migrate-support-check      fail never pass
 test-armhf-armhf-xl-multivcpu                       15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-multivcpu                       16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl                                 15  migrate-support-check      fail never pass
 test-armhf-armhf-xl                                 16  saverestore-support-check  fail never pass
 test-arm64-arm64-libvirt-raw                        14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw                        15  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-cubietruck                      15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-cubietruck                      16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-rtds                            15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-rtds                            16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-vhd                             14  migrate-support-check      fail never pass
 test-arm64-arm64-xl-vhd                             15  saverestore-support-check  fail never pass
 test-armhf-armhf-libvirt                            15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-vhd                             14  migrate-support-check      fail never pass
 test-armhf-armhf-xl-vhd                             15  saverestore-support-check  fail never pass
 test-armhf-armhf-libvirt-qcow2                      14  migrate-support-check      fail never pass
 test-armhf-armhf-libvirt-raw                        14  migrate-support-check      fail never pass

version targeted for testing:
 xen                  c4972a4272690384b15d5706f2a833aed636895e
baseline version:
 xen
[ovmf test] 175458: all pass - PUSHED
flight 175458 ovmf real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175458/

Perfect :-)
All tests in this flight passed as required

version targeted for testing:
 ovmf                 538ac013d6a673842d780c88b7b3c21730260e8e
baseline version:
 ovmf                 ec87305f90d90096aac2a4d91e3f6556e2ecd6b9

Last test of basis   175452  2022-12-22 07:10:57 Z  0 days
Testing same since   175458  2022-12-22 13:44:17 Z  0 days  1 attempts

People who touched revisions under test:
  Min M Xu
  Min Xu

jobs:
 build-amd64-xsm                       pass
 build-i386-xsm                        pass
 build-amd64                           pass
 build-i386                            pass
 build-amd64-libvirt                   pass
 build-i386-libvirt                    pass
 build-amd64-pvops                     pass
 build-i386-pvops                      pass
 test-amd64-amd64-xl-qemuu-ovmf-amd64  pass
 test-amd64-i386-xl-qemuu-ovmf-amd64   pass

sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
 http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports, and of osstest in general, is at
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master

Test harness code can be found at
 http://xenbits.xen.org/gitweb?p=osstest.git;a=summary

Pushing revision :

To xenbits.xen.org:/home/xen/git/osstest/ovmf.git
   ec87305f90..538ac013d6  538ac013d6a673842d780c88b7b3c21730260e8e -> xen-tested-master
[xen-unstable test] 175446: FAIL
flight 175446 xen-unstable real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175446/

Failures and problems with tests :-(

Tests which did not succeed and are blocking, including tests which could not be run:
 test-amd64-i386-migrupgrade                           broken in 175434
 test-amd64-i386-xl-qemut-stubdom-debianhvm-amd64-xsm  broken in 175434
 test-amd64-i386-xl-qemut-debianhvm-i386-xsm           broken in 175434
 test-amd64-i386-xl-pvshim                             broken in 175434
 test-amd64-i386-libvirt-pair                          broken in 175434

Tests which are failing intermittently (not blocking):
 test-amd64-i386-xl-pvshim                              5  host-install(5)            broken in 175434 pass in 175446
 test-amd64-i386-libvirt-pair                           6  host-install/src_host(6)   broken in 175434 pass in 175446
 test-amd64-i386-migrupgrade                            6  host-install/src_host(6)   broken in 175434 pass in 175446
 test-amd64-i386-xl-qemut-stubdom-debianhvm-amd64-xsm   5  host-install(5)            broken in 175434 pass in 175446
 test-amd64-i386-xl-qemut-debianhvm-i386-xsm            5  host-install(5)            broken in 175434 pass in 175446
 test-amd64-amd64-examine-uefi                          5  host-install               broken in 175434 pass in 175446
 test-amd64-i386-freebsd10-i386                         7  xen-install                fail in 175434 pass in 175446
 test-amd64-amd64-examine-uefi                          4  memdisk-try-append         fail in 175434 pass in 175446
 test-amd64-i386-xl-qemuu-debianhvm-amd64               7  xen-install                fail pass in 175434
 test-amd64-amd64-qemuu-freebsd12-amd64                19  guest-localmigrate/x10     fail pass in 175434
 test-amd64-i386-xl-vhd                                21  guest-start/debian.repeat  fail pass in 175434

Tests which did not succeed, but are not blocking:
 test-amd64-amd64-xl-qemut-win7-amd64                19  guest-stop                 fail like 175399
 test-amd64-i386-xl-qemuu-win7-amd64                 19  guest-stop                 fail like 175399
 test-amd64-amd64-xl-qemuu-ws16-amd64                19  guest-stop                 fail like 175399
 test-amd64-amd64-qemuu-nested-amd                   20  debian-hvm-install/l1/l2   fail like 175399
 test-amd64-i386-xl-qemut-ws16-amd64                 19  guest-stop                 fail like 175399
 test-amd64-i386-xl-qemut-win7-amd64                 19  guest-stop                 fail like 175399
 test-armhf-armhf-libvirt                            16  saverestore-support-check  fail like 175399
 test-armhf-armhf-libvirt-qcow2                      15  saverestore-support-check  fail like 175399
 test-amd64-amd64-xl-qemut-ws16-amd64                19  guest-stop                 fail like 175399
 test-armhf-armhf-libvirt-raw                        15  saverestore-support-check  fail like 175399
 test-amd64-i386-xl-qemuu-ws16-amd64                 19  guest-stop                 fail like 175399
 test-amd64-amd64-xl-qemuu-win7-amd64                19  guest-stop                 fail like 175399
 test-amd64-i386-xl-pvshim                           14  guest-start                fail never pass
 test-amd64-amd64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt-xsm                         15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt                             15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-xsm                             15  migrate-support-check      fail never pass
 test-arm64-arm64-xl                                 15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-xsm                             16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl                                 16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-credit2                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit2                         16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-thunderx                        15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx                        16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-credit1                         15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-credit1                         16  saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt                            15  migrate-support-check      fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm   13  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm  13  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm                        16  saverestore-support-check  fail never pass
 test-amd64-i386-libvirt-raw                         14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw                        14  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-raw                        15  saverestore-support-check  fail never pass
 test-amd64-amd64-libvirt-vhd                        14  migrate-support-check      fail never pass
 test-armhf-armhf-xl-arndale                         15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-arndale                         16  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit1                         15  migrate-support-check      fail never pass
 test-armhf-armhf-xl-credit1                         16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl-vhd                             14  migrate-support-check      fail never pass
 test-arm64-arm64-xl-vhd                             15  saverestore-support-check  fail never pass
 test-armhf-armhf-xl-credit2                         15  migrate-support-check      fail
Re: [RFC PATCH] xen/common: cache colored buddy allocator for domains
Hi Jan

On Wed, Dec 7, 2022 at 12:52 PM Jan Beulich wrote:
> On 22.10.2022 18:08, Carlo Nonato wrote:
> > This commit replaces the colored allocator for domains with a simple buddy
> > allocator indexed also by colors, so that it can allocate pages based on
> > some coloring configuration.
> >
> > It applies on top of Arm cache coloring (v3) as sent to the mailing list.
> >
> > This has two benefits:
> > - order can now be greater than 0 if the color config contains a
> >   sufficient number of adjacent colors starting from an order aligned
> >   one;
>
> But still not large enough to reach the order needed for large page
> mappings, aiui?

Yeah, but that's because it's difficult, AFAIK, to have a platform with
that number of colors (e.g. level-2 mappings requires 512 adjacent
colors, so a 32 MiB cache). Using large pages should be possible only
when all colors are selected for a domain, but this implementation
isn't that smart. The maximum order is determined only by the number of
colors of the platform (e.g. 32 colors := order 5). Anyway the colored
allocator is useless if a domain can use all colors, so in that
situation I would switch to the normal buddy.

> > - same benefits of the normal buddy: constant time alloc and free
> >   (constant with respect to the number of pages, not for the number of
> >   colors);
> >
> > But also one "big" cons:
> > - given the way Xen queries the allocator, it can only serve larger pages
> >   first and only when a domain runs out of those, it can go with the smaller
> >   ones. Let's say that domain 0 has 31 colors out of 32 total (0-30 out of
> >   0-31). The order-4 pages (0-15) are allocated first and then the order-3
> >   (16-23, since 0-7 and 8-15 are all already allocated), and then order-2
> >   and so on. The result is... the domain practically uses only one half of
> >   the colors that it should.
>
> What's unclear to me is how big of a con this is, i.e. how reasonable
> it is for someone to configure a domain to use all except one of the
> colors (and not, say, half of them).

Well that was just an extreme example, but many configurations are
affected. Basically the best configuration is one that is "aligned" to
a power of 2 (e.g. 0-3, 4-7, 16-31). Everything else that "mixes"
powers of 2 (e.g. 0-5, 4-9, 16-18) will see this behavior where bigger
chunks are preferred and it practically makes the domain use less of
its cache partitions. The user could be warned about this in the docs,
but it would also require extensive testing to see if there are any
other drawbacks.

> Jan

Thanks.

- Carlo Nonato
Re: [PATCH v3 4/9] tools/xl: add support for cache coloring configuration
Hi Anthony,

On Thu, Nov 24, 2022 at 4:21 PM Anthony PERARD wrote:
> On Sat, Oct 22, 2022 at 05:51:15PM +0200, Carlo Nonato wrote:
> > diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
> > index b2901e04cf..5f53cec8bf 100644
> > --- a/docs/man/xl.cfg.5.pod.in
> > +++ b/docs/man/xl.cfg.5.pod.in
> > @@ -2880,6 +2880,16 @@ Currently, only the "sbsa_uart" model is supported for ARM.
> >
> >  =back
> >
> > +=over 4
> > +
> > +=item B
>
> Instead of COLORS_RANGE, maybe NUMBER_RANGE? Or just RANGE?

RANGE seems good.

> > +Specify the LLC color configuration for the guest. B can be either
> > +a single color value or a hyphen-separated closed interval of colors
> > +(such as "0-4").
>
> Does "yellow-blue" works? Or "red-violet", to have a rainbow? :-)
>
> So, "colors" as the name of a new configuration option isn't going to
> work. To me, that would refer to VM management, like maybe help to
> categorise VM in some kind of tools, and not a part of the
> configuration of the domain.
>
> Could you invent a name that is more specific? Maybe "cache_colors" or
> something, or "vcpu_cache_colors".

What about llc_colors? LLC stands for Last Level Cache and I'm trying
to use it everywhere else since it's what is really implemented (not
any cache is colored, just the last level) and it's shorter than
cache_colors.

> > +=back
> > +
> >  =head3 x86
> >
> >  =over 4
> > diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
> > index b9dd2deedf..94c511912c 100644
> > --- a/tools/libs/light/libxl_create.c
> > +++ b/tools/libs/light/libxl_create.c
> > @@ -615,6 +615,7 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_config *d_config,
> >      struct xs_permissions rwperm[1];
> >      struct xs_permissions noperm[1];
> >      xs_transaction_t t = 0;
> > +    DECLARE_HYPERCALL_BUFFER(unsigned int, colors);
> >
> >      /* convenience aliases */
> >      libxl_domain_create_info *info = &d_config->c_info;
> > @@ -676,6 +677,16 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_config *d_config,
> >          goto out;
> >      }
> >
> > +    if (d_config->b_info.num_colors) {
> > +        size_t bytes = sizeof(unsigned int) * d_config->b_info.num_colors;
> > +        colors = xc_hypercall_buffer_alloc(ctx->xch, colors, bytes);
>
> Hypercall stuff is normally done in another library, libxenctrl (or
> maybe others like libxenguest). Is there a reason to do that here?

I moved this in xc_domain_create().

> > +        memcpy(colors, d_config->b_info.colors, bytes);
> > +        set_xen_guest_handle(create.arch.colors, colors);
> > +        create.arch.num_colors = d_config->b_info.num_colors;
> > +        create.arch.from_guest = 1;
>
> "arch" stuff is better dealt with in libxl__arch_domain_prepare_config().
> (unless it isn't arch specific in the next revision of the series)

Yes, removing arch specific parts is the current way of implementing it.

> > +        LOG(DEBUG, "Setup %u domain colors", d_config->b_info.num_colors);
> > +    }
> > +
> >      for (;;) {
> >          uint32_t local_domid;
> >          bool recent;
> > @@ -922,6 +933,7 @@ retry_transaction:
> >      rc = 0;
> >  out:
> >      if (t) xs_transaction_end(ctx->xsh, t, 1);
> > +    if (colors) xc_hypercall_buffer_free(ctx->xch, colors);
> >      return rc;
> >  }
> >
> > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
> > index d634f304cd..642173af1a 100644
> > --- a/tools/libs/light/libxl_types.idl
> > +++ b/tools/libs/light/libxl_types.idl
> > @@ -557,6 +557,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
> >      ("ioports", Array(libxl_ioport_range, "num_ioports")),
> >      ("irqs", Array(uint32, "num_irqs")),
> >      ("iomem", Array(libxl_iomem_range, "num_iomem")),
> > +    ("colors", Array(uint32, "num_colors")),
>
> So the colors is added to arch specific config in
> xen_domctl_createdomain, maybe we should do the same here and move it
> to the "arch_arm" struct. Or if that is declared common in hypervisor,
> then it is fine to leave it here.

Yes, it will be declared in common.

> Also, "colors" needs to be renamed to something more specific.
>
> >      ("claim_mode", libxl_defbool),
> >      ("event_channels", uint32),
> >      ("kernel", string),
> > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
> > index 1b5381cef0..e6b2c7acff 100644
> > --- a/tools/xl/xl_parse.c
> > +++ b/tools/xl/xl_parse.c
> > @@ -1220,8 +1220,9 @@ void parse_config_data(const char *config_source,
> >      XLU_ConfigList *cpus, *vbds, *nics, *pcis, *cvfbs, *cpuids, *vtpms,
> >                     *usbctrls, *usbdevs, *p9devs, *vdispls, *pvcallsifs_devs;
> >      XLU_ConfigList *channels, *ioports, *irqs, *iomem, *viridian, *dtdevs,
> >                     *mca_caps;
> > -    int num_ioports, num_irqs, num_iomem,
[linux-5.4 test] 175445: FAIL
flight 175445 linux-5.4 real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175445/

Failures and problems with tests :-(

Tests which did not succeed and are blocking, including tests which could not be run:
 test-amd64-amd64-xl-qemut-debianhvm-amd64         broken in 175407
 test-amd64-amd64-xl-credit2                       broken in 175407
 test-amd64-i386-qemuu-rhel6hvm-intel              broken in 175407
 test-amd64-amd64-xl-qemuu-debianhvm-amd64-shadow  broken in 175433
 test-amd64-amd64-xl-qemuu-debianhvm-amd64         broken in 175433
 test-amd64-amd64-xl                               broken in 175433
 test-amd64-amd64-xl-qemuu-ovmf-amd64              broken in 175433
 test-amd64-i386-pair                              broken in 175433
 test-amd64-i386-xl-qemuu-ws16-amd64               broken in 175433

Tests which are failing intermittently (not blocking):
 test-amd64-i386-qemuu-rhel6hvm-intel               5  host-install(5)            broken in 175407 pass in 175445
 test-amd64-amd64-xl-credit2                        5  host-install(5)            broken in 175407 pass in 175445
 test-amd64-amd64-xl-qemut-debianhvm-amd64          5  host-install(5)            broken in 175407 pass in 175445
 test-amd64-amd64-xl                                5  host-install(5)            broken in 175433 pass in 175445
 test-amd64-amd64-xl-qemuu-debianhvm-amd64          5  host-install(5)            broken in 175433 pass in 175445
 test-amd64-amd64-xl-qemuu-ovmf-amd64               5  host-install(5)            broken in 175433 pass in 175445
 test-amd64-i386-xl-qemuu-ws16-amd64                5  host-install(5)            broken in 175433 pass in 175445
 test-amd64-amd64-xl-qemuu-debianhvm-amd64-shadow   5  host-install(5)            broken in 175433 pass in 175445
 test-amd64-i386-examine                            5  host-install               broken in 175433 pass in 175445
 test-amd64-i386-pair                               7  host-install/dst_host(7)   broken in 175433 pass in 175445
 test-armhf-armhf-xl-multivcpu                     14  guest-start                fail in 175407 pass in 175445
 test-armhf-armhf-xl-credit1                       18  guest-start/debian.repeat  fail in 175433 pass in 175407
 test-armhf-armhf-xl-rtds                          14  guest-start                fail in 175433 pass in 175445
 test-arm64-arm64-examine                           8  reboot                     fail pass in 175433
 test-armhf-armhf-xl                               18  guest-start/debian.repeat  fail pass in 175433
 test-armhf-armhf-xl-credit1                       14  guest-start                fail pass in 175433
 test-armhf-armhf-xl-vhd                           13  guest-start                fail pass in 175433

Tests which did not succeed, but are not blocking:
 test-armhf-armhf-libvirt-qcow2               15  saverestore-support-check  fail blocked in 175197
 test-amd64-i386-xl-qemuu-debianhvm-i386-xsm  12  debian-hvm-install         fail in 175407 like 175197
 test-armhf-armhf-xl-vhd                      14  migrate-support-check      fail in 175433 never pass
 test-armhf-armhf-xl-vhd                      15  saverestore-support-check  fail in 175433 never pass
 test-armhf-armhf-xl-credit1                  15  migrate-support-check      fail in 175433 never pass
 test-armhf-armhf-xl-credit1                  16  saverestore-support-check  fail in 175433 never pass
 test-amd64-amd64-xl-qemuu-win7-amd64         19  guest-stop                 fail like 175197
 test-amd64-i386-xl-qemut-win7-amd64          19  guest-stop                 fail like 175197
 test-armhf-armhf-xl-multivcpu                18  guest-start/debian.repeat  fail like 175197
 test-amd64-i386-xl-qemuu-win7-amd64          19  guest-stop                 fail like 175197
 test-amd64-amd64-xl-qemut-win7-amd64         19  guest-stop                 fail like 175197
 test-armhf-armhf-xl-credit2                  18  guest-start/debian.repeat  fail like 175197
 test-armhf-armhf-xl-rtds                     18  guest-start/debian.repeat  fail like 175197
 test-armhf-armhf-libvirt                     16  saverestore-support-check  fail like 175197
 test-amd64-amd64-qemuu-nested-amd            20  debian-hvm-install/l1/l2   fail like 175197
 test-amd64-amd64-xl-qemuu-ws16-amd64         19  guest-stop                 fail like 175197
 test-amd64-amd64-xl-qemut-ws16-amd64         19  guest-stop                 fail like 175197
 test-amd64-i386-xl-qemut-ws16-amd64          19  guest-stop                 fail like 175197
 test-armhf-armhf-libvirt-raw                 15  saverestore-support-check  fail like 175197
 test-amd64-i386-xl-qemuu-ws16-amd64          19  guest-stop                 fail like 175197
 test-amd64-i386-xl-pvshim                    14  guest-start                fail never pass
 test-amd64-i386-libvirt-xsm                  15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle                  15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-seattle                  16  saverestore-support-check  fail never pass
 test-amd64-i386-libvirt                      15  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt                     15  migrate-support-check      fail never pass
 test-amd64-amd64-libvirt-xsm                 15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx                 15  migrate-support-check      fail never pass
 test-arm64-arm64-xl-thunderx                 16  saverestore-support-check  fail never pass
 test-arm64-arm64-xl                          15  migrate-support-check      fail never pass
 test-arm64-arm64-xl                          16  saverestore-support-check  fail never pass
 test-arm64-arm64-libvirt-xsm                 15  migrate-support-check      fail never pass
 test-arm64-arm64-libvirt-xsm
Re: [PATCH 12/22] xen/arm: fixmap: Rename the fixmap slots to follow the x86 convention
On 16.12.2022 12:48, Julien Grall wrote:
> From: Julien Grall
>
> At the moment the fixmap slots are prefixed differently between arm and
> x86.
>
> Some of them (e.g. the PMAP slots) are used in common code. So it would
> be better if they are named the same way to avoid having to create
> aliases.
>
> I have decided to use the x86 naming because they are less change. So
> all the Arm fixmap slots will now be prefixed with FIX rather than
> FIXMAP.
>
> Signed-off-by: Julien Grall

Reviewed-by: Jan Beulich
Re: [PATCH 11/22] x86: add a boot option to enable and disable the direct map
On 16.12.2022 12:48, Julien Grall wrote:
> From: Hongyan Xia
>
> Also add a helper function to retrieve it. Change arch_mfns_in_direct_map
> to check this option before returning.

I think the abstract parts of this want to be generic right away. I
can't see why Arm would not suffer from the same issue that this work
is trying to address.

> This is added as a boot command line option, not a Kconfig to allow
> the user to experiment the feature without rebuild the hypervisor.

I think there wants to be a (generic) Kconfig piece here, to control
the default of the option. Plus a 2nd, prompt-less element which an
arch can select to force the setting to always-on, suppressing the
choice of default. That 2nd control would then be used to compile out
the boolean_param() for Arm for the time being.

That said, I think this change comes too early in the series, or there
is something missing. As said in reply to patch 10, while there the
mapcache is being initialized for the idle domain, I don't think it can
be used just yet. Read through mapcache_current_vcpu() to understand
why I think that way, paying particular attention to the ASSERT() near
the end.

In preparation of this patch here I think the mfn_to_virt() uses have
to all disappear from map_domain_page(). Perhaps yet more strongly all
..._to_virt() (except fix_to_virt() and friends) and __va() have to
disappear up front from x86 and any code path which can be taken on x86
(which may simply mean purging all respective x86 #define-s, without
breaking the build in any way).

Jan
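The control structure Jan suggests, a Kconfig-controlled default plus a prompt-less force-on element, can be sketched in plain C. This is only an illustration of the pattern; both CONFIG_* names and the parameter-parsing helper below are invented, and Xen's real boolean_param() machinery works differently:

```c
#include <assert.h>
#include <stdbool.h>
#include <string.h>

/*
 * Hypothetical sketch: CONFIG_HAS_DIRECTMAP_DEFAULT sets the build-time
 * default of the boot parameter; CONFIG_FORCE_DIRECTMAP (which an arch
 * would "select" in Kconfig) forces the feature on and compiles the
 * runtime control out entirely.  Both names are invented.
 */
#define CONFIG_HAS_DIRECTMAP_DEFAULT 1
/* #define CONFIG_FORCE_DIRECTMAP */

#ifdef CONFIG_FORCE_DIRECTMAP
#define opt_directmap true            /* constant-folds; no boot option */
#else
static bool opt_directmap = CONFIG_HAS_DIRECTMAP_DEFAULT;

/* Stand-in for what boolean_param("directmap", opt_directmap) provides. */
static void parse_directmap_param(const char *s)
{
    if ( !strcmp(s, "no-directmap") )
        opt_directmap = false;
    else if ( !strcmp(s, "directmap") )
        opt_directmap = true;
}
#endif

/* The helper the patch description mentions. */
static bool has_directmap(void)
{
    return opt_directmap;
}
```

With CONFIG_FORCE_DIRECTMAP defined, has_directmap() collapses to a constant and the parser disappears, which is the "compile out the boolean_param() for Arm" effect described above.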
Re: [PATCH 10/22] x86/mapcache: initialise the mapcache for the idle domain
On 16.12.2022 12:48, Julien Grall wrote:
> From: Hongyan Xia
>
> In order to use the mapcache in the idle domain, we also have to
> populate its page tables in the PERDOMAIN region, and we need to move
> mapcache_domain_init() earlier in arch_domain_create().
>
> Note, commit 'x86: lift mapcache variable to the arch level' has
> initialised the mapcache for HVM domains. With this patch, PV, HVM,
> idle domains now all initialise the mapcache.

But they can't use it yet, can they? This needs saying explicitly, or
else one is going to make wrong implications.

> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -732,6 +732,8 @@ int arch_domain_create(struct domain *d,
>
>      spin_lock_init(&d->arch.e820_lock);
>
> +    mapcache_domain_init(d);
> +
>      /* Minimal initialisation for the idle domain. */
>      if ( unlikely(is_idle_domain(d)) )
>      {
> @@ -829,8 +831,6 @@ int arch_domain_create(struct domain *d,
>
>      psr_domain_init(d);
>
> -    mapcache_domain_init(d);

You move this ahead of error paths taking the "goto out" route, so
adjustments to affected error paths are going to be needed to avoid
memory leaks.

> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -5963,6 +5963,9 @@ int create_perdomain_mapping(struct domain *d, unsigned long va,
>          l3tab = __map_domain_page(pg);
>          clear_page(l3tab);
>          d->arch.perdomain_l3_pg = pg;
> +        if ( is_idle_domain(d) )
> +            idle_pg_table[l4_table_offset(PERDOMAIN_VIRT_START)] =
> +                l4e_from_page(pg, __PAGE_HYPERVISOR_RW);

Hmm, having an idle domain check here isn't very nice. I agree putting
it in arch_domain_create()'s respective conditional isn't very neat
either, but personally I'd consider this at least a little less bad.
And the layering violation aspect isn't much worse than that of setting
d->arch.ctxt_switch there as well.

Jan
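The leak Jan warns about is a generic hazard: once an initialisation that allocates memory moves ahead of steps that can fail, every "goto out" error path after it must release that allocation too. A standalone model of the pattern, with all names invented and malloc standing in for the real per-domain allocations:

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Models a domain with one early- and one late-initialised resource. */
struct fake_domain {
    void *mapcache;   /* stands in for mapcache_domain_init()'s memory */
    void *psr;        /* stands in for the later psr_domain_init() */
};

/*
 * Once the mapcache init moves before failable steps, the shared error
 * path has to free it as well, or the allocation leaks on failure.
 */
static int fake_domain_create(struct fake_domain *d, bool fail_midway)
{
    int rc = -1;

    memset(d, 0, sizeof(*d));

    d->mapcache = malloc(64);          /* moved-up initialisation */
    if ( !d->mapcache )
        goto out;

    if ( fail_midway )                 /* some later step fails */
        goto out;

    d->psr = malloc(64);
    if ( !d->psr )
        goto out;

    return 0;

 out:
    free(d->psr);                      /* cleanup now covers both */
    free(d->mapcache);
    d->psr = d->mapcache = NULL;
    return rc;
}
```

The alternative design Jan alludes to, keeping the init inside the idle-domain conditional or behind the existing failure points, avoids touching the error paths at all.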
Re: [PATCH 09/22] x86: lift mapcache variable to the arch level
On 16.12.2022 12:48, Julien Grall wrote:
> From: Wei Liu
>
> It is going to be needed by HVM and idle domain as well, because without
> the direct map, both need a mapcache to map pages.
>
> This only lifts the mapcache variable up. Whether we populate the
> mapcache for a domain is unchanged in this patch.
>
> Signed-off-by: Wei Liu
> Signed-off-by: Wei Wang
> Signed-off-by: Hongyan Xia
> Signed-off-by: Julien Grall

Reviewed-by: Jan Beulich
[xen-unstable-smoke test] 175455: tolerable all pass - PUSHED
flight 175455 xen-unstable-smoke real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175455/

Failures :-/ but no regressions.

Tests which did not succeed, but are not blocking:
 test-amd64-amd64-libvirt 15 migrate-support-check fail never pass
 test-armhf-armhf-xl 15 migrate-support-check fail never pass
 test-armhf-armhf-xl 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-xsm 16 saverestore-support-check fail never pass

version targeted for testing:
 xen 43b5d7b14c569e2deaf6a2863cfa44351061ad80
baseline version:
 xen 9c57a297378932249c3edefa5065c838f47cb3fb

Last test of basis 175449 2022-12-22 02:00:30 Z 0 days
Testing same since  175455 2022-12-22 10:00:28 Z 0 days 1 attempts

People who touched revisions under test:
 Jan Beulich
 Luca Fancellu

jobs:
 build-arm64-xsm pass
 build-amd64 pass
 build-armhf pass
 build-amd64-libvirt pass
 test-armhf-armhf-xl pass
 test-arm64-arm64-xl-xsm pass
 test-amd64-amd64-xl-qemuu-debianhvm-amd64 pass
 test-amd64-amd64-libvirt pass

sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
 http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports, and of osstest in general, is at
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master

Test harness code can be found at
 http://xenbits.xen.org/gitweb?p=osstest.git;a=summary

Pushing revision :

To xenbits.xen.org:/home/xen/git/xen.git
 9c57a29737..43b5d7b14c 43b5d7b14c569e2deaf6a2863cfa44351061ad80 -> smoke
Re: [PATCH 08/22] x86/pv: rewrite how building PV dom0 handles domheap mappings
On 16.12.2022 12:48, Julien Grall wrote:
> From: Hongyan Xia
>
> Building a PV dom0 is allocating from the domheap but uses it like the
> xenheap. This is clearly wrong. Fix.

"Clearly wrong" would mean there's a bug here, at least under certain
conditions. But there isn't: Even on huge systems, due to running on
idle page tables, all memory is mapped at present.

> @@ -711,22 +715,32 @@ int __init dom0_construct_pv(struct domain *d,
>          v->arch.pv.event_callback_cs = FLAT_COMPAT_KERNEL_CS;
>      }
>
> +#define UNMAP_MAP_AND_ADVANCE(mfn_var, virt_var, maddr) \
> +do {                                                    \
> +    UNMAP_DOMAIN_PAGE(virt_var);                        \

Not much point using the macro when ...

> +    mfn_var = maddr_to_mfn(maddr);                      \
> +    maddr += PAGE_SIZE;                                 \
> +    virt_var = map_domain_page(mfn_var);                \

... the variable gets reset again to non-NULL unconditionally right
away.

> +} while ( false )

This being a local macro and all use sites passing mpt_alloc as the
last argument, I think that parameter wants dropping, which would
improve readability.

> @@ -792,9 +808,9 @@ int __init dom0_construct_pv(struct domain *d,
>              if ( !l3e_get_intpte(*l3tab) )
>              {
>                  maddr_to_page(mpt_alloc)->u.inuse.type_info = PGT_l2_page_table;
> -                l2tab = __va(mpt_alloc); mpt_alloc += PAGE_SIZE;
> -                clear_page(l2tab);
> -                *l3tab = l3e_from_paddr(__pa(l2tab), L3_PROT);
> +                UNMAP_MAP_AND_ADVANCE(l2start_mfn, l2start, mpt_alloc);
> +                clear_page(l2start);
> +                *l3tab = l3e_from_mfn(l2start_mfn, L3_PROT);

The l2start you map on the last iteration here can be re-used ...

> @@ -805,9 +821,17 @@ int __init dom0_construct_pv(struct domain *d,
>                  unmap_domain_page(l2t);
>              }

... in the code the tail of which is visible here, eliminating a
redundant map/unmap pair.

> @@ -977,8 +1001,12 @@ int __init dom0_construct_pv(struct domain *d,
>       * !CONFIG_VIDEO case so the logic here can be simplified.
>       */
>      if ( pv_shim )
> +    {
> +        l4start = map_domain_page(l4start_mfn);
>          pv_shim_setup_dom(d, l4start, v_start, vxenstore_start, vconsole_start,
>                            vphysmap_start, si);
> +        UNMAP_DOMAIN_PAGE(l4start);
> +    }

The, at the first glance, redundant re-mapping of the L4 table here
could do with explaining in the description. However, I further wonder
in how far in shim mode eliminating the direct map is actually useful.
Which is to say that I question the need for this change in the first
place. Or wait - isn't this (unlike the rest of this patch) actually a
bug fix? At this point we're on the domain's page tables, which may not
cover the page the L4 is allocated at (if a truly huge shim was
configured). So I guess the change is needed but wants breaking out,
allowing to at least consider whether to backport it.

Jan
[qemu-mainline test] 175443: tolerable FAIL - PUSHED
flight 175443 qemu-mainline real [real]
flight 175456 qemu-mainline real-retest [real]
http://logs.test-lab.xenproject.org/osstest/logs/175443/
http://logs.test-lab.xenproject.org/osstest/logs/175456/

Failures :-/ but no regressions.

Tests which are failing intermittently (not blocking):
 test-amd64-i386-qemuu-rhel6hvm-amd 7 xen-install fail pass in 175456-retest

Tests which did not succeed, but are not blocking:
 test-amd64-amd64-xl-qemuu-win7-amd64 19 guest-stop fail like 175394
 test-armhf-armhf-libvirt 16 saverestore-support-check fail like 175394
 test-amd64-i386-xl-qemuu-win7-amd64 19 guest-stop fail like 175394
 test-amd64-amd64-xl-qemuu-ws16-amd64 19 guest-stop fail like 175394
 test-amd64-amd64-libvirt-vhd 19 guest-start/debian.repeat fail like 175394
 test-armhf-armhf-libvirt-raw 15 saverestore-support-check fail like 175394
 test-armhf-armhf-libvirt-qcow2 15 saverestore-support-check fail like 175394
 test-amd64-i386-xl-qemuu-ws16-amd64 19 guest-stop fail like 175394
 test-amd64-amd64-qemuu-nested-amd 20 debian-hvm-install/l1/l2 fail like 175394
 test-amd64-amd64-libvirt-xsm 15 migrate-support-check fail never pass
 test-amd64-i386-xl-pvshim 14 guest-start fail never pass
 test-amd64-amd64-libvirt 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-seattle 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-seattle 16 saverestore-support-check fail never pass
 test-amd64-i386-libvirt 15 migrate-support-check fail never pass
 test-amd64-i386-libvirt-xsm 15 migrate-support-check fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit1 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit1 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-thunderx 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-thunderx 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl 15 migrate-support-check fail never pass
 test-arm64-arm64-xl 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-credit2 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit2 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-xsm 16 saverestore-support-check fail never pass
 test-arm64-arm64-libvirt-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-libvirt-xsm 16 saverestore-support-check fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-armhf-armhf-xl-arndale 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-arndale 16 saverestore-support-check fail never pass
 test-amd64-i386-libvirt-raw 14 migrate-support-check fail never pass
 test-armhf-armhf-xl-multivcpu 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-multivcpu 16 saverestore-support-check fail never pass
 test-armhf-armhf-xl 15 migrate-support-check fail never pass
 test-armhf-armhf-xl 16 saverestore-support-check fail never pass
 test-arm64-arm64-libvirt-raw 14 migrate-support-check fail never pass
 test-arm64-arm64-libvirt-raw 15 saverestore-support-check fail never pass
 test-amd64-amd64-libvirt-vhd 14 migrate-support-check fail never pass
 test-armhf-armhf-xl-credit1 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-credit1 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-vhd 14 migrate-support-check fail never pass
 test-arm64-arm64-xl-vhd 15 saverestore-support-check fail never pass
 test-armhf-armhf-xl-rtds 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-rtds 16 saverestore-support-check fail never pass
 test-armhf-armhf-libvirt 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-cubietruck 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-cubietruck 16 saverestore-support-check fail never pass
 test-armhf-armhf-xl-credit2 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-credit2 16 saverestore-support-check fail never pass
 test-armhf-armhf-libvirt-raw 14 migrate-support-check fail never pass
 test-armhf-armhf-xl-vhd 14 migrate-support-check fail never pass
 test-armhf-armhf-xl-vhd 15 saverestore-support-check fail never pass
 test-armhf-armhf-libvirt-qcow2 14 migrate-support-check fail never pass

version targeted for testing:
 qemuu 8540a1f69578afb3b37866b1ce5bec46a9f6efbc
baseline version:
 qemuu
Re: [PATCH 07/22] x86/pv: domheap pages should be mapped while relocating initrd
On 16.12.2022 12:48, Julien Grall wrote:
> From: Wei Liu
>
> Xen shouldn't use domheap page as if they were xenheap pages. Map and
> unmap pages accordingly.
>
> Signed-off-by: Wei Liu
> Signed-off-by: Wei Wang
> Signed-off-by: Julien Grall
>
> Changes since Hongyan's version:
> * Add missing newline after the variable declaration
> ---
>  xen/arch/x86/pv/dom0_build.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c
> index a62f0fa2ef29..c837b2d96f89 100644
> --- a/xen/arch/x86/pv/dom0_build.c
> +++ b/xen/arch/x86/pv/dom0_build.c
> @@ -611,18 +611,32 @@ int __init dom0_construct_pv(struct domain *d,
>      if ( d->arch.physaddr_bitsize &&
>           ((mfn + count - 1) >> (d->arch.physaddr_bitsize - PAGE_SHIFT)) )
>      {
> +        unsigned long nr_pages;
> +        unsigned long len = initrd_len;
> +
>          order = get_order_from_pages(count);
>          page = alloc_domheap_pages(d, order, MEMF_no_scrub);
>          if ( !page )
>              panic("Not enough RAM for domain 0 initrd\n");
> +
> +        nr_pages = 1UL << order;

I don't think this needs establishing here and ...

>          for ( count = -count; order--; )
>              if ( count & (1UL << order) )
>              {
>                  free_domheap_pages(page, order);
>                  page += 1UL << order;
> +                nr_pages -= 1UL << order;

... updating here. Doing so just once ...

>              }
> -        memcpy(page_to_virt(page), mfn_to_virt(initrd->mod_start),
> -               initrd_len);
> +

... here ought to suffice, assuming this 2nd variable is needed at all
(alongside "len").

> +        for ( i = 0; i < nr_pages; i++, len -= PAGE_SIZE )
> +        {
> +            void *p = __map_domain_page(page + i);
> +
> +            memcpy(p, mfn_to_virt(initrd_mfn + i),
> +                   min(len, (unsigned long)PAGE_SIZE));
> +            unmap_domain_page(p);
> +        }

You're half open-coding copy_domain_page() without saying anywhere why
the remaining mfn_to_virt() is okay to keep. If you used
copy_domain_page(), no such remark would need adding in the
description.

Jan
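The trimming loop quoted in this exchange is subtle enough to deserve a standalone model: after allocating a 2^order block for count pages, `for ( count = -count; order--; )` frees leading power-of-two sub-blocks so that exactly count pages survive at the tail. A sketch using page offsets instead of page pointers, with free_domheap_pages() modelled by a counter:

```c
static unsigned long freed_pages;  /* models free_domheap_pages() */

/*
 * Trim a 2^order block down to the originally requested page count,
 * mirroring the dom0 initrd loop quoted above.  Returns the offset of
 * the first page that is kept; the kept run extends to the block's end.
 */
static unsigned long trim_block(unsigned long count, unsigned int order)
{
    unsigned long page = 0;                /* offset, not a pointer */

    freed_pages = 0;
    for ( count = -count; order--; )
        if ( count & (1UL << order) )
        {
            freed_pages += 1UL << order;   /* free_domheap_pages(page, order) */
            page += 1UL << order;
        }
    return page;
}
```

For 0 < count <= 2^order, -count modulo 2^order equals 2^order - count, so the set bits below order pick out exactly the sub-blocks to discard: for count = 5, order = 3, pages 0-2 are freed and pages 3-7 are kept.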
Re: [PATCH 06/22] x86: map/unmap pages in restore_all_guests
On 16.12.2022 12:48, Julien Grall wrote:
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -165,7 +165,24 @@ restore_all_guest:
>          and   %rsi, %rdi
>          and   %r9, %rsi
>          add   %rcx, %rdi
> -        add   %rcx, %rsi
> +
> +        /*
> +         * Without a direct map, we have to map first before copying. We only
> +         * need to map the guest root table but not the per-CPU root_pgt,
> +         * because the latter is still a xenheap page.
> +         */
> +        pushq %r9
> +        pushq %rdx
> +        pushq %rax
> +        pushq %rdi
> +        mov   %rsi, %rdi
> +        shr   $PAGE_SHIFT, %rdi
> +        callq map_domain_page
> +        mov   %rax, %rsi
> +        popq  %rdi
> +        /* Stash the pointer for unmapping later. */
> +        pushq %rax
> +
>          mov   $ROOT_PAGETABLE_FIRST_XEN_SLOT, %ecx
>          mov   root_table_offset(SH_LINEAR_PT_VIRT_START)*8(%rsi), %r8
>          mov   %r8, root_table_offset(SH_LINEAR_PT_VIRT_START)*8(%rdi)
> @@ -177,6 +194,14 @@ restore_all_guest:
>          sub   $(ROOT_PAGETABLE_FIRST_XEN_SLOT - \
>                  ROOT_PAGETABLE_LAST_XEN_SLOT - 1) * 8, %rdi
>          rep movsq
> +
> +        /* Unmap the page. */
> +        popq  %rdi
> +        callq unmap_domain_page
> +        popq  %rax
> +        popq  %rdx
> +        popq  %r9

While the PUSH/POP are part of what I dislike here, I think this wants
doing differently: Establish a mapping when putting in place a new
guest page table, and use the pointer here. This could be a new
per-domain mapping, to limit its visibility.

Jan
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
On 22/12/2022 10:14, Demi Marie Obenour wrote:

On Thu, Dec 22, 2022 at 09:52:11AM +, Julien Grall wrote:

Hi Stefano,

On 22/12/2022 00:38, Stefano Stabellini wrote:

On Tue, 20 Dec 2022, Smith, Jackson wrote:

Hi Stefano,

On 16/12/2022 01:46, Stefano Stabellini wrote:

On Thu, 15 Dec 2022, Julien Grall wrote:

On 13/12/2022 19:48, Smith, Jackson wrote:

Yes, we are familiar with the "secret-free hypervisor" work. As you point out, both our work and the secret-free hypervisor remove the directmap region to mitigate the risk of leaking sensitive guest secrets. However, our work is slightly different because it additionally prevents attackers from tricking Xen into remapping a guest.

I understand your goal, but I don't think this is achieved (see above). You would need an entity to prevent write to TTBR0_EL2 in order to fully protect it.

Without a way to stop Xen from reading/writing TTBR0_EL2, we cannot claim that the guest's secrets are 100% safe.

But the attacker would have to follow the sequence you outlines above to change Xen's pagetables and remap guest memory before accessing it. It is an additional obstacle for attackers that want to steal other guests' secrets. The size of the code that the attacker would need to inject in Xen would need to be bigger and more complex.

Right, that's why I wrote with a bit more work. However, the nuance you mention doesn't seem to be present in the cover letter:

"This creates what we call "Software Enclaves", ensuring that an adversary with arbitrary code execution in the hypervisor STILL cannot read/write guest memory."

So if the end goal if really to protect against *all* sort of arbitrary code, then I think we should have a rough idea how this will look like in Xen.

From a brief look, it doesn't look like it would be possible to prevent modification to TTBR0_EL2 (even from EL3). We would need to investigate if there are other bits in the architecture to help us.

Every little helps :-)

I can see how making the life of the attacker more difficult is appealing. Yet, the goal needs to be clarified and the risk with the approach acknowledged (see above).

You're right, we should have mentioned this weakness in our first email. Sorry about the oversight! This is definitely still a limitation that we have not yet overcome. However, we do think that the increase in attacker workload that you and Stefano are discussing could still be valuable to security conscious Xen users.

It would nice to find additional architecture features that we can use to close this hole on arm, but there aren't any that stand out to me either.

With this limitation in mind, what are the next steps we should take to support this feature for the xen community? Is this increase in attacker workload meaningful enough to justify the inclusion of VMF in Xen?

I think it could be valuable as an additional obstacle for the attacker to overcome. The next step would be to port your series on top of Julien's "Remove the directmap" patch series https://marc.info/?l=xen-devel=167119090721116

Julien, what do you think?

If we want Xen to be used in confidential compute, then we need a compelling story and prove that we are at least as secure as other hypervisors.

So I think we need to investigate a few areas:

* Can we protect the TTBR? I don't think this can be done with the HW. But maybe I overlook it.

This can be done by running most of Xen at a lower EL, and having only a small trusted (and hopefully formally verified) kernel run at EL2.

This is what I hinted in my 3rd bullet. :) I didn't consider this for the first bullet because the goal of this question is to figure out whether we can leave all Xen running in EL2 and still have the same guarantee.

Cheers,

--
Julien Grall
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
On Thu, Dec 22, 2022 at 09:52:11AM +, Julien Grall wrote:
> Hi Stefano,
>
> On 22/12/2022 00:38, Stefano Stabellini wrote:
> > On Tue, 20 Dec 2022, Smith, Jackson wrote:
> > > > Hi Stefano,
> > > >
> > > > On 16/12/2022 01:46, Stefano Stabellini wrote:
> > > > > On Thu, 15 Dec 2022, Julien Grall wrote:
> > > > > > > > On 13/12/2022 19:48, Smith, Jackson wrote:
> > > > > > > Yes, we are familiar with the "secret-free hypervisor" work. As
> > > > > > > you point out, both our work and the secret-free hypervisor
> > > > > > > remove the directmap region to mitigate the risk of leaking
> > > > > > > sensitive guest secrets. However, our work is slightly different
> > > > > > > because it additionally prevents attackers from tricking Xen
> > > > > > > into remapping a guest.
> > > > > >
> > > > > > I understand your goal, but I don't think this is achieved (see
> > > > > > above). You would need an entity to prevent write to TTBR0_EL2 in
> > > > > > order to fully protect it.
> > > > >
> > > > > Without a way to stop Xen from reading/writing TTBR0_EL2, we cannot
> > > > > claim that the guest's secrets are 100% safe.
> > > > >
> > > > > But the attacker would have to follow the sequence you outlines
> > > > > above to change Xen's pagetables and remap guest memory before
> > > > > accessing it. It is an additional obstacle for attackers that want
> > > > > to steal other guests' secrets. The size of the code that the
> > > > > attacker would need to inject in Xen would need to be bigger and
> > > > > more complex.
> > > >
> > > > Right, that's why I wrote with a bit more work. However, the nuance
> > > > you mention doesn't seem to be present in the cover letter:
> > > >
> > > > "This creates what we call "Software Enclaves", ensuring that an
> > > > adversary with arbitrary code execution in the hypervisor STILL cannot
> > > > read/write guest memory."
> > > >
> > > > So if the end goal if really to protect against *all* sort of
> > > > arbitrary code, then I think we should have a rough idea how this will
> > > > look like in Xen.
> > > >
> > > > From a brief look, it doesn't look like it would be possible to
> > > > prevent modification to TTBR0_EL2 (even from EL3). We would need to
> > > > investigate if there are other bits in the architecture to help us.
> > > >
> > > > Every little helps :-)
> > > >
> > > > I can see how making the life of the attacker more difficult is
> > > > appealing. Yet, the goal needs to be clarified and the risk with the
> > > > approach acknowledged (see above).
> > >
> > > You're right, we should have mentioned this weakness in our first email.
> > > Sorry about the oversight! This is definitely still a limitation that we
> > > have not yet overcome. However, we do think that the increase in
> > > attacker workload that you and Stefano are discussing could still be
> > > valuable to security conscious Xen users.
> > >
> > > It would nice to find additional architecture features that we can use
> > > to close this hole on arm, but there aren't any that stand out to me
> > > either.
> > >
> > > With this limitation in mind, what are the next steps we should take to
> > > support this feature for the xen community? Is this increase in attacker
> > > workload meaningful enough to justify the inclusion of VMF in Xen?
> >
> > I think it could be valuable as an additional obstacle for the attacker
> > to overcome. The next step would be to port your series on top of
> > Julien's "Remove the directmap" patch series
> > https://marc.info/?l=xen-devel=167119090721116
> >
> > Julien, what do you think?
>
> If we want Xen to be used in confidential compute, then we need a
> compelling story and prove that we are at least as secure as other
> hypervisors.
>
> So I think we need to investigate a few areas:
>    * Can we protect the TTBR? I don't think this can be done with the HW.
>      But maybe I overlook it.

This can be done by running most of Xen at a lower EL, and having only a
small trusted (and hopefully formally verified) kernel run at EL2.

>    * Can VMF be extended to more use-cases? For instances, for hypercalls,
>      we could have bounce buffer.
>    * If we can't fully secure VMF, can the attack surface be reduced (e.g.
>      disable hypercalls at runtime/compile time)? Could we use a different
>      architecture (I am thinking something like pKVM [1])?
>
> Cheers,
>
> [1] https://lwn.net/Articles/836693/

pKVM has been formally verified already, in the form of seKVM. So there
very much is precedent for this.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v5 09/10] x86/mm: Reject invalid cacheability in PV guests by default
On 22.12.2022 10:55, Demi Marie Obenour wrote:
> On Thu, Dec 22, 2022 at 10:48:02AM +0100, Jan Beulich wrote:
>> Also wasn't there talk of having this behavior in debug hypervisors
>> only? Without that restriction I'm yet less happy with the change ...
>
> My understanding was that Andrew preferred the behavior to be turned on
> in release hypervisors too. I am inclined to agree with Andrew, if for
> no other reason than that those working on guest OSs do not generally
> use debug hypervisors if they are not also working on Xen itself.

That's likely a mistake then, at least for work on PV guest OSes. In
particular PV memory management code is sprinkled with gdprintk(), in
an attempt to help those people understand why some operation has
failed.

Jan
Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes
On 22.12.2022 11:00, Demi Marie Obenour wrote:
> On Thu, Dec 22, 2022 at 10:54:48AM +0100, Jan Beulich wrote:
>> On 22.12.2022 10:50, Demi Marie Obenour wrote:
>>> On Thu, Dec 22, 2022 at 10:35:08AM +0100, Jan Beulich wrote:
>>>> On 20.12.2022 02:07, Demi Marie Obenour wrote:
>>>>> @@ -6361,6 +6366,72 @@ static void __init __maybe_unused build_assertions(void)
>>>>>      * using different PATs will not work.
>>>>>      */
>>>>>     BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL);
>>>>> +
>>>>> +    /*
>>>>> +     * _PAGE_WB must be zero for several reasons, not least because Linux
>>>>> +     * assumes it.
>>>>> +     */
>>>>> +    BUILD_BUG_ON(_PAGE_WB);
>>>>
>>>> Strictly speaking this is a requirement only for PV guests. We may not
>>>> want to go as far as putting "#ifdef CONFIG_PV" around it, but at least
>>>> the code comment (and then also the part of the description referring
>>>> to this) will imo want to say so.
>>>
>>> Does Xen itself depend on this?
>>
>> With the wording in the description I was going from the assumption that
>> you have audited code and found that we properly use _PAGE_* constants
>> everywhere.
>
> There could be other hard-coded uses of magic numbers I haven’t found,
> and _PAGE_WB is currently zero so I would be quite surprised if no code
> in Xen omits it. Linux also has a BUILD_BUG_ON() to check the same
> thing.

Fair enough - please adjust description and comment text accordingly
then.

Jan
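The two compile-time checks under discussion can be mimicked standalone with C11 `_Static_assert`, which is essentially what Xen's BUILD_BUG_ON() provides. The values below are the ones quoted in the thread; for simplicity _PAGE_WB is treated here as a plain PAT index (in Xen it is actually a combination of the PAT/PCD/PWT PTE bits, which happens to be zero for index 0):

```c
/* Constants as quoted in this thread; illustrative, not Xen's headers. */
#define XEN_MSR_PAT 0x050100070406ULL
#define _PAGE_WB    0

/* The PAT entry selected by _PAGE_WB must be the write-back type (0x06)... */
_Static_assert(((XEN_MSR_PAT >> (8 * _PAGE_WB)) & 0xff) == 0x06,
               "PAT entry selected by _PAGE_WB is not write-back");

/* ...and _PAGE_WB itself must be zero, as Linux and PV guests assume. */
_Static_assert(_PAGE_WB == 0,
               "_PAGE_WB must be the all-zero cacheability attribute");
```

Because both assertions are evaluated at compile time, a future change to either constant fails the build immediately rather than producing wrong cacheability at runtime, which is the point of the patch being reviewed.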
Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes
On Thu, Dec 22, 2022 at 10:54:48AM +0100, Jan Beulich wrote: > On 22.12.2022 10:50, Demi Marie Obenour wrote: > > On Thu, Dec 22, 2022 at 10:35:08AM +0100, Jan Beulich wrote: > >> On 20.12.2022 02:07, Demi Marie Obenour wrote: > >>> --- a/xen/arch/x86/mm.c > >>> +++ b/xen/arch/x86/mm.c > >>> @@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void) > >>> return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1; > >>> } > >>> > >>> + > >>> +/* > >>> + * A bunch of static assertions to check that the XEN_MSR_PAT is valid > >>> + * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero. > >>> + */ > >>> static void __init __maybe_unused build_assertions(void) > >>> { > >>> /* > >>> @@ -6361,6 +6366,72 @@ static void __init __maybe_unused > >>> build_assertions(void) > >>> * using different PATs will not work. > >>> */ > >>> BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL); > >>> + > >>> +/* > >>> + * _PAGE_WB must be zero for several reasons, not least because Linux > >>> + * assumes it. > >>> + */ > >>> +BUILD_BUG_ON(_PAGE_WB); > >> > >> Strictly speaking this is a requirement only for PV guests. We may not > >> want to go as far as putting "#ifdef CONFIG_PV" around it, but at least > >> the code comment (and then also the part of the description referring > >> to this) will imo want to say so. > > > > Does Xen itself depend on this? > > With the wording in the description I was going from the assumption that > you have audited code and found that we properly use _PAGE_* constants > everywhere. There could be other hard-coded uses of magic numbers I haven’t found, and _PAGE_WB is currently zero so I would be quite surprised if no code in Xen omits it. Linux also has a BUILD_BUG_ON() to check the same thing. > >>> +} while (0) > >>> + > >>> +/* > >>> + * If one of these trips, the corresponding _PAGE_* macro is > >>> inconsistent > >>> + * with XEN_MSR_PAT.
This would cause Xen to use incorrect > >>> cacheability > >>> + * flags, with results that are undefined and probably harmful. > >> > >> Why "undefined"? They may be wrong / broken, but the result is still well- > >> defined afaict. > > > > “undefined” is meant as “one has violated a core assumption that > > higher-level stuff depends on, so things can go arbitrarily wrong, > > including e.g. corrupting memory or data”. Is this accurate? Should I > > drop the dependent clause, or do you have a suggestion for something > > better? > > s/undefined/unknown/ ? Will fix in v6. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab signature.asc Description: PGP signature
Re: [PATCH v5 02/10] x86/mm: Avoid hard-coding PAT in get_page_from_l1e()
On Thu, Dec 22, 2022 at 10:51:08AM +0100, Jan Beulich wrote: > On 20.12.2022 09:19, Jan Beulich wrote: > > On 20.12.2022 02:07, Demi Marie Obenour wrote: > >> get_page_from_l1e() relied on Xen's choice of PAT, which is brittle in > >> the face of future PAT changes. Instead, compute the actual cacheability > >> used by the CPU and switch on that, as this will work no matter what PAT > >> Xen uses. > >> > >> No functional change intended. This code is itself questionable and may > >> be removed in the future, but removing it would be an observable > >> behavior change and so is out of scope for this patch series. > >> > >> Signed-off-by: Demi Marie Obenour > >> --- > >> Changes since v4: > >> - Do not add new pte_flags_to_cacheability() helper, as this code may be > >> removed in the near future and so adding a new helper for it is a bad > >> idea. > >> - Do not BUG() in the event of an unexpected cacheability. This cannot > >> happen, but it is simpler to force such types to UC than to prove that > >> the BUG() is not reachable. > >> > >> Changes since v3: > >> - Compute and use the actual cacheability as seen by the processor. > >> > >> Changes since v2: > >> - Improve commit message. 
> >> --- > >> xen/arch/x86/mm.c | 14 -- > >> 1 file changed, 8 insertions(+), 6 deletions(-) > >> > >> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c > >> index > >> 78b1972e4170ca9c37c6e64e76e66a7da87f..dba6c77ef2f7ed7fcb7f7e526583ccadd35e62cc > >> 100644 > >> --- a/xen/arch/x86/mm.c > >> +++ b/xen/arch/x86/mm.c > >> @@ -959,14 +959,16 @@ get_page_from_l1e( > >> flip = _PAGE_RW; > >> } > >> > >> -switch ( l1f & PAGE_CACHE_ATTRS ) > >> +switch ( 0xFF & (XEN_MSR_PAT >> (8 * > >> pte_flags_to_cacheattr(l1f))) ) > >> { > >> -case 0: /* WB */ > >> -flip |= _PAGE_PWT | _PAGE_PCD; > >> +case X86_MT_UC: > >> +case X86_MT_UCM: > >> +case X86_MT_WC: > >> +/* not cacheable */ > >> break; > >> -case _PAGE_PWT: /* WT */ > >> -case _PAGE_PWT | _PAGE_PAT: /* WP */ > >> -flip |= _PAGE_PCD | (l1f & _PAGE_PAT); > >> +default: > >> +/* cacheable */ > >> +flip |= ((l1f & PAGE_CACHE_ATTRS) ^ _PAGE_UC); > >> break; > > > > In v4 the comment here was "cacheable, force to UC". The latter aspect is > > quite relevant (and iirc also what Andrew had asked for to have as a > > comment). But with this now being the default case, the comment (in either > > this or the earlier form) would become stale. A forward compatible way of > > wording this would e.g. be "force any other type to UC". With an adjustment > > along these lines (which I think could be done while committing) > > Reviewed-by: Jan Beulich > > If you had replied signaling your consent (and perhaps the preferred by you > wording), I would have committed this. Now it's going to be v6 afaic ... > > Jan Sorry about that. "potentially cacheable, force to UC" is the wording I have planned for v6, along with "not cacheable, allow" in the other case. Feel free to go ahead and commit if you want. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab signature.asc Description: PGP signature
Re: [PATCH v5 09/10] x86/mm: Reject invalid cacheability in PV guests by default
On Thu, Dec 22, 2022 at 10:48:02AM +0100, Jan Beulich wrote: > On 20.12.2022 02:07, Demi Marie Obenour wrote: > > --- a/xen/arch/x86/mm.c > > +++ b/xen/arch/x86/mm.c > > @@ -145,6 +145,8 @@ > > > > #ifdef CONFIG_PV > > #include "pv/mm.h" > > +bool allow_invalid_cacheability; > > static and __ro_after_init please (the former not the least with Misra > in mind). Will fix in v6. > > +boolean_param("allow_invalid_cacheability", allow_invalid_cacheability); > > #endif > > Any new command line option will need to come with an entry in > docs/misc/xen-command-line.pandoc. Furthermore we're trying to avoid > underscores in command line option names, when dashes serve the > purpose quite fine. Will fix in v6. > Also please add a blank line at least between #include and your > addition. Personally I would find it more natural if such a single-use > control was defined next to the place it is used, i.e. Will fix in v6. > > @@ -1343,7 +1345,33 @@ static int promote_l1_table(struct page_info *page) > > } > > else > > { > > ... here. Will move in v6. > > -switch ( ret = get_page_from_l1e(pl1e[i], d, d) ) > > +l1_pgentry_t l1e = pl1e[i]; > > + > > +if ( !allow_invalid_cacheability ) > > +{ > > +switch ( l1e.l1 & PAGE_CACHE_ATTRS ) > > +{ > > +case _PAGE_WB: > > +case _PAGE_UC: > > +case _PAGE_UCM: > > +case _PAGE_WC: > > +case _PAGE_WT: > > +case _PAGE_WP: > > +break; > > +default: > > Nit (style): Blank line please between non-fall-through case blocks. Will fix in v6. > > +/* > > + * If we get here, a PV guest tried to use one of the > > + * reserved values in Xen's PAT. This indicates a bug > > in > > + * the guest, so inject #GP to cause the guest to log a > > + * stack trace. > > + */ > > And likely make it die. Which, yes, ... > > > +pv_inject_hw_exception(TRAP_gp_fault, 0); > > +ret = -EINVAL; > > ... 
also may or may not be the result of returning failure here (if the > guest "checks" for errors by using a BUG()-like construct), but that's > then more of its own fault than not coping with a non-architectural #GP. Is there really any architectural behavior here? > Also wasn't there talk of having this behavior in debug hypervisors > only? Without that restriction I'm yet less happy with the change ... My understanding was that Andrew preferred the behavior to be turned on in release hypervisors too. I am inclined to agree with Andrew, if for no other reason than that those working on guest OSs do not generally use debug hypervisors if they are not also working on Xen itself. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab signature.asc Description: PGP signature
Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes
On 22.12.2022 10:50, Demi Marie Obenour wrote: > On Thu, Dec 22, 2022 at 10:35:08AM +0100, Jan Beulich wrote: >> On 20.12.2022 02:07, Demi Marie Obenour wrote: >>> --- a/xen/arch/x86/mm.c >>> +++ b/xen/arch/x86/mm.c >>> @@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void) >>> return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1; >>> } >>> >>> + >>> +/* >>> + * A bunch of static assertions to check that the XEN_MSR_PAT is valid >>> + * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero. >>> + */ >>> static void __init __maybe_unused build_assertions(void) >>> { >>> /* >>> @@ -6361,6 +6366,72 @@ static void __init __maybe_unused >>> build_assertions(void) >>> * using different PATs will not work. >>> */ >>> BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL); >>> + >>> +/* >>> + * _PAGE_WB must be zero for several reasons, not least because Linux >>> + * assumes it. >>> + */ >>> +BUILD_BUG_ON(_PAGE_WB); >> >> Strictly speaking this is a requirement only for PV guests. We may not >> want to go as far as putting "#ifdef CONFIG_PV" around it, but at least >> the code comment (and then also the part of the description referring >> to this) will imo want to say so. > > Does Xen itself depend on this? With the wording in the description I was going from the assumption that you have audited code and found that we properly use _PAGE_* constants everywhere. >>> +} while (0) >>> + >>> +/* >>> + * If one of these trips, the corresponding _PAGE_* macro is >>> inconsistent >>> + * with XEN_MSR_PAT. This would cause Xen to use incorrect >>> cacheability >>> + * flags, with results that are undefined and probably harmful. >> >> Why "undefined"? They may be wrong / broken, but the result is still well- >> defined afaict. > > “undefined” is meant as “one has violated a core assumption that > higher-level stuff depends on, so things can go arbitrarily wrong, > including e.g. corrupting memory or data”. Is this accurate? 
Should I > drop the dependent clause, or do you have a suggestion for something > better? s/undefined/unknown/ ? Jan
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
Hi Stefano, On 22/12/2022 00:38, Stefano Stabellini wrote: On Tue, 20 Dec 2022, Smith, Jackson wrote: Hi Stefano, On 16/12/2022 01:46, Stefano Stabellini wrote: On Thu, 15 Dec 2022, Julien Grall wrote: On 13/12/2022 19:48, Smith, Jackson wrote: Yes, we are familiar with the "secret-free hypervisor" work. As you point out, both our work and the secret-free hypervisor remove the directmap region to mitigate the risk of leaking sensitive guest secrets. However, our work is slightly different because it additionally prevents attackers from tricking Xen into remapping a guest. I understand your goal, but I don't think this is achieved (see above). You would need an entity to prevent write to TTBR0_EL2 in order to fully protect it. Without a way to stop Xen from reading/writing TTBR0_EL2, we cannot claim that the guest's secrets are 100% safe. But the attacker would have to follow the sequence you outlined above to change Xen's pagetables and remap guest memory before accessing it. It is an additional obstacle for attackers that want to steal other guests' secrets. The size of the code that the attacker would need to inject in Xen would need to be bigger and more complex. Right, that's why I wrote with a bit more work. However, the nuance you mention doesn't seem to be present in the cover letter: "This creates what we call "Software Enclaves", ensuring that an adversary with arbitrary code execution in the hypervisor STILL cannot read/write guest memory." So if the end goal is really to protect against *all* sorts of arbitrary code, then I think we should have a rough idea what this will look like in Xen. From a brief look, it doesn't look like it would be possible to prevent modification to TTBR0_EL2 (even from EL3). We would need to investigate if there are other bits in the architecture to help us. Every little helps :-) I can see how making the life of the attacker more difficult is appealing.
Yet, the goal needs to be clarified and the risk with the approach acknowledged (see above). You're right, we should have mentioned this weakness in our first email. Sorry about the oversight! This is definitely still a limitation that we have not yet overcome. However, we do think that the increase in attacker workload that you and Stefano are discussing could still be valuable to security-conscious Xen users. It would be nice to find additional architecture features that we can use to close this hole on arm, but there aren't any that stand out to me either. With this limitation in mind, what are the next steps we should take to support this feature for the Xen community? Is this increase in attacker workload meaningful enough to justify the inclusion of VMF in Xen? I think it could be valuable as an additional obstacle for the attacker to overcome. The next step would be to port your series on top of Julien's "Remove the directmap" patch series https://marc.info/?l=xen-devel=167119090721116 Julien, what do you think? If we want Xen to be used in confidential compute, then we need a compelling story and prove that we are at least as secure as other hypervisors. So I think we need to investigate a few areas:
* Can we protect the TTBR? I don't think this can be done with the HW. But maybe I overlook it.
* Can VMF be extended to more use-cases? For instance, for hypercalls, we could have bounce buffers.
* If we can't fully secure VMF, can the attack surface be reduced (e.g. disable hypercalls at runtime/compile time)? Could we use a different architecture (I am thinking something like pKVM [1])?
Cheers,
[1] https://lwn.net/Articles/836693/
-- Julien Grall
Re: [PATCH v5 02/10] x86/mm: Avoid hard-coding PAT in get_page_from_l1e()
On 20.12.2022 09:19, Jan Beulich wrote: > On 20.12.2022 02:07, Demi Marie Obenour wrote: >> get_page_from_l1e() relied on Xen's choice of PAT, which is brittle in >> the face of future PAT changes. Instead, compute the actual cacheability >> used by the CPU and switch on that, as this will work no matter what PAT >> Xen uses. >> >> No functional change intended. This code is itself questionable and may >> be removed in the future, but removing it would be an observable >> behavior change and so is out of scope for this patch series. >> >> Signed-off-by: Demi Marie Obenour >> --- >> Changes since v4: >> - Do not add new pte_flags_to_cacheability() helper, as this code may be >> removed in the near future and so adding a new helper for it is a bad >> idea. >> - Do not BUG() in the event of an unexpected cacheability. This cannot >> happen, but it is simpler to force such types to UC than to prove that >> the BUG() is not reachable. >> >> Changes since v3: >> - Compute and use the actual cacheability as seen by the processor. >> >> Changes since v2: >> - Improve commit message. >> --- >> xen/arch/x86/mm.c | 14 -- >> 1 file changed, 8 insertions(+), 6 deletions(-) >> >> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c >> index >> 78b1972e4170ca9c37c6e64e76e66a7da87f..dba6c77ef2f7ed7fcb7f7e526583ccadd35e62cc >> 100644 >> --- a/xen/arch/x86/mm.c >> +++ b/xen/arch/x86/mm.c >> @@ -959,14 +959,16 @@ get_page_from_l1e( >> flip = _PAGE_RW; >> } >> >> -switch ( l1f & PAGE_CACHE_ATTRS ) >> +switch ( 0xFF & (XEN_MSR_PAT >> (8 * pte_flags_to_cacheattr(l1f))) ) >> { >> -case 0: /* WB */ >> -flip |= _PAGE_PWT | _PAGE_PCD; >> +case X86_MT_UC: >> +case X86_MT_UCM: >> +case X86_MT_WC: >> +/* not cacheable */ >> break; >> -case _PAGE_PWT: /* WT */ >> -case _PAGE_PWT | _PAGE_PAT: /* WP */ >> -flip |= _PAGE_PCD | (l1f & _PAGE_PAT); >> +default: >> +/* cacheable */ >> +flip |= ((l1f & PAGE_CACHE_ATTRS) ^ _PAGE_UC); >> break; > > In v4 the comment here was "cacheable, force to UC". 
The latter aspect is > quite relevant (and iirc also what Andrew had asked for to have as a > comment). But with this now being the default case, the comment (in either > this or the earlier form) would become stale. A forward compatible way of > wording this would e.g. be "force any other type to UC". With an adjustment > along these lines (which I think could be done while committing) > Reviewed-by: Jan Beulich If you had replied signaling your consent (and perhaps the preferred by you wording), I would have committed this. Now it's going to be v6 afaic ... Jan
Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes
On Thu, Dec 22, 2022 at 10:35:08AM +0100, Jan Beulich wrote: > On 20.12.2022 02:07, Demi Marie Obenour wrote: > > It may be desirable to change Xen's PAT for various reasons. This > > requires changes to several _PAGE_* macros as well. Add static > > assertions to check that XEN_MSR_PAT is consistent with the _PAGE_* > > macros, and that _PAGE_WB is 0 as required by Linux. > > In line with the code comment, perhaps add "(not just)"? Will reword in v6. > > --- a/xen/arch/x86/mm.c > > +++ b/xen/arch/x86/mm.c > > @@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void) > > return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1; > > } > > > > + > > +/* > > + * A bunch of static assertions to check that the XEN_MSR_PAT is valid > > + * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero. > > + */ > > static void __init __maybe_unused build_assertions(void) > > { > > /* > > @@ -6361,6 +6366,72 @@ static void __init __maybe_unused > > build_assertions(void) > > * using different PATs will not work. > > */ > > BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL); > > + > > +/* > > + * _PAGE_WB must be zero for several reasons, not least because Linux > > + * assumes it. > > + */ > > +BUILD_BUG_ON(_PAGE_WB); > > Strictly speaking this is a requirement only for PV guests. We may not > want to go as far as putting "#ifdef CONFIG_PV" around it, but at least > the code comment (and then also the part of the description referring > to this) will imo want to say so. Does Xen itself depend on this? > > +/* A macro to convert from cache attributes to actual cacheability */ > > +#define PAT_ENTRY(v) (0xFF & (XEN_MSR_PAT >> (8 * (v)))) > > I don't think the comment is appropriate here. All you do is extract a > slot from the hard-coded PAT value we use. Will drop in v6.
> > +/* Validate at compile-time that v is a valid value for a PAT entry */ > > +#define CHECK_PAT_ENTRY_VALUE(v) > > \ > > +BUILD_BUG_ON((v) < 0 || (v) > 7 || > > \ > > PAT_ENTRY() won't produce negative values, so I don't think "(v) < 0" is > really needed here. And the "(v) > 7" will imo want replacing by > "(v) >= X86_NUM_MT". Will fix in v6. > > + (v) == X86_MT_RSVD_2 || (v) == X86_MT_RSVD_3) > > + > > +/* Validate at compile-time that PAT entry v is valid */ > > +#define CHECK_PAT_ENTRY(v) do { > > \ > > +BUILD_BUG_ON((v) < 0 || (v) > 7); > > \ > > I think this would better be part of PAT_ENTRY(), as the validity of the > shift there depends on it. If this check is needed in the first place, > seeing that the macro is #undef-ed right after use below, and hence the > checks only cover the eight invocations of the macro right here. > > > +CHECK_PAT_ENTRY_VALUE(PAT_ENTRY(v)); > > \ > > +} while (0); > > Nit (style): Missing blanks around 0 and perhaps better nowadays to use > "false" in such constructs. (Because of other comments this may go away > here anyway, but there's another similar instance below). Will fix in v6. > > +/* > > + * If one of these trips, the corresponding entry in XEN_MSR_PAT is > > invalid. > > + * This would cause Xen to crash (with #GP) at startup. > > + */ > > +CHECK_PAT_ENTRY(0); > > +CHECK_PAT_ENTRY(1); > > +CHECK_PAT_ENTRY(2); > > +CHECK_PAT_ENTRY(3); > > +CHECK_PAT_ENTRY(4); > > +CHECK_PAT_ENTRY(5); > > +CHECK_PAT_ENTRY(6); > > +CHECK_PAT_ENTRY(7); > > + > > +#undef CHECK_PAT_ENTRY > > +#undef CHECK_PAT_ENTRY_VALUE > > + > > +/* Macro version of page_flags_to_cacheattr(), for use in > > BUILD_BUG_ON()s */ > > DYM pte_flags_to_cacheattr()? At which point the macro name wants to > match and its parameter may also better be named "pte_value"? Indeed so. > > +#define PAGE_FLAGS_TO_CACHEATTR(page_value) > > \ > > +((((page_value) >> 5) & 4) | (((page_value) >> 3) & 3)) > > Hmm, yet more uses of magic literal numbers.
I wanted to keep the definition as close to that of pte_flags_to_cacheattr() as possible. > > +/* Check that a PAT-related _PAGE_* macro is correct */ > > +#define CHECK_PAGE_VALUE(page_value) do { > > \ > > +/* Check that the _PAGE_* macros only use bits from PAGE_CACHE_ATTRS > > */\ > > +BUILD_BUG_ON(((_PAGE_##page_value) & PAGE_CACHE_ATTRS) != > > \ > > + (_PAGE_##page_value)); > > \ > > Nit (style): One too many blanks used for indentation. Will fix in v6. > > +/* Check that the _PAGE_* are consistent with XEN_MSR_PAT */ > > \ > > +BUILD_BUG_ON(PAT_ENTRY(PAGE_FLAGS_TO_CACHEATTR(_PAGE_##page_value)) != > > \ > > +
Re: [PATCH v5 09/10] x86/mm: Reject invalid cacheability in PV guests by default
On 20.12.2022 02:07, Demi Marie Obenour wrote: > --- a/xen/arch/x86/mm.c > +++ b/xen/arch/x86/mm.c > @@ -145,6 +145,8 @@ > > #ifdef CONFIG_PV > #include "pv/mm.h" > +bool allow_invalid_cacheability; static and __ro_after_init please (the former not the least with Misra in mind). > +boolean_param("allow_invalid_cacheability", allow_invalid_cacheability); > #endif Any new command line option will need to come with an entry in docs/misc/xen-command-line.pandoc. Furthermore we're trying to avoid underscores in command line option names, when dashes serve the purpose quite fine. Also please add a blank line at least between #include and your addition. Personally I would find it more natural if such a single-use control was defined next to the place it is used, i.e. > @@ -1343,7 +1345,33 @@ static int promote_l1_table(struct page_info *page) > } > else > { ... here. > -switch ( ret = get_page_from_l1e(pl1e[i], d, d) ) > +l1_pgentry_t l1e = pl1e[i]; > + > +if ( !allow_invalid_cacheability ) > +{ > +switch ( l1e.l1 & PAGE_CACHE_ATTRS ) > +{ > +case _PAGE_WB: > +case _PAGE_UC: > +case _PAGE_UCM: > +case _PAGE_WC: > +case _PAGE_WT: > +case _PAGE_WP: > +break; > +default: Nit (style): Blank line please between non-fall-through case blocks. > +/* > + * If we get here, a PV guest tried to use one of the > + * reserved values in Xen's PAT. This indicates a bug in > + * the guest, so inject #GP to cause the guest to log a > + * stack trace. > + */ And likely make it die. Which, yes, ... > +pv_inject_hw_exception(TRAP_gp_fault, 0); > +ret = -EINVAL; ... also may or may not be the result of returning failure here (if the guest "checks" for errors by using a BUG()-like construct), but that's then more of its own fault than not coping with a non-architectural #GP. Also wasn't there talk of having this behavior in debug hypervisors only? Without that restriction I'm yet less happy with the change ... Jan
[xen-4.16-testing test] 175442: trouble: broken/fail/pass
flight 175442 xen-4.16-testing real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175442/

Failures and problems with tests :-(

Tests which did not succeed and are blocking, including tests which could not be run:
 test-amd64-i386-xl-qemut-debianhvm-i386-xsm broken
 test-amd64-i386-xl-qemut-debianhvm-i386-xsm 5 host-install(5) broken REGR. vs. 175155
 test-amd64-i386-xl-xsm broken in 175427
 test-amd64-i386-freebsd10-amd64 broken in 175427
 test-amd64-i386-xl-qemut-stubdom-debianhvm-amd64-xsm broken in 175427
 test-amd64-i386-xl-qemuu-ovmf-amd64 broken in 175427
 test-amd64-i386-xl-vhd broken in 175427

Tests which are failing intermittently (not blocking):
 test-amd64-i386-xl-vhd 5 host-install(5) broken in 175427 pass in 175442
 test-amd64-i386-xl-qemut-stubdom-debianhvm-amd64-xsm 5 host-install(5) broken in 175427 pass in 175442
 test-amd64-i386-xl-xsm 5 host-install(5) broken in 175427 pass in 175442
 test-amd64-i386-freebsd10-amd64 5 host-install(5) broken in 175427 pass in 175442
 test-amd64-i386-xl-qemuu-ovmf-amd64 5 host-install(5) broken in 175427 pass in 175442
 test-amd64-i386-livepatch 7 xen-install fail in 175427 pass in 175442
 test-amd64-amd64-xl-qemuu-debianhvm-i386-xsm 12 debian-hvm-install fail pass in 175427
 test-arm64-arm64-libvirt-raw 12 debian-di-install fail pass in 175427

Tests which did not succeed, but are not blocking:
 test-arm64-arm64-libvirt-raw 14 migrate-support-check fail in 175427 never pass
 test-arm64-arm64-libvirt-raw 15 saverestore-support-check fail in 175427 never pass
 test-amd64-amd64-xl-qemut-win7-amd64 19 guest-stop fail like 175155
 test-amd64-amd64-xl-qemuu-win7-amd64 19 guest-stop fail like 175155
 test-armhf-armhf-libvirt 16 saverestore-support-check fail like 175155
 test-amd64-amd64-xl-qemuu-ws16-amd64 19 guest-stop fail like 175155
 test-amd64-amd64-qemuu-nested-amd 20 debian-hvm-install/l1/l2 fail like 175155
 test-armhf-armhf-libvirt-qcow2 15 saverestore-support-check fail like 175155
 test-armhf-armhf-libvirt-raw 15 saverestore-support-check fail like 175155
 test-amd64-i386-xl-qemut-win7-amd64 19 guest-stop fail like 175155
 test-amd64-i386-xl-qemuu-win7-amd64 19 guest-stop fail like 175155
 test-amd64-i386-xl-qemuu-ws16-amd64 19 guest-stop fail like 175155
 test-amd64-i386-xl-qemut-ws16-amd64 19 guest-stop fail like 175155
 test-amd64-amd64-xl-qemut-ws16-amd64 19 guest-stop fail like 175155
 test-amd64-i386-xl-pvshim 14 guest-start fail never pass
 test-arm64-arm64-xl-seattle 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-seattle 16 saverestore-support-check fail never pass
 test-amd64-amd64-libvirt-xsm 15 migrate-support-check fail never pass
 test-amd64-i386-libvirt 15 migrate-support-check fail never pass
 test-amd64-amd64-libvirt 15 migrate-support-check fail never pass
 test-amd64-i386-libvirt-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-libvirt-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-libvirt-xsm 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-xsm 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-xsm 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-thunderx 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-thunderx 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-credit1 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit1 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl-credit2 15 migrate-support-check fail never pass
 test-arm64-arm64-xl-credit2 16 saverestore-support-check fail never pass
 test-arm64-arm64-xl 15 migrate-support-check fail never pass
 test-arm64-arm64-xl 16 saverestore-support-check fail never pass
 test-amd64-amd64-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm 13 migrate-support-check fail never pass
 test-armhf-armhf-xl-arndale 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-arndale 16 saverestore-support-check fail never pass
 test-amd64-i386-libvirt-raw 14 migrate-support-check fail never pass
 test-amd64-amd64-libvirt-vhd 14 migrate-support-check fail never pass
 test-armhf-armhf-xl-multivcpu 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-multivcpu 16 saverestore-support-check fail never pass
 test-armhf-armhf-xl-credit1 15 migrate-support-check fail never pass
 test-armhf-armhf-xl-credit1 16 saverestore-support-check fail never pass
Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes
On 20.12.2022 02:07, Demi Marie Obenour wrote: > It may be desirable to change Xen's PAT for various reasons. This > requires changes to several _PAGE_* macros as well. Add static > assertions to check that XEN_MSR_PAT is consistent with the _PAGE_* > macros, and that _PAGE_WB is 0 as required by Linux. In line with the code comment, perhaps add "(not just)"? > --- a/xen/arch/x86/mm.c > +++ b/xen/arch/x86/mm.c > @@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void) > return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1; > } > > + > +/* > + * A bunch of static assertions to check that the XEN_MSR_PAT is valid > + * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero. > + */ > static void __init __maybe_unused build_assertions(void) > { > /* > @@ -6361,6 +6366,72 @@ static void __init __maybe_unused > build_assertions(void) > * using different PATs will not work. > */ > BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL); > + > +/* > + * _PAGE_WB must be zero for several reasons, not least because Linux > + * assumes it. > + */ > +BUILD_BUG_ON(_PAGE_WB); Strictly speaking this is a requirement only for PV guests. We may not want to go as far as putting "#ifdef CONFIG_PV" around it, but at least the code comment (and then also the part of the description referring to this) will imo want to say so. > +/* A macro to convert from cache attributes to actual cacheability */ > +#define PAT_ENTRY(v) (0xFF & (XEN_MSR_PAT >> (8 * (v)))) I don't think the comment is appropriate here. All you do is extract a slot from the hard-coded PAT value we use. > +/* Validate at compile-time that v is a valid value for a PAT entry */ > +#define CHECK_PAT_ENTRY_VALUE(v) > \ > +BUILD_BUG_ON((v) < 0 || (v) > 7 || > \ PAT_ENTRY() won't produce negative values, so I don't think "(v) < 0" is really needed here. And the "(v) > 7" will imo want replacing by "(v) >= X86_NUM_MT".
> + (v) == X86_MT_RSVD_2 || (v) == X86_MT_RSVD_3) > + > +/* Validate at compile-time that PAT entry v is valid */ > +#define CHECK_PAT_ENTRY(v) do { > \ > +BUILD_BUG_ON((v) < 0 || (v) > 7); > \ I think this would better be part of PAT_ENTRY(), as the validity of the shift there depends on it. If this check is needed in the first place, seeing that the macro is #undef-ed right after use below, and hence the checks only cover the eight invocations of the macro right here. > +CHECK_PAT_ENTRY_VALUE(PAT_ENTRY(v)); > \ > +} while (0); Nit (style): Missing blanks around 0 and perhaps better nowadays to use "false" in such constructs. (Because of other comments this may go away here anyway, but there's another similar instance below). > +/* > + * If one of these trips, the corresponding entry in XEN_MSR_PAT is > invalid. > + * This would cause Xen to crash (with #GP) at startup. > + */ > +CHECK_PAT_ENTRY(0); > +CHECK_PAT_ENTRY(1); > +CHECK_PAT_ENTRY(2); > +CHECK_PAT_ENTRY(3); > +CHECK_PAT_ENTRY(4); > +CHECK_PAT_ENTRY(5); > +CHECK_PAT_ENTRY(6); > +CHECK_PAT_ENTRY(7); > + > +#undef CHECK_PAT_ENTRY > +#undef CHECK_PAT_ENTRY_VALUE > + > +/* Macro version of page_flags_to_cacheattr(), for use in > BUILD_BUG_ON()s */ DYM pte_flags_to_cacheattr()? At which point the macro name wants to match and its parameter may also better be named "pte_value"? > +#define PAGE_FLAGS_TO_CACHEATTR(page_value) > \ > +((((page_value) >> 5) & 4) | (((page_value) >> 3) & 3)) Hmm, yet more uses of magic literal numbers. > +/* Check that a PAT-related _PAGE_* macro is correct */ > +#define CHECK_PAGE_VALUE(page_value) do { > \ > +/* Check that the _PAGE_* macros only use bits from PAGE_CACHE_ATTRS */ > \ > +BUILD_BUG_ON(((_PAGE_##page_value) & PAGE_CACHE_ATTRS) != > \ > + (_PAGE_##page_value)); > \ Nit (style): One too many blanks used for indentation.
> +/* Check that the _PAGE_* are consistent with XEN_MSR_PAT */ > \ > +BUILD_BUG_ON(PAT_ENTRY(PAGE_FLAGS_TO_CACHEATTR(_PAGE_##page_value)) != > \ > + (X86_MT_##page_value)); > \ Nit (style): Nowadays we tend to consider ## a binary operator just like e.g. +, and hence it wants to be surrounded by blanks. > +} while (0) > + > +/* > + * If one of these trips, the corresponding _PAGE_* macro is inconsistent > + * with XEN_MSR_PAT. This would cause Xen to use incorrect cacheability > + * flags, with results that are undefined and probably harmful. Why "undefined"? They may be wrong / broken,
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
Hi Stefano,

On 22/12/2022 00:53, Stefano Stabellini wrote:
On Tue, 20 Dec 2022, Demi Marie Obenour wrote:
On Tue, Dec 20, 2022 at 10:17:24PM +, Smith, Jackson wrote:
Hi Stefano,
On 16/12/2022 01:46, Stefano Stabellini wrote:
On Thu, 15 Dec 2022, Julien Grall wrote:
On 13/12/2022 19:48, Smith, Jackson wrote:

Yes, we are familiar with the "secret-free hypervisor" work. As you
point out, both our work and the secret-free hypervisor remove the
directmap region to mitigate the risk of leaking sensitive guest
secrets. However, our work is slightly different because it
additionally prevents attackers from tricking Xen into remapping a
guest.

I understand your goal, but I don't think this is achieved (see above).
You would need an entity to prevent write to TTBR0_EL2 in order to
fully protect it.

Without a way to stop Xen from reading/writing TTBR0_EL2, we cannot
claim that the guest's secrets are 100% safe. But the attacker would
have to follow the sequence you outlined above to change Xen's
pagetables and remap guest memory before accessing it. It is an
additional obstacle for attackers that want to steal other guests'
secrets. The size of the code that the attacker would need to inject in
Xen would need to be bigger and more complex.

Right, that's why I wrote "with a bit more work". However, the nuance
you mention doesn't seem to be present in the cover letter: "This
creates what we call "Software Enclaves", ensuring that an adversary
with arbitrary code execution in the hypervisor STILL cannot read/write
guest memory."

So if the end goal is really to protect against *all* sorts of
arbitrary code, then I think we should have a rough idea how this will
look in Xen. From a brief look, it doesn't look like it would be
possible to prevent modification to TTBR0_EL2 (even from EL3). We would
need to investigate if there are other bits in the architecture to help
us.

Every little helps :-) I can see how making the life of the attacker
more difficult is appealing.
Yet, the goal needs to be clarified and the risk with the approach
acknowledged (see above).

You're right, we should have mentioned this weakness in our first
email. Sorry about the oversight! This is definitely still a limitation
that we have not yet overcome. However, we do think that the increase
in attacker workload that you and Stefano are discussing could still be
valuable to security conscious Xen users.

It would be nice to find additional architecture features that we can
use to close this hole on arm, but there aren't any that stand out to
me either.

With this limitation in mind, what are the next steps we should take to
support this feature for the Xen community? Is this increase in
attacker workload meaningful enough to justify the inclusion of VMF in
Xen?

Personally, I don't think so. The kinds of workloads VMF is usable for
(no hypercalls) are likely easily portable to other hypervisors,
including formally verified microkernels such as seL4 that provide...

What other hypervisors might or might not do should not be a factor in
this discussion and it would be best to leave it aside.

To be honest, Demi has a point. At the moment, VMF is a very niche
use-case (see more below). So you would end up using less than 10% of
the normal Xen on Arm code. A lot of people will likely wonder why use
Xen in this case?

From an AMD/Xilinx point of view, most of our customers using Xen in
production today don't use any hypercalls in one or more of their VMs.

This suggests a mix of guests are running (some using hypercalls and
others not). It would not be possible if you were using VMF.

Xen is great for these use-cases and it is rather common in embedded.
It is certainly a different configuration from what most have come to
expect from Xen on the server/desktop x86 side. There is no question
that guests without hypercalls are important for Xen on ARM.
> As a Xen community we have a long history and strong interest in
> making Xen more secure and also, more recently, safer (in the ISO
> 26262 safety-certification sense). The VMF work is very well aligned
> with both of these efforts and any additional burden to attackers is
> certainly good for Xen.

I agree that we have a strong focus on making Xen more secure. However,
we also need to look at the use cases for it. As it stands, there will
be no:

- IOREQ use (don't think about emulating TPM)
- GICv3 ITS
- stage-1 SMMUv3
- decoding of instructions when there is no syndrome
- hypercalls (including event channels)
- dom0

That's a lot of Xen features that can't be used. Effectively you will
make Xen more "secure" for a very few users.

Now the question is what changes are necessary and how to make them to
the codebase. And if it turns out that some of the changes are not
applicable or too complex to accept, the decision will be made purely
from a code maintenance point of view and will have nothing to do with
VMs making no hypercalls being
[ovmf test] 175452: all pass - PUSHED
flight 175452 ovmf real [real]
http://logs.test-lab.xenproject.org/osstest/logs/175452/

Perfect :-)
All tests in this flight passed as required

version targeted for testing:
 ovmf                 ec87305f90d90096aac2a4d91e3f6556e2ecd6b9
baseline version:
 ovmf                 129404f6e4395008ac0045e7e627edbba2a1e064

Last test of basis   175448  2022-12-22 01:42:28 Z  0 days
Testing same since   175452  2022-12-22 07:10:57 Z  0 days  1 attempts

People who touched revisions under test:
  KasimX Liu

jobs:
 build-amd64-xsm                                      pass
 build-i386-xsm                                       pass
 build-amd64                                          pass
 build-i386                                           pass
 build-amd64-libvirt                                  pass
 build-i386-libvirt                                   pass
 build-amd64-pvops                                    pass
 build-i386-pvops                                     pass
 test-amd64-amd64-xl-qemuu-ovmf-amd64                 pass
 test-amd64-i386-xl-qemuu-ovmf-amd64                  pass

sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
 http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports, and of osstest in general, is at
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master
 http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master

Test harness code can be found at
 http://xenbits.xen.org/gitweb?p=osstest.git;a=summary

Pushing revision:

To xenbits.xen.org:/home/xen/git/osstest/ovmf.git
   129404f6e4..ec87305f90  ec87305f90d90096aac2a4d91e3f6556e2ecd6b9 -> xen-tested-master
Re: [RFC PATCH 01/18] arm: cppcheck: misra rule 20.7 deviations for alternative.h
On 22.12.2022 03:01, Stefano Stabellini wrote:
> What do you guys think? Nice automatic 20.7 scans for all patches and
> for staging, but with the undesirable false-positive comments, or
> no-20.7 scans but no comments in the tree?

Anything automatic which then also bugs submitters about issues should
have as few false positives as possible. Otherwise people may quickly
get into the habit of ignoring such reports.

Jan
Re: [PATCH 0/6] enforce use of G_GNUC_PRINTF annotations
Queued, thanks. Paolo
Re: [Intel-gfx] [cache coherency bug] i915 and PAT attributes
On Fri, Dec 16, 2022 at 03:30:13PM +, Andrew Cooper wrote:
> On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > Hi,
> >
> > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > with "modesetting" driver.
> >
> > After some iterations of debugging, we narrowed it down to i915 handling
> > caching. The main difference is that PAT is set up differently on Xen PV
> > than on native Linux. Normally, Linux does have appropriate abstraction
> > for that, but apparently something related to i915 doesn't play well
> > with it. The specific difference is:
> > native linux:
> > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > xen pv:
> > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> >                                  ~~       ~~    ~~ ~~
> >
> > The specific impact depends on kernel version and the hardware. The most
> > severe issues I see on >=ADL, but some older hardware is affected too -
> > sometimes only if composition is disabled in the window manager.
> > Some more information is collected at
> > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > duplicates...).
> >
> > Kind-of related commit is here:
> > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > there too.
> >
> > Any ideas?
> >
> > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > Linux:
> > -8<-
> > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > index 66a209f7eb86..319ab60c8d8c 100644
> > --- a/arch/x86/mm/pat/memtype.c
> > +++ b/arch/x86/mm/pat/memtype.c
> > @@ -400,8 +400,8 @@ void pat_init(void)
> >               * The reserved slots are unused, but mapped to their
> >               * corresponding types in the presence of PAT errata.
> >               */
> > -            pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > -                  PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > +            pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > +                  PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> >      }
> >
> >      if (!pat_bp_initialized) {
> > -8<-
> >
> > Hello, can anyone help please?
>
> Intel's CI has taken this reproducer of the bug, and confirmed the
> regression.
> https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
>
> We're reasonably confident that it is an i915 bug (given the repro with
> no Xen in the mix), but we're out of any further ideas.

I don't think we have any code that assumes anything about the PAT,
apart from WC being available (which seems like it should still be the
case with your modified PAT). I suppose you'll just have to start
digging from pgprot_writecombine()/noncached() and make sure everything
ends up using the correct PAT entry.

-- 
Ville Syrjälä
Intel
Re: [PATCH 6/8] x86/shadow: adjust and move sh_type_to_size[]
On 21.12.2022 19:58, Andrew Cooper wrote:
> On 21/12/2022 1:27 pm, Jan Beulich wrote:
>> Drop the SH_type_none entry - there are no allocation attempts with
>> this type, and there also shouldn't be any. Adjust the shadow_size()
>> alternative path to match that change. Also generalize two related
>> assertions.
>>
>> While there move the entire table and the respective part of the comment
>> there to hvm.c, resulting in one less #ifdef. In the course of the
>> movement switch to using designated initializers.
>>
>> Signed-off-by: Jan Beulich
>
> Reviewed-by: Andrew Cooper , although ...

Thanks.

>> --- a/xen/arch/x86/mm/shadow/hvm.c
>> +++ b/xen/arch/x86/mm/shadow/hvm.c
>> @@ -33,6 +33,37 @@
>>
>>  #include "private.h"
>>
>> +/*
>> + * This table shows the allocation behaviour of the different modes:
>> + *
>> + * Xen paging      64b  64b  64b
>> + * Guest paging    32b  pae  64b
>> + * PV or HVM       HVM  HVM   *
>> + * Shadow paging   pae  pae  64b
>> + *
>> + * sl1 size         8k   4k   4k
>> + * sl2 size        16k   4k   4k
>> + * sl3 size          -    -   4k
>> + * sl4 size          -    -   4k
>> + */
>> +const uint8_t sh_type_to_size[] = {
>> +    [SH_type_l1_32_shadow]   = 2,
>> +    [SH_type_fl1_32_shadow]  = 2,
>> +    [SH_type_l2_32_shadow]   = 4,
>> +    [SH_type_l1_pae_shadow]  = 1,
>> +    [SH_type_fl1_pae_shadow] = 1,
>> +    [SH_type_l2_pae_shadow]  = 1,
>> +    [SH_type_l1_64_shadow]   = 1,
>> +    [SH_type_fl1_64_shadow]  = 1,
>> +    [SH_type_l2_64_shadow]   = 1,
>> +    [SH_type_l2h_64_shadow]  = 1,
>> +    [SH_type_l3_64_shadow]   = 1,
>> +    [SH_type_l4_64_shadow]   = 1,
>> +    [SH_type_p2m_table]      = 1,
>> +    [SH_type_monitor_table]  = 1,
>> +    [SH_type_oos_snapshot]   = 1,

... this feels like it's wanting to turn into a (1 + ...) expression. I
can't see anything that prevents us from reordering the SH_type
constants, but

    1 + (idx == 1 /* l1 */ || idx == /* fl1 */) + 2 * (idx == 3 /* l2 */);

doesn't obviously simplify further.
But that would then undermine the cases where the function returns 0, which the two (generalized in this change) assertions actually check for not having got back. This would also become relevant for the l2h slot, which - if not right here (see the respective remark) - will become zero in a subsequent patch when !PV32. Jan
Re: [PATCH 3/8] x86/paging: move update_paging_modes() hook
On 21.12.2022 18:43, Andrew Cooper wrote:
> On 21/12/2022 1:25 pm, Jan Beulich wrote:
>> The hook isn't mode dependent, hence it's misplaced in struct
>> paging_mode. (Or alternatively I see no reason why the alloc_page() and
>> free_page() hooks don't also live there.) Move it to struct
>> paging_domain.
>>
>> While there rename the hook and HAP's as well as shadow's hook functions
>> to use singular; I never understood why plural was used. (Renaming in
>> particular the wrapper would be touching quite a lot of other code.)
>
> There are always two modes; Xen's, and the guest's.
>
> This was probably more visible back in the 32-bit days, but remnants of
> it are still around with the fact that struct vcpu needs to be below the
> 4G boundary for the PDPTRs for when the guest isn't in Long Mode.
>
> HAP also hides it fairly well given the uniformity of EPT/NPT (and
> always 4 levels in a 64-bit Xen), but I suspect it will become more
> visible again when we start supporting LA57.

So does this boil down to a request to undo the rename? Or undo it just
for shadow code (as the HAP function really does only one thing)?

As to LA57, I'm not convinced it'll become more visible again then, but
of course without actually doing that work it's all hand-waving anyway.

>> --- a/xen/arch/x86/mm/shadow/none.c
>> +++ b/xen/arch/x86/mm/shadow/none.c
>> @@ -27,6 +32,9 @@ int shadow_domain_init(struct domain *d)
>>      };
>>
>>      paging_log_dirty_init(d, _none_ops);
>> +
>> +    d->arch.paging.update_paging_mode = _update_paging_mode;
>> +
>>      return is_hvm_domain(d) ? -EOPNOTSUPP : 0;
>
> I know you haven't changed the logic here, but this hook looks broken.
> Why do we fail it right at the end for HVM domains?

It's been a long time, but I guess my thinking back then was that it's
better to put in place pointers which other code may rely on being
non-NULL.

Jan