GitLab

- Xenstore transactions are communicated via string messages.
- Clients ask for permissions on particular nodes.
- With capabilities, we'll need to convert capabilities to permission
  strings that clients expect.

It primarily includes changes to xenstore client and xenstore deamon.
I'll continue to make changes. Not everything is patched yet.

- Guest Domains now need capabilities to boot.
- cap_check is enforced.
- checkpoint for Demo.

Changes include -

1) xl recognizes setcap command for capabilities.
2) Domain0 has all the capabilities now.
3) New domain is granted capabilities from domain 0.

- Debugging printk since boot fails.
- Xen properly builds now. Still need to see why boot fails.

* There are no separate capability spaces. Atleast for now we think we don't need them.
* There is a capability space per domain. It makes it easier to manage capabilities this way.
* We have a CAP_BOOT_INFO page that is guarded by hypervisor and is shared with only privileged domains.
* CAP_BOOT_INFO has capabilities for all the resources known to the hypervisor at boot time. It is populated
  once during boot time. And is made read-only.
* Dom0 initially inherits all the capabilities when it boots for now. We'll change this behavior later.
* We expose only 3 hypercalls - cap_create, cap_grant and cap_check.
* cap_create will make it easier for applications to create capabilities for their purpose. They have to manage these capabilities.
* cap_grant will grant capabilities from one domain to another.
* cap_check will simply check if the domain has the given capability.
* Right now, only hypercall capabilities have been populated. We'll populate more later.

- Initially we want to pass a cap_flag which is on/off.
- And a cap_hypercalls to limit hypercalls.
- Still exploring the right interfaces.

- Made changes to capability identifies.

Add a trace record for every hypercall inside a multicall.  These use
a new event ID (with a different sub-class ) so they may be filtered
out if only the calls into hypervisor are of interest.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

Trace hypercalls using a more useful trace record format.

The EIP field is removed (it was always somewhere in the hypercall
page) and include selected hypercall arguments (e.g., the number of
calls in a multicall, and the number of PTE updates in an mmu_update
etc.).  12 bits in the first extra word are used to indicate which
arguments are present in the record and what size they are (32 or
64-bit).

This is an incompatible record format so a new event ID is used so
tools can distinguish between the two formats.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

We want to add additional sub-classes for TRC_PV tracepoints and to be
able to only capture these new sub-classes.  This cannot currently be
done as the existing tracepoints all use a sub-class of 0xf.

So, redefine the PV events to use a new sub-class.  All the current
tracepoints are tracing entry points to the hypervisor so the
sub-class is named TRC_PV_ENTRY.

This change does not affect xenalyze as that only looks at the main
class and the event number and does not use the sub-class field.
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

 - Basic skeleton code works at this point.

- Now make is happy but the test application cannot get xc_handle.

Currently it is assumed PCI device BAR access < 4G memory. If there is
such a device whose BAR size is larger than 4G, it must access > 4G
memory address.  This patch enable the 64bits big BAR support on
hvmloader.
Signed-off-by: Xiantao Zhang <xiantao.zhang@intel.com>
Signed-off-by: Xudong Hao <xudong.hao@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

This is based upon my inspection of a system with a single PV domain
and a single HVM domain running and is therefore very incomplete.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

- Added a test code to test the changes.
- This skeleton code is to understand the control flow in xen.
- At this point, I'm troubled by make errors.
- Need to fix make errors still.

Intel latest SDM (17.13.3) release a new MSR CPUID.7.0.EBX[1]=1
indicates TSC_ADJUST MSR 0x3b is supported.

This patch expose it to hvm guest.
Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

This patch provides vMCE save/restore when migration.
1. MCG_CAP is well-defined. However, considering future cap extension,
   we keep save/restore logic that Jan implement at c/s 24887;
2. MCi_CTL2 initialized by guestos when booting, so need save/restore
   otherwise guest would surprise;
3. Other MSRs do not need save/restore since they are either error-
   related and pointless to save/restore, or, unified among all vMCE
   platform;
Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>

- fix handling of partial data in XEN_DOMCTL_set_ext_vcpucontext
- fix adjustment of xen_domctl_ext_vcpucontext
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

We mostly did this as we went along, only a couple of minor number
bumps were missed http://marc.info/?l=xen-devel&m=134366054929255&w=2:
 - Bumped libxl from 1.0.0 -> 1.0.1
 - Bumped libxenstore from 3.0.1 -> 3.0.2
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

The MUST macro calls exit(3) on failure but we need to cleanup and
resume.
Signed-off-by: Bastian Blank <waldi@debian.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

If a bootloader entry in menu.lst has no additional kernel command line
options listed and the domU.cfg has 'bootargs="--args=something"' the
additional arguments from the config file are not passed to the kernel.
The reason for that incorrect behaviour is that run_grub appends arg
only if the parsed config file has arguments listed.

Fix this by appending args from image section and the config file separatly.
To avoid adding to a NoneType initialize grubcfg['args'] to an empty string.
This does not change behaviour but simplifies the code which appends the
string.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

This adds the ability to change a domain's XSM label after creation.
The new label will be used for all future access checks; however,
existing event channels and memory mappings will remain valid even if
their creation would be denied by the new label.

With appropriate security policy and hooks in the domain builder, this
can be used to create domains that the domain builder does not have
access to after building. It can also be used to allow a domain to
drop privileges - for example, prior to launching a user-supplied
kernel loaded by a pv-grub stubdom.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

This field was only used to populate the ssid of dom0, which can be
handled explicitly in the domain creation hook. This also removes the
unnecessary permission check on the creation of dom0.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

The ability to declare common permission blocks shared across multiple
classes is not currently used in Xen. Currently, support for this
feature is broken in the header generation scripts, and it is not
expected that this feature will be used in the future, so remove the
dead code.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Redefine usage of pthread_cleanup_push and _pop, to explicitly call free for
heap objects in error paths.

By the way, set a suitable errno value for an error path that had none.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Lots of functions loop over a list of domain and others take a domid as
a parameter, shadowing the global one and leading to all sorts of
confusion.

Therefore remove the global domid and explicitly pass it around as
necessary.

Adds a domid to the parameters for many functions and switches many
others from taking a char * domain specifier to taking a domid, pushing
the domid lookup to the toplevel.

Replaces some open-coded domain_qualifier_to_domid error checking with
find_domain.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
[ ijc -- annotate find_domain() with warn_unused_result and fix the
         handful of errors. ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Takes care of everything other than the global domid clashes.

Avoid galobal functions
  - stime(2)
  - time(2)
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

It was convenient to invent $(CFLAGS_LIBXL) to do this.

Various renamings to avoid shadowing standard functions:
  - index(3)
  - listen(2)
  - link(2)
  - abort(3)
  - abs(3)

Reduced the scope of some variables to avoid conflicts.

Change to libxc is due to the nested hypercall buf macros in
set_xen_guest_handle (used in libxl) using the same local private vars.

Build tested only.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

xl frequently just calls exit(3), especially on error. Try to clean
up some of our global state to make tools like valgrind more useful.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Specifically, what values are or aren't accepted as CPU identifier, and
how the values get interpreted should be consistent across sub-commands
(intended behavior now: non-negative values are okay, and along with
omitting the argument, specifying "all" will also be accepted).

For error handling, error messages should get consistently issued to
stderr, and the tool should now (hopefully) produce an exit code of
zero only in the (partial) success case (there may still be a small
number of questionable cases).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

These fields need to be valid at all times. Hypervisor ensures this
even across 32/64-bit guest transitions.

This fixes a bug where wallclock time is incorrect for booting 32-bit
HVM guests.

This should be backported to Xen 4.1 and 4.2.
Signed-off-by: Keir Fraser <keir@xen.org>
Tested-and-Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>