arch/x86: use XSM hooks for get_pg_owner access checks

There are three callers of get_pg_owner: * do_mmuext_op, which does not have XSM hooks on all subfunctions * do_mmu_update, which has hooks that are inefficient * do_update_va_mapping_otherdomain, which has a simple XSM hook In order to preserve return values for the do_mmuext_op hypercall, an additional XSM hook is required to check the operation even for those subfunctions that do not use the pg_owner field. This also covers the MMUEXT_UNPIN_TABLE operation which did previously have an XSM hook. The XSM hooks in do_mmu_update were capable of replacing the checks in get_pg_owner; however, the hooks are buried in the inner loop of the function - not very good for performance when XSM is enabled and these turn in to indirect function calls. This patch removes the PTE from the hooks and replaces it with a bitfield describing what accesses are being requested. The XSM hook can then be called only when additional bits are set instead of once per iteration of the loop. This patch results in a change in the FLASK permissions used for mapping an MMIO page: the target for the permisison check on the memory mapping is no longer resolved to the device-specific type, and is instead either the domain's own type or domio_t (depending on if the domain uses DOMID_SELF or DOMID_IO in the map command). Device-specific access is still controlled via the "resource use" permisison checked at domain creation (or device hotplug). Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Committed-by: Keir Fraser <keir@xen.org>
author: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2013-01-11 10:39:58 +0000
committer: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2013-01-11 10:39:58 +0000
commit: aaba7a677dfc5e42aa4064565948cb2632f83dd5 (patch)
tree: 7bbde147754b565d210197065dee9010148aed28 /xen/arch/x86/mm.c
parent: 79cd41ecce31b91f0456b57ca1b3cdacde405388 (diff)
download: xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.tar.gz
xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.tar.bz2
xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.zip
1 files changed, 31 insertions, 22 deletions
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index c8e39c0a87..19117e24c3 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2605,11 +2605,6 @@ static struct domain *get_pg_owner(domid_t domid)
         pg_owner = rcu_lock_domain(dom_io);
         break;
     case DOMID_XEN:
-        if ( !IS_PRIV(curr) )
-        {
-            MEM_LOG("Cannot set foreign dom");
-            break;
-        }
         pg_owner = rcu_lock_domain(dom_xen);
         break;
     default:
@@ -2618,12 +2613,6 @@ static struct domain *get_pg_owner(domid_t domid)
             MEM_LOG("Unknown domain '%u'", domid);
             break;
         }
-        if ( !IS_PRIV_FOR(curr, pg_owner) )
-        {
-            MEM_LOG("Cannot set foreign dom");
-            rcu_unlock_domain(pg_owner);
-            pg_owner = NULL;
-        }
         break;
     }
 
@@ -2711,6 +2700,13 @@ long do_mmuext_op(
         goto out;
     }
 
+    rc = xsm_mmuext_op(d, pg_owner);
+    if ( rc )
+    {
+        rcu_unlock_domain(pg_owner);
+        goto out;
+    }
+
     for ( i = 0; i < count; i++ )
     {
         if ( hypercall_preempt_check() )
@@ -3153,6 +3149,8 @@ long do_mmu_update(
     struct vcpu *v = current;
     struct domain *d = v->domain, *pt_owner = d, *pg_owner;
     struct domain_mmap_cache mapcache;
+    uint32_t xsm_needed = 0;
+    uint32_t xsm_checked = 0;
 
     if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
     {
@@ -3184,11 +3182,6 @@ long do_mmu_update(
             rc = -EINVAL;
             goto out;
         }
-        if ( !IS_PRIV_FOR(d, pt_owner) )
-        {
-            rc = -ESRCH;
-            goto out;
-        }
     }
 
     if ( (pg_owner = get_pg_owner((uint16_t)foreigndom)) == NULL )
@@ -3228,9 +3221,20 @@ long do_mmu_update(
         {
             p2m_type_t p2mt;
 
-            rc = xsm_mmu_normal_update(d, pt_owner, pg_owner, req.val);
-            if ( rc )
-                break;
+            xsm_needed |= XSM_MMU_NORMAL_UPDATE;
+            if ( get_pte_flags(req.val) & _PAGE_PRESENT )
+            {
+                xsm_needed |= XSM_MMU_UPDATE_READ;
+                if ( get_pte_flags(req.val) & _PAGE_RW )
+                    xsm_needed |= XSM_MMU_UPDATE_WRITE;
+            }
+            if ( xsm_needed != xsm_checked )
+            {
+                rc = xsm_mmu_update(d, pt_owner, pg_owner, xsm_needed);
+                if ( rc )
+                    break;
+                xsm_checked = xsm_needed;
+            }
             rc = -EINVAL;
 
             req.ptr -= cmd;
@@ -3342,9 +3346,14 @@ long do_mmu_update(
             mfn = req.ptr >> PAGE_SHIFT;
             gpfn = req.val;
 
-            rc = xsm_mmu_machphys_update(d, pg_owner, mfn);
-            if ( rc )
-                break;
+            xsm_needed |= XSM_MMU_MACHPHYS_UPDATE;
+            if ( xsm_needed != xsm_checked )
+            {
+                rc = xsm_mmu_update(d, NULL, pg_owner, xsm_needed);
+                if ( rc )
+                    break;
+                xsm_checked = xsm_needed;
+            }
 
             if ( unlikely(!get_page_from_pagenr(mfn, pg_owner)) )
             {
author	Daniel De Graaf <dgdegra@tycho.nsa.gov>	2013-01-11 10:39:58 +0000
committer	Daniel De Graaf <dgdegra@tycho.nsa.gov>	2013-01-11 10:39:58 +0000
commit	aaba7a677dfc5e42aa4064565948cb2632f83dd5 (patch)
tree	7bbde147754b565d210197065dee9010148aed28 /xen/arch/x86/mm.c
parent	79cd41ecce31b91f0456b57ca1b3cdacde405388 (diff)
download	xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.tar.gz xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.tar.bz2 xen-aaba7a677dfc5e42aa4064565948cb2632f83dd5.zip