| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The emacs variable to set the C style from a local variable block is
c-file-style, not c-set-style.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
| |
Performance is not an issue with printk(), so let the function do
minimally more work and instead save a byte per affected format
specifier.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
| |
From: Wei, Gang <gang.wei@intel.com>
tboot may be trying to put APs waiting in MWAIT loops before launching
Xen. Xen could check the new flag field in v6 tboot shared page for the
hint. If TB_FLAG_AP_WAKE_SUPPORT bit in flag field is set, Xen BSP has
to write the monitored memory (g_tboot_shared->ap_wake_trigger) to bring
APs out of MWAIT loops. The sipi vector should be written in
g_tboot_shared->ap_wake_addr before waking up APs.
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
Signed-off-by: Shane Wang <shane.wang@intel.com>
Signed-off-by: Gang Wei <gang.wei@intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
| |
Signed-off-by: Gang Wei <gang.wei@intel.com>
Acked-by: Joseph Cihula <joseph.cihula@intel.com>
Committed-by: Keir Fraser <keir@xen.org>
| |
The former is the runtime equivalent of NR_CPUS (and users of NR_CPUS,
where necessary, get adjusted accordingly), while the latter is for the
sole use of determining the allocation size when dynamically allocating
CPU masks (done later in this series).
Adjust accessors to use either of the two to bound their bitmap
operations - which one gets used depends on whether accessing the bits
in the gap between nr_cpu_ids and nr_cpumask_bits is benign but more
efficient.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
| |
With tboot_s3_resume() running before console_resume(), the error
messages so far printed by it are mostly guaranteed to go into
nirvana. Latch MACs into a static variable instead, and issue the
messages right before calling panic().
Signed-off-by: Jan Beulich <jbeulich@suse.com>
| |
This patch moves some more, mostly data, extern declarations into
header files. I haven't been as strict as I was with functions;
in particular there are a number of declarations of assembler labels
that are only used in one place. I've also left a few compat-mode
tricks, and all the magic in symbols.c.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
| |
Signed-off-by: Keir Fraser <keir@xen.org>
| |
This also includes the removal of some entirely unused functions.
The patch builds upon the makefile adjustments done in the earlier
sent patch titled "move more kernel decompression bits to .init.*
sections".
Signed-off-by: Jan Beulich <jbeulich@novell.com>
| |
Signed-off-by: Keir Fraser <keir@xen.org>
| |
Fix up the fallout.
Signed-off-by: Keir Fraser <keir@xen.org>
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
There are a few places in Xen where we walk a domain's page lists
without holding the page_alloc lock. They race with updates to the
page lists, which are normally rare but can be quite common under PoD
when the domain is close to its memory limit and the PoD reclaimer is
busy. This patch protects those places by taking the page_alloc lock.
I think this is OK for the two debug-key printouts - they don't run
from irq context and look deadlock-free. The tboot change seems safe
too unless tboot shutdown functions are called from irq context or
with the page_alloc lock held. The p2m one is the scariest but there
are already code paths in PoD that take the page_alloc lock with the
p2m lock held so it's no worse than existing code.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
| |
Various functions we may call assert this fact. We just want to restart
the system.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
At the same time, the data area starts life zeroed.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
This patch is to fix S3 resume failure with Intel TXT/tboot launched,
brought by c/s 21108. Don't printk anything between two
tboot_gen_xenheap_integrity() calls for release build or debug build.
Or else the xen heap will be changed, which causes memory integrity
to be lost on S3 resume.
Signed-off-by: Shane Wang <shane.wang@intel.com>
| |
Those unmapped pages cause a page fault when MACing them and finally
cause S3 failure.
Signed-off-by: Shane Wang <shane.wang@intel.com>
| |
Make various data items const or __read_mostly where
possible/reasonable.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
This patch used fixmap to get TXT heap base/size and SINIT base/size
from TXT pub config registers (whose address starts from 0xfed20000),
and get DMAR table copy from TXT heap (whose address may start from
0x7d520000) for tboot, instead of using map_pages_to_xen(), which will
cause panic on x86_32.
Signed-off-by: Shane Wang <shane.wang@intel.com>
| |
Introduce a variant of map_domain_page() directly getting passed a
struct page_info * argument, based on the observation that in many
places the argument to this function so far simply was the result of
page_to_mfn(). This is meaningful for the x86-64 case where
map_domain_page() really just is an invocation of mfn_to_virt(), and
hence the combined mfn_to_virt(page_to_mfn()) now represents a
needless round trip conversion compressed -> uncompressed ->
compressed of the MFN representation.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
| |
Introduces a virtual space conserving transformation on the MFN thus
far used to index 1:1 mapping and frame table, removing the largest
range of contiguous bits (below the most significant one) which are
zero for all valid MFNs from the MFN representation, to be used to
index into those arrays, thereby cutting the virtual range these
tables must cover approximately by half with each bit removed.
Since this should account for hotpluggable memory (in order to not
require a re-write when that gets supported), the determination of
which bits are candidates for removal must not be based on the E820
information, but instead has to use the SRAT. That in turn requires a
change to the ordering of steps done during early boot.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
Signed-off-by: Shane Wang <shane.wang@intel.com>
| |
Signed-off-by: Qing He <qing.he@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
The original patch left in a debug return value from one of the memory
integrity checks. This patch returns the correct error code in case of a
failure. This was re-tested to ensure that it still passes for the
expected case.
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
S3 and verification on resume.
The MAC algorithm is called VMAC and was developed by Ted Krovetz and
Wei Dai (more details are in the files). It is based on a universal hash
function. The universal hash is passed through a pseudo-random function,
implemented using AES. More details can be found at
http://fastcrypto.org/vmac/.
The AES code comes from the OpenBSD implementation (which is derived
from the implementation referenced on the VMAC site).
As Xen does not have a good source of entropy to generate its own key
(for the keyed hash), it uses the key that tboot passes in.
Although the code attempts to MAC all of a domain's pages (code/data,
VT-d tables) based on its s3_integrity flag, some of a domain's memory may
always be MAC'ed, e.g. shadow page tables. Only xenheap pages that are in
use are MAC'ed. We believe that the memory MAC'ed by the Xen code and the
ranges passed to tboot to MAC cover all of the memory whose integrity needs
to be protected on S3. Any suggestions or ranges that we missed are
welcome.
Signed-off-by: Shane Wang <shane.wang@intel.com>
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
explicitly disallow them itself.
Signed-off-by: Shane Wang <shane.wang@intel.com>
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
When launched from tboot, utilise tboot interface to provide integrity
protection to the hypervisor during S3.
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
ACKed-by: Shane Wang <shane.wang@intel.com>
| |
New versions of tboot support ACPI GAS (Generic Address Structure) for
handling sleep states. This required a change to the tboot_shared_t
data structure that is not backwards compatible. This patch requires
that new version makes use of GAS when invoking tboot on shutdown.
Signed-off-by: Shane Wang <shane.wang@intel.com>
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
tboot removed the shutdown_entry32 and shutdown_entry64 from
tboot_shared_t and now has just a single shutdown_entry field.
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
| |
mappings. tboot is not registered as RAM in e820 tables, and hence
will not be mapped anyway (fails memory_is_conventional_ram() check).
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
| |
physical memory address
Otherwise, the address overflows on PAE system with memory size > 4G.
Signed-off-by: Yang, Xiaowei <xiaowei.yang@intel.com>
| |
This is a step forward to fix the security hole introduced by dom0's 1:1
mapping VT-d table: remove the critical code and data from it. The
more flexible solution is to update dom0's VT-d table on demand as what
will be done for other PV domains. However, this could bring a
performance issue even with software optimization. Iotlb flush of some
hardware is time-consuming.
Signed-off-by: Yang, Xiaowei <xiaowei.yang@intel.com>
| |
This patch updates Xen to work with the latest version (20071128)
of Trusted Boot (tboot). This version of tboot now resides at 16MB
(instead of the previous <1MB), in addition to several other
enhancements. By residing at 16MB, this version of tboot will be
protected from access by dom0.
This patch allows Xen to correctly map the tboot shutdown code that it
must trampoline into for a clean shutdown (without this patch Xen will
fault on shutdown). This patch will also work with the previous
version of tboot.
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
|
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>