diff mbox

[Xen-devel,v6,17/22] arm/gic: Add a new callback to deny Dom0 access to GIC regions

Message ID 1458207668-12012-18-git-send-email-zhaoshenglong@huawei.com
State New
Headers show

Commit Message

Shannon Zhao March 17, 2016, 9:41 a.m. UTC 
From: Shannon Zhao <shannon.zhao@linaro.org>

Add a new member in gic_hw_operations which is used to deny Dom0 access
to GIC regions.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
---
v6: use SZ_64K for GICv3 distributor 
---
 xen/arch/arm/gic-v2.c     | 31 +++++++++++++++++++++++++++++++
 xen/arch/arm/gic-v3.c     | 45 +++++++++++++++++++++++++++++++++++++++++++++
 xen/arch/arm/gic.c        |  5 +++++
 xen/include/asm-arm/gic.h |  3 +++
 4 files changed, 84 insertions(+)

Comments

Julien Grall March 22, 2016, 7:33 p.m. UTC | #1 
Hi Shannon,

On 17/03/16 09:41, Shannon Zhao wrote:
> From: Shannon Zhao <shannon.zhao@linaro.org>
>
> Add a new member in gic_hw_operations which is used to deny Dom0 access
> to GIC regions.
>
> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
> ---
> v6: use SZ_64K for GICv3 distributor
> ---
>   xen/arch/arm/gic-v2.c     | 31 +++++++++++++++++++++++++++++++
>   xen/arch/arm/gic-v3.c     | 45 +++++++++++++++++++++++++++++++++++++++++++++
>   xen/arch/arm/gic.c        |  5 +++++
>   xen/include/asm-arm/gic.h |  3 +++
>   4 files changed, 84 insertions(+)
>
> diff --git a/xen/arch/arm/gic-v2.c b/xen/arch/arm/gic-v2.c
> index 02db5f2..186f944 100644
> --- a/xen/arch/arm/gic-v2.c
> +++ b/xen/arch/arm/gic-v2.c
> @@ -22,6 +22,7 @@
>   #include <xen/init.h>
>   #include <xen/mm.h>
>   #include <xen/irq.h>
> +#include <xen/iocap.h>
>   #include <xen/sched.h>
>   #include <xen/errno.h>
>   #include <xen/softirq.h>
> @@ -714,6 +715,31 @@ static u32 gicv2_make_hwdom_madt(const struct domain *d, u32 offset)
>       return table_len;
>   }
>
> +static int gicv2_iomem_deny_access(const struct domain *d)
> +{
> +    int rc;
> +    unsigned long gfn, nr;
> +
> +    gfn = dbase >> PAGE_SHIFT;
> +    rc = iomem_deny_access(d, gfn, gfn + 1);
> +    if ( rc )
> +        return rc;
> +
> +    gfn = hbase >> PAGE_SHIFT;
> +    rc = iomem_deny_access(d, gfn, gfn + 1);
> +    if ( rc )
> +        return rc;
> +
> +    gfn = cbase >> PAGE_SHIFT;
> +    nr = DIV_ROUND_UP(csize, PAGE_SIZE);
> +    rc = iomem_deny_access(d, gfn, gfn + nr);
> +    if ( rc )
> +        return rc;
> +
> +    gfn = vbase >> PAGE_SHIFT;
> +    return iomem_deny_access(d, gfn, gfn + nr);
> +}
> +
>   static int __init
>   gic_acpi_parse_madt_cpu(struct acpi_subtable_header *header,
>                           const unsigned long end)
> @@ -809,6 +835,10 @@ static u32 gicv2_make_hwdom_madt(const struct domain *d, u32 offset)
>   {
>       return 0;
>   }
> +static int gicv2_iomem_deny_access(const struct domain *d)
> +{
> +    return 0;
> +}

I don't see any benefits to have iomem_deny_access only implemented when 
CONFIG_ACPI is built.

Because in this case, you will also deny the iomem when Xen is booting 
using device tree.

>   #endif
>
>   static int __init gicv2_init(void)
> @@ -902,6 +932,7 @@ const static struct gic_hw_operations gicv2_ops = {
>       .read_apr            = gicv2_read_apr,
>       .make_hwdom_dt_node  = gicv2_make_hwdom_dt_node,
>       .make_hwdom_madt     = gicv2_make_hwdom_madt,
> +    .iomem_deny_access   = gicv2_iomem_deny_access,
>   };
>
>   /* Set up the GIC */
> diff --git a/xen/arch/arm/gic-v3.c b/xen/arch/arm/gic-v3.c
> index d9fce4b..7f9634d 100644
> --- a/xen/arch/arm/gic-v3.c
> +++ b/xen/arch/arm/gic-v3.c
> @@ -27,6 +27,7 @@
>   #include <xen/cpu.h>
>   #include <xen/mm.h>
>   #include <xen/irq.h>
> +#include <xen/iocap.h>
>   #include <xen/sched.h>
>   #include <xen/errno.h>
>   #include <xen/delay.h>
> @@ -1278,6 +1279,45 @@ static u32 gicv3_make_hwdom_madt(const struct domain *d, u32 offset)
>       return table_len;
>   }
>
> +static int gicv3_iomem_deny_access(const struct domain *d)
> +{
> +    int rc, i;
> +    unsigned long gfn, nr;
> +
> +    gfn = dbase >> PAGE_SHIFT;
> +    nr = DIV_ROUND_UP(SZ_64K, PAGE_SIZE);
> +    rc = iomem_deny_access(d, gfn, gfn + nr);
> +    if ( rc )
> +        return rc;
> +
> +    for ( i = 0; i < gicv3.rdist_count; i++ )
> +    {
> +        gfn = gicv3.rdist_regions[i].base >> PAGE_SHIFT;
> +        nr = DIV_ROUND_UP(gicv3.rdist_regions[i].size, PAGE_SIZE);
> +        rc = iomem_deny_access(d, gfn, gfn + nr);
> +        if ( rc )
> +            return rc;
> +    }
> +
> +    if ( cbase != INVALID_PADDR )
> +    {
> +        gfn = cbase >> PAGE_SHIFT;
> +        nr = DIV_ROUND_UP(csize, PAGE_SIZE);
> +        rc = iomem_deny_access(d, gfn, gfn + nr);
> +        if ( rc )
> +            return rc;
> +    }
> +
> +    if ( vbase != INVALID_PADDR )
> +    {
> +        gfn = vbase >> PAGE_SHIFT;
> +        nr = DIV_ROUND_UP(csize, PAGE_SIZE);
> +        return iomem_deny_access(d, gfn, gfn + nr);
> +    }
> +
> +    return 0;
> +}
> +
>   static int __init
>   gic_acpi_parse_madt_cpu(struct acpi_subtable_header *header,
>                           const unsigned long end)
> @@ -1426,6 +1466,10 @@ static u32 gicv3_make_hwdom_madt(const struct domain *d, u32 offset)
>   {
>       return 0;
>   }
> +static int gicv3_iomem_deny_access(const struct domain *d)
> +{
> +    return 0;
> +}

Ditto

>   #endif
>
>   /* Set up the GIC */
> @@ -1521,6 +1565,7 @@ static const struct gic_hw_operations gicv3_ops = {
>       .secondary_init      = gicv3_secondary_cpu_init,
>       .make_hwdom_dt_node  = gicv3_make_hwdom_dt_node,
>       .make_hwdom_madt     = gicv3_make_hwdom_madt,
> +    .iomem_deny_access   = gicv3_iomem_deny_access,
>   };
>
>   static int __init gicv3_dt_preinit(struct dt_device_node *node, const void *data)
> diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
> index 6d32432..65022ee 100644
> --- a/xen/arch/arm/gic.c
> +++ b/xen/arch/arm/gic.c
> @@ -744,6 +744,11 @@ u32 gic_make_hwdom_madt(const struct domain *d, u32 offset)
>       return gic_hw_ops->make_hwdom_madt(d, offset);
>   }
>
> +int gic_iomem_deny_access(const struct domain *d)
> +{
> +    return gic_hw_ops->iomem_deny_access(d);
> +}
> +
>   /*
>    * Local variables:
>    * mode: C
> diff --git a/xen/include/asm-arm/gic.h b/xen/include/asm-arm/gic.h
> index 4cf003d..932fc02 100644
> --- a/xen/include/asm-arm/gic.h
> +++ b/xen/include/asm-arm/gic.h
> @@ -360,6 +360,8 @@ struct gic_hw_operations {
>                                 const struct dt_device_node *gic, void *fdt);
>       /* Create MADT table for the hardware domain */
>       u32 (*make_hwdom_madt)(const struct domain *d, u32 offset);
> +    /* Deny access to GIC regions */
> +    int (*iomem_deny_access)(const struct domain *d);
>   };
>
>   void register_gic_ops(const struct gic_hw_operations *ops);
> @@ -367,6 +369,7 @@ int gic_make_hwdom_dt_node(const struct domain *d,
>                              const struct dt_device_node *gic,
>                              void *fdt);
>   u32 gic_make_hwdom_madt(const struct domain *d, u32 offset);
> +int gic_iomem_deny_access(const struct domain *d);
>
>   #endif /* __ASSEMBLY__ */
>   #endif
>

Regards,
Shannon Zhao March 24, 2016, 3:03 p.m. UTC | #2 
On 2016年03月24日 20:45, Stefano Stabellini wrote:
> On Tue, 22 Mar 2016, Julien Grall wrote:
>> > Hi Shannon,
>> > 
>> > On 17/03/16 09:41, Shannon Zhao wrote:
>>> > > From: Shannon Zhao <shannon.zhao@linaro.org>
>>> > > 
>>> > > Add a new member in gic_hw_operations which is used to deny Dom0 access
>>> > > to GIC regions.
>>> > > 
>>> > > Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
>>> > > ---
>>> > > v6: use SZ_64K for GICv3 distributor
>>> > > ---
>>> > >   xen/arch/arm/gic-v2.c     | 31 +++++++++++++++++++++++++++++++
>>> > >   xen/arch/arm/gic-v3.c     | 45
>>> > > +++++++++++++++++++++++++++++++++++++++++++++
>>> > >   xen/arch/arm/gic.c        |  5 +++++
>>> > >   xen/include/asm-arm/gic.h |  3 +++
>>> > >   4 files changed, 84 insertions(+)
>>> > > 
>>> > > diff --git a/xen/arch/arm/gic-v2.c b/xen/arch/arm/gic-v2.c
>>> > > index 02db5f2..186f944 100644
>>> > > --- a/xen/arch/arm/gic-v2.c
>>> > > +++ b/xen/arch/arm/gic-v2.c
>>> > > @@ -22,6 +22,7 @@
>>> > >   #include <xen/init.h>
>>> > >   #include <xen/mm.h>
>>> > >   #include <xen/irq.h>
>>> > > +#include <xen/iocap.h>
>>> > >   #include <xen/sched.h>
>>> > >   #include <xen/errno.h>
>>> > >   #include <xen/softirq.h>
>>> > > @@ -714,6 +715,31 @@ static u32 gicv2_make_hwdom_madt(const struct domain
>>> > > *d, u32 offset)
>>> > >       return table_len;
>>> > >   }
>>> > > 
>>> > > +static int gicv2_iomem_deny_access(const struct domain *d)
>>> > > +{
>>> > > +    int rc;
>>> > > +    unsigned long gfn, nr;
>>> > > +
>>> > > +    gfn = dbase >> PAGE_SHIFT;
>>> > > +    rc = iomem_deny_access(d, gfn, gfn + 1);
>>> > > +    if ( rc )
>>> > > +        return rc;
>>> > > +
>>> > > +    gfn = hbase >> PAGE_SHIFT;
>>> > > +    rc = iomem_deny_access(d, gfn, gfn + 1);
>>> > > +    if ( rc )
>>> > > +        return rc;
>>> > > +
>>> > > +    gfn = cbase >> PAGE_SHIFT;
>>> > > +    nr = DIV_ROUND_UP(csize, PAGE_SIZE);
>>> > > +    rc = iomem_deny_access(d, gfn, gfn + nr);
>>> > > +    if ( rc )
>>> > > +        return rc;
>>> > > +
>>> > > +    gfn = vbase >> PAGE_SHIFT;
>>> > > +    return iomem_deny_access(d, gfn, gfn + nr);
>>> > > +}
>>> > > +
>>> > >   static int __init
>>> > >   gic_acpi_parse_madt_cpu(struct acpi_subtable_header *header,
>>> > >                           const unsigned long end)
>>> > > @@ -809,6 +835,10 @@ static u32 gicv2_make_hwdom_madt(const struct domain
>>> > > *d, u32 offset)
>>> > >   {
>>> > >       return 0;
>>> > >   }
>>> > > +static int gicv2_iomem_deny_access(const struct domain *d)
>>> > > +{
>>> > > +    return 0;
>>> > > +}
>> > 
>> > I don't see any benefits to have iomem_deny_access only implemented when
>> > CONFIG_ACPI is built.
>> > 
>> > Because in this case, you will also deny the iomem when Xen is booting using
>> > device tree.
> That's true, it would be better to do that for device tree too.
> 
Ok, I'll move it out of the CONFIG_ACPI. But calling it for device tree
would be another patch I think.

Thanks,
Julien Grall March 24, 2016, 3:39 p.m. UTC | #3 
Hi Shannon,

On 24/03/16 15:03, Shannon Zhao wrote:
> On 2016年03月24日 20:45, Stefano Stabellini wrote:
>> On Tue, 22 Mar 2016, Julien Grall wrote:
>>>>>> @@ -809,6 +835,10 @@ static u32 gicv2_make_hwdom_madt(const struct domain
>>>>>> *d, u32 offset)
>>>>>>    {
>>>>>>        return 0;
>>>>>>    }
>>>>>> +static int gicv2_iomem_deny_access(const struct domain *d)
>>>>>> +{
>>>>>> +    return 0;
>>>>>> +}
>>>>
>>>> I don't see any benefits to have iomem_deny_access only implemented when
>>>> CONFIG_ACPI is built.
>>>>
>>>> Because in this case, you will also deny the iomem when Xen is booting using
>>>> device tree.
>> That's true, it would be better to do that for device tree too.
>>
> Ok, I'll move it out of the CONFIG_ACPI. But calling it for device tree
> would be another patch I think.

Oh right. However my point is this function is not ACPI specific at all. 
So there is no need to compile out when ACPI is disabled.

Regards,
diff mbox

Patch

diff --git a/xen/arch/arm/gic-v2.c b/xen/arch/arm/gic-v2.c
index 02db5f2..186f944 100644
--- a/xen/arch/arm/gic-v2.c
+++ b/xen/arch/arm/gic-v2.c
@@ -22,6 +22,7 @@ 
 #include <xen/init.h>
 #include <xen/mm.h>
 #include <xen/irq.h>
+#include <xen/iocap.h>
 #include <xen/sched.h>
 #include <xen/errno.h>
 #include <xen/softirq.h>
@@ -714,6 +715,31 @@  static u32 gicv2_make_hwdom_madt(const struct domain *d, u32 offset)
     return table_len;
 }
 
+static int gicv2_iomem_deny_access(const struct domain *d)
+{
+    int rc;
+    unsigned long gfn, nr;
+
+    gfn = dbase >> PAGE_SHIFT;
+    rc = iomem_deny_access(d, gfn, gfn + 1);
+    if ( rc )
+        return rc;
+
+    gfn = hbase >> PAGE_SHIFT;
+    rc = iomem_deny_access(d, gfn, gfn + 1);
+    if ( rc )
+        return rc;
+
+    gfn = cbase >> PAGE_SHIFT;
+    nr = DIV_ROUND_UP(csize, PAGE_SIZE);
+    rc = iomem_deny_access(d, gfn, gfn + nr);
+    if ( rc )
+        return rc;
+
+    gfn = vbase >> PAGE_SHIFT;
+    return iomem_deny_access(d, gfn, gfn + nr);
+}
+
 static int __init
 gic_acpi_parse_madt_cpu(struct acpi_subtable_header *header,
                         const unsigned long end)
@@ -809,6 +835,10 @@  static u32 gicv2_make_hwdom_madt(const struct domain *d, u32 offset)
 {
     return 0;
 }
+static int gicv2_iomem_deny_access(const struct domain *d)
+{
+    return 0;
+}
 #endif
 
 static int __init gicv2_init(void)
@@ -902,6 +932,7 @@  const static struct gic_hw_operations gicv2_ops = {
     .read_apr            = gicv2_read_apr,
     .make_hwdom_dt_node  = gicv2_make_hwdom_dt_node,
     .make_hwdom_madt     = gicv2_make_hwdom_madt,
+    .iomem_deny_access   = gicv2_iomem_deny_access,
 };
 
 /* Set up the GIC */
diff --git a/xen/arch/arm/gic-v3.c b/xen/arch/arm/gic-v3.c
index d9fce4b..7f9634d 100644
--- a/xen/arch/arm/gic-v3.c
+++ b/xen/arch/arm/gic-v3.c
@@ -27,6 +27,7 @@ 
 #include <xen/cpu.h>
 #include <xen/mm.h>
 #include <xen/irq.h>
+#include <xen/iocap.h>
 #include <xen/sched.h>
 #include <xen/errno.h>
 #include <xen/delay.h>
@@ -1278,6 +1279,45 @@  static u32 gicv3_make_hwdom_madt(const struct domain *d, u32 offset)
     return table_len;
 }
 
+static int gicv3_iomem_deny_access(const struct domain *d)
+{
+    int rc, i;
+    unsigned long gfn, nr;
+
+    gfn = dbase >> PAGE_SHIFT;
+    nr = DIV_ROUND_UP(SZ_64K, PAGE_SIZE);
+    rc = iomem_deny_access(d, gfn, gfn + nr);
+    if ( rc )
+        return rc;
+
+    for ( i = 0; i < gicv3.rdist_count; i++ )
+    {
+        gfn = gicv3.rdist_regions[i].base >> PAGE_SHIFT;
+        nr = DIV_ROUND_UP(gicv3.rdist_regions[i].size, PAGE_SIZE);
+        rc = iomem_deny_access(d, gfn, gfn + nr);
+        if ( rc )
+            return rc;
+    }
+
+    if ( cbase != INVALID_PADDR )
+    {
+        gfn = cbase >> PAGE_SHIFT;
+        nr = DIV_ROUND_UP(csize, PAGE_SIZE);
+        rc = iomem_deny_access(d, gfn, gfn + nr);
+        if ( rc )
+            return rc;
+    }
+
+    if ( vbase != INVALID_PADDR )
+    {
+        gfn = vbase >> PAGE_SHIFT;
+        nr = DIV_ROUND_UP(csize, PAGE_SIZE);
+        return iomem_deny_access(d, gfn, gfn + nr);
+    }
+
+    return 0;
+}
+
 static int __init
 gic_acpi_parse_madt_cpu(struct acpi_subtable_header *header,
                         const unsigned long end)
@@ -1426,6 +1466,10 @@  static u32 gicv3_make_hwdom_madt(const struct domain *d, u32 offset)
 {
     return 0;
 }
+static int gicv3_iomem_deny_access(const struct domain *d)
+{
+    return 0;
+}
 #endif
 
 /* Set up the GIC */
@@ -1521,6 +1565,7 @@  static const struct gic_hw_operations gicv3_ops = {
     .secondary_init      = gicv3_secondary_cpu_init,
     .make_hwdom_dt_node  = gicv3_make_hwdom_dt_node,
     .make_hwdom_madt     = gicv3_make_hwdom_madt,
+    .iomem_deny_access   = gicv3_iomem_deny_access,
 };
 
 static int __init gicv3_dt_preinit(struct dt_device_node *node, const void *data)
diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 6d32432..65022ee 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -744,6 +744,11 @@  u32 gic_make_hwdom_madt(const struct domain *d, u32 offset)
     return gic_hw_ops->make_hwdom_madt(d, offset);
 }
 
+int gic_iomem_deny_access(const struct domain *d)
+{
+    return gic_hw_ops->iomem_deny_access(d);
+}
+
 /*
  * Local variables:
  * mode: C
diff --git a/xen/include/asm-arm/gic.h b/xen/include/asm-arm/gic.h
index 4cf003d..932fc02 100644
--- a/xen/include/asm-arm/gic.h
+++ b/xen/include/asm-arm/gic.h
@@ -360,6 +360,8 @@  struct gic_hw_operations {
                               const struct dt_device_node *gic, void *fdt);
     /* Create MADT table for the hardware domain */
     u32 (*make_hwdom_madt)(const struct domain *d, u32 offset);
+    /* Deny access to GIC regions */
+    int (*iomem_deny_access)(const struct domain *d);
 };
 
 void register_gic_ops(const struct gic_hw_operations *ops);
@@ -367,6 +369,7 @@  int gic_make_hwdom_dt_node(const struct domain *d,
                            const struct dt_device_node *gic,
                            void *fdt);
 u32 gic_make_hwdom_madt(const struct domain *d, u32 offset);
+int gic_iomem_deny_access(const struct domain *d);
 
 #endif /* __ASSEMBLY__ */
 #endif