Commits on Sep 24, 2018
  1. Bump version number

    jan-kiszka committed Sep 24, 2018
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Sep 22, 2018
  1. configs: zynqmp-zcu102: Add physical PCI host controller

    jan-kiszka committed Sep 22, 2018
    This allows access to the mmconfig space of the physical PCI bus.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Sep 17, 2018
  1. configs: Set PCI domain in ESPRESSObin config

    jan-kiszka committed Sep 17, 2018
    This requires a tiny dts patch which will be shipped along with the
    Jailhouse kernel queue and will also be part of jailhouse-images. On the
    pro side, it provides a stable PCI address of the virtual host
    controller and the attached devices.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. configs: Use fixed PCI domain for hikey

    jan-kiszka committed Sep 17, 2018
    This board has no other PCI controllers, so we can just use the default
    domain 0.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Sep 9, 2018
  1. tools, Documentation: Adjust pyjailhouse import boilerplate documentation

    jan-kiszka committed Sep 9, 2018
    Move the comment when local imports must have happened before the line
    that prevents them. Also fix the Python syntax in the example boilerplate
    code.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. build: Clean pyjailhouse from compiled files

    jan-kiszka committed Sep 9, 2018
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. README, tools: Update 'jailhouse hardware check' documentation

    jan-kiszka committed Sep 9, 2018
    The SYSCONFIG parameter is history now.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Sep 4, 2018
  1. inmates: x86: Add SMI counter evaluation to apic-demo

    jan-kiszka committed Aug 29, 2018
    This can provide hints why latencies are not as low as expected, even
    without any hypervisor exits.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Aug 27, 2018
  1. kbuild: Account for changes in 4.19

    jan-kiszka committed Aug 27, 2018
    LDFLAGS became KBUILD_LDFLAGS. Set/extend them both.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Aug 18, 2018
  1. pyjailhouse: Avoid parallel installation

    jan-kiszka committed Aug 18, 2018
    pip dislikes to run in parallel to kbuild because it can get confused by
    temporary artifacts the latter generates:
    
    [...]
    make[1]: Entering directory '/home/builder/jailhouse/git'
    install -d -m 755 /home/builder/jailhouse/git/debian/jailhouse/lib/firmware
    install -d -m 755 /home/builder/jailhouse/git/debian/jailhouse/usr/libexec/jailhouse
    python -m pip install --upgrade --force-reinstall --root=/home/builder/jailhouse/git/debian/jailhouse .
    install -m 644 inmates/tools/x86/*.bin /home/builder/jailhouse/git/debian/jailhouse/usr/libexec/jailhouse
    Processing /home/builder/jailhouse/git
      CHK     /home/builder/jailhouse/git/hypervisor/include/generated/config.mk
      CHK     /home/builder/jailhouse/git/hypervisor/include/generated/version.h
    Exception:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
        status = self.run(options, args)
      File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 353, in run
        wb.build(autobuilding=True)
      File "/usr/lib/python2.7/dist-packages/pip/wheel.py", line 749, in build
        self.requirement_set.prepare_files(self.finder)
      File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 380, in prepare_files
        ignore_dependencies=self.ignore_dependencies))
      File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 620, in _prepare_file
        session=self.session, hashes=hashes)
      File "/usr/lib/python2.7/dist-packages/pip/download.py", line 809, in unpack_url
        unpack_file_url(link, location, download_dir, hashes=hashes)
      File "/usr/lib/python2.7/dist-packages/pip/download.py", line 686, in unpack_file_url
        shutil.copytree(link_path, location, symlinks=True)
      File "/usr/lib/python2.7/shutil.py", line 208, in copytree
        raise Error, errors
    Error: [('/home/builder/jailhouse/git/.3844.tmp', '/tmp/pip-SJsW0O-build/.3844.tmp', "[Errno 2] No such file or directory: '/home/builder/jailhouse/git/.3844.tmp'")]
    Makefile:57: recipe for target 'pyjailhouse_install' failed
    [...]
    
    Avoid that situation by running pip after all other installation steps.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Aug 15, 2018
  1. x86: Harden non-present mappings against L1TF

    jan-kiszka committed Aug 15, 2018
    Foreshadow(-NG) has been published, and while we are already pretty well
    hardened by avoiding sharing cores and by hiding sensitive data of
    remote cells when running in hypervisor mode, we can and probably should
    do better: A key aspect of CVE-2018-3620 and CVE-2018-3646 is that Intel
    CPUs ignore the present bit when speculatively using PTEs. Therefore, a
    simple and practically cost-free mitigation is to ensure that
    non-present page table entries point to non-present physical addresses.
    We can easily achieve that by folding invalid address bits into
    PAGE_NONPRESENT_FLAGS.
    
    This change primarily affects the hiding of the per-CPU mappings in the
    hypervisor address space after setup. However, we also modify the
    clear_entry callback to do the same, although there is currently no case
    in the hypervisor address space where we hide sensitive data via
    paging_destroy - better safe than sorry /wrt potential future changes.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
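    The hardening described above, as an added example that is not Jailhouse's
    code and does not reproduce its PAGE_NONPRESENT_FLAGS definition: it
    contrasts a non-present entry that merely clears the present bit with one
    that also carries a frame bit at or above MAXPHYADDR, audits a small table
    for the invariant, and shows that the hidden mapping stays recoverable. The
    PTE bit positions are architectural; the function names, the 39-bit
    MAXPHYADDR and the frame value are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 PTE bits; the macro names are chosen for this example
 * only and are not Jailhouse's. */
#define PTE_PRESENT    (1ULL << 0)
#define PTE_RW         (1ULL << 1)
#define PTE_ADDR_MASK  0x000ffffffffff000ULL   /* bits 12..51: frame number */

/* Address an affected core uses for the speculative L1D lookup: the frame
 * bits of the entry, with the present bit ignored (CVE-2018-3620/-3646). */
static uint64_t l1tf_speculative_paddr(uint64_t pte)
{
    return pte & PTE_ADDR_MASK;
}

/* Naive hiding: clear P only. The frame number of the hidden data remains
 * in the entry, so a speculative load still hits its L1D lines. */
static uint64_t hide_naive(uint64_t pte)
{
    return pte & ~PTE_PRESENT;
}

/* Hardened hiding: clear P and set a frame bit at or above MAXPHYADDR, so
 * the speculative address cannot correspond to any cached physical line.
 * Needs a free frame bit below 52; returns 0 when MAXPHYADDR leaves none
 * (a 52-bit part would need a different trick, e.g. inverting the frame
 * bits as Linux does). 0 is never a valid hardened entry, so it is an
 * unambiguous failure value here. */
static uint64_t hide_hardened(uint64_t pte, unsigned maxphyaddr)
{
    if (maxphyaddr < 12 || maxphyaddr >= 52)
        return 0;
    return (pte & ~PTE_PRESENT) | (1ULL << maxphyaddr);
}

/* Reverse of hide_hardened: the original mapping stays recoverable, which
 * matters when hidden data must be made accessible again, e.g. on shutdown. */
static uint64_t unhide(uint64_t pte, unsigned maxphyaddr)
{
    return (pte & ~(1ULL << maxphyaddr)) | PTE_PRESENT;
}

/* The invariant the commit asks for: every non-present entry must point at a
 * physical address that does not exist. Present entries are out of scope. */
static bool entry_is_l1tf_safe(uint64_t pte, unsigned maxphyaddr)
{
    if (pte & PTE_PRESENT)
        return true;
    return l1tf_speculative_paddr(pte) >= (1ULL << maxphyaddr);
}

/* Audit helper: number of non-present entries that still leak a real frame. */
static unsigned audit_table(const uint64_t *table, size_t n, unsigned maxphyaddr)
{
    unsigned bad = 0;

    for (size_t i = 0; i < n; i++)
        if (!entry_is_l1tf_safe(table[i], maxphyaddr))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed values: a 39-bit MAXPHYADDR (read CPUID 0x80000008 for the
     * real one) and a made-up frame holding "sensitive" per-CPU data. */
    const unsigned maxphyaddr = 39;
    uint64_t secret = 0x000000007f123000ULL | PTE_RW | PTE_PRESENT;
    uint64_t table[] = { secret, hide_naive(secret), hide_hardened(secret, maxphyaddr) };

    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        printf("entry %zu: pte=0x%012llx spec_paddr=0x%010llx safe=%d\n", i,
               (unsigned long long)table[i],
               (unsigned long long)l1tf_speculative_paddr(table[i]),
               entry_is_l1tf_safe(table[i], maxphyaddr));
    printf("unsafe non-present entries: %u\n", audit_table(table, 3, maxphyaddr));
    return 0;
}
```

    The audit reports exactly one unsafe entry, the naively hidden one. On a
    real machine MAXPHYADDR comes from CPUID leaf 0x80000008 (EAX[7:0]); the
    same check is what a page-table walker would assert after per-CPU data has
    been hidden.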
Commits on Aug 12, 2018
  1. core: mmio: Plug potentially dangerous race between lookup and modification

    jan-kiszka committed Jul 25, 2018
    Houston, I think we had a problem here:
    
     CPU 1                                   CPU 2
     -----                                   -----
     copy_region(..., 1, 2)
                                             mmio_handle_access()
                                                 find_region(...) = 1
     copy_region(..., 0, 1)
         mmio_handlers[1].handler = handler0
                                                 use mmio_handlers[1]:
                                                     handler0(arg1)
         mmio_handlers[1].arg = arg0
    
    And handler0 will interpret arg1 as if it were arg0, possibly using a
    completely different type. Yeah, lockless is easy ... to get wrong.
    
    What we need here to avoid taking a lock in mmio_handle_access while
    still being safe is some revision counting with a retry in case a
    mmio access dispatch races with a modification of the list (could be
    triggered by the guest via a reconfiguration of ivshmem mmio regions).
    And this is what this patch does:
    
    The mmio_generation counter is incremented to an odd value before
    beginning a change to the list. Then the modifications are done, the
    list size is adjusted, and finally the generation counter is incremented
    again - all properly serialized via memory barriers. That's the writer
    side.
    
    On the reader side, we capture the generation counter before starting a
    lookup. If it is already odd at that time, we wait for the modification
    to finish. That is because we may otherwise capture an inconsistent
    state before the writing side has incremented the counter again.
    
    While walking the list in find_regions, we check the counter after each
    iteration to avoid that we miss a shrink or an expansion. After we find
    a matching entry, we capture all relevant data before we check the
    generation counter once again. That ensures that the caller of
    find_region will get a consistent snapshot of the matching region index,
    its base address and its handler function with argument.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
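    The generation-counter scheme described above, as an added single-threaded
    C example that is not Jailhouse's mmio code: a writer brackets list changes
    with odd/even generation values, a reader captures the counter, re-checks
    it after each element and again after taking its snapshot, and a
    constructed race inserts a region below the matched one between the index
    lookup and the handler read, exactly the window in the diagram. All names
    (mmio_region_register, mmio_find_region, race_hook, the dev_a/dev_b
    handlers) are hypothetical; race_hook stands in for the second CPU.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative reimplementation of the scheme in the commit message; names are
 * hypothetical, not Jailhouse's. race_hook stands in for the racing writer. */
#define MAX_REGIONS 8
typedef int (*mmio_handler_t)(void *arg, uint64_t offset);
struct mmio_region  { uint64_t start, size; };
struct mmio_handler { mmio_handler_t fn; void *arg; };
struct mmio_lookup  { unsigned index; uint64_t base; mmio_handler_t fn; void *arg; };

static struct mmio_region  regions[MAX_REGIONS];
static struct mmio_handler handlers[MAX_REGIONS];
static unsigned            num_regions;
static atomic_uint         generation;     /* odd while a writer is active */
static unsigned            lookup_retries; /* readers that had to restart */
static void (*race_hook)(void);            /* test-only: injected writer */

/* Writer: odd opens a change, even closes it; full fences order both edges. */
static void writer_begin(void) { atomic_fetch_add(&generation, 1); atomic_thread_fence(memory_order_seq_cst); }
static void writer_end(void)   { atomic_thread_fence(memory_order_seq_cst); atomic_fetch_add(&generation, 1); }

/* Insert sorted by start; the tail shifts up, like copy_region(..., i, i + 1). */
static bool mmio_region_register(uint64_t start, uint64_t size, mmio_handler_t fn, void *arg)
{
    unsigned idx, i;
    if (num_regions == MAX_REGIONS)
        return false;
    writer_begin();
    for (idx = 0; idx < num_regions && regions[idx].start < start; idx++)
        ;
    for (i = num_regions; i > idx; i--) {
        regions[i] = regions[i - 1];
        handlers[i] = handlers[i - 1];
    }
    regions[idx] = (struct mmio_region){ start, size };
    handlers[idx] = (struct mmio_handler){ fn, arg };
    num_regions++;
    writer_end();
    return true;
}

/* Reader: acquire fence, then compare with the generation captured at start. */
static bool gen_changed(unsigned gen)
{
    atomic_thread_fence(memory_order_acquire);
    return atomic_load_explicit(&generation, memory_order_relaxed) != gen;
}

/* Lock-free lookup: index, base and handler+arg as one consistent snapshot. */
static bool mmio_find_region(uint64_t addr, struct mmio_lookup *out)
{
    unsigned gen, i;
retry:
    while ((gen = atomic_load_explicit(&generation, memory_order_acquire)) & 1)
        ;                                   /* writer in progress: wait for it */
    for (i = 0; i < num_regions; i++) {
        uint64_t start = regions[i].start, size = regions[i].size;
        if (gen_changed(gen)) { lookup_retries++; goto retry; }   /* list grew/shrank */
        if (addr < start || addr - start >= size)
            continue;
        out->index = i; out->base = start;
        if (race_hook) { void (*h)(void) = race_hook; race_hook = NULL; h(); }
        out->fn = handlers[i].fn; out->arg = handlers[i].arg;    /* possibly stale */
        if (gen_changed(gen)) { lookup_retries++; goto retry; }   /* index vs. handler */
        return true;
    }
    return false;
}

static int mmio_handle_access(uint64_t addr)
{
    struct mmio_lookup m;
    return mmio_find_region(addr, &m) ? m.fn(m.arg, addr - m.base) : -1;
}

/* Two handlers with incompatible argument types, as in the commit's diagram. */
struct dev_a { uint32_t regs[4]; };
struct dev_b { int magic; };
static int handler_a(void *arg, uint64_t off) { return (int)((struct dev_a *)arg)->regs[(off / 4) & 3]; }
static int handler_b(void *arg, uint64_t off) { return ((struct dev_b *)arg)->magic + (int)off; }
static struct dev_a a_state = { { 1, 2, 3, 4 } };
static struct dev_b b_state = { 0xB0 };
static void hook_insert_between(void) { mmio_region_register(0x2000, 0x1000, handler_a, &a_state); }

/* Scenario: B is found at index 1, then a region is inserted below it before the
 * handler is read, so handlers[1] now holds handler_a with a dev_a argument. The
 * generation check catches it; the retry finds B again at index 2. */
static int run_scenario(void)
{
    mmio_region_register(0x1000, 0x1000, handler_a, &a_state);
    mmio_region_register(0x3000, 0x1000, handler_b, &b_state);
    race_hook = hook_insert_between;
    return mmio_handle_access(0x3010);      /* handler_b: 0xB0 + 0x10 = 192 */
}

int main(void)
{
    int r = run_scenario();
    printf("result=%d retries=%u regions=%u\n", r, lookup_retries, num_regions);
    return 0;
}
```

    Build with a C11 compiler (gcc -std=c11). The program reports one retry
    and that the access at 0x3010 was still dispatched to handler_b with its own
    argument; without the second check it would have called handler_a on a
    dev_a pointer, the type confusion the commit describes. In real multi-core
    code the plain array reads would need READ_ONCE-style accesses, and
    spinning on an odd generation is only acceptable because the writer cannot
    be descheduled in the middle of its change.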
  2. arm: Clean up vmreturn assembly

    jan-kiszka committed Jul 22, 2018
    Micro-optimization, saving one instruction. Leave a comment about the
    reason for the add at this chance.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. arm: Ensure double-word alignment of stack after entry

    jan-kiszka committed Jul 22, 2018
    This issue was sleeping since day #1 of ARM support: The ARM calling
    convention requires the stack to be double-word aligned on public
    interfaces, e.g. when calling a subfunction. We failed to ensure this
    both when calling entry() as well as arch_handle_exit().
    
    This had no immediate negative impact, but was causing at least one
    subtle effect: variable argument lists are expecting to find 64-bit
    values double-word aligned on the stack, and that requirement was
    violated. Therefore, printing long long variables was broken in the
    hypervisor.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. arm-common: Fix 3-level virt-to-phys translations

    jan-kiszka committed Jul 22, 2018
    This small mistake in injecting the page offset into the returned
    physical address was easily able to invalidate various virt-to-phys
    translations. We were lucky it didn't bite us harder so far.
    
    It was indirectly discovered by check_mmu_map() on the Orange Pi Zero:
    jailhouse_base_phys suddenly received an invalid virt-to-phys
    translation because the hiding of private per-cpu structures broke up
    the 2-level hypervisor core mapping into a 3-level mapping. That invalid
    physical address let check_mmu_map() fail.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  5. configs: qemu-arm64: Set PCI domain

    jan-kiszka committed Jun 14, 2018
    Upcoming QEMU 3.0 contains a change that injects linux,pci-domain into
    the device tree it hands out to the guest. So we also need to set the
    domain in the overlay for the virtual PCI host controller, otherwise
    Linux refuses the fragment as invalid.
    
    This change will make the config incompatible with older QEMU versions.
    However, 3.0 will also contain some relevant fixes to the GIC emulation
    so that lifting our version requirement is reasonable.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  6. x86: Wait on init_signaled to arrive

    jan-kiszka committed Jul 19, 2018
    This particularly ensures that Linux guests do not consider CPUs dead
    because of the potential high latency between submitting INIT and
    getting the target CPU into wait_for_sipi state. On real hardware, the
    Delivery Status bit which is polled by Linux synchronizes the sender.
    Emulating this would be way more complex than making the INIT IPI
    submission synchronous. Delaying this is fine because kicking off
    secondary CPUs should never be a hot path.
    
    In case of cross-posting between cores or when there is a management
    request pending, we have to check for events and process them while
    waiting for INIT to arrive.
    
    The issue manifested in failing to online CPUs again under the root cell
    Linux on an Intel NUC6CAY (Apollo Lake Atom).
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 22, 2018
  1. x86: Do not send an INIT request if there is already one pending

    jan-kiszka committed Jul 19, 2018
    This is redundant, though harmless. At most, we get an NMI IPI on the
    target side when it already completed the handling of init_signaled. But
    it's cleaner and clearer to avoid that scenario in the first place.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. x86: Simplify x86_check_events()

    jan-kiszka committed Jul 19, 2018
    We do not need to loop over the INIT signal because it cannot arrive
    multiple times while the loop is running if we put the INIT check after
    the suspension check. This makes the rest analogous to the arm-common
    version.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. arm-common: Simplify check_events()

    jan-kiszka committed Jul 19, 2018
    The pattern we actually need is:
    
    1. check if suspension requests are pending and keep handling them as
       long as they are
    2. handle park requests, they should take precedence
    3. in the absence of park requests, handle reset requests
    
    So this removes the unneeded suspension loop around all three. The
    pattern is also supposed to be transferred to x86.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 16, 2018
  1. core: Respect ongoing panic also in virtual console

    jan-kiszka committed Jul 16, 2018
    This is analogous to the UART and framebuffer drivers. If the panic
    happens for non-root CPUs, we can still analyze them via the virtual
    console, provided they were not mangled.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 15, 2018
  1. Revert "inmates: x86: move stop label to the top"

    jan-kiszka committed Jul 15, 2018
    This reverts commit 91ac3ca.
    
    We need this for SMP: The secondary entry handler may return and expects
    us to stop the CPU then.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. configs: x86: Add missing console definition to smp and e1000e demos

    jan-kiszka committed Jul 15, 2018
    Fixes: 8198734 ("inmates: x86: Add consoles to inmate definition")
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. configs: x86: Allow virtual console in demo inmates

    jan-kiszka committed Jul 15, 2018
    Useful on platforms that do not have UART.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 12, 2018
  1. tools: Allow to build jailhouse-config-collect independent of PYTHON_PIP_USABLE

    jan-kiszka committed Jul 12, 2018
    This allows to generate the config collector on a host that has no
    sufficient pip support to install the Python tools - which can be
    perfectly fine.
    
    Reported-by: Henning Schild <henning.schild@siemens.com>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. x86: Remove VGA debug console support

    jan-kiszka committed Jul 10, 2018
    VGA is considered legacy by now, and - if at all - it is only available
    when booting a system in legacy mode. Therefore, it's getting
    harder and harder to make use of this console. At the same time, we now
    have a modern alternative with the EFI framebuffer driver.
    
    CC: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. core: Map EFI framebuffer buffer with PAGE_FLAG_FRAMEBUFFER

    jan-kiszka committed Jul 10, 2018
    This accelerates the access significantly.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. core: Add PAGE_FLAG_FRAMEBUFFER mapping type

    jan-kiszka committed Jul 9, 2018
    This introduces PAGE_FLAG_FRAMEBUFFER as alternative to PAGE_FLAG_DEVICE
    to account for mapping differences of framebuffer-like devices. So far
    it only makes a difference on x86 where we switch to write-combining
    mode.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  5. x86: Add EFI framebuffer debug console

    jan-kiszka committed Jul 9, 2018
    All modern UEFI systems come with the so-called Graphic Output Protocol
    which provides a simple framebuffer device. This can also be used as
    alternative to UART-based debug consoles. And it can replace the VGA
    console which is no longer working on such systems (VGA is legacy).
    
    As we are now filling a graphic buffer, we are in need of a console
    font. The altc-8x16 we use here was taken from KBD version 2.0.4
    (https://www.kernel.org/pub/linux/utils/kbd) and is licensed under
    GPL-2.0-or-later. Leave a note about this also in the LICENSING file.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 9, 2018
  1. Documentation: Update memory-layer.txt to per-CPU paging strategy

    jan-kiszka committed Jun 10, 2018
    This describes the memory layout after the per-CPU paging changes. It
    also explains how these changes aim at making Jailhouse robust against
    Spectre attacks, run by one cell on the data of another cell.
    
    This also adds a section about the debug console mapping which is
    dynamic and, well, fragile. Will eventually die when we eliminate
    JAILHOUSE_BORROW_ROOT_PT.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. core: Move temporary mapping area into CPU-local region

    jan-kiszka committed Jan 15, 2018
    Move the area where we temporarily map guest memory in front of the
    per-cpu region. This makes the mapping private for each CPU, no other
    can peek into it anymore.
    
    This change also brings in a number of simplifications, starting with the
    calculation of the mapping address which is now static. Furthermore, we
    no longer need to reserve space in the common remapping area. And then
    we can share a generic LOCAL_CPU_BASE definition via jailhouse/paging.h.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. core: Prepare jailhouse/paging.h for use by assembly code

    jan-kiszka committed May 1, 2018
    We will move LOCAL_CPU_BASE here, prepare for it.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. arm: Hide private per-cpu section during hypervisor operation

    jan-kiszka committed May 1, 2018
    Turn off access to the private per-cpu section before the final
    activation of the hypervisor. This prevents that one CPU can potentially
    speculate about the private content of per-cpu sections of others.
    
    We do not need to worry about the shutdown, though: The stack is
    switched atomically with the MMU settings.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  5. arm64: Hide private per-cpu section during hypervisor operation

    jan-kiszka committed May 1, 2018
    Turn off access to the private per-cpu section before the final
    activation of the hypervisor. This prevents that one CPU can potentially
    speculate about the private content of per-cpu sections of others.
    
    We do not need to worry about the stack during the shutdown, it is
    switched atomically with the MMU settings. But we still need to enable
    access to the per-cpu section because arch_shutdown_self() will flush
    it via its virtual address prior to turning off the MMU.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  6. x86: Hide private per-cpu section during hypervisor operation

    jan-kiszka committed May 1, 2018
    Turn off access to the private per-cpu section before the final
    activation of the hypervisor. This prevents that one CPU can potentially
    speculate about the private content of per-cpu sections of others.
    
    Stack migration has to happen earlier now, before disabling the common
    access. So far we used the migrated stack pointer only on the
    first VM exit.
    
    Before we switch the hypervisor off, access needs to be granted again
    because the page table switch and the stack migration aren't atomic.
    
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>