Permalink
Commits on Jan 6, 2019
  1. arm64: account SMC fast path

    rralf authored and jan-kiszka committed Jan 3, 2019
    Housekeeping: Don't forget to account the fast path. This still fits
    into the interrupt vector entry.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. arm-common: crash cell on unhandled SMC traps

    rralf authored and jan-kiszka committed Jan 3, 2019
    Crash a cell if it calls an unhandled SMC functions.
    
    There are two reason why to do this:
      - Not all SMC calls have return values. If the hypervisor returns with
        UNHANDLED, the guest may silently fail as it takes wrong
        assumptions. (This is what already happened to us)
      - A guest may only invoke SMC functions which it has discovered
        before. If there are new functions that we might have to implement
        in future, the crash will lead us the way.
    
    Note that the default handler crashes the cell in case of
    ARCH_SMCCC_WORKAROUND_1, as the default handler path will only be taken
    in case of default interrupt vectors, where the workaround is not
    available.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    [Jan: preserve function_id variable for better readability]
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. arm64: implement a fast path for the Spectre v2 workaround

    rralf authored and jan-kiszka committed Jan 3, 2019
    In case of an EL1 abort, call the mitigation, and try to return to the
    guest as fast as possible, if it explicitely called the mitigation.
    Otherwise, handle the trap as usual.
    
    The whole hot path of the workaround fits into the interrupt vector
    slot, we just have to outsource the regular exit path to el1_trap.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jan 4, 2019
  1. arm-common: implement SMCCC feature discovery

    rralf authored and jan-kiszka committed Jan 3, 2019
    Finally, report supported features to guests. This will only affect
    non-root cells. The root-cell boots with absence of jailhouse and will,
    thus, use the features it already discovered.
    
    This is not the case for non-root cells. Report availability of
    mitigations properly.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. arm64: Mitigate CVE 2017-5715 (aka Spectre v2)

    rralf authored and jan-kiszka committed Jan 3, 2019
    Define an alternative exit vector. This exit vector will be used if
    SMCCC_ARCH_WORKAROUND_1 is available, and makes the assumption that
    mitigations are required if the workaround is available.
    
    Technically, the mitigations takes place in the monitor, its implementation
    depends on the processor. Refer [1].
    
    Similarly to KVM, Jailhouse calls the monitor's mitigation on each exit: IRQs
    and guest aborts.
    
    [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. arm64: Initialise SMCCC backend

    rralf authored and jan-kiszka committed Jan 3, 2019
    by discovering its features.
    
    The first step is to check the PSCI version. Don't even try to do any
    SMCCC calls without having checked the proper PSCI version (current QEMU
    horribly crashes).
    
    Probe if SMCCC_ARCH_FEATURES is available. If so, probe for
    SMCCC_ARCH_WORKAROUND_1 and expose its availability by setting a flag
    inside the percpu structure.
    
    The availability is stored per-cpu, as we might have big.LITTLE systems,
    where only a subset of cores need mitigations.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. arm, arm64: add stubs for SMC calls

    rralf authored and jan-kiszka committed Jan 3, 2019
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  5. arm64: introduce macro helpers that generate irq vectors

    rralf authored and jan-kiszka committed Jan 3, 2019
    Logically, we can split up the vmexit_handler in two parts: the early phase,
    after which x0-x4 may be clobbered, and the entry phase, that pushes the rest
    of the context and enters the exit handler.
    
    These two phases can be rolled out via macros. Later, we use these macro to add
    additional (i.e., calling SMCCC_ARCH_WORKAROUND_1) code between the phases.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  6. arm64: remove arch_handle_exit

    rralf authored and jan-kiszka committed Jan 3, 2019
    The final step: remove arch_handle_exit, and dispatch things directly in
    assembly. As a consequence, we get a faster exit path, as we save the
    double-dispatching.
    
    We also save one instruction inside the interrupt vector. :-)
    
    For the union registers, replace the exit_reason with __padding. For easier
    handling, the padding is located at the beginning of the structure.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  7. arm64: traps: refactor arch_dump_exit to arch_el2_abt

    rralf authored and jan-kiszka committed Jan 3, 2019
    Step three of removing arch_handle_exit().
    
    There's *no* way the default case can ever occur: The exit reason is a
    hard-coded constant value inside the interrupt vector that will never have an
    value outside its limited range. No need for special treatment of the default
    handler, we can safely remove the arch_dump_exit() call.
    
    With this, arch_dump_exit() only has one single caller left, so fold all
    constant arguments inside the function itself, and refactor its name to
    arch_el2_abt().
    
    However, leave the panic_park() for the default handler for now, it's a
    bug if it is called.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  8. arm64: Don't call vmreturn from arch_handle_exit

    rralf authored and jan-kiszka committed Jan 3, 2019
    This is the second step to get rid of arch_handle_exit(). There's no need to
    call vmreturn() from arch_handle_exit(). Let's move this to assembly.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  9. arm64: move vmexit_total increase to assembly

    rralf authored and jan-kiszka committed Jan 3, 2019
    This is the first step to get rid of arch_handle_exit().
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  10. arm64: reorder store of registers in exit path

    rralf authored and jan-kiszka committed Jan 3, 2019
    If we want to call SMCCC very early in the exit path, we have to store x0-x3
    as early as possible. Rearrange the exit path accordingly.
    
    Due to the structure of union registers, we also have to push x4 while not
    necessarily required. But this makes things easier at the moment. Nevertheless,
    we will benefit from that later: we will use x4 to hold variables that need to
    be preserved between SMC calls.
    
    Additionally, decorate things with a few comments.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Dec 20, 2018
  1. arm-common: rework psci interface

    rralf authored and jan-kiszka committed Dec 20, 2018
    Rename some macros, and, in particular, use the same naming scheme as Linux.
    This scheme highlights in which version a particular function was introduced.
    
    With this, let's also introduce PSCI version {en,de}coder macros. We will later
    benefit from this macros.
    
    No functional change.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Dec 19, 2018
  1. arm64: microoptimise exit path

    rralf authored and jan-kiszka committed Dec 18, 2018
    Similar to 6b02cd0 ("inmates: arm64: save registers on irq entry"), use
    immediate values to address the absolute offset within the stack when storing
    registers.
    
    This is a bit more efficient that the previous push-decrement stack
    pattern: While "stp xm, xn, [sp, #-16]!" results in a store followed by
    a decrement of the stack pointer, "stp xm, xn, [sp, #(1 * 16)]"
    addresses the absolute location inside the stack directly saves the
    decrement of sp.
    
    This patch also reverses the order of registers when being pushed. We will
    later utilise this.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Nov 13, 2018
  1. arm, arm64: use proper return types for traps

    rralf authored and jan-kiszka committed Nov 5, 2018
    There is a enum type for the return value of traps: enum trap_return. Use the
    proper return type, wherever it is used.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. arm, arm64: consolidate traps.h

    rralf authored and jan-kiszka committed Nov 5, 2018
    traps.h are almost the same for both arm architectures. The only differences
    are struct traps_context and an additional routine (access_cell_regs) on armv7.
    
    Common routines and definitions have their home inside arm-common, so
    de-duplicate redundant definitions and give them a new home.
    
    No functional change.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Oct 21, 2018
  1. arm-common: account for SMC exits

    rralf authored and jan-kiszka committed Oct 18, 2018
    Statistics on ARM currently has some imbalances: the total number of
    exits doesn't equal the sum of the fine granular exit counters: we
    aren't accounting for SMCCC exits.
    
    Fix this by adding a new statistic counter for SMCCC.
    
    PSCI exits are already accounted inside psci_dispatch(), move SMCCC
    accounting to the dispatcher routine handle_smc().
    
    Fixes: 7688e96 ("arm-common: Rework handling of SMC")
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Aug 17, 2018
  1. core: consolidate arch_resume_cpu / arch_resume_cpu

    rralf authored and jan-kiszka committed Aug 14, 2018
    No need to duplicate code, we now have the same path on all
    architectures.
    
    Additionally, suspend_cpu() is only called in hypervisor/control.c.
    Restrict its visibility and make it static.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. core: introduce arch_send_event

    rralf authored and jan-kiszka committed Aug 16, 2018
    Prepares consolidation of arch_cpu_resume/suspend. With this, we have
    the same path on all architectures for suspending CPUs. This allows us
    to consolidate code in the next step.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 22, 2018
  1. configs: assign 16 CPUs to our virtual arm64 target

    rralf authored and jan-kiszka committed Jul 18, 2018
    We have no other target with more than eight CPUs, but we should test
    that. Increase the number of CPUs of our qemu arm64 target.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. arm-common: gic-v3: dynamically determine redistributor region size

    rralf authored and jan-kiszka committed Jul 18, 2018
    At the moment, we constantly map 0x100000 for the redistributor region.
    This is too small for GICv3 if we have more than eight CPUs.
    
    For the moment, it is sufficient to map a larger region, depending on
    the number of the highest cpu id of the system.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. arm-common: gicv3: probe early for the gic version

    rralf authored and jan-kiszka committed Jul 18, 2018
    No need to do this for each CPU. We're currently overwriting a global
    variable anyway. Let's do this one time in gic_v3_init instead of
    gic_v3_cpu_init.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. arm-common: improve calculation of redistributor size

    rralf authored and jan-kiszka committed Jul 18, 2018
    No need for setting redist_size in every iteration. The version of the
    GIC won't change once we know if we probed for v3 or v4.
    
    Additionally, use some defines for the size of the redistributor.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 18, 2018
  1. core: arm64: Fix gicv3_get_cpu_target

    rralf authored and jan-kiszka committed Jul 17, 2018
    Shifting has precedence. But we need to shift _after_ we applied the
    bitmask. Otherwise, the bitmask will applied after shifting the bits.
    This is wrong.
    
    This raises an error if we have more than eight CPUs: The eighth CPU
    will be target 256, which will be masked out and result in 0.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 15, 2018
  1. inmates: x86: surround printk by __attribute__((format))

    rralf authored and jan-kiszka committed Jul 13, 2018
    And fix all errors that popped up.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 13, 2018
  1. inmate: arm-common: remove heartbeat

    rralf authored and jan-kiszka committed Jul 13, 2018
    We now have the virtual console, which has the same effect as the
    heartbeat, if used. No need for the heartbeat any longer.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 9, 2018
  1. inmates: arm64: save registers on irq entry

    rralf authored and jan-kiszka committed Jul 6, 2018
    At the moment, we don't save register context if we enter an IRQ in our
    inmates on ARMv8. We really should...
    
    gic-demo, e.g., only works as we enter wfi state after arming the timer
    and never leave it. Any more complex non-interrupt code executing on a
    CPU will immediatly fail, as we mess up registers.
    
    Note: Saving and restoring registers is done via
    __attribute__((interrupt("IRQ")) of vector_irq() on ARMv7
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 6, 2018
  1. Documentation: remove documentation for board configuration

    rralf authored and jan-kiszka committed Jul 4, 2018
    This is now done via cell configrations. Remove documentation.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. inmates: consolidate console_init()

    rralf authored and jan-kiszka committed Jul 2, 2018
    We can now consolidate console_init() for all architectures. But there
    are still some minor differences for different architectures:
      - x86 might want to use PIO accessors
      - arm might want to enable clocks
    
    Introduce an arch_console_init() routine that does arch-specific
    initalisation before the eventual uart initialisation.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Commits on Jul 5, 2018
  1. Documentation: Update documentation

    rralf authored and jan-kiszka committed Jun 27, 2018
    We made quite a few changes to the debug output subsystem that want to
    be documented.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  2. core: Amend documentation of jailhouse_header

    rralf authored and jan-kiszka committed Jun 27, 2018
    Due to the way ARM64 is using trampoline pages, we currently don't
    support clock gating on ARM64 on hypervisor side.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  3. inmates: lib: Consolidate printk.c

    rralf authored and jan-kiszka committed Jun 27, 2018
    Besides initialisation, x86 and arm-common now share the same debug
    output paths. Consolidate them.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  4. inmates: x86: Use common 8250 driver

    rralf authored and jan-kiszka committed Jun 27, 2018
    arm-common and x86 share the same driver for the 8250 driver. Let's use it on
    x86 as well.
    
    Furthermore, for parameterising driver settings use the information that is
    passed via the comm region.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
  5. inmates: x86: Use virtual console as additional console

    rralf authored and jan-kiszka committed Jun 27, 2018
    Similar to ARM systems, use the virtual console as a secondary,
    additional console.
    
    Signed-off-by: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>