Per trusty design, trusty requires a monotonic increasing
secure tick(TSC) at run time. This secure tick will used
to mitigate password/pin force attack, control key expiration,
etc.
Currently, the TSC_OFFSET is enabled. And guest will got
(host_tsc + tsc_offset) when execute rdtsc/rdtscp/rdmsr to
aquire tsc value. The host_tsc is always keeping increasing
during the runtime.
So initialize tsc_offset of trusty to 0 will ensure the
secure tick feature.
Signed-off-by: Qi Yadong <yadong.qi@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
eptp should be record as PA.
this patch changed nworld_eptp, sworld_eptp and m2p eptp to PA type,
necessary HPA2HVA/HVA2HPA transition is used for them after the change.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
- read/write page table entries should use VA which defined as "void *"
- the address data in page table entries should us PA which defined as
"uint64_t"
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
The cpu model name of "Intel(R) Celeron(R) CPU J3455 @ 1.50GHz" is used for
APL NUC which is in Acrn official suport list.
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Currently acrn partitions cpus between SOS and UOS, so the default
policy is to allow guest managing CPU px state. However we would
not blindly passthrough perf_ctrl MSR to guest. Instead guest access
is always trapped and validated by acrn hypervisor before forwarding
to pcpu. Doing so leaves room for future power budget control in
hypervisor, e.g. limiting turbo percentage that a cpu can enter.
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
We can use this interface for VHM to pass per-cpu power state data
to guest per its request.
For now the vcpu power state is per-vm, this could be changed if
per-cpu power state support is required in the future.
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
The vm px info would be used for guest Pstate control.
Currently it is copied from host boot cpu.
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
The patch takes Intel ATOM A3960 as example that hard code all Px info
which is needed for Px control into Acrn HV and load it in boot process.
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
The cpu model name would be used to distinguish which hard coded data
need to be loaded to boot_cpu_data;
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
all callers for fetch_page_table_offset should already make sure
it will not come to an unknown table_leve, so just panic here.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
- walk_paging_struct should return sub_table_addr, if something wrong,
it return NULL
- update_page_table_entry should return adjusted_size, if something wrong
it return 0
the change is valid under release version, as at that time, ASSERT in
walk_paging_struct is empty.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
- remove unused map_params in get_table_entry
- add error return for both, which is valid under release version,
as at that time, ASSERT in get_table_entry is empty.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
function break_page_table should return next_level_page_size, if
something wrong, it return 0.
the change is valid for release version, as at that time ASSERT()
in break_page_table is empty.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
function map_mem_region should return mapped_size, if something wrong,
it return 0.
the change is valid for release version, as at that time ASSERT()
in map_mem_region is empty.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
add error return for all, which is valid under release version,
as at that time, ASSERT in modify_paging is empty.
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Previously with the help from gcc, __builtin_return_address(0) is
used as the guest entry address, but it can't work well with gcc 7.3
and leads to the guest unable to return to UEFI correctly.
Let's get it explicitly.
Signed-off-by: Jack Ren <jack.ren@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Enable compilation test for Fedora 26 and Ubuntu 16.04. The tests
will run for all combinations of RELEASE={0|1} and PLATFORM={sbl|uefi}
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Enable the Travis CI testing for all combinations of variables
that can be set at compile-time. I.e. RELEASE={0|1} and
PLATFORM={0|1}
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Documentation for parameters must match exactly in spelling and case.
Parameter named "vcpu" was incorrectly documented as "VCPU", and
parameter named "param" was documented as "param's".
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
malloc: allocate a block of memory, the contents of the block are undefined.
calloc: allocate a block of memory for an array of num elements and initializes all its bits to zero.
Signed-off-by: yechunliang <yechunliangcn@163.com>
Add check_continuous_hpa API:
when create secure world,if the physical
address is not continuous, will assert.
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
This patch added API destroy_secure_world, which will do:
-- clear trusty memory space
-- restore memory to SOS ept mapping
It will be called when VM is destroyed, furthermore, ept of
Secure world will be destroyed as well.
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Remove TODO comments since it has been done below the comments.
Typo fix: startup_info --> startup_param.
Signed-off-by: Qi Yadong <yadong.qi@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
1.it doesn't support VMX for guest OS
2.for MSR out of control, inject GP to guest OS.
Signed-off-by: Minggui Cao <minggui.cao@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
--add free_paging_struct api, used for free page tables
it will clear memory before free.
--add HPA2HVA translation when free ept memory
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Before this patch, HV accesses PML4E of secure world when the PML4
doesn't exist,will access null pointer.
Fix as follow:
Before the copy of PDPTE,will allocate memory and write PML4E,
then copy the PDPTE.
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Per SDM Vol. 2:
If CPUID.80000008H:EAX[7:0] is supported, the maximum physical address
number supported should come from this field.
This patch gets the maximum physical address number from CPUID leaf
0x80000008 and calculates the physical address mask when the leaf is
available.
Currently ACRN does not support platforms w/o this leaf and will panic
on such platforms.
Also call get_cpu_capabilities() earlier since the physical address mask
is required for initializing paging.
Signed-off-by: Junjie Mao <junjie.mao@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Per SDM:
When CPUID executes with EAX set to 80000000H, the processor returns
the highest value the processor recognizes for returning extended
processor information. The value is returned in the EAX register and is
processor specific.
This patch caches this value in the global cpuinfo_x86.cpuid_leaves. This
value will be used to check the availability of any CPUID extended
function.
Signed-off-by: Junjie Mao <junjie.mao@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Assignment of structures are implemented using memcpy which is not
available in the hypervisor. This patch convert such assignment to an
explicit memcpy_s() call.
Signed-off-by: Junjie Mao <junjie.mao@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
enable TSC offset in VMX, so if TSC MSR is changed by guest OS,
write a caculated value into TSC-offset, then host TSC will not be changed.
Signed-off-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Zhao Yakui <yakui.zhao@intel.com>
Reviewed-by: He, Min <min.he@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
enable Xsave feature and pass-through it to guests
update based on v2:
- enable host xsave before expose it to guests.
- add validation for the value to be set to 'xcr0' before call xsetbv
when handling xsetbv vmexit.
- tested in SOS guest, created two threads to do different
FP calculations,test code runs in user land of sos.
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
According to C99:
The empty list in a function declarator that is not part of a definition of
that function specifies that no information about the number or types of the
parameters is supplied.
This means gcc is happy with the following code, which is undesirable.
void foo(); /* declaration with an empty parameter list */
void bar() {
foo(); /* OK */
foo(1); /* OK */
foo(1, 2); /* OK */
}
This patch fixes declarations of functions with empty parameter lists by adding
an unnamed parameter of type void, which is the standard way to specify that a
function has no parameters. The following coccinelle script is used.
@@
type T;
identifier f;
@@
-T f();
+T f(void);
New compilation errors are fixed accordingly.
Signed-off-by: Junjie Mao <junjie.mao@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
A bugfix for saving secure world memory info.
Maybe there are multiple UOS, each VM has its own secure
world and normal world, should save memory info into individual VM.
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
On some toolchain configurations direct struct assignments will
default to a memcpy operation which is not present in this
environment, so explicitly use the internal memcpy_s function.
Signed-of-by: Rusty Lynch <rusty.lynch@intel.com>
Add a FIXME comment that the emalloc() & __emalloc cannot
guarantee to return address under 4G, and the hypervisor
cannot handle params, which address is above 4G, delivered
from efi stub.
Signed-off-by: Zheng, Gen <gen.zheng@intel.com>
Remove the useless function named get_path().
Remove the useless function named print_ch().
Remove the useless function named isspace().
Move the function memory_map() from boot.c to malloc.c
Signed-off-by: Zheng, Gen <gen.zheng@intel.com>
Save the pointer of efi_ctx in mi_drivers_addr field of
multiboot structure and pass to hypervisor, not by
saving in register RDX(the third default parameter in
64bit call function).
With this method, we can be compatible with the original
32bit boot parameters passing method and no need to
large the array size of boot_regs in hypervisor.
Signed-off-by: Zheng, Gen <gen.zheng@intel.com>
With current code, the acrn.efi is inserted between
cl bootloader.efi and bzImage.efi that destroyed the chain
relationship of cl bootloader and cl bzImage.efi.
And the following is current boot flow:
UEFI -> cl bootloader.efi -> acrn.efi -> bzImage.efi
The purpose of this patch is resume above chain relationship,
and make uefi vm return to efi stub context once launched,
then continue to call the UEFI API(LoadImage/StartImage) to launch
cl bootloader or other bootloaders. So the boot flow will
change to be as below:
UEFI -> acrn.efi -> cl bootloader.efi -> bzImage.efi
After applying this patch, the code related to loading
bzImage.efi and getting pe_entry is unnecessary due to
the bzImage.efi will not be launched by acrn.efi directly,
so it is removed.
Signed-off-by: Zheng, Gen <gen.zheng@intel.com>
With current code, memcpy rsdp to 0x500 maybe overwrite uefi
code/data region.
So remove the legacy BIOS deliver method of RSDP, which need copy
the RSDP to EBDA space which is addressed by the 16bit pointer
at 0x40E or upper memory BIOS space 0xe0000-0xfffff. And just
deliver the pointer of RSDP, which is already saved in UEFI system
table, to hypervisor.
Create a function named efi_init() to separate efi initialize code.
Signed-off-by: Zheng, Gen <gen.zheng@intel.com>
Currently, the serial log is printed through IO(0x3f8).
Secure World will print serial log by port 0x3f8. So
remove the ASSERT for Secure World booting.
Signed-off-by: Qi Yadong <yadong.qi@intel.com>
For trusty bring-up, key_info is needed.
Currently, bootloader did not transfer key_info to hypervisor.
So in this patch, use dummy key_info temporarily.
Derive vSeed from dSeed before trusty startup, the vSeed will
bind with UUID of each VM.
Remove key_info from sworld_control structure.
Signed-off-by: Qi Yadong <yadong.qi@intel.com>
