Add some encapsulation of utilities which read PCI header space using
wrapper functions. Also contain verification of PCI vendor to its own
function, rather than having hard-coded integrals exposed among other
code.
v3->v2
Changed the return type of pci_pdev_read_cfg_secbus
from 32-bit to 8-bit
v2->v1
Function names changed to follow Coding guidelines
Tracked-On: #4134
Signed-off-by: Alexander Merritt <alex.merritt@intel.com>
Signed-off-by: Sainath Grandhi <sainath.grandhi@intel.com>
Remove redundant DMAR MACROs for given platform_acpi_info files because
CONFIG_ACPI_PARSE_ENABLED is enabled for all boards by default. The DMAR
info for nuc7i7dnb is kept as reference in the case that ACPI_PARSE_ENABLED
is not set in Kconfig.
As DMAR info is not provided for apl-mrb, the platform_acpi_info.h under
apl-mrb config folder is meaningless, so also remove this file and let
hypervisor parse ACPI for apl-mrb;
Tracked-On: #3977
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
The DMAR info is board specific so move the structure definition to board.c.
As a configruation file, the whole board.c could be generated by acrn-config
tool for each board.
Please note we only provide DMAR info MACROs for nuc7i7dnb board. For other
boards, ACPI_PARSE_ENABLED must be set to y in Kconfig to let hypervisor parse
DMAR info, or use acrn-config tool to generate DMAR info MACROs if user won't
enable ACPI parse code for FuSa consideration.
The patch also moves the function of get_dmar_info() to vtd.c, so dmar_info.c
could be removed.
Tracked-On: #3977
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
The value of CONFIG_MAX_IOMMU and MAX_DRHDS are identical to DRHD_COUNT
which defined in platform ACPI table, so remove CONFIG_MAX_IOMMU_NUM
from Kconfig and link these three MACROs together.
Tracked-On: #3977
Signed-off-by: Victor Sun <victor.sun@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
1. Update acrn.efi name in acrn ootb scripts
2. Add licenses to acrn ootb scripts
3. Add format U disk step
4. Add execute permission to ootb script
5. Fix wrong img name
6. update clearlinux version to 31600
Signed-off-by: Lei, Lu <leix.lu@intel.com>
We've been keeping the doc version choice list trimmed as new doc
version releases are made, but the v1.0 version should remain. (Note
that the documents for all previously published versions are still
available on the server, but they were included in the menu choice).
This PR puts the 1.0 choice back in.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Mitigation for this vulnerability is applied in 1.4 release, update
related notes in adviosry.
Tracked-On: #4101
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Add a option MCE_ON_PSC_WORKAROUND_DISABLED to disable the software
workaround for the issue Machine Check Error on Page Size Change.
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Only apply the software workaround on the models that might be
affected by MCE on page size change. For these models that are
known immune to the issue, the mitigation is turned off.
Atom processors are not afftected by the issue.
Also check the CPUID & MSR to check whether the model is immune to the issue:
CPU is not vulnerable when both CPUID.(EAX=07H,ECX=0H).EDX[29] and
IA32_ARCH_CAPABILITIES[IF_PSCHANGE_MC_NO] are 1.
Other cases not listed above, CPU may be vulnerable.
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Issue description:
-----------------
Machine Check Error on Page Size Change
Instruction fetch may cause machine check error if page size
and memory type was changed without invalidation on some
processors[1][2]. Malicious guest kernel could trigger this issue.
This issue applies to both primary page table and extended page
tables (EPT), however the primary page table is controlled by
hypervisor only. This patch mitigates the situation in EPT.
Mitigation details:
------------------
Implement non-execute huge pages in EPT.
This patch series clears the execute permission (bit 2) in the
EPT entries for large pages. When EPT violation is triggered by
guest instruction fetch, hypervisor converts the large page to
smaller 4 KB pages and restore the execute permission, and then
re-execute the guest instruction.
The current patch turns on the mitigation by default.
The follow-up patches will conditionally turn on/off the feature
per processor model.
[1] Refer to erratum KBL002 in "7th Generation Intel Processor
Family and 8th Generation Intel Processor Family for U Quad Core
Platforms Specification Update"
https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/7th-gen-core-family-spec-update.pdf
[2] Refer to erratum SKL002 in "6th Generation Intel Processor
Family Specification Update"
https://www.intel.com/content/www/us/en/products/docs/processors/core/desktop-6th-gen-core-family-spec-update.html
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Eddie Dong <eddie.dong@intel.com>
1. add guest secure boot with OVMF.
2. delete obsolete content.
3. SOS -> Service VM and UOS -> User VM.
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
The default binary will not support 2 core/2 thread hardware from V1.3;
KBL NUC7i5DNH has serial port;
Add cores and threads for CPU of hardware listed;
Signed-off-by: Xie Zhengtian <zhengtian.xie@intel.com>
As reported in PR #3959, doc build errors were being masked by a script
error. This PR fixes a chunk of them.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Cleaned up the presentation and formatting problems from the conversion
to ReST, along with English grammar and spelling edits.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
1. Some security features are added into ACRN HV memory management.
2. Dynamic memory allocation is removed. Instead, static memory page allocation is added.
3. The guest to host mapping is not static any more for Service OS after it begins running
since the Service OS support PCI BAR re-pregramming now.
Signed-off-by: Li, Fei1 <fei1.li@intel.com>
