Fix some wording, table formatting, and links to issues and commits from
the original PR #3515
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Issue description:
-----------------
Machine Check Error on Page Size Change
Instruction fetch may cause machine check error if page size
and memory type was changed without invalidation on some
processors[1][2]. Malicious guest kernel could trigger this issue.
This issue applies to both primary page table and extended page
tables (EPT), however the primary page table is controlled by
hypervisor only. This patch mitigates the situation in EPT.
Mitigation details:
------------------
Implement non-execute huge pages in EPT.
This patch series clears the execute permission (bit 2) in the
EPT entries for large pages. When EPT violation is triggered by
guest instruction fetch, hypervisor converts the large page to
smaller 4 KB pages and restore the execute permission, and then
re-execute the guest instruction.
The current patch turns on the mitigation by default.
The follow-up patches will conditionally turn on/off the feature
per processor model.
[1] Refer to erratum KBL002 in "7th Generation Intel Processor
Family and 8th Generation Intel Processor Family for U Quad Core
Platforms Specification Update"
https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/7th-gen-core-family-spec-update.pdf
[2] Refer to erratum SKL002 in "6th Generation Intel Processor
Family Specification Update"
https://www.intel.com/content/www/us/en/products/docs/processors/core/desktop-6th-gen-core-family-spec-update.html
Tracked-On: #4120
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Eddie Dong <eddie.dong@intel.com>
Cacheline is flushed on EPT entry change, no need to invalidate cache globally
when VM created per VM.
Tracked-On: #4120
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
EPT tables are shared by MMU and IOMMU.
Some IOMMUs don't support page-walk coherency, the cpu cache of EPT entires
should be flushed to memory after modifications, so that the modifications
are visible to the IOMMUs.
This patch adds a new interface to flush the cache of modified EPT entires.
There are different implementations for EPT/PPT entries:
- For PPT, there is no need to flush the cpu cache after update.
- For EPT, need to call iommu_flush_cache to make the modifications visible
to IOMMUs.
Tracked-On: #4120
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
VT-d shares the EPT tables as the second level translation tables.
For the IOMMUs that don't support page-walk coherecy, cpu cache should
be flushed for the IOMMU EPT entries that are modified.
For the current implementation, EPT tables for translating from GPA to HPA
for EPT/IOMMU are not modified after VM is created, so cpu cache invlidation is
done once per VM before starting execution of VM.
However, this may be changed, runtime EPT modification is possible.
When cpu cache of EPT entries is invalidated when modification, there is no need
invalidate cpu cache globally per VM.
This patch exports iommu_flush_cache for EPT entry cache invlidation operations.
- IOMMUs share the same copy of EPT table, cpu cache should be flushed if any of
the IOMMU active doesn't support page-walk coherency.
- In the context of ACRN, GPA to HPA mapping relationship is not changed after
VM created, skip flushing iotlb to avoid potential performance penalty.
Tracked-On: #4120
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Anthony Xu <anthony.xu@intel.com>
AP trampoline code should be accessile to hypervisor only,
Unmap this memory region from service VM's EPT mapping
for security reason..
Tracked-On: #4091
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
1. Print warning message instead of panic when
the caller try to modify the attribute for
memory region or delete memory region that
are not present.
2. To avoid above warning message for memory region
below 1M,its attribute may be updated by Service
VM when updating MTTR setting.
Tracked-On: #4091
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Fei Li <fei1.li@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
In lib/string.c, strncmp doesn't consider condition "n_arg=0",
just add a process to "n_arg=0".
Tracked-On: #4093
Tracked-On: projectacrn/acrn-hypervisor#3466
Signed-off-by: YanX Fu <yanx.fu@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
This patch is to remove unused info in server.c
Tracked-On: #4089
Signed-off-by: xiaojin2 <xiaojing.liu@intel.com>
Reviewed-by: Liu, Xinwu <xinwu.liu@intel.com>
Acked-by: CHEN Gang <gang.c.chen@intel.com>
The return value of 'strtol()' is not checked properly
in _get_vmname_pid() @acrn_vm_ops.c and parse_opt()@acnrd.c,
the return type of 'strtol' is 'long int', but it is assigned
to a variable with type of 'int' and compared to "LONG_MAX"
and "LONG_MIN", which is always false.
This patch is to fix above error case.
Tracked-On: #4088
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yan, Like <like.yan@intel.com>
Acked-by: Yan, Like <like.yan@intel.com>
int snprintf(char *str, size_t size, const char *format, ...)
The functions snprintf() write at most size bytes (including the
terminating null byte('\0')) to str.
only when returned value of snprintf is non-negative and less than size,
the string has been completely written.
Tracked-On: #4087
Signed-off-by: Gao Junhao <junhao.gao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
In function crb_reg_write() in tpm_rbc.c
'tpm_vdev->request_mutex' will potentially kept
in locked state after crb_reg_write() returns.
Tracked-On: #4086
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yadong Qi <yadong.qi@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
In acrn_load_elf(), file pointer 'fp' is kept in
open state before exiting if 'load_elf32()' is executed,
this patch is to fix this bug.
Tracked-On: #4085
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
DIR handler is referenced after release, need to be adjusted before
released.
Tracked-On: #4084
Signed-off-by: Gao Junhao <junhao.gao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
When removing node in list, list_foreach_safe will be safer than
LIST_FOREACH.
Tracked-On: #4083
Signed-off-by: Junhao Gao <junhao.gao@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
this patch is to fix error debug message
for invalid 'param' case, there is no string
variable for '%s' output, which will potenially
trigger hypervisor crash as it may access random
memroy address and trigger SMAP violation.
Tracked-On: #4092
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
checking the inputs explicitly instead of using Assert.
Tracked-On: #4003
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Shuo Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
In release environment, binary files must be stripped in
order to remove debugging code sections and symbol information
that aid attackers in the process of disassembly and reverse
engineering.
Use '-s' linking option to remove symbol table and relocation
information from release binaries.
Tracked-On: #3427
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Remove unsafe API in efi-stub
1, use Strnlen instead of StrLen except the parameter
is a static string.
2, strlen() only work on static strings.
Tracked-On: #3276
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
'pcpu_id' should be less than CONFIG_MAX_PCPU_NUM,
else 'per_cpu_data' will overflow. This commit fixes
this potential overflow issue.
Tracked-On: #3397
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
va_end() was not getting called under certain condition
after the va_start() function call taking the va_list.
Tracked-On: #3396
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
va_end() was not getting called under certain condition
after the va_start() function call taking the va_list
Tracked-On: #3396
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Gang Chen <gang.c.chen@intel.com>
This patch is to fix some potential memory leak issues
1, free mrp if the mmio_rb_lookup() function return 0;
2, free memory allocated by strdup in some error case handling.
Tracked-On: #3277
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
Replace strlen function with strnlen function in DM
Tracked-On: #3276
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
Use strncpy instead of strcpy to avoid buf overflow.
Fix strncpy null-terminated issues.
Tracked-On: #3245
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
APL NUC Getting started guide has some obsolete information (such as
saying the user had to build ACRN as part of the installation process
and changed instructions because the Clear Linux installer changed),
along with some spelling and grammar issues.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
An instruction is needed from gsg so that user could know where
to get the script and also how to use it to setup SOS, UOS automatically.
Signed-off-by: ruix.li <ruix.li@intel.com>
Update the architectural diagram in the "Using PREEMPT_RT-Linux for
real-time UOS" tutorial to reflect the new name given to that type of
VM, i.e. from "Privileged VM" to "RTVM".
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Update the instructions on how to build ACRN on Ubuntu 16.04,
specifically:
* Add 'pkg-config' package
* Upgrade 'binutils' to 2.27
Note: there is still an issue with regards to the GPIO header
(linux/gpio.h) which needs to be resolved.
Tracked-On: #2737
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Change shell command 'sos_console' to 'vm_console' as it is not only
used to switch console to SOS.
Tracked-On: #2987
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
This patch renames rules ID to reflect the language, in order
to support multiple programming languages.
Signed-off-by: Shiqing Gao <shiqing.gao@intel.com>
With latest gcc, there are build error with current ACRN code.
Fixing could involve many code changes. We use gcc option to
remove build error as temperary workaround. And will fix the
build error one by one.
Tracked-On: #3010
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
