On 2025-04-04 03:34, Jan Beulich wrote:
On 03.04.2025 23:46, Jason Andryuk wrote:
xenstored maps other domains' xenstore pages. Currently this relies on
init-dom0less or xl to seed the grants from Dom0. With split
hardware/control/xenstore domains, this is problematic since we don't
want the hardware domain to be able to map other domains' resources
without their permission. Instead have the hypervisor seed the grant
table entry for every dom0less domain. The grant is then accessible as
normal.
C xenstored uses grants, so it can map the xenstore pages from a
non-dom0 xenstore domain. OCaml xenstored uses foreign mappings, so it
can only run from a privileged domain (dom0).
Signed-off-by: Jason Andryuk <jason.andr...@amd.com>
---
v3:
Expand commit message about C vs. OCaml xenstored.
Remove __init and flags from gnttab_seed_entry()
Change frame to uint32_t
ASSERT gfn fits in a uint32_t
Ehem. For this you need to use ...
--- a/xen/arch/arm/dom0less-build.c
+++ b/xen/arch/arm/dom0less-build.c
@@ -788,6 +788,12 @@ static void __init initialize_domU_xenstore(void)
rc = alloc_xenstore_evtchn(d);
if ( rc < 0 )
panic("%pd: Failed to allocate xenstore_evtchn\n", d);
+
+ if ( gfn != ~0ULL )
+ {
+ ASSERT(gfn <= UINT_MAX);
... UINT32_MAX here. Furthermore may I remind you that INVALID_GFN ==
UINT32_MAX in 32-bit environments.
Yes, thanks.
The ~0ULL may also better be UINT64_MAX.
I'll also add
#define XENSTORE_PFN_LATE_ALLOC UINT64_MAX
@@ -85,6 +89,9 @@ static inline void grant_table_destroy(struct domain *d) {}
static inline void grant_table_init_vcpu(struct vcpu *v) {}
+static inline void gnttab_seed_entry(struct domain *d, int idx,
+ domid_t be_domid, uint32_t frame) {}
Hmm. While generally I prefer using such wrappers, I wonder if in this
case it wouldn't end up more clear if a conditional was added in
initialize_domU_xenstore(). Ideally using IS_ENABLED(), which - aiui -
would require moving the declaration of the function.
Ok.
Thanks,
Jason
