Theses are the broad changes needed for a split hardware / control domain. I'm mainly focused on the XSM changes, but there are additional xenstored and init-dom0less changes to make things work.
An earlier posting gave device_model privileges to hardware domain. For this posting, it was split out into a new capability. This way the operator can choose where to run the device models without making the hardware domain have the permissions. The first patch add XSM_HW_PRIV for the hardware hypercalls. In this posting, the control domain cannot call these hypercalls. There is also a new XEN_DOMCTL_CDF_not_hypercall_target flag. This is used to mark a domain that cannot be the target of hypercalls. This is useful for ensuring a domain has freedom from interference from control and device model domains. The control domain can still issue XSM_DM_PRIV hypercalls. SILO is changed to allow hardware and xenstore to service domUs. Xenstore and hardware will use grants for PV interfaces. xenstored runs in the xenstore domain. C xenstored is updated to read the event channel from the domU's grant. C xenstored must also be used since it uses grants instead of foreign mapping. init-dom0less is run from control domain. auto-introduction of domains is needed for this to work. init-dom0less issues xs_introduce_domain over the xenbus, so it must be functional for control to issue it. The special casing in "xsm/dummy: Allow HVMOP_get_param for control domain" is needed for init-dom0less to know if it should or should not configure xenstore for dom0less xen.enhanced = "no-xenstore". There are some cosmetic errors from xl related to SYSCTL_physinfo. libxl: error: libxl_utils.c:818:libxl_cpu_bitmap_alloc: failed to retrieve the maximum number of cpus Jason Andryuk (17): xen/xsm: Add XSM_HW_PRIV xsm/silo: Support hardware & xenstore domains xen: Add DOMAIN_CAPS_DEVICE_MODEL & XEN_DOMCTL_CDF_device_model xen: Introduce XEN_DOMCTL_CDF_not_hypercall_target xen/dom0less: Workaround XSM for evtchn_alloc_unbound xen/xsm: Expand XSM_XS_PRIV for untargetable domains xsm/dummy: Allow HVMOP_get_param for control domain public/io: xs_wire: Include event channel in interface page xen/dom0less: store xenstore event channel in page tools/xenstored: Read event channel from xenstored page xen: Add capabilities to get_domain_state tools/manage: Expose domain capabilities tools/xenstored: Delay firing special watches tools/xenstored: Auto-introduce domains tools/init-dom0less: Factor out xenstore setup tools/init-dom0less: Configure already-introduced domains tools/init-dom0less: Continue on error docs/misc/arm/device-tree/booting.txt | 6 ++ tools/helpers/init-dom0less.c | 78 +++++++++++++++---------- tools/include/xenmanage.h | 14 ++++- tools/libs/manage/core.c | 21 +++++-- tools/ocaml/libs/xc/xenctrl.ml | 2 + tools/ocaml/libs/xc/xenctrl.mli | 2 + tools/xenstored/core.c | 7 ++- tools/xenstored/core.h | 1 + tools/xenstored/domain.c | 65 ++++++++++++++++----- tools/xenstored/domain.h | 2 +- xen/arch/arm/domain.c | 4 +- xen/arch/arm/platform_hypercall.c | 2 +- xen/arch/x86/msi.c | 2 +- xen/arch/x86/physdev.c | 12 ++-- xen/arch/x86/platform_hypercall.c | 2 +- xen/common/device-tree/dom0less-build.c | 25 ++++++++ xen/common/domain.c | 11 +++- xen/drivers/passthrough/pci.c | 5 +- xen/drivers/pci/physdev.c | 2 +- xen/include/public/bootfdt.h | 18 +++++- xen/include/public/domctl.h | 13 ++++- xen/include/public/io/xs_wire.h | 7 +++ xen/include/xen/sched.h | 21 +++++++ xen/include/xsm/dummy.h | 34 +++++++---- xen/include/xsm/xsm.h | 1 + xen/xsm/silo.c | 15 ++++- 26 files changed, 285 insertions(+), 87 deletions(-) -- 2.50.0
