authorNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
committerNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
commit8185891e28635bdb83fdf4ba4391030912dae596 (patch)
tree66a946535bdd228514750233b2cc99dd1866ff64 /kernels/xen
parent60a11f87366fdfbd114cdc91ff813518858e5f8d (diff)
Tue Feb 18 01:56:27 UTC 2014
Diffstat (limited to 'kernels/xen')
-rw-r--r--kernels/xen/09_xen141
-rw-r--r--kernels/xen/ChangeLog48
-rw-r--r--kernels/xen/IVRS-debug.patch14
-rw-r--r--kernels/xen/PKGBUILD191
-rw-r--r--kernels/xen/TOM-register.patch187
-rw-r--r--kernels/xen/ati-passthrough.patch415
-rw-r--r--kernels/xen/bios_workaround.patch51
-rw-r--r--kernels/xen/conf.d-xenconsoled14
-rw-r--r--kernels/xen/conf.d-xenstored2
-rw-r--r--kernels/xen/grub.conf2
-rw-r--r--kernels/xen/proc-xen.mount9
-rw-r--r--kernels/xen/tmpfiles.d-xen.conf2
-rw-r--r--kernels/xen/var-lib-xenstored.mount10
-rw-r--r--kernels/xen/xen.conf19
-rw-r--r--kernels/xen/xen.install64
-rw-r--r--kernels/xen/xenconsoled.service18
-rw-r--r--kernels/xen/xendomU@.service12
-rw-r--r--kernels/xen/xendomains.patch108
-rw-r--r--kernels/xen/xendomains.service15
-rw-r--r--kernels/xen/xenstored.service20
-rw-r--r--kernels/xen/xsa73-4.3-unstable.patch105
-rw-r--r--kernels/xen/xsa75-4.3-unstable.patch55
-rw-r--r--kernels/xen/xsa78.patch23
23 files changed, 1525 insertions, 0 deletions
diff --git a/kernels/xen/09_xen b/kernels/xen/09_xen
new file mode 100644
index 000000000..ddb20696f
--- /dev/null
+++ b/kernels/xen/09_xen
@@ -0,0 +1,141 @@
+#! /bin/sh -e
+
+if [ -f /usr/share/grub/grub-mkconfig_lib ]; then
+ . /usr/share/grub/grub-mkconfig_lib
+else
+ # no grub file, so we notify and exit gracefully
+ echo "Cannot find grub config file, exiting." >&2
+ exit 0
+fi
+
+XEN_HYPERVISOR_CMDLINE="xsave=1"
+XEN_LINUX_CMDLINE="console=tty0"
+[ -r /etc/xen/grub.conf ] && . /etc/xen/grub.conf
+
+CLASS="--class gnu-linux --class gnu --class os"
+
+if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+ OS=GNU/Linux
+else
+ if [ "${GRUB_DISTRIBUTOR}" = "Parabola" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
+ elif [ "${GRUB_DISTRIBUTOR}" = "parabola" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
+ elif [ "${GRUB_DISTRIBUTOR}" = "Blag" ] ; then
+ OS="${GRUB_DISTRIBUTOR} Linux and GNU"
+ elif [ "${GRUB_DISTRIBUTOR}" = "blag" ] ; then
+ OS="${GRUB_DISTRIBUTOR} Linux and GNU"
+ elif [ "${GRUB_DISTRIBUTOR}" = "Musix" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU+Linux"
+ elif [ "${GRUB_DISTRIBUTOR}" = "musix" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU+Linux"
+ elif [ "${GRUB_DISTRIBUTOR}" = "Dragora" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
+ elif [ "${GRUB_DISTRIBUTOR}" = "dragora" ] ; then
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
+ else
+ OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+ fi
+ CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
+fi
+
+# loop-AES arranges things so that /dev/loop/X can be our root device, but
+# the initrds that Linux uses don't like that.
+case ${GRUB_DEVICE} in
+ /dev/loop/*|/dev/loop[0-9])
+ GRUB_DEVICE=`losetup ${GRUB_DEVICE} | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/"`
+ ;;
+esac
+
+if [ "x${GRUB_DEVICE_UUID}" = "x" ] || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
+ || ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+ || [ "`grub-probe -t abstraction --device ${GRUB_DEVICE} | sed -e 's,.*\(lvm\).*,\1,'`" = "lvm" ] ; then
+ LINUX_ROOT_DEVICE=${GRUB_DEVICE}
+else
+ LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
+fi
+
+xen_entry ()
+{
+ os="$1"
+ xen_version="$2"
+ version="$3"
+ xen_args="$4"
+ args="$5"
+ printf "menuentry 'Xen %s / %s, with Linux %s' --class xen ${CLASS} {\n" "${xen_version}" "${os}" "${version}"
+ save_default_entry | sed -e "s/^/\t/"
+
+ if [ -z "${prepare_boot_cache}" ]; then
+ prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | sed -e "s/^/\t/")"
+ fi
+ printf '%s\n' "${prepare_boot_cache}"
+ cat << EOF
+ echo '$(printf "Loading Xen %s ..." ${xen_version})'
+ multiboot ${rel_dirname}/${xen_basename} ${rel_dirname}/${xen_basename} ${xen_args}
+ echo $(printf "$(gettext "Loading Linux %s ...")" ${version})
+ module ${rel_dirname}/${basename} ${rel_dirname}/${basename} root=${linux_root_device_thisversion} rw ${args}
+EOF
+ if test -n "${initrd}" ; then
+ cat << EOF
+ echo "Loading initial ramdisk ..."
+ module ${rel_dirname}/${initrd}
+EOF
+ fi
+ cat << EOF
+}
+EOF
+}
+
+xen_list=`for i in /boot/xen-*.gz /xen-*.gz ; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i "; fi
+done`
+prepare_boot_cache=
+
+while [ "x$xen_list" != "x" ] ; do
+ xen=`version_find_latest $xen_list`
+ echo "Found Xen hypervisor image: $xen" >&2
+ xen_basename=`basename $xen`
+ xen_dirname=`dirname $xen`
+ rel_xen_dirname=`make_system_path_relative_to_its_root $xen_dirname`
+ xen_version=`echo $xen_basename | sed -e "s,^[^0-9]*-,,g" | sed -e "s,.gz,,g"`
+ alt_xen_version=`echo $xen_version | sed -e "s,\.old$,,g"`
+
+ list=`for i in /boot/vmlinuz-* /vmlinuz-*; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i "; fi
+ done`
+
+ while [ "x$list" != "x" ] ; do
+ linux=`version_find_latest $list`
+ echo -e "\tFound linux image: $linux" >&2
+ basename=`basename $linux`
+ dirname=`dirname $linux`
+ rel_dirname=`make_system_path_relative_to_its_root $dirname`
+ version=`echo $basename | sed -e "s,^[^0-9]*-,,g"`
+ base_init=`echo $basename | sed -e "s,vmlinuz,initramfs,g"`
+ alt_version="${base_init}-fallback"
+ linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
+ initrd=
+
+ for i in "${base_init}.img"; do
+ if test -e "${dirname}/${i}" ; then
+ initrd="$i"
+ break
+ fi
+ done
+ if test -n "${initrd}" ; then
+ echo -e "\tFound initrd image: ${dirname}/${initrd}" >&2
+ else
+ # "UUID=" magic is parsed by initrds. Since there's no initrd, it can't work here.
+ linux_root_device_thisversion=${GRUB_DEVICE}
+ fi
+
+ xen_entry "${OS}" "${xen_version}" "${version}" \
+ "${XEN_HYPERVISOR_CMDLINE}" \
+ "${XEN_LINUX_CMDLINE}"
+
+ list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
+ done
+
+ xen_list=`echo $xen_list | tr ' ' '\n' | grep -vx $xen | tr '\n' ' '`
+done
+
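Review bot: The multiboot line at L117 loads the hypervisor from `${rel_dirname}`, which is the Linux kernel's directory computed at L155, while `rel_xen_dirname` (L142) is computed for exactly this purpose and never read; since hypervisor images are scanned from both /boot and / (L132) and kernels likewise (L146), a xen image and a kernel living in different directories produce a menu entry whose multiboot path does not exist. The line should read `multiboot ${rel_xen_dirname}/${xen_basename} ${rel_xen_dirname}/${xen_basename} ${xen_args}`. Separately, `alt_xen_version` (L144) and `alt_version` (L158) are assigned but never used and the loop at L162 iterates over a single candidate, so no fallback-initramfs entry is ever emitted; either drop the dead assignments or actually generate a second entry from them so the script's intent is clear.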
diff --git a/kernels/xen/ChangeLog b/kernels/xen/ChangeLog
new file mode 100644
index 000000000..63c33c223
--- /dev/null
+++ b/kernels/xen/ChangeLog
@@ -0,0 +1,48 @@
+2013-11-25 David Sutton <kantras - gmail.com>
+ * 4.3.1-2:
+ Changed bluez dependancy from bluez4 to bluez
+ Added recent security patches
+
+2013-10-31 David Sutton <kantras - gmail.com>
+ * 4.3.1-1:
+ New upstream release
+ Removed unnecessary security patches (already merged)
+ Fixed BIOS Workaround patch to apply to the new source files
+ Fixed ATI Passthrough patch to apply to the new source files
+ Updated paths in all patches
+
+2013-09-29 David Sutton <kantras - gmail.com>
+ * 4.3.0-7:
+ Fixed optdepends in PKGBUILD
+ Added in a pre_remove function in xen.install to disable services
+ Minor text formating changes in xen.install
+ Added XSA 62,63,64 and 66 patches (Xen Security Advisories)
+
+2013-09-29 David Sutton <kantras - gmail.com>
+ * 4.3.0-6:
+ Fixed 09_xen so it can detect lts kernels
+
+2013-09-28 David Sutton <kantras - gmail.com>
+ * 4.3.0-5:
+ Fixed mount option in 09_xen from ro to rw
+ Added in dummy /etc/xen/grub.conf to control settings in 09_xen
+ Fix library sanitize so that it returns to the base directory
+ Move the syms file to /usr/share/xen so that it is out of the way of boot but still accessible
+ Added optional dependancy for openvswitch
+
+2013-08-13 David Sutton <kantras - gmail.com>
+ * 4.3.0-4 :
+ Added patch for qemu-xen to add a TOM register for PCI Hole mapping
+ Protected /etc/conf.d/xendomains from being overwritten
+ Included ATI Passthrough patch (not enabled by default, compile tested only)
+
+2013-07-23 David Sutton <kantras - gmail.com>
+
+ * 4.3.0-3 :
+ added ChangeLog.
+ Cleaned up PKGBUILD to match Parabola Package Standards
+ Fixed some path references - /var/run to /run
+ Removed some unnecessary empty directories
+ Updated xenconsoled and xenstored so they use /run for pid file
+ Updated auto-created /run directories to include xenstored
+
diff --git a/kernels/xen/IVRS-debug.patch b/kernels/xen/IVRS-debug.patch
new file mode 100644
index 000000000..5f6813cb9
--- /dev/null
+++ b/kernels/xen/IVRS-debug.patch
@@ -0,0 +1,14 @@
+--- a/xen/drivers/passthrough/amd/iommu_acpi.c 2013-07-09 05:46:56.000000000 -0500
++++ b/xen/drivers/passthrough/amd/iommu_acpi.c 2013-08-31 01:26:18.614846438 -0500
+@@ -651,9 +651,9 @@
+ return 0;
+ }
+
+- AMD_IOMMU_DEBUG("IVHD Special: %04x:%02x:%02x.%u variety %#x handle %#x\n",
++ AMD_IOMMU_DEBUG("IVHD Special: %04x:%02x:%02x.%u variety %#x handle %#x used_id %#x\n",
+ seg, PCI_BUS(bdf), PCI_SLOT(bdf), PCI_FUNC(bdf),
+- special->variety, special->handle);
++ special->variety, special->handle, special->used_id);
+ add_ivrs_mapping_entry(bdf, bdf, special->header.data_setting, iommu);
+
+ switch ( special->variety )
diff --git a/kernels/xen/PKGBUILD b/kernels/xen/PKGBUILD
new file mode 100644
index 000000000..6ff16c8cd
--- /dev/null
+++ b/kernels/xen/PKGBUILD
@@ -0,0 +1,191 @@
+# Maintainer: David Sutton <kantras - gmail.com>
+# Contributor: Limao Luo
+# Contributor: Luceo
+# Contributor: Revellion
+# Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
+
+pkgname=xen
+pkgver=4.3.1
+pkgrel=2
+pkgdesc="Virtual Machine Hypervisor & Tools (Parabola rebranded)"
+arch=(i686 x86_64)
+url="http://www.xenproject.org/"
+license=(GPL2)
+depends=(bin86 bluez bridge-utils curl e2fsprogs gnutls iproute2 libaio libcap-ng libiscsi libjpeg-turbo libpng lzo2 nss pixman pciutils python python2 sdl wget vde2 yajl)
+[[ "$CARCH" == "x86_64" ]] && depends+=(lib32-glibc)
+makedepends=(cmake dev86 git iasl markdown ocaml-findlib)
+optdepends=('xen-docs: Official Xen Documentation' 'openvswitch: Optional Networking support')
+conflicts=(xen-4.2{,-testing-hg} xen-{gdbsx,hg-unstable,rc,git} xen-4.3{,-testing-hg})
+backup=(etc/$pkgname/xend-{config,pci-{permissive,quirks}}.sxp etc/modules-load.d/$pkgname.conf etc/$pkgname/xl.conf etc/conf.d/xen{stored,consoled,domains} etc/default/xencommons etc/$pkgname/grub.conf)
+options=(!buildflags !strip)
+install=$pkgname.install
+changelog=ChangeLog
+source=(http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
+ xen.install
+ 09_xen
+ bios_workaround.patch
+ xendomains.patch
+ TOM-register.patch
+ ati-passthrough.patch
+ IVRS-debug.patch
+ proc-xen.mount
+ var-lib-xenstored.mount
+ xenconsoled.service
+ conf.d-xenconsoled
+ xendomains.service
+ xendomU@.service
+ xenstored.service
+ conf.d-xenstored
+ tmpfiles.d-$pkgname.conf
+ grub.conf
+ xsa73-4.3-unstable.patch
+ xsa75-4.3-unstable.patch
+ xsa78.patch
+ $pkgname.conf)
+sha256sums=('3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd'
+ '0f6ebf3437974d1708c9e74005b976479ab8ff28adec394208153bf404b411f8'
+ '74a957d783458b7481c7a09c3ed94ec2e07ee7943e4b7fa33d3684b8d585139e'
+ '914cc983da1fe89ff125d751c979b4968f8952da21b19b900fcd4e6b33e14552'
+ '1938ca36bfb62c76ad0642147017ecfaa64588abaa2d88e868f501c4ae83bfd9'
+ '0fa9426cc499ea3d6e1aa33a8be0e180aed87936814b9b88bb0ef42f6983654a'
+ 'd93c2d5bcdf0c3e4c6e8efb357cb4b9d618209025361f5ccd9d03651a8acd7a3'
+ '54883171ff9cf5f342a2be5c944df16902ef06b6f2d015b675fa9bd5ed899c7c'
+ '139eed988bfaf8edc8ccdfd0b668382bd63db48ce17be91776182a7e28e9d88c'
+ 'c19146931c6ab8e53092bd9b2ebbfda5c76fd22ad3b1d42dcda3dd1b61f123ff'
+ 'e4af7891e816b9549ebeff766a78036626c0e278734e5625b8e7d68729530ded'
+ '48d76cc6f25caa79b3f527c96a0883b1decb9012f6616f61336c8d43791bf007'
+ '0bd45d9de6456c4f9adf32e726f2db3a3cd0423c1d161b442e8a1666d2e68e3f'
+ '012cc60ffdcb0e061d04d404eb9232734554aef4dc4b551f66adf82a655e6e41'
+ '8ee5c5a14064fc2bbfd38d0ec8a6001f541bbe56b9fb534733209a8af148b297'
+ '0e1ad0a6a72b0c22025a556c23235a8f663427f1e769c45fe39d1c525bf82eff'
+ '40e0760810a49f925f2ae9f986940b40eba477dc6d3e83a78baaae096513b3cf'
+ '78398fb27edfedb432b5f4e4bf87b5dbee41f180c623d29f758234a49d8bf4b4'
+ '18f62049d714c3460df1f698663e42d0f8a16b9b4f62e66b40fdea635a348be5'
+ '4bac312d49a4a88633af652c09128ba1bba2ca97e2e56e5fe7da6e4671c56ccb'
+ 'bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3'
+ '50a9b7fd19e8beb1dea09755f07318f36be0b7ec53d3c9e74f3266a63e682c0c')
+sha512sums=('f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275'
+ '78bfb62166ffcf136e12985809b3f412e0145a7f17388a559071f644970ccdfd2a02fe9aa4a180069b923c2e4354b061a4057096de856497f10d9cac57eae4b3'
+ '8667a97e10f09c5ce5ba604e38a073b7d7944f4d24c5c78a7235443b65a8cc7b6e7de90e40aa335bb17fda0858d6b517ba1e8b5a0bd6bba4ad75ad44b73f6c9c'
+ '7118bf02ff5338e70b3f27f8ea390cd05ea37a4ceabb4adc9d32fc57329e35e98330f0e865261dd4e670436e1a725832598888d44b1e2b17b351f59318860878'
+ '440b3967bf0f0cecde42111bc602f591edeadfdf7044f1f181029b0ded5fb8fa9d640bc4a4a57daadd350594f86065120ea5e4d833004590a8bfe0ee88b4c316'
+ 'b89f524015c1299c7b19573ae0637f9d33613f3fdbb3d978a07d294ee18a657bd124852f1cbb85e6d1382aca42ed799e8ee245a161340bb4b759eeccce28df7d'
+ 'c30a4cbdc942ae36364830ab604ecb46a68466bfbaaef2740aa805acf9e432a0dd7877593d6211437db4d2e7c2deb15f301d5a5571fd28936f01228f13256d3f'
+ 'e8392dbc66bf83b887de963416b1fe9a4eeccb8faca78c6fc1dd4243544b871625d43423f03d19cf91d80295d43073904c9dbe37241e7432b69566b05b267391'
+ '6afdf16e32bb837faf6333334f86855a746f1f46fee9673a4fddc62eecf41f9856bc34397807203c6f5071f0b1ce74532214084042154585c0d39514450db25c'
+ '00e340f4d3635e3850ca24baea1da08467523c17815feb74161e18397b607fef904db2165fd9bf4632a6e8a6e37aeddad4e56965e1c99b5213c98b3f9afc6aad'
+ '580e0645d7f157928f137f3d8b38d3e2834cb5fa091dbcd28217bbaed494415a35c8973487a1eec726c2f49c8b11d4dd28fdcbe75f14c91a4474cacd8dfb2e99'
+ 'a0bbd9c14ee0f2b9dc9cf304b531aaefde545e56b4ce4847f12faab4952520ce857a92765ae3a1b25ebd2b7511bb24fc820864d7342ac43a311d8c6551958895'
+ 'f00034f8b826b828659a0177f0a6454113c625e69a817dfe32e461767f6643e0288bfc2a22d23358504240df627af6e3b8f5ffa0077e241e590b33d3f252e74c'
+ 'f21cc17009957797630c2e82630b5e93ceac8fdadc5eaa3abf0510ca81a49e5680a80ece63b248354122c5fd5d40c9a495fad15e307a694936fa062e984158c4'
+ '9e95e05ac7cce383530ede0f8f75b4f8990c7d7d55ef59f3e37c64a75ccc012475595bc1123bc4c2072dd2c1c2f4b744f26d6adb799f7a068195aadde383af89'
+ 'c996d48737ad31528b0b2b1379e3ebae948d290de9ddc71f33c7c56f0634466bc7afb2eab847e851c19e3c13bb99468a0778d908606486959a40ff3272189bd3'
+ '53ba61587cc2e84044e935531ed161e22c36d9e90b43cab7b8e63bcc531deeefacca301b5dff39ce89210f06f1d1e4f4f5cf49d658ed5d9038c707e3c95c66ef'
+ '04000a802e96c11929cb94c9a2bcafbb4307620192388441d979ea85836c3395954dea53d449c1cc25c3a0a30c49d318b8de59a053c6254f5a81e87864648a9c'
+ '78c94d3e473abaf857213754c7f0ef1a0dd06354cd137d1567a48d92b4106cbefd112f1dcecc90bc1f8c75d76a0e8a3425408f777044de8ec754bcda32bb7f97'
+ '4fb6f678dccc9f23f2c3b27617718bc6c0a87505f7483f4d07563b7b2cc37d57d3b5ef658ee5867258916c5c2695a5086cc7790196aed85357c6d3168c06749b'
+ 'b55cb25f88acc348e6777063f241269730f06482fe430706ac500cbd7127bc7c70188f84a282dc8a0369cc838999d47a09afc33fc9f24b5c214bdf59352c414c'
+ 'ccaa2ff82e4203b11e5dec9aeccac2e165721d8067e0094603ecaa7a70b78c9eb9e2287a32687883d26b6ceae6f8d2ad7636ddf949eb658637b3ceaa6999711b')
+
+prepare() {
+ cd $pkgname-$pkgver/
+
+ ### Patching
+ patch -Np1 -i ../xendomains.patch
+ patch -Np1 -i ../TOM-register.patch
+
+ # Uncomment line below if you have a bios which is reporting bad IVRS data
+ #patch -Np1 -i ../bios_workaround.patch
+ #patch -Np1 -i ../IVRS-debug.patch
+
+ # Uncomment line below if you want to enable ATI Passthrough support (some reported successes)
+ #patch -Np1 -i ../ati-passthrough.patch
+
+ # Add Security Patches
+ patch -Np1 -i ../xsa73-4.3-unstable.patch
+ patch -Np1 -i ../xsa75-4.3-unstable.patch
+ patch -Np1 -i ../xsa78.patch
+
+ # Fix Install Paths
+ sed -i 's:/sbin:/bin:' config/StdGNU.mk
+
+}
+
+build() {
+ export CFLAGS+='-Wall -Wstrict-prototypes -Wno-unused-local-typedefs -Wno-sizeof-pointer-memaccess'
+ cd $pkgname-$pkgver/
+ ./autogen.sh
+ ./configure PYTHON=/usr/bin/python2 --prefix=/usr --localstatedir=/run
+ unset CFLAGS
+}
+
+package() {
+ cd $pkgname-$pkgver/
+
+ make DESTDIR="$pkgdir" LANG=C PYTHON=python2 install-{xen,tools,stubdom}
+
+ cd ../
+ for f in ${source[@]}; do
+ [[ $f =~ .mount || $f =~ .service ]] && install -Dm644 $f "$pkgdir"/usr/lib/systemd/system/$f
+ done
+ install -Dm644 tmpfiles.d-$pkgname.conf "$pkgdir"/usr/lib/tmpfiles.d/$pkgname.conf
+ install -Dm644 $pkgname.conf "$pkgdir"/etc/modules-load.d/$pkgname.conf
+ install -Dm644 conf.d-xenstored "$pkgdir"/etc/conf.d/xenstored
+ install -Dm644 conf.d-xenconsoled "$pkgdir"/etc/conf.d/xenconsoled
+ install -Dm644 grub.conf "$pkgdir"/etc/xen/grub.conf
+ install -Dm755 09_xen "$pkgdir"/etc/grub.d/09_xen
+
+ cd "$pkgdir"
+
+ # Fix paths in scripts, move to right locations and create missing directories
+ sed -i 's:/var/lock:/run/lock:' etc/init.d/xendomains
+ sed -i 's:/var/lock:/run/lock:' etc/init.d/xend
+ sed -i 's:/var/lock:/run/lock:' etc/xen/scripts/hotplugpath.sh
+ sed -i 's:/var/run:/run:' etc/xen/scripts/hotplugpath.sh
+ mv etc/{init,rc}.d
+ mv etc/rc.d/xendomains etc/xen/scripts/xendomains
+ mv etc/default/xendomains etc/conf.d/xendomains
+ mv var/xen/dump var/lib/xen/
+ mkdir var/log/xen/console
+
+ # Sanitize library path (if lib64 exists)
+ if [[ -d usr/lib64 ]]; then
+ cd usr/
+ cp -r lib64/* lib/
+ rm -rf lib64
+ cd ../
+ fi
+
+ # Compress and move syms file to a different directory
+ if [ "$CARCH" == "x86_64" ]; then
+ gzip boot/$pkgname-syms-$pkgver
+ mv boot/$pkgname-syms-$pkgver.gz usr/share/xen
+ fi
+
+ ##### Kill unwanted stuff #####
+ # hypervisor symlinks
+ rm -f boot/xen{,-4,-4.3}.gz
+
+ # Documentation cleanup ( see xen-docs package )
+ rm -rf usr/share/doc
+ rm -rf usr/share/xen/man
+
+ # Pointless helper cleanup
+ rm -f usr/bin/xen-python-path
+ rm -rf usr/libexec
+
+ # Unnecessary qemu support files
+ rm -rf usr/bin/qemu-*-xen
+ rm usr/share/qemu-xen/qemu/{palcode,openbios}-*
+ rm usr/share/xen/qemu/openbios-*
+
+ # Clean up udev rules naming, remove depreciated xend.rules
+ mv etc/udev/rules.d/xen-backend.rules etc/udev/rules.d/40-xen-backend.rules
+ rm etc/udev/rules.d/xend.rules
+
+ # Clean up left over empty directories
+ rm -rf var/run var/lock var/xen
+
+ # adhere to Static Library Packaging Guidelines
+ rm -rf usr/lib/*.a
+}
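Review bot: The compiler never sees the warning flags exported in build(): build() (L378-L384) only runs configure and then `unset CFLAGS`, while the actual compilation happens in package() via `make ... install-{xen,tools,stubdom}` (L389), so `export CFLAGS+=...` only influences configure's probes. That `+=` also lacks a leading space, so a non-empty inherited CFLAGS would become one fused token such as `-O2-Wall`. Either run `make PYTHON=python2 xen tools stubdom` in build() with the flags exported there and leave only the install step in package(), or export the flags where make runs. Note also that `options=(!buildflags)` (L284) opts the whole dom0 toolstack (xenstored, xenconsoled, libxl, qemu-xen) out of makepkg's default CFLAGS/LDFLAGS — presumably the distribution's stack-protector/FORTIFY/RELRO hardening — which is a real loss for daemons that parse guest-controlled data; if Xen's build breaks with those flags, pass them through the tree's own EXTRA_CFLAGS_* knobs (if this version has them) rather than dropping hardening wholesale. The tarball is fetched over plain http and pinned only by sha256/sha512; if upstream publishes a detached signature, adding it as a source with `validpgpkeys` would verify provenance rather than just integrity.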
diff --git a/kernels/xen/TOM-register.patch b/kernels/xen/TOM-register.patch
new file mode 100644
index 000000000..88bedbbc0
--- /dev/null
+++ b/kernels/xen/TOM-register.patch
@@ -0,0 +1,187 @@
+--- xen-4.3.1/tools/qemu-xen/hw/pc.h
++++ xen-4.3.1-new/tools/qemu-xen/hw/pc.h
+@@ -128,15 +128,14 @@ extern int no_hpet;
+ struct PCII440FXState;
+ typedef struct PCII440FXState PCII440FXState;
+
++#define I440FX_TOM 0xe0000000
++#define I440FX_XEN_TOM 0xf0000000
++
+ PCIBus *i440fx_init(PCII440FXState **pi440fx_state, int *piix_devfn,
+ ISABus **isa_bus, qemu_irq *pic,
+ MemoryRegion *address_space_mem,
+ MemoryRegion *address_space_io,
+ ram_addr_t ram_size,
+- hwaddr pci_hole_start,
+- hwaddr pci_hole_size,
+- hwaddr pci_hole64_start,
+- hwaddr pci_hole64_size,
+ MemoryRegion *pci_memory,
+ MemoryRegion *ram_memory);
+
+--- xen-4.3.1/tools/qemu-xen/hw/pc_piix.c
++++ xen-4.3.1-new/tools/qemu-xen/hw/pc_piix.c
+@@ -92,9 +92,9 @@ static void pc_init1(MemoryRegion *system_memory,
+ kvmclock_create();
+ }
+
+- if (ram_size >= 0xe0000000 ) {
+- above_4g_mem_size = ram_size - 0xe0000000;
+- below_4g_mem_size = 0xe0000000;
++ if (ram_size >= I440FX_TOM) {
++ above_4g_mem_size = ram_size - I440FX_TOM;
++ below_4g_mem_size = I440FX_TOM;
+ } else {
+ above_4g_mem_size = 0;
+ below_4g_mem_size = ram_size;
+@@ -129,12 +129,6 @@ static void pc_init1(MemoryRegion *system_memory,
+ if (pci_enabled) {
+ pci_bus = i440fx_init(&i440fx_state, &piix3_devfn, &isa_bus, gsi,
+ system_memory, system_io, ram_size,
+- below_4g_mem_size,
+- 0x100000000ULL - below_4g_mem_size,
+- 0x100000000ULL + above_4g_mem_size,
+- (sizeof(hwaddr) == 4
+- ? 0
+- : ((uint64_t)1 << 62)),
+ pci_memory, ram_memory);
+ } else {
+ pci_bus = NULL;
+--- xen-4.3.1/tools/qemu-xen/hw/piix_pci.c
++++ xen-4.3.1-new/tools/qemu-xen/hw/piix_pci.c
+@@ -86,6 +86,14 @@ struct PCII440FXState {
+ #define I440FX_PAM_SIZE 7
+ #define I440FX_SMRAM 0x72
+
++/* The maximum vaule of TOM(top of memory) register in I440FX
++ * is 1G, so it doesn't meet any popular virutal machines, so
++ * define another register to report the base of PCI memory.
++ * Use one byte 0xb0 for the upper 8 bit, they are originally
++ * resevered for host bridge.
++ * */
++#define I440FX_PCI_HOLE_BASE 0xb0
++
+ static void piix3_set_irq(void *opaque, int pirq, int level);
+ static PCIINTxRoute piix3_route_intx_pin_to_irq(void *opaque, int pci_intx);
+ static void piix3_write_config_xen(PCIDevice *dev,
+@@ -101,6 +109,43 @@ static int pci_slot_get_pirq(PCIDevice *pci_dev, int pci_intx)
+ return (pci_intx + slot_addend) & 3;
+ }
+
++
++static void i440fx_update_pci_mem_hole(PCII440FXState *f, bool del)
++{
++ ram_addr_t above_4g_mem_size;
++ hwaddr pci_hole_start, pci_hole_size, pci_hole64_start, pci_hole64_size;
++
++ pci_hole_start = pci_default_read_config(&f->dev, I440FX_PCI_HOLE_BASE, 1) << 24;
++ pci_hole_size = 0x100000000ULL - pci_hole_start;
++
++ if (ram_size >= pci_hole_start) {
++ above_4g_mem_size = ram_size - pci_hole_start;
++ } else {
++ above_4g_mem_size = 0;
++ }
++ pci_hole64_start = 0x100000000ULL + above_4g_mem_size;
++ pci_hole64_size = sizeof(hwaddr) == 4 ? 0 : ((uint64_t)1 << 62);
++
++ if (del) {
++ memory_region_del_subregion(f->system_memory, &f->pci_hole);
++ if (pci_hole64_size) {
++ memory_region_del_subregion(f->system_memory, &f->pci_hole_64bit);
++ }
++ }
++
++ memory_region_init_alias(&f->pci_hole, "pci-hole", f->pci_address_space,
++ pci_hole_start, pci_hole_size);
++ memory_region_add_subregion(f->system_memory, pci_hole_start, &f->pci_hole);
++ memory_region_init_alias(&f->pci_hole_64bit, "pci-hole64",
++ f->pci_address_space,
++ pci_hole64_start, pci_hole64_size);
++ if (pci_hole64_size) {
++ memory_region_add_subregion(f->system_memory, pci_hole64_start,
++ &f->pci_hole_64bit);
++ }
++}
++
++
+ static void i440fx_update_memory_mappings(PCII440FXState *d)
+ {
+ int i;
+@@ -136,6 +181,9 @@ static void i440fx_write_config(PCIDevice *dev,
+ range_covers_byte(address, len, I440FX_SMRAM)) {
+ i440fx_update_memory_mappings(d);
+ }
++ if (range_covers_byte(address, len, I440FX_PCI_HOLE_BASE)) {
++ i440fx_update_pci_mem_hole(d, true);
++ }
+ }
+
+ static int i440fx_load_old(QEMUFile* f, void *opaque, int version_id)
+@@ -203,6 +251,10 @@ static int i440fx_initfn(PCIDevice *dev)
+
+ d->dev.config[I440FX_SMRAM] = 0x02;
+
++ /* Emulate top of memory, here use 0xe0000000 as default val*/
++ uint32_t addr = xen_enabled() ? I440FX_XEN_TOM : I440FX_TOM;
++ pci_set_byte(dev->config + I440FX_PCI_HOLE_BASE, (uint8_t)(addr >> 24));
++
+ cpu_smm_register(&i440fx_set_smm, d);
+ return 0;
+ }
+@@ -214,10 +266,6 @@ static PCIBus *i440fx_common_init(const char *device_name,
+ MemoryRegion *address_space_mem,
+ MemoryRegion *address_space_io,
+ ram_addr_t ram_size,
+- hwaddr pci_hole_start,
+- hwaddr pci_hole_size,
+- hwaddr pci_hole64_start,
+- hwaddr pci_hole64_size,
+ MemoryRegion *pci_address_space,
+ MemoryRegion *ram_memory)
+ {
+@@ -244,16 +292,6 @@ static PCIBus *i440fx_common_init(const char *device_name,
+ f->system_memory = address_space_mem;
+ f->pci_address_space = pci_address_space;
+ f->ram_memory = ram_memory;
+- memory_region_init_alias(&f->pci_hole, "pci-hole", f->pci_address_space,
+- pci_hole_start, pci_hole_size);
+- memory_region_add_subregion(f->system_memory, pci_hole_start, &f->pci_hole);
+- memory_region_init_alias(&f->pci_hole_64bit, "pci-hole64",
+- f->pci_address_space,
+- pci_hole64_start, pci_hole64_size);
+- if (pci_hole64_size) {
+- memory_region_add_subregion(f->system_memory, pci_hole64_start,
+- &f->pci_hole_64bit);
+- }
+ memory_region_init_alias(&f->smram_region, "smram-region",
+ f->pci_address_space, 0xa0000, 0x20000);
+ memory_region_add_subregion_overlap(f->system_memory, 0xa0000,
+@@ -295,6 +333,7 @@ static PCIBus *i440fx_common_init(const char *device_name,
+ (*pi440fx_state)->dev.config[0x57]=ram_size;
+
+ i440fx_update_memory_mappings(f);
++ i440fx_update_pci_mem_hole(f, false);
+
+ return b;
+ }
+@@ -304,10 +343,6 @@ PCIBus *i440fx_init(PCII440FXState **pi440fx_state, int *piix3_devfn,
+ MemoryRegion *address_space_mem,
+ MemoryRegion *address_space_io,
+ ram_addr_t ram_size,
+- hwaddr pci_hole_start,
+- hwaddr pci_hole_size,
+- hwaddr pci_hole64_start,
+- hwaddr pci_hole64_size,
+ MemoryRegion *pci_memory, MemoryRegion *ram_memory)
+
+ {
+@@ -315,8 +350,6 @@ PCIBus *i440fx_init(PCII440FXState **pi440fx_state, int *piix3_devfn,
+
+ b = i440fx_common_init("i440FX", pi440fx_state, piix3_devfn, isa_bus, pic,
+ address_space_mem, address_space_io, ram_size,
+- pci_hole_start, pci_hole_size,
+- pci_hole64_start, pci_hole64_size,
+ pci_memory, ram_memory);
+ return b;
+ }
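Review bot: `i440fx_update_pci_mem_hole` derives the new hole base from config byte 0xb0 (L538) without any validation, and `i440fx_write_config` (L576-L578, whose body starts outside the hunk) remaps on every write to that byte, so any guest code with PCI config access — not only hvmloader, which is presumably the intended writer — can set the hole start to 0 or anywhere below the low-RAM top that pc_init1 still computes from the fixed I440FX_TOM (L492-L494), adding a pci_address_space alias into system_memory over whatever is already mapped there. The write path should reject a start below the low-RAM top the device model knows about and restore the previous byte on rejection, instead of trusting the guest to pick a sane value. The `del` path also calls memory_region_del_subregion and then re-runs memory_region_init_alias on the same embedded regions with no memory_region_destroy in between; if init allocates per-region state (it presumably copies the name), every guest write leaks a little in the device model, so destroy the old alias before re-initialising it. A comment at `#define I440FX_PCI_HOLE_BASE 0xb0` stating that the byte is guest-writable and who is expected to program it would make the trust boundary explicit.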
diff --git a/kernels/xen/ati-passthrough.patch b/kernels/xen/ati-passthrough.patch
new file mode 100644
index 000000000..7c20b1ecd
--- /dev/null
+++ b/kernels/xen/ati-passthrough.patch
@@ -0,0 +1,415 @@
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pass-through.c Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pass-through.c Sat Nov 24 08:27:07 2012
+@@ -1438,9 +1438,17 @@ static void pt_ioport_map(PCIDevice *d,
+ if (e_phys != -1)
+ {
+ /* Create new mapping */
+- ret = xc_domain_ioport_mapping(xc_handle, domid, e_phys,
+- assigned_device->bases[i].access.pio_base, e_size,
+- DPCI_ADD_MAPPING);
++ if ( vga_skip_ioport_map(d) )
++ {
++ assigned_device->bases[i].e_physbase = -1;
++ }
++ else
++ {
++ ret = xc_domain_ioport_mapping(xc_handle, domid, e_phys,
++ assigned_device->bases[i].access.pio_base, e_size,
++ DPCI_ADD_MAPPING);
++ }
++
+ if ( ret != 0 )
+ {
+ PT_LOG("Error: create new mapping failed!\n");
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pass-through.h Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pass-through.h Sat Nov 24 08:27:07 2012
+@@ -419,6 +419,11 @@ int pt_pci_host_write(struct pci_dev *pc
+ void intel_pch_init(PCIBus *bus);
+ int register_vga_regions(struct pt_dev *real_device);
+ int unregister_vga_regions(struct pt_dev *real_device);
++int vga_skip_ioport_map(PCIDevice *d);
++int igd_register_vga_regions(struct pt_dev *real_device);
++int igd_unregister_vga_regions(struct pt_dev *real_device);
++int ati_register_vga_regions(struct pt_dev *real_device);
++int ati_unregister_vga_regions(struct pt_dev *real_device);
+ int setup_vga_pt(struct pt_dev *real_device);
+ PCIBus *intel_pci_bridge_init(PCIBus *bus, int devfn, uint16_t vid,
+ uint16_t did, const char *name, uint16_t revision);
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pci.h Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pci.h Sat Nov 24 08:27:07 2012
+@@ -54,6 +54,8 @@ extern target_phys_addr_t pci_mem_base;
+
+ #define PCI_VENDOR_ID_CIRRUS 0x1013
+
++#define PCI_VENDOR_ID_ATI 0x1002
++
+ #define PCI_VENDOR_ID_IBM 0x1014
+ #define PCI_DEVICE_ID_IBM_OPENPIC2 0xffff
+
+--- xen-4.3.1/tools/qemu-xen-traditional/hw/pt-graphics.c Thu Sep 6 11:05:30 2012
++++ xen-4.3.1-new/tools/qemu-xen-traditional/hw/pt-graphics.c Sat Nov 24 08:28:10 2012
+@@ -13,6 +13,207 @@
+
+ extern int gfx_passthru;
+ extern int igd_passthru;
++/*********************************/
++/* Code for ATI GFX Passthru */
++/*********************************/
++/* ATI VBIOS Working Mechanism
++ *
++ * Generally there are three memory resources (two MMIO and one PIO)
++ * associated with modern ATI gfx. VBIOS uses special tricks to figure out
++ * BARs, instead of using regular PCI config space read.
++ *
++ * (1) VBIOS relies on I/O port 0x3C3 to retrieve PIO BAR
++ * (2) VBIOS maintains a shadow copy of PCI configure space. It retries the
++ * MMIO BARs from this shadow copy via sending I/O requests to first two
++ * registers of PIO (MMINDEX and MMDATA). The workflow is like this:
++ * MMINDEX (register 0) is written with an index value, specifying the
++ * register VBIOS wanting to access. Then the shadowed data can be
++ * read/written from MMDATA (register 1). For two MMIO BARs, the index
++ * values are 0x4010 and 0x4014 respectively.
++ *
++ */
++
++#define ATI_BAR1_INDEX 0 //MMIO BAR1
++#define ATI_BAR2_INDEX 1 //MMIO BAR2
++#define ATI_BAR5_INDEX 4 //PIO BAR == BAR5
++
++#define ATI_BAR1_MMINDEX 0x4010 //data written to MMINDEX for MMIO BAR1
++#define ATI_BAR2_MMINDEX 0x4014 //data written to MMINDEX FOR MMIO BAR2
++
++struct ati_gfx_info {
++ int initialized; /* initialized already? */
++
++ /* PIO */
++ uint32_t host_pio_base; /* host base addr of PIO */
++ uint32_t guest_pio_base; /* guest base addr of PIO */
++ uint32_t pio_size; /* PIO size */
++
++ /* MMIO */
++ uint32_t guest_mmio_base1; /* guest base addr of MMIO 1 */
++ uint32_t guest_mmio_base2; /* guest base addr of MMIO 2 */
++
++ /* PIO MMINDEX access recording */
++ uint32_t pre_mmindex_data; /* previous data written to MMINDEX */
++};
++
++static struct ati_gfx_info gfx_info;
++
++/* Convert guest PIO port to host PIO port */
++static uint16_t gport_to_hport(uint16_t gport)
++{
++ return (gport - gfx_info.guest_pio_base) + gfx_info.host_pio_base;
++}
++
++/* Read host PIO port */
++static uint32_t ati_hw_in(uint16_t hport)
++{
++ unsigned val;
++
++ //iopl(3);
++ asm volatile ("in %1,%0":"=a"(val):"Nd"(hport));
++ //iopl(0);
++
++ return val;
++}
++
++/* Write data to host PIO */
++static void ati_hw_out(uint16_t hport, uint32_t data)
++{
++ //iopl(3);
++ asm volatile ("out %1, %0"::"Nd"(hport),"a"(data));
++ //iopl(0);
++}
++
++static uint32_t ati_io_regs_read(void *opaque, uint32_t addr)
++{
++ uint32_t val;
++
++ val = ati_hw_in(gport_to_hport(addr));
++
++ /* tweak the value if VBIOS is reading MMIO BAR1 and BAR2 */
++ if ( addr == (gfx_info.guest_pio_base + 4) )
++ {
++ switch ( gfx_info.pre_mmindex_data )
++ {
++ case ATI_BAR1_MMINDEX:
++ val = gfx_info.guest_mmio_base1 | (val & 0x0000000f);
++ break;
++ case ATI_BAR2_MMINDEX:
++ val = gfx_info.guest_mmio_base2 | (val & 0x0000000f);
++ break;
++ default:
++ break;
++ }
++ }
++
++ return val;
++}
++
++static void ati_io_regs_write(void *opaque, uint32_t addr, uint32_t val)
++{
++ ati_hw_out(gport_to_hport(addr), val);
++
++ /* book keeping */
++ if ( addr == gfx_info.guest_pio_base )
++ gfx_info.pre_mmindex_data = val;
++}
++
++static void ati_gfx_init(struct pt_dev *assigned)
++{
++ PCIDevice *dev = (PCIDevice *)&assigned->dev;
++
++ register_ioport_read(dev->io_regions[ATI_BAR5_INDEX].addr,
++ dev->io_regions[ATI_BAR5_INDEX].size, 4, ati_io_regs_read, assigned);
++
++ register_ioport_write(dev->io_regions[ATI_BAR5_INDEX].addr,
++ dev->io_regions[ATI_BAR5_INDEX].size, 4, ati_io_regs_write, assigned);
++
++ /* initialize IO registers */
++ gfx_info.guest_pio_base = dev->io_regions[ATI_BAR5_INDEX].addr;
++ gfx_info.pio_size = dev->io_regions[ATI_BAR5_INDEX].size;
++ gfx_info.host_pio_base = assigned->bases[ATI_BAR5_INDEX].access.pio_base;
++
++ gfx_info.guest_mmio_base1 = dev->io_regions[ATI_BAR1_INDEX].addr;
++ gfx_info.guest_mmio_base2 = dev->io_regions[ATI_BAR2_INDEX].addr;
++ gfx_info.initialized = 1;
++
++ PT_LOG("guest_pio_bar = 0x%x, host_pio_bar = 0x%x, pio_size=0x%x "
++ "guest_mmio_bar1=0x%x, guest_mmio_bar2=0x%x\n",
++ gfx_info.guest_pio_base, gfx_info.host_pio_base, gfx_info.pio_size,
++ gfx_info.guest_mmio_base1, gfx_info.guest_mmio_base2);
++}
++
++static uint32_t ati_legacy_io_read(void *opaque, uint32_t addr)
++{
++ struct pt_dev *assigned_device = opaque;
++ PCIDevice *dev = (PCIDevice *)&assigned_device->dev;
++ uint32_t val = 0xFF;
++
++ switch( addr )
++ {
++ case 0x3c3:
++ val = dev->io_regions[ATI_BAR5_INDEX].addr >> 8;
++ /* Intercept GFX IO registers. This supposes to happen in
++ * ati_register_vga_regions(). But we cannot get guest phys IO BAR
++ * over there. */
++ if ( !gfx_info.initialized )
++ ati_gfx_init(assigned_device);
++ break;
++ default:
++ PT_LOG("ERROR: port 0x%x I/O read not handled\n", addr);
++ break;
++ }
++
++ return val;
++}
++
++static void ati_legacy_io_write(void *opaque, uint32_t addr, uint32_t val)
++{
++ PT_LOG("ERROR: port 0x%x I/O write not handled\n", addr);
++}
++
++int ati_register_vga_regions(struct pt_dev *real_device)
++{
++ PCIDevice *dev = (PCIDevice *)&real_device->dev;
++ int ret = 0;
++
++ /* We need to intercept VBIOS accesses to port 0x3C3, which returns
++ * device port I/O BAR. For the rest of legacy I/O ports, we allow direct
++ * accesses.
++ */
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x3, DPCI_ADD_MAPPING);
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C4,
++ 0x3C4, 0x1C, DPCI_ADD_MAPPING);
++
++ register_ioport_read(0x3c3, 1, 1, ati_legacy_io_read, real_device);
++ register_ioport_write(0x3c3, 1, 1, ati_legacy_io_write, real_device);
++
++ /* initialized on the first port 0x3C3 access in ati_gfx_init */
++ gfx_info.initialized = 0;
++
++ return ret;
++}
++
++int ati_unregister_vga_regions(struct pt_dev *real_device)
++{
++ int ret = 0;
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x3, DPCI_REMOVE_MAPPING);
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C4,
++ 0x3C4, 0x1C, DPCI_REMOVE_MAPPING);
++
++ gfx_info.initialized = 0;
++
++ return ret;
++}
++
++/*********************************/
++/* Code for Intel IGD Passthru */
++/*********************************/
+
+ static uint32_t igd_guest_opregion = 0;
+
+@@ -176,6 +377,77 @@ read_default:
+ return pci_default_read_config(pci_dev, config_addr, len);
+ }
+
++int igd_register_vga_regions(struct pt_dev *real_device)
++{
++ u32 vendor_id, igd_opregion;
++ int ret = 0;
++
++ /* legacy I/O ports 0x3C0 -- 0x3E0 */
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x20, DPCI_ADD_MAPPING);
++
++ /* 1:1 map ASL Storage register value */
++ vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
++ igd_opregion = pt_pci_host_read(real_device->pci_dev, PCI_INTEL_OPREGION, 4);
++ if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_opregion )
++ {
++ ret |= xc_domain_memory_mapping(xc_handle, domid,
++ igd_opregion >> XC_PAGE_SHIFT,
++ igd_opregion >> XC_PAGE_SHIFT,
++ 2,
++ DPCI_ADD_MAPPING);
++ PT_LOG("register_vga: igd_opregion = %x\n", igd_opregion);
++ }
++
++ return ret;
++}
++
++int igd_unregister_vga_regions(struct pt_dev *real_device)
++{
++ u32 vendor_id, igd_opregion;
++ int ret = 0;
++
++ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
++ 0x3C0, 0x20, DPCI_REMOVE_MAPPING);
++
++ vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
++ igd_opregion = pt_pci_host_read(real_device->pci_dev, PCI_INTEL_OPREGION, 4);
++ if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_opregion )
++ {
++ ret |= xc_domain_memory_mapping(xc_handle, domid,
++ igd_opregion >> XC_PAGE_SHIFT,
++ igd_opregion >> XC_PAGE_SHIFT,
++ 2,
++ DPCI_REMOVE_MAPPING);
++ }
++
++ return ret;
++}
++/*********************************/
++/* Generic Code for GFX Passthru */
++/*********************************/
++/* This function decides whether I/O port map should be skipped */
++int vga_skip_ioport_map(PCIDevice *d)
++{
++ struct pt_dev *dev = (struct pt_dev *)d;
++ int skip = 0;
++
++ if ( !gfx_passthru || dev->pci_dev->device_class != 0x0300 )
++ return 0;
++
++ switch( dev->pci_dev->vendor_id )
++ {
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ skip = 1;
++ break;
++ default:
++ skip = 0;
++ break;
++ }
++
++ return skip;
++}
+ /*
+ * register VGA resources for the domain with assigned gfx
+ */
+@@ -187,18 +459,33 @@ int register_vga_regions(struct pt_dev *
+ if ( !gfx_passthru || real_device->pci_dev->device_class != 0x0300 )
+ return ret;
+
++ /* legacy I/O ports 0x3B0 - 0x3BC */
+ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3B0,
+ 0x3B0, 0xC, DPCI_ADD_MAPPING);
+
+- ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
+- 0x3C0, 0x20, DPCI_ADD_MAPPING);
+-
++ /* legacy video MMIO range 0xA0000 - 0xBFFFF */
+ ret |= xc_domain_memory_mapping(xc_handle, domid,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0x20,
+ DPCI_ADD_MAPPING);
+
++ /* Other VGA regions are vendor specific */
++ switch( real_device->pci_dev->vendor_id )
++ {
++ case PCI_VENDOR_ID_INTEL:
++ ret = igd_register_vga_regions(real_device);
++ break;
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ ret = ati_register_vga_regions(real_device);
++ break;
++ default:
++ PT_LOG("gfx card wasn't supported by Xen passthru!\n");
++ ret = 1;
++ break;
++ }
++
+ if ( ret != 0 )
+ PT_LOG("VGA region mapping failed\n");
+
+@@ -216,26 +503,31 @@ int unregister_vga_regions(struct pt_dev
+ if ( !gfx_passthru || real_device->pci_dev->device_class != 0x0300 )
+ return ret;
+
++ /* legacy I/O ports 0x3B0 - 0x3BC */
+ ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3B0,
+ 0x3B0, 0xC, DPCI_REMOVE_MAPPING);
+
+- ret |= xc_domain_ioport_mapping(xc_handle, domid, 0x3C0,
+- 0x3C0, 0x20, DPCI_REMOVE_MAPPING);
+-
++ /* legacy video MMIO range 0xA0000 - 0xBFFFF */
+ ret |= xc_domain_memory_mapping(xc_handle, domid,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 0xa0000 >> XC_PAGE_SHIFT,
+ 20,
+ DPCI_REMOVE_MAPPING);
+
+- vendor_id = pt_pci_host_read(real_device->pci_dev, PCI_VENDOR_ID, 2);
+- if ( (vendor_id == PCI_VENDOR_ID_INTEL) && igd_guest_opregion )
++ /* Other VGA regions are vendor specific */
++ switch( real_device->pci_dev->vendor_id )
+ {
+- ret |= xc_domain_memory_mapping(xc_handle, domid,
+- igd_guest_opregion >> XC_PAGE_SHIFT,
+- igd_guest_opregion >> XC_PAGE_SHIFT,
+- 2,
+- DPCI_REMOVE_MAPPING);
++ case PCI_VENDOR_ID_INTEL:
++ ret = igd_unregister_vga_regions(real_device);
++ break;
++ case PCI_VENDOR_ID_ATI:
++ case PCI_VENDOR_ID_AMD:
++ ret = ati_unregister_vga_regions(real_device);
++ break;
++ default:
++ PT_LOG("gfx card wasn't supported by Xen passthru!\n");
++ ret = 1;
++ break;
+ }
+
+ if ( ret != 0 )
diff --git a/kernels/xen/bios_workaround.patch b/kernels/xen/bios_workaround.patch
new file mode 100644
index 000000000..12fc00184
--- /dev/null
+++ b/kernels/xen/bios_workaround.patch
@@ -0,0 +1,51 @@
+--- xen-4.3.1.orig/xen/drivers/passthrough/amd/iommu_acpi.c 2013-07-09 05:46:56.000000000 -0500
++++ xen-4.3.1/xen/drivers/passthrough/amd/iommu_acpi.c 2013-07-18 02:31:38.767195258 -0500
+@@ -668,26 +668,26 @@
+ */
+ for ( apic = 0; apic < nr_ioapics; apic++ )
+ {
+- if ( IO_APIC_ID(apic) != special->handle )
++ if ( ioapic_sbdf[IO_APIC_ID(apic)].bdf != ioapic_sbdf[special->handle].bdf )
+ continue;
+
+- if ( special->handle >= ARRAY_SIZE(ioapic_sbdf) )
++ if ( IO_APIC_ID(apic) >= ARRAY_SIZE(ioapic_sbdf) )
+ {
+ printk(XENLOG_ERR "IVHD Error: IO-APIC %#x entry beyond bounds\n",
+- special->handle);
++ IO_APIC_ID(apic));
+ return 0;
+ }
+
+- if ( ioapic_sbdf[special->handle].pin_setup )
++ if ( ioapic_sbdf[IO_APIC_ID(apic)].pin_setup )
+ {
+- if ( ioapic_sbdf[special->handle].bdf == bdf &&
+- ioapic_sbdf[special->handle].seg == seg )
++ if ( ioapic_sbdf[IO_APIC_ID(apic)].bdf == bdf &&
++ ioapic_sbdf[IO_APIC_ID(apic)].seg == seg )
+ AMD_IOMMU_DEBUG("IVHD Warning: Duplicate IO-APIC %#x entries\n",
+- special->handle);
++ IO_APIC_ID(apic));
+ else
+ {
+ printk(XENLOG_ERR "IVHD Error: Conflicting IO-APIC %#x entries\n",
+- special->handle);
++ IO_APIC_ID(apic));
+ if ( amd_iommu_perdev_intremap )
+ return 0;
+ }
+@@ -695,10 +695,10 @@
+ else
+ {
+ /* set device id of ioapic */
+- ioapic_sbdf[special->handle].bdf = bdf;
+- ioapic_sbdf[special->handle].seg = seg;
++ ioapic_sbdf[IO_APIC_ID(apic)].bdf = bdf;
++ ioapic_sbdf[IO_APIC_ID(apic)].seg = seg;
+
+- ioapic_sbdf[special->handle].pin_setup = xzalloc_array(
++ ioapic_sbdf[IO_APIC_ID(apic)].pin_setup = xzalloc_array(
+ unsigned long, BITS_TO_LONGS(nr_ioapic_entries[apic]));
+ if ( nr_ioapic_entries[apic] &&
+ !ioapic_sbdf[IO_APIC_ID(apic)].pin_setup )
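Review bot: The rewritten comparison at the top of the loop, `if ( ioapic_sbdf[IO_APIC_ID(apic)].bdf != ioapic_sbdf[special->handle].bdf )`, indexes `ioapic_sbdf` with both values before the bounds check that follows, and the check itself now covers only `IO_APIC_ID(apic)`, so `special->handle` (taken from the firmware-supplied IVRS table) is never range-checked at all in this version. Since the table is untrusted input to the hypervisor, an out-of-range handle turns into an out-of-bounds read of `ioapic_sbdf`. I would keep a `special->handle >= ARRAY_SIZE(ioapic_sbdf)` check ahead of the loop and move the `IO_APIC_ID(apic) >= ARRAY_SIZE(ioapic_sbdf)` check above the `.bdf` comparison so that neither index is used before it is validated. A one-line comment naming the BIOS quirk this works around (`/* some IVRS tables report a handle that differs from the IO-APIC id; match on bdf instead */`) would also help the next maintainer. The enclosing function starts and ends outside the hunk.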
diff --git a/kernels/xen/conf.d-xenconsoled b/kernels/xen/conf.d-xenconsoled
new file mode 100644
index 000000000..9dee0960a
--- /dev/null
+++ b/kernels/xen/conf.d-xenconsoled
@@ -0,0 +1,14 @@
+# No logging (default)
+#XENCONSOLED_LOG=none
+# Log guest console output only
+#XENCONSOLED_LOG=guest
+# Log hypervisor messages only
+#XENCONSOLED_LOG=hv
+# Log both guest console output and hypervisor messages
+XENCONSOLED_LOG=all
+
+# Location to store guest & hypervisor logs
+XENCONSOLED_LOG_DIR=/var/log/xen/console
+
+#XENCONSOLED_ARGS=
+
diff --git a/kernels/xen/conf.d-xenstored b/kernels/xen/conf.d-xenstored
new file mode 100644
index 000000000..366abf9ad
--- /dev/null
+++ b/kernels/xen/conf.d-xenstored
@@ -0,0 +1,2 @@
+#XENSTORED_ARGS=" -T /var/log/xen/xenstored-trace.log"
+XENDOM0_NAME="Domain-0"
diff --git a/kernels/xen/grub.conf b/kernels/xen/grub.conf
new file mode 100644
index 000000000..9b13008d9
--- /dev/null
+++ b/kernels/xen/grub.conf
@@ -0,0 +1,2 @@
+#XEN_HYPERVISOR_CMDLINE="xsave=1"
+#XEN_LINUX_CMDLINE="console=tty0"
diff --git a/kernels/xen/proc-xen.mount b/kernels/xen/proc-xen.mount
new file mode 100644
index 000000000..0eaa59c5f
--- /dev/null
+++ b/kernels/xen/proc-xen.mount
@@ -0,0 +1,9 @@
+[Unit]
+Description=Mount /proc/xen files
+ConditionPathExists=/proc/xen
+RefuseManualStop=true
+
+[Mount]
+What=xenfs
+Where=/proc/xen
+Type=xenfs
diff --git a/kernels/xen/tmpfiles.d-xen.conf b/kernels/xen/tmpfiles.d-xen.conf
new file mode 100644
index 000000000..a55258b0f
--- /dev/null
+++ b/kernels/xen/tmpfiles.d-xen.conf
@@ -0,0 +1,2 @@
+d /run/xen 0755 root root -
+d /run/xenstored 0755 root root -
diff --git a/kernels/xen/var-lib-xenstored.mount b/kernels/xen/var-lib-xenstored.mount
new file mode 100644
index 000000000..1c2015ca2
--- /dev/null
+++ b/kernels/xen/var-lib-xenstored.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=mount xenstore file system
+ConditionPathExists=/proc/xen
+RefuseManualStop=true
+
+[Mount]
+What=xenstore
+Where=/var/lib/xenstored
+Type=tmpfs
+Options=mode=755
diff --git a/kernels/xen/xen.conf b/kernels/xen/xen.conf
new file mode 100644
index 000000000..37a5b59f7
--- /dev/null
+++ b/kernels/xen/xen.conf
@@ -0,0 +1,19 @@
+xen-evtchn
+xen-gntdev
+xen-gntalloc
+xen-blkback
+xen-netback
+xen-pciback
+xen-acpi-processor
+## xen-acpi-processor: This module may not work on all machines; try removing this first if it causes issues.
+
+## The following were included in xencommons, but were not inserted by systemd:
+# evtchn
+# gntdev
+# netbk
+# blkbk
+# xen-scsibk
+# usbbk
+# pciback
+# blktap2
+# blktap
diff --git a/kernels/xen/xen.install b/kernels/xen/xen.install
new file mode 100644
index 000000000..f1a34d522
--- /dev/null
+++ b/kernels/xen/xen.install
@@ -0,0 +1,64 @@
+install_msg() {
+ cat << __EOF__
+===> IMPORTANT NOTICE:
+
+In order to complete the installation, and enable Xen,
+at the very least you must:
+1. Edit your GRUB2 config files as specified at
+ https://wiki.parabolagnulinux.org/index.php/Xen#Bootloader_Configuration
+2. Issue the following commands to allow you to create and start VMs:
+ systemctl enable xenstored.service
+ systemctl enable xenconsoled.service
+3. If you want some domains to automatically start up/shutdown, run the following:
+ systemctl enable xendomains.service
+
+For more information refer to the Wiki:
+ https://wiki.parabolagnulinux.org/index.php/Xen
+
+__EOF__
+
+}
+
+upgrade_msg() {
+ cat << __EOF__
+
+Note: If you are upgrading from one of the previous 4.2 xen builds, and are having issues
+ with graphics card passthrough, the default device model used has changed and the
+ newer model can sometimes have issues. To resolve, add (or change ) the following
+ line into your domain config file:
+ device_model_version = "qemu-xen-traditional"
+
+ Also remember to rebuild your grub configuration if upgrading from a non-xen 4.3.1
+ install.
+__EOF__
+
+}
+
+post_install() {
+ install_msg
+ upgrade_msg
+}
+
+post_upgrade() {
+ upgrade_msg
+}
+
+pre_remove() {
+ systemctl stop xendomains.service
+ systemctl stop xenconsoled.service
+ systemctl stop xenstored.service
+
+ systemctl disable xendomains.service
+ systemctl disable xenconsoled.service
+ systemctl disable xenstored.service
+}
+
+post_remove() {
+ cat << __EOF__
+===> IMPORTANT NOTICE:
+
+In order to finish removing Xen, you will need to modify
+your bootloader configuration files to load your Linux
+kernel instead of Xen kernel.
+__EOF__
+}
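Review bot: The heredocs in `install_msg`, `upgrade_msg` and `post_remove` use an unquoted `__EOF__` delimiter, so the shell performs `$` and backquote expansion on the notice text; nothing in the current text triggers it, but the first edit that adds a `$` to a URL or command example will silently break or change the message. Writing the opening line as `cat << '__EOF__'` makes the text literal. `pre_remove` stops and disables the three units but never checks the `systemctl` exit status; that is probably acceptable for a best-effort hook, but a short comment saying so would make the intent clear.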
diff --git a/kernels/xen/xenconsoled.service b/kernels/xen/xenconsoled.service
new file mode 100644
index 000000000..1e06b4537
--- /dev/null
+++ b/kernels/xen/xenconsoled.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Xenconsoled - handles logging from guest consoles and hypervisor
+Requires=proc-xen.mount
+After=proc-xen.mount xenstored.service
+ConditionPathExists=/proc/xen
+
+[Service]
+Type=simple
+Environment=XENCONSOLED_ARGS=
+Environment=XENCONSOLED_LOG=none
+Environment=XENCONSOLED_LOG_DIR=/var/log/xen/console
+EnvironmentFile=-/etc/conf.d/xenconsoled
+PIDFile=/run/xenconsoled.pid
+ExecStartPre=/usr/bin/grep -q control_d /proc/xen/capabilities
+ExecStart=/usr/bin/xenconsoled --pid-file /run/xenconsoled.pid --log=${XENCONSOLED_LOG} --log-dir=${XENCONSOLED_LOG_DIR} $XENCONSOLED_ARGS
+
+[Install]
+WantedBy=multi-user.target
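Review bot: `Type=simple` together with `PIDFile=/run/xenconsoled.pid` is an inconsistent pairing: with `Type=simple` systemd tracks the process it spawned and ignores the PID file, whereas `xenstored.service` in this same commit uses `Type=forking` with its PID file. If xenconsoled detaches from the foreground by default (its `--pid-file` option suggests it may), systemd will see the parent exit and mark the unit failed; if it stays in the foreground, the `PIDFile=` line is dead configuration. Either switch to `Type=forking` to match `xenstored.service` or drop the `PIDFile=` line, and confirm which mode the daemon runs in.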
diff --git a/kernels/xen/xendomU@.service b/kernels/xen/xendomU@.service
new file mode 100644
index 000000000..b3dd6c7d7
--- /dev/null
+++ b/kernels/xen/xendomU@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=xen domU service for domain %i
+Requires=xenstored.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/xl create /etc/xen/conf/%i.cfg
+ExecStop=/usr/bin/xl shutdown %i
+
+[Install]
+WantedBy=multi-user.target
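Review bot: `Requires=xenstored.service` does not impose ordering, so this unit can run `xl create` before xenstored is actually up; add `After=xenstored.service xenconsoled.service` to the `[Unit]` section. `ExecStop=/usr/bin/xl shutdown %i` also returns as soon as the shutdown request is sent, so systemd considers the domain stopped while the guest may still be running its shutdown sequence; `ExecStop=/usr/bin/xl shutdown -w %i` waits for the domain to actually go away, which matters at host shutdown.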
diff --git a/kernels/xen/xendomains.patch b/kernels/xen/xendomains.patch
new file mode 100644
index 000000000..16f62b65a
--- /dev/null
+++ b/kernels/xen/xendomains.patch
@@ -0,0 +1,108 @@
+--- xen-4.3.1.orig/tools/hotplug/Linux/init.d/xendomains 2013-07-19 14:52:52.159013757 -0500
++++ xen-4.3.1/tools/hotplug/Linux/init.d/xendomains 2013-07-19 14:56:00.079145322 -0500
+@@ -51,17 +51,13 @@
+ fi
+
+ # See docs/misc/distro_mapping.txt
+-if [ -d /var/lock/subsys ]; then
+- LOCKFILE=/var/lock/subsys/xendomains
++if [ -d /run/lock/subsys ]; then
++ LOCKFILE=/run/lock/subsys/xendomains
+ else
+- LOCKFILE=/var/lock/xendomains
++ LOCKFILE=/run/lock/xendomains
+ fi
+
+-if [ -d /etc/sysconfig ]; then
+- XENDOM_CONFIG=/etc/sysconfig/xendomains
+-else
+- XENDOM_CONFIG=/etc/default/xendomains
+-fi
++XENDOM_CONFIG=/etc/conf.d/xendomains
+
+ test -r $XENDOM_CONFIG || { echo "$XENDOM_CONFIG not existing";
+ if [ "$1" = "stop" ]; then exit 0;
+@@ -185,8 +181,13 @@
+ # read name from xen config file
+ rdname()
+ {
+- NM=$($CMD create --quiet --dryrun --defconfig "$1" |
+- sed -n 's/^.*(name \(.*\))$/\1/p')
++ if [ "$CMD" == "xm" ]; then
++ NM=$($CMD create --quiet --dryrun --defconfig "$1" |
++ sed -n 's/^.*(name \(.*\))$/\1/p')
++ else
++ NM=$($CMD create --quiet --dryrun --defconfig "$1" |
++ perl -pe 's|^.*"name":"(.*?)".*$|$1|')
++ fi
+ }
+
+ rdnames()
+@@ -229,15 +230,15 @@
+ rdname $1
+ RC=1
+ name=;id=
+- while read LN; do
+- parseln "$LN" || continue
++ while read id; do
+ if test $id = 0; then continue; fi
++ name=`xenstore-read /local/domain/$id/name`
+ case $name in
+ ($NM)
+ RC=0
+ ;;
+ esac
+- done < <($CMD list -l | grep "$LIST_GREP")
++ done < <(xenstore-list /local/domain)
+ return $RC
+ }
+
+@@ -312,6 +313,8 @@
+
+ all_zombies()
+ {
++ return 0
++
+ name=;id=
+ while read LN; do
+ parseln "$LN" || continue
+@@ -363,9 +366,9 @@
+ fi
+ echo -n "Shutting down Xen domains:"
+ name=;id=
+- while read LN; do
+- parseln "$LN" || continue
++ while read id; do
+ if test $id = 0; then continue; fi
++ name=`xenstore-read /local/domain/$id/name`
+ echo -n " $name"
+ if test "$XENDOMAINS_AUTO_ONLY" = "true"; then
+ eval "
+@@ -450,7 +453,7 @@
+ fi
+ kill $WDOG_PID >/dev/null 2>&1
+ fi
+- done < <($CMD list -l | grep "$LIST_GREP")
++ done < <(xenstore-list /local/domain)
+
+ # NB. this shuts down ALL Xen domains (politely), not just the ones in
+ # AUTODIR/*
+@@ -479,15 +482,15 @@
+ check_domain_up()
+ {
+ name=;id=
+- while read LN; do
+- parseln "$LN" || continue
++ while read id; do
+ if test $id = 0; then continue; fi
++ name=`xenstore-read /local/domain/$id/name`
+ case $name in
+ ($1)
+ return 0
+ ;;
+ esac
+- done < <($CMD list -l | grep "$LIST_GREP")
++ done < <(xenstore-list /local/domain)
+ return 1
+ }
+
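Review bot: The added `return 0` at the top of `all_zombies()` turns everything after it into unreachable code while leaving that code in place, so the function now unconditionally reports "all zombies" and a reader cannot tell whether that is a deliberate stub or an accident. Either delete the dead body or put a comment above the `return 0` stating why the check is disabled with the new `xenstore-list` based enumeration, e.g. `# zombie detection relied on "$CMD list -l" parsing; disabled until reimplemented over xenstore`. In the `rdname` hunk, `[ "$CMD" == "xm" ]` uses the bash-only `==` inside `[ ]`; `[ "$CMD" = "xm" ]` is portable and the rest of the script uses single `=`. The enclosing script starts and ends outside these hunks.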
diff --git a/kernels/xen/xendomains.service b/kernels/xen/xendomains.service
new file mode 100644
index 000000000..d49bd5593
--- /dev/null
+++ b/kernels/xen/xendomains.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Xendomains - start and stop guests on boot and shutdown
+Requires=proc-xen.mount xenstored.service
+After=proc-xen.mount xenstored.service xenconsoled.service
+ConditionPathExists=/proc/xen
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStartPre=/usr/bin/grep -q control_d /proc/xen/capabilities
+ExecStart=/etc/xen/scripts/xendomains start
+ExecStop=/etc/xen/scripts/xendomains stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kernels/xen/xenstored.service b/kernels/xen/xenstored.service
new file mode 100644
index 000000000..46e0b3226
--- /dev/null
+++ b/kernels/xen/xenstored.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Xenstored - daemon managing xenstore file system
+Requires=proc-xen.mount var-lib-xenstored.mount systemd-tmpfiles-setup.service
+After=proc-xen.mount var-lib-xenstored.mount systemd-tmpfiles-setup.service
+Before=libvirtd.service libvirt-guests.service
+RefuseManualStop=true
+ConditionPathExists=/proc/xen
+
+[Service]
+Type=forking
+Environment=XENSTORED_ARGS=
+Environment=XENDOM0_NAME=Domain-0
+EnvironmentFile=-/etc/conf.d/xenstored
+PIDFile=/run/xenstored.pid
+ExecStartPre=/usr/bin/grep -q control_d /proc/xen/capabilities
+ExecStart=/usr/bin/xenstored --pid-file /run/xenstored.pid $XENSTORED_ARGS
+ExecStartPost=/usr/bin/xenstore-write "/local/domain/0/name" "$XENDOM0_NAME"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kernels/xen/xsa73-4.3-unstable.patch b/kernels/xen/xsa73-4.3-unstable.patch
new file mode 100644
index 000000000..aa36b40a1
--- /dev/null
+++ b/kernels/xen/xsa73-4.3-unstable.patch
@@ -0,0 +1,105 @@
+From 068bfa76bbd52430e65853375e1d5db99d193e2f Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 31 Oct 2013 20:49:00 +0000
+Subject: [PATCH] gnttab: correct locking order reversal
+
+Coverity ID 1087189
+
+Correct a lock order reversal between a domains page allocation and grant
+table locks.
+
+This is CVE-2013-4494 / XSA-73.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+Consolidate error handling.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Keir Fraser <keir@xen.org>
+Tested-by: Matthew Daley <mattjd@gmail.com>
+---
+ xen/common/grant_table.c | 52 +++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index f42bc7a..48df928 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -1518,6 +1518,8 @@ gnttab_transfer(
+
+ for ( i = 0; i < count; i++ )
+ {
++ bool_t okay;
++
+ if (i && hypercall_preempt_check())
+ return i;
+
+@@ -1626,16 +1628,18 @@ gnttab_transfer(
+ * pages when it is dying.
+ */
+ if ( unlikely(e->is_dying) ||
+- unlikely(e->tot_pages >= e->max_pages) ||
+- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
++ unlikely(e->tot_pages >= e->max_pages) )
+ {
+- if ( !e->is_dying )
+- gdprintk(XENLOG_INFO, "gnttab_transfer: "
+- "Transferee has no reservation "
+- "headroom (%d,%d) or provided a bad grant ref (%08x) "
+- "or is dying (%d)\n",
+- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
+ spin_unlock(&e->page_alloc_lock);
++
++ if ( e->is_dying )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is dying\n", e->domain_id);
++ else
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
++ e->domain_id, e->tot_pages, e->max_pages);
++
+ rcu_unlock_domain(e);
+ put_gfn(d, gop.mfn);
+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
+@@ -1647,6 +1651,38 @@ gnttab_transfer(
+ /* Okay, add the page to 'e'. */
+ if ( unlikely(domain_adjust_tot_pages(e, 1) == 1) )
+ get_knownalive_domain(e);
++
++ /*
++ * We must drop the lock to avoid a possible deadlock in
++ * gnttab_prepare_for_transfer. We have reserved a page in e so can
++ * safely drop the lock and re-aquire it later to add page to the
++ * pagelist.
++ */
++ spin_unlock(&e->page_alloc_lock);
++ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
++ spin_lock(&e->page_alloc_lock);
++
++ if ( unlikely(!okay) || unlikely(e->is_dying) )
++ {
++ bool_t drop_dom_ref = (domain_adjust_tot_pages(e, -1) == 0);
++
++ spin_unlock(&e->page_alloc_lock);
++
++ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is now dying\n", e->domain_id);
++
++ if ( drop_dom_ref )
++ put_domain(e);
++ rcu_unlock_domain(e);
++
++ put_gfn(d, gop.mfn);
++ page->count_info &= ~(PGC_count_mask|PGC_allocated);
++ free_domheap_page(page);
++ gop.status = GNTST_general_error;
++ goto copyback;
++ }
++
+ page_list_add_tail(page, &e->page_list);
+ page_set_owner(page, e);
+
+--
+1.7.10.4
+
diff --git a/kernels/xen/xsa75-4.3-unstable.patch b/kernels/xen/xsa75-4.3-unstable.patch
new file mode 100644
index 000000000..6c0c5bca1
--- /dev/null
+++ b/kernels/xen/xsa75-4.3-unstable.patch
@@ -0,0 +1,55 @@
+nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
+
+Otherwise uninitialized data may be used, leading to crashes.
+
+This is XSA-75.
+
+Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct
+ }
+ }
+
+-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
++static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+ {
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+- int rc;
+-
+- rc = vmx_inst_check_privilege(regs, 0);
+- if ( rc != X86EMUL_OKAY )
+- return rc;
+
+ /* check VMCS is valid and IO BITMAP is set */
+ if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
+@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
+@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user
+ int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
+ {
+ bool_t launched;
+- int rc;
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
diff --git a/kernels/xen/xsa78.patch b/kernels/xen/xsa78.patch
new file mode 100644
index 000000000..180506cdd
--- /dev/null
+++ b/kernels/xen/xsa78.patch
@@ -0,0 +1,23 @@
+VT-d: fix TLB flushing in dma_pte_clear_one()
+
+The third parameter of __intel_iommu_iotlb_flush() is to indicate
+whether the to be flushed entry was a present one. A few lines before,
+we bailed if !dma_pte_present(*pte), so there's no need to check the
+flag here again - we can simply always pass TRUE here.
+
+This is CVE-2013-6375 / XSA-78.
+
+Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
+ iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
+
+ if ( !this_cpu(iommu_dont_flush_iotlb) )
+- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
++ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
+
+ unmap_vtd_domain_page(page);
+