Version in base suite: 4.14.3-1~deb11u1 Base version: xen_4.14.3-1~deb11u1 Target version: xen_4.14.3+32-g9de3671772-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xen/xen_4.14.3-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xen/xen_4.14.3+32-g9de3671772-1~deb11u1.dsc debian/changelog | 32 ++ debian/patches/0003-version.patch | 2 debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch | 2 debian/patches/0036-fix-spelling-errors.patch | 2 debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch | 2 debian/patches/0041-x86-ACPI-fix-mapping-of-FACS.patch | 52 +++ debian/patches/0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch | 149 ++++++++++ debian/patches/0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch | 83 +++++ debian/patches/0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch | 58 +++ debian/patches/series | 4 tools/libacpi/build.c | 2 tools/libxl/libxl_cpuid.c | 10 tools/misc/xen-cpuid.c | 8 xen/Makefile | 2 xen/arch/arm/time.c | 5 xen/arch/x86/Makefile | 8 xen/arch/x86/apic.c | 11 xen/arch/x86/boot/Makefile | 9 xen/arch/x86/boot/build32.mk | 2 xen/arch/x86/cpu/amd.c | 69 +++- xen/arch/x86/cpu/common.c | 7 xen/arch/x86/cpu/cpu.h | 1 xen/arch/x86/cpu/hygon.c | 9 xen/arch/x86/dom0_build.c | 7 xen/arch/x86/hvm/hvm.c | 2 xen/arch/x86/hvm/hypercall.c | 2 xen/arch/x86/hvm/svm/svm.c | 1 xen/arch/x86/hvm/svm/vmcb.c | 1 xen/arch/x86/mm/p2m-pod.c | 87 ++++- xen/arch/x86/mm/p2m.c | 116 ++++++- xen/arch/x86/setup.c | 5 xen/arch/x86/smpboot.c | 9 xen/arch/x86/spec_ctrl.c | 51 ++- xen/arch/x86/traps.c | 2 xen/arch/x86/x86_64/compat.c | 1 xen/arch/x86/x86_emulate/x86_emulate.c | 31 +- xen/arch/x86/xen.lds.S | 2 xen/arch/x86/xstate.c | 7 xen/common/domain.c | 2 xen/common/grant_table.c | 7 xen/common/page_alloc.c | 35 +- xen/drivers/passthrough/amd/iommu_cmd.c | 14 xen/drivers/passthrough/amd/pci_amd_iommu.c | 6 xen/drivers/passthrough/pci.c | 5 xen/drivers/passthrough/vtd/dmar.c | 6 xen/drivers/passthrough/vtd/iommu.c | 56 ++- xen/drivers/passthrough/x86/iommu.c | 18 + xen/include/asm-arm/time.h | 2 xen/include/asm-x86/acpi.h | 8 xen/include/asm-x86/cpufeature.h | 5 xen/include/asm-x86/hvm/svm/svm.h | 2 xen/include/asm-x86/hvm/svm/vmcb.h | 4 xen/include/asm-x86/msr-index.h | 3 xen/include/asm-x86/paging.h | 15 - xen/include/public/arch-x86/cpufeatureset.h | 10 xen/include/public/grant_table.h | 5 xen/include/xen/smp.h | 1 xen/xsm/flask/Makefile | 4 58 files changed, 886 insertions(+), 175 deletions(-) diff -Nru xen-4.14.3/debian/changelog xen-4.14.3+32-g9de3671772/debian/changelog --- xen-4.14.3/debian/changelog 2021-09-13 14:28:21.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/changelog 2021-12-02 20:45:55.000000000 +0000 @@ -1,8 +1,36 @@ -xen (4.14.3-1~deb11u1) bullseye-security; urgency=medium +xen (4.14.3+32-g9de3671772-1~deb11u1) bullseye-security; urgency=medium + * d/salsa-ci.yml: Set RELEASE variable to bullseye * Rebuild for bullseye-security - -- Hans van Kranenburg Mon, 13 Sep 2021 16:28:21 +0200 + -- Hans van Kranenburg Thu, 02 Dec 2021 21:45:55 +0100 + +xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium + + * Update to new upstream version 4.14.3+32-g9de3671772, which also contains + security fixes for the following issues: + - guests may exceed their designated memory limit + XSA-385 CVE-2021-28706 + - PCI devices with RMRRs not deassigned correctly + XSA-386 CVE-2021-28702 + - PoD operations on misaligned GFNs + XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708 + - issues with partially successful P2M updates on x86 + XSA-389 CVE-2021-28705 CVE-2021-28709 + * Note that the following XSA are not listed, because... + - XSA-387 only applies to Xen 4.13 and older + - XSA-390 only applies to Xen 4.15 + * Pick the following upstream commits to fix a regression which prevents + amd64 type hardware to fully power off. The issue was introduced in + version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to + improve Raspberry Pi 4 support. (Closes: #994899): + - 8b6d55c126 ("x86/ACPI: fix mapping of FACS") + - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb") + - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping") + - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector + cannot be determined") + + -- Hans van Kranenburg Sat, 27 Nov 2021 15:09:47 +0100 xen (4.14.3-1) unstable; urgency=high diff -Nru xen-4.14.3/debian/patches/0003-version.patch xen-4.14.3+32-g9de3671772/debian/patches/0003-version.patch --- xen-4.14.3/debian/patches/0003-version.patch 2021-09-13 14:26:14.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0003-version.patch 2021-12-02 20:45:55.000000000 +0000 @@ -12,7 +12,7 @@ 6 files changed, 31 insertions(+), 31 deletions(-) diff --git a/xen/Makefile b/xen/Makefile -index 661f787..f7a8797 100644 +index e20d61b..b211dbe 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -382,7 +382,7 @@ delete-unfresh-files: diff -Nru xen-4.14.3/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch xen-4.14.3+32-g9de3671772/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch --- xen-4.14.3/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch 2021-09-13 14:26:14.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch 2021-12-02 20:45:55.000000000 +0000 @@ -28,7 +28,7 @@ 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/Makefile b/xen/Makefile -index f7a8797..e61fa19 100644 +index b211dbe..9108a40 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -394,9 +394,9 @@ include/xen/compile.h: include/xen/compile.h.in diff -Nru xen-4.14.3/debian/patches/0036-fix-spelling-errors.patch xen-4.14.3+32-g9de3671772/debian/patches/0036-fix-spelling-errors.patch --- xen-4.14.3/debian/patches/0036-fix-spelling-errors.patch 2021-09-13 14:25:25.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0036-fix-spelling-errors.patch 2021-12-02 20:45:55.000000000 +0000 @@ -147,7 +147,7 @@ return -ENOSPC; } diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index f186ae6..bf17208 100644 +index de46ec1..605e535 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -3244,7 +3244,7 @@ x86_decode( diff -Nru xen-4.14.3/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch xen-4.14.3+32-g9de3671772/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch --- xen-4.14.3/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch 2021-09-13 14:25:25.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch 2021-12-02 20:45:55.000000000 +0000 @@ -21,7 +21,7 @@ 1 file changed, 6 insertions(+) diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile -index bbd11a4..d5c7002 100644 +index fd0acd5..45a8c8f 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -172,6 +172,12 @@ EFI_LDFLAGS += --major-image-version=$(XEN_VERSION) diff -Nru xen-4.14.3/debian/patches/0041-x86-ACPI-fix-mapping-of-FACS.patch xen-4.14.3+32-g9de3671772/debian/patches/0041-x86-ACPI-fix-mapping-of-FACS.patch --- xen-4.14.3/debian/patches/0041-x86-ACPI-fix-mapping-of-FACS.patch 1970-01-01 00:00:00.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0041-x86-ACPI-fix-mapping-of-FACS.patch 2021-12-02 20:45:55.000000000 +0000 @@ -0,0 +1,52 @@ +From: Jan Beulich +Date: Tue, 24 Nov 2020 11:26:02 +0100 +Subject: x86/ACPI: fix mapping of FACS +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +acpi_fadt_parse_sleep_info() runs when the system is already in +SYS_STATE_boot. Hence its direct call to __acpi_map_table() won't work +anymore. This call should probably have been replaced long ago already, +as the layering violation hasn't been necessary for quite some time. + +Fixes: 1c4aa69ca1e1 ("xen/acpi: Rework acpi_os_map_memory() and acpi_os_unmap_memory()") +Signed-off-by: Jan Beulich +Acked-by: Roger Pau Monné +(cherry picked from commit 8b6d55c1261820bb9db8d867ce9ee77397d05203) +--- + xen/arch/x86/acpi/boot.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/acpi/boot.c b/xen/arch/x86/acpi/boot.c +index 38c2b76..3ad4105 100644 +--- a/xen/arch/x86/acpi/boot.c ++++ b/xen/arch/x86/acpi/boot.c +@@ -422,8 +422,7 @@ acpi_fadt_parse_sleep_info(const struct acpi_table_fadt *fadt) + if (!facs_pa) + goto bad; + +- facs = (struct acpi_table_facs *) +- __acpi_map_table(facs_pa, sizeof(struct acpi_table_facs)); ++ facs = acpi_os_map_memory(facs_pa, sizeof(*facs)); + if (!facs) + goto bad; + +@@ -448,11 +447,16 @@ acpi_fadt_parse_sleep_info(const struct acpi_table_fadt *fadt) + offsetof(struct acpi_table_facs, firmware_waking_vector); + acpi_sinfo.vector_width = 32; + ++ acpi_os_unmap_memory(facs, sizeof(*facs)); ++ + printk(KERN_INFO PREFIX + " wakeup_vec[%"PRIx64"], vec_size[%x]\n", + acpi_sinfo.wakeup_vector, acpi_sinfo.vector_width); + return; +-bad: ++ ++ bad: ++ if (facs) ++ acpi_os_unmap_memory(facs, sizeof(*facs)); + memset(&acpi_sinfo, 0, + offsetof(struct acpi_sleep_info, sleep_control)); + memset(&acpi_sinfo.sleep_status + 1, 0, diff -Nru xen-4.14.3/debian/patches/0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch xen-4.14.3+32-g9de3671772/debian/patches/0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch --- xen-4.14.3/debian/patches/0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch 1970-01-01 00:00:00.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch 2021-12-02 20:45:55.000000000 +0000 @@ -0,0 +1,149 @@ +From: Jan Beulich +Date: Tue, 24 Nov 2020 11:26:34 +0100 +Subject: x86/DMI: fix table mapping when one lives above 1Mb +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Use of __acpi_map_table() is kind of an abuse here, and doesn't work +anymore for the majority of cases if any of the tables lives outside the +low first Mb. Keep this (ab)use only prior to reaching SYS_STATE_boot, +primarily to avoid needing to audit whether any of the calls here can +happen this early in the first place; quite likely this isn't necessary +at all - at least dmi_scan_machine() gets called late enough. + +For the "normal" case, call __vmap() directly, despite effectively +duplicating acpi_os_map_memory(). There's one difference though: We +shouldn't need to establish UC- mappings, WP or r/o WB mappings ought to +be fine, as the tables are going to live in either RAM or ROM. Short of +having PAGE_HYPERVISOR_WP and wanting to map the tables r/o anyway, use +the latter of the two options. The r/o mapping implies some +constification of code elsewhere in the file. For code touched anyway +also switch to void (where possible) or uint8_t. + +Fixes: 1c4aa69ca1e1 ("xen/acpi: Rework acpi_os_map_memory() and acpi_os_unmap_memory()") +Signed-off-by: Jan Beulich +Acked-by: Roger Pau Monné +(cherry picked from commit f390941a92f102ebbbbce1b54be206a602187fd7) +--- + xen/arch/x86/dmi_scan.c | 53 ++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 37 insertions(+), 16 deletions(-) + +diff --git a/xen/arch/x86/dmi_scan.c b/xen/arch/x86/dmi_scan.c +index e5930d2..d27cd34 100644 +--- a/xen/arch/x86/dmi_scan.c ++++ b/xen/arch/x86/dmi_scan.c +@@ -12,8 +12,6 @@ + #include + #include + +-#define bt_ioremap(b,l) ((void *)__acpi_map_table(b,l)) +-#define bt_iounmap(b,l) ((void)0) + #define memcpy_fromio memcpy + #define alloc_bootmem(l) xmalloc_bytes(l) + +@@ -111,9 +109,32 @@ enum dmi_entry_type { + #define dmi_printk(x) + #endif + +-static char * __init dmi_string(struct dmi_header *dm, u8 s) ++static const void *__init bt_ioremap(paddr_t addr, unsigned int len) + { +- char *bp=(char *)dm; ++ mfn_t mfn = _mfn(PFN_DOWN(addr)); ++ unsigned int offs = PAGE_OFFSET(addr); ++ ++ if ( addr + len <= MB(1) ) ++ return __va(addr); ++ ++ if ( system_state < SYS_STATE_boot ) ++ return __acpi_map_table(addr, len); ++ ++ return __vmap(&mfn, PFN_UP(offs + len), 1, 1, PAGE_HYPERVISOR_RO, ++ VMAP_DEFAULT) + offs; ++} ++ ++static void __init bt_iounmap(const void *ptr, unsigned int len) ++{ ++ if ( (unsigned long)ptr < DIRECTMAP_VIRT_START && ++ system_state >= SYS_STATE_boot ) ++ vunmap(ptr); ++} ++ ++static const char *__init dmi_string(const struct dmi_header *dm, uint8_t s) ++{ ++ const char *bp = (const void *)dm; ++ + bp+=dm->length; + if(!s) + return ""; +@@ -133,11 +154,10 @@ static char * __init dmi_string(struct dmi_header *dm, u8 s) + */ + + static int __init dmi_table(paddr_t base, u32 len, int num, +- void (*decode)(struct dmi_header *)) ++ void (*decode)(const struct dmi_header *)) + { +- u8 *buf; +- struct dmi_header *dm; +- u8 *data; ++ const uint8_t *buf, *data; ++ const struct dmi_header *dm; + int i=0; + + buf = bt_ioremap(base, len); +@@ -301,7 +321,7 @@ typedef union { + + static int __init _dmi_iterate(const struct dmi_eps *dmi, + const smbios_eps_u smbios, +- void (*decode)(struct dmi_header *)) ++ void (*decode)(const struct dmi_header *)) + { + int num; + u32 len; +@@ -335,7 +355,7 @@ static int __init _dmi_iterate(const struct dmi_eps *dmi, + return dmi_table(base, len, num, decode); + } + +-static int __init dmi_iterate(void (*decode)(struct dmi_header *)) ++static int __init dmi_iterate(void (*decode)(const struct dmi_header *)) + { + struct dmi_eps dmi; + struct smbios3_eps smbios3; +@@ -370,7 +390,7 @@ static int __init dmi_iterate(void (*decode)(struct dmi_header *)) + return -1; + } + +-static int __init dmi_efi_iterate(void (*decode)(struct dmi_header *)) ++static int __init dmi_efi_iterate(void (*decode)(const struct dmi_header *)) + { + int ret = -1; + +@@ -433,10 +453,11 @@ static char *__initdata dmi_ident[DMI_STRING_MAX]; + * Save a DMI string + */ + +-static void __init dmi_save_ident(struct dmi_header *dm, int slot, int string) ++static void __init dmi_save_ident(const struct dmi_header *dm, int slot, int string) + { +- char *d = (char*)dm; +- char *p = dmi_string(dm, d[string]); ++ const char *d = (const void *)dm; ++ const char *p = dmi_string(dm, d[string]); ++ + if(p==NULL || *p == 0) + return; + if (dmi_ident[slot]) +@@ -629,10 +650,10 @@ static const struct dmi_blacklist __initconstrel dmi_blacklist[] = { + * out of here. + */ + +-static void __init dmi_decode(struct dmi_header *dm) ++static void __init dmi_decode(const struct dmi_header *dm) + { + #ifdef DMI_DEBUG +- u8 *data = (u8 *)dm; ++ const uint8_t *data = (const void *)dm; + #endif + + switch(dm->type) diff -Nru xen-4.14.3/debian/patches/0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch xen-4.14.3+32-g9de3671772/debian/patches/0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch --- xen-4.14.3/debian/patches/0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch 1970-01-01 00:00:00.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch 2021-12-02 20:45:55.000000000 +0000 @@ -0,0 +1,83 @@ +From: Jan Beulich +Date: Tue, 5 Jan 2021 13:09:55 +0100 +Subject: x86/ACPI: fix S3 wakeup vector mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Use of __acpi_map_table() here was at least close to an abuse already +before, but it will now consistently return NULL here. Drop the layering +violation and use set_fixmap() directly. Re-use of the ACPI fixmap area +is hopefully going to remain "fine" for the time being. + +Add checks to acpi_enter_sleep(): The vector now needs to be contained +within a single page, but the ACPI spec requires 64-byte alignment of +FACS anyway. Also bail if no wakeup vector was determined in the first +place, in part as preparation for a subsequent relaxation change. + +Fixes: 1c4aa69ca1e1 ("xen/acpi: Rework acpi_os_map_memory() and acpi_os_unmap_memory()") +Signed-off-by: Jan Beulich +Acked-by: Roger Pau Monné +(cherry picked from commit 0f089bbf43ecce6f27576cb548ba4341d0ec46a8) +--- + xen/arch/x86/acpi/boot.c | 5 +++++ + xen/arch/x86/acpi/power.c | 15 ++++++++++++--- + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/acpi/boot.c b/xen/arch/x86/acpi/boot.c +index 3ad4105..7994228 100644 +--- a/xen/arch/x86/acpi/boot.c ++++ b/xen/arch/x86/acpi/boot.c +@@ -443,6 +443,11 @@ acpi_fadt_parse_sleep_info(const struct acpi_table_fadt *fadt) + "FACS is shorter than ACPI spec allow: %#x", + facs->length); + ++ if (facs_pa % 64) ++ printk(KERN_WARNING PREFIX ++ "FACS is not 64-byte aligned: %#lx", ++ facs_pa); ++ + acpi_sinfo.wakeup_vector = facs_pa + + offsetof(struct acpi_table_facs, firmware_waking_vector); + acpi_sinfo.vector_width = 32; +diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c +index 604cb7e..3486a9c 100644 +--- a/xen/arch/x86/acpi/power.c ++++ b/xen/arch/x86/acpi/power.c +@@ -174,17 +174,20 @@ static void acpi_sleep_prepare(u32 state) + if ( state != ACPI_STATE_S3 ) + return; + +- wakeup_vector_va = __acpi_map_table( +- acpi_sinfo.wakeup_vector, sizeof(uint64_t)); +- + /* TBoot will set resume vector itself (when it is safe to do so). */ + if ( tboot_in_measured_env() ) + return; + ++ set_fixmap(FIX_ACPI_END, acpi_sinfo.wakeup_vector); ++ wakeup_vector_va = fix_to_virt(FIX_ACPI_END) + ++ PAGE_OFFSET(acpi_sinfo.wakeup_vector); ++ + if ( acpi_sinfo.vector_width == 32 ) + *(uint32_t *)wakeup_vector_va = bootsym_phys(wakeup_start); + else + *(uint64_t *)wakeup_vector_va = bootsym_phys(wakeup_start); ++ ++ clear_fixmap(FIX_ACPI_END); + } + + static void acpi_sleep_post(u32 state) {} +@@ -333,6 +336,12 @@ static long enter_state_helper(void *data) + */ + int acpi_enter_sleep(struct xenpf_enter_acpi_sleep *sleep) + { ++ if ( sleep->sleep_state == ACPI_STATE_S3 && ++ (!acpi_sinfo.wakeup_vector || !acpi_sinfo.vector_width || ++ (PAGE_OFFSET(acpi_sinfo.wakeup_vector) > ++ PAGE_SIZE - acpi_sinfo.vector_width / 8)) ) ++ return -EOPNOTSUPP; ++ + if ( sleep->flags & XENPF_ACPI_SLEEP_EXTENDED ) + { + if ( !acpi_sinfo.sleep_control.address || diff -Nru xen-4.14.3/debian/patches/0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch xen-4.14.3+32-g9de3671772/debian/patches/0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch --- xen-4.14.3/debian/patches/0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch 1970-01-01 00:00:00.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch 2021-12-02 20:45:55.000000000 +0000 @@ -0,0 +1,58 @@ +From: Jan Beulich +Date: Tue, 5 Jan 2021 13:11:04 +0100 +Subject: x86/ACPI: don't invalidate S5 data when S3 wakeup vector cannot be + determined +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +We can be more tolerant as long as the data collected from FACS is only +needed to enter S3. A prior change already added suitable checking to +acpi_enter_sleep(). + +Signed-off-by: Jan Beulich +Acked-by: Roger Pau Monné +(cherry picked from commit 16ca5b3f873f17f4fbdaecf46c133e1aa3d623b2) +--- + xen/arch/x86/acpi/boot.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/xen/arch/x86/acpi/boot.c b/xen/arch/x86/acpi/boot.c +index 7994228..9e857c3 100644 +--- a/xen/arch/x86/acpi/boot.c ++++ b/xen/arch/x86/acpi/boot.c +@@ -420,22 +420,22 @@ acpi_fadt_parse_sleep_info(const struct acpi_table_fadt *fadt) + facs_pa = (uint64_t)fadt->facs; + } + if (!facs_pa) +- goto bad; ++ return; + + facs = acpi_os_map_memory(facs_pa, sizeof(*facs)); + if (!facs) +- goto bad; ++ return; + + if (strncmp(facs->signature, "FACS", 4)) { + printk(KERN_ERR PREFIX "Invalid FACS signature %.4s\n", + facs->signature); +- goto bad; ++ goto done; + } + + if (facs->length < 24) { + printk(KERN_ERR PREFIX "Invalid FACS table length: %#x", + facs->length); +- goto bad; ++ goto done; + } + + if (facs->length < 64) +@@ -452,6 +452,7 @@ acpi_fadt_parse_sleep_info(const struct acpi_table_fadt *fadt) + offsetof(struct acpi_table_facs, firmware_waking_vector); + acpi_sinfo.vector_width = 32; + ++ done: + acpi_os_unmap_memory(facs, sizeof(*facs)); + + printk(KERN_INFO PREFIX diff -Nru xen-4.14.3/debian/patches/series xen-4.14.3+32-g9de3671772/debian/patches/series --- xen-4.14.3/debian/patches/series 2021-09-13 14:25:25.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/debian/patches/series 2021-12-02 20:45:55.000000000 +0000 @@ -38,3 +38,7 @@ 0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch 0039-docs-use-predictable-ordering-in-generated-documenta.patch 0040-docs-set-date-to-SOURCE_DATE_EPOCH-if-available.patch +0041-x86-ACPI-fix-mapping-of-FACS.patch +0042-x86-DMI-fix-table-mapping-when-one-lives-above-1Mb.patch +0043-x86-ACPI-fix-S3-wakeup-vector-mapping.patch +0044-x86-ACPI-don-t-invalidate-S5-data-when-S3-wakeup-vec.patch diff -Nru xen-4.14.3/tools/libacpi/build.c xen-4.14.3+32-g9de3671772/tools/libacpi/build.c --- xen-4.14.3/tools/libacpi/build.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/tools/libacpi/build.c 2021-11-23 12:30:09.000000000 +0000 @@ -532,7 +532,7 @@ * Fill in high-memory data structures, starting at @buf. */ - facs = ctxt->mem_ops.alloc(ctxt, sizeof(struct acpi_20_facs), 16); + facs = ctxt->mem_ops.alloc(ctxt, sizeof(struct acpi_20_facs), 64); if (!facs) goto oom; memcpy(facs, &Facs, sizeof(struct acpi_20_facs)); diff -Nru xen-4.14.3/tools/libxl/libxl_cpuid.c xen-4.14.3+32-g9de3671772/tools/libxl/libxl_cpuid.c --- xen-4.14.3/tools/libxl/libxl_cpuid.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/tools/libxl/libxl_cpuid.c 2021-11-23 12:30:09.000000000 +0000 @@ -267,7 +267,17 @@ {"rstr-fp-err-ptrs", 0x80000008, NA, CPUID_REG_EBX, 2, 1}, {"wbnoinvd", 0x80000008, NA, CPUID_REG_EBX, 9, 1}, {"ibpb", 0x80000008, NA, CPUID_REG_EBX, 12, 1}, + {"ibrs", 0x80000008, NA, CPUID_REG_EBX, 14, 1}, + {"amd-stibp", 0x80000008, NA, CPUID_REG_EBX, 15, 1}, + {"ibrs-always", 0x80000008, NA, CPUID_REG_EBX, 16, 1}, + {"stibp-always", 0x80000008, NA, CPUID_REG_EBX, 17, 1}, + {"ibrs-fast", 0x80000008, NA, CPUID_REG_EBX, 18, 1}, + {"ibrs-same-mode", 0x80000008, NA, CPUID_REG_EBX, 19, 1}, {"ppin", 0x80000008, NA, CPUID_REG_EBX, 23, 1}, + {"amd-ssbd", 0x80000008, NA, CPUID_REG_EBX, 24, 1}, + {"virt-ssbd", 0x80000008, NA, CPUID_REG_EBX, 25, 1}, + {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1}, + {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1}, {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8}, {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4}, diff -Nru xen-4.14.3/tools/misc/xen-cpuid.c xen-4.14.3+32-g9de3671772/tools/misc/xen-cpuid.c --- xen-4.14.3/tools/misc/xen-cpuid.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/tools/misc/xen-cpuid.c 2021-11-23 12:30:09.000000000 +0000 @@ -148,11 +148,17 @@ [ 0] = "clzero", [ 2] = "rstr-fp-err-ptrs", - /* [ 8] */ [ 9] = "wbnoinvd", + /* [ 8] */ [ 9] = "wbnoinvd", [12] = "ibpb", + [14] = "ibrs", [15] = "amd-stibp", + [16] = "ibrs-always", [17] = "stibp-always", + [18] = "ibrs-fast", [19] = "ibrs-same-mode", /* [22] */ [23] = "ppin", + [24] = "amd-ssbd", [25] = "virt-ssbd", + [26] = "ssb-no", + [28] = "psfd", }; static const char *const str_7d0[32] = diff -Nru xen-4.14.3/xen/Makefile xen-4.14.3+32-g9de3671772/xen/Makefile --- xen-4.14.3/xen/Makefile 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/Makefile 2021-11-23 12:30:09.000000000 +0000 @@ -2,7 +2,7 @@ # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 14 -export XEN_EXTRAVERSION ?= .3$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .4-pre$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version diff -Nru xen-4.14.3/xen/arch/arm/time.c xen-4.14.3+32-g9de3671772/xen/arch/arm/time.c --- xen-4.14.3/xen/arch/arm/time.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/arm/time.c 2021-11-23 12:30:09.000000000 +0000 @@ -351,6 +351,11 @@ /* XXX update shared_info->wc_* */ } +void force_update_vcpu_system_time(struct vcpu *v) +{ + update_vcpu_system_time(v); +} + void domain_set_time_offset(struct domain *d, int64_t time_offset_seconds) { d->time_offset.seconds = time_offset_seconds; diff -Nru xen-4.14.3/xen/arch/x86/Makefile xen-4.14.3+32-g9de3671772/xen/arch/x86/Makefile --- xen-4.14.3/xen/arch/x86/Makefile 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/Makefile 2021-11-23 12:30:09.000000000 +0000 @@ -145,13 +145,13 @@ $(NM) -pa --format=sysv $(@D)/.$(@F).0 \ | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort \ >$(@D)/.$(@F).0.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).0.o + $(MAKE) -f $(BASEDIR)/Rules.mk efi-y= $(@D)/.$(@F).0.o $(LD) $(XEN_LDFLAGS) -T xen.lds -N prelink.o $(build_id_linker) \ $(@D)/.$(@F).0.o -o $(@D)/.$(@F).1 $(NM) -pa --format=sysv $(@D)/.$(@F).1 \ | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort $(syms-warn-dup-y) \ >$(@D)/.$(@F).1.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).1.o + $(MAKE) -f $(BASEDIR)/Rules.mk efi-y= $(@D)/.$(@F).1.o $(LD) $(XEN_LDFLAGS) -T xen.lds -N prelink.o $(build_id_linker) \ $(@D)/.$(@F).1.o -o $@ $(NM) -pa --format=sysv $(@D)/$(@F) \ @@ -211,14 +211,14 @@ efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).0) >$(@D)/.$(@F).0r.S $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).0 \ | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).0s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o + $(MAKE) -f $(BASEDIR)/Rules.mk efi-y= $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(note_file_option) -o $(@D)/.$(@F).$(base).1 &&) : efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).1) >$(@D)/.$(@F).1r.S $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).1 \ | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).1s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o + $(MAKE) -f $(BASEDIR)/Rules.mk efi-y= $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(note_file_option) -o $@ $(NM) -pa --format=sysv $(@D)/$(@F) \ diff -Nru xen-4.14.3/xen/arch/x86/apic.c xen-4.14.3+32-g9de3671772/xen/arch/x86/apic.c --- xen-4.14.3/xen/arch/x86/apic.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/apic.c 2021-11-23 12:30:09.000000000 +0000 @@ -864,6 +864,7 @@ void __init x2apic_bsp_setup(void) { struct IO_APIC_route_entry **ioapic_entries = NULL; + bool iommu_x2apic; const char *orig_name; if ( !cpu_has_x2apic ) @@ -879,7 +880,8 @@ printk("x2APIC: Already enabled by BIOS: Ignoring cmdline disable.\n"); } - if ( iommu_supports_x2apic() ) + iommu_x2apic = iommu_supports_x2apic(); + if ( iommu_x2apic ) { if ( (ioapic_entries = alloc_ioapic_entries()) == NULL ) { @@ -932,8 +934,11 @@ printk("Switched to APIC driver %s\n", genapic.name); restore_out: - /* iommu_x2apic_enabled cannot be used here in the error case. */ - if ( iommu_supports_x2apic() ) + /* + * iommu_x2apic_enabled and iommu_supports_x2apic() cannot be used here + * in the error case. + */ + if ( iommu_x2apic ) { /* * NB: do not use raw mode when restoring entries if the iommu has diff -Nru xen-4.14.3/xen/arch/x86/boot/Makefile xen-4.14.3+32-g9de3671772/xen/arch/x86/boot/Makefile --- xen-4.14.3/xen/arch/x86/boot/Makefile 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/boot/Makefile 2021-11-23 12:30:09.000000000 +0000 @@ -2,19 +2,22 @@ DEFS_H_DEPS = defs.h $(BASEDIR)/include/xen/stdbool.h -CMDLINE_DEPS = $(DEFS_H_DEPS) video.h +CMDLINE_DEPS = $(DEFS_H_DEPS) video.h \ + $(BASEDIR)/include/xen/kconfig.h \ + $(BASEDIR)/include/generated/autoconf.h RELOC_DEPS = $(DEFS_H_DEPS) \ $(BASEDIR)/include/generated/autoconf.h \ $(BASEDIR)/include/xen/kconfig.h \ $(BASEDIR)/include/xen/multiboot.h \ $(BASEDIR)/include/xen/multiboot2.h \ + $(BASEDIR)/include/xen/const.h \ $(BASEDIR)/include/public/arch-x86/hvm/start_info.h head.o: cmdline.S reloc.S -cmdline.S: cmdline.c $(CMDLINE_DEPS) +cmdline.S: cmdline.c $(CMDLINE_DEPS) build32.lds $(MAKE) -f build32.mk $@ CMDLINE_DEPS="$(CMDLINE_DEPS)" -reloc.S: reloc.c $(RELOC_DEPS) +reloc.S: reloc.c $(RELOC_DEPS) build32.lds $(MAKE) -f build32.mk $@ RELOC_DEPS="$(RELOC_DEPS)" diff -Nru xen-4.14.3/xen/arch/x86/boot/build32.mk xen-4.14.3+32-g9de3671772/xen/arch/x86/boot/build32.mk --- xen-4.14.3/xen/arch/x86/boot/build32.mk 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/boot/build32.mk 2021-11-23 12:30:09.000000000 +0000 @@ -27,7 +27,7 @@ done $(OBJCOPY) -O binary -R .got.plt $< $@ -%.lnk: %.o +%.lnk: %.o build32.lds $(LD) $(LDFLAGS_DIRECT) -N -T build32.lds -o $@ $< %.o: %.c diff -Nru xen-4.14.3/xen/arch/x86/cpu/amd.c xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/amd.c --- xen-4.14.3/xen/arch/x86/cpu/amd.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/amd.c 2021-11-23 12:30:09.000000000 +0000 @@ -642,6 +642,56 @@ ctxt_switch_levelling(NULL); } +/* + * Refer to the AMD Speculative Store Bypass whitepaper: + * https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf + */ +void amd_init_ssbd(const struct cpuinfo_x86 *c) +{ + int bit = -1; + + if (cpu_has_ssb_no) + return; + + if (cpu_has_amd_ssbd) { + wrmsrl(MSR_SPEC_CTRL, opt_ssbd ? SPEC_CTRL_SSBD : 0); + return; + } + + if (cpu_has_virt_ssbd) { + wrmsrl(MSR_VIRT_SPEC_CTRL, opt_ssbd ? SPEC_CTRL_SSBD : 0); + return; + } + + switch (c->x86) { + case 0x15: bit = 54; break; + case 0x16: bit = 33; break; + case 0x17: + case 0x18: bit = 10; break; + } + + if (bit >= 0) { + uint64_t val, mask = 1ull << bit; + + if (rdmsr_safe(MSR_AMD64_LS_CFG, val) || + ({ + val &= ~mask; + if (opt_ssbd) + val |= mask; + false; + }) || + wrmsr_safe(MSR_AMD64_LS_CFG, val) || + ({ + rdmsrl(MSR_AMD64_LS_CFG, val); + (val & mask) != (opt_ssbd * mask); + })) + bit = -1; + } + + if (bit < 0) + printk_once(XENLOG_ERR "No SSBD controls available\n"); +} + static void init_amd(struct cpuinfo_x86 *c) { u32 l, h; @@ -718,24 +768,7 @@ c->x86_capability); } - /* - * If the user has explicitly chosen to disable Memory Disambiguation - * to mitigiate Speculative Store Bypass, poke the appropriate MSR. - */ - if (opt_ssbd) { - int bit = -1; - - switch (c->x86) { - case 0x15: bit = 54; break; - case 0x16: bit = 33; break; - case 0x17: bit = 10; break; - } - - if (bit >= 0 && !rdmsr_safe(MSR_AMD64_LS_CFG, value)) { - value |= 1ull << bit; - wrmsr_safe(MSR_AMD64_LS_CFG, value); - } - } + amd_init_ssbd(c); /* MFENCE stops RDTSC speculation */ if (!cpu_has_lfence_dispatch) diff -Nru xen-4.14.3/xen/arch/x86/cpu/common.c xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/common.c --- xen-4.14.3/xen/arch/x86/cpu/common.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/common.c 2021-11-23 12:30:09.000000000 +0000 @@ -336,16 +336,23 @@ eax = cpuid_eax(0x80000000); if ((eax >> 16) == 0x8000 && eax >= 0x80000008) { + ebx = eax >= 0x8000001f ? cpuid_ebx(0x8000001f) : 0; eax = cpuid_eax(0x80000008); + paddr_bits = eax & 0xff; if (paddr_bits > PADDR_BITS) paddr_bits = PADDR_BITS; + vaddr_bits = (eax >> 8) & 0xff; if (vaddr_bits > VADDR_BITS) vaddr_bits = VADDR_BITS; + hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; if (hap_paddr_bits > PADDR_BITS) hap_paddr_bits = PADDR_BITS; + + /* Account for SME's physical address space reduction. */ + paddr_bits -= (ebx >> 6) & 0x3f; } if (!(c->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON))) diff -Nru xen-4.14.3/xen/arch/x86/cpu/cpu.h xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/cpu.h --- xen-4.14.3/xen/arch/x86/cpu/cpu.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/cpu.h 2021-11-23 12:30:09.000000000 +0000 @@ -20,3 +20,4 @@ void early_init_amd(struct cpuinfo_x86 *c); void amd_log_freq(const struct cpuinfo_x86 *c); +void amd_init_ssbd(const struct cpuinfo_x86 *c); diff -Nru xen-4.14.3/xen/arch/x86/cpu/hygon.c xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/hygon.c --- xen-4.14.3/xen/arch/x86/cpu/hygon.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/cpu/hygon.c 2021-11-23 12:30:09.000000000 +0000 @@ -59,14 +59,7 @@ __set_bit(X86_FEATURE_LFENCE_DISPATCH, c->x86_capability); - /* - * If the user has explicitly chosen to disable Memory Disambiguation - * to mitigiate Speculative Store Bypass, poke the appropriate MSR. - */ - if (opt_ssbd && !rdmsr_safe(MSR_AMD64_LS_CFG, value)) { - value |= 1ull << 10; - wrmsr_safe(MSR_AMD64_LS_CFG, value); - } + amd_init_ssbd(c); /* MFENCE stops RDTSC speculation */ if (!cpu_has_lfence_dispatch) diff -Nru xen-4.14.3/xen/arch/x86/dom0_build.c xen-4.14.3+32-g9de3671772/xen/arch/x86/dom0_build.c --- xen-4.14.3/xen/arch/x86/dom0_build.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/dom0_build.c 2021-11-23 12:30:09.000000000 +0000 @@ -521,8 +521,11 @@ MSI_ADDR_DEST_ID_MASK)); /* HyperTransport range. */ if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) ) - rc |= iomem_deny_access(d, paddr_to_pfn(0xfdULL << 32), - paddr_to_pfn((1ULL << 40) - 1)); + { + mfn = paddr_to_pfn(1UL << + (boot_cpu_data.x86 < 0x17 ? 40 : paddr_bits)); + rc |= iomem_deny_access(d, mfn - paddr_to_pfn(3UL << 32), mfn - 1); + } /* Remove access to E820_UNUSABLE I/O regions above 1MB. */ for ( i = 0; i < e820.nr_map; i++ ) diff -Nru xen-4.14.3/xen/arch/x86/hvm/hvm.c xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/hvm.c --- xen-4.14.3/xen/arch/x86/hvm/hvm.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/hvm.c 2021-11-23 12:30:09.000000000 +0000 @@ -1580,7 +1580,7 @@ rc = viridian_vcpu_init(v); if ( rc ) - goto fail5; + goto fail6; rc = hvm_all_ioreq_servers_add_vcpu(d, v); if ( rc != 0 ) diff -Nru xen-4.14.3/xen/arch/x86/hvm/hypercall.c xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/hypercall.c --- xen-4.14.3/xen/arch/x86/hvm/hypercall.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/hypercall.c 2021-11-23 12:30:09.000000000 +0000 @@ -137,7 +137,7 @@ HYPERCALL(event_channel_op), COMPAT_CALL(sched_op), COMPAT_CALL(set_timer_op), - HYPERCALL(xsm_op), + COMPAT_CALL(xsm_op), HYPERCALL(hvm_op), HYPERCALL(sysctl), HYPERCALL(domctl), diff -Nru xen-4.14.3/xen/arch/x86/hvm/svm/svm.c xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/svm/svm.c --- xen-4.14.3/xen/arch/x86/hvm/svm/svm.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/svm/svm.c 2021-11-23 12:30:09.000000000 +0000 @@ -1653,6 +1653,7 @@ P(cpu_has_pause_filter, "Pause-Intercept Filter"); P(cpu_has_pause_thresh, "Pause-Intercept Filter Threshold"); P(cpu_has_tsc_ratio, "TSC Rate MSR"); + P(cpu_has_svm_spec_ctrl, "MSR_SPEC_CTRL virtualisation"); #undef P if ( !printed ) diff -Nru xen-4.14.3/xen/arch/x86/hvm/svm/vmcb.c xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/svm/vmcb.c --- xen-4.14.3/xen/arch/x86/hvm/svm/vmcb.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/hvm/svm/vmcb.c 2021-11-23 12:30:09.000000000 +0000 @@ -271,6 +271,7 @@ BUILD_BUG_ON(offsetof(typeof(vmcb), rsp) != 0x5d8); BUILD_BUG_ON(offsetof(typeof(vmcb), rax) != 0x5f8); BUILD_BUG_ON(offsetof(typeof(vmcb), _g_pat) != 0x668); + BUILD_BUG_ON(offsetof(typeof(vmcb), spec_ctrl) != 0x6e0); /* Check struct segment_register against the VMCB segment layout. */ BUILD_BUG_ON(sizeof(vmcb.es) != 16); diff -Nru xen-4.14.3/xen/arch/x86/mm/p2m-pod.c xen-4.14.3+32-g9de3671772/xen/arch/x86/mm/p2m-pod.c --- xen-4.14.3/xen/arch/x86/mm/p2m-pod.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/mm/p2m-pod.c 2021-11-23 12:30:09.000000000 +0000 @@ -111,15 +111,13 @@ /* Then add to the appropriate populate-on-demand list. */ switch ( order ) { - case PAGE_ORDER_1G: - for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M ) + case PAGE_ORDER_2M ... PAGE_ORDER_1G: + for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M ) page_list_add_tail(page + i, &p2m->pod.super); break; - case PAGE_ORDER_2M: - page_list_add_tail(page, &p2m->pod.super); - break; - case PAGE_ORDER_4K: - page_list_add_tail(page, &p2m->pod.single); + case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1: + for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K ) + page_list_add_tail(page + i, &p2m->pod.single); break; default: BUG(); @@ -495,7 +493,7 @@ /* - * This function is needed for two reasons: + * This pair of functions is needed for two reasons: * + To properly handle clearing of PoD entries * + To "steal back" memory being freed for the PoD cache, rather than * releasing it. @@ -503,8 +501,8 @@ * Once both of these functions have been completed, we can return and * allow decrease_reservation() to handle everything else. */ -unsigned long -p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) +static unsigned long +decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) { unsigned long ret = 0, i, n; struct p2m_domain *p2m = p2m_get_hostp2m(d); @@ -551,8 +549,10 @@ * All PoD: Mark the whole region invalid and tell caller * we're done. */ - if ( p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid, - p2m->default_access) ) + int rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid, + p2m->default_access); + + if ( rc ) { /* * If this fails, we can't tell how much of the range was changed. @@ -560,7 +560,12 @@ * impossible. */ if ( order != 0 ) + { + printk(XENLOG_G_ERR + "%pd: marking GFN %#lx (order %u) as non-PoD failed: %d\n", + d, gfn_x(gfn), order, rc); domain_crash(d); + } goto out_unlock; } ret = 1UL << order; @@ -667,6 +672,22 @@ return ret; } +unsigned long +p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) +{ + unsigned long left = 1UL << order, ret = 0; + unsigned int chunk_order = find_first_set_bit(gfn_x(gfn) | left); + + do { + ret += decrease_reservation(d, gfn, chunk_order); + + left -= 1UL << chunk_order; + gfn = gfn_add(gfn, 1UL << chunk_order); + } while ( left ); + + return ret; +} + void p2m_pod_dump_data(struct domain *d) { struct p2m_domain *p2m = p2m_get_hostp2m(d); @@ -1266,19 +1287,15 @@ return true; } - -int -guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn_l, - unsigned int order) +static int +mark_populate_on_demand(struct domain *d, unsigned long gfn_l, + unsigned int order) { struct p2m_domain *p2m = p2m_get_hostp2m(d); gfn_t gfn = _gfn(gfn_l); unsigned long i, n, pod_count = 0; int rc = 0; - if ( !paging_mode_translate(d) ) - return -EINVAL; - gfn_lock(p2m, gfn, order); P2M_DEBUG("mark pod gfn=%#lx\n", gfn_l); @@ -1316,12 +1333,44 @@ BUG_ON(p2m->pod.entry_count < 0); pod_unlock(p2m); } + else if ( order ) + { + /* + * If this failed, we can't tell how much of the range was changed. + * Best to crash the domain. + */ + printk(XENLOG_G_ERR + "%pd: marking GFN %#lx (order %u) as PoD failed: %d\n", + d, gfn_l, order, rc); + domain_crash(d); + } out: gfn_unlock(p2m, gfn, order); return rc; } + +int +guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, + unsigned int order) +{ + unsigned long left = 1UL << order; + unsigned int chunk_order = find_first_set_bit(gfn | left); + int rc; + + if ( !paging_mode_translate(d) ) + return -EINVAL; + + do { + rc = mark_populate_on_demand(d, gfn, chunk_order); + + left -= 1UL << chunk_order; + gfn += 1UL << chunk_order; + } while ( !rc && left ); + + return rc; +} void p2m_pod_init(struct p2m_domain *p2m) { diff -Nru xen-4.14.3/xen/arch/x86/mm/p2m.c xen-4.14.3+32-g9de3671772/xen/arch/x86/mm/p2m.c --- xen-4.14.3/xen/arch/x86/mm/p2m.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/mm/p2m.c 2021-11-23 12:30:09.000000000 +0000 @@ -780,6 +780,7 @@ unsigned long i; p2m_type_t t; p2m_access_t a; + int rc; /* IOMMU for PV guests is handled in get_page_type() and put_page(). */ if ( !paging_mode_translate(p2m->domain) ) @@ -813,8 +814,27 @@ } } - return p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid, - p2m->default_access); + rc = p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid, + p2m->default_access); + if ( likely(!rc) || !mfn_valid(mfn) ) + return rc; + + /* + * The operation may have partially succeeded. For the failed part we need + * to undo the M2P update and, out of precaution, mark the pages dirty + * again. + */ + for ( i = 0; i < (1UL << page_order); ++i ) + { + p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, NULL, NULL); + if ( !p2m_is_hole(t) && !p2m_is_special(t) && !p2m_is_shared(t) ) + { + set_gpfn_from_mfn(mfn_x(mfn) + i, gfn_x(gfn) + i); + paging_mark_pfn_dirty(p2m->domain, _pfn(gfn_x(gfn) + i)); + } + } + + return rc; } int @@ -1003,13 +1023,8 @@ /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access); - if ( rc == 0 ) + if ( likely(!rc) ) { - pod_lock(p2m); - p2m->pod.entry_count -= pod_count; - BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); - if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ ) @@ -1017,6 +1032,42 @@ gfn_x(gfn_add(gfn, i))); } } + else + { + /* + * The operation may have partially succeeded. For the successful part + * we need to update M2P and dirty state, while for the failed part we + * may need to adjust PoD stats as well as undo the earlier M2P update. + */ + for ( i = 0; i < (1UL << page_order); ++i ) + { + omfn = p2m->get_entry(p2m, gfn_add(gfn, i), &ot, &a, 0, NULL, NULL); + if ( p2m_is_pod(ot) ) + { + BUG_ON(!pod_count); + --pod_count; + } + else if ( mfn_eq(omfn, mfn_add(mfn, i)) && ot == t && + a == p2m->default_access && !p2m_is_grant(t) ) + { + set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i); + paging_mark_pfn_dirty(d, _pfn(gfn_x(gfn) + i)); + } + else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) + { + ASSERT(mfn_valid(omfn)); + set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i); + } + } + } + + if ( pod_count ) + { + pod_lock(p2m); + p2m->pod.entry_count -= pod_count; + BUG_ON(p2m->pod.entry_count < 0); + pod_unlock(p2m); + } out: p2m_unlock(p2m); @@ -1308,6 +1359,49 @@ return 0; } } + + P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn)); + rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access); + if ( unlikely(rc) ) + { + gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n", + gfn_l, order, rc, mfn_x(mfn)); + + /* + * The operation may have partially succeeded. For the successful part + * we need to update PoD stats, M2P, and dirty state. + */ + if ( order != PAGE_ORDER_4K ) + { + unsigned long i; + + for ( i = 0; i < (1UL << order); ++i ) + { + p2m_type_t t; + mfn_t cmfn = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, + NULL, NULL); + + if ( !mfn_eq(cmfn, mfn_add(mfn, i)) || t != gfn_p2mt || + a != access ) + continue; + + if ( p2m_is_ram(ot) ) + { + ASSERT(mfn_valid(mfn_add(omfn, i))); + set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); + } +#ifdef CONFIG_HVM + else if ( p2m_is_pod(ot) ) + { + pod_lock(p2m); + BUG_ON(!p2m->pod.entry_count); + --p2m->pod.entry_count; + pod_unlock(p2m); + } +#endif + } + } + } else if ( p2m_is_ram(ot) ) { unsigned long i; @@ -1318,12 +1412,6 @@ set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); } } - - P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn)); - rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access); - if ( rc ) - gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n", - gfn_l, order, rc, mfn_x(mfn)); #ifdef CONFIG_HVM else if ( p2m_is_pod(ot) ) { diff -Nru xen-4.14.3/xen/arch/x86/setup.c xen-4.14.3+32-g9de3671772/xen/arch/x86/setup.c --- xen-4.14.3/xen/arch/x86/setup.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/setup.c 2021-11-23 12:30:09.000000000 +0000 @@ -658,6 +658,7 @@ static void __init noreturn reinit_bsp_stack(void) { unsigned long *stack = (void*)(get_stack_bottom() & ~(STACK_SIZE - 1)); + int rc; /* Update TSS and ISTs */ load_system_tables(); @@ -668,6 +669,10 @@ stack_base[0] = stack; memguard_guard_stack(stack); + rc = setup_cpu_root_pgt(0); + if ( rc ) + panic("Error %d setting up PV root page table\n", rc); + if ( IS_ENABLED(CONFIG_XEN_SHSTK) && cpu_has_xen_shstk ) { wrmsrl(MSR_PL0_SSP, diff -Nru xen-4.14.3/xen/arch/x86/smpboot.c xen-4.14.3+32-g9de3671772/xen/arch/x86/smpboot.c --- xen-4.14.3/xen/arch/x86/smpboot.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/smpboot.c 2021-11-23 12:30:09.000000000 +0000 @@ -785,7 +785,7 @@ extern const char _stextentry[], _etextentry[]; -static int setup_cpu_root_pgt(unsigned int cpu) +int setup_cpu_root_pgt(unsigned int cpu) { root_pgentry_t *rpt; unsigned int off; @@ -1102,8 +1102,6 @@ void __init smp_prepare_cpus(void) { - int rc; - register_cpu_notifier(&cpu_smpboot_nfb); mtrr_aps_sync_begin(); @@ -1117,10 +1115,7 @@ stack_base[0] = (void *)((unsigned long)stack_start & ~(STACK_SIZE - 1)); - rc = setup_cpu_root_pgt(0); - if ( rc ) - panic("Error %d setting up PV root page table\n", rc); - if ( per_cpu(root_pgt, 0) ) + if ( opt_xpti_hwdom || opt_xpti_domu ) { get_cpu_info()->pv_cr3 = 0; diff -Nru xen-4.14.3/xen/arch/x86/spec_ctrl.c xen-4.14.3+32-g9de3671772/xen/arch/x86/spec_ctrl.c --- xen-4.14.3/xen/arch/x86/spec_ctrl.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/spec_ctrl.c 2021-11-23 12:30:09.000000000 +0000 @@ -317,23 +317,40 @@ printk("Speculative mitigation facilities:\n"); - /* Hardware features which pertain to speculative mitigations. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", - (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", - (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", - (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", - (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", - (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", - (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "", - (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", - (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", - (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", - (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", - (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "", - (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", - (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "", - (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", - (caps & ARCH_CAPS_TAA_NO) ? " TAA_NO" : ""); + /* + * Hardware read-only information, stating immunity to certain issues, or + * suggestions of which mitigation to use. + */ + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s\n", + (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", + (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", + (caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL" : "", + (e8b & cpufeat_mask(X86_FEATURE_SSB_NO)) || + (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", + (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "", + (caps & ARCH_CAPS_TAA_NO) ? " TAA_NO" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : ""); + + /* Hardware features which need driving to mitigate issues. */ + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s\n", + (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || + (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || + (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS" : "", + (e8b & cpufeat_mask(X86_FEATURE_AMD_STIBP)) || + (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", + (e8b & cpufeat_mask(X86_FEATURE_AMD_SSBD)) || + (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", + (e8b & cpufeat_mask(X86_FEATURE_PSFD)) ? " PSFD" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "", + (e8b & cpufeat_mask(X86_FEATURE_VIRT_SSBD)) ? " VIRT_SSBD" : "", + (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : ""); /* Compiled-in support which pertains to mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) diff -Nru xen-4.14.3/xen/arch/x86/traps.c xen-4.14.3+32-g9de3671772/xen/arch/x86/traps.c --- xen-4.14.3/xen/arch/x86/traps.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/traps.c 2021-11-23 12:30:09.000000000 +0000 @@ -1975,7 +1975,7 @@ const char *err = "??"; unsigned int ec = regs->error_code; - if ( debugger_trap_entry(TRAP_debug, regs) ) + if ( debugger_trap_entry(X86_EXC_CP, regs) ) return; /* Decode ec if possible */ diff -Nru xen-4.14.3/xen/arch/x86/x86_64/compat.c xen-4.14.3+32-g9de3671772/xen/arch/x86/x86_64/compat.c --- xen-4.14.3/xen/arch/x86/x86_64/compat.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/x86_64/compat.c 2021-11-23 12:30:09.000000000 +0000 @@ -12,6 +12,7 @@ #define physdev_op_t physdev_op_compat_t #define do_physdev_op compat_physdev_op #define do_physdev_op_compat(x) compat_physdev_op_compat(_##x) +#define native compat #define COMPAT #define _XEN_GUEST_HANDLE(t) XEN_GUEST_HANDLE(t) diff -Nru xen-4.14.3/xen/arch/x86/x86_emulate/x86_emulate.c xen-4.14.3+32-g9de3671772/xen/arch/x86/x86_emulate/x86_emulate.c --- xen-4.14.3/xen/arch/x86/x86_emulate/x86_emulate.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/x86_emulate/x86_emulate.c 2021-11-23 12:30:09.000000000 +0000 @@ -10024,15 +10024,36 @@ for ( i = 0; op_mask; ++i ) { - long idx = b & 1 ? index.qw[i] : index.dw[i]; + long idx = (b & 1 ? index.qw[i] + : index.dw[i]) * (1 << state->sib_scale); + unsigned long offs = truncate_ea(ea.mem.off + idx); + unsigned int j, slot; if ( !(op_mask & (1 << i)) ) continue; - rc = ops->write(ea.mem.seg, - truncate_ea(ea.mem.off + - idx * (1 << state->sib_scale)), - (void *)mmvalp + i * op_bytes, op_bytes, ctxt); + /* + * hvmemul_linear_mmio_access() will find a cache slot based on + * linear address. hvmemul_phys_mmio_access() will crash the + * domain if observing varying data getting written to the same + * cache slot. Utilize that squashing earlier writes to fully + * overlapping addresses is permitted by the spec. We can't, + * however, drop the writes altogether, to maintain correct + * faulting behavior. Instead write the data from the last of + * the fully overlapping slots multiple times. + */ + for ( j = (slot = i) + 1; j < n; ++j ) + { + long idx2 = (b & 1 ? index.qw[j] + : index.dw[j]) * (1 << state->sib_scale); + + if ( (op_mask & (1 << j)) && + truncate_ea(ea.mem.off + idx2) == offs ) + slot = j; + } + + rc = ops->write(ea.mem.seg, offs, + (void *)mmvalp + slot * op_bytes, op_bytes, ctxt); if ( rc != X86EMUL_OKAY ) { /* See comment in gather emulation. */ diff -Nru xen-4.14.3/xen/arch/x86/xen.lds.S xen-4.14.3+32-g9de3671772/xen/arch/x86/xen.lds.S --- xen-4.14.3/xen/arch/x86/xen.lds.S 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/xen.lds.S 2021-11-23 12:30:09.000000000 +0000 @@ -18,7 +18,7 @@ #else /* !EFI */ #define FORMAT "elf64-x86-64" -#define DECL_SECTION(x) x : AT(ADDR(#x) - __XEN_VIRT_START) +#define DECL_SECTION(x) #x : AT(ADDR(#x) - __XEN_VIRT_START) ENTRY(start_pa) diff -Nru xen-4.14.3/xen/arch/x86/xstate.c xen-4.14.3+32-g9de3671772/xen/arch/x86/xstate.c --- xen-4.14.3/xen/arch/x86/xstate.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/arch/x86/xstate.c 2021-11-23 12:30:09.000000000 +0000 @@ -608,6 +608,13 @@ return; } + /* + * Zap the cached values to make set_xcr0() and set_msr_xss() really + * write it. + */ + this_cpu(xcr0) = 0; + this_cpu(xss) = ~0; + cpuid_count(XSTATE_CPUID, 0, &eax, &ebx, &ecx, &edx); BUG_ON((eax & XSTATE_FP_SSE) != XSTATE_FP_SSE); diff -Nru xen-4.14.3/xen/common/domain.c xen-4.14.3+32-g9de3671772/xen/common/domain.c --- xen-4.14.3/xen/common/domain.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/common/domain.c 2021-11-23 12:30:09.000000000 +0000 @@ -1498,6 +1498,8 @@ rc = map_vcpu_info(v, info.mfn, info.offset); domain_unlock(d); + force_update_vcpu_system_time(v); + break; } diff -Nru xen-4.14.3/xen/common/grant_table.c xen-4.14.3+32-g9de3671772/xen/common/grant_table.c --- xen-4.14.3/xen/common/grant_table.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/common/grant_table.c 2021-11-23 12:30:09.000000000 +0000 @@ -2319,7 +2319,8 @@ * pages when it is dying. */ if ( unlikely(e->is_dying) || - unlikely(domain_tot_pages(e) >= e->max_pages) ) + unlikely(domain_tot_pages(e) >= e->max_pages) || + unlikely(!(e->tot_pages + 1)) ) { spin_unlock(&e->page_alloc_lock); @@ -2328,8 +2329,8 @@ e->domain_id); else gdprintk(XENLOG_INFO, - "Transferee d%d has no headroom (tot %u, max %u)\n", - e->domain_id, domain_tot_pages(e), e->max_pages); + "Transferee %pd has no headroom (tot %u, max %u, ex %u)\n", + e, domain_tot_pages(e), e->max_pages, e->extra_pages); gop.status = GNTST_general_error; goto unlock_and_copyback; diff -Nru xen-4.14.3/xen/common/page_alloc.c xen-4.14.3+32-g9de3671772/xen/common/page_alloc.c --- xen-4.14.3/xen/common/page_alloc.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/common/page_alloc.c 2021-11-23 12:30:09.000000000 +0000 @@ -2298,20 +2298,43 @@ } else if ( !(memflags & MEMF_no_refcount) ) { - unsigned int tot_pages = domain_tot_pages(d) + (1 << order); + unsigned int tot_pages = domain_tot_pages(d), nr = 1u << order; if ( unlikely(tot_pages > d->max_pages) ) { - gprintk(XENLOG_INFO, "Over-allocation for domain %u: " - "%u > %u\n", d->domain_id, tot_pages, d->max_pages); + gprintk(XENLOG_INFO, "Inconsistent allocation for %pd: %u > %u\n", + d, tot_pages, d->max_pages); + rc = -EPERM; + goto out; + } + + if ( unlikely(nr > d->max_pages - tot_pages) ) + { + gprintk(XENLOG_INFO, "Over-allocation for %pd: %Lu > %u\n", + d, tot_pages + 0ull + nr, d->max_pages); rc = -E2BIG; goto out; } } - if ( !(memflags & MEMF_no_refcount) && - unlikely(domain_adjust_tot_pages(d, 1 << order) == (1 << order)) ) - get_knownalive_domain(d); + if ( !(memflags & MEMF_no_refcount) ) + { + unsigned int nr = 1u << order; + + if ( unlikely(d->tot_pages + nr < nr) ) + { + gprintk(XENLOG_INFO, + "Excess allocation for %pd: %Lu (%u extra)\n", + d, d->tot_pages + 0ull + nr, d->extra_pages); + if ( pg[0].count_info & PGC_extra ) + d->extra_pages -= nr; + rc = -E2BIG; + goto out; + } + + if ( unlikely(domain_adjust_tot_pages(d, nr) == nr) ) + get_knownalive_domain(d); + } for ( i = 0; i < (1 << order); i++ ) { diff -Nru xen-4.14.3/xen/drivers/passthrough/amd/iommu_cmd.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/amd/iommu_cmd.c --- xen-4.14.3/xen/drivers/passthrough/amd/iommu_cmd.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/amd/iommu_cmd.c 2021-11-23 12:30:09.000000000 +0000 @@ -309,14 +309,11 @@ spin_unlock_irqrestore(&iommu->lock, flags); } -static void amd_iommu_flush_all_iotlbs(struct domain *d, daddr_t daddr, +static void amd_iommu_flush_all_iotlbs(const struct domain *d, daddr_t daddr, unsigned int order) { struct pci_dev *pdev; - if ( !ats_enabled ) - return; - for_each_pdev( d, pdev ) { u8 devfn = pdev->devfn; @@ -347,7 +344,16 @@ } if ( ats_enabled ) + { amd_iommu_flush_all_iotlbs(d, daddr, order); + + /* + * Hidden devices are associated with DomXEN but usable by the + * hardware domain. Hence they need dealing with here as well. + */ + if ( is_hardware_domain(d) ) + amd_iommu_flush_all_iotlbs(dom_xen, daddr, order); + } } void amd_iommu_flush_all_pages(struct domain *d) diff -Nru xen-4.14.3/xen/drivers/passthrough/amd/pci_amd_iommu.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/amd/pci_amd_iommu.c --- xen-4.14.3/xen/drivers/passthrough/amd/pci_amd_iommu.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/amd/pci_amd_iommu.c 2021-11-23 12:30:09.000000000 +0000 @@ -155,14 +155,8 @@ int __init acpi_ivrs_init(void) { - if ( !iommu_enable && !iommu_intremap ) - return 0; - if ( (amd_iommu_detect_acpi() !=0) || (iommu_found() == 0) ) - { - iommu_intremap = iommu_intremap_off; return -ENODEV; - } iommu_init_ops = &_iommu_init_ops; diff -Nru xen-4.14.3/xen/drivers/passthrough/pci.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/pci.c --- xen-4.14.3/xen/drivers/passthrough/pci.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/pci.c 2021-11-23 12:30:09.000000000 +0000 @@ -375,8 +375,7 @@ /* update bus2bridge */ switch ( pdev->type = pdev_type(pseg->nr, bus, devfn) ) { - u16 cap; - u8 sec_bus, sub_bus; + unsigned int cap, sec_bus, sub_bus; case DEV_TYPE_PCIe2PCI_BRIDGE: case DEV_TYPE_LEGACY_PCI_BRIDGE: @@ -443,7 +442,7 @@ /* update bus2bridge */ switch ( pdev->type ) { - uint8_t sec_bus, sub_bus; + unsigned int sec_bus, sub_bus; case DEV_TYPE_PCIe2PCI_BRIDGE: case DEV_TYPE_LEGACY_PCI_BRIDGE: diff -Nru xen-4.14.3/xen/drivers/passthrough/vtd/dmar.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/vtd/dmar.c --- xen-4.14.3/xen/drivers/passthrough/vtd/dmar.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/vtd/dmar.c 2021-11-23 12:30:09.000000000 +0000 @@ -760,11 +760,7 @@ dmar = (struct acpi_table_dmar *)table; dmar_flags = dmar->flags; - if ( !iommu_enable && !iommu_intremap ) - { - ret = -EINVAL; - goto out; - } + ASSERT(iommu_enable || iommu_intremap); if ( !dmar->width ) { diff -Nru xen-4.14.3/xen/drivers/passthrough/vtd/iommu.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/vtd/iommu.c --- xen-4.14.3/xen/drivers/passthrough/vtd/iommu.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/vtd/iommu.c 2021-11-23 12:30:09.000000000 +0000 @@ -1486,7 +1486,8 @@ { struct acpi_drhd_unit *drhd; int ret = 0; - u8 seg = pdev->seg, bus = pdev->bus, secbus; + uint16_t seg = pdev->seg; + uint8_t bus = pdev->bus, secbus; drhd = acpi_find_matched_drhd_unit(pdev); if ( !drhd ) @@ -1673,14 +1674,36 @@ return rc; } +static bool any_pdev_behind_iommu(const struct domain *d, + const struct pci_dev *exclude, + const struct vtd_iommu *iommu) +{ + const struct pci_dev *pdev; + + for_each_pdev ( d, pdev ) + { + const struct acpi_drhd_unit *drhd; + + if ( pdev == exclude ) + continue; + + drhd = acpi_find_matched_drhd_unit(pdev); + if ( drhd && drhd->iommu == iommu ) + return true; + } + + return false; +} + static int domain_context_unmap(struct domain *domain, u8 devfn, struct pci_dev *pdev) { struct acpi_drhd_unit *drhd; struct vtd_iommu *iommu; int ret = 0; - u8 seg = pdev->seg, bus = pdev->bus, tmp_bus, tmp_devfn, secbus; - int found = 0; + uint16_t seg = pdev->seg; + uint8_t bus = pdev->bus, tmp_bus, tmp_devfn, secbus; + bool found; drhd = acpi_find_matched_drhd_unit(pdev); if ( !drhd ) @@ -1765,23 +1788,18 @@ goto out; /* - * if no other devices under the same iommu owned by this domain, - * clear iommu in iommu_bitmap and clear domain_id in domid_bitmp + * If no other devices under the same iommu owned by this domain, + * clear iommu in iommu_bitmap and clear domain_id in domid_bitmap. */ - for_each_pdev ( domain, pdev ) - { - if ( pdev->seg == seg && pdev->bus == bus && pdev->devfn == devfn ) - continue; - - drhd = acpi_find_matched_drhd_unit(pdev); - if ( drhd && drhd->iommu == iommu ) - { - found = 1; - break; - } - } + found = any_pdev_behind_iommu(domain, pdev, iommu); + /* + * Hidden devices are associated with DomXEN but usable by the hardware + * domain. Hence they need considering here as well. + */ + if ( !found && is_hardware_domain(domain) ) + found = any_pdev_behind_iommu(dom_xen, pdev, iommu); - if ( found == 0 ) + if ( !found ) { clear_bit(iommu->index, &dom_iommu(domain)->arch.iommu_bitmap); cleanup_domid_map(domain, iommu); @@ -2408,7 +2426,7 @@ ret = iommu_identity_mapping(source, p2m_access_x, rmrr->base_address, rmrr->end_address, 0); - if ( ret != -ENOENT ) + if ( ret && ret != -ENOENT ) return ret; } } diff -Nru xen-4.14.3/xen/drivers/passthrough/x86/iommu.c xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/x86/iommu.c --- xen-4.14.3/xen/drivers/passthrough/x86/iommu.c 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/drivers/passthrough/x86/iommu.c 2021-11-23 12:30:09.000000000 +0000 @@ -39,6 +39,24 @@ bool __read_mostly iommu_intpost; #endif +void __init acpi_iommu_init(void) +{ + int ret; + + if ( !iommu_enable && !iommu_intremap ) + return; + + ret = acpi_dmar_init(); + if ( ret == -ENODEV ) + ret = acpi_ivrs_init(); + + if ( ret ) + { + iommu_enable = false; + iommu_intremap = iommu_intremap_off; + } +} + int __init iommu_hardware_setup(void) { struct IO_APIC_route_entry **ioapic_entries = NULL; diff -Nru xen-4.14.3/xen/include/asm-arm/time.h xen-4.14.3+32-g9de3671772/xen/include/asm-arm/time.h --- xen-4.14.3/xen/include/asm-arm/time.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-arm/time.h 2021-11-23 12:30:09.000000000 +0000 @@ -66,6 +66,8 @@ void preinit_xen_time(void); +void force_update_vcpu_system_time(struct vcpu *v); + #endif /* __ARM_TIME_H__ */ /* * Local variables: diff -Nru xen-4.14.3/xen/include/asm-x86/acpi.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/acpi.h --- xen-4.14.3/xen/include/asm-x86/acpi.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/acpi.h 2021-11-23 12:30:09.000000000 +0000 @@ -141,16 +141,10 @@ extern u32 pmtmr_ioport; extern unsigned int pmtmr_width; +void acpi_iommu_init(void); int acpi_dmar_init(void); int acpi_ivrs_init(void); -static inline int acpi_iommu_init(void) -{ - int ret = acpi_dmar_init(); - - return ret == -ENODEV ? acpi_ivrs_init() : ret; -} - void acpi_mmcfg_init(void); /* Incremented whenever we transition through S3. Value is 1 during boot. */ diff -Nru xen-4.14.3/xen/include/asm-x86/cpufeature.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/cpufeature.h --- xen-4.14.3/xen/include/asm-x86/cpufeature.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/cpufeature.h 2021-11-23 12:30:09.000000000 +0000 @@ -125,6 +125,11 @@ /* CPUID level 0x80000007.edx */ #define cpu_has_itsc boot_cpu_has(X86_FEATURE_ITSC) +/* CPUID level 0x80000008.ebx */ +#define cpu_has_amd_ssbd boot_cpu_has(X86_FEATURE_AMD_SSBD) +#define cpu_has_virt_ssbd boot_cpu_has(X86_FEATURE_VIRT_SSBD) +#define cpu_has_ssb_no boot_cpu_has(X86_FEATURE_SSB_NO) + /* CPUID level 0x00000007:0.edx */ #define cpu_has_avx512_4vnniw boot_cpu_has(X86_FEATURE_AVX512_4VNNIW) #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) diff -Nru xen-4.14.3/xen/include/asm-x86/hvm/svm/svm.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/hvm/svm/svm.h --- xen-4.14.3/xen/include/asm-x86/hvm/svm/svm.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/hvm/svm/svm.h 2021-11-23 12:30:09.000000000 +0000 @@ -74,6 +74,7 @@ #define SVM_FEATURE_PAUSETHRESH 12 /* Pause intercept filter support */ #define SVM_FEATURE_VLOADSAVE 15 /* virtual vmload/vmsave */ #define SVM_FEATURE_VGIF 16 /* Virtual GIF */ +#define SVM_FEATURE_SPEC_CTRL 20 /* MSR_SPEC_CTRL virtualisation */ #define cpu_has_svm_feature(f) (svm_feature_flags & (1u << (f))) #define cpu_has_svm_npt cpu_has_svm_feature(SVM_FEATURE_NPT) @@ -88,6 +89,7 @@ #define cpu_has_pause_thresh cpu_has_svm_feature(SVM_FEATURE_PAUSETHRESH) #define cpu_has_tsc_ratio cpu_has_svm_feature(SVM_FEATURE_TSCRATEMSR) #define cpu_has_svm_vloadsave cpu_has_svm_feature(SVM_FEATURE_VLOADSAVE) +#define cpu_has_svm_spec_ctrl cpu_has_svm_feature(SVM_FEATURE_SPEC_CTRL) #define SVM_PAUSEFILTER_INIT 4000 #define SVM_PAUSETHRESH_INIT 1000 diff -Nru xen-4.14.3/xen/include/asm-x86/hvm/svm/vmcb.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/hvm/svm/vmcb.h --- xen-4.14.3/xen/include/asm-x86/hvm/svm/vmcb.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/hvm/svm/vmcb.h 2021-11-23 12:30:09.000000000 +0000 @@ -515,7 +515,9 @@ u64 _lastbranchtoip; /* cleanbit 10 */ u64 _lastintfromip; /* cleanbit 10 */ u64 _lastinttoip; /* cleanbit 10 */ - u64 res17[301]; + u64 res17[9]; + u64 spec_ctrl; + u64 res18[291]; }; struct svm_domain { diff -Nru xen-4.14.3/xen/include/asm-x86/msr-index.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/msr-index.h --- xen-4.14.3/xen/include/asm-x86/msr-index.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/msr-index.h 2021-11-23 12:30:09.000000000 +0000 @@ -33,6 +33,7 @@ #define SPEC_CTRL_IBRS (_AC(1, ULL) << 0) #define SPEC_CTRL_STIBP (_AC(1, ULL) << 1) #define SPEC_CTRL_SSBD (_AC(1, ULL) << 2) +#define SPEC_CTRL_PSFD (_AC(1, ULL) << 7) #define MSR_PRED_CMD 0x00000049 #define PRED_CMD_IBPB (_AC(1, ULL) << 0) @@ -129,6 +130,8 @@ #define MSR_F15H_CU_POWER 0xc001007a #define MSR_F15H_CU_MAX_POWER 0xc001007b +#define MSR_VIRT_SPEC_CTRL 0xc001011f /* Layout matches MSR_SPEC_CTRL */ + #define MSR_AMD_RAPL_POWER_UNIT 0xc0010299 #define MSR_AMD_CORE_ENERGY_STATUS 0xc001029a #define MSR_AMD_PKG_ENERGY_STATUS 0xc001029b diff -Nru xen-4.14.3/xen/include/asm-x86/paging.h xen-4.14.3+32-g9de3671772/xen/include/asm-x86/paging.h --- xen-4.14.3/xen/include/asm-x86/paging.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/asm-x86/paging.h 2021-11-23 12:30:09.000000000 +0000 @@ -391,11 +391,18 @@ { unsigned int bits = paging_mode_hap(d) ? hap_paddr_bits : paddr_bits; - if ( !IS_ENABLED(CONFIG_BIGMEM) && paging_mode_shadow(d) && - !is_pv_domain(d) ) + if ( paging_mode_external(d) ) { - /* Shadowed superpages store GFNs in 32-bit page_info fields. */ - bits = min(bits, 32U + PAGE_SHIFT); + if ( !IS_ENABLED(CONFIG_BIGMEM) && paging_mode_shadow(d) ) + { + /* Shadowed superpages store GFNs in 32-bit page_info fields. */ + bits = min(bits, 32U + PAGE_SHIFT); + } + else + { + /* Both p2m-ept and p2m-pt only support 4-level page tables. */ + bits = min(bits, 48U); + } } return bits; diff -Nru xen-4.14.3/xen/include/public/arch-x86/cpufeatureset.h xen-4.14.3+32-g9de3671772/xen/include/public/arch-x86/cpufeatureset.h --- xen-4.14.3/xen/include/public/arch-x86/cpufeatureset.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/public/arch-x86/cpufeatureset.h 2021-11-23 12:30:09.000000000 +0000 @@ -254,7 +254,17 @@ XEN_CPUFEATURE(RSTR_FP_ERR_PTRS, 8*32+ 2) /*A (F)X{SAVE,RSTOR} always saves/restores FPU Error pointers */ XEN_CPUFEATURE(WBNOINVD, 8*32+ 9) /* WBNOINVD instruction */ XEN_CPUFEATURE(IBPB, 8*32+12) /*A IBPB support only (no IBRS, used by AMD) */ +XEN_CPUFEATURE(IBRS, 8*32+14) /* MSR_SPEC_CTRL.IBRS */ +XEN_CPUFEATURE(AMD_STIBP, 8*32+15) /* MSR_SPEC_CTRL.STIBP */ +XEN_CPUFEATURE(IBRS_ALWAYS, 8*32+16) /* IBRS preferred always on */ +XEN_CPUFEATURE(STIBP_ALWAYS, 8*32+17) /* STIBP preferred always on */ +XEN_CPUFEATURE(IBRS_FAST, 8*32+18) /* IBRS preferred over software options */ +XEN_CPUFEATURE(IBRS_SAME_MODE, 8*32+19) /* IBRS provides same-mode protection */ XEN_CPUFEATURE(AMD_PPIN, 8*32+23) /* Protected Processor Inventory Number */ +XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /* MSR_SPEC_CTRL.SSBD available */ +XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ +XEN_CPUFEATURE(SSB_NO, 8*32+26) /* Hardware not vulnerable to SSB */ +XEN_CPUFEATURE(PSFD, 8*32+28) /* MSR_SPEC_CTRL.PSFD */ /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ diff -Nru xen-4.14.3/xen/include/public/grant_table.h xen-4.14.3+32-g9de3671772/xen/include/public/grant_table.h --- xen-4.14.3/xen/include/public/grant_table.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/public/grant_table.h 2021-11-23 12:30:09.000000000 +0000 @@ -121,8 +121,9 @@ */ /* - * Version 1 of the grant table entry structure is maintained purely - * for backwards compatibility. New guests should use version 2. + * Version 1 of the grant table entry structure is maintained largely for + * backwards compatibility. New guests are recommended to support using + * version 2 to overcome version 1 limitations, but to default to version 1. */ #if __XEN_INTERFACE_VERSION__ < 0x0003020a #define grant_entry_v1 grant_entry diff -Nru xen-4.14.3/xen/include/xen/smp.h xen-4.14.3+32-g9de3671772/xen/include/xen/smp.h --- xen-4.14.3/xen/include/xen/smp.h 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/include/xen/smp.h 2021-11-23 12:30:09.000000000 +0000 @@ -70,5 +70,6 @@ extern void *stack_base[NR_CPUS]; void initialize_cpu_data(unsigned int cpu); +int setup_cpu_root_pgt(unsigned int cpu); #endif /* __XEN_SMP_H__ */ diff -Nru xen-4.14.3/xen/xsm/flask/Makefile xen-4.14.3+32-g9de3671772/xen/xsm/flask/Makefile --- xen-4.14.3/xen/xsm/flask/Makefile 2021-09-10 12:30:40.000000000 +0000 +++ xen-4.14.3+32-g9de3671772/xen/xsm/flask/Makefile 2021-11-23 12:30:09.000000000 +0000 @@ -46,7 +46,9 @@ POLICY_SRC := $(FLASK_BUILD_DIR)/xenpolicy-$(XEN_FULLVERSION) policy.bin: FORCE - $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C $(XEN_ROOT)/tools/flask/policy FLASK_BUILD_DIR=$(FLASK_BUILD_DIR) + $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common \ + -C $(XEN_ROOT)/tools/flask/policy \ + FLASK_BUILD_DIR=$(FLASK_BUILD_DIR) POLICY_FILENAME=$(POLICY_SRC) cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@ .PHONY: clean