Mailing List Archive

[XEN v6 1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option
There can be situations when the registers cannot be emulated to their full
functionality. This can be due to the complexity involved. In such cases, one
can emulate those registers as RAZ/WI for example. We call this partial
emulation.

Some registers are non-optional and as such there is nothing preventing an OS
from accessing them.
Instead of injecting an undefined exception (which might result in crashing a
guest), one may prefer partial emulation to let the guest keep running
(in some cases accepting the fact that it might result in unwanted behavior).

A suitable example of this (as seen in subsequent patches) is emulation of
DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT (on Arm32). These non-optional
registers can be emulated as RAZ/WI and they can be enclosed within
CONFIG_PARTIAL_EMULATION.

Further, the "partial-emulation" command line option allows us to
enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION
enables support for partial emulation at compile time (i.e. adds code for
partial emulation), this option may be enabled or disabled by Yocto or other
build systems. However, if the build system turns this option on, users
can use scripts like Imagebuilder to generate a uboot-script which will append
"partial-emulation=true" to the Xen command line to turn on partial emulation.
Thus, it helps to avoid rebuilding Xen.

By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false".
This is done so that Xen supports partial emulation. However, customers are
fully aware when they enable partial emulation. It's important to note that
enabling such support might result in unwanted/non-spec compliant behavior.

Added a note in SUPPORT.md to clarify the security support for partial
emulation.

Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
---

Changes from v1 :-
1. New patch introduced in v2.

v2 :-
1. Reordered the patches so that the config and command line option is
introduced in the first patch.

v3 :-
1. Defined a macro 'partial_emulation' to reduce if-defs.
2. Fixed style issues.

v4 :-
1. Added a note in SUPPORT.md.

v5 :-
1. Dropped R-b
2. Update the commit message and Kconfig message.
3. Update 'SUPPORT.md' message.

SUPPORT.md | 9 +++++++++
docs/misc/xen-command-line.pandoc | 11 +++++++++++
xen/arch/arm/Kconfig | 9 +++++++++
xen/arch/arm/include/asm/traps.h | 6 ++++++
xen/arch/arm/traps.c | 9 +++++++++
5 files changed, 44 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index 7eb6875cfa..b49da114ab 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -102,6 +102,15 @@ Extension to the GICv3 interrupt controller to support MSI.

Status: Experimental

+### ARM/Partial Emulation
+
+Enable partial emulation of registers, otherwise considered unimplemented,
+that would normally trigger a fault injection.
+
+ Status: Supported, with caveats
+
+Only the following system registers are security supported:
+
### ARM Scalable Vector Extension (SVE/SVE2)

Arm64 domains can use Scalable Vector Extension (SVE/SVE2).
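Review bot: The added sentence "Only the following system registers are security supported:" in the new ARM/Partial Emulation section ends in a colon with no list after it; the next line is the existing SVE heading. Taken on its own, this patch therefore promises a set of security-supported registers and names none, which leaves the security support scope undefined. Either add a placeholder entry such as "N/A" here, or move the sentence into the patch that introduces the first emulated register. The "Supported, with caveats" status would also read better if the caveat itself (possible non-spec compliant behavior when the option is on) were stated in this section.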
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 02896598df..023c5e7225 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1942,6 +1942,17 @@ This option is ignored in **pv-shim** mode.

> Default: `on`

+### partial-emulation (arm)
+> `= <boolean>`
+
+> Default: `false`
+
+Flag to enable or disable partial emulation of system/coprocessor registers.
+Only effective if CONFIG_PARTIAL_EMULATION is enabled.
+
+**WARNING: Enabling this option might result in unwanted/non-spec compliant
+behavior.**
+
### pci
= List of [ serr=<bool>, perr=<bool> ]

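Review bot: The new `partial-emulation` entry does not tell the reader which registers the flag affects or where their security support status is recorded. A one-line pointer to the "ARM/Partial Emulation" section of SUPPORT.md would let an administrator check what they are opting into before setting `partial-emulation=true`. The sentence "Only effective if CONFIG_PARTIAL_EMULATION is enabled" could also state what happens on a build without it, since the `boolean_param` in traps.c is inside the `#ifdef` and the option is then not registered at all.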
diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 40f834bb71..f8139a773a 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -234,6 +234,15 @@ config STATIC_EVTCHN
This option enables establishing static event channel communication
between domains on a dom0less system (domU-domU as well as domU-dom0).

+config PARTIAL_EMULATION
+ bool "Enable partial emulation of system/coprocessor registers"
+ default y
+ help
+ This option enables partial emulation of registers to prevent possible
+ guests crashing when accessing registers which are not optional but have
+ not been emulated to their complete functionality. Enabling this might
+ result in unwanted/non-spec compliant behavior.
+
endmenu

menu "ARM errata workaround via the alternative framework"
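Review bot: The help text for `PARTIAL_EMULATION` says "Enabling this might result in unwanted/non-spec compliant behavior", but with `default y` it should make clear that selecting the Kconfig option only compiles the support in, and that behavior changes only when `partial-emulation` is also enabled on the Xen command line (documented default `false`). Without that, someone auditing a .config sees `default y` next to a warning and cannot tell that the shipped default is still off. Suggest adding a sentence naming the command line option, and rewording "to prevent possible guests crashing" to "to prevent guests from crashing".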
diff --git a/xen/arch/arm/include/asm/traps.h b/xen/arch/arm/include/asm/traps.h
index 883dae368e..9a60dbf70e 100644
--- a/xen/arch/arm/include/asm/traps.h
+++ b/xen/arch/arm/include/asm/traps.h
@@ -10,6 +10,12 @@
# include <asm/arm64/traps.h>
#endif

+#ifdef CONFIG_PARTIAL_EMULATION
+extern bool partial_emulation;
+#else
+#define partial_emulation false
+#endif
+
/*
* GUEST_BUG_ON is intended for checking that the guest state has not been
* corrupted in hardware and/or that the hardware behaves as we
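Review bot: In the `#else` branch, `#define partial_emulation false` turns the name into a literal, so any later code that assigns to `partial_emulation` or takes its address will build with CONFIG_PARTIAL_EMULATION=y and fail only in the disabled configuration. A short comment above the block stating that the symbol is read-only for callers, and that the constant exists so guarded emulation paths compile out without extra `#ifdef`s, would document the intent. The `extern bool partial_emulation;` declaration also has no comment in the header; the description currently lives only in traps.c.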
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 9c10e8f78c..d1c7a6c516 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -42,6 +42,15 @@
#include <asm/vgic.h>
#include <asm/vtimer.h>

+/*
+ * partial_emulation: If true, partial emulation for system/coprocessor
+ * registers will be enabled.
+ */
+#ifdef CONFIG_PARTIAL_EMULATION
+bool __ro_after_init partial_emulation = false;
+boolean_param("partial-emulation", partial_emulation);
+#endif
+
/* The base of the stack must always be double-word aligned, which means
* that both the kernel half of struct cpu_user_regs (which is pushed in
* entry.S) and struct cpu_info (which lives at the bottom of a Xen
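Review bot: The comment describing `partial_emulation` sits above the `#ifdef CONFIG_PARTIAL_EMULATION`, so it remains in the file for builds where the variable does not exist; moving it inside the `#ifdef` keeps the comment and definition together. The explicit `= false` initializer is redundant for a variable with static storage, although keeping it to make the default visible is defensible; if it stays, the comment could say that the default is off and that the value is fixed after boot, which is what `__ro_after_init` and `boolean_param("partial-emulation", ...)` together imply.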
--
2.25.1
Re: [XEN v6 1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option
Hi,

On 07/03/2024 12:39, Ayan Kumar Halder wrote:
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 7eb6875cfa..b49da114ab 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -102,6 +102,15 @@ Extension to the GICv3 interrupt controller to support MSI.
>
> Status: Experimental
>
> +### ARM/Partial Emulation
> +
> +Enable partial emulation of registers, otherwise considered unimplemented,
> +that would normally trigger a fault injection.
> +
> + Status: Supported, with caveats
> +
> +Only the following system registers are security supported:

This reads slightly odd. I would have expected a few more registers
afterwards. I would have considered to move this sentence to patch #2 or
maybe N/A. Anyway, that's not too important (the patch doesn't make
sense without the next one). So:

Acked-by: Julien Grall <jgrall@amazon.com>

Cheers,

--
Julien Grall