[v6,05/44] x86/boot: introduce struct boot_module

Message ID	20241017170325.3842-6-dpsmith@apertussolutions.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> From: "Daniel P. Smith" <dpsmith@apertussolutions.com> To: xen-devel@lists.xenproject.org Cc: "Daniel P. Smith" <dpsmith@apertussolutions.com>, jason.andryuk@amd.com, christopher.w.clark@gmail.com, stefano.stabellini@amd.com, Jan Beulich <jbeulich@suse.com>, Andrew Cooper <andrew.cooper3@citrix.com>, =?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com> Subject: [PATCH v6 05/44] x86/boot: introduce struct boot_module Date: Thu, 17 Oct 2024 13:02:45 -0400 Message-Id: <20241017170325.3842-6-dpsmith@apertussolutions.com> In-Reply-To: <20241017170325.3842-1-dpsmith@apertussolutions.com> References: <20241017170325.3842-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Boot modules for Hyperlaunch \| expand [v6,00/44] Boot modules for Hyperlaunch [v6,01/44] x86/boot: move x86 boot module counting into a new boot_info struct [v6,02/44] x86/boot: move boot loader name to boot info [v6,03/44] x86/boot: move cmdline to boot info [v6,04/44] x86/boot: move mmap info to boot info [v6,05/44] x86/boot: introduce struct boot_module [v6,06/44] x86/boot: convert consider_modules to struct boot_module [v6,07/44] x86/boot: move headroom to boot modules [v6,08/44] x86/boot: convert mod refs to boot_module mod [v6,09/44] x86/boot: introduce boot module types [v6,10/44] x86/boot: introduce boot module flags [v6,11/44] x86/boot: add start and size fields to struct boot_module [v6,12/44] x86/boot: update struct boot_module on module relocation [v6,13/44] x86/boot: transition relocation calculations to struct boot_module [v6,14/44] x86/boot: introduce boot module interator [v6,15/44] x86/boot: introduce consumed flag for struct boot_module [v6,16/44] x86/boot: split bootstrap_map_addr() out of bootstrap_map() [v6,17/44] x86/boot: convert microcode loading to consume struct boot_info [v6,18/44] x86/boot: convert late microcode loading to struct boot_module [v6,19/44] x86/boot: use consumed boot module flag for microcode [v6,20/44] x86/boot: convert xsm policy loading to struct boot_module [v6,21/44] x86/boot: convert ramdisk locating to struct boot_module [v6,22/44] x86/boot: remove module_map usage from microcode loading [v6,23/44] x86/boot: remove module_map usage from xsm policy loading [v6,24/44] x86/boot: remove module_map usage by ramdisk loading [v6,25/44] x86/boot: convert create_dom0 to use boot info [v6,26/44] x86/boot: convert construct_dom0 to use struct boot_module [v6,27/44] x86/boot: relocate kextra into boot info [v6,28/44] x86/boot: add cmdline to struct boot_module [v6,29/44] x86/boot: convert dom0_construct_pv image param to struct boot_module [v6,30/44] x86/boot: convert dom0_construct_pv initrd param to struct boot_module [v6,31/44] x86/boot: convert dom0_construct_pvh to struct boot_module [v6,32/44] x86/boot: convert pvh_load_kernel to struct boot_module [v6,33/44] x86/boot: convert initial_images to struct boot_module [v6,34/44] x86/boot: drop the use of initial_images unit global [v6,35/44] x86/boot: remove usage of mod_end by discard_initial_images [v6,36/44] x86/boot: remove remaining module_t references [v6,37/44] x86/boot: remove mod from struct boot_module [v6,38/44] x86/boot: introduce boot domain [v6,39/44] x86/boot: introduce domid field to struct boot_domain [v6,40/44] x86/boot: add cmdline to struct boot_domain [v6,41/44] x86/boot: add struct domain to struct boot_domain [v6,42/44] x86/boot: convert construct_dom0 to struct boot_domain [v6,43/44] x86/boot: convert dom0_construct_pv to struct boot_domain [v6,44/44] x86/boot: convert dom0_construct_pvh to struct boot_domain

Message ID

20241017170325.3842-6-dpsmith@apertussolutions.com (mailing list archive)

State

Superseded

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
To: xen-devel@lists.xenproject.org
Cc: "Daniel P. Smith" <dpsmith@apertussolutions.com>, jason.andryuk@amd.com,
 christopher.w.clark@gmail.com, stefano.stabellini@amd.com,
 Jan Beulich <jbeulich@suse.com>, Andrew Cooper <andrew.cooper3@citrix.com>,
	=?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com>
Subject: [PATCH v6 05/44] x86/boot: introduce struct boot_module
Date: Thu, 17 Oct 2024 13:02:45 -0400
Message-Id: <20241017170325.3842-6-dpsmith@apertussolutions.com>
In-Reply-To: <20241017170325.3842-1-dpsmith@apertussolutions.com>
References: <20241017170325.3842-1-dpsmith@apertussolutions.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Boot modules for Hyperlaunch | expand

Commit Message

Daniel P. Smith Oct. 17, 2024, 5:02 p.m. UTC

This will introduce a new struct boot_module to provide a rich state
representation around modules provided by the boot loader. Support is for 64
boot modules, one held in reserve for Xen, and up to 63 can be provided by the
boot loader. The array of struct boot_modules will be accessible via a
reference held in struct boot_info.

A temporary `mod` parameter is included in struct boot_module to ease the
transition from using Multiboot v1 structures over to struct boot_module. Once
the transition is complete, the parameter will be dropped from the structure.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
---
Changes since v5:
- reword comment
---
 xen/arch/x86/include/asm/bootinfo.h | 10 ++++++++++
 xen/arch/x86/setup.c                |  9 +++++++++
 2 files changed, 19 insertions(+)

Comments

Andrew Cooper Oct. 17, 2024, 9:02 p.m. UTC | #1

On 17/10/2024 6:02 pm, Daniel P. Smith wrote:
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index f7ea482920ef..d8ee5741740a 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -284,6 +284,8 @@ static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
>  {
>      struct boot_info *bi = &xen_boot_info;
>      const multiboot_info_t *mbi = __va(mbi_p);
> +    module_t *mods = __va(mbi->mods_addr);
> +    unsigned int i;
>  
>      bi->nr_modules = (mbi->flags & MBI_MODULES) ? mbi->mods_count : 0;
>  
> @@ -302,6 +304,13 @@ static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
>          bi->memmap_length = mbi->mmap_length;
>      }
>  
> +    /*
> +     * Iterate over all modules, including the extra one which should have been
> +     * reserved for Xen itself
> +     */
> +    for ( i = 0; i <= bi->nr_modules; i++ )
> +        bi->mods[i].mod = &mods[i];

I'm afraid you've got a bug here.  bi->nr_modules is unsanitised from
firmware at this point.

It's checked/clamped later in __start_xen(), but not before you've
potentially scribbled past the end of bi->mod[] in this loop.

I think we want to retain the warning from clamping (which needs to be
after printk() is set up, so after parsing the cmdline), so to
compensate I think you want:

    i < ARRAY_SIZE(bi->mods) && i <= bi->nr_modules

as the loop condition here, and a note to this effect.  I'm not sure
what I think about passing exactly 64 modules, and this interacting with
the Xen slot.

However, you also want to move part of "x86/boot: convert create_dom0 to
use boot info" into this patch.

Specifically, the conversion from sizeof(module_map)*8 to
MAX_NR_BOOTMODS, or there's also a latent bug that depends Xen being
compiled as 64bit (unsigned long vs MAX_NR_BOOTMODS).

~Andrew

Daniel P. Smith Oct. 18, 2024, 12:15 a.m. UTC | #2

On 10/17/24 17:02, Andrew Cooper wrote:
> On 17/10/2024 6:02 pm, Daniel P. Smith wrote:
>> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
>> index f7ea482920ef..d8ee5741740a 100644
>> --- a/xen/arch/x86/setup.c
>> +++ b/xen/arch/x86/setup.c
>> @@ -284,6 +284,8 @@ static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
>>   {
>>       struct boot_info *bi = &xen_boot_info;
>>       const multiboot_info_t *mbi = __va(mbi_p);
>> +    module_t *mods = __va(mbi->mods_addr);
>> +    unsigned int i;
>>   
>>       bi->nr_modules = (mbi->flags & MBI_MODULES) ? mbi->mods_count : 0;
>>   
>> @@ -302,6 +304,13 @@ static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
>>           bi->memmap_length = mbi->mmap_length;
>>       }
>>   
>> +    /*
>> +     * Iterate over all modules, including the extra one which should have been
>> +     * reserved for Xen itself
>> +     */
>> +    for ( i = 0; i <= bi->nr_modules; i++ )
>> +        bi->mods[i].mod = &mods[i];
> 
> I'm afraid you've got a bug here.  bi->nr_modules is unsanitised from
> firmware at this point.
> 
> It's checked/clamped later in __start_xen(), but not before you've
> potentially scribbled past the end of bi->mod[] in this loop.
> 
> I think we want to retain the warning from clamping (which needs to be
> after printk() is set up, so after parsing the cmdline), so to
> compensate I think you want:
> 
>      i < ARRAY_SIZE(bi->mods) && i <= bi->nr_modules
> 
> as the loop condition here, and a note to this effect.  I'm not sure
> what I think about passing exactly 64 modules, and this interacting with
> the Xen slot.

Completely agree. I think Alejandro was trying to call that out and I 
missed his point. Will fix.

> However, you also want to move part of "x86/boot: convert create_dom0 to
> use boot info" into this patch.
> 
> Specifically, the conversion from sizeof(module_map)*8 to
> MAX_NR_BOOTMODS, or there's also a latent bug that depends Xen being
> compiled as 64bit (unsigned long vs MAX_NR_BOOTMODS).

You are right, we should truncate to MAX_NR_BOOTMODS at this point and 
not later.

v/r,
dps

diff --git a/xen/arch/x86/include/asm/bootinfo.h b/xen/arch/x86/include/asm/bootinfo.h
index f75a7e72a700..d19473d8941e 100644
--- a/xen/arch/x86/include/asm/bootinfo.h
+++ b/xen/arch/x86/include/asm/bootinfo.h
@@ -8,8 +8,17 @@ 
 #ifndef __XEN_X86_BOOTINFO_H__
 #define __XEN_X86_BOOTINFO_H__
 
+#include <xen/multiboot.h>
 #include <xen/types.h>
 
+/* Max number of boot modules a bootloader can provide in addition to Xen */
+#define MAX_NR_BOOTMODS 63
+
+struct boot_module {
+    /* Transitionary only */
+    module_t *mod;
+};
+
 /*
  * Xen internal representation of information provided by the
  * bootloader/environment, or derived from the information.
@@ -22,6 +31,7 @@  struct boot_info {
     size_t memmap_length;
 
     unsigned int nr_modules;
+    struct boot_module mods[MAX_NR_BOOTMODS + 1];
 };
 
 #endif /* __XEN_X86_BOOTINFO_H__ */
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index f7ea482920ef..d8ee5741740a 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -284,6 +284,8 @@  static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
 {
     struct boot_info *bi = &xen_boot_info;
     const multiboot_info_t *mbi = __va(mbi_p);
+    module_t *mods = __va(mbi->mods_addr);
+    unsigned int i;
 
     bi->nr_modules = (mbi->flags & MBI_MODULES) ? mbi->mods_count : 0;
 
@@ -302,6 +304,13 @@  static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
         bi->memmap_length = mbi->mmap_length;
     }
 
+    /*
+     * Iterate over all modules, including the extra one which should have been
+     * reserved for Xen itself
+     */
+    for ( i = 0; i <= bi->nr_modules; i++ )
+        bi->mods[i].mod = &mods[i];
+
     return bi;
 }

[v6,05/44] x86/boot: introduce struct boot_module

Commit Message

Comments

Patch