KVM: x86: allow compiling out the Xen hypercall interface
The Xen hypercall interface adds to the attack surface of the hypervisor and will be used quite rarely. Allow compiling it out. Suggested-by: Christoph Hellwig <hch@lst.de> Reviewed-by: David Woodhouse <dwmw@amazon.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent
c462f859f8
commit
b59b153d10
@ -103,6 +103,15 @@ config KVM_AMD_SEV
|
|||||||
Provides support for launching Encrypted VMs (SEV) and Encrypted VMs
|
Provides support for launching Encrypted VMs (SEV) and Encrypted VMs
|
||||||
with Encrypted State (SEV-ES) on AMD processors.
|
with Encrypted State (SEV-ES) on AMD processors.
|
||||||
|
|
||||||
|
config KVM_XEN
|
||||||
|
bool "Support for Xen hypercall interface"
|
||||||
|
depends on KVM
|
||||||
|
help
|
||||||
|
Provides KVM support for the hosting Xen HVM guests and
|
||||||
|
passing Xen hypercalls to userspace.
|
||||||
|
|
||||||
|
If in doubt, say "N".
|
||||||
|
|
||||||
config KVM_MMU_AUDIT
|
config KVM_MMU_AUDIT
|
||||||
bool "Audit KVM MMU"
|
bool "Audit KVM MMU"
|
||||||
depends on KVM && TRACEPOINTS
|
depends on KVM && TRACEPOINTS
|
||||||
|
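Review bot: The help text of the new config KVM_XEN entry reads awkwardly; `Provides KVM support for the hosting Xen HVM guests and` should be `Provides KVM support for hosting Xen HVM guests and`. Because the entry carries no `default`, the option is off unless explicitly selected, which matches the commit's stated goal of keeping the Xen hypercall surface out of builds that do not need it. It would help distributions deciding what to enable if the help text also said that userspace detects the feature through KVM_CAP_XEN_HVM, which the x86.c hunk hides under the same option.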
@ -14,11 +14,12 @@ kvm-y += $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o \
|
|||||||
$(KVM)/dirty_ring.o
|
$(KVM)/dirty_ring.o
|
||||||
kvm-$(CONFIG_KVM_ASYNC_PF) += $(KVM)/async_pf.o
|
kvm-$(CONFIG_KVM_ASYNC_PF) += $(KVM)/async_pf.o
|
||||||
|
|
||||||
kvm-y += x86.o emulate.o i8259.o irq.o lapic.o xen.o \
|
kvm-y += x86.o emulate.o i8259.o irq.o lapic.o \
|
||||||
i8254.o ioapic.o irq_comm.o cpuid.o pmu.o mtrr.o \
|
i8254.o ioapic.o irq_comm.o cpuid.o pmu.o mtrr.o \
|
||||||
hyperv.o debugfs.o mmu/mmu.o mmu/page_track.o \
|
hyperv.o debugfs.o mmu/mmu.o mmu/page_track.o \
|
||||||
mmu/spte.o
|
mmu/spte.o
|
||||||
kvm-$(CONFIG_X86_64) += mmu/tdp_iter.o mmu/tdp_mmu.o
|
kvm-$(CONFIG_X86_64) += mmu/tdp_iter.o mmu/tdp_mmu.o
|
||||||
|
kvm-$(CONFIG_KVM_XEN) += xen.o
|
||||||
|
|
||||||
kvm-intel-y += vmx/vmx.o vmx/vmenter.o vmx/pmu_intel.o vmx/vmcs12.o \
|
kvm-intel-y += vmx/vmx.o vmx/vmenter.o vmx/pmu_intel.o vmx/vmcs12.o \
|
||||||
vmx/evmcs.o vmx/nested.o vmx/posted_intr.o
|
vmx/evmcs.o vmx/nested.o vmx/posted_intr.o
|
||||||
|
@ -3755,11 +3755,13 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
|
|||||||
case KVM_CAP_ENFORCE_PV_FEATURE_CPUID:
|
case KVM_CAP_ENFORCE_PV_FEATURE_CPUID:
|
||||||
r = 1;
|
r = 1;
|
||||||
break;
|
break;
|
||||||
|
#ifdef CONFIG_KVM_XEN
|
||||||
case KVM_CAP_XEN_HVM:
|
case KVM_CAP_XEN_HVM:
|
||||||
r = KVM_XEN_HVM_CONFIG_HYPERCALL_MSR |
|
r = KVM_XEN_HVM_CONFIG_HYPERCALL_MSR |
|
||||||
KVM_XEN_HVM_CONFIG_INTERCEPT_HCALL |
|
KVM_XEN_HVM_CONFIG_INTERCEPT_HCALL |
|
||||||
KVM_XEN_HVM_CONFIG_SHARED_INFO;
|
KVM_XEN_HVM_CONFIG_SHARED_INFO;
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
case KVM_CAP_SYNC_REGS:
|
case KVM_CAP_SYNC_REGS:
|
||||||
r = KVM_SYNC_X86_VALID_FIELDS;
|
r = KVM_SYNC_X86_VALID_FIELDS;
|
||||||
break;
|
break;
|
||||||
@ -5012,6 +5014,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
|
|||||||
case KVM_GET_SUPPORTED_HV_CPUID:
|
case KVM_GET_SUPPORTED_HV_CPUID:
|
||||||
r = kvm_ioctl_get_supported_hv_cpuid(vcpu, argp);
|
r = kvm_ioctl_get_supported_hv_cpuid(vcpu, argp);
|
||||||
break;
|
break;
|
||||||
|
#ifdef CONFIG_KVM_XEN
|
||||||
case KVM_XEN_VCPU_GET_ATTR: {
|
case KVM_XEN_VCPU_GET_ATTR: {
|
||||||
struct kvm_xen_vcpu_attr xva;
|
struct kvm_xen_vcpu_attr xva;
|
||||||
|
|
||||||
@ -5032,6 +5035,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
|
|||||||
r = kvm_xen_vcpu_set_attr(vcpu, &xva);
|
r = kvm_xen_vcpu_set_attr(vcpu, &xva);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
default:
|
default:
|
||||||
r = -EINVAL;
|
r = -EINVAL;
|
||||||
}
|
}
|
||||||
@ -5653,6 +5657,7 @@ set_pit2_out:
|
|||||||
kvm->arch.bsp_vcpu_id = arg;
|
kvm->arch.bsp_vcpu_id = arg;
|
||||||
mutex_unlock(&kvm->lock);
|
mutex_unlock(&kvm->lock);
|
||||||
break;
|
break;
|
||||||
|
#ifdef CONFIG_KVM_XEN
|
||||||
case KVM_XEN_HVM_CONFIG: {
|
case KVM_XEN_HVM_CONFIG: {
|
||||||
struct kvm_xen_hvm_config xhc;
|
struct kvm_xen_hvm_config xhc;
|
||||||
r = -EFAULT;
|
r = -EFAULT;
|
||||||
@ -5681,6 +5686,7 @@ set_pit2_out:
|
|||||||
r = kvm_xen_hvm_set_attr(kvm, &xha);
|
r = kvm_xen_hvm_set_attr(kvm, &xha);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
case KVM_SET_CLOCK: {
|
case KVM_SET_CLOCK: {
|
||||||
struct kvm_clock_data user_ns;
|
struct kvm_clock_data user_ns;
|
||||||
u64 now_ns;
|
u64 now_ns;
|
||||||
@ -8039,8 +8045,10 @@ void kvm_arch_exit(void)
|
|||||||
kvm_mmu_module_exit();
|
kvm_mmu_module_exit();
|
||||||
free_percpu(user_return_msrs);
|
free_percpu(user_return_msrs);
|
||||||
kmem_cache_destroy(x86_fpu_cache);
|
kmem_cache_destroy(x86_fpu_cache);
|
||||||
|
#ifdef CONFIG_KVM_XEN
|
||||||
static_key_deferred_flush(&kvm_xen_enabled);
|
static_key_deferred_flush(&kvm_xen_enabled);
|
||||||
WARN_ON(static_branch_unlikely(&kvm_xen_enabled.key));
|
WARN_ON(static_branch_unlikely(&kvm_xen_enabled.key));
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
static int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason)
|
static int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason)
|
||||||
|
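Review bot: In the kvm_arch_vcpu_ioctl and set_pit2_out hunks the Xen ioctl cases now fall through to the default arm when CONFIG_KVM_XEN is off, so the vcpu ioctls return -EINVAL (visible in the hunk) and the vm ioctls return whatever that switch's default is (not visible here); that is the intended outcome, since the check_extension hunk hides KVM_CAP_XEN_HVM at the same time, but nothing at the guards says so. A one-line comment at each `#ifdef CONFIG_KVM_XEN` in the two ioctl switches, e.g. `/* Rejected by the default arm when Xen is compiled out; userspace must check KVM_CAP_XEN_HVM first */`, would make that contract explicit for the next person who adds a Xen ioctl. The kvm_arch_exit hunk is consistent with the xen.h change, since both the deferred flush and the WARN_ON reference kvm_xen_enabled, which the header declares only under the same guard; the enclosing switch statements of the ioctl hunks start and end outside the hunks shown.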
@ -9,6 +9,7 @@
|
|||||||
#ifndef __ARCH_X86_KVM_XEN_H__
|
#ifndef __ARCH_X86_KVM_XEN_H__
|
||||||
#define __ARCH_X86_KVM_XEN_H__
|
#define __ARCH_X86_KVM_XEN_H__
|
||||||
|
|
||||||
|
#ifdef CONFIG_KVM_XEN
|
||||||
#include <linux/jump_label_ratelimit.h>
|
#include <linux/jump_label_ratelimit.h>
|
||||||
|
|
||||||
extern struct static_key_false_deferred kvm_xen_enabled;
|
extern struct static_key_false_deferred kvm_xen_enabled;
|
||||||
@ -18,7 +19,6 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data)
|
|||||||
int kvm_xen_vcpu_get_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data);
|
int kvm_xen_vcpu_get_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data);
|
||||||
int kvm_xen_hvm_set_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data);
|
int kvm_xen_hvm_set_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data);
|
||||||
int kvm_xen_hvm_get_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data);
|
int kvm_xen_hvm_get_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data);
|
||||||
int kvm_xen_hypercall(struct kvm_vcpu *vcpu);
|
|
||||||
int kvm_xen_write_hypercall_page(struct kvm_vcpu *vcpu, u64 data);
|
int kvm_xen_write_hypercall_page(struct kvm_vcpu *vcpu, u64 data);
|
||||||
int kvm_xen_hvm_config(struct kvm *kvm, struct kvm_xen_hvm_config *xhc);
|
int kvm_xen_hvm_config(struct kvm *kvm, struct kvm_xen_hvm_config *xhc);
|
||||||
void kvm_xen_destroy_vm(struct kvm *kvm);
|
void kvm_xen_destroy_vm(struct kvm *kvm);
|
||||||
@ -38,6 +38,28 @@ static inline int kvm_xen_has_interrupt(struct kvm_vcpu *vcpu)
|
|||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
#else
|
||||||
|
static inline int kvm_xen_write_hypercall_page(struct kvm_vcpu *vcpu, u64 data)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void kvm_xen_destroy_vm(struct kvm *kvm)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline bool kvm_xen_hypercall_enabled(struct kvm *kvm)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int kvm_xen_has_interrupt(struct kvm_vcpu *vcpu)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int kvm_xen_hypercall(struct kvm_vcpu *vcpu);
|
||||||
|
|
||||||
/* 32-bit compatibility definitions, also used natively in 32-bit build */
|
/* 32-bit compatibility definitions, also used natively in 32-bit build */
|
||||||
#include <asm/pvclock-abi.h>
|
#include <asm/pvclock-abi.h>
|
||||||
|
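Review bot: `int kvm_xen_hypercall(struct kvm_vcpu *vcpu);` is moved outside the `#ifdef CONFIG_KVM_XEN` block and gets no stub, while the Makefile hunk builds xen.o only when the option is set, so with Xen compiled out the symbol is declared but never defined. That is presumably safe only because every caller sits behind `kvm_xen_hypercall_enabled()`, whose stub returns false and lets the compiler drop the call; an unguarded caller would fail at link time rather than at compile time, which is easy to miss. A comment on the declaration, e.g. `/* No !CONFIG_KVM_XEN stub: callers must be guarded by kvm_xen_hypercall_enabled() */`, would document that requirement. The `kvm_xen_write_hypercall_page` stub returning 1 also deserves a short comment stating what a non-zero return means to the MSR-write caller, since the value is not self-explanatory here; the callers are outside this hunk.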