1 /****************************************************************************** 2 * grant_table.h 3 * 4 * Interface for granting foreign access to page frames, and receiving 5 * page-ownership transfers. 6 * 7 * Permission is hereby granted, free of charge, to any person obtaining a copy 8 * of this software and associated documentation files (the "Software"), to 9 * deal in the Software without restriction, including without limitation the 10 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 11 * sell copies of the Software, and to permit persons to whom the Software is 12 * furnished to do so, subject to the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be included in 15 * all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 22 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 23 * DEALINGS IN THE SOFTWARE. 24 * 25 * Copyright (c) 2004, K A Fraser 26 */ 27 28 #ifndef __XEN_PUBLIC_GRANT_TABLE_H__ 29 #define __XEN_PUBLIC_GRANT_TABLE_H__ 30 31 #include "xen.h" 32 33 /* 34 * `incontents 150 gnttab Grant Tables 35 * 36 * Xen's grant tables provide a generic mechanism to memory sharing 37 * between domains. This shared memory interface underpins the split 38 * device drivers for block and network IO. 39 * 40 * Each domain has its own grant table. This is a data structure that 41 * is shared with Xen; it allows the domain to tell Xen what kind of 42 * permissions other domains have on its pages. Entries in the grant 43 * table are identified by grant references. A grant reference is an 44 * integer, which indexes into the grant table. It acts as a 45 * capability which the grantee can use to perform operations on the 46 * granter’s memory. 47 * 48 * This capability-based system allows shared-memory communications 49 * between unprivileged domains. A grant reference also encapsulates 50 * the details of a shared page, removing the need for a domain to 51 * know the real machine address of a page it is sharing. This makes 52 * it possible to share memory correctly with domains running in 53 * fully virtualised memory. 54 */ 55 56 /*********************************** 57 * GRANT TABLE REPRESENTATION 58 */ 59 60 /* Some rough guidelines on accessing and updating grant-table entries 61 * in a concurrency-safe manner. For more information, Linux contains a 62 * reference implementation for guest OSes (drivers/xen/grant_table.c, see 63 * http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=drivers/xen/grant-table.c;hb=HEAD 64 * 65 * NB. WMB is a no-op on current-generation x86 processors. However, a 66 * compiler barrier will still be required. 67 * 68 * Introducing a valid entry into the grant table: 69 * 1. Write ent->domid. 70 * 2. Write ent->frame: 71 * GTF_permit_access: Frame to which access is permitted. 72 * GTF_accept_transfer: Pseudo-phys frame slot being filled by new 73 * frame, or zero if none. 74 * 3. Write memory barrier (WMB). 75 * 4. Write ent->flags, inc. valid type. 76 * 77 * Invalidating an unused GTF_permit_access entry: 78 * 1. flags = ent->flags. 79 * 2. Observe that !(flags & (GTF_reading|GTF_writing)). 80 * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 81 * NB. No need for WMB as reuse of entry is control-dependent on success of 82 * step 3, and all architectures guarantee ordering of ctrl-dep writes. 83 * 84 * Invalidating an in-use GTF_permit_access entry: 85 * This cannot be done directly. Request assistance from the domain controller 86 * which can set a timeout on the use of a grant entry and take necessary 87 * action. (NB. This is not yet implemented!). 88 * 89 * Invalidating an unused GTF_accept_transfer entry: 90 * 1. flags = ent->flags. 91 * 2. Observe that !(flags & GTF_transfer_committed). [*] 92 * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 93 * NB. No need for WMB as reuse of entry is control-dependent on success of 94 * step 3, and all architectures guarantee ordering of ctrl-dep writes. 95 * [*] If GTF_transfer_committed is set then the grant entry is 'committed'. 96 * The guest must /not/ modify the grant entry until the address of the 97 * transferred frame is written. It is safe for the guest to spin waiting 98 * for this to occur (detect by observing GTF_transfer_completed in 99 * ent->flags). 100 * 101 * Invalidating a committed GTF_accept_transfer entry: 102 * 1. Wait for (ent->flags & GTF_transfer_completed). 103 * 104 * Changing a GTF_permit_access from writable to read-only: 105 * Use SMP-safe CMPXCHG to set GTF_readonly, while checking !GTF_writing. 106 * 107 * Changing a GTF_permit_access from read-only to writable: 108 * Use SMP-safe bit-setting instruction. 109 */ 110 111 /* 112 * Reference to a grant entry in a specified domain's grant table. 113 */ 114 typedef UINT32 grant_ref_t; 115 116 /* 117 * A grant table comprises a packed array of grant entries in one or more 118 * page frames shared between Xen and a guest. 119 * [XEN]: This field is written by Xen and read by the sharing guest. 120 * [GST]: This field is written by the guest and read by Xen. 121 */ 122 123 /* 124 * Version 1 of the grant table entry structure is maintained purely 125 * for backwards compatibility. New guests should use version 2. 126 */ 127 #if __XEN_INTERFACE_VERSION__ < 0x0003020a 128 #define grant_entry_v1 grant_entry 129 #define grant_entry_v1_t grant_entry_t 130 #endif 131 struct grant_entry_v1 { 132 /* GTF_xxx: various type and flag information. [XEN,GST] */ 133 UINT16 flags; 134 /* The domain being granted foreign privileges. [GST] */ 135 domid_t domid; 136 /* 137 * GTF_permit_access: Frame that @domid is allowed to map and access. [GST] 138 * GTF_accept_transfer: Frame whose ownership transferred by @domid. [XEN] 139 */ 140 UINT32 frame; 141 }; 142 typedef struct grant_entry_v1 grant_entry_v1_t; 143 144 /* The first few grant table entries will be preserved across grant table 145 * version changes and may be pre-populated at domain creation by tools. 146 */ 147 #define GNTTAB_NR_RESERVED_ENTRIES 8 148 #define GNTTAB_RESERVED_CONSOLE 0 149 #define GNTTAB_RESERVED_XENSTORE 1 150 151 /* 152 * Type of grant entry. 153 * GTF_invalid: This grant entry grants no privileges. 154 * GTF_permit_access: Allow @domid to map/access @frame. 155 * GTF_accept_transfer: Allow @domid to transfer ownership of one page frame 156 * to this guest. Xen writes the page number to @frame. 157 * GTF_transitive: Allow @domid to transitively access a subrange of 158 * @trans_grant in @trans_domid. No mappings are allowed. 159 */ 160 #define GTF_invalid (0U<<0) 161 #define GTF_permit_access (1U<<0) 162 #define GTF_accept_transfer (2U<<0) 163 #define GTF_transitive (3U<<0) 164 #define GTF_type_mask (3U<<0) 165 166 /* 167 * Subflags for GTF_permit_access. 168 * GTF_readonly: Restrict @domid to read-only mappings and accesses. [GST] 169 * GTF_reading: Grant entry is currently mapped for reading by @domid. [XEN] 170 * GTF_writing: Grant entry is currently mapped for writing by @domid. [XEN] 171 * GTF_PAT, GTF_PWT, GTF_PCD: (x86) cache attribute flags for the grant [GST] 172 * GTF_sub_page: Grant access to only a subrange of the page. @domid 173 * will only be allowed to copy from the grant, and not 174 * map it. [GST] 175 */ 176 #define _GTF_readonly (2) 177 #define GTF_readonly (1U<<_GTF_readonly) 178 #define _GTF_reading (3) 179 #define GTF_reading (1U<<_GTF_reading) 180 #define _GTF_writing (4) 181 #define GTF_writing (1U<<_GTF_writing) 182 #define _GTF_PWT (5) 183 #define GTF_PWT (1U<<_GTF_PWT) 184 #define _GTF_PCD (6) 185 #define GTF_PCD (1U<<_GTF_PCD) 186 #define _GTF_PAT (7) 187 #define GTF_PAT (1U<<_GTF_PAT) 188 #define _GTF_sub_page (8) 189 #define GTF_sub_page (1U<<_GTF_sub_page) 190 191 /* 192 * Subflags for GTF_accept_transfer: 193 * GTF_transfer_committed: Xen sets this flag to indicate that it is committed 194 * to transferring ownership of a page frame. When a guest sees this flag 195 * it must /not/ modify the grant entry until GTF_transfer_completed is 196 * set by Xen. 197 * GTF_transfer_completed: It is safe for the guest to spin-wait on this flag 198 * after reading GTF_transfer_committed. Xen will always write the frame 199 * address, followed by ORing this flag, in a timely manner. 200 */ 201 #define _GTF_transfer_committed (2) 202 #define GTF_transfer_committed (1U<<_GTF_transfer_committed) 203 #define _GTF_transfer_completed (3) 204 #define GTF_transfer_completed (1U<<_GTF_transfer_completed) 205 206 /* 207 * Version 2 grant table entries. These fulfil the same role as 208 * version 1 entries, but can represent more complicated operations. 209 * Any given domain will have either a version 1 or a version 2 table, 210 * and every entry in the table will be the same version. 211 * 212 * The interface by which domains use grant references does not depend 213 * on the grant table version in use by the other domain. 214 */ 215 #if __XEN_INTERFACE_VERSION__ >= 0x0003020a 216 /* 217 * Version 1 and version 2 grant entries share a common prefix. The 218 * fields of the prefix are documented as part of struct 219 * grant_entry_v1. 220 */ 221 struct grant_entry_header { 222 UINT16 flags; 223 domid_t domid; 224 }; 225 typedef struct grant_entry_header grant_entry_header_t; 226 227 /* 228 * Version 2 of the grant entry structure. 229 */ 230 union grant_entry_v2 { 231 grant_entry_header_t hdr; 232 233 /* 234 * This member is used for V1-style full page grants, where either: 235 * 236 * -- hdr.type is GTF_accept_transfer, or 237 * -- hdr.type is GTF_permit_access and GTF_sub_page is not set. 238 * 239 * In that case, the frame field has the same semantics as the 240 * field of the same name in the V1 entry structure. 241 */ 242 struct { 243 grant_entry_header_t hdr; 244 UINT32 pad0; 245 UINT64 frame; 246 } full_page; 247 248 /* 249 * If the grant type is GTF_grant_access and GTF_sub_page is set, 250 * @domid is allowed to access bytes [@page_off,@page_off+@length) 251 * in frame @frame. 252 */ 253 struct { 254 grant_entry_header_t hdr; 255 UINT16 page_off; 256 UINT16 length; 257 UINT64 frame; 258 } sub_page; 259 260 /* 261 * If the grant is GTF_transitive, @domid is allowed to use the 262 * grant @gref in domain @trans_domid, as if it was the local 263 * domain. Obviously, the transitive access must be compatible 264 * with the original grant. 265 * 266 * The current version of Xen does not allow transitive grants 267 * to be mapped. 268 */ 269 struct { 270 grant_entry_header_t hdr; 271 domid_t trans_domid; 272 UINT16 pad0; 273 grant_ref_t gref; 274 } transitive; 275 276 UINT32 __spacer[4]; /* Pad to a power of two */ 277 }; 278 typedef union grant_entry_v2 grant_entry_v2_t; 279 280 typedef UINT16 grant_status_t; 281 282 #endif /* __XEN_INTERFACE_VERSION__ */ 283 284 /*********************************** 285 * GRANT TABLE QUERIES AND USES 286 */ 287 288 /* ` enum neg_errnoval 289 * ` HYPERVISOR_grant_table_op(enum grant_table_op cmd, 290 * ` VOID *args, 291 * ` UINT32 count) 292 * ` 293 * 294 * @args points to an array of a per-command data structure. The array 295 * has @count members 296 */ 297 298 /* ` enum grant_table_op { // GNTTABOP_* => struct gnttab_* */ 299 #define GNTTABOP_map_grant_ref 0 300 #define GNTTABOP_unmap_grant_ref 1 301 /* ` } */ 302 303 /* 304 * Handle to track a mapping created via a grant reference. 305 */ 306 typedef UINT32 grant_handle_t; 307 308 /* 309 * GNTTABOP_map_grant_ref: Map the grant entry (<dom>,<ref>) for access 310 * by devices and/or host CPUs. If successful, <handle> is a tracking number 311 * that must be presented later to destroy the mapping(s). On error, <handle> 312 * is a negative status code. 313 * NOTES: 314 * 1. If GNTMAP_device_map is specified then <dev_bus_addr> is the address 315 * via which I/O devices may access the granted frame. 316 * 2. If GNTMAP_host_map is specified then a mapping will be added at 317 * either a host virtual address in the current address space, or at 318 * a PTE at the specified machine address. The type of mapping to 319 * perform is selected through the GNTMAP_contains_pte flag, and the 320 * address is specified in <host_addr>. 321 * 3. Mappings should only be destroyed via GNTTABOP_unmap_grant_ref. If a 322 * host mapping is destroyed by other means then it is *NOT* guaranteed 323 * to be accounted to the correct grant reference! 324 */ 325 struct gnttab_map_grant_ref { 326 /* IN parameters. */ 327 UINT64 host_addr; 328 UINT32 flags; /* GNTMAP_* */ 329 grant_ref_t ref; 330 domid_t dom; 331 /* OUT parameters. */ 332 INT16 status; /* => enum grant_status */ 333 grant_handle_t handle; 334 UINT64 dev_bus_addr; 335 }; 336 typedef struct gnttab_map_grant_ref gnttab_map_grant_ref_t; 337 DEFINE_XEN_GUEST_HANDLE(gnttab_map_grant_ref_t); 338 339 /* 340 * GNTTABOP_unmap_grant_ref: Destroy one or more grant-reference mappings 341 * tracked by <handle>. If <host_addr> or <dev_bus_addr> is zero, that 342 * field is ignored. If non-zero, they must refer to a device/host mapping 343 * that is tracked by <handle> 344 * NOTES: 345 * 1. The call may fail in an undefined manner if either mapping is not 346 * tracked by <handle>. 347 * 3. After executing a batch of unmaps, it is guaranteed that no stale 348 * mappings will remain in the device or host TLBs. 349 */ 350 struct gnttab_unmap_grant_ref { 351 /* IN parameters. */ 352 UINT64 host_addr; 353 UINT64 dev_bus_addr; 354 grant_handle_t handle; 355 /* OUT parameters. */ 356 INT16 status; /* => enum grant_status */ 357 }; 358 typedef struct gnttab_unmap_grant_ref gnttab_unmap_grant_ref_t; 359 DEFINE_XEN_GUEST_HANDLE(gnttab_unmap_grant_ref_t); 360 361 /* 362 * Bitfield values for gnttab_map_grant_ref.flags. 363 */ 364 /* Map the grant entry for access by I/O devices. */ 365 #define _GNTMAP_device_map (0) 366 #define GNTMAP_device_map (1<<_GNTMAP_device_map) 367 /* Map the grant entry for access by host CPUs. */ 368 #define _GNTMAP_host_map (1) 369 #define GNTMAP_host_map (1<<_GNTMAP_host_map) 370 /* Accesses to the granted frame will be restricted to read-only access. */ 371 #define _GNTMAP_readonly (2) 372 #define GNTMAP_readonly (1<<_GNTMAP_readonly) 373 /* 374 * GNTMAP_host_map subflag: 375 * 0 => The host mapping is usable only by the guest OS. 376 * 1 => The host mapping is usable by guest OS + current application. 377 */ 378 #define _GNTMAP_application_map (3) 379 #define GNTMAP_application_map (1<<_GNTMAP_application_map) 380 381 /* 382 * GNTMAP_contains_pte subflag: 383 * 0 => This map request contains a host virtual address. 384 * 1 => This map request contains the machine addess of the PTE to update. 385 */ 386 #define _GNTMAP_contains_pte (4) 387 #define GNTMAP_contains_pte (1<<_GNTMAP_contains_pte) 388 389 #define _GNTMAP_can_fail (5) 390 #define GNTMAP_can_fail (1<<_GNTMAP_can_fail) 391 392 /* 393 * Bits to be placed in guest kernel available PTE bits (architecture 394 * dependent; only supported when XENFEAT_gnttab_map_avail_bits is set). 395 */ 396 #define _GNTMAP_guest_avail0 (16) 397 #define GNTMAP_guest_avail_mask ((UINT32)~0 << _GNTMAP_guest_avail0) 398 399 /* 400 * Values for error status returns. All errors are -ve. 401 */ 402 /* ` enum grant_status { */ 403 #define GNTST_okay (0) /* Normal return. */ 404 #define GNTST_general_error (-1) /* General undefined error. */ 405 #define GNTST_bad_domain (-2) /* Unrecognsed domain id. */ 406 #define GNTST_bad_gntref (-3) /* Unrecognised or inappropriate gntref. */ 407 #define GNTST_bad_handle (-4) /* Unrecognised or inappropriate handle. */ 408 #define GNTST_bad_virt_addr (-5) /* Inappropriate virtual address to map. */ 409 #define GNTST_bad_dev_addr (-6) /* Inappropriate device address to unmap.*/ 410 #define GNTST_no_device_space (-7) /* Out of space in I/O MMU. */ 411 #define GNTST_permission_denied (-8) /* Not enough privilege for operation. */ 412 #define GNTST_bad_page (-9) /* Specified page was invalid for op. */ 413 #define GNTST_bad_copy_arg (-10) /* copy arguments cross page boundary. */ 414 #define GNTST_address_too_big (-11) /* transfer page address too large. */ 415 #define GNTST_eagain (-12) /* Operation not done; try again. */ 416 /* ` } */ 417 418 #define GNTTABOP_error_msgs { \ 419 "okay", \ 420 "undefined error", \ 421 "unrecognised domain id", \ 422 "invalid grant reference", \ 423 "invalid mapping handle", \ 424 "invalid virtual address", \ 425 "invalid device address", \ 426 "no spare translation slot in the I/O MMU", \ 427 "permission denied", \ 428 "bad page", \ 429 "copy arguments cross page boundary", \ 430 "page address size too large", \ 431 "operation not done; try again" \ 432 } 433 434 #endif /* __XEN_PUBLIC_GRANT_TABLE_H__ */ 435 436 /* 437 * Local variables: 438 * mode: C 439 * c-file-style: "BSD" 440 * c-basic-offset: 4 441 * tab-width: 4 442 * indent-tabs-mode: nil 443 * End: 444 */ 445