Oxidize Hafnium's initialization sequence (successor of #45)

hfo2/src/abi.rs

@@ -115,3 +115,84 @@ impl TryFrom<usize> for HfShare {
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    /// Encode a preempted response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_preempted() {
+        let res = HfVCpuRunReturn::Preempted;
+        assert_eq!(res.into_raw(), 0);
+    }
+
+    /// Encode a yield response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_yield() {
+        let res = HfVCpuRunReturn::Yield;
+        assert_eq!(res.into_raw(), 1);
+    }
+
+    /// Encode wait-for-interrupt response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_wait_for_interrupt() {
+        let res = HfVCpuRunReturn::WaitForInterrupt {
+            ns: HF_SLEEP_INDEFINITE,
+        };
+        assert_eq!(res.into_raw(), 0xffffffffffffff02);
+    }
+
+    /// Encoding wait-for-interrupt response with too large sleep duration will
+    /// drop the top octet.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_wait_for_interrupt_sleep_too_long() {
+        let res = HfVCpuRunReturn::WaitForInterrupt {
+            ns: 0xcc22888888888888,
+        };
+        assert_eq!(res.into_raw(), 0x2288888888888802);
+    }
+
+    /// Encode wait-for-message response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_wait_for_message() {
+        let res = HfVCpuRunReturn::WaitForMessage {
+            ns: HF_SLEEP_INDEFINITE,
+        };
+        assert_eq!(res.into_raw(), 0xffffffffffffff03);
+    }
+
+    /// Encoding wait-for-message response with too large sleep duration will
+    /// drop the top octet.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_wait_for_message_sleep_too_long() {
+        let res = HfVCpuRunReturn::WaitForMessage {
+            ns: 0xaa99777777777777,
+        };
+        assert_eq!(res.into_raw(), 0x9977777777777703);
+    }
+
+    /// Encode wake up response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_wake_up() {
+        let res = HfVCpuRunReturn::WakeUp {
+            vm_id: 0x1234,
+            vcpu: 0xabcd,
+        };
+        assert_eq!(res.into_raw(), 0x1234abcd0004);
+    }
+
+    /// Encode a 'notify waiters' response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_notify_waiters() {
+        let res = HfVCpuRunReturn::NotifyWaiters;
+        assert_eq!(res.into_raw(), 6);
+    }
+
+    /// Encode an aborted response without leaking.
+    #[test]
+    fn abi_hf_vcpu_run_return_encode_aborted() {
+        let res = HfVCpuRunReturn::Aborted;
+        assert_eq!(res.into_raw(), 7);
+    }
+}

hfo2/src/api.rs

@@ -24,6 +24,7 @@ use crate::abi::*;
 use crate::addr::*;
 use crate::arch::*;
 use crate::cpu::*;
+use crate::init::*;
 use crate::mm::*;
 use crate::mpool::*;
 use crate::page::*;
@@ -47,19 +48,6 @@ use crate::vm::*;
 // of a page.
 const_assert_eq!(hf_mailbox_size; HF_MAILBOX_SIZE, PAGE_SIZE);
 
-/// A global page pool for sharing memories. Its mutability is needed only for
-/// initialization.
-static mut API_PAGE_POOL: MaybeUninit<MPool> = MaybeUninit::uninit();
-
-/// Initialises the API page pool by taking ownership of the contents of the
-/// given page pool.
-/// TODO(HfO2): The ownership of `ppool` is actually moved from `one_time_init`
-/// to here. Refactor this function like `Api::new(ppool: MPool) -> Api`. (#31)
-#[no_mangle]
-pub unsafe extern "C" fn api_init(ppool: *const MPool) {
-    API_PAGE_POOL = MaybeUninit::new(MPool::new_from(&*ppool));
-}
-
 /// Switches the physical CPU back to the corresponding vcpu of the primary VM.
 ///
 /// This triggers the scheduling logic to run. Run in the context of secondary
@@ -70,11 +58,11 @@ unsafe fn switch_to_primary(
     mut primary_ret: HfVCpuRunReturn,
     secondary_state: VCpuStatus,
 ) -> *mut VCpu {
-    let primary = vm_find(HF_PRIMARY_VM_ID);
-    let next = vm_get_vcpu(
-        primary,
-        cpu_index(current.get_inner().cpu) as spci_vcpu_index_t,
-    );
+    let primary = hafnium().vm_manager.get(HF_PRIMARY_VM_ID).unwrap();
+    let next = primary
+        .vcpus
+        .get(cpu_index(&*current.get_inner().cpu))
+        .unwrap();
 
     // If the secondary is blocked but has a timer running, sleep until the
     // timer fires rather than indefinitely.
@@ -94,16 +82,15 @@ unsafe fn switch_to_primary(
     // The use of `get_mut_unchecked()` is safe because the currently running pCPU implicitly owns
     // `next`. Notice that `next` is the vCPU of the primary VM that corresponds to the currently
     // running pCPU.
-    (*next)
-        .inner
+    next.inner
         .get_mut_unchecked()
         .regs
         .set_retval(primary_ret.into_raw());
 
     // Mark the current vcpu as waiting.
     current.get_inner_mut().state = secondary_state;
 
-    next
+    next as *const _ as usize as *mut _
 }
 
 /// Returns to the primary vm and signals that the vcpu still has work to do so.
@@ -225,19 +212,14 @@ pub unsafe extern "C" fn api_vcpu_get_count(
     vm_id: spci_vm_id_t,
     current: *const VCpu,
 ) -> spci_vcpu_count_t {
-    let vm;
-
     // Only the primary VM needs to know about vcpus for scheduling.
     if (*(*current).vm).id != HF_PRIMARY_VM_ID {
         return 0;
     }
 
-    vm = vm_find(vm_id);
-    if vm.is_null() {
-        return 0;
-    }
+    let vm = some_or!(hafnium().vm_manager.get(vm_id), return 0);
 
-    (*vm).vcpu_count
+    vm.vcpus.len() as _
 }
 
 /// This function is called by the architecture-specific context switching
@@ -286,7 +268,7 @@ unsafe fn internal_interrupt_inject(
 ///    `vcpu.execution_lock` has acquired.
 unsafe fn vcpu_prepare_run(
     current: &VCpuExecutionLocked,
-    vcpu: *mut VCpu,
+    vcpu: &VCpu,
     run_ret: HfVCpuRunReturn,
 ) -> Result<VCpuExecutionLocked, HfVCpuRunReturn> {
     let mut vcpu_inner = (*vcpu).inner.try_lock().map_err(|_| {
@@ -300,13 +282,9 @@ unsafe fn vcpu_prepare_run(
         run_ret
     })?;
 
-    if (*(*vcpu).vm).aborting.load(Ordering::Relaxed) {
+    if (*vcpu.vm).aborting.load(Ordering::Relaxed) {
         if vcpu_inner.state != VCpuStatus::Aborted {
-            dlog!(
-                "Aborting VM {} vCPU {}\n",
-                (*(*vcpu).vm).id,
-                vcpu_index(vcpu)
-            );
+            dlog!("Aborting VM {} vCPU {}\n", (*vcpu.vm).id, vcpu_index(vcpu));
             vcpu_inner.state = VCpuStatus::Aborted;
         }
         return Err(run_ret);
@@ -324,13 +302,13 @@ unsafe fn vcpu_prepare_run(
         // when it is going to be needed. This ensures there are no inter-vCPU
         // dependencies in the common run case meaning the sensitive context
         // switch performance is consistent.
-        VCpuStatus::BlockedMailbox if (*(*vcpu).vm).inner.lock().try_read().is_ok() => {
+        VCpuStatus::BlockedMailbox if (*vcpu.vm).inner.lock().try_read().is_ok() => {
             vcpu_inner.regs.set_retval(SpciReturn::Success as uintreg_t);
         }
 
         // Allow virtual interrupts to be delivered.
         VCpuStatus::BlockedMailbox | VCpuStatus::BlockedInterrupt
-            if (*vcpu).interrupts.lock().is_interrupted() =>
+            if vcpu.interrupts.lock().is_interrupted() =>
         {
             // break;
         }
@@ -395,18 +373,12 @@ pub unsafe extern "C" fn api_vcpu_run(
     }
 
     // The requested VM must exist.
-    let vm = vm_find(vm_id);
-    if vm.is_null() {
-        return ret.into_raw();
-    }
+    let vm = some_or!(hafnium().vm_manager.get(vm_id), return ret.into_raw());
 
     // The requested vcpu must exist.
-    if vcpu_idx >= (*vm).vcpu_count {
-        return ret.into_raw();
-    }
+    let vcpu = some_or!(vm.vcpus.get(vcpu_idx as usize), return ret.into_raw());
 
     // Update state if allowed.
-    let vcpu = vm_get_vcpu(vm, vcpu_idx);
     let mut vcpu_locked = match vcpu_prepare_run(&current, vcpu, ret) {
         Ok(locked) => locked,
         Err(ret) => return ret.into_raw(),
@@ -493,10 +465,7 @@ pub unsafe extern "C" fn api_vm_configure(
     // TODO: the scope of the can be reduced but will require restructing
     //       to keep a single unlock point.
     let mut vm_inner = (*vm).inner.lock();
-    if vm_inner
-        .configure(send, recv, API_PAGE_POOL.get_ref())
-        .is_err()
-    {
+    if vm_inner.configure(send, recv, &hafnium().mpool).is_err() {
         return -1;
     }
 
@@ -550,10 +519,10 @@ pub unsafe extern "C" fn api_spci_msg_send(
     }
 
     // Ensure the target VM exists.
-    let to = vm_find(from_msg_replica.target_vm_id);
-    if to.is_null() {
-        return SpciReturn::InvalidParameters;
-    }
+    let to = some_or!(
+        hafnium().vm_manager.get(from_msg_replica.target_vm_id),
+        return SpciReturn::InvalidParameters
+    );
 
     // Hf needs to hold the lock on `to` before the mailbox state is checked.
     // The lock on `to` must be held until the information is copied to `to` Rx
@@ -615,8 +584,10 @@ pub unsafe extern "C" fn api_spci_msg_send(
         // at spci_msg_handle_architected_message will make several accesses to
         // fields in message_buffer. The memory area message_buffer must be
         // exclusively owned by Hf so that TOCTOU issues do not arise.
+        // TODO(HfO2): Refactor `spci_*` functions, in order to pass references
+        // to VmInner.
         let ret = spci_msg_handle_architected_message(
-            &ManuallyDrop::new(VmLocked::from_raw(to)),
+            &ManuallyDrop::new(VmLocked::from_raw(to as *const _ as usize as *mut _)),
             &ManuallyDrop::new(VmLocked::from_raw(from)),
             architected_message_replica,
             &from_msg_replica,
@@ -730,10 +701,7 @@ pub unsafe extern "C" fn api_mailbox_waiter_get(vm_id: spci_vm_id_t, current: *c
         return -1;
     }
 
-    let vm = vm_find(vm_id);
-    if vm.is_null() {
-        return -1;
-    }
+    let vm = some_or!(hafnium().vm_manager.get(vm_id), return -1);
 
     // Check if there are outstanding notifications from given vm.
     let entry = (*vm).inner.lock().fetch_waiter();
@@ -833,26 +801,17 @@ pub unsafe extern "C" fn api_interrupt_inject(
     next: *mut *mut VCpu,
 ) -> i64 {
     let mut current = ManuallyDrop::new(VCpuExecutionLocked::from_raw(current));
-    let target_vm = vm_find(target_vm_id);
+    let target_vm = some_or!(hafnium().vm_manager.get(target_vm_id), return -1);
 
     if intid >= HF_NUM_INTIDS {
         return -1;
     }
 
-    if target_vm.is_null() {
-        return -1;
-    }
-
-    if target_vcpu_idx >= (*target_vm).vcpu_count {
-        // The requested vcpu must exist.
-        return -1;
-    }
-
     if !is_injection_allowed(target_vm_id, current.deref()) {
         return -1;
     }
 
-    let target_vcpu = vm_get_vcpu(target_vm, target_vcpu_idx);
+    let target_vcpu = some_or!(target_vm.vcpus.get(target_vcpu_idx as usize), return -1);
 
     dlog!(
         "Injecting IRQ {} for VM {} VCPU {} from VM {} VCPU {}\n",
@@ -868,7 +827,7 @@ pub unsafe extern "C" fn api_interrupt_inject(
 /// Clears a region of physical memory by overwriting it with zeros. The data is
 /// flushed from the cache so the memory has been cleared across the system.
 fn clear_memory(begin: paddr_t, end: paddr_t, ppool: &MPool) -> Result<(), ()> {
-    let mut hypervisor_ptable = HYPERVISOR_PAGE_TABLE.lock();
+    let mut hypervisor_ptable = hafnium().memory_manager.hypervisor_ptable.lock();
     let size = pa_difference(begin, end);
     let region = pa_addr(begin);
 
@@ -925,7 +884,7 @@ pub fn spci_share_memory(
     // Create a local pool so any freed memory can't be used by another thread.
     // This is to ensure the original mapping can be restored if any stage of
     // the process fails.
-    let local_page_pool: MPool = MPool::new_with_fallback(unsafe { API_PAGE_POOL.get_ref() });
+    let local_page_pool: MPool = MPool::new_with_fallback(&hafnium().mpool);
 
     // Obtain the single contiguous set of pages from the memory_region.
     // TODO: Add support for multiple constituent regions.
@@ -937,7 +896,7 @@ pub fn spci_share_memory(
     // Check if the state transition is lawful for both VMs involved in the
     // memory exchange, ensure that all constituents of a memory region being
     // shared are at the same state.
-    let (orig_from_mode, from_mode, to_mode) = ok_or_return!(
+    let (orig_from_mode, from_mode, to_mode) = ok_or!(
         spci_msg_check_transition(
             &to_locked,
             &from_locked,
@@ -946,7 +905,7 @@ pub fn spci_share_memory(
             end,
             memory_to_attributes,
         ),
-        SpciReturn::InvalidParameters
+        return SpciReturn::InvalidParameters
     );
 
     let pa_begin = pa_from_ipa(begin);
@@ -1006,12 +965,7 @@ fn share_memory(
     }
 
     // Ensure the target VM exists.
-    let to = unsafe { vm_find(vm_id) };
-    if to.is_null() {
-        return Err(());
-    }
-
-    let to = unsafe { &*to };
+    let to = hafnium().vm_manager.get(vm_id).ok_or(())?;
 
     let begin = addr;
     let end = ipa_add(addr, size);
@@ -1036,7 +990,7 @@ fn share_memory(
     // Create a local pool so any freed memory can't be used by another thread.
     // This is to ensure the original mapping can be restored if any stage of
     // the process fails.
-    let local_page_pool = MPool::new_with_fallback(unsafe { API_PAGE_POOL.get_ref() });
+    let local_page_pool = MPool::new_with_fallback(&hafnium().mpool);
 
     let (mut from_inner, mut to_inner) = SpinLock::lock_both(&(*from).inner, &(*to).inner);
 
@@ -1115,7 +1069,7 @@ pub unsafe extern "C" fn api_share_memory(
 ) -> i64 {
     // Convert the sharing request to memory management modes.
     // The input is untrusted so might not be a valid value.
-    let share = ok_or_return!(HfShare::try_from(share), -1);
+    let share = ok_or!(HfShare::try_from(share), return -1);
 
     match share_memory(vm_id, addr, size, share, &*current) {
         Ok(_) => 0,