From b1e5a89f19d9919c3eae17ab9c6a663b0801ad9c Mon Sep 17 00:00:00 2001

From: Julien Grall <jgrall@amazon.com>

Date: Mon, 17 May 2021 17:47:13 +0100

Subject: [PATCH 1/2] xen/arm: Create dom0less domUs earlier

In a follow-up patch we will need to unallocate the boot modules

before heap_init_late() is called.

The modules will contain the domUs kernel and initramfs. Therefore Xen

will need to create extra domUs (used by dom0less) before heap_init_late().

This has two consequences on dom0less:

    1) Domains will not be unpaused as soon as they are created but

    once all have been created. However, Xen doesn't guarantee an order

    to unpause, so this is not something one could rely on.

    2) The memory allocated for a domU will not be scrubbed anymore when an

    admin select bootscrub=on. This is not something we advertised, but if

    this is a concern we can introduce either force scrub for all domUs or

    a per-domain flag in the DT. The behavior for bootscrub=off and

    bootscrub=idle (default) has not changed.

This is part of XSA-372 / CVE-2021-28693.

Signed-off-by: Julien Grall <jgrall@amazon.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

Tested-by: Stefano Stabellini <sstabellini@kernel.org>

---

 xen/arch/arm/domain_build.c |  2 --

 xen/arch/arm/setup.c        | 11 ++++++-----

 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c

index 374bf655ee34..4203ddcca0e3 100644

--- a/xen/arch/arm/domain_build.c

+++ b/xen/arch/arm/domain_build.c

@@ -2515,8 +2515,6 @@ void __init create_domUs(void)

         if ( construct_domU(d, node) != 0 )

             panic("Could not set up domain %s\n", dt_node_name(node));

-

-        domain_unpause_by_systemcontroller(d);

     }

 }

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c

index 2532ec973913..441e0e16e9f0 100644

--- a/xen/arch/arm/setup.c

+++ b/xen/arch/arm/setup.c

@@ -804,7 +804,7 @@ void __init start_xen(unsigned long boot_phys_offset,

     int cpus, i;

     const char *cmdline;

     struct bootmodule *xen_bootmodule;

-    struct domain *dom0;

+    struct domain *dom0, *d;

     struct xen_domctl_createdomain dom0_cfg = {

         .flags = XEN_DOMCTL_CDF_hvm | XEN_DOMCTL_CDF_hap,

         .max_evtchn_port = -1,

@@ -987,6 +987,9 @@ void __init start_xen(unsigned long boot_phys_offset,

     if ( construct_dom0(dom0) != 0)

         panic("Could not set up DOM0 guest OS\n");

+    if ( acpi_disabled )

+        create_domUs();

+

     heap_init_late();

     init_trace_bufs();

@@ -1000,10 +1003,8 @@ void __init start_xen(unsigned long boot_phys_offset,

     system_state = SYS_STATE_active;

-    if ( acpi_disabled )

-        create_domUs();

-

-    domain_unpause_by_systemcontroller(dom0);

+    for_each_domain( d )

+        domain_unpause_by_systemcontroller(d);

     /* Switch on to the dynamically allocated stack for the idle vcpu

      * since the static one we're running on is about to be freed. */

-- 

2.17.1