1 /* SPDX-License-Identifier: MIT */
2 
3 /******************************************************************************
4  * xen.h
5  *
6  * Guest OS interface to Xen.
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to
10  * deal in the Software without restriction, including without limitation the
11  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
12  * sell copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
23  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
24  * DEALINGS IN THE SOFTWARE.
25  *
26  * Copyright (c) 2004, K A Fraser
27  */
28 
29 #ifndef __XEN_PUBLIC_XEN_H__
30 #define __XEN_PUBLIC_XEN_H__
31 
32 #if defined(CONFIG_ARM64)
33 #include "arch-arm.h"
34 #else
35 #error "Unsupported architecture"
36 #endif
37 
38 #ifndef __ASSEMBLY__
39 /* Guest handles for primitive C types. */
40 DEFINE_XEN_GUEST_HANDLE(char);
41 __DEFINE_XEN_GUEST_HANDLE(uchar, unsigned char);
42 DEFINE_XEN_GUEST_HANDLE(int);
43 __DEFINE_XEN_GUEST_HANDLE(uint,  unsigned int);
44 #if __XEN_INTERFACE_VERSION__ < 0x00040300
45 DEFINE_XEN_GUEST_HANDLE(long);
46 __DEFINE_XEN_GUEST_HANDLE(ulong, unsigned long);
47 #endif
48 DEFINE_XEN_GUEST_HANDLE(void);
49 
50 DEFINE_XEN_GUEST_HANDLE(uint8_t);
51 DEFINE_XEN_GUEST_HANDLE(uint64_t);
52 DEFINE_XEN_GUEST_HANDLE(xen_pfn_t);
53 DEFINE_XEN_GUEST_HANDLE(xen_ulong_t);
54 
55 /* Define a variable length array (depends on compiler). */
56 #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
57 #define XEN_FLEX_ARRAY_DIM
58 #elif defined(__GNUC__)
59 #define XEN_FLEX_ARRAY_DIM 0
60 #else
61 #define XEN_FLEX_ARRAY_DIM 1 /* variable size */
62 #endif
63 
64 /* Turn a plain number into a C unsigned (long (long)) constant. */
65 #define __xen_mk_uint(x)	x ## U
66 #define __xen_mk_ulong(x)	x ## UL
67 #ifndef __xen_mk_ullong
68 #define __xen_mk_ullong(x)	x ## ULL
69 #endif
70 #define xen_mk_uint(x)		__xen_mk_uint(x)
71 #define xen_mk_ulong(x)		__xen_mk_ulong(x)
72 #define xen_mk_ullong(x)	__xen_mk_ullong(x)
73 
74 #else
75 
76 /* In assembly code we cannot use C numeric constant suffixes. */
77 #define xen_mk_uint(x)		x
78 #define xen_mk_ulong(x)		x
79 #define xen_mk_ullong(x)	x
80 
81 #endif
82 
83 /*
84  * HYPERCALLS
85  */
86 
87 /* `incontents 100 hcalls List of hypercalls
88  * ` enum hypercall_num { // __HYPERVISOR_* => HYPERVISOR_*()
89  */
90 
91 #define __HYPERVISOR_set_trap_table			0
92 #define __HYPERVISOR_mmu_update				1
93 #define __HYPERVISOR_set_gdt				2
94 #define __HYPERVISOR_stack_switch			3
95 #define __HYPERVISOR_set_callbacks			4
96 #define __HYPERVISOR_fpu_taskswitch			5
97 
98 /* compat since 0x00030101 */
99 #define __HYPERVISOR_sched_op_compat			6
100 #define __HYPERVISOR_platform_op			7
101 #define __HYPERVISOR_set_debugreg			8
102 #define __HYPERVISOR_get_debugreg			9
103 #define __HYPERVISOR_update_descriptor			10
104 #define __HYPERVISOR_memory_op				12
105 #define __HYPERVISOR_multicall				13
106 #define __HYPERVISOR_update_va_mapping			14
107 #define __HYPERVISOR_set_timer_op			15
108 
109 /* compat since 0x00030202 */
110 #define __HYPERVISOR_event_channel_op_compat		16
111 #define __HYPERVISOR_xen_version			17
112 #define __HYPERVISOR_console_io				18
113 
114 /* compat since 0x00030202 */
115 #define __HYPERVISOR_physdev_op_compat			19
116 #define __HYPERVISOR_grant_table_op			20
117 #define __HYPERVISOR_vm_assist				21
118 #define __HYPERVISOR_update_va_mapping_otherdomain	22
119 
120 /* x86 only */
121 #define __HYPERVISOR_iret				23
122 #define __HYPERVISOR_vcpu_op				24
123 
124 /* x86/64 only */
125 #define __HYPERVISOR_set_segment_base			25
126 #define __HYPERVISOR_mmuext_op				26
127 #define __HYPERVISOR_xsm_op				27
128 #define __HYPERVISOR_nmi_op				28
129 #define __HYPERVISOR_sched_op				29
130 #define __HYPERVISOR_callback_op			30
131 #define __HYPERVISOR_xenoprof_op			31
132 #define __HYPERVISOR_event_channel_op			32
133 #define __HYPERVISOR_physdev_op				33
134 #define __HYPERVISOR_hvm_op				34
135 #define __HYPERVISOR_sysctl				35
136 #define __HYPERVISOR_domctl				36
137 #define __HYPERVISOR_kexec_op				37
138 #define __HYPERVISOR_tmem_op				38
139 #define __HYPERVISOR_argo_op				39
140 #define __HYPERVISOR_xenpmu_op				40
141 #define __HYPERVISOR_dm_op				41
142 #define __HYPERVISOR_hypfs_op				42
143 
144 /*
145  * ` int
146  * ` HYPERVISOR_console_io(unsigned int cmd,
147  * `					   unsigned int count,
148  * `					   char buffer[]);
149  *
150  * @cmd: Command (see below)
151  * @count: Size of the buffer to read/write
152  * @buffer: Pointer in the guest memory
153  *
154  * List of commands:
155  *
156  *  * CONSOLEIO_write: Write the buffer to Xen console.
157  *      For the hardware domain, all the characters in the buffer will
158  *      be written. Characters will be printed directly to the console.
159  *      For all the other domains, only the printable characters will be
160  *      written. Characters may be buffered until a newline (i.e '\n') is
161  *      found.
162  *      @return 0 on success, otherwise return an error code.
163  *  * CONSOLEIO_read: Attempts to read up to @count characters from Xen
164  *      console. The maximum buffer size (i.e. @count) supported is 2GB.
165  *      @return the number of characters read on success, otherwise return
166  *      an error code.
167  */
168 #define CONSOLEIO_write		0
169 #define CONSOLEIO_read		1
170 
171 /* Domain ids >= DOMID_FIRST_RESERVED cannot be used for ordinary domains. */
172 #define DOMID_FIRST_RESERVED	xen_mk_uint(0x7FF0)
173 
174 /* DOMID_SELF is used in certain contexts to refer to oneself. */
175 #define DOMID_SELF		xen_mk_uint(0x7FF0)
176 
177 /*
178  * DOMID_IO is used to restrict page-table updates to mapping I/O memory.
179  * Although no Foreign Domain need be specified to map I/O pages, DOMID_IO
180  * is useful to ensure that no mappings to the OS's own heap are accidentally
181  * installed. (e.g., in Linux this could cause havoc as reference counts
182  * aren't adjusted on the I/O-mapping code path).
183  * This only makes sense as HYPERVISOR_mmu_update()'s and
184  * HYPERVISOR_update_va_mapping_otherdomain()'s "foreigndom" argument. For
185  * HYPERVISOR_mmu_update() context it can be specified by any calling domain,
186  * otherwise it's only permitted if the caller is privileged.
187  */
188 #define DOMID_IO		xen_mk_uint(0x7FF1)
189 
190 /*
191  * DOMID_XEN is used to allow privileged domains to map restricted parts of
192  * Xen's heap space (e.g., the machine_to_phys table).
193  * This only makes sense as
194  * - HYPERVISOR_mmu_update()'s, HYPERVISOR_mmuext_op()'s, or
195  *   HYPERVISOR_update_va_mapping_otherdomain()'s "foreigndom" argument,
196  * - with XENMAPSPACE_gmfn_foreign,
197  * and is only permitted if the caller is privileged.
198  */
199 #define DOMID_XEN		xen_mk_uint(0x7FF2)
200 
201 /*
202  * DOMID_COW is used as the owner of sharable pages.
203  */
204 #define DOMID_COW		xen_mk_uint(0x7FF3)
205 
206 /* DOMID_INVALID is used to identify pages with unknown owner. */
207 #define DOMID_INVALID		xen_mk_uint(0x7FF4)
208 
209 /* Idle domain. */
210 #define DOMID_IDLE		xen_mk_uint(0x7FFF)
211 
212 /* Mask for valid domain id values */
213 #define DOMID_MASK		xen_mk_uint(0x7FFF)
214 
215 #ifndef __ASSEMBLY__
216 
217 typedef uint16_t domid_t;
218 
219 #if __XEN_INTERFACE_VERSION__ < 0x00040400
220 /*
221  * Event channel endpoints per domain (when using the 2-level ABI):
222  *  1024 if a long is 32 bits; 4096 if a long is 64 bits.
223  */
224 #define NR_EVENT_CHANNELS EVTCHN_2L_NR_CHANNELS
225 #endif
226 
227 struct vcpu_time_info {
228 	/*
229 	 * Updates to the following values are preceded and followed by an
230 	 * increment of 'version'. The guest can therefore detect updates by
231 	 * looking for changes to 'version'. If the least-significant bit of
232 	 * the version number is set then an update is in progress and the
233 	 * guest must wait to read a consistent set of values.
234 	 * The correct way to interact with the version number is similar to
235 	 * Linux's seqlock: see the implementations of
236 	 * read_seqbegin/read_seqretry.
237 	 */
238 	uint32_t	version;
239 	uint32_t	pad0;
240 	uint64_t	tsc_timestamp;	/* TSC at last update of time vals. */
241 	uint64_t	system_time;	/* Time, in nanosecs, since boot.*/
242 	/*
243 	 * Current system time:
244 	 *   system_time +
245 	 *   ((((tsc - tsc_timestamp) << tsc_shift) * tsc_to_system_mul) >> 32)
246 	 * CPU frequency (Hz):
247 	 *   ((10^9 << 32) / tsc_to_system_mul) >> tsc_shift
248 	 */
249 	uint32_t	tsc_to_system_mul;
250 	int8_t		tsc_shift;
251 #if __XEN_INTERFACE_VERSION__ > 0x040600
252 	uint8_t		flags;
253 	uint8_t		pad1[2];
254 #else
255 	int8_t		pad1[3];
256 #endif
257 }; /* 32 bytes */
258 typedef struct vcpu_time_info vcpu_time_info_t;
259 
260 #define XEN_PVCLOCK_TSC_STABLE_BIT	(1 << 0)
261 #define XEN_PVCLOCK_GUEST_STOPPED	(1 << 1)
262 
263 struct vcpu_info {
264 	/*
265 	 * 'evtchn_upcall_pending' is written non-zero by Xen to indicate
266 	 * a pending notification for a particular VCPU. It is then cleared
267 	 * by the guest OS /before/ checking for pending work, thus avoiding
268 	 * a set-and-check race. Note that the mask is only accessed by Xen
269 	 * on the CPU that is currently hosting the VCPU. This means that the
270 	 * pending and mask flags can be updated by the guest without special
271 	 * synchronisation (i.e., no need for the x86 LOCK prefix).
272 	 * This may seem suboptimal because if the pending flag is set by
273 	 * a different CPU then an IPI may be scheduled even when the mask
274 	 * is set. However, note:
275 	 *  1. The task of 'interrupt holdoff' is covered by the per-event-
276 	 *     channel mask bits. A 'noisy' event that is continually being
277 	 *     triggered can be masked at source at this very precise
278 	 *	 granularity.
279 	 *  2. The main purpose of the per-VCPU mask is therefore to restrict
280 	 *     reentrant execution: whether for concurrency control, or to
281 	 *     prevent unbounded stack usage. Whatever the purpose, we expect
282 	 *     that the mask will be asserted only for short periods at a time,
283 	 *	 and so the likelihood of a 'spurious' IPI is suitably small.
284 	 * The mask is read before making an event upcall to the guest: a
285 	 * non-zero mask therefore guarantees that the VCPU will not receive
286 	 * an upcall activation. The mask is cleared when the VCPU requests
287 	 * to block: this avoids wakeup-waiting races.
288 	 */
289 	uint8_t evtchn_upcall_pending;
290 #ifdef XEN_HAVE_PV_UPCALL_MASK
291 	uint8_t evtchn_upcall_mask;
292 #else /* XEN_HAVE_PV_UPCALL_MASK */
293 	uint8_t pad0;
294 #endif /* XEN_HAVE_PV_UPCALL_MASK */
295 	xen_ulong_t evtchn_pending_sel;
296 	struct arch_vcpu_info arch;
297 	vcpu_time_info_t time;
298 }; /* 64 bytes (x86) */
299 #ifndef __XEN__
300 typedef struct vcpu_info vcpu_info_t;
301 #endif
302 
303 /*
304  * `incontents 200 startofday_shared Start-of-day shared data structure
305  * Xen/kernel shared data -- pointer provided in start_info.
306  *
307  * This structure is defined to be both smaller than a page, and the
308  * only data on the shared page, but may vary in actual size even within
309  * compatible Xen versions; guests should not rely on the size
310  * of this structure remaining constant.
311  */
312 struct shared_info {
313 	struct vcpu_info vcpu_info[XEN_LEGACY_MAX_VCPUS];
314 
315 	/*
316 	 * A domain can create "event channels" on which it can send and receive
317 	 * asynchronous event notifications. There are three classes of event that
318 	 * are delivered by this mechanism:
319 	 *  1. Bi-directional inter- and intra-domain connections. Domains must
320 	 *     arrange out-of-band to set up a connection (usually by allocating
321 	 *     an unbound 'listener' port and advertising that via a storage service
322 	 *     such as xenstore).
323 	 *  2. Physical interrupts. A domain with suitable hardware-access
324 	 *     privileges can bind an event-channel port to a physical interrupt
325 	 *     source.
326 	 *  3. Virtual interrupts ('events'). A domain can bind an event-channel
327 	 *     port to a virtual interrupt source, such as the virtual-timer
328 	 *     device or the emergency console.
329 	 *
330 	 * Event channels are addressed by a "port index". Each channel is
331 	 * associated with two bits of information:
332 	 *  1. PENDING -- notifies the domain that there is a pending notification
333 	 *     to be processed. This bit is cleared by the guest.
334 	 *  2. MASK -- if this bit is clear then a 0->1 transition of PENDING
335 	 *     will cause an asynchronous upcall to be scheduled. This bit is only
336 	 *     updated by the guest. It is read-only within Xen. If a channel
337 	 *     becomes pending while the channel is masked then the 'edge' is lost
338 	 *     (i.e., when the channel is unmasked, the guest must manually handle
339 	 *     pending notifications as no upcall will be scheduled by Xen).
340 	 *
341 	 * To expedite scanning of pending notifications, any 0->1 pending
342 	 * transition on an unmasked channel causes a corresponding bit in a
343 	 * per-vcpu selector word to be set. Each bit in the selector covers a
344 	 * 'C long' in the PENDING bitfield array.
345 	 */
346 	xen_ulong_t evtchn_pending[sizeof(xen_ulong_t) * 8];
347 	xen_ulong_t evtchn_mask[sizeof(xen_ulong_t) * 8];
348 
349 	/*
350 	 * Wallclock time: updated by control software or RTC emulation.
351 	 * Guests should base their gettimeofday() syscall on this
352 	 * wallclock-base value.
353 	 * The values of wc_sec and wc_nsec are offsets from the Unix epoch
354 	 * adjusted by the domain's 'time offset' (in seconds) as set either
355 	 * by XEN_DOMCTL_settimeoffset, or adjusted via a guest write to the
356 	 * emulated RTC.
357 	 */
358 	uint32_t wc_version;	/* Version counter: see vcpu_time_info_t. */
359 	uint32_t wc_sec;
360 	uint32_t wc_nsec;
361 #if !defined(__i386__)
362 	uint32_t wc_sec_hi;
363 # define xen_wc_sec_hi wc_sec_hi
364 #elif !defined(__XEN__) && !defined(__XEN_TOOLS__)
365 # define xen_wc_sec_hi arch.wc_sec_hi
366 #endif
367 
368 	struct arch_shared_info arch;
369 
370 };
371 #ifndef __XEN__
372 typedef struct shared_info shared_info_t;
373 #endif
374 
375 typedef uint8_t xen_domain_handle_t[16];
376 
377 #ifndef int64_aligned_t
378 #define int64_aligned_t int64_t
379 #endif
380 #ifndef uint64_aligned_t
381 #define uint64_aligned_t uint64_t
382 #endif
383 #ifndef XEN_GUEST_HANDLE_64
384 #define XEN_GUEST_HANDLE_64(name) XEN_GUEST_HANDLE(name)
385 #endif
386 
387 #ifndef __ASSEMBLY__
388 struct xenctl_bitmap {
389 	XEN_GUEST_HANDLE_64(uint8_t) bitmap;
390 	uint32_t nr_bits;
391 };
392 typedef struct xenctl_bitmap xenctl_bitmap_t;
393 #endif
394 
395 #endif /* !__ASSEMBLY__ */
396 
397 #endif /* __XEN_PUBLIC_XEN_H__ */
398