1a3434a2dSAnthony PERARD /****************************************************************************** 2a3434a2dSAnthony PERARD * grant_table.h 3a3434a2dSAnthony PERARD * 4a3434a2dSAnthony PERARD * Interface for granting foreign access to page frames, and receiving 5a3434a2dSAnthony PERARD * page-ownership transfers. 6a3434a2dSAnthony PERARD * 7a3434a2dSAnthony PERARD * Permission is hereby granted, free of charge, to any person obtaining a copy 8a3434a2dSAnthony PERARD * of this software and associated documentation files (the "Software"), to 9a3434a2dSAnthony PERARD * deal in the Software without restriction, including without limitation the 10a3434a2dSAnthony PERARD * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 11a3434a2dSAnthony PERARD * sell copies of the Software, and to permit persons to whom the Software is 12a3434a2dSAnthony PERARD * furnished to do so, subject to the following conditions: 13a3434a2dSAnthony PERARD * 14a3434a2dSAnthony PERARD * The above copyright notice and this permission notice shall be included in 15a3434a2dSAnthony PERARD * all copies or substantial portions of the Software. 16a3434a2dSAnthony PERARD * 17a3434a2dSAnthony PERARD * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18a3434a2dSAnthony PERARD * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19a3434a2dSAnthony PERARD * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20a3434a2dSAnthony PERARD * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21a3434a2dSAnthony PERARD * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 22a3434a2dSAnthony PERARD * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 23a3434a2dSAnthony PERARD * DEALINGS IN THE SOFTWARE. 24a3434a2dSAnthony PERARD * 25a3434a2dSAnthony PERARD * Copyright (c) 2004, K A Fraser 26a3434a2dSAnthony PERARD */ 27a3434a2dSAnthony PERARD 28a3434a2dSAnthony PERARD #ifndef __XEN_PUBLIC_GRANT_TABLE_H__ 29a3434a2dSAnthony PERARD #define __XEN_PUBLIC_GRANT_TABLE_H__ 30a3434a2dSAnthony PERARD 31*50c88402SJoao Martins #include "xen.h" 32*50c88402SJoao Martins 33*50c88402SJoao Martins /* 34*50c88402SJoao Martins * `incontents 150 gnttab Grant Tables 35*50c88402SJoao Martins * 36*50c88402SJoao Martins * Xen's grant tables provide a generic mechanism to memory sharing 37*50c88402SJoao Martins * between domains. This shared memory interface underpins the split 38*50c88402SJoao Martins * device drivers for block and network IO. 39*50c88402SJoao Martins * 40*50c88402SJoao Martins * Each domain has its own grant table. This is a data structure that 41*50c88402SJoao Martins * is shared with Xen; it allows the domain to tell Xen what kind of 42*50c88402SJoao Martins * permissions other domains have on its pages. Entries in the grant 43*50c88402SJoao Martins * table are identified by grant references. A grant reference is an 44*50c88402SJoao Martins * integer, which indexes into the grant table. It acts as a 45*50c88402SJoao Martins * capability which the grantee can use to perform operations on the 46*50c88402SJoao Martins * granter's memory. 47*50c88402SJoao Martins * 48*50c88402SJoao Martins * This capability-based system allows shared-memory communications 49*50c88402SJoao Martins * between unprivileged domains. A grant reference also encapsulates 50*50c88402SJoao Martins * the details of a shared page, removing the need for a domain to 51*50c88402SJoao Martins * know the real machine address of a page it is sharing. This makes 52*50c88402SJoao Martins * it possible to share memory correctly with domains running in 53*50c88402SJoao Martins * fully virtualised memory. 54*50c88402SJoao Martins */ 55*50c88402SJoao Martins 56*50c88402SJoao Martins /*********************************** 57*50c88402SJoao Martins * GRANT TABLE REPRESENTATION 58*50c88402SJoao Martins */ 59*50c88402SJoao Martins 60*50c88402SJoao Martins /* Some rough guidelines on accessing and updating grant-table entries 61*50c88402SJoao Martins * in a concurrency-safe manner. For more information, Linux contains a 62*50c88402SJoao Martins * reference implementation for guest OSes (drivers/xen/grant_table.c, see 63*50c88402SJoao Martins * http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=drivers/xen/grant-table.c;hb=HEAD 64*50c88402SJoao Martins * 65*50c88402SJoao Martins * NB. WMB is a no-op on current-generation x86 processors. However, a 66*50c88402SJoao Martins * compiler barrier will still be required. 67*50c88402SJoao Martins * 68*50c88402SJoao Martins * Introducing a valid entry into the grant table: 69*50c88402SJoao Martins * 1. Write ent->domid. 70*50c88402SJoao Martins * 2. Write ent->frame: 71*50c88402SJoao Martins * GTF_permit_access: Frame to which access is permitted. 72*50c88402SJoao Martins * GTF_accept_transfer: Pseudo-phys frame slot being filled by new 73*50c88402SJoao Martins * frame, or zero if none. 74*50c88402SJoao Martins * 3. Write memory barrier (WMB). 75*50c88402SJoao Martins * 4. Write ent->flags, inc. valid type. 76*50c88402SJoao Martins * 77*50c88402SJoao Martins * Invalidating an unused GTF_permit_access entry: 78*50c88402SJoao Martins * 1. flags = ent->flags. 79*50c88402SJoao Martins * 2. Observe that !(flags & (GTF_reading|GTF_writing)). 80*50c88402SJoao Martins * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 81*50c88402SJoao Martins * NB. No need for WMB as reuse of entry is control-dependent on success of 82*50c88402SJoao Martins * step 3, and all architectures guarantee ordering of ctrl-dep writes. 83*50c88402SJoao Martins * 84*50c88402SJoao Martins * Invalidating an in-use GTF_permit_access entry: 85*50c88402SJoao Martins * This cannot be done directly. Request assistance from the domain controller 86*50c88402SJoao Martins * which can set a timeout on the use of a grant entry and take necessary 87*50c88402SJoao Martins * action. (NB. This is not yet implemented!). 88*50c88402SJoao Martins * 89*50c88402SJoao Martins * Invalidating an unused GTF_accept_transfer entry: 90*50c88402SJoao Martins * 1. flags = ent->flags. 91*50c88402SJoao Martins * 2. Observe that !(flags & GTF_transfer_committed). [*] 92*50c88402SJoao Martins * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 93*50c88402SJoao Martins * NB. No need for WMB as reuse of entry is control-dependent on success of 94*50c88402SJoao Martins * step 3, and all architectures guarantee ordering of ctrl-dep writes. 95*50c88402SJoao Martins * [*] If GTF_transfer_committed is set then the grant entry is 'committed'. 96*50c88402SJoao Martins * The guest must /not/ modify the grant entry until the address of the 97*50c88402SJoao Martins * transferred frame is written. It is safe for the guest to spin waiting 98*50c88402SJoao Martins * for this to occur (detect by observing GTF_transfer_completed in 99*50c88402SJoao Martins * ent->flags). 100*50c88402SJoao Martins * 101*50c88402SJoao Martins * Invalidating a committed GTF_accept_transfer entry: 102*50c88402SJoao Martins * 1. Wait for (ent->flags & GTF_transfer_completed). 103*50c88402SJoao Martins * 104*50c88402SJoao Martins * Changing a GTF_permit_access from writable to read-only: 105*50c88402SJoao Martins * Use SMP-safe CMPXCHG to set GTF_readonly, while checking !GTF_writing. 106*50c88402SJoao Martins * 107*50c88402SJoao Martins * Changing a GTF_permit_access from read-only to writable: 108*50c88402SJoao Martins * Use SMP-safe bit-setting instruction. 109*50c88402SJoao Martins */ 110*50c88402SJoao Martins 111a3434a2dSAnthony PERARD /* 112a3434a2dSAnthony PERARD * Reference to a grant entry in a specified domain's grant table. 113a3434a2dSAnthony PERARD */ 114a3434a2dSAnthony PERARD typedef uint32_t grant_ref_t; 115a3434a2dSAnthony PERARD 116*50c88402SJoao Martins /* 117*50c88402SJoao Martins * A grant table comprises a packed array of grant entries in one or more 118*50c88402SJoao Martins * page frames shared between Xen and a guest. 119*50c88402SJoao Martins * [XEN]: This field is written by Xen and read by the sharing guest. 120*50c88402SJoao Martins * [GST]: This field is written by the guest and read by Xen. 121*50c88402SJoao Martins */ 122*50c88402SJoao Martins 123*50c88402SJoao Martins /* 124*50c88402SJoao Martins * Version 1 of the grant table entry structure is maintained largely for 125*50c88402SJoao Martins * backwards compatibility. New guests are recommended to support using 126*50c88402SJoao Martins * version 2 to overcome version 1 limitations, but to default to version 1. 127*50c88402SJoao Martins */ 128*50c88402SJoao Martins #if __XEN_INTERFACE_VERSION__ < 0x0003020a 129*50c88402SJoao Martins #define grant_entry_v1 grant_entry 130*50c88402SJoao Martins #define grant_entry_v1_t grant_entry_t 131*50c88402SJoao Martins #endif 132*50c88402SJoao Martins struct grant_entry_v1 { 133*50c88402SJoao Martins /* GTF_xxx: various type and flag information. [XEN,GST] */ 134*50c88402SJoao Martins uint16_t flags; 135*50c88402SJoao Martins /* The domain being granted foreign privileges. [GST] */ 136*50c88402SJoao Martins domid_t domid; 137*50c88402SJoao Martins /* 138*50c88402SJoao Martins * GTF_permit_access: GFN that @domid is allowed to map and access. [GST] 139*50c88402SJoao Martins * GTF_accept_transfer: GFN that @domid is allowed to transfer into. [GST] 140*50c88402SJoao Martins * GTF_transfer_completed: MFN whose ownership transferred by @domid 141*50c88402SJoao Martins * (non-translated guests only). [XEN] 142*50c88402SJoao Martins */ 143*50c88402SJoao Martins uint32_t frame; 144*50c88402SJoao Martins }; 145*50c88402SJoao Martins typedef struct grant_entry_v1 grant_entry_v1_t; 146*50c88402SJoao Martins 147*50c88402SJoao Martins /* The first few grant table entries will be preserved across grant table 148*50c88402SJoao Martins * version changes and may be pre-populated at domain creation by tools. 149*50c88402SJoao Martins */ 150*50c88402SJoao Martins #define GNTTAB_NR_RESERVED_ENTRIES 8 151*50c88402SJoao Martins #define GNTTAB_RESERVED_CONSOLE 0 152*50c88402SJoao Martins #define GNTTAB_RESERVED_XENSTORE 1 153*50c88402SJoao Martins 154*50c88402SJoao Martins /* 155*50c88402SJoao Martins * Type of grant entry. 156*50c88402SJoao Martins * GTF_invalid: This grant entry grants no privileges. 157*50c88402SJoao Martins * GTF_permit_access: Allow @domid to map/access @frame. 158*50c88402SJoao Martins * GTF_accept_transfer: Allow @domid to transfer ownership of one page frame 159*50c88402SJoao Martins * to this guest. Xen writes the page number to @frame. 160*50c88402SJoao Martins * GTF_transitive: Allow @domid to transitively access a subrange of 161*50c88402SJoao Martins * @trans_grant in @trans_domid. No mappings are allowed. 162*50c88402SJoao Martins */ 163*50c88402SJoao Martins #define GTF_invalid (0U<<0) 164*50c88402SJoao Martins #define GTF_permit_access (1U<<0) 165*50c88402SJoao Martins #define GTF_accept_transfer (2U<<0) 166*50c88402SJoao Martins #define GTF_transitive (3U<<0) 167*50c88402SJoao Martins #define GTF_type_mask (3U<<0) 168*50c88402SJoao Martins 169*50c88402SJoao Martins /* 170*50c88402SJoao Martins * Subflags for GTF_permit_access and GTF_transitive. 171*50c88402SJoao Martins * GTF_readonly: Restrict @domid to read-only mappings and accesses. [GST] 172*50c88402SJoao Martins * GTF_reading: Grant entry is currently mapped for reading by @domid. [XEN] 173*50c88402SJoao Martins * GTF_writing: Grant entry is currently mapped for writing by @domid. [XEN] 174*50c88402SJoao Martins * Further subflags for GTF_permit_access only. 175*50c88402SJoao Martins * GTF_PAT, GTF_PWT, GTF_PCD: (x86) cache attribute flags to be used for 176*50c88402SJoao Martins * mappings of the grant [GST] 177*50c88402SJoao Martins * GTF_sub_page: Grant access to only a subrange of the page. @domid 178*50c88402SJoao Martins * will only be allowed to copy from the grant, and not 179*50c88402SJoao Martins * map it. [GST] 180*50c88402SJoao Martins */ 181*50c88402SJoao Martins #define _GTF_readonly (2) 182*50c88402SJoao Martins #define GTF_readonly (1U<<_GTF_readonly) 183*50c88402SJoao Martins #define _GTF_reading (3) 184*50c88402SJoao Martins #define GTF_reading (1U<<_GTF_reading) 185*50c88402SJoao Martins #define _GTF_writing (4) 186*50c88402SJoao Martins #define GTF_writing (1U<<_GTF_writing) 187*50c88402SJoao Martins #define _GTF_PWT (5) 188*50c88402SJoao Martins #define GTF_PWT (1U<<_GTF_PWT) 189*50c88402SJoao Martins #define _GTF_PCD (6) 190*50c88402SJoao Martins #define GTF_PCD (1U<<_GTF_PCD) 191*50c88402SJoao Martins #define _GTF_PAT (7) 192*50c88402SJoao Martins #define GTF_PAT (1U<<_GTF_PAT) 193*50c88402SJoao Martins #define _GTF_sub_page (8) 194*50c88402SJoao Martins #define GTF_sub_page (1U<<_GTF_sub_page) 195*50c88402SJoao Martins 196*50c88402SJoao Martins /* 197*50c88402SJoao Martins * Subflags for GTF_accept_transfer: 198*50c88402SJoao Martins * GTF_transfer_committed: Xen sets this flag to indicate that it is committed 199*50c88402SJoao Martins * to transferring ownership of a page frame. When a guest sees this flag 200*50c88402SJoao Martins * it must /not/ modify the grant entry until GTF_transfer_completed is 201*50c88402SJoao Martins * set by Xen. 202*50c88402SJoao Martins * GTF_transfer_completed: It is safe for the guest to spin-wait on this flag 203*50c88402SJoao Martins * after reading GTF_transfer_committed. Xen will always write the frame 204*50c88402SJoao Martins * address, followed by ORing this flag, in a timely manner. 205*50c88402SJoao Martins */ 206*50c88402SJoao Martins #define _GTF_transfer_committed (2) 207*50c88402SJoao Martins #define GTF_transfer_committed (1U<<_GTF_transfer_committed) 208*50c88402SJoao Martins #define _GTF_transfer_completed (3) 209*50c88402SJoao Martins #define GTF_transfer_completed (1U<<_GTF_transfer_completed) 210*50c88402SJoao Martins 211*50c88402SJoao Martins /* 212*50c88402SJoao Martins * Version 2 grant table entries. These fulfil the same role as 213*50c88402SJoao Martins * version 1 entries, but can represent more complicated operations. 214*50c88402SJoao Martins * Any given domain will have either a version 1 or a version 2 table, 215*50c88402SJoao Martins * and every entry in the table will be the same version. 216*50c88402SJoao Martins * 217*50c88402SJoao Martins * The interface by which domains use grant references does not depend 218*50c88402SJoao Martins * on the grant table version in use by the other domain. 219*50c88402SJoao Martins */ 220*50c88402SJoao Martins #if __XEN_INTERFACE_VERSION__ >= 0x0003020a 221*50c88402SJoao Martins /* 222*50c88402SJoao Martins * Version 1 and version 2 grant entries share a common prefix. The 223*50c88402SJoao Martins * fields of the prefix are documented as part of struct 224*50c88402SJoao Martins * grant_entry_v1. 225*50c88402SJoao Martins */ 226*50c88402SJoao Martins struct grant_entry_header { 227*50c88402SJoao Martins uint16_t flags; 228*50c88402SJoao Martins domid_t domid; 229*50c88402SJoao Martins }; 230*50c88402SJoao Martins typedef struct grant_entry_header grant_entry_header_t; 231*50c88402SJoao Martins 232*50c88402SJoao Martins /* 233*50c88402SJoao Martins * Version 2 of the grant entry structure. 234*50c88402SJoao Martins */ 235*50c88402SJoao Martins union grant_entry_v2 { 236*50c88402SJoao Martins grant_entry_header_t hdr; 237*50c88402SJoao Martins 238*50c88402SJoao Martins /* 239*50c88402SJoao Martins * This member is used for V1-style full page grants, where either: 240*50c88402SJoao Martins * 241*50c88402SJoao Martins * -- hdr.type is GTF_accept_transfer, or 242*50c88402SJoao Martins * -- hdr.type is GTF_permit_access and GTF_sub_page is not set. 243*50c88402SJoao Martins * 244*50c88402SJoao Martins * In that case, the frame field has the same semantics as the 245*50c88402SJoao Martins * field of the same name in the V1 entry structure. 246*50c88402SJoao Martins */ 247*50c88402SJoao Martins struct { 248*50c88402SJoao Martins grant_entry_header_t hdr; 249*50c88402SJoao Martins uint32_t pad0; 250*50c88402SJoao Martins uint64_t frame; 251*50c88402SJoao Martins } full_page; 252*50c88402SJoao Martins 253*50c88402SJoao Martins /* 254*50c88402SJoao Martins * If the grant type is GTF_grant_access and GTF_sub_page is set, 255*50c88402SJoao Martins * @domid is allowed to access bytes [@page_off,@page_off+@length) 256*50c88402SJoao Martins * in frame @frame. 257*50c88402SJoao Martins */ 258*50c88402SJoao Martins struct { 259*50c88402SJoao Martins grant_entry_header_t hdr; 260*50c88402SJoao Martins uint16_t page_off; 261*50c88402SJoao Martins uint16_t length; 262*50c88402SJoao Martins uint64_t frame; 263*50c88402SJoao Martins } sub_page; 264*50c88402SJoao Martins 265*50c88402SJoao Martins /* 266*50c88402SJoao Martins * If the grant is GTF_transitive, @domid is allowed to use the 267*50c88402SJoao Martins * grant @gref in domain @trans_domid, as if it was the local 268*50c88402SJoao Martins * domain. Obviously, the transitive access must be compatible 269*50c88402SJoao Martins * with the original grant. 270*50c88402SJoao Martins * 271*50c88402SJoao Martins * The current version of Xen does not allow transitive grants 272*50c88402SJoao Martins * to be mapped. 273*50c88402SJoao Martins */ 274*50c88402SJoao Martins struct { 275*50c88402SJoao Martins grant_entry_header_t hdr; 276*50c88402SJoao Martins domid_t trans_domid; 277*50c88402SJoao Martins uint16_t pad0; 278*50c88402SJoao Martins grant_ref_t gref; 279*50c88402SJoao Martins } transitive; 280*50c88402SJoao Martins 281*50c88402SJoao Martins uint32_t __spacer[4]; /* Pad to a power of two */ 282*50c88402SJoao Martins }; 283*50c88402SJoao Martins typedef union grant_entry_v2 grant_entry_v2_t; 284*50c88402SJoao Martins 285*50c88402SJoao Martins typedef uint16_t grant_status_t; 286*50c88402SJoao Martins 287*50c88402SJoao Martins #endif /* __XEN_INTERFACE_VERSION__ */ 288*50c88402SJoao Martins 289*50c88402SJoao Martins /*********************************** 290*50c88402SJoao Martins * GRANT TABLE QUERIES AND USES 291*50c88402SJoao Martins */ 292*50c88402SJoao Martins 293*50c88402SJoao Martins /* ` enum neg_errnoval 294*50c88402SJoao Martins * ` HYPERVISOR_grant_table_op(enum grant_table_op cmd, 295*50c88402SJoao Martins * ` void *args, 296*50c88402SJoao Martins * ` unsigned int count) 297*50c88402SJoao Martins * ` 298*50c88402SJoao Martins * 299*50c88402SJoao Martins * @args points to an array of a per-command data structure. The array 300*50c88402SJoao Martins * has @count members 301*50c88402SJoao Martins */ 302*50c88402SJoao Martins 303*50c88402SJoao Martins /* ` enum grant_table_op { // GNTTABOP_* => struct gnttab_* */ 304*50c88402SJoao Martins #define GNTTABOP_map_grant_ref 0 305*50c88402SJoao Martins #define GNTTABOP_unmap_grant_ref 1 306*50c88402SJoao Martins #define GNTTABOP_setup_table 2 307*50c88402SJoao Martins #define GNTTABOP_dump_table 3 308*50c88402SJoao Martins #define GNTTABOP_transfer 4 309*50c88402SJoao Martins #define GNTTABOP_copy 5 310*50c88402SJoao Martins #define GNTTABOP_query_size 6 311*50c88402SJoao Martins #define GNTTABOP_unmap_and_replace 7 312*50c88402SJoao Martins #if __XEN_INTERFACE_VERSION__ >= 0x0003020a 313*50c88402SJoao Martins #define GNTTABOP_set_version 8 314*50c88402SJoao Martins #define GNTTABOP_get_status_frames 9 315*50c88402SJoao Martins #define GNTTABOP_get_version 10 316*50c88402SJoao Martins #define GNTTABOP_swap_grant_ref 11 317*50c88402SJoao Martins #define GNTTABOP_cache_flush 12 318*50c88402SJoao Martins #endif /* __XEN_INTERFACE_VERSION__ */ 319*50c88402SJoao Martins /* ` } */ 320*50c88402SJoao Martins 321*50c88402SJoao Martins /* 322*50c88402SJoao Martins * Handle to track a mapping created via a grant reference. 323*50c88402SJoao Martins */ 324*50c88402SJoao Martins typedef uint32_t grant_handle_t; 325*50c88402SJoao Martins 326*50c88402SJoao Martins /* 327*50c88402SJoao Martins * GNTTABOP_map_grant_ref: Map the grant entry (<dom>,<ref>) for access 328*50c88402SJoao Martins * by devices and/or host CPUs. If successful, <handle> is a tracking number 329*50c88402SJoao Martins * that must be presented later to destroy the mapping(s). On error, <status> 330*50c88402SJoao Martins * is a negative status code. 331*50c88402SJoao Martins * NOTES: 332*50c88402SJoao Martins * 1. If GNTMAP_device_map is specified then <dev_bus_addr> is the address 333*50c88402SJoao Martins * via which I/O devices may access the granted frame. 334*50c88402SJoao Martins * 2. If GNTMAP_host_map is specified then a mapping will be added at 335*50c88402SJoao Martins * either a host virtual address in the current address space, or at 336*50c88402SJoao Martins * a PTE at the specified machine address. The type of mapping to 337*50c88402SJoao Martins * perform is selected through the GNTMAP_contains_pte flag, and the 338*50c88402SJoao Martins * address is specified in <host_addr>. 339*50c88402SJoao Martins * 3. Mappings should only be destroyed via GNTTABOP_unmap_grant_ref. If a 340*50c88402SJoao Martins * host mapping is destroyed by other means then it is *NOT* guaranteed 341*50c88402SJoao Martins * to be accounted to the correct grant reference! 342*50c88402SJoao Martins */ 343*50c88402SJoao Martins struct gnttab_map_grant_ref { 344*50c88402SJoao Martins /* IN parameters. */ 345*50c88402SJoao Martins uint64_t host_addr; 346*50c88402SJoao Martins uint32_t flags; /* GNTMAP_* */ 347*50c88402SJoao Martins grant_ref_t ref; 348*50c88402SJoao Martins domid_t dom; 349*50c88402SJoao Martins /* OUT parameters. */ 350*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 351*50c88402SJoao Martins grant_handle_t handle; 352*50c88402SJoao Martins uint64_t dev_bus_addr; 353*50c88402SJoao Martins }; 354*50c88402SJoao Martins typedef struct gnttab_map_grant_ref gnttab_map_grant_ref_t; 355*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_map_grant_ref_t); 356*50c88402SJoao Martins 357*50c88402SJoao Martins /* 358*50c88402SJoao Martins * GNTTABOP_unmap_grant_ref: Destroy one or more grant-reference mappings 359*50c88402SJoao Martins * tracked by <handle>. If <host_addr> or <dev_bus_addr> is zero, that 360*50c88402SJoao Martins * field is ignored. If non-zero, they must refer to a device/host mapping 361*50c88402SJoao Martins * that is tracked by <handle> 362*50c88402SJoao Martins * NOTES: 363*50c88402SJoao Martins * 1. The call may fail in an undefined manner if either mapping is not 364*50c88402SJoao Martins * tracked by <handle>. 365*50c88402SJoao Martins * 3. After executing a batch of unmaps, it is guaranteed that no stale 366*50c88402SJoao Martins * mappings will remain in the device or host TLBs. 367*50c88402SJoao Martins */ 368*50c88402SJoao Martins struct gnttab_unmap_grant_ref { 369*50c88402SJoao Martins /* IN parameters. */ 370*50c88402SJoao Martins uint64_t host_addr; 371*50c88402SJoao Martins uint64_t dev_bus_addr; 372*50c88402SJoao Martins grant_handle_t handle; 373*50c88402SJoao Martins /* OUT parameters. */ 374*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 375*50c88402SJoao Martins }; 376*50c88402SJoao Martins typedef struct gnttab_unmap_grant_ref gnttab_unmap_grant_ref_t; 377*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_unmap_grant_ref_t); 378*50c88402SJoao Martins 379*50c88402SJoao Martins /* 380*50c88402SJoao Martins * GNTTABOP_setup_table: Set up a grant table for <dom> comprising at least 381*50c88402SJoao Martins * <nr_frames> pages. The frame addresses are written to the <frame_list>. 382*50c88402SJoao Martins * Only <nr_frames> addresses are written, even if the table is larger. 383*50c88402SJoao Martins * NOTES: 384*50c88402SJoao Martins * 1. <dom> may be specified as DOMID_SELF. 385*50c88402SJoao Martins * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 386*50c88402SJoao Martins * 3. Xen may not support more than a single grant-table page per domain. 387*50c88402SJoao Martins */ 388*50c88402SJoao Martins struct gnttab_setup_table { 389*50c88402SJoao Martins /* IN parameters. */ 390*50c88402SJoao Martins domid_t dom; 391*50c88402SJoao Martins uint32_t nr_frames; 392*50c88402SJoao Martins /* OUT parameters. */ 393*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 394*50c88402SJoao Martins #if __XEN_INTERFACE_VERSION__ < 0x00040300 395*50c88402SJoao Martins XEN_GUEST_HANDLE(ulong) frame_list; 396*50c88402SJoao Martins #else 397*50c88402SJoao Martins XEN_GUEST_HANDLE(xen_pfn_t) frame_list; 398*50c88402SJoao Martins #endif 399*50c88402SJoao Martins }; 400*50c88402SJoao Martins typedef struct gnttab_setup_table gnttab_setup_table_t; 401*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_setup_table_t); 402*50c88402SJoao Martins 403*50c88402SJoao Martins /* 404*50c88402SJoao Martins * GNTTABOP_dump_table: Dump the contents of the grant table to the 405*50c88402SJoao Martins * xen console. Debugging use only. 406*50c88402SJoao Martins */ 407*50c88402SJoao Martins struct gnttab_dump_table { 408*50c88402SJoao Martins /* IN parameters. */ 409*50c88402SJoao Martins domid_t dom; 410*50c88402SJoao Martins /* OUT parameters. */ 411*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 412*50c88402SJoao Martins }; 413*50c88402SJoao Martins typedef struct gnttab_dump_table gnttab_dump_table_t; 414*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_dump_table_t); 415*50c88402SJoao Martins 416*50c88402SJoao Martins /* 417*50c88402SJoao Martins * GNTTABOP_transfer: Transfer <frame> to a foreign domain. The foreign domain 418*50c88402SJoao Martins * has previously registered its interest in the transfer via <domid, ref>. 419*50c88402SJoao Martins * 420*50c88402SJoao Martins * Note that, even if the transfer fails, the specified page no longer belongs 421*50c88402SJoao Martins * to the calling domain *unless* the error is GNTST_bad_page. 422*50c88402SJoao Martins * 423*50c88402SJoao Martins * Note further that only PV guests can use this operation. 424*50c88402SJoao Martins */ 425*50c88402SJoao Martins struct gnttab_transfer { 426*50c88402SJoao Martins /* IN parameters. */ 427*50c88402SJoao Martins xen_pfn_t mfn; 428*50c88402SJoao Martins domid_t domid; 429*50c88402SJoao Martins grant_ref_t ref; 430*50c88402SJoao Martins /* OUT parameters. */ 431*50c88402SJoao Martins int16_t status; 432*50c88402SJoao Martins }; 433*50c88402SJoao Martins typedef struct gnttab_transfer gnttab_transfer_t; 434*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_transfer_t); 435*50c88402SJoao Martins 436*50c88402SJoao Martins 437*50c88402SJoao Martins /* 438*50c88402SJoao Martins * GNTTABOP_copy: Hypervisor based copy 439*50c88402SJoao Martins * source and destinations can be eithers MFNs or, for foreign domains, 440*50c88402SJoao Martins * grant references. the foreign domain has to grant read/write access 441*50c88402SJoao Martins * in its grant table. 442*50c88402SJoao Martins * 443*50c88402SJoao Martins * The flags specify what type source and destinations are (either MFN 444*50c88402SJoao Martins * or grant reference). 445*50c88402SJoao Martins * 446*50c88402SJoao Martins * Note that this can also be used to copy data between two domains 447*50c88402SJoao Martins * via a third party if the source and destination domains had previously 448*50c88402SJoao Martins * grant appropriate access to their pages to the third party. 449*50c88402SJoao Martins * 450*50c88402SJoao Martins * source_offset specifies an offset in the source frame, dest_offset 451*50c88402SJoao Martins * the offset in the target frame and len specifies the number of 452*50c88402SJoao Martins * bytes to be copied. 453*50c88402SJoao Martins */ 454*50c88402SJoao Martins 455*50c88402SJoao Martins #define _GNTCOPY_source_gref (0) 456*50c88402SJoao Martins #define GNTCOPY_source_gref (1<<_GNTCOPY_source_gref) 457*50c88402SJoao Martins #define _GNTCOPY_dest_gref (1) 458*50c88402SJoao Martins #define GNTCOPY_dest_gref (1<<_GNTCOPY_dest_gref) 459*50c88402SJoao Martins 460*50c88402SJoao Martins struct gnttab_copy { 461*50c88402SJoao Martins /* IN parameters. */ 462*50c88402SJoao Martins struct gnttab_copy_ptr { 463*50c88402SJoao Martins union { 464*50c88402SJoao Martins grant_ref_t ref; 465*50c88402SJoao Martins xen_pfn_t gmfn; 466*50c88402SJoao Martins } u; 467*50c88402SJoao Martins domid_t domid; 468*50c88402SJoao Martins uint16_t offset; 469*50c88402SJoao Martins } source, dest; 470*50c88402SJoao Martins uint16_t len; 471*50c88402SJoao Martins uint16_t flags; /* GNTCOPY_* */ 472*50c88402SJoao Martins /* OUT parameters. */ 473*50c88402SJoao Martins int16_t status; 474*50c88402SJoao Martins }; 475*50c88402SJoao Martins typedef struct gnttab_copy gnttab_copy_t; 476*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_copy_t); 477*50c88402SJoao Martins 478*50c88402SJoao Martins /* 479*50c88402SJoao Martins * GNTTABOP_query_size: Query the current and maximum sizes of the shared 480*50c88402SJoao Martins * grant table. 481*50c88402SJoao Martins * NOTES: 482*50c88402SJoao Martins * 1. <dom> may be specified as DOMID_SELF. 483*50c88402SJoao Martins * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 484*50c88402SJoao Martins */ 485*50c88402SJoao Martins struct gnttab_query_size { 486*50c88402SJoao Martins /* IN parameters. */ 487*50c88402SJoao Martins domid_t dom; 488*50c88402SJoao Martins /* OUT parameters. */ 489*50c88402SJoao Martins uint32_t nr_frames; 490*50c88402SJoao Martins uint32_t max_nr_frames; 491*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 492*50c88402SJoao Martins }; 493*50c88402SJoao Martins typedef struct gnttab_query_size gnttab_query_size_t; 494*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_query_size_t); 495*50c88402SJoao Martins 496*50c88402SJoao Martins /* 497*50c88402SJoao Martins * GNTTABOP_unmap_and_replace: Destroy one or more grant-reference mappings 498*50c88402SJoao Martins * tracked by <handle> but atomically replace the page table entry with one 499*50c88402SJoao Martins * pointing to the machine address under <new_addr>. <new_addr> will be 500*50c88402SJoao Martins * redirected to the null entry. 501*50c88402SJoao Martins * NOTES: 502*50c88402SJoao Martins * 1. The call may fail in an undefined manner if either mapping is not 503*50c88402SJoao Martins * tracked by <handle>. 504*50c88402SJoao Martins * 2. After executing a batch of unmaps, it is guaranteed that no stale 505*50c88402SJoao Martins * mappings will remain in the device or host TLBs. 506*50c88402SJoao Martins */ 507*50c88402SJoao Martins struct gnttab_unmap_and_replace { 508*50c88402SJoao Martins /* IN parameters. */ 509*50c88402SJoao Martins uint64_t host_addr; 510*50c88402SJoao Martins uint64_t new_addr; 511*50c88402SJoao Martins grant_handle_t handle; 512*50c88402SJoao Martins /* OUT parameters. */ 513*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 514*50c88402SJoao Martins }; 515*50c88402SJoao Martins typedef struct gnttab_unmap_and_replace gnttab_unmap_and_replace_t; 516*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_unmap_and_replace_t); 517*50c88402SJoao Martins 518*50c88402SJoao Martins #if __XEN_INTERFACE_VERSION__ >= 0x0003020a 519*50c88402SJoao Martins /* 520*50c88402SJoao Martins * GNTTABOP_set_version: Request a particular version of the grant 521*50c88402SJoao Martins * table shared table structure. This operation may be used to toggle 522*50c88402SJoao Martins * between different versions, but must be performed while no grants 523*50c88402SJoao Martins * are active. The only defined versions are 1 and 2. 524*50c88402SJoao Martins */ 525*50c88402SJoao Martins struct gnttab_set_version { 526*50c88402SJoao Martins /* IN/OUT parameters */ 527*50c88402SJoao Martins uint32_t version; 528*50c88402SJoao Martins }; 529*50c88402SJoao Martins typedef struct gnttab_set_version gnttab_set_version_t; 530*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_set_version_t); 531*50c88402SJoao Martins 532*50c88402SJoao Martins 533*50c88402SJoao Martins /* 534*50c88402SJoao Martins * GNTTABOP_get_status_frames: Get the list of frames used to store grant 535*50c88402SJoao Martins * status for <dom>. In grant format version 2, the status is separated 536*50c88402SJoao Martins * from the other shared grant fields to allow more efficient synchronization 537*50c88402SJoao Martins * using barriers instead of atomic cmpexch operations. 538*50c88402SJoao Martins * <nr_frames> specify the size of vector <frame_list>. 539*50c88402SJoao Martins * The frame addresses are returned in the <frame_list>. 540*50c88402SJoao Martins * Only <nr_frames> addresses are returned, even if the table is larger. 541*50c88402SJoao Martins * NOTES: 542*50c88402SJoao Martins * 1. <dom> may be specified as DOMID_SELF. 543*50c88402SJoao Martins * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 544*50c88402SJoao Martins */ 545*50c88402SJoao Martins struct gnttab_get_status_frames { 546*50c88402SJoao Martins /* IN parameters. */ 547*50c88402SJoao Martins uint32_t nr_frames; 548*50c88402SJoao Martins domid_t dom; 549*50c88402SJoao Martins /* OUT parameters. */ 550*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 551*50c88402SJoao Martins XEN_GUEST_HANDLE(uint64_t) frame_list; 552*50c88402SJoao Martins }; 553*50c88402SJoao Martins typedef struct gnttab_get_status_frames gnttab_get_status_frames_t; 554*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_get_status_frames_t); 555*50c88402SJoao Martins 556*50c88402SJoao Martins /* 557*50c88402SJoao Martins * GNTTABOP_get_version: Get the grant table version which is in 558*50c88402SJoao Martins * effect for domain <dom>. 559*50c88402SJoao Martins */ 560*50c88402SJoao Martins struct gnttab_get_version { 561*50c88402SJoao Martins /* IN parameters */ 562*50c88402SJoao Martins domid_t dom; 563*50c88402SJoao Martins uint16_t pad; 564*50c88402SJoao Martins /* OUT parameters */ 565*50c88402SJoao Martins uint32_t version; 566*50c88402SJoao Martins }; 567*50c88402SJoao Martins typedef struct gnttab_get_version gnttab_get_version_t; 568*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_get_version_t); 569*50c88402SJoao Martins 570*50c88402SJoao Martins /* 571*50c88402SJoao Martins * GNTTABOP_swap_grant_ref: Swap the contents of two grant entries. 572*50c88402SJoao Martins */ 573*50c88402SJoao Martins struct gnttab_swap_grant_ref { 574*50c88402SJoao Martins /* IN parameters */ 575*50c88402SJoao Martins grant_ref_t ref_a; 576*50c88402SJoao Martins grant_ref_t ref_b; 577*50c88402SJoao Martins /* OUT parameters */ 578*50c88402SJoao Martins int16_t status; /* => enum grant_status */ 579*50c88402SJoao Martins }; 580*50c88402SJoao Martins typedef struct gnttab_swap_grant_ref gnttab_swap_grant_ref_t; 581*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_swap_grant_ref_t); 582*50c88402SJoao Martins 583*50c88402SJoao Martins /* 584*50c88402SJoao Martins * Issue one or more cache maintenance operations on a portion of a 585*50c88402SJoao Martins * page granted to the calling domain by a foreign domain. 586*50c88402SJoao Martins */ 587*50c88402SJoao Martins struct gnttab_cache_flush { 588*50c88402SJoao Martins union { 589*50c88402SJoao Martins uint64_t dev_bus_addr; 590*50c88402SJoao Martins grant_ref_t ref; 591*50c88402SJoao Martins } a; 592*50c88402SJoao Martins uint16_t offset; /* offset from start of grant */ 593*50c88402SJoao Martins uint16_t length; /* size within the grant */ 594*50c88402SJoao Martins #define GNTTAB_CACHE_CLEAN (1u<<0) 595*50c88402SJoao Martins #define GNTTAB_CACHE_INVAL (1u<<1) 596*50c88402SJoao Martins #define GNTTAB_CACHE_SOURCE_GREF (1u<<31) 597*50c88402SJoao Martins uint32_t op; 598*50c88402SJoao Martins }; 599*50c88402SJoao Martins typedef struct gnttab_cache_flush gnttab_cache_flush_t; 600*50c88402SJoao Martins DEFINE_XEN_GUEST_HANDLE(gnttab_cache_flush_t); 601*50c88402SJoao Martins 602*50c88402SJoao Martins #endif /* __XEN_INTERFACE_VERSION__ */ 603*50c88402SJoao Martins 604*50c88402SJoao Martins /* 605*50c88402SJoao Martins * Bitfield values for gnttab_map_grant_ref.flags. 606*50c88402SJoao Martins */ 607*50c88402SJoao Martins /* Map the grant entry for access by I/O devices. */ 608*50c88402SJoao Martins #define _GNTMAP_device_map (0) 609*50c88402SJoao Martins #define GNTMAP_device_map (1<<_GNTMAP_device_map) 610*50c88402SJoao Martins /* Map the grant entry for access by host CPUs. */ 611*50c88402SJoao Martins #define _GNTMAP_host_map (1) 612*50c88402SJoao Martins #define GNTMAP_host_map (1<<_GNTMAP_host_map) 613*50c88402SJoao Martins /* Accesses to the granted frame will be restricted to read-only access. */ 614*50c88402SJoao Martins #define _GNTMAP_readonly (2) 615*50c88402SJoao Martins #define GNTMAP_readonly (1<<_GNTMAP_readonly) 616*50c88402SJoao Martins /* 617*50c88402SJoao Martins * GNTMAP_host_map subflag: 618*50c88402SJoao Martins * 0 => The host mapping is usable only by the guest OS. 619*50c88402SJoao Martins * 1 => The host mapping is usable by guest OS + current application. 620*50c88402SJoao Martins */ 621*50c88402SJoao Martins #define _GNTMAP_application_map (3) 622*50c88402SJoao Martins #define GNTMAP_application_map (1<<_GNTMAP_application_map) 623*50c88402SJoao Martins 624*50c88402SJoao Martins /* 625*50c88402SJoao Martins * GNTMAP_contains_pte subflag: 626*50c88402SJoao Martins * 0 => This map request contains a host virtual address. 627*50c88402SJoao Martins * 1 => This map request contains the machine addess of the PTE to update. 628*50c88402SJoao Martins */ 629*50c88402SJoao Martins #define _GNTMAP_contains_pte (4) 630*50c88402SJoao Martins #define GNTMAP_contains_pte (1<<_GNTMAP_contains_pte) 631*50c88402SJoao Martins 632*50c88402SJoao Martins /* 633*50c88402SJoao Martins * Bits to be placed in guest kernel available PTE bits (architecture 634*50c88402SJoao Martins * dependent; only supported when XENFEAT_gnttab_map_avail_bits is set). 635*50c88402SJoao Martins */ 636*50c88402SJoao Martins #define _GNTMAP_guest_avail0 (16) 637*50c88402SJoao Martins #define GNTMAP_guest_avail_mask ((uint32_t)~0 << _GNTMAP_guest_avail0) 638*50c88402SJoao Martins 639*50c88402SJoao Martins /* 640*50c88402SJoao Martins * Values for error status returns. All errors are -ve. 641*50c88402SJoao Martins */ 642*50c88402SJoao Martins /* ` enum grant_status { */ 643*50c88402SJoao Martins #define GNTST_okay (0) /* Normal return. */ 644*50c88402SJoao Martins #define GNTST_general_error (-1) /* General undefined error. */ 645*50c88402SJoao Martins #define GNTST_bad_domain (-2) /* Unrecognsed domain id. */ 646*50c88402SJoao Martins #define GNTST_bad_gntref (-3) /* Unrecognised or inappropriate gntref. */ 647*50c88402SJoao Martins #define GNTST_bad_handle (-4) /* Unrecognised or inappropriate handle. */ 648*50c88402SJoao Martins #define GNTST_bad_virt_addr (-5) /* Inappropriate virtual address to map. */ 649*50c88402SJoao Martins #define GNTST_bad_dev_addr (-6) /* Inappropriate device address to unmap.*/ 650*50c88402SJoao Martins #define GNTST_no_device_space (-7) /* Out of space in I/O MMU. */ 651*50c88402SJoao Martins #define GNTST_permission_denied (-8) /* Not enough privilege for operation. */ 652*50c88402SJoao Martins #define GNTST_bad_page (-9) /* Specified page was invalid for op. */ 653*50c88402SJoao Martins #define GNTST_bad_copy_arg (-10) /* copy arguments cross page boundary. */ 654*50c88402SJoao Martins #define GNTST_address_too_big (-11) /* transfer page address too large. */ 655*50c88402SJoao Martins #define GNTST_eagain (-12) /* Operation not done; try again. */ 656*50c88402SJoao Martins #define GNTST_no_space (-13) /* Out of space (handles etc). */ 657*50c88402SJoao Martins /* ` } */ 658*50c88402SJoao Martins 659*50c88402SJoao Martins #define GNTTABOP_error_msgs { \ 660*50c88402SJoao Martins "okay", \ 661*50c88402SJoao Martins "undefined error", \ 662*50c88402SJoao Martins "unrecognised domain id", \ 663*50c88402SJoao Martins "invalid grant reference", \ 664*50c88402SJoao Martins "invalid mapping handle", \ 665*50c88402SJoao Martins "invalid virtual address", \ 666*50c88402SJoao Martins "invalid device address", \ 667*50c88402SJoao Martins "no spare translation slot in the I/O MMU", \ 668*50c88402SJoao Martins "permission denied", \ 669*50c88402SJoao Martins "bad page", \ 670*50c88402SJoao Martins "copy arguments cross page boundary", \ 671*50c88402SJoao Martins "page address size too large", \ 672*50c88402SJoao Martins "operation not done; try again", \ 673*50c88402SJoao Martins "out of space", \ 674*50c88402SJoao Martins } 675*50c88402SJoao Martins 676a3434a2dSAnthony PERARD #endif /* __XEN_PUBLIC_GRANT_TABLE_H__ */ 677*50c88402SJoao Martins 678*50c88402SJoao Martins /* 679*50c88402SJoao Martins * Local variables: 680*50c88402SJoao Martins * mode: C 681*50c88402SJoao Martins * c-file-style: "BSD" 682*50c88402SJoao Martins * c-basic-offset: 4 683*50c88402SJoao Martins * tab-width: 4 684*50c88402SJoao Martins * indent-tabs-mode: nil 685*50c88402SJoao Martins * End: 686*50c88402SJoao Martins */ 687