19e2b3e83SJuergen Gross /* SPDX-License-Identifier: MIT */ 2a42089ddSJeremy Fitzhardinge /****************************************************************************** 3a42089ddSJeremy Fitzhardinge * grant_table.h 4a42089ddSJeremy Fitzhardinge * 5a42089ddSJeremy Fitzhardinge * Interface for granting foreign access to page frames, and receiving 6a42089ddSJeremy Fitzhardinge * page-ownership transfers. 7a42089ddSJeremy Fitzhardinge * 8a42089ddSJeremy Fitzhardinge * Copyright (c) 2004, K A Fraser 9a42089ddSJeremy Fitzhardinge */ 10a42089ddSJeremy Fitzhardinge 11a42089ddSJeremy Fitzhardinge #ifndef __XEN_PUBLIC_GRANT_TABLE_H__ 12a42089ddSJeremy Fitzhardinge #define __XEN_PUBLIC_GRANT_TABLE_H__ 13a42089ddSJeremy Fitzhardinge 14183d03ccSStefano Stabellini #include <xen/interface/xen.h> 15a42089ddSJeremy Fitzhardinge 16a42089ddSJeremy Fitzhardinge /*********************************** 17a42089ddSJeremy Fitzhardinge * GRANT TABLE REPRESENTATION 18a42089ddSJeremy Fitzhardinge */ 19a42089ddSJeremy Fitzhardinge 20a42089ddSJeremy Fitzhardinge /* Some rough guidelines on accessing and updating grant-table entries 21a42089ddSJeremy Fitzhardinge * in a concurrency-safe manner. For more information, Linux contains a 22*79c22318SJuergen Gross * reference implementation for guest OSes (drivers/xen/grant_table.c, see 23*79c22318SJuergen Gross * http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=drivers/xen/grant-table.c;hb=HEAD 24a42089ddSJeremy Fitzhardinge * 25a42089ddSJeremy Fitzhardinge * NB. WMB is a no-op on current-generation x86 processors. However, a 26a42089ddSJeremy Fitzhardinge * compiler barrier will still be required. 27a42089ddSJeremy Fitzhardinge * 28a42089ddSJeremy Fitzhardinge * Introducing a valid entry into the grant table: 29a42089ddSJeremy Fitzhardinge * 1. Write ent->domid. 30a42089ddSJeremy Fitzhardinge * 2. Write ent->frame: 31a42089ddSJeremy Fitzhardinge * GTF_permit_access: Frame to which access is permitted. 32a42089ddSJeremy Fitzhardinge * GTF_accept_transfer: Pseudo-phys frame slot being filled by new 33a42089ddSJeremy Fitzhardinge * frame, or zero if none. 34a42089ddSJeremy Fitzhardinge * 3. Write memory barrier (WMB). 35a42089ddSJeremy Fitzhardinge * 4. Write ent->flags, inc. valid type. 36a42089ddSJeremy Fitzhardinge * 37a42089ddSJeremy Fitzhardinge * Invalidating an unused GTF_permit_access entry: 38a42089ddSJeremy Fitzhardinge * 1. flags = ent->flags. 39a42089ddSJeremy Fitzhardinge * 2. Observe that !(flags & (GTF_reading|GTF_writing)). 40a42089ddSJeremy Fitzhardinge * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 41a42089ddSJeremy Fitzhardinge * NB. No need for WMB as reuse of entry is control-dependent on success of 42a42089ddSJeremy Fitzhardinge * step 3, and all architectures guarantee ordering of ctrl-dep writes. 43a42089ddSJeremy Fitzhardinge * 44a42089ddSJeremy Fitzhardinge * Invalidating an in-use GTF_permit_access entry: 45a42089ddSJeremy Fitzhardinge * This cannot be done directly. Request assistance from the domain controller 46a42089ddSJeremy Fitzhardinge * which can set a timeout on the use of a grant entry and take necessary 47a42089ddSJeremy Fitzhardinge * action. (NB. This is not yet implemented!). 48a42089ddSJeremy Fitzhardinge * 49a42089ddSJeremy Fitzhardinge * Invalidating an unused GTF_accept_transfer entry: 50a42089ddSJeremy Fitzhardinge * 1. flags = ent->flags. 51a42089ddSJeremy Fitzhardinge * 2. Observe that !(flags & GTF_transfer_committed). [*] 52a42089ddSJeremy Fitzhardinge * 3. Check result of SMP-safe CMPXCHG(&ent->flags, flags, 0). 53a42089ddSJeremy Fitzhardinge * NB. No need for WMB as reuse of entry is control-dependent on success of 54a42089ddSJeremy Fitzhardinge * step 3, and all architectures guarantee ordering of ctrl-dep writes. 55a42089ddSJeremy Fitzhardinge * [*] If GTF_transfer_committed is set then the grant entry is 'committed'. 56a42089ddSJeremy Fitzhardinge * The guest must /not/ modify the grant entry until the address of the 57a42089ddSJeremy Fitzhardinge * transferred frame is written. It is safe for the guest to spin waiting 58a42089ddSJeremy Fitzhardinge * for this to occur (detect by observing GTF_transfer_completed in 59a42089ddSJeremy Fitzhardinge * ent->flags). 60a42089ddSJeremy Fitzhardinge * 61a42089ddSJeremy Fitzhardinge * Invalidating a committed GTF_accept_transfer entry: 62a42089ddSJeremy Fitzhardinge * 1. Wait for (ent->flags & GTF_transfer_completed). 63a42089ddSJeremy Fitzhardinge * 64a42089ddSJeremy Fitzhardinge * Changing a GTF_permit_access from writable to read-only: 65a42089ddSJeremy Fitzhardinge * Use SMP-safe CMPXCHG to set GTF_readonly, while checking !GTF_writing. 66a42089ddSJeremy Fitzhardinge * 67a42089ddSJeremy Fitzhardinge * Changing a GTF_permit_access from read-only to writable: 68a42089ddSJeremy Fitzhardinge * Use SMP-safe bit-setting instruction. 69a42089ddSJeremy Fitzhardinge */ 70a42089ddSJeremy Fitzhardinge 71a42089ddSJeremy Fitzhardinge /* 720f9f5a95SAnnie Li * Reference to a grant entry in a specified domain's grant table. 730f9f5a95SAnnie Li */ 740f9f5a95SAnnie Li typedef uint32_t grant_ref_t; 750f9f5a95SAnnie Li 760f9f5a95SAnnie Li /* 77a42089ddSJeremy Fitzhardinge * A grant table comprises a packed array of grant entries in one or more 78a42089ddSJeremy Fitzhardinge * page frames shared between Xen and a guest. 79a42089ddSJeremy Fitzhardinge * [XEN]: This field is written by Xen and read by the sharing guest. 80a42089ddSJeremy Fitzhardinge * [GST]: This field is written by the guest and read by Xen. 81a42089ddSJeremy Fitzhardinge */ 820f9f5a95SAnnie Li 830f9f5a95SAnnie Li /* 84*79c22318SJuergen Gross * Version 1 of the grant table entry structure is maintained largely for 85*79c22318SJuergen Gross * backwards compatibility. New guests are recommended to support using 86*79c22318SJuergen Gross * version 2 to overcome version 1 limitations, but to default to version 1. 870f9f5a95SAnnie Li */ 880f9f5a95SAnnie Li struct grant_entry_v1 { 89a42089ddSJeremy Fitzhardinge /* GTF_xxx: various type and flag information. [XEN,GST] */ 90a42089ddSJeremy Fitzhardinge uint16_t flags; 91a42089ddSJeremy Fitzhardinge /* The domain being granted foreign privileges. [GST] */ 92a42089ddSJeremy Fitzhardinge domid_t domid; 93a42089ddSJeremy Fitzhardinge /* 94*79c22318SJuergen Gross * GTF_permit_access: GFN that @domid is allowed to map and access. [GST] 95*79c22318SJuergen Gross * GTF_accept_transfer: GFN that @domid is allowed to transfer into. [GST] 96*79c22318SJuergen Gross * GTF_transfer_completed: MFN whose ownership transferred by @domid 97*79c22318SJuergen Gross * (non-translated guests only). [XEN] 98a42089ddSJeremy Fitzhardinge */ 99a42089ddSJeremy Fitzhardinge uint32_t frame; 100a42089ddSJeremy Fitzhardinge }; 101a42089ddSJeremy Fitzhardinge 102*79c22318SJuergen Gross /* The first few grant table entries will be preserved across grant table 103*79c22318SJuergen Gross * version changes and may be pre-populated at domain creation by tools. 104*79c22318SJuergen Gross */ 105*79c22318SJuergen Gross #define GNTTAB_NR_RESERVED_ENTRIES 8 106*79c22318SJuergen Gross #define GNTTAB_RESERVED_CONSOLE 0 107*79c22318SJuergen Gross #define GNTTAB_RESERVED_XENSTORE 1 108*79c22318SJuergen Gross 109a42089ddSJeremy Fitzhardinge /* 110a42089ddSJeremy Fitzhardinge * Type of grant entry. 111a42089ddSJeremy Fitzhardinge * GTF_invalid: This grant entry grants no privileges. 112a42089ddSJeremy Fitzhardinge * GTF_permit_access: Allow @domid to map/access @frame. 113a42089ddSJeremy Fitzhardinge * GTF_accept_transfer: Allow @domid to transfer ownership of one page frame 114a42089ddSJeremy Fitzhardinge * to this guest. Xen writes the page number to @frame. 1150f9f5a95SAnnie Li * GTF_transitive: Allow @domid to transitively access a subrange of 1160f9f5a95SAnnie Li * @trans_grant in @trans_domid. No mappings are allowed. 117a42089ddSJeremy Fitzhardinge */ 118a42089ddSJeremy Fitzhardinge #define GTF_invalid (0U<<0) 119a42089ddSJeremy Fitzhardinge #define GTF_permit_access (1U<<0) 120a42089ddSJeremy Fitzhardinge #define GTF_accept_transfer (2U<<0) 1210f9f5a95SAnnie Li #define GTF_transitive (3U<<0) 122a42089ddSJeremy Fitzhardinge #define GTF_type_mask (3U<<0) 123a42089ddSJeremy Fitzhardinge 124a42089ddSJeremy Fitzhardinge /* 125*79c22318SJuergen Gross * Subflags for GTF_permit_access and GTF_transitive. 126a42089ddSJeremy Fitzhardinge * GTF_readonly: Restrict @domid to read-only mappings and accesses. [GST] 127a42089ddSJeremy Fitzhardinge * GTF_reading: Grant entry is currently mapped for reading by @domid. [XEN] 128a42089ddSJeremy Fitzhardinge * GTF_writing: Grant entry is currently mapped for writing by @domid. [XEN] 129*79c22318SJuergen Gross * Further subflags for GTF_permit_access only. 130*79c22318SJuergen Gross * GTF_PAT, GTF_PWT, GTF_PCD: (x86) cache attribute flags to be used for 131*79c22318SJuergen Gross * mappings of the grant [GST] 1320f9f5a95SAnnie Li * GTF_sub_page: Grant access to only a subrange of the page. @domid 1330f9f5a95SAnnie Li * will only be allowed to copy from the grant, and not 1340f9f5a95SAnnie Li * map it. [GST] 135a42089ddSJeremy Fitzhardinge */ 136a42089ddSJeremy Fitzhardinge #define _GTF_readonly (2) 137a42089ddSJeremy Fitzhardinge #define GTF_readonly (1U<<_GTF_readonly) 138a42089ddSJeremy Fitzhardinge #define _GTF_reading (3) 139a42089ddSJeremy Fitzhardinge #define GTF_reading (1U<<_GTF_reading) 140a42089ddSJeremy Fitzhardinge #define _GTF_writing (4) 141a42089ddSJeremy Fitzhardinge #define GTF_writing (1U<<_GTF_writing) 142*79c22318SJuergen Gross #define _GTF_PWT (5) 143*79c22318SJuergen Gross #define GTF_PWT (1U<<_GTF_PWT) 144*79c22318SJuergen Gross #define _GTF_PCD (6) 145*79c22318SJuergen Gross #define GTF_PCD (1U<<_GTF_PCD) 146*79c22318SJuergen Gross #define _GTF_PAT (7) 147*79c22318SJuergen Gross #define GTF_PAT (1U<<_GTF_PAT) 1480f9f5a95SAnnie Li #define _GTF_sub_page (8) 1490f9f5a95SAnnie Li #define GTF_sub_page (1U<<_GTF_sub_page) 150a42089ddSJeremy Fitzhardinge 151a42089ddSJeremy Fitzhardinge /* 152a42089ddSJeremy Fitzhardinge * Subflags for GTF_accept_transfer: 153a42089ddSJeremy Fitzhardinge * GTF_transfer_committed: Xen sets this flag to indicate that it is committed 154a42089ddSJeremy Fitzhardinge * to transferring ownership of a page frame. When a guest sees this flag 155a42089ddSJeremy Fitzhardinge * it must /not/ modify the grant entry until GTF_transfer_completed is 156a42089ddSJeremy Fitzhardinge * set by Xen. 157a42089ddSJeremy Fitzhardinge * GTF_transfer_completed: It is safe for the guest to spin-wait on this flag 158a42089ddSJeremy Fitzhardinge * after reading GTF_transfer_committed. Xen will always write the frame 159a42089ddSJeremy Fitzhardinge * address, followed by ORing this flag, in a timely manner. 160a42089ddSJeremy Fitzhardinge */ 161a42089ddSJeremy Fitzhardinge #define _GTF_transfer_committed (2) 162a42089ddSJeremy Fitzhardinge #define GTF_transfer_committed (1U<<_GTF_transfer_committed) 163a42089ddSJeremy Fitzhardinge #define _GTF_transfer_completed (3) 164a42089ddSJeremy Fitzhardinge #define GTF_transfer_completed (1U<<_GTF_transfer_completed) 165a42089ddSJeremy Fitzhardinge 1660f9f5a95SAnnie Li /* 1670f9f5a95SAnnie Li * Version 2 grant table entries. These fulfil the same role as 1680f9f5a95SAnnie Li * version 1 entries, but can represent more complicated operations. 1690f9f5a95SAnnie Li * Any given domain will have either a version 1 or a version 2 table, 1700f9f5a95SAnnie Li * and every entry in the table will be the same version. 1710f9f5a95SAnnie Li * 1720f9f5a95SAnnie Li * The interface by which domains use grant references does not depend 1730f9f5a95SAnnie Li * on the grant table version in use by the other domain. 1740f9f5a95SAnnie Li */ 1750f9f5a95SAnnie Li 1760f9f5a95SAnnie Li /* 1770f9f5a95SAnnie Li * Version 1 and version 2 grant entries share a common prefix. The 1780f9f5a95SAnnie Li * fields of the prefix are documented as part of struct 1790f9f5a95SAnnie Li * grant_entry_v1. 1800f9f5a95SAnnie Li */ 1810f9f5a95SAnnie Li struct grant_entry_header { 1820f9f5a95SAnnie Li uint16_t flags; 1830f9f5a95SAnnie Li domid_t domid; 1840f9f5a95SAnnie Li }; 1850f9f5a95SAnnie Li 1860f9f5a95SAnnie Li /* 187*79c22318SJuergen Gross * Version 2 of the grant entry structure. 1880f9f5a95SAnnie Li */ 1890f9f5a95SAnnie Li union grant_entry_v2 { 1900f9f5a95SAnnie Li struct grant_entry_header hdr; 1910f9f5a95SAnnie Li 1920f9f5a95SAnnie Li /* 1930f9f5a95SAnnie Li * This member is used for V1-style full page grants, where either: 1940f9f5a95SAnnie Li * 1950f9f5a95SAnnie Li * -- hdr.type is GTF_accept_transfer, or 1960f9f5a95SAnnie Li * -- hdr.type is GTF_permit_access and GTF_sub_page is not set. 1970f9f5a95SAnnie Li * 1980f9f5a95SAnnie Li * In that case, the frame field has the same semantics as the 1990f9f5a95SAnnie Li * field of the same name in the V1 entry structure. 2000f9f5a95SAnnie Li */ 2010f9f5a95SAnnie Li struct { 2020f9f5a95SAnnie Li struct grant_entry_header hdr; 2030f9f5a95SAnnie Li uint32_t pad0; 2040f9f5a95SAnnie Li uint64_t frame; 2050f9f5a95SAnnie Li } full_page; 2060f9f5a95SAnnie Li 2070f9f5a95SAnnie Li /* 2080f9f5a95SAnnie Li * If the grant type is GTF_grant_access and GTF_sub_page is set, 2090f9f5a95SAnnie Li * @domid is allowed to access bytes [@page_off,@page_off+@length) 2100f9f5a95SAnnie Li * in frame @frame. 2110f9f5a95SAnnie Li */ 2120f9f5a95SAnnie Li struct { 2130f9f5a95SAnnie Li struct grant_entry_header hdr; 2140f9f5a95SAnnie Li uint16_t page_off; 2150f9f5a95SAnnie Li uint16_t length; 2160f9f5a95SAnnie Li uint64_t frame; 2170f9f5a95SAnnie Li } sub_page; 2180f9f5a95SAnnie Li 2190f9f5a95SAnnie Li /* 2200f9f5a95SAnnie Li * If the grant is GTF_transitive, @domid is allowed to use the 2210f9f5a95SAnnie Li * grant @gref in domain @trans_domid, as if it was the local 2220f9f5a95SAnnie Li * domain. Obviously, the transitive access must be compatible 2230f9f5a95SAnnie Li * with the original grant. 224*79c22318SJuergen Gross * 225*79c22318SJuergen Gross * The current version of Xen does not allow transitive grants 226*79c22318SJuergen Gross * to be mapped. 2270f9f5a95SAnnie Li */ 2280f9f5a95SAnnie Li struct { 2290f9f5a95SAnnie Li struct grant_entry_header hdr; 2300f9f5a95SAnnie Li domid_t trans_domid; 2310f9f5a95SAnnie Li uint16_t pad0; 2320f9f5a95SAnnie Li grant_ref_t gref; 2330f9f5a95SAnnie Li } transitive; 2340f9f5a95SAnnie Li 2350f9f5a95SAnnie Li uint32_t __spacer[4]; /* Pad to a power of two */ 2360f9f5a95SAnnie Li }; 2370f9f5a95SAnnie Li 2380f9f5a95SAnnie Li typedef uint16_t grant_status_t; 239a42089ddSJeremy Fitzhardinge 240a42089ddSJeremy Fitzhardinge /*********************************** 241a42089ddSJeremy Fitzhardinge * GRANT TABLE QUERIES AND USES 242a42089ddSJeremy Fitzhardinge */ 243a42089ddSJeremy Fitzhardinge 244*79c22318SJuergen Gross #define GNTTABOP_map_grant_ref 0 245*79c22318SJuergen Gross #define GNTTABOP_unmap_grant_ref 1 246*79c22318SJuergen Gross #define GNTTABOP_setup_table 2 247*79c22318SJuergen Gross #define GNTTABOP_dump_table 3 248*79c22318SJuergen Gross #define GNTTABOP_transfer 4 249*79c22318SJuergen Gross #define GNTTABOP_copy 5 250*79c22318SJuergen Gross #define GNTTABOP_query_size 6 251*79c22318SJuergen Gross #define GNTTABOP_unmap_and_replace 7 252*79c22318SJuergen Gross #define GNTTABOP_set_version 8 253*79c22318SJuergen Gross #define GNTTABOP_get_status_frames 9 254*79c22318SJuergen Gross #define GNTTABOP_get_version 10 255*79c22318SJuergen Gross #define GNTTABOP_swap_grant_ref 11 256*79c22318SJuergen Gross #define GNTTABOP_cache_flush 12 257*79c22318SJuergen Gross /* ` } */ 258*79c22318SJuergen Gross 259a42089ddSJeremy Fitzhardinge /* 260a42089ddSJeremy Fitzhardinge * Handle to track a mapping created via a grant reference. 261a42089ddSJeremy Fitzhardinge */ 262a42089ddSJeremy Fitzhardinge typedef uint32_t grant_handle_t; 263a42089ddSJeremy Fitzhardinge 264a42089ddSJeremy Fitzhardinge /* 265a42089ddSJeremy Fitzhardinge * GNTTABOP_map_grant_ref: Map the grant entry (<dom>,<ref>) for access 266a42089ddSJeremy Fitzhardinge * by devices and/or host CPUs. If successful, <handle> is a tracking number 267*79c22318SJuergen Gross * that must be presented later to destroy the mapping(s). On error, <status> 268a42089ddSJeremy Fitzhardinge * is a negative status code. 269a42089ddSJeremy Fitzhardinge * NOTES: 270ad9a8612SJeremy Fitzhardinge * 1. If GNTMAP_device_map is specified then <dev_bus_addr> is the address 271a42089ddSJeremy Fitzhardinge * via which I/O devices may access the granted frame. 272ad9a8612SJeremy Fitzhardinge * 2. If GNTMAP_host_map is specified then a mapping will be added at 273a42089ddSJeremy Fitzhardinge * either a host virtual address in the current address space, or at 274a42089ddSJeremy Fitzhardinge * a PTE at the specified machine address. The type of mapping to 275a42089ddSJeremy Fitzhardinge * perform is selected through the GNTMAP_contains_pte flag, and the 276a42089ddSJeremy Fitzhardinge * address is specified in <host_addr>. 277a42089ddSJeremy Fitzhardinge * 3. Mappings should only be destroyed via GNTTABOP_unmap_grant_ref. If a 278a42089ddSJeremy Fitzhardinge * host mapping is destroyed by other means then it is *NOT* guaranteed 279a42089ddSJeremy Fitzhardinge * to be accounted to the correct grant reference! 280a42089ddSJeremy Fitzhardinge */ 281a42089ddSJeremy Fitzhardinge struct gnttab_map_grant_ref { 282a42089ddSJeremy Fitzhardinge /* IN parameters. */ 283a42089ddSJeremy Fitzhardinge uint64_t host_addr; 284a42089ddSJeremy Fitzhardinge uint32_t flags; /* GNTMAP_* */ 285a42089ddSJeremy Fitzhardinge grant_ref_t ref; 286a42089ddSJeremy Fitzhardinge domid_t dom; 287a42089ddSJeremy Fitzhardinge /* OUT parameters. */ 288a42089ddSJeremy Fitzhardinge int16_t status; /* GNTST_* */ 289a42089ddSJeremy Fitzhardinge grant_handle_t handle; 290a42089ddSJeremy Fitzhardinge uint64_t dev_bus_addr; 291a42089ddSJeremy Fitzhardinge }; 29287e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_map_grant_ref); 293a42089ddSJeremy Fitzhardinge 294a42089ddSJeremy Fitzhardinge /* 295a42089ddSJeremy Fitzhardinge * GNTTABOP_unmap_grant_ref: Destroy one or more grant-reference mappings 296a42089ddSJeremy Fitzhardinge * tracked by <handle>. If <host_addr> or <dev_bus_addr> is zero, that 297a42089ddSJeremy Fitzhardinge * field is ignored. If non-zero, they must refer to a device/host mapping 298a42089ddSJeremy Fitzhardinge * that is tracked by <handle> 299a42089ddSJeremy Fitzhardinge * NOTES: 300a42089ddSJeremy Fitzhardinge * 1. The call may fail in an undefined manner if either mapping is not 301a42089ddSJeremy Fitzhardinge * tracked by <handle>. 302a42089ddSJeremy Fitzhardinge * 3. After executing a batch of unmaps, it is guaranteed that no stale 303a42089ddSJeremy Fitzhardinge * mappings will remain in the device or host TLBs. 304a42089ddSJeremy Fitzhardinge */ 305a42089ddSJeremy Fitzhardinge struct gnttab_unmap_grant_ref { 306a42089ddSJeremy Fitzhardinge /* IN parameters. */ 307a42089ddSJeremy Fitzhardinge uint64_t host_addr; 308a42089ddSJeremy Fitzhardinge uint64_t dev_bus_addr; 309a42089ddSJeremy Fitzhardinge grant_handle_t handle; 310a42089ddSJeremy Fitzhardinge /* OUT parameters. */ 311a42089ddSJeremy Fitzhardinge int16_t status; /* GNTST_* */ 312a42089ddSJeremy Fitzhardinge }; 31387e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_unmap_grant_ref); 314a42089ddSJeremy Fitzhardinge 315a42089ddSJeremy Fitzhardinge /* 316a42089ddSJeremy Fitzhardinge * GNTTABOP_setup_table: Set up a grant table for <dom> comprising at least 317a42089ddSJeremy Fitzhardinge * <nr_frames> pages. The frame addresses are written to the <frame_list>. 318a42089ddSJeremy Fitzhardinge * Only <nr_frames> addresses are written, even if the table is larger. 319a42089ddSJeremy Fitzhardinge * NOTES: 320a42089ddSJeremy Fitzhardinge * 1. <dom> may be specified as DOMID_SELF. 321a42089ddSJeremy Fitzhardinge * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 322a42089ddSJeremy Fitzhardinge * 3. Xen may not support more than a single grant-table page per domain. 323a42089ddSJeremy Fitzhardinge */ 324a42089ddSJeremy Fitzhardinge struct gnttab_setup_table { 325a42089ddSJeremy Fitzhardinge /* IN parameters. */ 326a42089ddSJeremy Fitzhardinge domid_t dom; 327a42089ddSJeremy Fitzhardinge uint32_t nr_frames; 328a42089ddSJeremy Fitzhardinge /* OUT parameters. */ 329a42089ddSJeremy Fitzhardinge int16_t status; /* GNTST_* */ 330ef32f892SIan Campbell GUEST_HANDLE(xen_pfn_t) frame_list; 331a42089ddSJeremy Fitzhardinge }; 33287e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_setup_table); 333a42089ddSJeremy Fitzhardinge 334a42089ddSJeremy Fitzhardinge /* 335a42089ddSJeremy Fitzhardinge * GNTTABOP_dump_table: Dump the contents of the grant table to the 336a42089ddSJeremy Fitzhardinge * xen console. Debugging use only. 337a42089ddSJeremy Fitzhardinge */ 338a42089ddSJeremy Fitzhardinge struct gnttab_dump_table { 339a42089ddSJeremy Fitzhardinge /* IN parameters. */ 340a42089ddSJeremy Fitzhardinge domid_t dom; 341a42089ddSJeremy Fitzhardinge /* OUT parameters. */ 342a42089ddSJeremy Fitzhardinge int16_t status; /* GNTST_* */ 343a42089ddSJeremy Fitzhardinge }; 34487e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_dump_table); 345a42089ddSJeremy Fitzhardinge 346a42089ddSJeremy Fitzhardinge /* 347*79c22318SJuergen Gross * GNTTABOP_transfer: Transfer <frame> to a foreign domain. The foreign domain 348*79c22318SJuergen Gross * has previously registered its interest in the transfer via <domid, ref>. 349a42089ddSJeremy Fitzhardinge * 350a42089ddSJeremy Fitzhardinge * Note that, even if the transfer fails, the specified page no longer belongs 351a42089ddSJeremy Fitzhardinge * to the calling domain *unless* the error is GNTST_bad_page. 352*79c22318SJuergen Gross * 353*79c22318SJuergen Gross * Note further that only PV guests can use this operation. 354a42089ddSJeremy Fitzhardinge */ 355a42089ddSJeremy Fitzhardinge struct gnttab_transfer { 356a42089ddSJeremy Fitzhardinge /* IN parameters. */ 357bd3f79b7SStefano Stabellini xen_pfn_t mfn; 358a42089ddSJeremy Fitzhardinge domid_t domid; 359a42089ddSJeremy Fitzhardinge grant_ref_t ref; 360a42089ddSJeremy Fitzhardinge /* OUT parameters. */ 361a42089ddSJeremy Fitzhardinge int16_t status; 362a42089ddSJeremy Fitzhardinge }; 36387e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_transfer); 364ad9a8612SJeremy Fitzhardinge 365ad9a8612SJeremy Fitzhardinge /* 366ad9a8612SJeremy Fitzhardinge * GNTTABOP_copy: Hypervisor based copy 367ad9a8612SJeremy Fitzhardinge * source and destinations can be eithers MFNs or, for foreign domains, 368ad9a8612SJeremy Fitzhardinge * grant references. the foreign domain has to grant read/write access 369ad9a8612SJeremy Fitzhardinge * in its grant table. 370ad9a8612SJeremy Fitzhardinge * 371ad9a8612SJeremy Fitzhardinge * The flags specify what type source and destinations are (either MFN 372ad9a8612SJeremy Fitzhardinge * or grant reference). 373ad9a8612SJeremy Fitzhardinge * 374ad9a8612SJeremy Fitzhardinge * Note that this can also be used to copy data between two domains 375ad9a8612SJeremy Fitzhardinge * via a third party if the source and destination domains had previously 376ad9a8612SJeremy Fitzhardinge * grant appropriate access to their pages to the third party. 377ad9a8612SJeremy Fitzhardinge * 378ad9a8612SJeremy Fitzhardinge * source_offset specifies an offset in the source frame, dest_offset 379ad9a8612SJeremy Fitzhardinge * the offset in the target frame and len specifies the number of 380ad9a8612SJeremy Fitzhardinge * bytes to be copied. 381ad9a8612SJeremy Fitzhardinge */ 382ad9a8612SJeremy Fitzhardinge 383ad9a8612SJeremy Fitzhardinge #define _GNTCOPY_source_gref (0) 384ad9a8612SJeremy Fitzhardinge #define GNTCOPY_source_gref (1<<_GNTCOPY_source_gref) 385ad9a8612SJeremy Fitzhardinge #define _GNTCOPY_dest_gref (1) 386ad9a8612SJeremy Fitzhardinge #define GNTCOPY_dest_gref (1<<_GNTCOPY_dest_gref) 387ad9a8612SJeremy Fitzhardinge 388ad9a8612SJeremy Fitzhardinge struct gnttab_copy { 389ad9a8612SJeremy Fitzhardinge /* IN parameters. */ 390*79c22318SJuergen Gross struct gnttab_copy_ptr { 391ad9a8612SJeremy Fitzhardinge union { 392ad9a8612SJeremy Fitzhardinge grant_ref_t ref; 393bd3f79b7SStefano Stabellini xen_pfn_t gmfn; 394ad9a8612SJeremy Fitzhardinge } u; 395ad9a8612SJeremy Fitzhardinge domid_t domid; 396ad9a8612SJeremy Fitzhardinge uint16_t offset; 397ad9a8612SJeremy Fitzhardinge } source, dest; 398ad9a8612SJeremy Fitzhardinge uint16_t len; 399ad9a8612SJeremy Fitzhardinge uint16_t flags; /* GNTCOPY_* */ 400ad9a8612SJeremy Fitzhardinge /* OUT parameters. */ 401ad9a8612SJeremy Fitzhardinge int16_t status; 402ad9a8612SJeremy Fitzhardinge }; 40387e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_copy); 404ad9a8612SJeremy Fitzhardinge 405ad9a8612SJeremy Fitzhardinge /* 406ad9a8612SJeremy Fitzhardinge * GNTTABOP_query_size: Query the current and maximum sizes of the shared 407ad9a8612SJeremy Fitzhardinge * grant table. 408ad9a8612SJeremy Fitzhardinge * NOTES: 409ad9a8612SJeremy Fitzhardinge * 1. <dom> may be specified as DOMID_SELF. 410ad9a8612SJeremy Fitzhardinge * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 411ad9a8612SJeremy Fitzhardinge */ 412ad9a8612SJeremy Fitzhardinge struct gnttab_query_size { 413ad9a8612SJeremy Fitzhardinge /* IN parameters. */ 414ad9a8612SJeremy Fitzhardinge domid_t dom; 415ad9a8612SJeremy Fitzhardinge /* OUT parameters. */ 416ad9a8612SJeremy Fitzhardinge uint32_t nr_frames; 417ad9a8612SJeremy Fitzhardinge uint32_t max_nr_frames; 418ad9a8612SJeremy Fitzhardinge int16_t status; /* GNTST_* */ 419ad9a8612SJeremy Fitzhardinge }; 42087e27cf6SIsaku Yamahata DEFINE_GUEST_HANDLE_STRUCT(gnttab_query_size); 421a42089ddSJeremy Fitzhardinge 422a42089ddSJeremy Fitzhardinge /* 4230f9f5a95SAnnie Li * GNTTABOP_unmap_and_replace: Destroy one or more grant-reference mappings 4240f9f5a95SAnnie Li * tracked by <handle> but atomically replace the page table entry with one 4250f9f5a95SAnnie Li * pointing to the machine address under <new_addr>. <new_addr> will be 4260f9f5a95SAnnie Li * redirected to the null entry. 4270f9f5a95SAnnie Li * NOTES: 4280f9f5a95SAnnie Li * 1. The call may fail in an undefined manner if either mapping is not 4290f9f5a95SAnnie Li * tracked by <handle>. 4300f9f5a95SAnnie Li * 2. After executing a batch of unmaps, it is guaranteed that no stale 4310f9f5a95SAnnie Li * mappings will remain in the device or host TLBs. 4320f9f5a95SAnnie Li */ 4330f9f5a95SAnnie Li struct gnttab_unmap_and_replace { 4340f9f5a95SAnnie Li /* IN parameters. */ 4350f9f5a95SAnnie Li uint64_t host_addr; 4360f9f5a95SAnnie Li uint64_t new_addr; 4370f9f5a95SAnnie Li grant_handle_t handle; 4380f9f5a95SAnnie Li /* OUT parameters. */ 4390f9f5a95SAnnie Li int16_t status; /* GNTST_* */ 4400f9f5a95SAnnie Li }; 4410f9f5a95SAnnie Li DEFINE_GUEST_HANDLE_STRUCT(gnttab_unmap_and_replace); 4420f9f5a95SAnnie Li 4430f9f5a95SAnnie Li /* 4440f9f5a95SAnnie Li * GNTTABOP_set_version: Request a particular version of the grant 445*79c22318SJuergen Gross * table shared table structure. This operation may be used to toggle 446*79c22318SJuergen Gross * between different versions, but must be performed while no grants 447*79c22318SJuergen Gross * are active. The only defined versions are 1 and 2. 4480f9f5a95SAnnie Li */ 4490f9f5a95SAnnie Li struct gnttab_set_version { 450*79c22318SJuergen Gross /* IN/OUT parameters */ 4510f9f5a95SAnnie Li uint32_t version; 4520f9f5a95SAnnie Li }; 4530f9f5a95SAnnie Li DEFINE_GUEST_HANDLE_STRUCT(gnttab_set_version); 4540f9f5a95SAnnie Li 4550f9f5a95SAnnie Li /* 4560f9f5a95SAnnie Li * GNTTABOP_get_status_frames: Get the list of frames used to store grant 4570f9f5a95SAnnie Li * status for <dom>. In grant format version 2, the status is separated 4580f9f5a95SAnnie Li * from the other shared grant fields to allow more efficient synchronization 4590f9f5a95SAnnie Li * using barriers instead of atomic cmpexch operations. 4600f9f5a95SAnnie Li * <nr_frames> specify the size of vector <frame_list>. 4610f9f5a95SAnnie Li * The frame addresses are returned in the <frame_list>. 4620f9f5a95SAnnie Li * Only <nr_frames> addresses are returned, even if the table is larger. 4630f9f5a95SAnnie Li * NOTES: 4640f9f5a95SAnnie Li * 1. <dom> may be specified as DOMID_SELF. 4650f9f5a95SAnnie Li * 2. Only a sufficiently-privileged domain may specify <dom> != DOMID_SELF. 4660f9f5a95SAnnie Li */ 4670f9f5a95SAnnie Li struct gnttab_get_status_frames { 4680f9f5a95SAnnie Li /* IN parameters. */ 4690f9f5a95SAnnie Li uint32_t nr_frames; 4700f9f5a95SAnnie Li domid_t dom; 4710f9f5a95SAnnie Li /* OUT parameters. */ 4720f9f5a95SAnnie Li int16_t status; /* GNTST_* */ 4730f9f5a95SAnnie Li GUEST_HANDLE(uint64_t) frame_list; 4740f9f5a95SAnnie Li }; 4750f9f5a95SAnnie Li DEFINE_GUEST_HANDLE_STRUCT(gnttab_get_status_frames); 4760f9f5a95SAnnie Li 4770f9f5a95SAnnie Li /* 4780f9f5a95SAnnie Li * GNTTABOP_get_version: Get the grant table version which is in 4790f9f5a95SAnnie Li * effect for domain <dom>. 4800f9f5a95SAnnie Li */ 4810f9f5a95SAnnie Li struct gnttab_get_version { 4820f9f5a95SAnnie Li /* IN parameters */ 4830f9f5a95SAnnie Li domid_t dom; 4840f9f5a95SAnnie Li uint16_t pad; 4850f9f5a95SAnnie Li /* OUT parameters */ 4860f9f5a95SAnnie Li uint32_t version; 4870f9f5a95SAnnie Li }; 4880f9f5a95SAnnie Li DEFINE_GUEST_HANDLE_STRUCT(gnttab_get_version); 4890f9f5a95SAnnie Li 4900f9f5a95SAnnie Li /* 491*79c22318SJuergen Gross * GNTTABOP_swap_grant_ref: Swap the contents of two grant entries. 492*79c22318SJuergen Gross */ 493*79c22318SJuergen Gross struct gnttab_swap_grant_ref { 494*79c22318SJuergen Gross /* IN parameters */ 495*79c22318SJuergen Gross grant_ref_t ref_a; 496*79c22318SJuergen Gross grant_ref_t ref_b; 497*79c22318SJuergen Gross /* OUT parameters */ 498*79c22318SJuergen Gross int16_t status; /* GNTST_* */ 499*79c22318SJuergen Gross }; 500*79c22318SJuergen Gross DEFINE_GUEST_HANDLE_STRUCT(gnttab_swap_grant_ref); 501*79c22318SJuergen Gross 502*79c22318SJuergen Gross /* 503da095a99SStefano Stabellini * Issue one or more cache maintenance operations on a portion of a 504da095a99SStefano Stabellini * page granted to the calling domain by a foreign domain. 505da095a99SStefano Stabellini */ 506da095a99SStefano Stabellini struct gnttab_cache_flush { 507da095a99SStefano Stabellini union { 508da095a99SStefano Stabellini uint64_t dev_bus_addr; 509da095a99SStefano Stabellini grant_ref_t ref; 510da095a99SStefano Stabellini } a; 511da095a99SStefano Stabellini uint16_t offset; /* offset from start of grant */ 512da095a99SStefano Stabellini uint16_t length; /* size within the grant */ 513*79c22318SJuergen Gross #define GNTTAB_CACHE_CLEAN (1u<<0) 514*79c22318SJuergen Gross #define GNTTAB_CACHE_INVAL (1u<<1) 515*79c22318SJuergen Gross #define GNTTAB_CACHE_SOURCE_GREF (1u<<31) 516da095a99SStefano Stabellini uint32_t op; 517da095a99SStefano Stabellini }; 518da095a99SStefano Stabellini DEFINE_GUEST_HANDLE_STRUCT(gnttab_cache_flush); 519da095a99SStefano Stabellini 520da095a99SStefano Stabellini /* 521*79c22318SJuergen Gross * Bitfield values for gnttab_map_grant_ref.flags. 522a42089ddSJeremy Fitzhardinge */ 523a42089ddSJeremy Fitzhardinge /* Map the grant entry for access by I/O devices. */ 524a42089ddSJeremy Fitzhardinge #define _GNTMAP_device_map (0) 525a42089ddSJeremy Fitzhardinge #define GNTMAP_device_map (1<<_GNTMAP_device_map) 526a42089ddSJeremy Fitzhardinge /* Map the grant entry for access by host CPUs. */ 527a42089ddSJeremy Fitzhardinge #define _GNTMAP_host_map (1) 528a42089ddSJeremy Fitzhardinge #define GNTMAP_host_map (1<<_GNTMAP_host_map) 529a42089ddSJeremy Fitzhardinge /* Accesses to the granted frame will be restricted to read-only access. */ 530a42089ddSJeremy Fitzhardinge #define _GNTMAP_readonly (2) 531a42089ddSJeremy Fitzhardinge #define GNTMAP_readonly (1<<_GNTMAP_readonly) 532a42089ddSJeremy Fitzhardinge /* 533a42089ddSJeremy Fitzhardinge * GNTMAP_host_map subflag: 534a42089ddSJeremy Fitzhardinge * 0 => The host mapping is usable only by the guest OS. 535a42089ddSJeremy Fitzhardinge * 1 => The host mapping is usable by guest OS + current application. 536a42089ddSJeremy Fitzhardinge */ 537a42089ddSJeremy Fitzhardinge #define _GNTMAP_application_map (3) 538a42089ddSJeremy Fitzhardinge #define GNTMAP_application_map (1<<_GNTMAP_application_map) 539a42089ddSJeremy Fitzhardinge 540a42089ddSJeremy Fitzhardinge /* 541a42089ddSJeremy Fitzhardinge * GNTMAP_contains_pte subflag: 542a42089ddSJeremy Fitzhardinge * 0 => This map request contains a host virtual address. 543a42089ddSJeremy Fitzhardinge * 1 => This map request contains the machine addess of the PTE to update. 544a42089ddSJeremy Fitzhardinge */ 545a42089ddSJeremy Fitzhardinge #define _GNTMAP_contains_pte (4) 546a42089ddSJeremy Fitzhardinge #define GNTMAP_contains_pte (1<<_GNTMAP_contains_pte) 547a42089ddSJeremy Fitzhardinge 548a42089ddSJeremy Fitzhardinge /* 549923b2919SDavid Vrabel * Bits to be placed in guest kernel available PTE bits (architecture 550923b2919SDavid Vrabel * dependent; only supported when XENFEAT_gnttab_map_avail_bits is set). 551923b2919SDavid Vrabel */ 552923b2919SDavid Vrabel #define _GNTMAP_guest_avail0 (16) 553923b2919SDavid Vrabel #define GNTMAP_guest_avail_mask ((uint32_t)~0 << _GNTMAP_guest_avail0) 554923b2919SDavid Vrabel 555923b2919SDavid Vrabel /* 556a42089ddSJeremy Fitzhardinge * Values for error status returns. All errors are -ve. 557a42089ddSJeremy Fitzhardinge */ 558a42089ddSJeremy Fitzhardinge #define GNTST_okay (0) /* Normal return. */ 559a42089ddSJeremy Fitzhardinge #define GNTST_general_error (-1) /* General undefined error. */ 560a42089ddSJeremy Fitzhardinge #define GNTST_bad_domain (-2) /* Unrecognsed domain id. */ 561a42089ddSJeremy Fitzhardinge #define GNTST_bad_gntref (-3) /* Unrecognised or inappropriate gntref. */ 562a42089ddSJeremy Fitzhardinge #define GNTST_bad_handle (-4) /* Unrecognised or inappropriate handle. */ 563a42089ddSJeremy Fitzhardinge #define GNTST_bad_virt_addr (-5) /* Inappropriate virtual address to map. */ 564a42089ddSJeremy Fitzhardinge #define GNTST_bad_dev_addr (-6) /* Inappropriate device address to unmap.*/ 565a42089ddSJeremy Fitzhardinge #define GNTST_no_device_space (-7) /* Out of space in I/O MMU. */ 566a42089ddSJeremy Fitzhardinge #define GNTST_permission_denied (-8) /* Not enough privilege for operation. */ 567a42089ddSJeremy Fitzhardinge #define GNTST_bad_page (-9) /* Specified page was invalid for op. */ 568e58f5b55SIan Campbell #define GNTST_bad_copy_arg (-10) /* copy arguments cross page boundary. */ 569e58f5b55SIan Campbell #define GNTST_address_too_big (-11) /* transfer page address too large. */ 570e58f5b55SIan Campbell #define GNTST_eagain (-12) /* Operation not done; try again. */ 571*79c22318SJuergen Gross #define GNTST_no_space (-13) /* Out of space (handles etc). */ 572a42089ddSJeremy Fitzhardinge 573a42089ddSJeremy Fitzhardinge #define GNTTABOP_error_msgs { \ 574a42089ddSJeremy Fitzhardinge "okay", \ 575a42089ddSJeremy Fitzhardinge "undefined error", \ 576a42089ddSJeremy Fitzhardinge "unrecognised domain id", \ 577a42089ddSJeremy Fitzhardinge "invalid grant reference", \ 578a42089ddSJeremy Fitzhardinge "invalid mapping handle", \ 579a42089ddSJeremy Fitzhardinge "invalid virtual address", \ 580a42089ddSJeremy Fitzhardinge "invalid device address", \ 581a42089ddSJeremy Fitzhardinge "no spare translation slot in the I/O MMU", \ 582a42089ddSJeremy Fitzhardinge "permission denied", \ 583ad9a8612SJeremy Fitzhardinge "bad page", \ 584e58f5b55SIan Campbell "copy arguments cross page boundary", \ 585e58f5b55SIan Campbell "page address size too large", \ 586*79c22318SJuergen Gross "operation not done; try again", \ 587*79c22318SJuergen Gross "out of space", \ 588a42089ddSJeremy Fitzhardinge } 589a42089ddSJeremy Fitzhardinge 590a42089ddSJeremy Fitzhardinge #endif /* __XEN_PUBLIC_GRANT_TABLE_H__ */ 591