Commit
The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain.

This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data.

Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains' ability to send to it. This will be addressed with XSM policy controls in subsequent work.

Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact.

The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered.

xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages.

array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index.
Signed-off-by: Christopher Clark <[email protected]>

-This version contains FIXMEs for 4.12:
* find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic
* shrink critical sections: move acquire/release of the global lock.
* simplify the out label path when lock release has been moved.
* - drop use of unsigned long type as hypercall args: not compat-friendly
* - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK
* - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__")
* - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined
* register_ring: pull write_unlock up above the cleanup actions above and add another label to absorb the two separate put_domain() calls on the error paths.
-end FIXME

v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message
v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation
v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent
v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros
v3 xen-project#7 Jan: remove dead code from find_ring_mfns
v3 xen-project#7 Jan: fix format string indention in printks
v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns
v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info
v3 xen-project#7 Jan: rename ring_find_info to find_ring_info
v3 xen-project#7 Jan: use array_index_nospec in ring_map_page
v3 xen-project#7 Jan: fix numeric entries in printk format strings
v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn
v3 #10 Roger: move find functions to top of file and drop prototypes
v3 xen-project#3 meld compat check for hypercall arg register struct
v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state
v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn
v3 feedback xen-project#7 Eric: fix header max ring size comment units
v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t*
v3 use %u for printing unsigned ints in find_ring_mfns
v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring
v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len
v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr
v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name
v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt
v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order
v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping
v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast
v3 feedback xen-project#7 Roger: drop newline in ring_map_page
v3 feedback xen-project#7 Roger: drop unneeded null check before xfree
v3 feedback xen-project#7 Roger: use return and drop out label in register_ring
v3 Stefano: add 4K page constraint to header file comment & commit msg
v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface
v2 self: disallow ring resize via reregister
v2 feedback Jan: drop cookie, implement teardown
v2 feedback Jan: drop message from argo_message_op
v2 self: move hash_index function below locking comment
v2 self: OVERHAUL
v2 self/Jan: remove use of magic verification field and tidy up
v2 self: merge max and min ring size check clauses
v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header
v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction
v2 feedback #9, Jan: rename boot opt variable to comply with convention
v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac
v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown
v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions
v1 feedback Roger, Jan: drop argo prefix on static functions
v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type
v2. feedback Jan: document the argo-mac boot opt
v2. feedback Jan: simplify re-register, drop mappings
v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops
v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/
v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op
v1 #13 feedback, Paul: register op: use mfn_eq comparator
v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring
v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check
v1 #13 feedback Paul: use of hex in limit constant definition
v1 #13 feedback Paul, register op: set nmfns on loop termination
v1 #13 feedback Paul: register op: do/while -> gotos, reindent
v1 argo_ring_map_page: drop uint32_t for unsigned int
v1. #13 feedback Julien: use page descriptors instead of gpfns.
   - adds ABI support for pages with different granularity.
v1 feedback #13, Paul: adjust log level of message
v1 feedback #13, Paul: use gprintk for guest-triggered warning
v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration
v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page
v1 feedback #13, Paul: use ENOMEM if global mapping fails
v1 feedback Paul: overflow check before shift
v1: add define for copy_field_to_guest_errno
v1: fix gprintk use for ARM as its defn dislikes split format strings
v1: use copy_field_to_guest_errno
v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type
v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page
v1 feedback #13, Jan: rename page var in argo_ring_map_page
v1 feedback #13, Jan: switch uint8_t* to void* and drop cast
v1 feedback #13, Jan: switch memory barrier to smp_wmb
v1 feedback #13, Jan: make 'ring' comment comply with single-line style
v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init
v1 feedback #13, Jan: init bool with false rather than 0
v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno
v1 feedback #13, Jan: use xzalloc, drop individual init zeroes
v1 feedback #13, Jan: prefix public namespace with xen
v1 feedback #13, Jan: blank line after op case in do_argo_message_op
v1 self: reflow comment in argo_ring_map_page to within 80 char len
v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool
v1 feedback #21, Jan: fold in the array_index_nospec hash function guards
v1 feedback #18, Jan: fold the max ring count limit into the series
v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK
v1: feedback #15 Jan: handle upper-halves of hypercall args
v1. feedback #13 Jan: add comment re: page alignment
v1. self: confirm ring magic presence in supplied page array
v1. feedback #13 Jan: add comment re: minimum ring size
v1. feedback #13 Roger: use ASSERT_UNREACHABLE
v1. feedback Roger: add comment to hash function
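
The two defensive measures the commit message describes (refusing wildcard registration with EPERM unless argo-mac is permissive, and masking a guest-influenced hash result before it indexes a table), as an added user-space C example that is not code from this commit. All `ex_`/`EX_` names, the table size, the wildcard marker value and the toy hash are assumptions; the mask is the generic branch-free form of an array_index_nospec-style guard.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_HTABLE_SIZE 32u      /* assumed table size, not from the commit */
#define EX_DOMID_ANY   0x7ff4u  /* constructed wildcard-partner marker */

/* All ones when index < size, zero otherwise, computed without a branch.
 * Relies on arithmetic right shift of a negative long (true for GCC/Clang). */
static unsigned long ex_index_mask(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1 - index)) >>
                           (sizeof(long) * CHAR_BIT - 1));
}

/* Clamp index into [0, size): in-range values pass, all others become 0. */
static unsigned long ex_index_nospec(unsigned long index, unsigned long size)
{
    return index & ex_index_mask(index, size);
}

/* Toy hash over guest-supplied ring id fields (hypothetical, not Argo's). */
static unsigned int ex_hash(uint32_t aport, uint16_t domain_id, uint16_t partner_id)
{
    uint32_t h = aport ^ ((uint32_t)domain_id << 16) ^ partner_id;
    h ^= h >> 15;
    return h % EX_HTABLE_SIZE;
}

/* Bucket selection: the hash result is masked before it is used as an index. */
static unsigned long ex_bucket(uint32_t aport, uint16_t domain_id, uint16_t partner_id)
{
    return ex_index_nospec(ex_hash(aport, domain_id, partner_id), EX_HTABLE_SIZE);
}

/* Registration policy: a wildcard partner is refused unless mode is permissive. */
static int ex_check_register(uint16_t partner_id, bool mac_permissive)
{
    return (partner_id == EX_DOMID_ANY && !mac_permissive) ? -EPERM : 0;
}

int main(void)
{
    printf("bucket=%lu wildcard/enforcing=%d\n",
           ex_bucket(7, 1, 2), ex_check_register(EX_DOMID_ANY, false));
    return 0;
}
```

The modulo already keeps the hash in range architecturally; the mask adds a data dependency so that a speculatively executed path cannot index the table with an out-of-range value.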