On 29/07/2025 10:22, Orzel, Michal wrote:
>
> On 28/07/2025 19:07, Oleksii Moisieiev wrote:
>> This commit introduces a new Kconfig option, `CONFIG_DOM0_BOOT`, to
>> allow for building Xen without support for booting a regular domain (Dom0).
>> This functionality is primarily intended for the ARM architecture.
>>
[snip]
>>
>> In a build configured for a dom0less environment, the code responsible
>> for creating Dom0 would be considered "dead code" as it would never be
>> executed. By using the preprocessor to remove it before compilation,
>> we ensure that the final executable is free from this unreachable
>> code. This simplifies static analysis, reduces the attack surface,
>> and makes the codebase easier to verify, which is critical for
>> systems requiring high levels of safety and security.
>>
>> ---
>> xen/arch/arm/Kconfig | 1 +
>> xen/arch/arm/domain_build.c | 8 ++++++++
>> xen/arch/arm/setup.c | 14 ++++++++++----
>> xen/arch/x86/Kconfig | 1 +
>> xen/common/Kconfig | 11 +++++++++++
>> 5 files changed, 31 insertions(+), 4 deletions(-)
>>
>> diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
>> index bf6d1cf88e..74da544925 100644
>> --- a/xen/arch/arm/Kconfig
>> +++ b/xen/arch/arm/Kconfig
>> @@ -18,6 +18,7 @@ config ARM
>> select GENERIC_UART_INIT
>> select HAS_ALTERNATIVE if HAS_VMAP
>> select HAS_DEVICE_TREE
>> + select HAS_DOM0
>> select HAS_DOM0LESS
>> select HAS_GRANT_CACHE_FLUSH if GRANT_TABLE
>> select HAS_STACK_PROTECTOR
>> diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
>> index ed668bd61c..9b8993df80 100644
>> --- a/xen/arch/arm/domain_build.c
>> +++ b/xen/arch/arm/domain_build.c
>> @@ -40,8 +40,10 @@
>> #include <asm/grant_table.h>
>> #include <xen/serial.h>
>>
>> +#ifdef CONFIG_DOM0_BOOT
>> static unsigned int __initdata opt_dom0_max_vcpus;
>> integer_param("dom0_max_vcpus", opt_dom0_max_vcpus);
>> +#endif
>>
>> /*
>> * If true, the extended regions support is enabled for dom0 and
>> @@ -102,6 +104,7 @@ int __init parse_arch_dom0_param(const char *s, const
>> char *e)
> Why is this and other dom0 cmdline parsing functions not disabled?
> What is your method of deciding what to compile out or not?
I just wanted to add that I have only guarded dom0_max_vcpus because it
is used by the create_dom0() function. The other parameters are used in
functions that are also reused by dom0less builds.
>> */
>> #define DOM0_FDT_EXTRA_SIZE (128 + sizeof(struct fdt_reserve_entry))
>>
>> +#ifdef CONFIG_DOM0_BOOT
>> unsigned int __init dom0_max_vcpus(void)
>>
[snip]
