On 2025-11-19 14:30, Grygorii Strashko wrote:
From: Grygorii Strashko <[email protected]>
For x86 Xen safety certification only PVH Gusts are selected to be allowed
s/Gusts/Guests/
which are started by using direct Direct Kernel Boot only. There is also an
s/direct Direct/direct/
assumption that x86 Guest's (OS) early boot code (which is running not in
64-bit mode) does not access Xen interfaces (hypercalls, shared_info, ..).
In this case the Xen HVM 32-bit COMPAT interface becomes unused and leaves
gaps in terms of coverage.
Hence now all prerequisite changes are in place, introduce a
CONFIG_HVM_COMPAT option through which HVM(PVH) 32-bit interface support on
64-bit Xen can be disabled.
By default, CONFIG_HVM_COMPAT is ("y") enabled and accessible only in
EXPERT mode.
Signed-off-by: Grygorii Strashko <[email protected]>
---
changes in v2:
- fix format and move above HVM_FEP
xen/arch/x86/hvm/Kconfig | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig
index c323d767e77c..88090f5b3965 100644
--- a/xen/arch/x86/hvm/Kconfig
+++ b/xen/arch/x86/hvm/Kconfig
@@ -2,7 +2,6 @@ menuconfig HVM
bool "HVM support"
depends on !PV_SHIM_EXCLUSIVE
default !PV_SHIM
- select COMPAT
select IOREQ_SERVER
select MEM_ACCESS_ALWAYS_ON
help
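Review bot: The removal of `select COMPAT` under `menuconfig HVM` relies on prerequisite changes that the commit message mentions ("all prerequisite changes are in place") but does not name. Please reference those commits or the series in the commit message, so a reader can confirm that an HVM=y build is correct when HVM_COMPAT is off and nothing else selects COMPAT.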
@@ -35,6 +34,24 @@ config INTEL_VMX
If your system includes a processor with Intel VT-x support, say Y.
If in doubt, say Y.
+config HVM_COMPAT
+ bool "HVM 32-bit hypercalls interface support" if EXPERT
Maybe "HVM 32-bit compat hypercall support" to get "compat" in the
user-visible text?
+ select COMPAT
+ default y
+ help
+ The HVM 32-bit interface must be enabled for HVM domains to be able to
+ make hypercalls in 32bit mode. Non-PVH domains unconditionally need
this
+ option so that hvmloader may issue hypercalls in 32bit mode.
+
+ The HVM 32-bit interface can be disabled if:
+ - Only PVH domains are used
+ - Guests (OS) are started by using direct Direct Kernel Boot
+ - Guests (OS) are 64-bit and Guest early boot code, which is running
not
+ in 64-bit mode, does not access Xen interfaces
+ (hypercalls, shared_info, ..)
+
+ If unsure, say Y.
+
Maybe something like:
"""
Support HVM hypercalls from 32-bit code. Hypercalls from 64-bit code
are always supported.
Disabling 32-bit compat hypercalls reduces the hypervisor binary size.
HVM guests require the 32-bit hvmloader, so they cannot run with this
disabled. i.e. Xen will only run 64-bit PVH guests with this disabled.
If unsure, say Y.
"""
While what you wrote is correct, I tried to rephrase to highlight the
implications.
Regards,
Jason
config HVM_FEP
bool "HVM Forced Emulation Prefix support (UNSUPPORTED)" if UNSUPPORTED
default DEBUG
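Review bot: The help text of the new HVM_COMPAT option repeats the "direct Direct Kernel Boot" duplication already flagged in the commit message, and it mixes "32bit" with "32-bit"; suggest "started by using Direct Kernel Boot" and "32-bit" throughout. The help also lists the conditions under which the option can be disabled but does not say what a guest observes if it issues a hypercall from 32-bit mode with the option off. Since the disable case rests on an assumption about guest early boot code, one sentence describing that behaviour would help anyone assessing the configuration.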