New Xen core platform stack

[mato]

Part of mirage/mirage#1159. The interesting commits start from 5bb9bc5 onwards.

This is a rewrite of the MirageOS Xen platform stack, with the overall goal of replacing Mini-OS and moving to a minimal, legacy-free codebase which builds MirageOS unikernels as Xen PVHv2 domUs only. At the same
time, this change aligns the Xen backend with existing Solo5 backends as much as is practical and replaces the OCaml runtime with that providedby ocaml-freestanding.

This is a breaking change. MirageOS libraries and applications that make use of Xen-specific APIs will need to be updated. See below for a list of the interfaces that have changed.

Security posture improvements:

With the move to a Solo5/ocaml-freestanding base MirageOS gains several notable improvements to security posture for unikernels on Xen:

• Stack smashing protection is enabled unconditionally for all C code.
• W^X is enforced throughout, i.e. .text is read-execute, .rodata is read-only, non-executable and .data, heap and stack are read-write and non-executable.
• The memory allocator used by the OCaml runtime is now dlmalloc (provided by ocaml-freestanding), which is a big improvement over the Mini-OS malloc.

Requirements changes:

• Xen version 4.10 or later is required, as this is the earliest version which provides production-quality and stable PVHv2 APIs.
• Only x86_64 hosts with HAP (EPT) are supported. Support for ARM32 has been removed. Support for ARM64 may be added at a later date if there is interest.

Interface changes:

• The Eventchn and Generation modules, previously provided by xen-evtchn have been folded into mirage-xen as OS.Eventchn and OS.Generation respectively. Applications and libraries should replace any dependency on xen-evtchn with one on mirage-xen {>= "6.0.0"} and use the corresponding submodules in OS directly.
• OS.Lifecycle.await_shutdown_request is a stub, as for the other Solo5 backends.
• OS.Sched has been removed. These interfaces (notably domain suspend/resume) were present but never fully implemented in the old Xen stack. They are not required for PVH domains or full-system suspend/resume and applications/libraries should remove any calls to them.
• OS.Start_info has been removed. These interfaces were specific to Xen PV, and don't have a direct equivalent for PVH domains.
• OS.Xenctrl has been removed. There are no known users of these interfaces, which appear to be a left-over from earlier versions of the Xen stack.

Dependency changes:

• Now depends on solo5-bindings-xen (for the low-level VCPU initialisation and startup) and ocaml-freestanding (for the OCaml runtime). It follows that -freestanding variants of existing packages such as zarith and gmp are used instead of -xen variants.
• The io-page-xen package is no longer used. Applications/libraries depending on it should replace the dependency with one on io-page.
• As mentioned above, the xen-evtchn package is no longer used and applications/libraries should replace their dependency with one on mirage-xen {>= "6.0.0"}.

C stubs changes:

• alloc_pages_stubs.c: added, provides stubs for Io_page, as in mirage-solo5.
• checksum_stubs.c: added, provides stubs for Tcpip, as in mirage-solo5.
• exit_stubs.c: removed, equivalent provided by ocaml-freestanding.
• sched_stubs.c: removed, no longer required.
• start_info_stubs.c: removed, no longer required.
• xb_stubs.c: removed, no users and no longer required.

Apart from the above, the majority of C stubs which are used by mirage-xen have been renamed to follow the mirage_xen_XXX rather than stub_XXX convention.

The low-level C interfaces to Xen event channels (evtchn.c) and grant tables (gnttab.c) have been re-written from scratch. Some additional interfaces have been added to main.c to replace functionality that was previously part of start_info_stubs.c (obtaining initial PV console and Xenstore ports and I/O rings from Xen).

Relationship with the Solo5 Xen bindings:

For Xen, Solo5 only provides the initial PVH boot, VCPU setup/traps and C-side PV console code. Some Mirage-internal private APIs are provided to allow mirage-xen to interact with the hypervisor -- this is fully explained in Solo5 commit
Solo5/solo5@f4b47d1.

[mato]

Some notes on what needs review or further discussion:

• The new grant table code uses OCaml custom blocks to encapsulate a gnttab_mapping_head_t into the opaque OS.Xen.grant_handle which is passed into and back out of OCaml code. I think I've got this right, but would appreciate some more review, especially anything needs to be done on the finalization side?
• As discussed during a code walkthrough with @avsm @djs55 @jonludlam, the loop in OS.Activations.run which loops over all 4K events on each call could be optimized better. See also the comments in evtchn.c regarding the low-level array representing OCaml's shadow view of the event channel state.
• OS.Xen.virt_to_mfn got added in bind minios function virt_to_mfn #4 and a) AFAICT has never been used, b) for our purposes is effectively just (addr << 12), so I'd prefer to remove it.
• Now would be a good time to discuss cleaning up OS further, since we're already breaking APIs. The organisation of submodules under that name space has evolved rather chaotically over time.
  • If we decide not to have Xen-specific APIs under OS.Xen then we should rename Xen.Import and Xen.Export to (for example) Grant.Import and Grant.Export.

[hannesm]

OS.Xen.virt_to_mfn

it is actually used by the (unreleased) framebuffer library https://github.com/cfcs/mirage-framebuffer/blob/f63d54dd86f4ab723cc471fbf127d5fc105aa656/qubes/framebuffer_qubes.ml#L122-L123 /cc @cfcs

[talex5]

OS.Lifecycle.await_shutdown_request is a stub, as for the other Solo5 backends.

This is needed by mirage-firewall, otherwise Qubes won't be able to shut down the VM.

[mato]

OS.Lifecycle.await_shutdown_request is a stub, as for the other Solo5 backends.

This is needed by mirage-firewall, otherwise Qubes won't be able to shut down the VM.

Sorry about that, I was a bit too over-zealous in removing code there. I've reinstated it in 528d6c2. It'd be good if you could confirm that it (still) works as advertised.

[talex5]

Thanks! I'll test it once the new Qubes is out. But since it hasn't changed from the current code, I don't see why it shouldn't work.

[mato]

I have pushed the following additional changes to this branch/PR:

• Use a separate virtual memory range for importing grant mappings (94372da).
• Hook up OS.MM.Heap_pages.{total,used} (ab32449).
• opam: Depend on solo5-bindngs-xen >= 0.6.7 (2cb0ae8) (unreleased, but the OPAM repository in Xen PVH: Third time lucky mirage#1159 has been updated to match).

94372da is probably of most interest to any lurkers, from the commit log:

The initial implementation of mirage_xen_gnttab_{map,mapv,unmap} was
wrong in using heap-allocated memory for grant mappings imported from
other Xen domains. This is not possible, since once a grant is unmapped
the associated guest pages are mapped by Xen to a "dead" page (writes
are a no-op, reads return 0xff) and can no longer be re-used as "normal"
memory.

This change introduces a separate virtual memory range used for such
mappings; a private ABI from Solo5 provides a way to determine which
memory range to use and a simple bitmap allocator is used to externally
manage usage of pages in this memory range.

[hannesm]

I reviewed 94372da and am confident it works as advertised.

[hannesm]

You're building on FreeBSD 12 with clang, right?

yes indeed

[hannesm]

executing dune build --verbose (after a dune clean) leads to the following:

Running[66]: (cd _build/default/lib && /usr/bin/cc -O2 -fno-strict-aliasing -fwrapv -fPIC -D_FILE_OFFSET_BITS=64 -D_REENTRANT -I/usr/home/hannes/.opam/4.11.1/lib/pkgconfig/../../include/ocaml-freestanding -include _freestanding/overrides.h -ffreestanding -fstack-protector-strong -nostdlibinc -isystem /usr/home/hannes/.opam/4.11.1/lib/pkgconfig/../../include/solo5-bindings-hvt/crt -I/usr/home/hannes/.opam/4.11.1/lib/pkgconfig/../../include/solo5-bindings-hvt/solo5 -O2 -std=c99 -Wall -Werror -D__XEN_INTERFACE_VERSION__=__XEN_LATEST_INTERFACE_VERSION__ -g -I /usr/home/hannes/.opam/4.11.1/lib/ocaml -I ../include -o mm_stubs.o -c bindings/mm_stubs.c)

this is with dune 2.7.1, my suspicion is that this magically adds -O2 -fno-strict-aliasing -fwrapv -fPIC -D_FILE_OFFSET_BITS=64 -D_REENTRANT.

[mato]

this is with dune 2.7.1, my suspicion is that this magically adds -O2 -fno-strict-aliasing -fwrapv -fPIC -D_FILE_OFFSET_BITS=64 -D_REENTRANT.

Can you upload the entire output of dune build -j1 --display=verbose >log 2>&1 here as an attachment?

[hannesm]

relevant PR ocaml/dune#3565 (part of dune 2.7.0) and indeed in my ocamlc -config, there's:

ocamlc_cflags: -O2 -fno-strict-aliasing -fwrapv -fPIC
ocamlc_cppflags: -D_FILE_OFFSET_BITS=64 -D_REENTRANT

[hannesm]

the requested log.txt

[mato]

Travis is green, so this is good to merge, finally! There is some follow-up work to do before release but that can be done in separate PRs.

[cfcs]

OS.Xen.virt_to_mfn

it is actually used by the (unreleased) framebuffer library https://github.com/cfcs/mirage-framebuffer/blob/f63d54dd86f4ab723cc471fbf127d5fc105aa656/qubes/framebuffer_qubes.ml#L122-L123 /cc @cfcs

sorry to be super late to the party. virt_to_mfn use should go away with PVH, so this should be fine. :)