Xen project Mailing List

[XEN][PATCH v2 4/4] x86: pvh: allow to disable 32-bit interface support

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Grygorii Strashko <grygorii_strashko@xxxxxxxx>

Date: Wed, 19 Nov 2025 19:30:10 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2pgeAgmuBA5/KH5sFul8K61H69AUlJ3tMBDEqpzse9k=; b=hsrU32Mq3vrw8tlUWY6v2sz8lJfQuu0mFdbGstywnFQBQLdVHpXgr5qMrnybKHodaijmGAla5X3vJzckL97YZKJAt/2X8ygjIabiSSnrIwJKe27sm5ACLjpyHKfgBb8wY6BbWMmIjCtbGGMA88tJWa6OwcGlYM33S0CPmYJA8M7m4WABB4xQm3dI5hSFjQSNt6CrF7U3dJd2HnJ7JB39TICp3TuQh/ujR7h5sFRZwh8cGpV8Rrm53VAmS7X45lZRdDxqPHuaUE4/ZGxqCtWHGy/Ak1onnrtpGfTRv0suSb+/dGhcg1dZs61HNXHXFML9PDnJW7ZL/jFKsVHu7mVmPw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RaB2bSTix67HTsLfGfHAUWaXHzuzSuuX4ACsFgq3TL9s63UrXQ9ES+PSPfk6iX0umVLcjfYkQ89A9mkhTx8lQsQTytR2h+2fa+3rQ0R1pxui4kIYr1tdKlnmFW3NSteNvW74klYNlJQm5JcGCHXSIf0AKC+NCy0FHUDUNecT5PkqJOtrupw51sIW9ov4Y1m+EkJCTrc/Scz1KCa+Uj6QslxsCLaN3DB34h53S1B2f2nsRJS2jcIjLEqw8aD1OXB3d9e0x4FTz+S9d3ij2qs9gbuZpaI6d4+34ZXv2nKRdZMiEUyWOahXdwzm1d+IZUWoo3wxyXlGi2xIHk174w3WCA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Grygorii Strashko <grygorii_strashko@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>

Delivery-date: Wed, 19 Nov 2025 19:30:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHcWYrr1fGFNDkTXkKtxIuHdmqCJw==

Thread-topic: [XEN][PATCH v2 4/4] x86: pvh: allow to disable 32-bit interface support

From: Grygorii Strashko <grygorii_strashko@xxxxxxxx> For x86 Xen safety certification only PVH Gusts are selected to be allowed which are started by using direct Direct Kernel Boot only. There is also an assumption that x86 Guest's (OS) early boot code (which is running not in 64-bit mode) does not access Xen interfaces (hypercalls, shared_info, ..). In this case the Xen HVM 32-bit COMPAT interface become unused and leaves gaps in terms of coverage. Hence now all prerequisite changes are in place, introduce a CONFIG_HVM_COMPAT option through which HVM(PVH) 32-bit interface support on 64-bit Xen can be disabled. By default, CONFIG_HVM_COMPAT is ("y") enabled and accessible only in EXPERT mode. Signed-off-by: Grygorii Strashko <grygorii_strashko@xxxxxxxx> --- changes in v2: - fix format and move above HVM_FEP xen/arch/x86/hvm/Kconfig | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/hvm/Kconfig b/xen/arch/x86/hvm/Kconfig index c323d767e77c..88090f5b3965 100644 --- a/xen/arch/x86/hvm/Kconfig +++ b/xen/arch/x86/hvm/Kconfig @@ -2,7 +2,6 @@ menuconfig HVM bool "HVM support" depends on !PV_SHIM_EXCLUSIVE default !PV_SHIM - select COMPAT select IOREQ_SERVER select MEM_ACCESS_ALWAYS_ON help @@ -35,6 +34,24 @@ config INTEL_VMX If your system includes a processor with Intel VT-x support, say Y. If in doubt, say Y. +config HVM_COMPAT + bool "HVM 32-bit hypercalls interface support" if EXPERT + select COMPAT + default y + help + The HVM 32-bit interface must be enabled for HVM domains to be able to + make hypercalls in 32bit mode. Non-PVH domains unconditionally need this + option so that hvmloader may issue hypercalls in 32bit mode. + + The HVM 32-bit interface can be disabled if: + - Only PVH domains are used + - Guests (OS) are started by using direct Direct Kernel Boot + - Guests (OS) are 64-bit and Guest early boot code, which is running not + in 64-bit mode, does not access Xen interfaces + (hypercalls, shared_info, ..) + + If unsure, say Y. + config HVM_FEP bool "HVM Forced Emulation Prefix support (UNSUPPORTED)" if UNSUPPORTED default DEBUG -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.