vtd: Fix condition for doRemoteClearCurrentVCPU

doRemoteClearCurrentVCPU should be called when the vcpu->last_cpu
is not the current CPU that is executing vcpu_finalise.

The commit is based on PR #185 by laokz.

Co-authored-by: laokz <laokz@foxmail.com>

Signed-off-by: Yanyan Shen <yshen@cog.systems>

trivial: Fix typo in error message

This commit is based on PR #185 by laokz

Co-authored-by: laokz <laokz@foxmail.com>

Signed-off-by: Yanyan Shen <yshen@cog.systems>

Convert license tags to SPDX identifiers

This commit also converts our own copyright headers to directly use
SPDX, but leaves all other copyright header intact, only adding the
SPDX ident. As far as possible this commit also merges multiple
Data61 copyright statements/headers into one for consistency.

Remove symlinked libsel4 files from include dir

These files can be included normally using libsel4 include paths. This
removes situations where the same file is available under different
include paths due to symlinking into different directory structures.

style: set code width to 120

style: set min-conditional-indent to 0

Given we use braces all the time conditional indents do not make code
cleaner.

style: consistently attach return type

Add attach-return-type to astyle

style: consistently align pointer with name

Run astyle with align-pointer=name

style: correct parenthesis padding

Use astyle's unpad-paren to unpad all parentheses that are not included
by pad-header, pad-oper, and pad-comma.

x86: Add missing VMCS field

x86: More efficient and verification friendly setIOPortMask

Refactors setIOPortMask to both be more efficient by never operating on individual bits,
whilst still having a structure that is more amenable to verification

x86: Generic setIOPortMask from VCPU code

Moves the function for manipulating a bitmap of IO ports from VCPU code into common
IO port code. This will be needed in the future by the IO Port control implementation

x86: #ifdef SKIM window logic in VCPUs

The abstractions referenced are not defined on ia32, due to ia32 not supporting the SKIM
window yet, and so this fails to compile.

x64: SKIM window to mitigate Meltdown (CVE-2017-5754) on x86-64

Introduces a kernel option that, when enabled, reduces the kernel window in a user address
space to just be Static Kernel Image and Microstate (SKIM), instead of the full kernel
address space. This isolates the important kernel data from the user preventing a
Meltdown style attack being able to violate secrecy. The kernel text and read only data,
i.e. anything that is static from boot, is not secret and can be allowed in the SKIM window
and potentially read by the user. Additionally to switch to and from the actual kernel
address space a small amount of state needs to also be in the SKIM window.

This is only an implementation for x86-64, although the same design is applicable to ia32

x86: Define per node arch global state

Global state in this context is state/datastructures that need to be available at all times,
both in user and kernel mode, by the hardware for correct operation. The purpose of creating
a separate per-node structure for it is so that there is the option of treating it specially
in the future from other per node state

attemptSwitchTo --> possibleSwitchTo

This was missed in 8028066a652 where attemptSwitchTo was removed.

SMP: Introduce ENABLE_SMP_SUPPORT

- Make it more readable and less confusing compared to the 'CONFIG_MAX_NUM_NODES > 1' check

Fix licenses (the rest)

rename arch_tcb.vcpu -> arch_tcb.tcbVCPU, vcpu.tcb -> vcpu.vcpuTCB

struct vcpu { struct tcb* tcb; ...
struct arch_tcb { struct vcpu* vcpu; ...
and
struct tcb { struct arch_tcb tcbArch; ...

These conspire to generate a type error on verification side due to
assumptions about non-colliding names.

smp: fix bugs when stalling remote core

- Restart TCB from inside the lock if it is waiting for anything other than IRQ
- Only replace the TCB with idle thread if it is in ThreadState_RunningVM state

Also, this makes the design generic to be shared with arm.

s/D61/DATA61/ in license headers for consistency

x86: Handle pending interrupt before scheduling thread in handleSyscall

In handleSyscall the current thread may be preempted to handle a pending interrupt.
With kernel mode interrupts in x86 this handling was delayed until we were about
to switch back to user mode. This change unifies the handling with ARM, where the
interrupt is handled prior to calling the thread scheduler.

x86: Send explicit TCB when handling remote VMs withs pending notifications

Previously if the `ksCurThread` of the destination core is not the thread that is
receiving the notification in `sendSignal` then the notification would be delayed
until the VMM for that VM next did a `seL4_VMEnter`. This adds a `tcb_t*` parameter
to `VMCheckBoundNotification` instead of having it implicitly talk about `ksCurThread`.
A TCB parameter is safe to send here as the `doRemoteVMCheckBoundNotification`
happens synchronously and so the TCB is guaranteed to still exist.

x86: Make acknowledge on exit a run time feature

x86: Make Load IA32_PERF_GLOBAL_CTRL a run time feature

x86: Lock feature control MSR

x86: Make VPID a run time feature

x86: Ensure vt-x features are consistent across cores

x86: Mark init_vtx_fixed_values as BOOT_CODE

x86: Fix printouts of 'v-xt' to 'vt-x'

x64: Maintain 64-bit on VM exit

The exit control in the VMCS controls what the host address-space size is
after a VM exit. On x86-64 this must be enforced to be 64-bit

x86: Comment on 0 value for PERF_GLOBAL_CTRL

This adds a comment explaining that a VM exit will clear any
performance controls

x86: Load actual EFER MSR on vmexit

Previously we threw away any modifications the kernel may have made
to the EFER when a VM exit happens. In x86-64 there are modifications
to the EFER that must be preserved

x86: Make `vmread`/`vmwrite` functions public

It is useful (largely for debugging/logging code) to be able to access
these functions outside of the internal VCPU implementation

x86: Use kpptr_to_paddr for kernel symbols

This is needed to be compatible with x86-64, where kernel symbols
have a different translation to physical address than other symbols

x86: Check against CR3 instead of PD to be mode generic

We need to check against CR3, and not just the PD or vspace root,
because any PCID bits that are in the previous/current CR3 matter
for the comparison

x86: Correct register allocation of inline assembly

The constant `1` is of type `int` in C, which is not guaranteed to be
the machine word size. The `invvpid` instruction requires its operand
be of machine word size, casting the constant fixes this and ensures
a full machine sized register is allocated

x86: Explicitly define VCPU general purpose registers

Previously the GP registers for a VCPU were defined in the 32-bit
arch registerset. This does not actually make sense as the mode
for the VCPU should be decoupled (and well defined) regardless of
the execution mode of the kernel. This commit provides an explicit
definition and register order for VCPU GP registers.

[STYLE_FIX]

x86: Avoid modifying thread running on different core in sendSignal

When sending a signal to a notification object that has a bound thread that is
in the 'runningVM' start we, ordinarily, want to deliver it by switching back
to the native execution of that thread and delivering the message. If the thread
is in the 'runningVM' state on a different core, then we must not modify its
thread state. Previously we would modify the thread state (changing it to
Running) and then attemptSwitchTo. Switching would fail, as its affinity would
be for a different core, resulting in us enqueing the thread into the
scheduling queue, despite the thread also presently running.

This commit both adds a check to prevent us manipulating a thread that
is actively running on a different core, as well as a remote operation
to tell that core that if it is running a VM it should recheck its
endpoint for a message.

x86: Use clearCurrentVCPU wrapper for vmclear

The clearCurrentVCPU wrapper additionally sets the 'launched' status
to 'false' in the current VCPU. This flag is used elsewhere in seL4
to distinguish whether a VM should be run by 'vmlaunch' or 'vmresume',
and the hardware mandates that after performing a vmclear you must
use vmlaunch and not vmresume.

x86: Save guest PAT and EFER

We already load our host PAT and EFER back out in case the guest
has changed it, this will allow for the guest to use its changed
version next time it is run

x86: Save debug controls on VM exit

This setting is forcively enabled on early vt-x versions, however
as newer versions are capable of not having this set we make sure
that we do in fact set it

[STYLE_FIX]

x86: Initial support for SMP vt-x

Enables vt-x code to compile when CONFIG_MAX_NUM_NODES is set to
greater than 1 and adds code to manage VMCS state on different cores

Clean up x86KScurInterrupt:

1. Remove the locking dependancy on the value of x86KScurInterrupt
2. Remove confusing set/unset of x86KScurInterrupt

Store remote FPU state

[STYLE_FIX]

SELFOUR-287: 32-bit vt-x implementation

This is an implementation of vt-x for x86 kernels running in
ia32 mode.