/*ARGSUSED*/
static void
xen_uppc_shutdown(int cmd, int fcn)
{
XEN_UPPC_VERBOSE_POWEROFF(("xen_uppc_shutdown(%d,%d);\n", cmd, fcn));
switch (cmd) {
case A_SHUTDOWN:
switch (fcn) {
case AD_BOOT:
case AD_IBOOT:
(void) HYPERVISOR_shutdown(SHUTDOWN_reboot);
break;
case AD_POWEROFF:
/* fall through if domU or if poweroff fails */
if (DOMAIN_IS_INITDOMAIN(xen_info))
if (xen_uppc_enable_acpi)
(void) acpi_poweroff();
/* FALLTHRU */
case AD_HALT:
default:
(void) HYPERVISOR_shutdown(SHUTDOWN_poweroff);
break;
}
break;
case A_REBOOT:
(void) HYPERVISOR_shutdown(SHUTDOWN_reboot);
break;
default:
return;
}
}
static void
xen_pv_shutdown_final(void *arg, int howto)
{
/*
* Inform the hypervisor that shutdown is complete.
* This is not necessary in HVM domains since Xen
* emulates ACPI in that mode and FreeBSD's ACPI
* support will request this transition.
*/
if (howto & (RB_HALT | RB_POWEROFF))
HYPERVISOR_shutdown(SHUTDOWN_poweroff);
else
HYPERVISOR_shutdown(SHUTDOWN_reboot);
}
static void
xen_panic_hypercall(struct unw_frame_info *info, void *arg)
{
current->thread.ksp = (__u64)info->sw - 16;
HYPERVISOR_shutdown(SHUTDOWN_crash);
/* we're never actually going to get here... */
}
void machine_power_off(void)
{
/* We really want to get pending console data out before we die. */
xencons_force_flush();
// if (pm_power_off)
// pm_power_off();
HYPERVISOR_shutdown(SHUTDOWN_poweroff);
}
/*
* halt on the hypervisor after a delay to drain console output
*/
void
dboot_halt(void)
{
uint_t i = 10000;
while (--i)
(void) HYPERVISOR_yield();
(void) HYPERVISOR_shutdown(SHUTDOWN_poweroff);
}
void machine_power_off(void)
{
/* We really want to get pending console data out before we die. */
xencons_force_flush();
#if defined(__i386__) || defined(__x86_64__)
if (pm_power_off)
pm_power_off();
#endif
HYPERVISOR_shutdown(SHUTDOWN_poweroff);
}
void
reset(void)
{
extern void acpi_reset_system();
#if !defined(__xpv)
ushort_t *bios_memchk;
/*
* Can't use psm_map_phys or acpi_reset_system before the hat is
* initialized.
*/
if (khat_running) {
bios_memchk = (ushort_t *)psm_map_phys(0x472,
sizeof (ushort_t), PROT_READ | PROT_WRITE);
if (bios_memchk)
*bios_memchk = 0x1234; /* bios memory check disable */
if (options_dip != NULL &&
ddi_prop_exists(DDI_DEV_T_ANY, ddi_root_node(), 0,
"efi-systab")) {
if (bootops == NULL)
acpi_reset_system();
efi_reset();
}
/*
* The problem with using stubs is that we can call
* acpi_reset_system only after the kernel is up and running.
*
* We should create a global state to keep track of how far
* up the kernel is but for the time being we will depend on
* bootops. bootops cleared in startup_end().
*/
if (bootops == NULL)
acpi_reset_system();
}
pc_reset();
#else
if (IN_XPV_PANIC()) {
if (khat_running && bootops == NULL) {
acpi_reset_system();
}
pc_reset();
}
(void) HYPERVISOR_shutdown(SHUTDOWN_reboot);
panic("HYPERVISOR_shutdown() failed");
#endif
/*NOTREACHED*/
}
void
mp_leave_barrier(void)
{
int i;
ASSERT(MUTEX_HELD(&cpu_lock));
for (i = 0; i < NCPU; i++) {
cpu_t *cp = cpu_get(i);
if (cp == NULL || cp == CPU)
continue;
switch (cpu_phase[i]) {
/*
* If we see a CPU in one of these phases, something has
* gone badly wrong with the guarantees
* mp_enter_barrier() is supposed to provide. Rather
* than attempt to stumble along (and since we can't
* panic properly in this context), we tell the
* hypervisor we've crashed.
*/
case CPU_PHASE_NONE:
case CPU_PHASE_WAIT_SAFE:
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
break;
case CPU_PHASE_POWERED_OFF:
break;
case CPU_PHASE_SAFE:
cpu_phase[i] = CPU_PHASE_NONE;
}
}
start_cpus();
}
void machine_emergency_restart(void)
{
/* We really want to get pending console data out before we die. */
xencons_force_flush();
HYPERVISOR_shutdown(SHUTDOWN_reboot);
}
/*
* Top level routine to direct suspend/resume of a domain.
*/
void
xen_suspend_domain(void)
{
extern void rtcsync(void);
extern hrtime_t hres_last_tick;
mfn_t start_info_mfn;
ulong_t flags;
pfn_t pfn;
int i;
/*
* Check that we are happy to suspend on this hypervisor.
*/
if (xen_hypervisor_supports_solaris(XEN_SUSPEND_CHECK) == 0) {
cpr_err(CE_WARN, "Cannot suspend on this hypervisor "
"version: v%lu.%lu%s, need at least version v3.0.4 or "
"-xvm based hypervisor", XENVER_CURRENT(xv_major),
XENVER_CURRENT(xv_minor), XENVER_CURRENT(xv_ver));
return;
}
/*
* XXPV - Are we definitely OK to suspend by the time we've connected
* the handler?
*/
cpr_err(CE_NOTE, "Domain suspending for save/migrate");
SUSPEND_DEBUG("xen_suspend_domain\n");
/*
* suspend interrupts and devices
* XXPV - we use suspend/resume for both save/restore domains (like sun
* cpr) and for migration. Would be nice to know the difference if
* possible. For save/restore where down time may be a long time, we
* may want to do more of the things that cpr does. (i.e. notify user
* processes, shrink memory footprint for faster restore, etc.)
*/
xen_suspend_devices();
SUSPEND_DEBUG("xenbus_suspend\n");
xenbus_suspend();
pfn = hat_getpfnum(kas.a_hat, (caddr_t)xen_info);
start_info_mfn = pfn_to_mfn(pfn);
/*
* XXPV: cpu hotplug can hold this under a xenbus watch. Are we safe
* wrt xenbus being suspended here?
*/
mutex_enter(&cpu_lock);
/*
* Suspend must be done on vcpu 0, as no context for other CPUs is
* saved.
*
* XXPV - add to taskq API ?
*/
thread_affinity_set(curthread, 0);
kpreempt_disable();
SUSPEND_DEBUG("xen_start_migrate\n");
xen_start_migrate();
if (ncpus > 1)
suspend_cpus();
/*
* We can grab the ec_lock as it's a spinlock with a high SPL. Hence
* any holder would have dropped it to get through suspend_cpus().
*/
mutex_enter(&ec_lock);
/*
* From here on in, we can't take locks.
*/
SUSPEND_DEBUG("ec_suspend\n");
ec_suspend();
SUSPEND_DEBUG("gnttab_suspend\n");
gnttab_suspend();
flags = intr_clear();
xpv_time_suspend();
/*
* Currently, the hypervisor incorrectly fails to bring back
* powered-down VCPUs. Thus we need to record any powered-down VCPUs
* to prevent any attempts to operate on them. But we have to do this
* *after* the very first time we do ec_suspend().
*/
for (i = 1; i < ncpus; i++) {
if (cpu[i] == NULL)
continue;
if (cpu_get_state(cpu[i]) == P_POWEROFF)
CPUSET_ATOMIC_ADD(cpu_suspend_lost_set, i);
}
/*
* The dom0 save/migrate code doesn't automatically translate
* these into PFNs, but expects them to be, so we do it here.
* We don't use mfn_to_pfn() because so many OS services have
* been disabled at this point.
*/
xen_info->store_mfn = mfn_to_pfn_mapping[xen_info->store_mfn];
xen_info->console.domU.mfn =
mfn_to_pfn_mapping[xen_info->console.domU.mfn];
if (CPU->cpu_m.mcpu_vcpu_info->evtchn_upcall_mask == 0) {
prom_printf("xen_suspend_domain(): "
"CPU->cpu_m.mcpu_vcpu_info->evtchn_upcall_mask not set\n");
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
}
if (HYPERVISOR_update_va_mapping((uintptr_t)HYPERVISOR_shared_info,
0, UVMF_INVLPG)) {
prom_printf("xen_suspend_domain(): "
"HYPERVISOR_update_va_mapping() failed\n");
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
}
SUSPEND_DEBUG("HYPERVISOR_suspend\n");
/*
* At this point we suspend and sometime later resume.
*/
if (HYPERVISOR_suspend(start_info_mfn)) {
prom_printf("xen_suspend_domain(): "
"HYPERVISOR_suspend() failed\n");
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
}
/*
* Point HYPERVISOR_shared_info to its new value.
*/
if (HYPERVISOR_update_va_mapping((uintptr_t)HYPERVISOR_shared_info,
xen_info->shared_info | PT_NOCONSIST | PT_VALID | PT_WRITABLE,
UVMF_INVLPG))
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
if (xen_info->nr_pages != mfn_count) {
prom_printf("xen_suspend_domain(): number of pages"
" changed, was 0x%lx, now 0x%lx\n", mfn_count,
xen_info->nr_pages);
(void) HYPERVISOR_shutdown(SHUTDOWN_crash);
}
xpv_time_resume();
cached_max_mfn = 0;
SUSPEND_DEBUG("gnttab_resume\n");
gnttab_resume();
/* XXPV: add a note that this must be lockless. */
SUSPEND_DEBUG("ec_resume\n");
ec_resume();
intr_restore(flags);
if (ncpus > 1)
resume_cpus();
mutex_exit(&ec_lock);
xen_end_migrate();
mutex_exit(&cpu_lock);
/*
* Now we can take locks again.
*/
/*
* Force the tick value used for tv_nsec in hres_tick() to be up to
* date. rtcsync() will reset the hrestime value appropriately.
*/
hres_last_tick = xpv_gethrtime();
/*
* XXPV: we need to have resumed the CPUs since this takes locks, but
* can remote CPUs see bad state? Presumably yes. Should probably nest
* taking of todlock inside of cpu_lock, or vice versa, then provide an
* unlocked version. Probably need to call clkinitf to reset cpu freq
* and re-calibrate if we migrated to a different speed cpu. Also need
* to make a (re)init_cpu_info call to update processor info structs
* and device tree info. That remains to be written at the moment.
*/
rtcsync();
rebuild_mfn_list();
SUSPEND_DEBUG("xenbus_resume\n");
xenbus_resume();
SUSPEND_DEBUG("xenbus_resume_devices\n");
xen_resume_devices();
thread_affinity_clear(curthread);
kpreempt_enable();
SUSPEND_DEBUG("finished xen_suspend_domain\n");
/*
* We have restarted our suspended domain, update the hypervisor
* details. NB: This must be done at the end of this function,
* since we need the domain to be completely resumed before
* these functions will work correctly.
*/
xen_set_version(XENVER_CURRENT_IDX);
/*
* We can check and report a warning, but we don't stop the
* process.
*/
if (xen_hypervisor_supports_solaris(XEN_SUSPEND_CHECK) == 0)
cmn_err(CE_WARN, "Found hypervisor version: v%lu.%lu%s "
"but need at least version v3.0.4",
XENVER_CURRENT(xv_major), XENVER_CURRENT(xv_minor),
XENVER_CURRENT(xv_ver));
cmn_err(CE_NOTE, "domain restore/migrate completed");
}
/*
* First function called by the Xen PVH boot sequence.
*
* Set some Xen global variables and prepare the environment so it is
* as similar as possible to what native FreeBSD init function expects.
*/
uint64_t
hammer_time_xen(start_info_t *si, uint64_t xenstack)
{
uint64_t physfree;
uint64_t *PT4 = (u_int64_t *)xenstack;
uint64_t *PT3 = (u_int64_t *)(xenstack + PAGE_SIZE);
uint64_t *PT2 = (u_int64_t *)(xenstack + 2 * PAGE_SIZE);
int i;
xen_domain_type = XEN_PV_DOMAIN;
vm_guest = VM_GUEST_XEN;
if ((si == NULL) || (xenstack == 0)) {
xc_printf("ERROR: invalid start_info or xen stack, halting\n");
HYPERVISOR_shutdown(SHUTDOWN_crash);
}
xc_printf("FreeBSD PVH running on %s\n", si->magic);
/* We use 3 pages of xen stack for the boot pagetables */
physfree = xenstack + 3 * PAGE_SIZE - KERNBASE;
/* Setup Xen global variables */
HYPERVISOR_start_info = si;
HYPERVISOR_shared_info =
(shared_info_t *)(si->shared_info + KERNBASE);
/*
* Setup some misc global variables for Xen devices
*
* XXX: Devices that need these specific variables should
* be rewritten to fetch this info by themselves from the
* start_info page.
*/
xen_store = (struct xenstore_domain_interface *)
(ptoa(si->store_mfn) + KERNBASE);
console_page = (char *)(ptoa(si->console.domU.mfn) + KERNBASE);
/*
* Use the stack Xen gives us to build the page tables
* as native FreeBSD expects to find them (created
* by the boot trampoline).
*/
for (i = 0; i < (PAGE_SIZE / sizeof(uint64_t)); i++) {
/*
* Each slot of the level 4 pages points
* to the same level 3 page
*/
PT4[i] = ((uint64_t)&PT3[0]) - KERNBASE;
PT4[i] |= PG_V | PG_RW | PG_U;
/*
* Each slot of the level 3 pages points
* to the same level 2 page
*/
PT3[i] = ((uint64_t)&PT2[0]) - KERNBASE;
PT3[i] |= PG_V | PG_RW | PG_U;
/*
* The level 2 page slots are mapped with
* 2MB pages for 1GB.
*/
PT2[i] = i * (2 * 1024 * 1024);
PT2[i] |= PG_V | PG_RW | PG_PS | PG_U;
}
load_cr3(((uint64_t)&PT4[0]) - KERNBASE);
/* Set the hooks for early functions that diverge from bare metal */
init_ops = xen_init_ops;
apic_ops = xen_apic_ops;
/* Now we can jump into the native init function */
return (hammer_time(0, physfree));
}
/*ARGSUSED*/
void
mdboot(int cmd, int fcn, char *mdep, boolean_t invoke_cb)
{
processorid_t bootcpuid = 0;
static int is_first_quiesce = 1;
static int is_first_reset = 1;
int reset_status = 0;
static char fallback_str[] = "Falling back to regular reboot.\n";
if (fcn == AD_FASTREBOOT && !newkernel.fi_valid)
fcn = AD_BOOT;
if (!panicstr) {
kpreempt_disable();
if (fcn == AD_FASTREBOOT) {
mutex_enter(&cpu_lock);
if (CPU_ACTIVE(cpu_get(bootcpuid))) {
affinity_set(bootcpuid);
}
mutex_exit(&cpu_lock);
} else {
affinity_set(CPU_CURRENT);
}
}
if (force_shutdown_method != AD_UNKNOWN)
fcn = force_shutdown_method;
/*
* XXX - rconsvp is set to NULL to ensure that output messages
* are sent to the underlying "hardware" device using the
* monitor's printf routine since we are in the process of
* either rebooting or halting the machine.
*/
rconsvp = NULL;
/*
* Print the reboot message now, before pausing other cpus.
* There is a race condition in the printing support that
* can deadlock multiprocessor machines.
*/
if (!(fcn == AD_HALT || fcn == AD_POWEROFF))
prom_printf("rebooting...\n");
if (IN_XPV_PANIC())
reset();
/*
* We can't bring up the console from above lock level, so do it now
*/
pm_cfb_check_and_powerup();
/* make sure there are no more changes to the device tree */
devtree_freeze();
if (invoke_cb)
(void) callb_execute_class(CB_CL_MDBOOT, NULL);
/*
* Clear any unresolved UEs from memory.
*/
page_retire_mdboot();
#if defined(__xpv)
/*
* XXPV Should probably think some more about how we deal
* with panicing before it's really safe to panic.
* On hypervisors, we reboot very quickly.. Perhaps panic
* should only attempt to recover by rebooting if,
* say, we were able to mount the root filesystem,
* or if we successfully launched init(1m).
*/
if (panicstr && proc_init == NULL)
(void) HYPERVISOR_shutdown(SHUTDOWN_poweroff);
#endif
/*
* stop other cpus and raise our priority. since there is only
* one active cpu after this, and our priority will be too high
* for us to be preempted, we're essentially single threaded
* from here on out.
*/
(void) spl6();
if (!panicstr) {
mutex_enter(&cpu_lock);
pause_cpus(NULL, NULL);
mutex_exit(&cpu_lock);
}
/*
* If the system is panicking, the preloaded kernel is valid, and
* fastreboot_onpanic has been set, and the system has been up for
* longer than fastreboot_onpanic_uptime (default to 10 minutes),
* choose Fast Reboot.
*/
if (fcn == AD_BOOT && panicstr && newkernel.fi_valid &&
fastreboot_onpanic &&
(panic_lbolt - lbolt_at_boot) > fastreboot_onpanic_uptime) {
fcn = AD_FASTREBOOT;
}
/*
* Try to quiesce devices.
*/
if (is_first_quiesce) {
/*
* Clear is_first_quiesce before calling quiesce_devices()
* so that if quiesce_devices() causes panics, it will not
* be invoked again.
*/
is_first_quiesce = 0;
quiesce_active = 1;
quiesce_devices(ddi_root_node(), &reset_status);
if (reset_status == -1) {
if (fcn == AD_FASTREBOOT && !force_fastreboot) {
prom_printf("Driver(s) not capable of fast "
"reboot.\n");
prom_printf(fallback_str);
fastreboot_capable = 0;
fcn = AD_BOOT;
} else if (fcn != AD_FASTREBOOT)
fastreboot_capable = 0;
}
quiesce_active = 0;
}
/*
* Try to reset devices. reset_leaves() should only be called
* a) when there are no other threads that could be accessing devices,
* and
* b) on a system that's not capable of fast reboot (fastreboot_capable
* being 0), or on a system where quiesce_devices() failed to
* complete (quiesce_active being 1).
*/
if (is_first_reset && (!fastreboot_capable || quiesce_active)) {
/*
* Clear is_first_reset before calling reset_devices()
* so that if reset_devices() causes panics, it will not
* be invoked again.
*/
is_first_reset = 0;
reset_leaves();
}
/* Verify newkernel checksum */
if (fastreboot_capable && fcn == AD_FASTREBOOT &&
fastboot_cksum_verify(&newkernel) != 0) {
fastreboot_capable = 0;
prom_printf("Fast reboot: checksum failed for the new "
"kernel.\n");
prom_printf(fallback_str);
}
(void) spl8();
if (fastreboot_capable && fcn == AD_FASTREBOOT) {
/*
* psm_shutdown is called within fast_reboot()
*/
fast_reboot();
} else {
(*psm_shutdownf)(cmd, fcn);
if (fcn == AD_HALT || fcn == AD_POWEROFF)
halt((char *)NULL);
else
prom_reboot("");
}
/*NOTREACHED*/
}
/*
* Top level routine to direct suspend/resume of a domain.
*/
void
xen_suspend_domain(void)
{
extern void rtcsync(void);
extern void ec_resume(void);
extern kmutex_t ec_lock;
struct xen_add_to_physmap xatp;
ulong_t flags;
int err;
cmn_err(CE_NOTE, "Domain suspending for save/migrate");
SUSPEND_DEBUG("xen_suspend_domain\n");
/*
* We only want to suspend the PV devices, since the emulated devices
* are suspended by saving the emulated device state. The PV devices
* are all children of the xpvd nexus device. So we search the
* device tree for the xpvd node to use as the root of the tree to
* be suspended.
*/
if (xpvd_dip == NULL)
ddi_walk_devs(ddi_root_node(), check_xpvd, NULL);
/*
* suspend interrupts and devices
*/
if (xpvd_dip != NULL)
(void) xen_suspend_devices(ddi_get_child(xpvd_dip));
else
cmn_err(CE_WARN, "No PV devices found to suspend");
SUSPEND_DEBUG("xenbus_suspend\n");
xenbus_suspend();
mutex_enter(&cpu_lock);
/*
* Suspend on vcpu 0
*/
thread_affinity_set(curthread, 0);
kpreempt_disable();
if (ncpus > 1)
pause_cpus(NULL, NULL);
/*
* We can grab the ec_lock as it's a spinlock with a high SPL. Hence
* any holder would have dropped it to get through pause_cpus().
*/
mutex_enter(&ec_lock);
/*
* From here on in, we can't take locks.
*/
flags = intr_clear();
SUSPEND_DEBUG("HYPERVISOR_suspend\n");
/*
* At this point we suspend and sometime later resume.
* Note that this call may return with an indication of a cancelled
* for now no matter ehat the return we do a full resume of all
* suspended drivers, etc.
*/
(void) HYPERVISOR_shutdown(SHUTDOWN_suspend);
/*
* Point HYPERVISOR_shared_info to the proper place.
*/
xatp.domid = DOMID_SELF;
xatp.idx = 0;
xatp.space = XENMAPSPACE_shared_info;
xatp.gpfn = xen_shared_info_frame;
if ((err = HYPERVISOR_memory_op(XENMEM_add_to_physmap, &xatp)) != 0)
panic("Could not set shared_info page. error: %d", err);
SUSPEND_DEBUG("gnttab_resume\n");
gnttab_resume();
SUSPEND_DEBUG("ec_resume\n");
ec_resume();
intr_restore(flags);
if (ncpus > 1)
start_cpus();
mutex_exit(&ec_lock);
mutex_exit(&cpu_lock);
/*
* Now we can take locks again.
*/
rtcsync();
SUSPEND_DEBUG("xenbus_resume\n");
xenbus_resume();
SUSPEND_DEBUG("xen_resume_devices\n");
if (xpvd_dip != NULL)
(void) xen_resume_devices(ddi_get_child(xpvd_dip), 0);
thread_affinity_clear(curthread);
kpreempt_enable();
SUSPEND_DEBUG("finished xen_suspend_domain\n");
cmn_err(CE_NOTE, "domain restore/migrate completed");
}
