| Message ID | 20190415111542.119788-4-andre.przywara@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | KVM: arm/arm64: Add VCPU workarounds firmware register | expand |
On 15/04/2019 12:15, Andre Przywara wrote: > Add documentation for the newly defined firmware registers to save and > restore any vulnerability mitigation status. > > Signed-off-by: Andre Przywara <andre.przywara@arm.com> Reviewed-by: Steven Price <steven.price@arm.com> Thanks, Steve > --- > Documentation/virtual/kvm/arm/psci.txt | 31 ++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > > diff --git a/Documentation/virtual/kvm/arm/psci.txt b/Documentation/virtual/kvm/arm/psci.txt > index aafdab887b04..a876c1baa56e 100644 > --- a/Documentation/virtual/kvm/arm/psci.txt > +++ b/Documentation/virtual/kvm/arm/psci.txt > @@ -28,3 +28,34 @@ The following register is defined: > - Allows any PSCI version implemented by KVM and compatible with > v0.2 to be set with SET_ONE_REG > - Affects the whole VM (even if the register view is per-vcpu) > + > +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1: > + Holds the state of the firmware support to mitigate CVE-2017-5715, as > + offered by KVM to the guest via a HVC call. The workaround is described > + under SMCCC_ARCH_WORKAROUND_1 in [1]. > + Accepted values are: > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_AVAIL: KVM does not offer > + firmware support for the workaround. The mitigation status for the > + guest is unknown. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_AVAIL: The workaround HVC call is > + available to the guest and required for the mitigation. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_UNAFFECTED: The workaround HVC call > + is available to the guest, but it is not needed on this VCPU. > + > +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2: > + Holds the state of the firmware support to mitigate CVE-2018-3639, as > + offered by KVM to the guest via a HVC call. The workaround is described > + under SMCCC_ARCH_WORKAROUND_2 in [1]. > + Accepted values are: > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_NOT_AVAIL: A workaround is not > + available. KVM does not offer firmware support for the workaround. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNKNOWN: The workaround state is > + unknown. KVM does not offer firmware support for the workaround. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_AVAIL: The workaround is available, > + and can be disabled by a vCPU. If > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_ENABLED is set, it is active for > + this vCPU. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNAFFECTED: The workaround is always > + active on this vCPU or it is not needed. > + > +[1] https://developer.arm.com/-/media/developer/pdf/ARM_DEN_0070A_Firmware_interfaces_for_mitigating_CVE-2017-5715.pdf >
Hi Andre, On 4/15/19 1:15 PM, Andre Przywara wrote: > Add documentation for the newly defined firmware registers to save and > restore any vulnerability mitigation status. > > Signed-off-by: Andre Przywara <andre.przywara@arm.com> > --- > Documentation/virtual/kvm/arm/psci.txt | 31 ++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > > diff --git a/Documentation/virtual/kvm/arm/psci.txt b/Documentation/virtual/kvm/arm/psci.txt > index aafdab887b04..a876c1baa56e 100644 > --- a/Documentation/virtual/kvm/arm/psci.txt > +++ b/Documentation/virtual/kvm/arm/psci.txt > @@ -28,3 +28,34 @@ The following register is defined: > - Allows any PSCI version implemented by KVM and compatible with > v0.2 to be set with SET_ONE_REG > - Affects the whole VM (even if the register view is per-vcpu) > + > +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1: > + Holds the state of the firmware support to mitigate CVE-2017-5715, as > + offered by KVM to the guest via a HVC call. The workaround is described > + under SMCCC_ARCH_WORKAROUND_1 in [1]. > + Accepted values are: Why not simplifying overall: > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_AVAIL: KVM does not offer > + firmware support for the workaround. The mitigation status for the > + guest is unknown. The workaround is not supported by KVM > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_AVAIL: The workaround HVC call is > + available to the guest and required for the mitigation. Mitigation is needed for this vCPU and the workaround is supported by KVM > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_UNAFFECTED: The workaround HVC call > + is available to the guest, but it is not needed on this VCPU. Mitigation is not needed for this vCPU(. The workaround is supported though.) > + > +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2: > + Holds the state of the firmware support to mitigate CVE-2018-3639, as > + offered by KVM to the guest via a HVC call. The workaround is described > + under SMCCC_ARCH_WORKAROUND_2 in [1]. > + Accepted values are: > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_NOT_AVAIL: A workaround is not > + available. KVM does not offer firmware support for the workaround. The workaround is not supported by KVM > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNKNOWN: The workaround state is > + unknown. KVM does not offer firmware support for the workaround. The workaround state is unknown > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_AVAIL: The workaround is available, > + and can be disabled by a vCPU. If s/by a vCPU/per vCPU? The workaround is available and can be set per vCPU > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_ENABLED is set, it is active for > + this vCPU. > + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNAFFECTED: The workaround is always > + active on this vCPU or it is not needed. Thanks Eric > + > +[1] https://developer.arm.com/-/media/developer/pdf/ARM_DEN_0070A_Firmware_interfaces_for_mitigating_CVE-2017-5715.pdf >
diff --git a/Documentation/virtual/kvm/arm/psci.txt b/Documentation/virtual/kvm/arm/psci.txt index aafdab887b04..a876c1baa56e 100644 --- a/Documentation/virtual/kvm/arm/psci.txt +++ b/Documentation/virtual/kvm/arm/psci.txt @@ -28,3 +28,34 @@ The following register is defined: - Allows any PSCI version implemented by KVM and compatible with v0.2 to be set with SET_ONE_REG - Affects the whole VM (even if the register view is per-vcpu) + +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1: + Holds the state of the firmware support to mitigate CVE-2017-5715, as + offered by KVM to the guest via a HVC call. The workaround is described + under SMCCC_ARCH_WORKAROUND_1 in [1]. + Accepted values are: + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_AVAIL: KVM does not offer + firmware support for the workaround. The mitigation status for the + guest is unknown. + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_AVAIL: The workaround HVC call is + available to the guest and required for the mitigation. + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_UNAFFECTED: The workaround HVC call + is available to the guest, but it is not needed on this VCPU. + +* KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2: + Holds the state of the firmware support to mitigate CVE-2018-3639, as + offered by KVM to the guest via a HVC call. The workaround is described + under SMCCC_ARCH_WORKAROUND_2 in [1]. + Accepted values are: + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_NOT_AVAIL: A workaround is not + available. KVM does not offer firmware support for the workaround. + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNKNOWN: The workaround state is + unknown. KVM does not offer firmware support for the workaround. + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_AVAIL: The workaround is available, + and can be disabled by a vCPU. If + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_ENABLED is set, it is active for + this vCPU. + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNAFFECTED: The workaround is always + active on this vCPU or it is not needed. + +[1] https://developer.arm.com/-/media/developer/pdf/ARM_DEN_0070A_Firmware_interfaces_for_mitigating_CVE-2017-5715.pdf
Add documentation for the newly defined firmware registers to save and restore any vulnerability mitigation status. Signed-off-by: Andre Przywara <andre.przywara@arm.com> --- Documentation/virtual/kvm/arm/psci.txt | 31 ++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)