@@ -7241,3 +7241,16 @@ The argument to KVM_ENABLE_CAP is also a bitmask, and must be a subset
of the result of KVM_CHECK_EXTENSION. KVM will forward to userspace
the hypercalls whose corresponding bit is in the argument, and return
ENOSYS for the others.
+
+8.35 KVM_CAP_DISABLE_PTP_KVM
+----------------------------
+
+:Architectures: arm64
+
+This capability indicates that a VMM may disable the KVM virtual PTP
+service for a guest. KVM_CAP_PTP_KVM introduced support for this
+hypercall interface, but it is unconditionally enabled without any
+opt-out.
+
+When this capability is enabled, KVM will hide the KVM virtual PTP
+service from the guest.
@@ -136,6 +136,9 @@ struct kvm_arch {
/* Memory Tagging Extension enabled for the guest */
bool mte_enabled;
+
+ /* PTP KVM hypercall disabled for this guest */
+ bool ptp_kvm_disabled;
};
struct kvm_vcpu_fault_info {
@@ -103,6 +103,10 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
}
mutex_unlock(&kvm->lock);
break;
+ case KVM_CAP_DISABLE_PTP_KVM:
+ kvm->arch.ptp_kvm_disabled = true;
+ r = 0;
+ break;
default:
r = -EINVAL;
break;
@@ -217,6 +221,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
case KVM_CAP_SET_GUEST_DEBUG:
case KVM_CAP_VCPU_ATTRIBUTES:
case KVM_CAP_PTP_KVM:
+ case KVM_CAP_DISABLE_PTP_KVM:
r = 1;
break;
case KVM_CAP_SET_GUEST_DEBUG2:
@@ -62,6 +62,7 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu)
{
u32 func_id = smccc_get_function(vcpu);
u64 val[4] = {SMCCC_RET_NOT_SUPPORTED};
+ struct kvm *kvm = vcpu->kvm;
u32 feature;
gpa_t gpa;
@@ -128,10 +129,12 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu)
break;
case ARM_SMCCC_VENDOR_HYP_KVM_FEATURES_FUNC_ID:
val[0] = BIT(ARM_SMCCC_KVM_FUNC_FEATURES);
- val[0] |= BIT(ARM_SMCCC_KVM_FUNC_PTP);
+ if (!kvm->arch.ptp_kvm_disabled)
+ val[0] |= BIT(ARM_SMCCC_KVM_FUNC_PTP);
break;
case ARM_SMCCC_VENDOR_HYP_KVM_PTP_FUNC_ID:
- kvm_ptp_get_time(vcpu, val);
+ if (!kvm->arch.ptp_kvm_disabled)
+ kvm_ptp_get_time(vcpu, val);
break;
case ARM_SMCCC_TRNG_VERSION:
case ARM_SMCCC_TRNG_FEATURES:
@@ -1112,6 +1112,7 @@ struct kvm_ppc_resize_hpt {
#define KVM_CAP_BINARY_STATS_FD 203
#define KVM_CAP_EXIT_ON_EMULATION_FAILURE 204
#define KVM_CAP_ARM_MTE 205
+#define KVM_CAP_DISABLE_PTP_KVM 206
#ifdef KVM_CAP_IRQ_ROUTING
commit 3bf725699bf6 ("KVM: arm64: Add support for the KVM PTP service") introduced support for a hypercall-based interface through which a KVM guest may query the host's walltime relative to its physical or virtual counter. Unfortunately, KVM does not require opt-in for the feature, and unconditionally provides it to guests when available. This is extremely problematic for operators who want to ensure guest migrations are rollback safe. If an operator were to live migrate guests to a kernel with KVM_CAP_PTP_KVM and subsequently need to roll back the kernel, guests that discovered the hypercall will get fussy *very* quickly. Plug the hazard by introducing a new capability, KVM_CAP_DISABLE_PTP_KVM. To maintain ABI compatibility with the aforementioned change, this cap is off by default. When enabled, hide the KVM PTP hypercall from the guest. Fixes: 3bf725699bf6 ("KVM: arm64: Add support for the KVM PTP service") Signed-off-by: Oliver Upton <oupton@google.com> --- Patch cleanly applies on v5.14-rc7. Delightfully untested beyond building it :) Documentation/virt/kvm/api.rst | 13 +++++++++++++ arch/arm64/include/asm/kvm_host.h | 3 +++ arch/arm64/kvm/arm.c | 5 +++++ arch/arm64/kvm/hypercalls.c | 7 +++++-- include/uapi/linux/kvm.h | 1 + 5 files changed, 27 insertions(+), 2 deletions(-)