[58/89] KVM: arm64: Restrict protected VM capabilities

Message ID	20220519134204.5379-59-will@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <kvm-owner@kernel.org> From: Will Deacon <will@kernel.org> To: kvmarm@lists.cs.columbia.edu Cc: Will Deacon <will@kernel.org>, Ard Biesheuvel <ardb@kernel.org>, Sean Christopherson <seanjc@google.com>, Alexandru Elisei <alexandru.elisei@arm.com>, Andy Lutomirski <luto@amacapital.net>, Catalin Marinas <catalin.marinas@arm.com>, James Morse <james.morse@arm.com>, Chao Peng <chao.p.peng@linux.intel.com>, Quentin Perret <qperret@google.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Michael Roth <michael.roth@amd.com>, Mark Rutland <mark.rutland@arm.com>, Fuad Tabba <tabba@google.com>, Oliver Upton <oupton@google.com>, Marc Zyngier <maz@kernel.org>, kernel-team@android.com, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [PATCH 58/89] KVM: arm64: Restrict protected VM capabilities Date: Thu, 19 May 2022 14:41:33 +0100 Message-Id: <20220519134204.5379-59-will@kernel.org> In-Reply-To: <20220519134204.5379-1-will@kernel.org> References: <20220519134204.5379-1-will@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	KVM: arm64: Base support for the pKVM hypervisor at EL2 \| expand [00/89] KVM: arm64: Base support for the pKVM hypervisor at EL2 [01/89] KVM: arm64: Handle all ID registers trapped for a protected VM [02/89] KVM: arm64: Remove redundant hyp_assert_lock_held() assertions [03/89] KVM: arm64: Return error from kvm_arch_init_vm() on allocation failure [04/89] KVM: arm64: Ignore 'kvm-arm.mode=protected' when using VHE [05/89] KVM: arm64: Extend comment in has_vhe() [06/89] KVM: arm64: Drop stale comment [07/89] KVM: arm64: Move hyp refcount manipulation helpers [08/89] KVM: arm64: Back hyp_vmemmap for all of memory [09/89] KVM: arm64: Unify identifiers used to distinguish host and hypervisor [10/89] KVM: arm64: Implement do_donate() helper for donating memory [11/89] KVM: arm64: Prevent the donation of no-map pages [12/89] KVM: arm64: Add helpers to pin memory shared with hyp [13/89] KVM: arm64: Include asm/kvm_mmu.h in nvhe/mem_protect.h [14/89] KVM: arm64: Add hyp_spinlock_t static initializer [15/89] KVM: arm64: Introduce shadow VM state at EL2 [16/89] KVM: arm64: Instantiate VM shadow data from EL1 [17/89] KVM: arm64: Make hyp stage-1 refcnt correct on the whole range [18/89] KVM: arm64: Factor out private range VA allocation [19/89] KVM: arm64: Add pcpu fixmap infrastructure at EL2 [20/89] KVM: arm64: Provide I-cache invalidation by VA at EL2 [21/89] KVM: arm64: Allow non-coallescable pages in a hyp_pool [22/89] KVM: arm64: Add generic hyp_memcache helpers [23/89] KVM: arm64: Instantiate guest stage-2 page-tables at EL2 [24/89] KVM: arm64: Return guest memory from EL2 via dedicated teardown memcache [25/89] KVM: arm64: Add flags to struct hyp_page [26/89] KVM: arm64: Provide a hypercall for the host to reclaim guest memory [27/89] KVM: arm64: Extend memory sharing to allow host-to-guest transitions [28/89] KVM: arm64: Consolidate stage-2 init in one function [29/89] KVM: arm64: Check for PTE validity when checking for executable/cacheable [30/89] KVM: arm64: Do not allow memslot changes after first VM run under pKVM [31/89] KVM: arm64: Disallow dirty logging and RO memslots with pKVM [32/89] KVM: arm64: Use the shadow vCPU structure in handle___kvm_vcpu_run() [33/89] KVM: arm64: Handle guest stage-2 page-tables entirely at EL2 [34/89] KVM: arm64: Don't access kvm_arm_hyp_percpu_base at EL1 [35/89] KVM: arm64: Unmap kvm_arm_hyp_percpu_base from the host [36/89] KVM: arm64: Maintain a copy of 'kvm_arm_vmid_bits' at EL2 [37/89] KVM: arm64: Explicitly map kvm_vgic_global_state at EL2 [38/89] KVM: arm64: Don't map host sections in pkvm [39/89] KVM: arm64: Extend memory donation to allow host-to-guest transitions [40/89] KVM: arm64: Split up nvhe/fixed_config.h [41/89] KVM: arm64: Make vcpu_{read,write}_sys_reg available to HYP code [42/89] KVM: arm64: Simplify vgic-v3 hypercalls [43/89] KVM: arm64: Add the {flush,sync}_vgic_state() primitives [44/89] KVM: arm64: Introduce predicates to check for protected state [45/89] KVM: arm64: Add the {flush,sync}_timer_state() primitives [46/89] KVM: arm64: Introduce the pkvm_vcpu_{load,put} hypercalls [47/89] KVM: arm64: Add current vcpu and shadow_state lookup primitive [48/89] KVM: arm64: Skip __kvm_adjust_pc() for protected vcpus [49/89] KVM: arm64: Add hyp per_cpu variable to track current physical cpu number [50/89] KVM: arm64: Ensure that TLBs and I-cache are private to each vcpu [51/89] KVM: arm64: Introduce per-EC entry/exit handlers [52/89] KVM: arm64: Introduce lazy-ish state sync for non-protected VMs [53/89] KVM: arm64: Lazy host FP save/restore [54/89] KVM: arm64: Reduce host/shadow vcpu state copying [55/89] KVM: arm64: Do not pass the vcpu to __pkvm_host_map_guest() [56/89] KVM: arm64: Check directly whether the vcpu is protected [57/89] KVM: arm64: Trap debug break and watch from guest [58/89] KVM: arm64: Restrict protected VM capabilities [59/89] KVM: arm64: Do not support MTE for protected VMs [60/89] KVM: arm64: Refactor reset_mpidr to extract its computation [61/89] KVM: arm64: Reset sysregs for protected VMs [62/89] KVM: arm64: Move pkvm_vcpu_init_traps to shadow vcpu init [63/89] KVM: arm64: Fix initializing traps in protected mode [64/89] KVM: arm64: Advertise GICv3 sysreg interface to protected guests [65/89] KVM: arm64: Force injection of a data abort on NISV MMIO exit [66/89] KVM: arm64: Donate memory to protected guests [67/89] KVM: arm64: Add EL2 entry/exit handlers for pKVM guests [68/89] KVM: arm64: Move vgic state between host and shadow vcpu structures [69/89] KVM: arm64: Do not update virtual timer state for protected VMs [70/89] KVM: arm64: Refactor kvm_vcpu_enable_ptrauth() for hyp use [71/89] KVM: arm64: Initialize shadow vm state at hyp [72/89] KVM: arm64: Track the SVE state in the shadow vcpu [73/89] KVM: arm64: Add HVC handling for protected guests at EL2 [74/89] KVM: arm64: Move pstate reset values to kvm_arm.h [75/89] KVM: arm64: Move some kvm_psci functions to a shared header [76/89] KVM: arm64: Factor out vcpu_reset code for core registers and PSCI [77/89] KVM: arm64: Handle PSCI for protected VMs in EL2 [78/89] KVM: arm64: Don't expose TLBI hypercalls after de-privilege [79/89] KVM: arm64: Add is_pkvm_initialized() helper [80/89] KVM: arm64: Refactor enter_exception64() [81/89] KVM: arm64: Inject SIGSEGV on illegal accesses [82/89] KVM: arm64: Support TLB invalidation in guest context [83/89] KVM: arm64: Avoid BBM when changing only s/w bits in Stage-2 PTE [84/89] KVM: arm64: Extend memory sharing to allow guest-to-host transitions [85/89] KVM: arm64: Document the KVM/arm64-specific calls in hypercalls.rst [86/89] KVM: arm64: Reformat/beautify PTP hypercall documentation [87/89] KVM: arm64: Expose memory sharing hypercalls to protected guests [88/89] KVM: arm64: Introduce KVM_VM_TYPE_ARM_PROTECTED machine type for PVMs [89/89] Documentation: KVM: Add some documentation for Protected KVM on arm64

Message ID

20220519134204.5379-59-will@kernel.org (mailing list archive)

State

New, archived

Headers

From: Will Deacon <will@kernel.org>
To: kvmarm@lists.cs.columbia.edu
Cc: Will Deacon <will@kernel.org>, Ard Biesheuvel <ardb@kernel.org>,
        Sean Christopherson <seanjc@google.com>,
        Alexandru Elisei <alexandru.elisei@arm.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Catalin Marinas <catalin.marinas@arm.com>,
        James Morse <james.morse@arm.com>,
        Chao Peng <chao.p.peng@linux.intel.com>,
        Quentin Perret <qperret@google.com>,
        Suzuki K Poulose <suzuki.poulose@arm.com>,
        Michael Roth <michael.roth@amd.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Fuad Tabba <tabba@google.com>,
        Oliver Upton <oupton@google.com>,
        Marc Zyngier <maz@kernel.org>, kernel-team@android.com,
        kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH 58/89] KVM: arm64: Restrict protected VM capabilities
Date: Thu, 19 May 2022 14:41:33 +0100
Message-Id: <20220519134204.5379-59-will@kernel.org>
In-Reply-To: <20220519134204.5379-1-will@kernel.org>
References: <20220519134204.5379-1-will@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

KVM: arm64: Base support for the pKVM hypervisor at EL2 | expand

Commit Message

Will Deacon May 19, 2022, 1:41 p.m. UTC

From: Fuad Tabba <tabba@google.com>

Restrict protected VM capabilities based on the
fixed-configuration for protected VMs.

No functional change intended in current KVM-supported modes
(nVHE, VHE).

Signed-off-by: Fuad Tabba <tabba@google.com>
---
 arch/arm64/include/asm/kvm_pkvm.h | 27 ++++++++++++
 arch/arm64/kvm/arm.c              | 69 ++++++++++++++++++++++++++++++-
 2 files changed, 95 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/kvm_pkvm.h b/arch/arm64/include/asm/kvm_pkvm.h
index b92440cfb5b4..6f13f62558dd 100644
--- a/arch/arm64/include/asm/kvm_pkvm.h
+++ b/arch/arm64/include/asm/kvm_pkvm.h
@@ -208,6 +208,33 @@  void kvm_shadow_destroy(struct kvm *kvm);
 	ARM64_FEATURE_MASK(ID_AA64ISAR2_APA3) \
 	)
 
+/*
+ * Returns the maximum number of breakpoints supported for protected VMs.
+ */
+static inline int pkvm_get_max_brps(void)
+{
+	int num = FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_BRPS),
+			    PVM_ID_AA64DFR0_ALLOW);
+
+	/*
+	 * If breakpoints are supported, the maximum number is 1 + the field.
+	 * Otherwise, return 0, which is not compliant with the architecture,
+	 * but is reserved and is used here to indicate no debug support.
+	 */
+	return num ? num + 1 : 0;
+}
+
+/*
+ * Returns the maximum number of watchpoints supported for protected VMs.
+ */
+static inline int pkvm_get_max_wrps(void)
+{
+	int num = FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_WRPS),
+			    PVM_ID_AA64DFR0_ALLOW);
+
+	return num ? num + 1 : 0;
+}
+
 extern struct memblock_region kvm_nvhe_sym(hyp_memory)[];
 extern unsigned int kvm_nvhe_sym(hyp_memblock_nr);
 
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 7c57c14e173a..10e036bf06e3 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -194,9 +194,10 @@  void kvm_arch_destroy_vm(struct kvm *kvm)
 	kvm_unshare_hyp(kvm, kvm + 1);
 }
 
-int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
+static int kvm_check_extension(struct kvm *kvm, long ext)
 {
 	int r;
+
 	switch (ext) {
 	case KVM_CAP_IRQCHIP:
 		r = vgic_present;
@@ -294,6 +295,72 @@  int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 	return r;
 }
 
+/*
+ * Checks whether the extension specified in ext is supported in protected
+ * mode for the specified vm.
+ * The capabilities supported by kvm in general are passed in kvm_cap.
+ */
+static int pkvm_check_extension(struct kvm *kvm, long ext, int kvm_cap)
+{
+	int r;
+
+	switch (ext) {
+	case KVM_CAP_IRQCHIP:
+	case KVM_CAP_ARM_PSCI:
+	case KVM_CAP_ARM_PSCI_0_2:
+	case KVM_CAP_NR_VCPUS:
+	case KVM_CAP_MAX_VCPUS:
+	case KVM_CAP_MAX_VCPU_ID:
+	case KVM_CAP_MSI_DEVID:
+	case KVM_CAP_ARM_VM_IPA_SIZE:
+		r = kvm_cap;
+		break;
+	case KVM_CAP_GUEST_DEBUG_HW_BPS:
+		r = min(kvm_cap, pkvm_get_max_brps());
+		break;
+	case KVM_CAP_GUEST_DEBUG_HW_WPS:
+		r = min(kvm_cap, pkvm_get_max_wrps());
+		break;
+	case KVM_CAP_ARM_PMU_V3:
+		r = kvm_cap && FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_PMUVER),
+					 PVM_ID_AA64DFR0_ALLOW);
+		break;
+	case KVM_CAP_ARM_SVE:
+		r = kvm_cap && FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_SVE),
+					 PVM_ID_AA64PFR0_RESTRICT_UNSIGNED);
+		break;
+	case KVM_CAP_ARM_PTRAUTH_ADDRESS:
+		r = kvm_cap &&
+		    FIELD_GET(ARM64_FEATURE_MASK(ID_AA64ISAR1_API),
+			      PVM_ID_AA64ISAR1_ALLOW) &&
+		    FIELD_GET(ARM64_FEATURE_MASK(ID_AA64ISAR1_APA),
+			      PVM_ID_AA64ISAR1_ALLOW);
+		break;
+	case KVM_CAP_ARM_PTRAUTH_GENERIC:
+		r = kvm_cap &&
+		    FIELD_GET(ARM64_FEATURE_MASK(ID_AA64ISAR1_GPI),
+			      PVM_ID_AA64ISAR1_ALLOW) &&
+		    FIELD_GET(ARM64_FEATURE_MASK(ID_AA64ISAR1_GPA),
+			      PVM_ID_AA64ISAR1_ALLOW);
+		break;
+	default:
+		r = 0;
+		break;
+	}
+
+	return r;
+}
+
+int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
+{
+	int r = kvm_check_extension(kvm, ext);
+
+	if (kvm && kvm_vm_is_protected(kvm))
+		r = pkvm_check_extension(kvm, ext, r);
+
+	return r;
+}
+
 long kvm_arch_dev_ioctl(struct file *filp,
 			unsigned int ioctl, unsigned long arg)
 {

[58/89] KVM: arm64: Restrict protected VM capabilities

Commit Message

Patch