diff mbox series

[RFC,kvmtool,v1,26/32] Use the new fd-based extended memory region

Message ID 20221202174417.1310826-27-tabba@google.com (mailing list archive)
State New, archived
Headers show
Series Add support for restricted guest memory in kvmtool | expand

Commit Message

Fuad Tabba Dec. 2, 2022, 5:44 p.m. UTC 
If restricted guest memory is enabled, use the new extended guest
memory region interface to pass the guest memory to kvm using the
restricted file descriptor.

In the future, pKVM will require this, and the successor of patch
will instead force the use of restricted guest memory for pKVM
(and other potential environments) that require restricted memory.

Signed-off-by: Fuad Tabba <tabba@google.com>
---
 kvm.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 5 deletions(-)
diff mbox series

Patch

diff --git a/kvm.c b/kvm.c
index fc0bfc4..bde6708 100644
--- a/kvm.c
+++ b/kvm.c
@@ -214,6 +214,41 @@  static int set_user_memory_region(int vm_fd, u32 slot, u32 flags,
 	return ret;
 }
 
+static int set_user_memory_region_ext(int vm_fd, u32 slot, u32 flags,
+				  u64 guest_phys, u64 size,
+				  u64 userspace_addr, u32 fd, u64 offset)
+{
+	int ret = 0;
+	struct kvm_enc_region range;
+	struct kvm_userspace_memory_region_ext mem = {
+		.region = {
+			.slot			= slot,
+			.flags			= flags,
+			.guest_phys_addr	= guest_phys,
+			.memory_size		= size,
+			.userspace_addr		= 0,
+		},
+		.restricted_fd = fd,
+		.restricted_offset = offset,
+	};
+
+	ret = ioctl(vm_fd, KVM_SET_USER_MEMORY_REGION, &mem);
+	if (ret < 0) {
+		ret = -errno;
+		goto out;
+	}
+
+	/* Inform KVM that the region is protected. */
+	range.addr = guest_phys;
+	range.size = size;
+	ret = ioctl(vm_fd, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
+	if (ret)
+		ret = -errno;
+
+out:
+	return ret;
+}
+
 int kvm__destroy_mem(struct kvm *kvm, u64 guest_phys, u64 size,
 		     void *userspace_addr)
 {
@@ -240,8 +275,13 @@  int kvm__destroy_mem(struct kvm *kvm, u64 guest_phys, u64 size,
 		goto out;
 	}
 
-	ret = set_user_memory_region(kvm->vm_fd, bank->slot, 0, guest_phys, 0,
-				     (u64) userspace_addr);
+	if (kvm->cfg.restricted_mem)
+		ret = set_user_memory_region_ext(kvm->vm_fd, bank->slot,
+			KVM_MEM_PRIVATE, guest_phys, 0, (u64) userspace_addr,
+			0, 0);
+	else
+		ret = set_user_memory_region(kvm->vm_fd, bank->slot, 0,
+			guest_phys, 0, (u64) userspace_addr);
 	if (ret < 0)
 		goto out;
 
@@ -339,9 +379,13 @@  int kvm__register_mem(struct kvm *kvm, u64 guest_phys, u64 size,
 		flags |= KVM_MEM_READONLY;
 
 	if (type != KVM_MEM_TYPE_RESERVED) {
-		ret = set_user_memory_region(kvm->vm_fd, slot, flags,
-					     guest_phys, size,
-					     (u64) userspace_addr);
+		if (kvm->cfg.restricted_mem)
+			ret = set_user_memory_region_ext(kvm->vm_fd, slot,
+				flags | KVM_MEM_PRIVATE, guest_phys, size,
+				(u64) userspace_addr, memfd, offset);
+		else
+			ret = set_user_memory_region(kvm->vm_fd, slot, flags,
+				guest_phys, size, (u64) userspace_addr);
 		if (ret < 0)
 			goto out;
 	}