Message ID | 20201026133450.73304-1-maz@kernel.org (mailing list archive)
---|---
Series | KVM: arm64: Move PC/ELR/SPSR/PSTATE updates to EL2
On Mon, Oct 26, 2020 at 01:34:42PM +0000, Marc Zyngier wrote:
> In an effort to remove the vcpu PC manipulations from EL1 on nVHE
> systems, move kvm_skip_instr() to be HYP-specific. EL1's intent
> to increment PC post emulation is now signalled via a flag in the
> vcpu structure.
>
> Signed-off-by: Marc Zyngier <maz@kernel.org>

[...]

> +/*
> + * Adjust the guest PC on entry, depending on flags provided by EL1
> + * for the purpose of emulation (MMIO, sysreg).
> + */
> +static inline void __adjust_pc(struct kvm_vcpu *vcpu)
> +{
> +	if (vcpu->arch.flags & KVM_ARM64_INCREMENT_PC) {
> +		kvm_skip_instr(vcpu);
> +		vcpu->arch.flags &= ~KVM_ARM64_INCREMENT_PC;
> +	}
> +}

What's your plan for restricting *when* EL1 can ask for the PC to be
adjusted?

I'm assuming that either:

1. You have EL2 sanity-check all responses from EL1 are permitted for
   the current state. e.g. if EL1 asks to increment the PC, EL2 must
   check that that was a sane response for the current state.

2. You raise the level of abstraction at the EL2/EL1 boundary, such that
   EL2 simply knows. e.g. if emulating a memory access, EL1 can either
   provide the response or signal an abort, but doesn't choose to
   manipulate the PC as EL2 will infer the right thing to do.

I know that either are tricky in practice, so I'm curious what your view
is. Generally option #2 is easier to fortify, but I guess we might have
to do #1 since we also have to support unprotected VMs?

Thanks,
Mark.
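Review bot: the comment above __adjust_pc should document the trust boundary it implements: KVM_ARM64_INCREMENT_PC is a one-shot request that EL2 consumes and clears on every guest entry, and the comment should name which EL1 emulation paths are expected to set it. As written, the helper calls kvm_skip_instr() whenever the bit is set, with no cross-check against what actually trapped, which is exactly the "when can EL1 ask" gap raised in this thread; a sentence in the comment stating whether that check is deliberately deferred to EL1 (unprotected VMs) or still to come would make the intent clear to later readers.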
On 2020-10-26 14:04, Mark Rutland wrote:
> On Mon, Oct 26, 2020 at 01:34:42PM +0000, Marc Zyngier wrote:
>> In an effort to remove the vcpu PC manipulations from EL1 on nVHE
>> systems, move kvm_skip_instr() to be HYP-specific. EL1's intent
>> to increment PC post emulation is now signalled via a flag in the
>> vcpu structure.
>>
>> Signed-off-by: Marc Zyngier <maz@kernel.org>
>
> [...]
>
>> +/*
>> + * Adjust the guest PC on entry, depending on flags provided by EL1
>> + * for the purpose of emulation (MMIO, sysreg).
>> + */
>> +static inline void __adjust_pc(struct kvm_vcpu *vcpu)
>> +{
>> +	if (vcpu->arch.flags & KVM_ARM64_INCREMENT_PC) {
>> +		kvm_skip_instr(vcpu);
>> +		vcpu->arch.flags &= ~KVM_ARM64_INCREMENT_PC;
>> +	}
>> +}
>
> What's your plan for restricting *when* EL1 can ask for the PC to be
> adjusted?
>
> I'm assuming that either:
>
> 1. You have EL2 sanity-check all responses from EL1 are permitted for
>    the current state. e.g. if EL1 asks to increment the PC, EL2 must
>    check that that was a sane response for the current state.
>
> 2. You raise the level of abstraction at the EL2/EL1 boundary, such that
>    EL2 simply knows. e.g. if emulating a memory access, EL1 can either
>    provide the response or signal an abort, but doesn't choose to
>    manipulate the PC as EL2 will infer the right thing to do.
>
> I know that either are tricky in practice, so I'm curious what your view
> is. Generally option #2 is easier to fortify, but I guess we might have
> to do #1 since we also have to support unprotected VMs?

To be honest, I'm still in two minds about it, which is why I have gone
with this "middle of the road" option (moving the PC update to EL2, but
leaving the control at EL1).

I guess the answer is "it depends". MMIO is easy to put in the #2 model,
while things like WFI/WFE really need #1. sysregs are yet another can of
worms.

M.
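The two options debated in this thread come down to where the decision to step past a trapped instruction is made. As an added illustration that is not KVM's code, the following constructed C model shows the shape of option #1: EL2 records the trap class in state EL1 cannot write, and on re-entry only honours the increment request when that class is one for which skipping the instruction is a sane response. All names, the allowed-class policy, and the `il32` length field are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model (hypothetical names): what EL2 recorded when the guest trapped. */
enum trap_class { TRAP_NONE, TRAP_MMIO, TRAP_SYSREG, TRAP_WFX };

/* Request bit set by the EL1 side; stands in for KVM_ARM64_INCREMENT_PC. */
#define INCREMENT_PC (1u << 0)

struct vcpu_model {
	uint64_t pc;
	uint32_t flags;            /* EL1-writable request bits */
	enum trap_class last_trap; /* EL2-private: set at trap time, cleared on entry */
	bool il32;                 /* instruction length from the trap syndrome: 4 or 2 bytes */
};

/* Option #1 policy (an assumption of this model): stepping past the instruction
 * is only a sane response when the trap came from an instruction EL1 emulates. */
static bool skip_allowed(enum trap_class tc)
{
	switch (tc) {
	case TRAP_MMIO:
	case TRAP_SYSREG:
	case TRAP_WFX:
		return true;
	default:
		return false;
	}
}

/* EL2-side entry hook: honour the request only if it matches the recorded trap.
 * Returns true when the PC was advanced. The request bit is always consumed and
 * the recorded trap is always cleared, so a refused or stale request cannot be
 * replayed on a later entry. */
bool adjust_pc_checked(struct vcpu_model *v)
{
	bool advanced = false;

	if (v->flags & INCREMENT_PC) {
		if (skip_allowed(v->last_trap)) {
			v->pc += v->il32 ? 4 : 2;
			advanced = true;
		}
		v->flags &= ~INCREMENT_PC;
	}
	v->last_trap = TRAP_NONE;
	return advanced;
}
```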