| Message ID | 20201202184122.26046-1-dbrazdil@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Opt-in always-on nVHE hypervisor | expand |
On Wed, 2 Dec 2020 18:40:56 +0000, David Brazdil wrote: > As we progress towards being able to keep guest state private to the > host running nVHE hypervisor, this series allows the hypervisor to > install itself on newly booted CPUs before the host is allowed to run > on them. > > All functionality described below is opt-in, guarded by an early param > 'kvm-arm.mode=protected'. Future patches specific to the new protected > mode should be hidden behind the same param. > > [...] Applied to kvm-arm64/psci-relay, thanks! Note that although I pushed it to -next, I still need people to eyeball it and give it some Acks. The commit-IDs below will thus change as I apply tags, if any. [01/26] KVM: arm64: Add kvm-arm.mode early kernel parameter commit: 2d4b0ce5c9b62398522b4b078cfd2cc0fa3fb604 [02/26] KVM: arm64: Add ARM64_KVM_PROTECTED_MODE CPU capability commit: 44e88d43c442adcebebec5b9e23f260a03a25120 [03/26] psci: Support psci_ops.get_version for v0.1 commit: 47e4000e4f6ea4496accf7e3e68c29f38ca4e179 [04/26] psci: Split functions to v0.1 and v0.2+ variants commit: 1fbb7db86fb5f1cd7a2c9ec9c477acb67ac986a7 [05/26] psci: Replace psci_function_id array with a struct commit: c801a91084f382ab8f9707bd33e6ccb7012e1e50 [06/26] psci: Add accessor for psci_0_1_function_ids commit: 26c9988c7330b2225ba39cae9de43b0bfff57e2a [07/26] arm64: Make cpu_logical_map() take unsigned int commit: 2346f8b8ea0bb140d67ba6f06b67aec06e238dde [08/26] arm64: Extract parts of el2_setup into a macro commit: 9c322020286c60fbdd97f6a8c41362be5f4f8bb9 [09/26] KVM: arm64: Remove vector_ptr param of hyp-init commit: 1db5bd14716029c8859551e9c38fe76818959b7b [10/26] KVM: arm64: Move hyp-init params to a per-CPU struct commit: 4a836c1e69dbeb14f69d554e1fe36d2e619d94fc [11/26] KVM: arm64: Init MAIR/TCR_EL2 from params struct commit: 5e664b8539c396dbceaccb6bef2a9ed48964906a [12/26] KVM: arm64: Add .hyp.data..ro_after_init ELF section commit: 89f3705ca070900a127f181ce724aa6c1e9c9479 [13/26] KVM: arm64: Support per_cpu_ptr in nVHE hyp code commit: 2091f4271a400169d8fa8004bf743aa815c3c5d4 [14/26] KVM: arm64: Create nVHE copy of cpu_logical_map commit: 626aa81e14f9d723fe91fdb5c1030f73f929d0ad [15/26] KVM: arm64: Add SMC handler in nVHE EL2 commit: 0ec63d737071f483ab6fc63e2d9b59d0d4cc59fd [16/26] KVM: arm64: Bootstrap PSCI SMC handler in nVHE EL2 commit: 5988416e2234db36b80c510c1ae99a6de0c1431d [17/26] KVM: arm64: Add offset for hyp VA <-> PA conversion commit: bf9dc203286ce42de948dbb0d3fdaea51e2ab37f [18/26] KVM: arm64: Forward safe PSCI SMCs coming from host commit: 0e11d688605f1772098add3a755503688db2d06f [19/26] KVM: arm64: Extract __do_hyp_init into a helper function commit: 294f71ad53625f75531dd43d775efc3507cd9b0a [20/26] KVM: arm64: Add function to enter host from KVM nVHE hyp code commit: cb9773719fc405e8cc2041cd457fcd8655863a78 [21/26] KVM: arm64: Intercept host's CPU_ON SMCs commit: 6ed1b8bd3c623d4e0e4441a2a73dbda162e3ebe7 [22/26] KVM: arm64: Intercept host's CPU_SUSPEND PSCI SMCs commit: 5f51e7f65258cea36833c793625f4fb6d0e38426 [23/26] KVM: arm64: Intercept host's SYSTEM_SUSPEND PSCI SMCs commit: dfa751cfd54b3f9ac1d89050cf0ad6c6bc3a9dc5 [24/26] KVM: arm64: Keep nVHE EL2 vector installed commit: 0c8078f56aa99ab4350d9ae3dabd3504d2f11fbd [25/26] KVM: arm64: Trap host SMCs in protected mode commit: 4e3e6c3acb741a9692e0b772e92368fee85dced8 [26/26] KVM: arm64: Fix EL2 mode availability checks commit: 5e7953174eb1966d4cdc70caf3708afc8c4dd5f9 Cheers, M.
Hey Marc, On Thu, Dec 03, 2020 at 07:23:19PM +0000, Marc Zyngier wrote: > On Wed, 2 Dec 2020 18:40:56 +0000, David Brazdil wrote: > > As we progress towards being able to keep guest state private to the > > host running nVHE hypervisor, this series allows the hypervisor to > > install itself on newly booted CPUs before the host is allowed to run > > on them. > > > > All functionality described below is opt-in, guarded by an early param > > 'kvm-arm.mode=protected'. Future patches specific to the new protected > > mode should be hidden behind the same param. > > > > [...] > > Applied to kvm-arm64/psci-relay, thanks! > > Note that although I pushed it to -next, I still need people to > eyeball it and give it some Acks. The commit-IDs below will > thus change as I apply tags, if any. > I'm looking at -next and I think the merge with Mark Rutland's el2_setup refactor didn't go as planned. The `#ifdef CONFIG_ARM64_VHE` section needs to cover everything between init_el2 and init_el2_nvhe. Currently the code falls through into VHE init when CONFIG_ARM64_VHE is not set. Here's the snippet: SYM_INNER_LABEL(init_el2, SYM_L_LOCAL) #ifdef CONFIG_ARM64_VHE /* * Check for VHE being present. x2 being non-zero indicates that we * do have VHE, and that the kernel is intended to run at EL2. */ mrs x2, id_aa64mmfr1_el1 ubfx x2, x2, #ID_AA64MMFR1_VHE_SHIFT, #4 cbz x2, init_el2_nvhe #endif // <--- THIS <... initialize VHE ...> msr elr_el2, lr mov w0, #BOOT_CPU_MODE_EL2 eret // <--- NEEDS TO MOVE HERE SYM_INNER_LABEL(init_el2_nvhe, SYM_L_LOCAL) <... initialize nVHE ...> -David
On Tue, 08 Dec 2020 19:14:47 +0000, David Brazdil <dbrazdil@google.com> wrote: > > Hey Marc, > > On Thu, Dec 03, 2020 at 07:23:19PM +0000, Marc Zyngier wrote: > > On Wed, 2 Dec 2020 18:40:56 +0000, David Brazdil wrote: > > > As we progress towards being able to keep guest state private to the > > > host running nVHE hypervisor, this series allows the hypervisor to > > > install itself on newly booted CPUs before the host is allowed to run > > > on them. > > > > > > All functionality described below is opt-in, guarded by an early param > > > 'kvm-arm.mode=protected'. Future patches specific to the new protected > > > mode should be hidden behind the same param. > > > > > > [...] > > > > Applied to kvm-arm64/psci-relay, thanks! > > > > Note that although I pushed it to -next, I still need people to > > eyeball it and give it some Acks. The commit-IDs below will > > thus change as I apply tags, if any. > > > > I'm looking at -next and I think the merge with Mark Rutland's el2_setup > refactor didn't go as planned. > > The `#ifdef CONFIG_ARM64_VHE` section needs to cover everything between > init_el2 and init_el2_nvhe. Currently the code falls through into VHE init > when CONFIG_ARM64_VHE is not set. Oops, well spotted. I wasn't thinking straight. I came up with a slightly different fix though, keeping the whole of the VHE code and instead restoring the "mov x2, xzr" we had before. I've pushed something out, do yell if you spot anything else. Thanks again, M.
As we progress towards being able to keep guest state private to the host running nVHE hypervisor, this series allows the hypervisor to install itself on newly booted CPUs before the host is allowed to run on them. All functionality described below is opt-in, guarded by an early param 'kvm-arm.mode=protected'. Future patches specific to the new protected mode should be hidden behind the same param. The hypervisor starts trapping host SMCs and intercepting host's PSCI calls which boot CPUs. It replaces the host's entry point with its own, initializes the EL2 state of the new CPU and installs the nVHE hyp vector before ERETing to the host's entry point. The kernel checks new cores' features against the finalized system capabilities. To avoid the need to move this code/data to EL2, the implementation only allows to boot cores that were online at the time of KVM initialization and therefore had been checked already. Other PSCI SMCs are forwarded to EL3, though only the known set of SMCs implemented in the kernel is allowed. Non-PSCI SMCs are also forwarded to EL3. Future changes will need to ensure the safety of all SMCs wrt. protected guests. The host is still allowed to reset EL2 back to the stub vector, eg. for hibernation or kexec, but will not disable nVHE when there are no VMs. Tested on Rock Pi 4B, based on kvmarm/queue, itself on top of 5.10-rc4. Patches also available at: https://android-kvm.googlesource.com/linux topic/psci-on-master_v4 changes since v3: * generic 'kvm-arm.mode' kernel param instead of 'kvm-arm.protected' * implement SYSTEM_SUSPEND * refactor PSCI driver to expose fn IDs more cleanly * init MAIR_EL2, TCR_EL2 from nVHE params struct changes since v2: * avoid non-spec error in CPU_SUSPEND * refuse to init without PSCI * compute hyp VA args of hyp-init in hyp instead of using params struct * use hyp_symbol_addr in per-cpu calls * simplify memory.h/sysreg.h includes * rebase on kvmarm/queue, use trap handler args macros changes since v1: * early param sets a capability instead of a static key * assume SMCCC v1.2 for host SMC forwarding * fix reserved SMC ID range for PSCI * split init_el2_state into smaller macros, move to el2_setup.h * many small cleanups changes since RFC: * add early param to make features opt-in * simplify CPU_ON/SUSPEND implementation * replace spinlocks with CAS atomic * make cpu_logical_map ro_after_init David Brazdil (26): kvm: arm64: Add kvm-arm.mode early kernel parameter kvm: arm64: Add ARM64_KVM_PROTECTED_MODE CPU capability psci: Support psci_ops.get_version for v0.1 psci: Split functions to v0.1 and v0.2+ variants psci: Replace psci_function_id array with a struct psci: Add accessor for psci_0_1_function_ids arm64: Make cpu_logical_map() take unsigned int arm64: Extract parts of el2_setup into a macro kvm: arm64: Remove vector_ptr param of hyp-init kvm: arm64: Move hyp-init params to a per-CPU struct kvm: arm64: Init MAIR/TCR_EL2 from params struct kvm: arm64: Add .hyp.data..ro_after_init ELF section kvm: arm64: Support per_cpu_ptr in nVHE hyp code kvm: arm64: Create nVHE copy of cpu_logical_map kvm: arm64: Add SMC handler in nVHE EL2 kvm: arm64: Bootstrap PSCI SMC handler in nVHE EL2 kvm: arm64: Add offset for hyp VA <-> PA conversion kvm: arm64: Forward safe PSCI SMCs coming from host kvm: arm64: Extract __do_hyp_init into a helper function kvm: arm64: Add function to enter host from KVM nVHE hyp code kvm: arm64: Intercept host's CPU_ON SMCs kvm: arm64: Intercept host's CPU_SUSPEND PSCI SMCs kvm: arm64: Intercept host's SYSTEM_SUSPEND PSCI SMCs kvm: arm64: Keep nVHE EL2 vector installed kvm: arm64: Trap host SMCs in protected mode kvm: arm64: Fix EL2 mode availability checks .../admin-guide/kernel-parameters.txt | 10 + arch/arm64/include/asm/cpucaps.h | 3 +- arch/arm64/include/asm/el2_setup.h | 182 ++++++++++ arch/arm64/include/asm/kvm_arm.h | 1 + arch/arm64/include/asm/kvm_asm.h | 10 +- arch/arm64/include/asm/kvm_host.h | 10 + arch/arm64/include/asm/kvm_hyp.h | 4 +- arch/arm64/include/asm/kvm_mmu.h | 24 ++ arch/arm64/include/asm/percpu.h | 6 + arch/arm64/include/asm/sections.h | 1 + arch/arm64/include/asm/smp.h | 4 +- arch/arm64/include/asm/virt.h | 26 ++ arch/arm64/kernel/asm-offsets.c | 5 + arch/arm64/kernel/cpufeature.c | 22 ++ arch/arm64/kernel/head.S | 144 +------- arch/arm64/kernel/image-vars.h | 6 +- arch/arm64/kernel/setup.c | 2 +- arch/arm64/kernel/vmlinux.lds.S | 10 + arch/arm64/kvm/arm.c | 139 +++++++- .../arm64/kvm/hyp/include/nvhe/trap_handler.h | 18 + arch/arm64/kvm/hyp/nvhe/Makefile | 3 +- arch/arm64/kvm/hyp/nvhe/host.S | 47 +++ arch/arm64/kvm/hyp/nvhe/hyp-init.S | 152 +++++--- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 45 ++- arch/arm64/kvm/hyp/nvhe/hyp-smp.c | 40 +++ arch/arm64/kvm/hyp/nvhe/hyp.lds.S | 1 + arch/arm64/kvm/hyp/nvhe/psci-relay.c | 324 ++++++++++++++++++ arch/arm64/kvm/hyp/nvhe/switch.c | 5 +- arch/arm64/kvm/va_layout.c | 30 +- drivers/firmware/psci/psci.c | 126 ++++--- include/linux/psci.h | 9 + 31 files changed, 1150 insertions(+), 259 deletions(-) create mode 100644 arch/arm64/include/asm/el2_setup.h create mode 100644 arch/arm64/kvm/hyp/include/nvhe/trap_handler.h create mode 100644 arch/arm64/kvm/hyp/nvhe/hyp-smp.c create mode 100644 arch/arm64/kvm/hyp/nvhe/psci-relay.c -- 2.29.2.454.gaff20da3a2-goog