From patchwork Tue Jun 8 14:11:28 2021
X-Patchwork-Submitter: Fuad Tabba
X-Patchwork-Id: 12306917
Date: Tue, 8 Jun 2021 15:11:28 +0100
Message-Id: <20210608141141.997398-1-tabba@google.com>
Subject: [PATCH v1 00/13] KVM: arm64: Fixed features for protected VMs
From: Fuad Tabba
To: kvmarm@lists.cs.columbia.edu
Cc: maz@kernel.org, will@kernel.org, james.morse@arm.com,
 alexandru.elisei@arm.com, suzuki.poulose@arm.com, mark.rutland@arm.com,
 christoffer.dall@arm.com, pbonzini@redhat.com, qperret@google.com,
 kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
 kernel-team@android.com, tabba@google.com

Hi,

This patch series adds support for restricting CPU features for protected
VMs in KVM [1].

Various feature configurations are allowed in KVM/arm64. Supporting all
these features in pKVM is difficult, as it either involves moving much of
the handling code to EL2, which adds bloat and results in a less verifiable
trusted code base. Or it involves leaving the code handling at EL1, which
risks having an untrusted host kernel feeding wrong information to the EL2
and to the protected guests.

This series attempts to mitigate this by reducing the configuration space,
providing a reduced amount of feature support at EL2 with the least amount
of compromise of protected guests' capabilities.

This is done by restricting CPU features exposed to protected guests through
feature registers. These restrictions are enforced by trapping register
accesses as well as instructions associated with these features, and
injecting an undefined exception into the guest if it attempts to use a
restricted feature.

The features being restricted (only for protected VMs in protected mode) are
the following:
- Debug, Trace, and DoubleLock
- Performance Monitoring (PMU)
- Statistical Profiling (SPE)
- Scalable Vector Extension (SVE)
- Memory Partitioning and Monitoring (MPAM)
- Activity Monitoring (AMU)
- Memory Tagging (MTE)
- Limited Ordering Regions (LOR)
- AArch32 State
- Generic Interrupt Controller (GIC) (depending on rVIC support)
- Nested Virtualization (NV)
- Reliability, Availability, and Serviceability (RAS) above V1
- Implementation-defined Features

This series is based on kvmarm/next and Will's patches for an Initial pKVM
user ABI [1]. You can find the applied series here [2].

Cheers,
/fuad

[1] https://lore.kernel.org/kvmarm/20210603183347.1695-1-will@kernel.org/

For more details about pKVM, please refer to Will's talk at KVM Forum 2020:
https://www.youtube.com/watch?v=edqJSzsDRxk

[2] https://android-kvm.googlesource.com/linux/+/refs/heads/tabba/el2_fixed_feature_v1

To: kvmarm@lists.cs.columbia.edu
Cc: Marc Zyngier
Cc: Will Deacon
Cc: James Morse
Cc: Alexandru Elisei
Cc: Suzuki K Poulose
Cc: Mark Rutland
Cc: Christoffer Dall
Cc: Paolo Bonzini
Cc: Quentin Perret
Cc: kvm@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: kernel-team@android.com

Fuad Tabba (13):
  KVM: arm64: Remove trailing whitespace in comments
  KVM: arm64: MDCR_EL2 is a 64-bit register
  KVM: arm64: Fix name of HCR_TACR to match the spec
  KVM: arm64: Refactor sys_regs.h,c for nVHE reuse
  KVM: arm64: Restore mdcr_el2 from vcpu
  KVM: arm64: Add feature register flag definitions
  KVM: arm64: Add config register bit definitions
  KVM: arm64: Guest exit handlers for nVHE hyp
  KVM: arm64: Add trap handlers for protected VMs
  KVM: arm64: Move sanitized copies of CPU features
  KVM: arm64: Trap access to pVM restricted features
  KVM: arm64: Handle protected guests at 32 bits
  KVM: arm64: Check vcpu features at pVM creation

 arch/arm64/include/asm/kvm_arm.h        |  34 +-
 arch/arm64/include/asm/kvm_asm.h        |   2 +-
 arch/arm64/include/asm/kvm_host.h       |   2 +-
 arch/arm64/include/asm/kvm_hyp.h        |   4 +
 arch/arm64/include/asm/sysreg.h         |   6 +
 arch/arm64/kvm/arm.c                    |   4 +
 arch/arm64/kvm/debug.c                  |   5 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h |  42 ++
 arch/arm64/kvm/hyp/nvhe/Makefile        |   2 +-
 arch/arm64/kvm/hyp/nvhe/debug-sr.c      |   2 +-
 arch/arm64/kvm/hyp/nvhe/mem_protect.c   |   6 -
 arch/arm64/kvm/hyp/nvhe/switch.c        | 114 +++++-
 arch/arm64/kvm/hyp/nvhe/sys_regs.c      | 501 ++++++++++++++++++++++++
 arch/arm64/kvm/hyp/vhe/debug-sr.c       |   2 +-
 arch/arm64/kvm/pkvm.c                   |  31 ++
 arch/arm64/kvm/sys_regs.c               |  62 +--
 arch/arm64/kvm/sys_regs.h               |  35 ++
 17 files changed, 782 insertions(+), 72 deletions(-)
 create mode 100644 arch/arm64/kvm/hyp/nvhe/sys_regs.c

base-commit: 35b256a5eebe3ac715b4ea6234aa4236a10d1a88
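
Added illustration, not code from this series: a small C model of the approach the cover letter describes, where the hypervisor computes the ID_AA64PFR0_EL1 value a protected guest sees and derives the trap decision from that same value. The function names, the trap_action enum and SAMPLE_HW are hypothetical; the field offsets are the architectural ones, and only the SVE, MPAM, AMU, RAS and EL0/EL1 fields are modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural 4-bit field offsets in ID_AA64PFR0_EL1. */
enum { PFR0_EL0 = 0, PFR0_EL1 = 4, PFR0_RAS = 28,
       PFR0_SVE = 32, PFR0_MPAM = 40, PFR0_AMU = 44 };
enum trap_action { TRAP_ALLOW, TRAP_INJECT_UNDEF };  /* hypothetical names */

/* Constructed sample: EL0=EL1=2 (AArch32 capable), RAS=2, SVE=MPAM=AMU=1, CSV2=1. */
#define SAMPLE_HW 0x0100110120000022ULL

static uint64_t get_field(uint64_t v, unsigned shift)
{
    return (v >> shift) & 0xfULL;
}

/* Lower an unsigned ID field to at most max; max == 0 hides the feature. */
static uint64_t cap_field(uint64_t v, unsigned shift, uint64_t max)
{
    uint64_t f = get_field(v, shift);
    return (v & ~(0xfULL << shift)) | ((f > max ? max : f) << shift);
}

/* Hypothetical helper: the ID_AA64PFR0_EL1 value a protected guest reads. */
uint64_t pvm_id_aa64pfr0(uint64_t v)
{
    v = cap_field(v, PFR0_SVE, 0);   /* SVE hidden */
    v = cap_field(v, PFR0_MPAM, 0);  /* MPAM hidden */
    v = cap_field(v, PFR0_AMU, 0);   /* AMU hidden */
    v = cap_field(v, PFR0_RAS, 1);   /* nothing above RAS v1 */
    v = cap_field(v, PFR0_EL0, 1);   /* EL0: AArch64 only */
    v = cap_field(v, PFR0_EL1, 1);   /* EL1: AArch64 only */
    return v;
}

/* Trap policy keyed on the guest-visible value, so what the guest is told
 * and what it may use cannot drift apart: hidden feature => undef. */
enum trap_action pvm_feature_trap(uint64_t guest_pfr0, unsigned shift)
{
    return get_field(guest_pfr0, shift) ? TRAP_ALLOW : TRAP_INJECT_UNDEF;
}

int main(void)
{
    uint64_t g = pvm_id_aa64pfr0(SAMPLE_HW);
    printf("hw=%#llx guest=%#llx sve_trap=%d\n", (unsigned long long)SAMPLE_HW,
           (unsigned long long)g, (int)pvm_feature_trap(g, PFR0_SVE));
    return 0;
}
```

Fields that are not on the restricted list (CSV2 in the sample) pass through unchanged, which is the property to check when reviewing a mask like this.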