From patchwork Mon Jul 19 16:03:31 2021
X-Patchwork-Submitter: Fuad Tabba
X-Patchwork-Id: 12386169
Date: Mon, 19 Jul 2021 17:03:31 +0100
Message-Id: <20210719160346.609914-1-tabba@google.com>
Subject: [PATCH v3 00/15] KVM: arm64: Fixed features for protected VMs
From: Fuad Tabba
To: kvmarm@lists.cs.columbia.edu
Cc: maz@kernel.org, will@kernel.org, james.morse@arm.com,
 alexandru.elisei@arm.com, suzuki.poulose@arm.com, mark.rutland@arm.com,
 christoffer.dall@arm.com, pbonzini@redhat.com, drjones@redhat.com,
 qperret@google.com, kvm@vger.kernel.org,
 linux-arm-kernel@lists.infradead.org, kernel-team@android.com,
 tabba@google.com

Hi,

Changes since v2 [1]:
- Both trapping and setting of feature id registers are toggled by an allowed
  features bitmap of the feature id registers (Will)
- Documentation explaining the rationale behind allowed/blocked features (Drew)
- Restrict protected VM features by checking and restricting VM capabilities
- Misc small fixes and tidying up (mostly Will)
- Remove dependency on Will's protected VM user ABI series [2]
- Rebase on 5.14-rc2
- Carried Will's acks

Changes since v1 [3]:
- Restrict protected VM features based on an allowed features rather than
  rejected ones (Drew)
- Add more background describing protected KVM to the cover letter (Alex)

This patch series adds support for restricting CPU features for protected VMs
in KVM (pKVM) [4].

Various VM feature configurations are allowed in KVM/arm64, each requiring
specific handling logic to deal with traps, context-switching and potentially
emulation. Achieving feature parity in pKVM therefore requires either elevating
this logic to EL2 (and substantially increasing the TCB) or continuing to trust
the host handlers at EL1. Since neither of these options are especially
appealing, pKVM instead limits the CPU features exposed to a guest to a fixed
configuration based on the underlying hardware and which can mostly be provided
straightforwardly by EL2.

This series approaches that by restricting CPU features exposed to protected
guests. Features advertised through feature registers are limited, which pKVM
enforces by trapping register accesses and instructions associated with these
features.

This series is based on 5.14-rc2. You can find the applied series here [5].

Cheers,
/fuad

[1] https://lore.kernel.org/kvmarm/20210615133950.693489-1-tabba@google.com/

[2] https://lore.kernel.org/kvmarm/20210603183347.1695-1-will@kernel.org/

[3] https://lore.kernel.org/kvmarm/20210608141141.997398-1-tabba@google.com/

[4] Once complete, protected KVM adds the ability to create protected VMs.
These protected VMs are protected from the host Linux kernel (and from other
VMs), where the host does not have access to guest memory, even if compromised.
Normal (nVHE) guests can still be created and run in parallel with protected
VMs. Their functionality should not be affected.

For protected VMs, the host should not even have access to a protected guest's
state or anything that would enable it to manipulate it (e.g., vcpu register
context and el2 system registers); only hyp would have that access. If the host
could access that state, then it might be able to get around the protection
provided. Therefore, anything that is sensitive and that would require such
access needs to happen at hyp, hence the code in nvhe running only at hyp.

For more details about pKVM, please refer to Will's talk at KVM Forum 2020:
https://mirrors.edge.kernel.org/pub/linux/kernel/people/will/slides/kvmforum-2020-edited.pdf
https://www.youtube.com/watch?v=edqJSzsDRxk

[5] https://android-kvm.googlesource.com/linux/+/refs/heads/tabba/el2_fixed_feature_v3

Fuad Tabba (15):
  KVM: arm64: placeholder to check if VM is protected
  KVM: arm64: Remove trailing whitespace in comment
  KVM: arm64: MDCR_EL2 is a 64-bit register
  KVM: arm64: Fix names of config register fields
  KVM: arm64: Refactor sys_regs.h,c for nVHE reuse
  KVM: arm64: Restore mdcr_el2 from vcpu
  KVM: arm64: Track value of cptr_el2 in struct kvm_vcpu_arch
  KVM: arm64: Add feature register flag definitions
  KVM: arm64: Add config register bit definitions
  KVM: arm64: Guest exit handlers for nVHE hyp
  KVM: arm64: Add trap handlers for protected VMs
  KVM: arm64: Move sanitized copies of CPU features
  KVM: arm64: Trap access to pVM restricted features
  KVM: arm64: Handle protected guests at 32 bits
  KVM: arm64: Restrict protected VM capabilities

 arch/arm64/include/asm/cpufeature.h       |   4 +-
 arch/arm64/include/asm/kvm_arm.h          |  54 ++-
 arch/arm64/include/asm/kvm_asm.h          |   2 +-
 arch/arm64/include/asm/kvm_fixed_config.h | 188 +++++++++
 arch/arm64/include/asm/kvm_host.h         |  15 +-
 arch/arm64/include/asm/kvm_hyp.h          |   5 +-
 arch/arm64/include/asm/sysreg.h           |  15 +-
 arch/arm64/kernel/cpufeature.c            |   8 +-
 arch/arm64/kvm/Makefile                   |   2 +-
 arch/arm64/kvm/arm.c                      |  75 +++-
 arch/arm64/kvm/debug.c                    |   2 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h   |  76 +++-
 arch/arm64/kvm/hyp/nvhe/Makefile          |   2 +-
 arch/arm64/kvm/hyp/nvhe/debug-sr.c        |   2 +-
 arch/arm64/kvm/hyp/nvhe/mem_protect.c     |   6 -
 arch/arm64/kvm/hyp/nvhe/switch.c          |  72 +++-
 arch/arm64/kvm/hyp/nvhe/sys_regs.c        | 445 ++++++++++++++++++++++
 arch/arm64/kvm/hyp/vhe/debug-sr.c         |   2 +-
 arch/arm64/kvm/hyp/vhe/switch.c           |  12 +-
 arch/arm64/kvm/hyp/vhe/sysreg-sr.c        |   2 +-
 arch/arm64/kvm/pkvm.c                     | 213 +++++++++++
 arch/arm64/kvm/sys_regs.c                 |  34 +-
 arch/arm64/kvm/sys_regs.h                 |  31 ++
 23 files changed, 1172 insertions(+), 95 deletions(-)
 create mode 100644 arch/arm64/include/asm/kvm_fixed_config.h
 create mode 100644 arch/arm64/kvm/hyp/nvhe/sys_regs.c
 create mode 100644 arch/arm64/kvm/pkvm.c

base-commit: 2734d6c1b1a089fb593ef6a23d4b70903526fe0c
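
A simplified user-space model of the allowed-features bitmap described in the cover letter above, added here as an illustration and not code from this series: one bitmap decides both what a protected guest reads from a feature ID register and which traps are armed. The field offsets and CPTR_EL2 bits are architectural; the mask contents, function names and sample register value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural 4-bit field offsets in ID_AA64PFR0_EL1. */
#define PFR0_EL0      0
#define PFR0_EL1      4
#define PFR0_FP       16
#define PFR0_ADVSIMD  20
#define PFR0_SVE      32
#define PFR0_AMU      44
#define FIELD(shift)  (0xfULL << (shift))

/* Architectural CPTR_EL2 trap bits (nVHE layout). */
#define CPTR_EL2_TZ   (1ULL << 8)   /* trap SVE accesses to EL2 */
#define CPTR_EL2_TAM  (1ULL << 30)  /* trap activity monitor accesses */

/* Hypothetical allow bitmap: one all-ones field per permitted feature. */
#define PVM_PFR0_ALLOW \
	(FIELD(PFR0_EL0) | FIELD(PFR0_EL1) | FIELD(PFR0_FP) | FIELD(PFR0_ADVSIMD))

/* Constructed host value: SVE, AMU, RAS, GIC, EL2 and EL3 all present. */
#define SAMPLE_HW_PFR0 0x0000100121001111ULL

/*
 * Value a protected guest reads from the ID register. Clearing a field to 0
 * hides a feature only for unsigned fields; FP and AdvSIMD use 0xf for
 * "not implemented", so they cannot be hidden by masking alone.
 */
uint64_t pvm_id_reg_view(uint64_t hw, uint64_t allow)
{
	return hw & allow;
}

/* The same bitmap drives trapping: a hidden feature gets its trap bit set. */
uint64_t pvm_cptr_traps(uint64_t allow)
{
	uint64_t cptr = 0;

	if (!(allow & FIELD(PFR0_SVE)))
		cptr |= CPTR_EL2_TZ;
	if (!(allow & FIELD(PFR0_AMU)))
		cptr |= CPTR_EL2_TAM;
	return cptr;
}

int main(void)
{
	printf("guest ID_AA64PFR0_EL1 = %#llx\n",
	       (unsigned long long)pvm_id_reg_view(SAMPLE_HW_PFR0, PVM_PFR0_ALLOW));
	printf("CPTR_EL2 trap bits    = %#llx\n",
	       (unsigned long long)pvm_cptr_traps(PVM_PFR0_ALLOW));
	return 0;
}
```

Deriving the trap configuration from the same mask that filters the ID register keeps the two from drifting apart, so a feature cannot end up hidden from the guest's view while its instructions still execute untrapped.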