Message ID | 20210603183347.1695-4-will@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | kvm/arm64: Initial pKVM user ABI | expand |
On Thu, Jun 03, 2021 at 07:33:46PM +0100, Will Deacon wrote: > Add support for a "linux,pkvm-guest-firmware-memory" reserved memory > region, which can be used to identify a firmware image for protected > VMs. The idea that the guest's FW comes from the host's FW strikes me as unusual; what's the rationale for this coming from the host FW? IIUC other confidential compute VM environments allow you to load up whatever virtual FW you want, but this is measured such that the virtual FW used can be attested. Thanks, Mark. > > Signed-off-by: Will Deacon <will@kernel.org> > --- > arch/arm64/kvm/Makefile | 2 +- > arch/arm64/kvm/pkvm.c | 52 +++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 53 insertions(+), 1 deletion(-) > create mode 100644 arch/arm64/kvm/pkvm.c > > diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile > index 589921392cb1..61e054411831 100644 > --- a/arch/arm64/kvm/Makefile > +++ b/arch/arm64/kvm/Makefile > @@ -14,7 +14,7 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o $(KVM)/eventfd.o \ > $(KVM)/vfio.o $(KVM)/irqchip.o \ > arm.o mmu.o mmio.o psci.o perf.o hypercalls.o pvtime.o \ > inject_fault.o va_layout.o handle_exit.o \ > - guest.o debug.o reset.o sys_regs.o \ > + guest.o debug.o pkvm.o reset.o sys_regs.o \ > vgic-sys-reg-v3.o fpsimd.o pmu.o \ > arch_timer.o trng.o\ > vgic/vgic.o vgic/vgic-init.o \ > diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c > new file mode 100644 > index 000000000000..7af5d03a3941 > --- /dev/null > +++ b/arch/arm64/kvm/pkvm.c > @@ -0,0 +1,52 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/* > + * KVM host (EL1) interface to Protected KVM (pkvm) code at EL2. > + * > + * Copyright (C) 2021 Google LLC > + * Author: Will Deacon <will@kernel.org> > + */ > + > +#include <linux/kvm_host.h> > +#include <linux/mm.h> > +#include <linux/of_fdt.h> > +#include <linux/of_reserved_mem.h> > + > +static struct reserved_mem *pkvm_firmware_mem; > + > +static int __init pkvm_firmware_rmem_err(struct reserved_mem *rmem, > + const char *reason) > +{ > + phys_addr_t end = rmem->base + rmem->size; > + > + kvm_err("Ignoring pkvm guest firmware memory reservation [%pa - %pa]: %s\n", > + &rmem->base, &end, reason); > + return -EINVAL; > +} > + > +static int __init pkvm_firmware_rmem_init(struct reserved_mem *rmem) > +{ > + unsigned long node = rmem->fdt_node; > + > + if (kvm_get_mode() != KVM_MODE_PROTECTED) > + return pkvm_firmware_rmem_err(rmem, "protected mode not enabled"); > + > + if (pkvm_firmware_mem) > + return pkvm_firmware_rmem_err(rmem, "duplicate reservation"); > + > + if (!of_get_flat_dt_prop(node, "no-map", NULL)) > + return pkvm_firmware_rmem_err(rmem, "missing \"no-map\" property"); > + > + if (of_get_flat_dt_prop(node, "reusable", NULL)) > + return pkvm_firmware_rmem_err(rmem, "\"reusable\" property unsupported"); > + > + if (!PAGE_ALIGNED(rmem->base)) > + return pkvm_firmware_rmem_err(rmem, "base is not page-aligned"); > + > + if (!PAGE_ALIGNED(rmem->size)) > + return pkvm_firmware_rmem_err(rmem, "size is not page-aligned"); > + > + pkvm_firmware_mem = rmem; > + return 0; > +} > +RESERVEDMEM_OF_DECLARE(pkvm_firmware, "linux,pkvm-guest-firmware-memory", > + pkvm_firmware_rmem_init); > -- > 2.32.0.rc0.204.g9fa02ecfa5-goog >
Hi Mark, On Fri, Jun 04, 2021 at 03:21:41PM +0100, Mark Rutland wrote: > On Thu, Jun 03, 2021 at 07:33:46PM +0100, Will Deacon wrote: > > Add support for a "linux,pkvm-guest-firmware-memory" reserved memory > > region, which can be used to identify a firmware image for protected > > VMs. > > The idea that the guest's FW comes from the host's FW strikes me as > unusual; what's the rationale for this coming from the host FW? IIUC > other confidential compute VM environments allow you to load up whatever > virtual FW you want, but this is measured such that the virtual FW used > can be attested. The rationale is that, as far as possible, we're trying to keep the EL2 code simple and agnostic of the guest and the SoC. We therefore assign validation of the guest payload to this firmware image which is executed when first entering the guest and made inaccessible to the host kernel as part of the deprivilege operation during boot. The VMM could still provide its own virtual firmware, which would then be measured by the firmware here and chainloaded. We just deprivilege that logic from EL2 to EL1. For pKVM on Android, it is the Android Bootloader which loads both the host kernel and the guest firmware (which is actually just u-boot). Before entering the host, it verifies and measures the guest firmware, appending secrets to the reserved memory region which are later used by the firmware to generate per-VM identities. These certificates are then used by the guest to establish a communication channel with Android's "Keymint" [1] HAL on the host and get access to hardware-backed key resources. That way we have a certificate chain which ties directly into Android Verified Boot [2] and extends to the guest payload without KVM having to be aware of any of it. Since this is all pretty specific to Android, delegating it to the firmware allows others to use their own mechanisms without bloating the privileged code at EL2 or enforcing a specific flow. A straightforward extension in future would be to make this firmware optional when spawning a protected VM, but since we have no need for that in Android (where we require the firmware), we elected to keep things minimal at first. Cheers, Will [1] https://source.android.com/security/keystore [2] https://source.android.com/security/verifiedboot
diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile index 589921392cb1..61e054411831 100644 --- a/arch/arm64/kvm/Makefile +++ b/arch/arm64/kvm/Makefile @@ -14,7 +14,7 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o $(KVM)/eventfd.o \ $(KVM)/vfio.o $(KVM)/irqchip.o \ arm.o mmu.o mmio.o psci.o perf.o hypercalls.o pvtime.o \ inject_fault.o va_layout.o handle_exit.o \ - guest.o debug.o reset.o sys_regs.o \ + guest.o debug.o pkvm.o reset.o sys_regs.o \ vgic-sys-reg-v3.o fpsimd.o pmu.o \ arch_timer.o trng.o\ vgic/vgic.o vgic/vgic-init.o \ diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c new file mode 100644 index 000000000000..7af5d03a3941 --- /dev/null +++ b/arch/arm64/kvm/pkvm.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * KVM host (EL1) interface to Protected KVM (pkvm) code at EL2. + * + * Copyright (C) 2021 Google LLC + * Author: Will Deacon <will@kernel.org> + */ + +#include <linux/kvm_host.h> +#include <linux/mm.h> +#include <linux/of_fdt.h> +#include <linux/of_reserved_mem.h> + +static struct reserved_mem *pkvm_firmware_mem; + +static int __init pkvm_firmware_rmem_err(struct reserved_mem *rmem, + const char *reason) +{ + phys_addr_t end = rmem->base + rmem->size; + + kvm_err("Ignoring pkvm guest firmware memory reservation [%pa - %pa]: %s\n", + &rmem->base, &end, reason); + return -EINVAL; +} + +static int __init pkvm_firmware_rmem_init(struct reserved_mem *rmem) +{ + unsigned long node = rmem->fdt_node; + + if (kvm_get_mode() != KVM_MODE_PROTECTED) + return pkvm_firmware_rmem_err(rmem, "protected mode not enabled"); + + if (pkvm_firmware_mem) + return pkvm_firmware_rmem_err(rmem, "duplicate reservation"); + + if (!of_get_flat_dt_prop(node, "no-map", NULL)) + return pkvm_firmware_rmem_err(rmem, "missing \"no-map\" property"); + + if (of_get_flat_dt_prop(node, "reusable", NULL)) + return pkvm_firmware_rmem_err(rmem, "\"reusable\" property unsupported"); + + if (!PAGE_ALIGNED(rmem->base)) + return pkvm_firmware_rmem_err(rmem, "base is not page-aligned"); + + if (!PAGE_ALIGNED(rmem->size)) + return pkvm_firmware_rmem_err(rmem, "size is not page-aligned"); + + pkvm_firmware_mem = rmem; + return 0; +} +RESERVEDMEM_OF_DECLARE(pkvm_firmware, "linux,pkvm-guest-firmware-memory", + pkvm_firmware_rmem_init);
Add support for a "linux,pkvm-guest-firmware-memory" reserved memory region, which can be used to identify a firmware image for protected VMs. Signed-off-by: Will Deacon <will@kernel.org> --- arch/arm64/kvm/Makefile | 2 +- arch/arm64/kvm/pkvm.c | 52 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 arch/arm64/kvm/pkvm.c