| Message ID | 20210922124704.600087-13-tabba@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | KVM: arm64: Fixed features for protected VMs | expand |
On Wed, 22 Sep 2021 13:47:04 +0100, Fuad Tabba <tabba@google.com> wrote: > > Protected KVM does not support protected AArch32 guests. However, > it is possible for the guest to force run AArch32, potentially > causing problems. Add an extra check so that if the hypervisor > catches the guest doing that, it can prevent the guest from > running again by resetting vcpu->arch.target and returning > ARM_EXCEPTION_IL. > > If this were to happen, The VMM can try and fix it by re- > initializing the vcpu with KVM_ARM_VCPU_INIT, however, this is > likely not possible for protected VMs. > > Adapted from commit 22f553842b14 ("KVM: arm64: Handle Asymmetric > AArch32 systems") > > Signed-off-by: Fuad Tabba <tabba@google.com> > --- > arch/arm64/kvm/hyp/nvhe/switch.c | 40 ++++++++++++++++++++++++++++++++ > 1 file changed, 40 insertions(+) > > diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c > index 2bf5952f651b..d66226e49013 100644 > --- a/arch/arm64/kvm/hyp/nvhe/switch.c > +++ b/arch/arm64/kvm/hyp/nvhe/switch.c > @@ -235,6 +235,43 @@ static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm *kvm) > return hyp_exit_handlers; > } > > +/* > + * Some guests (e.g., protected VMs) might not be allowed to run in AArch32. > + * The ARMv8 architecture does not give the hypervisor a mechanism to prevent a > + * guest from dropping to AArch32 EL0 if implemented by the CPU. If the > + * hypervisor spots a guest in such a state ensure it is handled, and don't > + * trust the host to spot or fix it. The check below is based on the one in > + * kvm_arch_vcpu_ioctl_run(). > + * > + * Returns false if the guest ran in AArch32 when it shouldn't have, and > + * thus should exit to the host, or true if a the guest run loop can continue. > + */ > +static bool handle_aarch32_guest(struct kvm_vcpu *vcpu, u64 *exit_code) > +{ > + struct kvm *kvm = (struct kvm *) kern_hyp_va(vcpu->kvm); There is no need for an extra cast. kern_hyp_va() already provides a cast to the type of the parameter. > + bool is_aarch32_allowed = > + FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL0), > + get_pvm_id_aa64pfr0(vcpu)) >= > + ID_AA64PFR0_ELx_32BIT_64BIT; > + > + > + if (kvm_vm_is_protected(kvm) && > + vcpu_mode_is_32bit(vcpu) && > + !is_aarch32_allowed) { Do we really need to go through this is_aarch32_allowed check? Protected VMs don't have AArch32, and we don't have the infrastructure to handle 32bit at all. For non-protected VMs, we already have what we need at EL1. So the extra check only adds complexity. > + /* > + * As we have caught the guest red-handed, decide that it isn't > + * fit for purpose anymore by making the vcpu invalid. The VMM > + * can try and fix it by re-initializing the vcpu with > + * KVM_ARM_VCPU_INIT, however, this is likely not possible for > + * protected VMs. > + */ > + vcpu->arch.target = -1; > + *exit_code = ARM_EXCEPTION_IL; > + return false; > + } > + > + return true; > +} > + > /* Switch to the guest for legacy non-VHE systems */ > int __kvm_vcpu_run(struct kvm_vcpu *vcpu) > { > @@ -297,6 +334,9 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) > /* Jump in the fire! */ > exit_code = __guest_enter(vcpu); > > + if (unlikely(!handle_aarch32_guest(vcpu, &exit_code))) > + break; > + > /* And we're baaack! */ > } while (fixup_guest_exit(vcpu, &exit_code)); > Thanks, M.
Hi Marc, On Tue, Oct 5, 2021 at 9:48 AM Marc Zyngier <maz@kernel.org> wrote: > > On Wed, 22 Sep 2021 13:47:04 +0100, > Fuad Tabba <tabba@google.com> wrote: > > > > Protected KVM does not support protected AArch32 guests. However, > > it is possible for the guest to force run AArch32, potentially > > causing problems. Add an extra check so that if the hypervisor > > catches the guest doing that, it can prevent the guest from > > running again by resetting vcpu->arch.target and returning > > ARM_EXCEPTION_IL. > > > > If this were to happen, The VMM can try and fix it by re- > > initializing the vcpu with KVM_ARM_VCPU_INIT, however, this is > > likely not possible for protected VMs. > > > > Adapted from commit 22f553842b14 ("KVM: arm64: Handle Asymmetric > > AArch32 systems") > > > > Signed-off-by: Fuad Tabba <tabba@google.com> > > --- > > arch/arm64/kvm/hyp/nvhe/switch.c | 40 ++++++++++++++++++++++++++++++++ > > 1 file changed, 40 insertions(+) > > > > diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c > > index 2bf5952f651b..d66226e49013 100644 > > --- a/arch/arm64/kvm/hyp/nvhe/switch.c > > +++ b/arch/arm64/kvm/hyp/nvhe/switch.c > > @@ -235,6 +235,43 @@ static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm *kvm) > > return hyp_exit_handlers; > > } > > > > +/* > > + * Some guests (e.g., protected VMs) might not be allowed to run in AArch32. > > + * The ARMv8 architecture does not give the hypervisor a mechanism to prevent a > > + * guest from dropping to AArch32 EL0 if implemented by the CPU. If the > > + * hypervisor spots a guest in such a state ensure it is handled, and don't > > + * trust the host to spot or fix it. The check below is based on the one in > > + * kvm_arch_vcpu_ioctl_run(). > > + * > > + * Returns false if the guest ran in AArch32 when it shouldn't have, and > > + * thus should exit to the host, or true if a the guest run loop can continue. > > + */ > > +static bool handle_aarch32_guest(struct kvm_vcpu *vcpu, u64 *exit_code) > > +{ > > + struct kvm *kvm = (struct kvm *) kern_hyp_va(vcpu->kvm); > > There is no need for an extra cast. kern_hyp_va() already provides a > cast to the type of the parameter. Will drop it. > > + bool is_aarch32_allowed = > > + FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL0), > > + get_pvm_id_aa64pfr0(vcpu)) >= > > + ID_AA64PFR0_ELx_32BIT_64BIT; > > + > > + > > + if (kvm_vm_is_protected(kvm) && > > + vcpu_mode_is_32bit(vcpu) && > > + !is_aarch32_allowed) { > > Do we really need to go through this is_aarch32_allowed check? > Protected VMs don't have AArch32, and we don't have the infrastructure > to handle 32bit at all. For non-protected VMs, we already have what we > need at EL1. So the extra check only adds complexity. No. I could change it to a build-time assertion just to make sure that AArch32 is not allowed instead. Thanks, /fuad > > + /* > > + * As we have caught the guest red-handed, decide that it isn't > > + * fit for purpose anymore by making the vcpu invalid. The VMM > > + * can try and fix it by re-initializing the vcpu with > > + * KVM_ARM_VCPU_INIT, however, this is likely not possible for > > + * protected VMs. > > + */ > > + vcpu->arch.target = -1; > > + *exit_code = ARM_EXCEPTION_IL; > > + return false; > > + } > > + > > + return true; > > +} > > + > > /* Switch to the guest for legacy non-VHE systems */ > > int __kvm_vcpu_run(struct kvm_vcpu *vcpu) > > { > > @@ -297,6 +334,9 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) > > /* Jump in the fire! */ > > exit_code = __guest_enter(vcpu); > > > > + if (unlikely(!handle_aarch32_guest(vcpu, &exit_code))) > > + break; > > + > > /* And we're baaack! */ > > } while (fixup_guest_exit(vcpu, &exit_code)); > > > > Thanks, > > M. > > -- > Without deviation from the norm, progress is not possible.
diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c index 2bf5952f651b..d66226e49013 100644 --- a/arch/arm64/kvm/hyp/nvhe/switch.c +++ b/arch/arm64/kvm/hyp/nvhe/switch.c @@ -235,6 +235,43 @@ static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm *kvm) return hyp_exit_handlers; } +/* + * Some guests (e.g., protected VMs) might not be allowed to run in AArch32. + * The ARMv8 architecture does not give the hypervisor a mechanism to prevent a + * guest from dropping to AArch32 EL0 if implemented by the CPU. If the + * hypervisor spots a guest in such a state ensure it is handled, and don't + * trust the host to spot or fix it. The check below is based on the one in + * kvm_arch_vcpu_ioctl_run(). + * + * Returns false if the guest ran in AArch32 when it shouldn't have, and + * thus should exit to the host, or true if a the guest run loop can continue. + */ +static bool handle_aarch32_guest(struct kvm_vcpu *vcpu, u64 *exit_code) +{ + struct kvm *kvm = (struct kvm *) kern_hyp_va(vcpu->kvm); + bool is_aarch32_allowed = + FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL0), + get_pvm_id_aa64pfr0(vcpu)) >= + ID_AA64PFR0_ELx_32BIT_64BIT; + + if (kvm_vm_is_protected(kvm) && + vcpu_mode_is_32bit(vcpu) && + !is_aarch32_allowed) { + /* + * As we have caught the guest red-handed, decide that it isn't + * fit for purpose anymore by making the vcpu invalid. The VMM + * can try and fix it by re-initializing the vcpu with + * KVM_ARM_VCPU_INIT, however, this is likely not possible for + * protected VMs. + */ + vcpu->arch.target = -1; + *exit_code = ARM_EXCEPTION_IL; + return false; + } + + return true; +} + /* Switch to the guest for legacy non-VHE systems */ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) { @@ -297,6 +334,9 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) /* Jump in the fire! */ exit_code = __guest_enter(vcpu); + if (unlikely(!handle_aarch32_guest(vcpu, &exit_code))) + break; + /* And we're baaack! */ } while (fixup_guest_exit(vcpu, &exit_code));
Protected KVM does not support protected AArch32 guests. However, it is possible for the guest to force run AArch32, potentially causing problems. Add an extra check so that if the hypervisor catches the guest doing that, it can prevent the guest from running again by resetting vcpu->arch.target and returning ARM_EXCEPTION_IL. If this were to happen, The VMM can try and fix it by re- initializing the vcpu with KVM_ARM_VCPU_INIT, however, this is likely not possible for protected VMs. Adapted from commit 22f553842b14 ("KVM: arm64: Handle Asymmetric AArch32 systems") Signed-off-by: Fuad Tabba <tabba@google.com> --- arch/arm64/kvm/hyp/nvhe/switch.c | 40 ++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)