[04/13] KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2

Message ID	20240219092014.783809-5-maz@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> From: Marc Zyngier <maz@kernel.org> To: kvmarm@lists.linux.dev, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: James Morse <james.morse@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Oliver Upton <oliver.upton@linux.dev>, Zenghui Yu <yuzenghui@huawei.com>, Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com> Subject: [PATCH 04/13] KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2 Date: Mon, 19 Feb 2024 09:20:05 +0000 Message-Id: <20240219092014.783809-5-maz@kernel.org> In-Reply-To: <20240219092014.783809-1-maz@kernel.org> References: <20240219092014.783809-1-maz@kernel.org> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	KVM/arm64: Add NV support for ERET and PAuth \| expand [00/13] KVM/arm64: Add NV support for ERET and PAuth [01/13] KVM: arm64: Harden __ctxt_sys_reg() against out-of-range values [02/13] KVM: arm64: Clarify ESR_ELx_ERET_ISS_ERET* [03/13] KVM: arm64: nv: Drop VCPU_HYP_CONTEXT flag [04/13] KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2 [05/13] KVM: arm64: nv: Add trap forwarding for ERET and SMC [06/13] KVM: arm64: nv: Fast-track 'InHost' exception returns [07/13] KVM: arm64: nv: Honor HFGITR_EL2.ERET being set [08/13] KVM: arm64: nv: Handle HCR_EL2.{API,APK} independantly [09/13] KVM: arm64: nv: Reinject PAC exceptions caused by HCR_EL2.API==0 [10/13] KVM: arm64: nv: Add kvm_has_pauth() helper [11/13] KVM: arm64: nv: Add emulation for ERETAx instructions [12/13] KVM: arm64: nv: Handle ERETA[AB] instructions [13/13] KVM: arm64: nv: Advertise support for PAuth

Message ID

20240219092014.783809-5-maz@kernel.org (mailing list archive)

State

New, archived

Headers

From: Marc Zyngier <maz@kernel.org>
To: kvmarm@lists.linux.dev,
	kvm@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org
Cc: James Morse <james.morse@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Oliver Upton <oliver.upton@linux.dev>,
	Zenghui Yu <yuzenghui@huawei.com>,
	Will Deacon <will@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH 04/13] KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2
Date: Mon, 19 Feb 2024 09:20:05 +0000
Message-Id: <20240219092014.783809-5-maz@kernel.org>
In-Reply-To: <20240219092014.783809-1-maz@kernel.org>
References: <20240219092014.783809-1-maz@kernel.org>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Series

KVM/arm64: Add NV support for ERET and PAuth | expand

Commit Message

Marc Zyngier Feb. 19, 2024, 9:20 a.m. UTC

Add the HCR_EL2 configuration for FEAT_NV2, adding the required
bits for running a guest hypervisor, and overall merging the
allowed bits provided by the guest.

This heavily replies on unavaliable features being sanitised
when the HCR_EL2 shadow register is accessed, and only a couple
of bits must be explicitly disabled.

Non-NV guests are completely unaffected by any of this.

Signed-off-by: Marc Zyngier <maz@kernel.org>
---
 arch/arm64/include/asm/sysreg.h         |  1 +
 arch/arm64/kvm/hyp/include/hyp/switch.h |  4 +--
 arch/arm64/kvm/hyp/nvhe/switch.c        |  2 +-
 arch/arm64/kvm/hyp/vhe/switch.c         | 34 ++++++++++++++++++++++++-
 4 files changed, 36 insertions(+), 5 deletions(-)

Comments

Joey Gouly Feb. 20, 2024, 3:16 p.m. UTC | #1

Hi,

On Mon, Feb 19, 2024 at 09:20:05AM +0000, Marc Zyngier wrote:
> Add the HCR_EL2 configuration for FEAT_NV2, adding the required
> bits for running a guest hypervisor, and overall merging the
> allowed bits provided by the guest.
> 
> This heavily replies on unavaliable features being sanitised
> when the HCR_EL2 shadow register is accessed, and only a couple
> of bits must be explicitly disabled.
> 
> Non-NV guests are completely unaffected by any of this.
> 
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> ---
>  arch/arm64/include/asm/sysreg.h         |  1 +
>  arch/arm64/kvm/hyp/include/hyp/switch.h |  4 +--
>  arch/arm64/kvm/hyp/nvhe/switch.c        |  2 +-
>  arch/arm64/kvm/hyp/vhe/switch.c         | 34 ++++++++++++++++++++++++-
>  4 files changed, 36 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
> index 9e8999592f3a..a5361d9032a4 100644
> --- a/arch/arm64/include/asm/sysreg.h
> +++ b/arch/arm64/include/asm/sysreg.h
> @@ -498,6 +498,7 @@
>  #define SYS_TCR_EL2			sys_reg(3, 4, 2, 0, 2)
>  #define SYS_VTTBR_EL2			sys_reg(3, 4, 2, 1, 0)
>  #define SYS_VTCR_EL2			sys_reg(3, 4, 2, 1, 2)
> +#define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)
>  
>  #define SYS_TRFCR_EL2			sys_reg(3, 4, 1, 2, 1)
>  #define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)

I'm seeing double! (SYS_VNCR_EL2 is already defined a few lines down)

> diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
> index e3fcf8c4d5b4..f5f701f309a9 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/switch.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
> @@ -271,10 +271,8 @@ static inline void __deactivate_traps_common(struct kvm_vcpu *vcpu)
>  	__deactivate_traps_hfgxtr(vcpu);
>  }
>  
> -static inline void ___activate_traps(struct kvm_vcpu *vcpu)
> +static inline void ___activate_traps(struct kvm_vcpu *vcpu, u64 hcr)
>  {
> -	u64 hcr = vcpu->arch.hcr_el2;
> -
>  	if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM))
>  		hcr |= HCR_TVM;
>  
> diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> index c50f8459e4fc..4103625e46c5 100644
> --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> @@ -40,7 +40,7 @@ static void __activate_traps(struct kvm_vcpu *vcpu)
>  {
>  	u64 val;
>  
> -	___activate_traps(vcpu);
> +	___activate_traps(vcpu, vcpu->arch.hcr_el2);
>  	__activate_traps_common(vcpu);
>  
>  	val = vcpu->arch.cptr_el2;
> diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c
> index 58415783fd53..29f59c374f7a 100644
> --- a/arch/arm64/kvm/hyp/vhe/switch.c
> +++ b/arch/arm64/kvm/hyp/vhe/switch.c
> @@ -33,11 +33,43 @@ DEFINE_PER_CPU(struct kvm_host_data, kvm_host_data);
>  DEFINE_PER_CPU(struct kvm_cpu_context, kvm_hyp_ctxt);
>  DEFINE_PER_CPU(unsigned long, kvm_hyp_vector);
>  
> +/*
> + * HCR_EL2 bits that the NV guest can freely change (no RES0/RES1
> + * semantics, irrespective of the configuration), but that cannot be
> + * applied to the actual HW as things would otherwise break badly.
> + *
> + * - TGE: we want to use EL1, which is incompatible with it being set

Can you make this a bit clearer:

	we want the guest to use EL1

Assuming I've understood correctly. I first read it as 'we' == kvm.

> + *
> + * - API/APK: for hysterical raisins, we enable PAuth lazily, which
> + *   means that the guest's bits cannot be directly applied (we really
> + *   want to see the traps). Revisit this at some point.
> + */
> +#define NV_HCR_GUEST_EXCLUDE	(HCR_TGE | HCR_API | HCR_APK)
> +
> +static u64 __compute_hcr(struct kvm_vcpu *vcpu)
> +{
> +	u64 hcr = vcpu->arch.hcr_el2;
> +
> +	if (!vcpu_has_nv(vcpu))
> +		return hcr;
> +
> +	if (is_hyp_ctxt(vcpu)) {
> +		hcr |= HCR_NV | HCR_NV2 | HCR_AT | HCR_TTLB;
> +
> +		if (!vcpu_el2_e2h_is_set(vcpu))
> +			hcr |= HCR_NV1;
> +
> +		write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2);
> +	}
> +
> +	return hcr | (__vcpu_sys_reg(vcpu, HCR_EL2) & ~NV_HCR_GUEST_EXCLUDE);
> +}
> +
>  static void __activate_traps(struct kvm_vcpu *vcpu)
>  {
>  	u64 val;
>  
> -	___activate_traps(vcpu);
> +	___activate_traps(vcpu, __compute_hcr(vcpu));
>  
>  	if (has_cntpoff()) {
>  		struct timer_map map;

Otherwise,

Reviewed-by: Joey Gouly <joey.gouly@arm.com>

Thanks,
Joey

Marc Zyngier Feb. 20, 2024, 3:41 p.m. UTC | #2

On Tue, 20 Feb 2024 15:16:00 +0000,
Joey Gouly <joey.gouly@arm.com> wrote:
> 
> Hi,
> 
> On Mon, Feb 19, 2024 at 09:20:05AM +0000, Marc Zyngier wrote:
> > Add the HCR_EL2 configuration for FEAT_NV2, adding the required
> > bits for running a guest hypervisor, and overall merging the
> > allowed bits provided by the guest.
> > 
> > This heavily replies on unavaliable features being sanitised
> > when the HCR_EL2 shadow register is accessed, and only a couple
> > of bits must be explicitly disabled.
> > 
> > Non-NV guests are completely unaffected by any of this.
> > 
> > Signed-off-by: Marc Zyngier <maz@kernel.org>
> > ---
> >  arch/arm64/include/asm/sysreg.h         |  1 +
> >  arch/arm64/kvm/hyp/include/hyp/switch.h |  4 +--
> >  arch/arm64/kvm/hyp/nvhe/switch.c        |  2 +-
> >  arch/arm64/kvm/hyp/vhe/switch.c         | 34 ++++++++++++++++++++++++-
> >  4 files changed, 36 insertions(+), 5 deletions(-)
> > 
> > diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
> > index 9e8999592f3a..a5361d9032a4 100644
> > --- a/arch/arm64/include/asm/sysreg.h
> > +++ b/arch/arm64/include/asm/sysreg.h
> > @@ -498,6 +498,7 @@
> >  #define SYS_TCR_EL2			sys_reg(3, 4, 2, 0, 2)
> >  #define SYS_VTTBR_EL2			sys_reg(3, 4, 2, 1, 0)
> >  #define SYS_VTCR_EL2			sys_reg(3, 4, 2, 1, 2)
> > +#define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)
> >  
> >  #define SYS_TRFCR_EL2			sys_reg(3, 4, 1, 2, 1)
> >  #define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)
> 
> I'm seeing double! (SYS_VNCR_EL2 is already defined a few lines
> down)

Ah, it got added by Miguel and my rebase didn't weed it out. It also
doesn't help that SYS_TRFCR_EL2 is out of sequence... Anyway, I'll
drop this, thanks for spotting it.

> 
> > diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
> > index e3fcf8c4d5b4..f5f701f309a9 100644
> > --- a/arch/arm64/kvm/hyp/include/hyp/switch.h
> > +++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
> > @@ -271,10 +271,8 @@ static inline void __deactivate_traps_common(struct kvm_vcpu *vcpu)
> >  	__deactivate_traps_hfgxtr(vcpu);
> >  }
> >  
> > -static inline void ___activate_traps(struct kvm_vcpu *vcpu)
> > +static inline void ___activate_traps(struct kvm_vcpu *vcpu, u64 hcr)
> >  {
> > -	u64 hcr = vcpu->arch.hcr_el2;
> > -
> >  	if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM))
> >  		hcr |= HCR_TVM;
> >  
> > diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> > index c50f8459e4fc..4103625e46c5 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> > @@ -40,7 +40,7 @@ static void __activate_traps(struct kvm_vcpu *vcpu)
> >  {
> >  	u64 val;
> >  
> > -	___activate_traps(vcpu);
> > +	___activate_traps(vcpu, vcpu->arch.hcr_el2);
> >  	__activate_traps_common(vcpu);
> >  
> >  	val = vcpu->arch.cptr_el2;
> > diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c
> > index 58415783fd53..29f59c374f7a 100644
> > --- a/arch/arm64/kvm/hyp/vhe/switch.c
> > +++ b/arch/arm64/kvm/hyp/vhe/switch.c
> > @@ -33,11 +33,43 @@ DEFINE_PER_CPU(struct kvm_host_data, kvm_host_data);
> >  DEFINE_PER_CPU(struct kvm_cpu_context, kvm_hyp_ctxt);
> >  DEFINE_PER_CPU(unsigned long, kvm_hyp_vector);
> >  
> > +/*
> > + * HCR_EL2 bits that the NV guest can freely change (no RES0/RES1
> > + * semantics, irrespective of the configuration), but that cannot be
> > + * applied to the actual HW as things would otherwise break badly.
> > + *
> > + * - TGE: we want to use EL1, which is incompatible with it being set
> 
> Can you make this a bit clearer:
> 
> 	we want the guest to use EL1
> 
> Assuming I've understood correctly. I first read it as 'we' == kvm.

Sure thing, happy to update that.

>> > + *
> > + * - API/APK: for hysterical raisins, we enable PAuth lazily, which
> > + *   means that the guest's bits cannot be directly applied (we really
> > + *   want to see the traps). Revisit this at some point.
> > + */
> > +#define NV_HCR_GUEST_EXCLUDE	(HCR_TGE | HCR_API | HCR_APK)
> > +
> > +static u64 __compute_hcr(struct kvm_vcpu *vcpu)
> > +{
> > +	u64 hcr = vcpu->arch.hcr_el2;
> > +
> > +	if (!vcpu_has_nv(vcpu))
> > +		return hcr;
> > +
> > +	if (is_hyp_ctxt(vcpu)) {
> > +		hcr |= HCR_NV | HCR_NV2 | HCR_AT | HCR_TTLB;
> > +
> > +		if (!vcpu_el2_e2h_is_set(vcpu))
> > +			hcr |= HCR_NV1;
> > +
> > +		write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2);
> > +	}
> > +
> > +	return hcr | (__vcpu_sys_reg(vcpu, HCR_EL2) & ~NV_HCR_GUEST_EXCLUDE);
> > +}
> > +
> >  static void __activate_traps(struct kvm_vcpu *vcpu)
> >  {
> >  	u64 val;
> >  
> > -	___activate_traps(vcpu);
> > +	___activate_traps(vcpu, __compute_hcr(vcpu));
> >  
> >  	if (has_cntpoff()) {
> >  		struct timer_map map;
> 
> Otherwise,
> 
> Reviewed-by: Joey Gouly <joey.gouly@arm.com>

Thanks!

	M.

diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
index 9e8999592f3a..a5361d9032a4 100644
--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -498,6 +498,7 @@ 
 #define SYS_TCR_EL2			sys_reg(3, 4, 2, 0, 2)
 #define SYS_VTTBR_EL2			sys_reg(3, 4, 2, 1, 0)
 #define SYS_VTCR_EL2			sys_reg(3, 4, 2, 1, 2)
+#define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)
 
 #define SYS_TRFCR_EL2			sys_reg(3, 4, 1, 2, 1)
 #define SYS_VNCR_EL2			sys_reg(3, 4, 2, 2, 0)
diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
index e3fcf8c4d5b4..f5f701f309a9 100644
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -271,10 +271,8 @@  static inline void __deactivate_traps_common(struct kvm_vcpu *vcpu)
 	__deactivate_traps_hfgxtr(vcpu);
 }
 
-static inline void ___activate_traps(struct kvm_vcpu *vcpu)
+static inline void ___activate_traps(struct kvm_vcpu *vcpu, u64 hcr)
 {
-	u64 hcr = vcpu->arch.hcr_el2;
-
 	if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM))
 		hcr |= HCR_TVM;
 
diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
index c50f8459e4fc..4103625e46c5 100644
--- a/arch/arm64/kvm/hyp/nvhe/switch.c
+++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -40,7 +40,7 @@  static void __activate_traps(struct kvm_vcpu *vcpu)
 {
 	u64 val;
 
-	___activate_traps(vcpu);
+	___activate_traps(vcpu, vcpu->arch.hcr_el2);
 	__activate_traps_common(vcpu);
 
 	val = vcpu->arch.cptr_el2;
diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c
index 58415783fd53..29f59c374f7a 100644
--- a/arch/arm64/kvm/hyp/vhe/switch.c
+++ b/arch/arm64/kvm/hyp/vhe/switch.c
@@ -33,11 +33,43 @@  DEFINE_PER_CPU(struct kvm_host_data, kvm_host_data);
 DEFINE_PER_CPU(struct kvm_cpu_context, kvm_hyp_ctxt);
 DEFINE_PER_CPU(unsigned long, kvm_hyp_vector);
 
+/*
+ * HCR_EL2 bits that the NV guest can freely change (no RES0/RES1
+ * semantics, irrespective of the configuration), but that cannot be
+ * applied to the actual HW as things would otherwise break badly.
+ *
+ * - TGE: we want to use EL1, which is incompatible with it being set
+ *
+ * - API/APK: for hysterical raisins, we enable PAuth lazily, which
+ *   means that the guest's bits cannot be directly applied (we really
+ *   want to see the traps). Revisit this at some point.
+ */
+#define NV_HCR_GUEST_EXCLUDE	(HCR_TGE | HCR_API | HCR_APK)
+
+static u64 __compute_hcr(struct kvm_vcpu *vcpu)
+{
+	u64 hcr = vcpu->arch.hcr_el2;
+
+	if (!vcpu_has_nv(vcpu))
+		return hcr;
+
+	if (is_hyp_ctxt(vcpu)) {
+		hcr |= HCR_NV | HCR_NV2 | HCR_AT | HCR_TTLB;
+
+		if (!vcpu_el2_e2h_is_set(vcpu))
+			hcr |= HCR_NV1;
+
+		write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2);
+	}
+
+	return hcr | (__vcpu_sys_reg(vcpu, HCR_EL2) & ~NV_HCR_GUEST_EXCLUDE);
+}
+
 static void __activate_traps(struct kvm_vcpu *vcpu)
 {
 	u64 val;
 
-	___activate_traps(vcpu);
+	___activate_traps(vcpu, __compute_hcr(vcpu));
 
 	if (has_cntpoff()) {
 		struct timer_map map;

[04/13] KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2

Commit Message

Comments

Patch