From patchwork Wed Oct 13 15:58:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quentin Perret X-Patchwork-Id: 12556227 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CAE5BC433F5 for ; Wed, 13 Oct 2021 16:01:52 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 9795961163 for ; Wed, 13 Oct 2021 16:01:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 9795961163 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:Mime-Version: Message-Id:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=9ezqCdkFAG/zjtlujToKVIIjxOJPHIwxXUlpkMAYeLM=; b=PWS GzHc7e5rs0KWoHWQzhnKZjKQJ2qP+5Z5wIpCKixp2stgOKbsEufh5vfjSv0UsMo45Fm/tnE+GzEMd uurfoN7oOJfCDl5T15J/DEADpyQZzEf7/kfebloNbtlJVSFgkY25GHbkhVr62jNVTb30Yi0UnRBo+ lTLuQcqHD06EyMHgB087MsJ9W8el/MLhsMlD6Tr7/nDBM1LH75AWj6TbyyMrK7xnszX+cxTyRm88c Bp/YMto8U0nLkqv1uLN3oYtwFh7ni2nB/Bi8tQU88JJNs+6vuADMv3HsyFXV2zdWW35Lcp1BlK/Nb k5q+B6kVtekKcz4ERTXwd3zShyK5r3w==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mageQ-00HTJA-4V; Wed, 13 Oct 2021 15:58:42 +0000 Received: from mail-wr1-x44a.google.com ([2a00:1450:4864:20::44a]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mageL-00HTHZ-23 for linux-arm-kernel@lists.infradead.org; Wed, 13 Oct 2021 15:58:38 +0000 Received: by mail-wr1-x44a.google.com with SMTP id v15-20020adfa1cf000000b00160940b17a2so2325761wrv.19 for ; Wed, 13 Oct 2021 08:58:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=Eht9NEYnyeNXZ9GC0V0N+PJToFUkivNq3A15CtLZoHQ=; b=MmrT+s8muELqT2L44AG8+lk0AywU/F2urJDOsAWd0K9der7aYqNb7QeEmpJr61jjDJ ktPaVPfr9Um/DkE+sBzpnuPozNyp6CQ+MtznYTvTt4wDgqSdOkw9M3DVjAPywJYCv8V/ zflAJefyFMKPyYkjOQMiINYeddoxDo7z6hdWUMN0HOvwQHdW00FFAeG+92esLUP8C1E+ zneGPi2fokr5vos/ibfeJwBKG8GSSV9xYqTD3faz8aL7hRURTFEOjeGJufrj7gWmhW2u pYfTxgeNY741mtX6j+fZtTb7vRXRx4KkLWMdK5IbhZnKd9AIAIS/+TedR6F/JZd1rqzO v0Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=Eht9NEYnyeNXZ9GC0V0N+PJToFUkivNq3A15CtLZoHQ=; b=RwLkkWqknxHOi/wBCBsQalVmBjFJrco0hdAAAY37RYkeQSBi6OVvI4gViyZC3bfhgn VwdkajKeRbgQ9pF1Xl522QrO+3UbEs1Li+qr0ilblDOnYccGwJG3FqPvZV4CCrSvOXBt /Dchk66WvcwEhY6sM7UBvL7ElTCvnwcMiuER8HYtZfx+5NvxgQmqZc0yCMM8q1Y0iJLW q6h7+jt3ozhXU+wc6TK61oVZ1NsJQUaFcpczv81Ui1ukXmsQyGFHV+1W8zqiKEgQfjYz XUz8C9QuF6BDxrDnqDBf8oJ3MNH9xyD23zstSaXqVV5MHoZ0eb4mFuxRCJRUPqfF4C54 8w2A== X-Gm-Message-State: AOAM530bMXNrrEDZ5vC5e1ZT/rIlILhPvmKQon4QNT3SHFnTsKOQOTGw 2LwrbNjthfTgfjkrZJiDvbV/YGUHjwhL X-Google-Smtp-Source: ABdhPJwUVK1oAUnrbwA0NBbH6MgXKCoPORRCUhS/cSQ3NHCwSOfsKuOk9OgrZX4VXp9Bg29A4CFrD6RFznFb X-Received: from luke.lon.corp.google.com ([2a00:79e0:d:210:65b5:73d3:1558:b9ae]) (user=qperret job=sendgmr) by 2002:a05:600c:1c05:: with SMTP id j5mr141830wms.1.1634140714059; Wed, 13 Oct 2021 08:58:34 -0700 (PDT) Date: Wed, 13 Oct 2021 16:58:15 +0100 Message-Id: <20211013155831.943476-1-qperret@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.33.0.882.g93a45727a2-goog Subject: [PATCH 00/16] KVM: arm64: Implement unshare hypercall for pkvm From: Quentin Perret To: Marc Zyngier , James Morse , Alexandru Elisei , Suzuki K Poulose , Catalin Marinas , Will Deacon , Fuad Tabba , David Brazdil Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211013_085837_146037_28B7E41D X-CRM114-Status: GOOD ( 15.46 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi all, This series implements an unshare hypercall at EL2 in nVHE protected mode, and makes use of it to unmmap guest-specific data-structures from EL2 stage-1 during guest tear-down. Crucially, the implementation of the share and unshare hypercall implements page refcounts at EL2 to avoid accidentally unmapping data-structures that overlap a common page. This series has two main benefits. Firstly it allows EL2 to track the state of shared pages cleanly, as they can now transition from SHARED back to OWNED. This will simplify permission checks once e.g. pkvm implements a donation hcall to provide memory to protected guests, as there should then be no reason for the host to donate a page that is currently marked shared. And secondly, it avoids having dangling mappings in the hypervisor's stage-1, which should be a good idea from a security perspective as the hypervisor is obviously running with elevated privileges. And perhaps worth noting is that this also refactors the EL2 page-tracking checks in a more scalable way, which should allow to implement other memory transitions (host donating memory to a guest, a guest sharing back with the host, ...) much more easily in the future. The series is organized as follows: - patches 01-05 refactor the implementation of the existing share hypercall; - patches 06-10 introduce infrastructure to allow unmapping pages from EL2 stage-1; - patches 11-14 allow to refcount pages that are shared more than once with EL2; - patches 15-16 add the unshare hypercall, and make use of it when tearing down guests. This has been lightly tested on Qemu, by spawning and powering off a guest 50 times. Feedback welcome :) ! Thanks, Quentin Quentin Perret (11): KVM: arm64: Avoid remapping the SVE state in the hyp stage-1 KVM: arm64: Introduce kvm_share_hyp() KVM: arm64: Accept page ranges in pkvm share hypercall KVM: arm64: Provide {get,put}_page() stubs for early hyp allocator KVM: arm64: Refcount hyp stage-1 pgtable pages KVM: arm64: Fixup hyp stage-1 refcount KVM: arm64: Back hyp_vmemmap for all of memory KVM: arm64: Move hyp refcount helpers to header files KVM: arm64: Refcount shared pages at EL2 KVM: arm64: pkvm: Introduce an unshare hypercall KVM: arm64: pkvm: Unshare guest structs during teardown Will Deacon (5): KVM: arm64: Introduce do_share() helper for memory sharing between components KVM: arm64: Implement __pkvm_host_share_hyp() using do_share() KVM: arm64: Hook up ->page_count() for hypervisor stage-1 page-table KVM: arm64: Implement kvm_pgtable_hyp_unmap() at EL2 KVM: arm64: Move double-sharing logic into hyp-specific function arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/kvm_host.h | 2 + arch/arm64/include/asm/kvm_mmu.h | 2 + arch/arm64/include/asm/kvm_pgtable.h | 21 + arch/arm64/kvm/arm.c | 17 +- arch/arm64/kvm/fpsimd.c | 25 +- arch/arm64/kvm/hyp/include/nvhe/mem_protect.h | 8 +- arch/arm64/kvm/hyp/include/nvhe/memory.h | 18 + arch/arm64/kvm/hyp/include/nvhe/mm.h | 29 +- arch/arm64/kvm/hyp/nvhe/early_alloc.c | 5 + arch/arm64/kvm/hyp/nvhe/hyp-main.c | 12 +- arch/arm64/kvm/hyp/nvhe/mem_protect.c | 596 ++++++++++++++++-- arch/arm64/kvm/hyp/nvhe/mm.c | 31 +- arch/arm64/kvm/hyp/nvhe/page_alloc.c | 22 +- arch/arm64/kvm/hyp/nvhe/setup.c | 39 +- arch/arm64/kvm/hyp/pgtable.c | 80 ++- arch/arm64/kvm/hyp/reserved_mem.c | 17 +- arch/arm64/kvm/mmu.c | 48 +- arch/arm64/kvm/reset.c | 13 +- 19 files changed, 814 insertions(+), 172 deletions(-)