From: Quentin Perret
Date: Wed, 15 Dec 2021 16:12:17 +0000
Message-Id: <20211215161232.1480836-1-qperret@google.com>
X-Patchwork-Id: 12696297
Subject: [PATCH v4 00/14] KVM: arm64: Introduce kvm_{un}share_hyp()
To: Marc Zyngier, James Morse, Alexandru Elisei, Suzuki K Poulose,
    Catalin Marinas, Will Deacon
Cc: qperret@google.com, qwandor@google.com,
    linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu,
    linux-kernel@vger.kernel.org, kernel-team@android.com

Hi all,

This is v4 of the series previously posted here:

  https://lore.kernel.org/kvmarm/20211201170411.1561936-1-qperret@google.com/

This series implements an unshare hypercall at EL2 in nVHE protected
mode, and makes use of it to unmap guest-specific data-structures from
EL2 stage-1 during guest tear-down. Crucially, the implementation of the
share and unshare routines uses page refcounts in the host kernel to
avoid accidentally unmapping data-structures that overlap a common page.

This series has two main benefits. Firstly it allows EL2 to track the
state of shared pages cleanly, as they can now transition from SHARED
back to OWNED. This will simplify permission checks once e.g. pkvm
implements a donation hcall to provide memory to protected guests, as
there should then be no reason for the host to donate a page that is
currently marked shared. And secondly, it avoids having dangling
mappings in the hypervisor's stage-1, which should be a good idea from a
security perspective as the hypervisor is obviously running with
elevated privileges. And perhaps worth noting is that this also
refactors the EL2 page-tracking checks in a more scalable way, which
should allow implementing other memory transitions (host donating memory
to a guest, a guest sharing back with the host, ...) much more easily in
the future.

Changes since v3:
 - fixed refcount of hyp stage-1 page-table pages when only changing SW
   bits (Will)
 - misc minor cleanups (Will, Andrew)
 - rebased on kvmarm/next

Quentin Perret (6):
  KVM: arm64: Provide {get,put}_page() stubs for early hyp allocator
  KVM: arm64: Refcount hyp stage-1 pgtable pages
  KVM: arm64: Fixup hyp stage-1 refcount
  KVM: arm64: Introduce kvm_share_hyp()
  KVM: arm64: pkvm: Refcount the pages shared with EL2
  KVM: arm64: pkvm: Unshare guest structs during teardown

Will Deacon (8):
  KVM: arm64: Hook up ->page_count() for hypervisor stage-1 page-table
  KVM: arm64: Implement kvm_pgtable_hyp_unmap() at EL2
  KVM: arm64: Extend pkvm_page_state enumeration to handle absent pages
  KVM: arm64: Introduce wrappers for host and hyp spin lock accessors
  KVM: arm64: Implement do_share() helper for sharing memory
  KVM: arm64: Implement __pkvm_host_share_hyp() using do_share()
  KVM: arm64: Implement do_unshare() helper for unsharing memory
  KVM: arm64: Expose unshare hypercall to the host

 arch/arm64/include/asm/kvm_asm.h              |   1 +
 arch/arm64/include/asm/kvm_host.h             |   2 +
 arch/arm64/include/asm/kvm_mmu.h              |   2 +
 arch/arm64/include/asm/kvm_pgtable.h          |  21 +
 arch/arm64/kvm/arm.c                          |   6 +-
 arch/arm64/kvm/fpsimd.c                       |  36 +-
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h |   6 +
 arch/arm64/kvm/hyp/nvhe/early_alloc.c         |   5 +
 arch/arm64/kvm/hyp/nvhe/hyp-main.c            |   8 +
 arch/arm64/kvm/hyp/nvhe/mem_protect.c         | 500 +++++++++++++++---
 arch/arm64/kvm/hyp/nvhe/setup.c               |  22 +-
 arch/arm64/kvm/hyp/pgtable.c                  | 102 +++-
 arch/arm64/kvm/mmu.c                          | 137 ++++-
 arch/arm64/kvm/reset.c                        |  10 +-
 14 files changed, 739 insertions(+), 119 deletions(-)
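
The per-page refcounting described in the cover letter, as an added toy model in C that is not code from this series: two objects overlap on one page, and the page only goes back from SHARED to OWNED when its last user is unshared. All names (toy_share, toy_unshare, toy_hcall, hyp_state, share_count) and the address layout are constructed for illustration.

```c
#include <stdint.h>

#define PAGE_SHIFT 12
#define NR_PAGES   8 /* constructed toy physical address space */
enum page_state { OWNED, SHARED }; /* the two states named in the cover letter */

static enum page_state hyp_state[NR_PAGES]; /* hypervisor-side view of each page */
static unsigned int share_count[NR_PAGES];  /* host-side refcount of each page */

/* Toy stand-in for the share/unshare hypercalls: rejects an unexpected state. */
static int toy_hcall(uint64_t pfn, enum page_state from, enum page_state to)
{
	if (hyp_state[pfn] != from)
		return -1;
	hyp_state[pfn] = to;
	return 0;
}

/* Share every page backing [addr, addr + len); hypercall only on count 0 -> 1. */
int toy_share(uint64_t addr, uint64_t len)
{
	uint64_t pfn, last = (addr + len - 1) >> PAGE_SHIFT;
	if (!len || addr + len < addr || last >= NR_PAGES)
		return -1;
	for (pfn = addr >> PAGE_SHIFT; pfn <= last; pfn++)
		if (share_count[pfn]++ == 0 && toy_hcall(pfn, OWNED, SHARED))
			return -1;
	return 0;
}

/* Drop one reference per page; hypercall only when the last user is gone. */
int toy_unshare(uint64_t addr, uint64_t len)
{
	uint64_t pfn, last = (addr + len - 1) >> PAGE_SHIFT;
	if (!len || addr + len < addr || last >= NR_PAGES)
		return -1;
	for (pfn = addr >> PAGE_SHIFT; pfn <= last; pfn++) {
		if (share_count[pfn] == 0) /* unbalanced unshare */
			return -1;
		if (--share_count[pfn] == 0 && toy_hcall(pfn, SHARED, OWNED))
			return -1;
	}
	return 0;
}

int main(void)
{
	toy_share(0x1800, 0x100); toy_share(0x1f00, 0x200); toy_unshare(0x1f00, 0x200);
	return hyp_state[1] == SHARED ? 0 : 1; /* constructed layout: page 1 still in use */
}
```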