From patchwork Thu Jun 23 02:19:23 2022
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 12891723
Date: Wed, 22 Jun 2022 19:19:23 -0700
Message-Id: <20220623021926.3443240-1-pcc@google.com>
Subject: [PATCH 0/3] KVM: arm64: support MTE in protected VMs
From: Peter Collingbourne
To: kvmarm@lists.cs.columbia.edu
Cc: Peter Collingbourne, Marc Zyngier, kvm@vger.kernel.org, Andy Lutomirski, linux-arm-kernel@lists.infradead.org, Michael Roth, Catalin Marinas, Chao Peng, Will Deacon, Evgenii Stepanov

Hi,

This patch series contains a proposed extension to pKVM that allows MTE
to be exposed to the protected guests. It is based on the base pKVM
series previously sent to the list [1] and later rebased to 5.19-rc2
and uploaded to [2].

This series takes precautions against host compromise of the guests
via direct access to their tag storage, by preventing the host from
accessing the tag storage via stage 2 page tables. The device tree
must describe the physical memory address of the tag storage, if any,
and the memory nodes must declare that the tag storage location is
described. Otherwise, the MTE feature is disabled in protected guests.
Now that we can easily do so, we also prevent the host from accessing
any unmapped reserved-memory regions without a driver, as the host has
no business accessing that memory.

A proposed extension to the devicetree specification is available at
[3], a patched version of QEMU that produces the required device tree
nodes is available at [4] and a patched version of the crosvm hypervisor
that enables MTE is available at [5].

[1] https://lore.kernel.org/all/20220519134204.5379-1-will@kernel.org/
[2] https://android-kvm.googlesource.com/linux/ for-upstream/pkvm-base-v2
[3] https://github.com/pcc/devicetree-specification mte-alloc
[4] https://github.com/pcc/qemu mte-shared-alloc
[5] https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3719324

Peter Collingbourne (3):
  KVM: arm64: add a hypercall for disowning pages
  KVM: arm64: disown unused reserved-memory regions
  KVM: arm64: allow MTE in protected VMs if the tag storage is known

 arch/arm64/include/asm/kvm_asm.h              |  1 +
 arch/arm64/include/asm/kvm_host.h             |  6 ++
 arch/arm64/include/asm/kvm_pkvm.h             |  4 +-
 arch/arm64/kernel/image-vars.h                |  3 +
 arch/arm64/kvm/arm.c                          | 83 ++++++++++++++++++-
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h |  1 +
 arch/arm64/kvm/hyp/include/nvhe/pkvm.h        |  1 +
 arch/arm64/kvm/hyp/nvhe/hyp-main.c            |  9 ++
 arch/arm64/kvm/hyp/nvhe/mem_protect.c         | 11 +++
 arch/arm64/kvm/hyp/nvhe/pkvm.c                |  8 +-
 arch/arm64/kvm/hyp/pgtable.c                  |  5 +-
 arch/arm64/kvm/mmu.c                          |  4 +-
 12 files changed, 126 insertions(+), 10 deletions(-)