From patchwork Fri Jul  8 21:21:03 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Collingbourne <pcc@google.com>
X-Patchwork-Id: 12911895
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id D0A39C43334
	for <linux-arm-kernel@archiver.kernel.org>;
 Fri,  8 Jul 2022 21:22:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:Mime-Version:
	Message-Id:Date:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=+XB8XroAI/lCvm6DVchH9fHXj7K6sSSARmvLWEodrt8=; b=pyp
	+jlUM2GXuJhebWV6USYp+i1euIOVImYyVxIW9H3brPg+QaINKxTvjvLimndHcmBUCrYd8FMPjufAV
	WurSwr7HV//bTiZzr7z07j0YgG/6osnc/V57l8PMDMY4ErnezUl/s+BNPF72nxVNtIQFaQeBkJyXV
	IPzb7vf2+lNidFRj0H2ySiKBJ6u3p1YcLhwDX7PKXo2ZlzXtExmMfhbc5tBSfOi9SqlNn/PTL0TV3
	WdLgmg692tofHKkzHloeraPnXXbd3NtkJ8VpT9ZJna1oBFhCtH1KOUlv4ffAWt2eRJc/J0jlrHlNp
	4U+AmtmiLTOGceyU38zuqbgUUVGP/YQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o9vPn-0060iX-1p; Fri, 08 Jul 2022 21:21:31 +0000
Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49])
	by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o9vPa-0060e1-Ik
	for linux-arm-kernel@lists.infradead.org; Fri, 08 Jul 2022 21:21:21 +0000
Received: by mail-yb1-xb49.google.com with SMTP id
 w2-20020a25ef42000000b0066d68be3fbcso16968188ybm.13
        for <linux-arm-kernel@lists.infradead.org>;
 Fri, 08 Jul 2022 14:21:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=ZsW33TkaPVzGGAiF9Xw3rp8pMfW3pJDcP2sjUehOYU4=;
        b=Khnt/FKK2tmsglb39aHaXQe/85L0TtdEJmytldtpcB7PdifoCaJXvAu2CXcRmW1fzx
         y39SxrSY7BKqQOhMItRgS/Cx13UN/kBbrwQ/Gam0nbaR+8Q7CoY1CiXg5B71WoRePh2j
         BmY3lKiwS2ycyhg1BS16LXD9Z7aJPS0FkC2pQXd9qzhTDIpI2i7CD++lRaDj6QF8edbp
         dmfRRneCPKYpTwMrDrz8fnENuy1IXO5JIE+xD92f0pgT98gAriCpCX0P3s1Ps91yxQy7
         2hW2FGKbnGGRHuFURNW1H5Kl/eN3DF8tCmpGMZd4C4s8/P7ZhEauaDouX1m50xPL/K5r
         KtKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=ZsW33TkaPVzGGAiF9Xw3rp8pMfW3pJDcP2sjUehOYU4=;
        b=M3P2EBvpFonl4KnrBpZqlqyP+52gO17km39IDT2PYg0egXDEtgRQZJk68nGNJa/tGX
         SjT1G5XTYBzEOQJ8gw7Eh98WlUhx8Lk017LJbmqNYBplc/N9AWhA/PLgvlgNrAtjaBH3
         VjmIvDWCXFllhpxmOStNjLg5MW3VD1m9u4yU1h0r25ThJOui22H7ElTFoyj2C0h38K3g
         PsHA4VkPsA7NkIA3mp3gMqr0FcNzEZ/aGPetScdmhkutZT8WTgTwA7IKZ75qat8NNk2X
         hqZ4qBn/hCi/Q4b1TcwU+Zs4GjImOwBXr108M5OS0BDrRztbF4kvXEJ6TYmhCYncFLN+
         SZCg==
X-Gm-Message-State: AJIora8NI9jn7g11XoIzEThMiGwGhdv8FcUB2/5AHUFN7hK1ZpXxfNuB
	hWl3uF84obosma6zyFkXBrL/Owo=
X-Google-Smtp-Source: 
 AGRyM1vp5D7KtAIwbZuWBcV6WXvCFoP7Sbed2vVEKCoE284wiEj/Qi2clX5cWcAQ3mb99Pg3ce7swR0=
X-Received: from pcc-desktop.svl.corp.google.com
 ([2620:15c:2ce:200:ff27:d65:6bb8:b084])
 (user=pcc job=sendgmr) by 2002:a5b:18e:0:b0:66e:ca1c:bab0 with SMTP id
 r14-20020a5b018e000000b0066eca1cbab0mr6050295ybl.298.1657315274526; Fri, 08
 Jul 2022 14:21:14 -0700 (PDT)
Date: Fri,  8 Jul 2022 14:21:03 -0700
Message-Id: <20220708212106.325260-1-pcc@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.37.0.144.g8ac04bfd2-goog
Subject: [PATCH v2 0/3] KVM: arm64: support MTE in protected VMs
From: Peter Collingbourne <pcc@google.com>
To: kvmarm@lists.cs.columbia.edu
Cc: Peter Collingbourne <pcc@google.com>, Marc Zyngier <maz@kernel.org>,
 kvm@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>, linux-arm-kernel@lists.infradead.org,
	Michael Roth <michael.roth@amd.com>,
 Catalin Marinas <catalin.marinas@arm.com>,
	Chao Peng <chao.p.peng@linux.intel.com>, Will Deacon <will@kernel.org>,
	Evgenii Stepanov <eugenis@google.com>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220708_142118_637833_47A9044D 
X-CRM114-Status: GOOD (  14.47  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Hi,

This patch series contains a proposed extension to pKVM that allows MTE
to be exposed to the protected guests. It is based on the base pKVM
series previously sent to the list [1] and later rebased to 5.19-rc3
and uploaded to [2].

This series takes precautions against host compromise of the guests
via direct access to their tag storage, by preventing the host from
accessing the tag storage via stage 2 page tables. The device tree
must describe the physical memory address of the tag storage, if any,
and the memory nodes must declare that the tag storage location is
described. Otherwise, the MTE feature is disabled in protected guests.

Now that we can easily do so, we also prevent the host from accessing
any unmapped reserved-memory regions without a driver, as the host
has no business accessing that memory.

A proposed extension to the devicetree specification is available at
[3], a patched version of QEMU that produces the required device tree
nodes is available at [4] and a patched version of the crosvm hypervisor
that enables MTE is available at [5].

v2:
- refcount the PTEs owned by NOBODY

[1] https://lore.kernel.org/all/20220519134204.5379-1-will@kernel.org/
[2] https://android-kvm.googlesource.com/linux/ for-upstream/pkvm-base-v2
[3] https://github.com/pcc/devicetree-specification mte-alloc
[4] https://github.com/pcc/qemu mte-shared-alloc
[5] https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3719324

Peter Collingbourne (3):
  KVM: arm64: add a hypercall for disowning pages
  KVM: arm64: disown unused reserved-memory regions
  KVM: arm64: allow MTE in protected VMs if the tag storage is known

 arch/arm64/include/asm/kvm_asm.h              |  1 +
 arch/arm64/include/asm/kvm_host.h             |  6 ++
 arch/arm64/include/asm/kvm_pkvm.h             |  4 +-
 arch/arm64/kernel/image-vars.h                |  3 +
 arch/arm64/kvm/arm.c                          | 83 ++++++++++++++++++-
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h |  1 +
 arch/arm64/kvm/hyp/include/nvhe/pkvm.h        |  1 +
 arch/arm64/kvm/hyp/nvhe/hyp-main.c            |  9 ++
 arch/arm64/kvm/hyp/nvhe/mem_protect.c         | 11 +++
 arch/arm64/kvm/hyp/nvhe/pkvm.c                |  8 +-
 arch/arm64/kvm/mmu.c                          |  4 +-
 11 files changed, 123 insertions(+), 8 deletions(-)