From patchwork Thu Nov 26 15:54:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Brazdil X-Patchwork-Id: 11934307 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5448EC63697 for ; Thu, 26 Nov 2020 15:57:39 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D68FB21D40 for ; Thu, 26 Nov 2020 15:57:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="kCHJNvk1"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="ZzoISy5I" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D68FB21D40 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=ZTb/6wuc1ppgVdUvEfSzLjYDOsKadqZcpJgn3h/wv6A=; b=kCHJNvk1HUVJEu19/MB+zaNzz HoAbFWL8RdMzp/toQXWQfzL+RlqHUyLfm1e3PaBaDx1M9Ahdf8xK1O7CLwKfrconGA3AMWGvSc1oH 2VaD8gXM05nkNre6OWJFUOXBMdhznfVcqZ3EaCy+JWWj6tnl3Y9Lrn2k4VcxvZOGZV0QwZdjF2pw0 4/j48LcR/DEB4/k4ETgjVIlvM3mR8iikd5sQoqTjw3K9JV8cLRxW5zxx0njxUT4zk4qOz42zmOJqT dFcw3VYKvncV1crUZJGsdu1/4R+fSG9ZFKmQlCeAhv7d6/nlhAVNztqpCOgQjFsPCZZg+7FH3QTW7 7mhGFMVyA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kiJcX-00084l-Ne; Thu, 26 Nov 2020 15:55:45 +0000 Received: from mail-wr1-x442.google.com ([2a00:1450:4864:20::442]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kiJbU-0007h7-C4 for linux-arm-kernel@lists.infradead.org; Thu, 26 Nov 2020 15:54:41 +0000 Received: by mail-wr1-x442.google.com with SMTP id z7so2645090wrn.3 for ; Thu, 26 Nov 2020 07:54:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=txa3gmLNZHrKqQEh2rRK806HAOB8/IMPENffeRn2Pp8=; b=ZzoISy5IBgKnYUDSKLr4ou3Hmpa7vhh20W36eivbCgG7/560M52OOFTXLUxAKoFV8a PBuwaGiqAm+4JH02iFzu3eb36E9VnlcDWPyev/kMaU5ucflRuB6CSahFxT5c2fcKIrXo OasaMJbdGe1vTJKcamZK55+4r8AGeP5kGb53s8a2v6LsQRwdh+hYYLMCS482yRa43LoZ vUsT+QqEFp0529JcVHSKd6+YmEnRYQD3E41jTl1KFycA4JB/gtHY4NXsHBziHtiOiOaO 2EuNnguAmi6l+obHw6xfXSKVBefA7yCJdjiN+URyOPsHKM0XDVNPWJACJNsnervf0jqO gtqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=txa3gmLNZHrKqQEh2rRK806HAOB8/IMPENffeRn2Pp8=; b=bUJGRBfiV0zwj1+aIs+xMvW6tBr7WhTWs8xDI0rNwwIWxKRzJyjAS0Suu91bEAT8bO yT8LoF5tEHQbWfDGHBLD3Jeas2h1+4qLUQ8MND+wnUnwu1GmE8o2XwNEeh7/+G1cTrR5 A6KwjM185yQKUUjZa1i7ZZKmomiucvLn2PCHfxNaM+JN47BW/82WRTgFs0/LbjA758X0 jYPuqWQFmjphfmGi3pcWqVVfMz1srqEve6k3s6h5W3Huz7j+eUiwUNffWr3/mWvf9Sal ntRbb6sr4JWd0TUZin0fuxjZi2jaxKMknYm9ZGlCrj5C7hncyrtXBOeqMmZVDiNsZ79u G2Qg== X-Gm-Message-State: AOAM5323oLJVc2wAr8cfDCWSOFasUyykGWEvdVPyMd1SPZt0zg9WtO3T p6z5llAD+m3sAa/vzRpJGPxnQQ== X-Google-Smtp-Source: ABdhPJwmwAB0qeB/yoQ0FYSa/sH0XxV6RjnpiuboG/gAt0L9d0uMTFj254pYIT1Ecf1dLKgj9sUIfQ== X-Received: by 2002:a5d:66cd:: with SMTP id k13mr4618637wrw.365.1606406079235; Thu, 26 Nov 2020 07:54:39 -0800 (PST) Received: from localhost ([2a01:4b00:8523:2d03:f008:704d:8d4b:9951]) by smtp.gmail.com with ESMTPSA id o4sm8750577wmh.33.2020.11.26.07.54.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 26 Nov 2020 07:54:38 -0800 (PST) From: David Brazdil To: kvmarm@lists.cs.columbia.edu Subject: [PATCH v3 06/23] kvm: arm64: Add kvm-arm.protected early kernel parameter Date: Thu, 26 Nov 2020 15:54:04 +0000 Message-Id: <20201126155421.14901-7-dbrazdil@google.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201126155421.14901-1-dbrazdil@google.com> References: <20201126155421.14901-1-dbrazdil@google.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201126_105440_518668_6E6086BF X-CRM114-Status: GOOD ( 23.34 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Lorenzo Pieralisi , kernel-team@android.com, Jonathan Corbet , Catalin Marinas , Suzuki K Poulose , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Sudeep Holla , James Morse , linux-arm-kernel@lists.infradead.org, Marc Zyngier , Tejun Heo , Dennis Zhou , Christoph Lameter , David Brazdil , Will Deacon , Julien Thierry Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add an early parameter that allows users to opt into protected KVM mode when using the nVHE hypervisor. In this mode, guest state will be kept private from the host. This will primarily involve enabling stage-2 address translation for the host, restricting DMA to host memory, and filtering host SMCs. Capability ARM64_PROTECTED_KVM is set if the param is passed, CONFIG_KVM is enabled and the kernel was not booted with VHE. Signed-off-by: David Brazdil --- .../admin-guide/kernel-parameters.txt | 5 ++++ arch/arm64/include/asm/cpucaps.h | 3 +- arch/arm64/include/asm/virt.h | 8 +++++ arch/arm64/kernel/cpufeature.c | 29 +++++++++++++++++++ arch/arm64/kvm/arm.c | 4 ++- 5 files changed, 47 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 526d65d8573a..06c89975c29c 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2259,6 +2259,11 @@ for all guests. Default is 1 (enabled) if in 64-bit or 32-bit PAE mode. + kvm-arm.protected= + [KVM,ARM] Allow spawning protected guests whose state + is kept private from the host. Only valid for non-VHE. + Default is 0 (disabled). + kvm-arm.vgic_v3_group0_trap= [KVM,ARM] Trap guest accesses to GICv3 group-0 system registers diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h index 162539d4c8cd..9fab6cbffce2 100644 --- a/arch/arm64/include/asm/cpucaps.h +++ b/arch/arm64/include/asm/cpucaps.h @@ -66,7 +66,8 @@ #define ARM64_HAS_TLB_RANGE 56 #define ARM64_MTE 57 #define ARM64_WORKAROUND_1508412 58 +#define ARM64_PROTECTED_KVM 59 -#define ARM64_NCAPS 59 +#define ARM64_NCAPS 60 #endif /* __ASM_CPUCAPS_H */ diff --git a/arch/arm64/include/asm/virt.h b/arch/arm64/include/asm/virt.h index 6069be50baf9..2fde1186b962 100644 --- a/arch/arm64/include/asm/virt.h +++ b/arch/arm64/include/asm/virt.h @@ -97,6 +97,14 @@ static __always_inline bool has_vhe(void) return cpus_have_final_cap(ARM64_HAS_VIRT_HOST_EXTN); } +static __always_inline bool is_protected_kvm_enabled(void) +{ + if (is_vhe_hyp_code()) + return false; + else + return cpus_have_final_cap(ARM64_PROTECTED_KVM); +} + #endif /* __ASSEMBLY__ */ #endif /* ! __ASM__VIRT_H */ diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 6f36c4f62f69..dd5bc0f0cf0d 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1709,6 +1709,29 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap) } #endif /* CONFIG_ARM64_MTE */ +#ifdef CONFIG_KVM +static bool enable_protected_kvm; + +static bool has_protected_kvm(const struct arm64_cpu_capabilities *entry, int __unused) +{ + if (!enable_protected_kvm) + return false; + + if (is_kernel_in_hyp_mode()) { + pr_warn("Protected KVM not available with VHE\n"); + return false; + } + + return true; +} + +static int __init early_protected_kvm_cfg(char *buf) +{ + return strtobool(buf, &enable_protected_kvm); +} +early_param("kvm-arm.protected", early_protected_kvm_cfg); +#endif /* CONFIG_KVM */ + /* Internal helper functions to match cpu capability type */ static bool cpucap_late_cpu_optional(const struct arm64_cpu_capabilities *cap) @@ -1822,6 +1845,12 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .field_pos = ID_AA64PFR0_EL1_SHIFT, .min_field_value = ID_AA64PFR0_EL1_32BIT_64BIT, }, + { + .desc = "Protected KVM", + .capability = ARM64_PROTECTED_KVM, + .type = ARM64_CPUCAP_SYSTEM_FEATURE, + .matches = has_protected_kvm, + }, #endif { .desc = "Kernel page table isolation (KPTI)", diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index 2d0a37c75cda..b25035dc0478 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -1818,7 +1818,9 @@ int kvm_arch_init(void *opaque) if (err) goto out_hyp; - if (in_hyp_mode) + if (is_protected_kvm_enabled()) + kvm_info("Protected nVHE mode initialized successfully\n"); + else if (in_hyp_mode) kvm_info("VHE mode initialized successfully\n"); else kvm_info("Hyp mode initialized successfully\n");