From patchwork Tue Oct 5 11:37:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Will Deacon X-Patchwork-Id: 12536437 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 328FCC433EF for ; Tue, 5 Oct 2021 11:40:37 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 07FA461371 for ; Tue, 5 Oct 2021 11:40:37 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 07FA461371 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=VgJuXK3feL4zf1XQOo1pYkgJWVpEKhKxmPMvNhqZjYw=; b=qLC0bJVXro1qrV AGPl3NFj1w8e0+iP/GVR7ShwnYTl64tAlwUuwEvEojBfgZOYjHExQ1Py2gPEigm8ENAnID6U91BbS yksHZbHwiTXA1oMZtXQliaaN8iIYRRM3lD4eZDXTk6PXG4wgdzD6/hNketC5WD2iNBC7bS+lmHVsf s1pSf7FDYU1RCE0XgxoU4GLEg7Z6xj0K9svycRfK7zmTC5weYG3fej7ubVvY/8NMs6D3/k7CejwT9 JztEd4urA3SHtaiIvNXhLQyf+EulOHbFelAV9YgwezS/wjOcVNsMyrCTiXKXimOkpPdr9/KJeXC8d xjKMtDn+1RM/w7xI7u9A==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mXimo-00AAcW-1b; Tue, 05 Oct 2021 11:39:06 +0000 Received: from mail.kernel.org ([198.145.29.99]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mXilW-00A9tA-3m for linux-arm-kernel@lists.infradead.org; Tue, 05 Oct 2021 11:37:47 +0000 Received: by mail.kernel.org (Postfix) with ESMTPSA id 43EC4610A2; Tue, 5 Oct 2021 11:37:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1633433865; bh=vZRSH0NmMYFtmmfRnRM8uIc0XaXXLPFQu8SIAIVXB84=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MtlNbx1hrLBB4VAPkGP/dzRH81Mxihkni1QtwXOYOd+6Ol0jAd8+w5IMwxqgZ/2Ou 1M4WFuYVjYkSxuWHBE5VBe6eUhl5OgaXKsvtlrNoYpKdBYebottdQ3ZnsrlKTppYoF oyDT7BiIXGGzIhZydkgpHNj1lSFD6Qw7Lwpi1UZaBOGQ4JEVEnfHJYw3zxSaS85ef+ 065Wt8S93UPutzj8H/FKVTY2CDKyP71ApgIe169+8iDSd7Og+3m5oZrR+n0s6IJzDi hpGYR0y0ySfkTebC7DennjS4clly8BAH3fGu6k+YqIRNHG1nIgxxIT5NLQWecMgzUG 7MtcdG6fd4xcw== From: Will Deacon To: linux-arm-kernel@lists.infradead.org Cc: Will Deacon , Marc Zyngier , Quentin Perret , Catalin Marinas , Alexandru Elisei , Suzuki K Poulose , Mark Rutland , kvmarm@lists.cs.columbia.edu Subject: [PATCH v2 5/5] KVM: arm64: Disable privileged hypercalls after pKVM finalisation Date: Tue, 5 Oct 2021 12:37:21 +0100 Message-Id: <20211005113721.29441-6-will@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20211005113721.29441-1-will@kernel.org> References: <20211005113721.29441-1-will@kernel.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211005_043746_226116_6364C4C2 X-CRM114-Status: GOOD ( 17.16 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org After pKVM has been 'finalised' using the __pkvm_prot_finalize hypercall, the calling CPU will have a Stage-2 translation enabled to prevent access to memory pages owned by EL2. Although this forms a significant part of the process to deprivilege the host kernel, we also need to ensure that the hypercall interface is reduced so that the EL2 code cannot, for example, be re-initialised using a new set of vectors. Re-order the hypercalls so that only a suffix remains available after finalisation of pKVM. Cc: Marc Zyngier Cc: Quentin Perret Signed-off-by: Will Deacon Signed-off-by: Marc Zyngier Acked-by: Will Deacon --- arch/arm64/include/asm/kvm_asm.h | 43 ++++++++++++++++-------------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 37 +++++++++++++++++-------- 2 files changed, 49 insertions(+), 31 deletions(-) diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h index e86045ac43ba..68630fd382c5 100644 --- a/arch/arm64/include/asm/kvm_asm.h +++ b/arch/arm64/include/asm/kvm_asm.h @@ -43,27 +43,30 @@ #define KVM_HOST_SMCCC_FUNC(name) KVM_HOST_SMCCC_ID(__KVM_HOST_SMCCC_FUNC_##name) +/* Hypercalls available only prior to pKVM finalisation */ #define __KVM_HOST_SMCCC_FUNC___kvm_hyp_init 0 -#define __KVM_HOST_SMCCC_FUNC___kvm_vcpu_run 1 -#define __KVM_HOST_SMCCC_FUNC___kvm_flush_vm_context 2 -#define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid_ipa 3 -#define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid 4 -#define __KVM_HOST_SMCCC_FUNC___kvm_flush_cpu_context 5 -#define __KVM_HOST_SMCCC_FUNC___kvm_timer_set_cntvoff 6 -#define __KVM_HOST_SMCCC_FUNC___kvm_enable_ssbs 7 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_get_gic_config 8 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_read_vmcr 9 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_write_vmcr 10 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_init_lrs 11 -#define __KVM_HOST_SMCCC_FUNC___kvm_get_mdcr_el2 12 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_save_aprs 13 -#define __KVM_HOST_SMCCC_FUNC___vgic_v3_restore_aprs 14 -#define __KVM_HOST_SMCCC_FUNC___pkvm_init 15 -#define __KVM_HOST_SMCCC_FUNC___pkvm_host_share_hyp 16 -#define __KVM_HOST_SMCCC_FUNC___pkvm_create_private_mapping 17 -#define __KVM_HOST_SMCCC_FUNC___pkvm_cpu_set_vector 18 -#define __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize 19 -#define __KVM_HOST_SMCCC_FUNC___kvm_adjust_pc 20 +#define __KVM_HOST_SMCCC_FUNC___kvm_get_mdcr_el2 1 +#define __KVM_HOST_SMCCC_FUNC___pkvm_init 2 +#define __KVM_HOST_SMCCC_FUNC___pkvm_create_private_mapping 3 +#define __KVM_HOST_SMCCC_FUNC___pkvm_cpu_set_vector 4 +#define __KVM_HOST_SMCCC_FUNC___kvm_enable_ssbs 5 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_init_lrs 6 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_get_gic_config 7 +#define __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize 8 + +/* Hypercalls available after pKVM finalisation */ +#define __KVM_HOST_SMCCC_FUNC___pkvm_host_share_hyp 9 +#define __KVM_HOST_SMCCC_FUNC___kvm_adjust_pc 10 +#define __KVM_HOST_SMCCC_FUNC___kvm_vcpu_run 11 +#define __KVM_HOST_SMCCC_FUNC___kvm_flush_vm_context 12 +#define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid_ipa 13 +#define __KVM_HOST_SMCCC_FUNC___kvm_tlb_flush_vmid 14 +#define __KVM_HOST_SMCCC_FUNC___kvm_flush_cpu_context 15 +#define __KVM_HOST_SMCCC_FUNC___kvm_timer_set_cntvoff 16 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_read_vmcr 17 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_write_vmcr 18 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_save_aprs 19 +#define __KVM_HOST_SMCCC_FUNC___vgic_v3_restore_aprs 20 #ifndef __ASSEMBLY__ diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c index 2da6aa8da868..8566805ef62c 100644 --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c @@ -165,36 +165,51 @@ typedef void (*hcall_t)(struct kvm_cpu_context *); #define HANDLE_FUNC(x) [__KVM_HOST_SMCCC_FUNC_##x] = (hcall_t)handle_##x static const hcall_t host_hcall[] = { - HANDLE_FUNC(__kvm_vcpu_run), + /* ___kvm_hyp_init */ + HANDLE_FUNC(__kvm_get_mdcr_el2), + HANDLE_FUNC(__pkvm_init), + HANDLE_FUNC(__pkvm_create_private_mapping), + HANDLE_FUNC(__pkvm_cpu_set_vector), + HANDLE_FUNC(__kvm_enable_ssbs), + HANDLE_FUNC(__vgic_v3_init_lrs), + HANDLE_FUNC(__vgic_v3_get_gic_config), + HANDLE_FUNC(__pkvm_prot_finalize), + + HANDLE_FUNC(__pkvm_host_share_hyp), HANDLE_FUNC(__kvm_adjust_pc), + HANDLE_FUNC(__kvm_vcpu_run), HANDLE_FUNC(__kvm_flush_vm_context), HANDLE_FUNC(__kvm_tlb_flush_vmid_ipa), HANDLE_FUNC(__kvm_tlb_flush_vmid), HANDLE_FUNC(__kvm_flush_cpu_context), HANDLE_FUNC(__kvm_timer_set_cntvoff), - HANDLE_FUNC(__kvm_enable_ssbs), - HANDLE_FUNC(__vgic_v3_get_gic_config), HANDLE_FUNC(__vgic_v3_read_vmcr), HANDLE_FUNC(__vgic_v3_write_vmcr), - HANDLE_FUNC(__vgic_v3_init_lrs), - HANDLE_FUNC(__kvm_get_mdcr_el2), HANDLE_FUNC(__vgic_v3_save_aprs), HANDLE_FUNC(__vgic_v3_restore_aprs), - HANDLE_FUNC(__pkvm_init), - HANDLE_FUNC(__pkvm_cpu_set_vector), - HANDLE_FUNC(__pkvm_host_share_hyp), - HANDLE_FUNC(__pkvm_create_private_mapping), - HANDLE_FUNC(__pkvm_prot_finalize), }; static void handle_host_hcall(struct kvm_cpu_context *host_ctxt) { DECLARE_REG(unsigned long, id, host_ctxt, 0); + unsigned long hcall_min = 0; hcall_t hfn; + /* + * If pKVM has been initialised then reject any calls to the + * early "privileged" hypercalls. Note that we cannot reject + * calls to __pkvm_prot_finalize for two reasons: (1) The static + * key used to determine initialisation must be toggled prior to + * finalisation and (2) finalisation is performed on a per-CPU + * basis. This is all fine, however, since __pkvm_prot_finalize + * returns -EPERM after the first call for a given CPU. + */ + if (static_branch_unlikely(&kvm_protected_mode_initialized)) + hcall_min = __KVM_HOST_SMCCC_FUNC___pkvm_prot_finalize; + id -= KVM_HOST_SMCCC_ID(0); - if (unlikely(id >= ARRAY_SIZE(host_hcall))) + if (unlikely(id < hcall_min || id >= ARRAY_SIZE(host_hcall))) goto inval; hfn = host_hcall[id];