From patchwork Thu Jun 23 02:19:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Collingbourne <pcc@google.com>
X-Patchwork-Id: 12891726
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 11570C433EF
	for <linux-arm-kernel@archiver.kernel.org>;
 Thu, 23 Jun 2022 02:28:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References:
	Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Owner;
	bh=SaxRVALBpH+9AoouVEGxO4mjr7fD7FEFebqkgG50FA4=; b=LfF+QHrnmHceoJHVhNuH0+7emu
	0Esg55TXiwP67xbDDlGXAW4TrteffDYEQUmGCsA4yRxWyr3rIaFhgdSakiG26Au6ul6byJyQc6yXg
	KhikEITOjjEkXVpPWqbOXNWCYp8wqyEhXivVBfSVX7ZGAnCu1ZRT45xZzdom8vcdoMjZXo9FrU1Oy
	vUkkz1Wfxgdw9WoOekUmzWZ2ivpP/m84iUlqoGj+nLlAOGWom5/RrhSIl9yGweShWjcT7qFQoaOWW
	EN+90II83baAKCgwGMUpqeVeiD3otx/9qoF/MKK+ka3lMMAgnHjeV2vi8ezYDMKO5aGUVZRr/E8hL
	lodIIoLg==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o4CZN-00D00k-D2; Thu, 23 Jun 2022 02:27:47 +0000
Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49])
	by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o4CRc-00CwQP-Ac
	for linux-arm-kernel@lists.infradead.org; Thu, 23 Jun 2022 02:19:47 +0000
Received: by mail-yb1-xb49.google.com with SMTP id
 r6-20020a5b06c6000000b006693f6a6d67so7006980ybq.7
        for <linux-arm-kernel@lists.infradead.org>;
 Wed, 22 Jun 2022 19:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=qmRSFVhsEhDBpfnqm4N8Fhb131UT2F+11PJ2keCwIs4=;
        b=qrU4bfPKoBkwTTiKfPve9s0Kfjp8vuFN1z7yGqlBJDfwPofkgZxH2msgkZnA46WpIg
         xG8zlJh5lI5v7J36zFE22Nf4NWZoPrVMg2ZGyQAjnuv5G1AZbdvGSHrUyzMRK9Md+7ud
         1l+fT1dftAhQYN7yJbaLAe0h/bU/teWnLgJkcRE+HPWctxwxdny1yeGSXwyiJLs2wifH
         kRrK6R/eCfVs5VOt4N6yOFX7UOnpfqC0hY/mE58OymHm0B7puwmwgCi+WonKm5WK/X0+
         BSndrmaGkVBWfm99WMNnpXqmrQMZdXDd+7IJAb0CsRMbaBZlDHus7yiwLKlGb0ZGx+r/
         LX5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=qmRSFVhsEhDBpfnqm4N8Fhb131UT2F+11PJ2keCwIs4=;
        b=Ceo9te9vv1aB5ADxXauXHq1hcIG3NpedabP0yxOvIX76hX6JCIF2FOoa9MjLTqYiHX
         BRM6AEchzAKuaBBwfrU60lnhcE35d9Y9oKqrgk/NXTbtGeZRryOOgXcwtUT9CclkMuhD
         RSWEAHR3V9f4kmw08hBo18xMEXrN1/1kYgQdXD6TH3WiYPUZLcqG3bL3P5KHNaoqK0pv
         2xVQWZv+VFTzvpOS64BJt6L3Ng0YSnCok++jPfNiV81PGL++ZES50VR91ZjHhDIaiUCR
         iqsQLGzsq/dsytElAxLjWZe8BmlOzqYEC8eV1LsX22+hPEFhqbX/3ubYVCfJnzfWxpM7
         SuZQ==
X-Gm-Message-State: AJIora+aw6MpG1wv5+Ed8pHdArcJDqZ5d9siPVO/rhvQfnYfaLVhP4hY
	BVja1bg+MWl/jvOILu8620gsG0o=
X-Google-Smtp-Source: 
 AGRyM1vvw84U2jyg/dWdtxTfS7KweL0nv+g/AhyHvwsGSckCZTqHtjS95hVvHN66mkERZ2IvAJ3TsBk=
X-Received: from pcc-desktop.svl.corp.google.com
 ([2620:15c:2ce:200:ba6f:123c:d287:a160])
 (user=pcc job=sendgmr) by 2002:a25:8887:0:b0:669:97f5:d0b8 with SMTP id
 d7-20020a258887000000b0066997f5d0b8mr5089027ybl.432.1655950780321; Wed, 22
 Jun 2022 19:19:40 -0700 (PDT)
Date: Wed, 22 Jun 2022 19:19:25 -0700
In-Reply-To: <20220623021926.3443240-1-pcc@google.com>
Message-Id: <20220623021926.3443240-3-pcc@google.com>
Mime-Version: 1.0
References: <20220623021926.3443240-1-pcc@google.com>
X-Mailer: git-send-email 2.37.0.rc0.104.g0611611a94-goog
Subject: [PATCH 2/3] KVM: arm64: disown unused reserved-memory regions
From: Peter Collingbourne <pcc@google.com>
To: kvmarm@lists.cs.columbia.edu
Cc: Peter Collingbourne <pcc@google.com>, Marc Zyngier <maz@kernel.org>,
 kvm@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>, linux-arm-kernel@lists.infradead.org,
	Michael Roth <michael.roth@amd.com>,
 Catalin Marinas <catalin.marinas@arm.com>,
	Chao Peng <chao.p.peng@linux.intel.com>, Will Deacon <will@kernel.org>,
	Evgenii Stepanov <eugenis@google.com>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220622_191944_565129_6A522E02 
X-CRM114-Status: GOOD (  15.96  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

The meaning of no-map on a reserved-memory node is as follows:

      Indicates the operating system must not create a virtual mapping
      of the region as part of its standard mapping of system memory,
      nor permit speculative access to it under any circumstances other
      than under the control of the device driver using the region.

If there is no compatible property, there is no device driver, so the
host kernel has no business accessing the reserved-memory region. Since
these regions may represent a route through which the host kernel
can gain additional privileges, disown any such memory regions before
deprivileging ourselves.

Signed-off-by: Peter Collingbourne <pcc@google.com>
---
 arch/arm64/kvm/arm.c | 46 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index db7cbca6ace4..38f0900b7ddb 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -4,6 +4,7 @@
  * Author: Christoffer Dall <c.dall@virtualopensystems.com>
  */
 
+#include <linux/acpi.h>
 #include <linux/bug.h>
 #include <linux/cpu_pm.h>
 #include <linux/entry-kvm.h>
@@ -12,6 +13,7 @@
 #include <linux/kvm_host.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/of.h>
 #include <linux/vmalloc.h>
 #include <linux/fs.h>
 #include <linux/mman.h>
@@ -1907,6 +1909,48 @@ static bool init_psci_relay(void)
 	return true;
 }
 
+static void disown_reserved_memory(struct device_node *node)
+{
+	int addr_cells = of_n_addr_cells(node);
+	int size_cells = of_n_size_cells(node);
+	const __be32 *reg, *end;
+	int len;
+
+	reg = of_get_property(node, "reg", &len);
+	if (len % (4 * (addr_cells + size_cells)))
+		return;
+
+	end = reg + (len / 4);
+	while (reg != end) {
+		u64 addr, size;
+
+		addr = of_read_number(reg, addr_cells);
+		reg += addr_cells;
+		size = of_read_number(reg, size_cells);
+		reg += size_cells;
+
+		kvm_call_hyp_nvhe(__pkvm_disown_pages, addr, size);
+	}
+}
+
+static void kvm_reserved_memory_init(void)
+{
+	struct device_node *parent, *node;
+
+	if (!acpi_disabled || !is_protected_kvm_enabled())
+		return;
+
+	parent = of_find_node_by_path("/reserved-memory");
+	if (!parent)
+		return;
+
+	for_each_child_of_node(parent, node) {
+		if (!of_get_property(node, "compatible", NULL) &&
+		    of_get_property(node, "no-map", NULL))
+			disown_reserved_memory(node);
+	}
+}
+
 static int init_subsystems(void)
 {
 	int err = 0;
@@ -1947,6 +1991,8 @@ static int init_subsystems(void)
 
 	kvm_register_perf_callbacks(NULL);
 
+	kvm_reserved_memory_init();
+
 out:
 	if (err || !is_protected_kvm_enabled())
 		on_each_cpu(_kvm_arch_hardware_disable, NULL, 1);