From: Bharata B Rao <bharata@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org, kvm-ppc@vger.kernel.org,
	linux-mm@kvack.org
Cc: paulus@au1.ibm.com, aneesh.kumar@linux.vnet.ibm.com,
	jglisse@redhat.com, cclaudio@linux.ibm.com, linuxram@us.ibm.com,
	sukadev@linux.vnet.ibm.com, hch@lst.de,
	Sukadev Bhattiprolu <sukadev@linux.ibm.com>,
	Ram Pai <linuxram@linux.ibm.com>,
	Bharata B Rao <bharata@linux.ibm.com>
Subject: [PATCH v10 7/8] KVM: PPC: Implement H_SVM_INIT_ABORT hcall
Date: Mon,  4 Nov 2019 09:47:59 +0530
Message-ID: <20191104041800.24527-8-bharata@linux.ibm.com>
In-Reply-To: <20191104041800.24527-1-bharata@linux.ibm.com>

From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>

Implement the H_SVM_INIT_ABORT hcall which the Ultravisor can use to
abort an SVM after it has issued the H_SVM_INIT_START and before the
H_SVM_INIT_DONE hcalls. This hcall could be used when Ultravisor
encounters security violations or other errors when starting an SVM.

Note that this hcall is different from UV_SVM_TERMINATE ucall which
is used by HV to terminate/cleanup an SVM.

In case of H_SVM_INIT_ABORT, we should page-out all the pages back to
HV (i.e., we should not skip the page-out). Otherwise the VM's pages,
possibly including its text/data would be stuck in secure memory.
Since the SVM did not go secure, its MSR_S bit will be clear and the
VM won't be able to access its pages even to do a clean exit.

Based on patches and discussion with Ram Pai and Bharata Rao.

Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Signed-off-by: Ram Pai <linuxram@linux.ibm.com>
Signed-off-by: Bharata B Rao <bharata@linux.ibm.com>
---
 Documentation/powerpc/ultravisor.rst        | 39 +++++++++++++++++++++
 arch/powerpc/include/asm/hvcall.h           |  1 +
 arch/powerpc/include/asm/kvm_book3s_uvmem.h |  6 ++++
 arch/powerpc/include/asm/kvm_host.h         |  1 +
 arch/powerpc/kvm/book3s_hv.c                |  3 ++
 arch/powerpc/kvm/book3s_hv_rmhandlers.S     | 23 ++++++++++--
 arch/powerpc/kvm/book3s_hv_uvmem.c          | 29 +++++++++++++++
 7 files changed, 100 insertions(+), 2 deletions(-)

diff --git a/Documentation/powerpc/ultravisor.rst b/Documentation/powerpc/ultravisor.rst
index 730854f73830..286cabadc566 100644
--- a/Documentation/powerpc/ultravisor.rst
+++ b/Documentation/powerpc/ultravisor.rst
@@ -948,6 +948,45 @@ Use cases
     up its internal state for this virtual machine.
 
 
+H_SVM_INIT_ABORT
+----------------
+
+    Abort the process of securing an SVM.
+
+Syntax
+~~~~~~
+
+.. code-block:: c
+
+	uint64_t hypercall(const uint64_t H_SVM_INIT_ABORT)
+
+Return values
+~~~~~~~~~~~~~
+
+    One of the following values:
+
+	* H_SUCCESS 		on success.
+	* H_UNSUPPORTED		if called from the wrong context (e.g.
+				from an SVM or before an H_SVM_INIT_START
+				hypercall).
+
+Description
+~~~~~~~~~~~
+
+    Abort the process of securing a virtual machine. This call must
+    be made after a prior call to ``H_SVM_INIT_START`` hypercall.
+
+Use cases
+~~~~~~~~~
+
+
+    On successfully securing a virtual machine, the Ultravisor informs
+    If the Ultravisor is unable to secure a virtual machine either due
+    to lack of resources or because the VM's security information could
+    not be validated, Ultravisor informs the Hypervisor about it.
+    Hypervisor can use this call to clean up any internal state for this
+    virtual machine.
+
 H_SVM_PAGE_IN
 -------------
 
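Review bot: in the new "Use cases" text, the line "On successfully securing a virtual machine, the Ultravisor informs" is an unfinished sentence that looks like a leftover from another section; drop it so the paragraph starts at "If the Ultravisor is unable to secure a virtual machine". The extra blank line after the "Use cases" underline can go as well. The H_UNSUPPORTED entry also promises rejection when the call comes "from an SVM", so the wording here and the state check in kvmppc_h_svm_init_abort() need to agree.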
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index 13bd870609c3..e90c073e437e 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -350,6 +350,7 @@
 #define H_SVM_PAGE_OUT		0xEF04
 #define H_SVM_INIT_START	0xEF08
 #define H_SVM_INIT_DONE		0xEF0C
+#define H_SVM_INIT_ABORT	0xEF14
 
 /* Values for 2nd argument to H_SET_MODE */
 #define H_SET_MODE_RESOURCE_SET_CIABR		1
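Review bot: H_SVM_INIT_ABORT is assigned 0xEF14 while the preceding values step 0xEF04, 0xEF08, 0xEF0C, so 0xEF10 is skipped without explanation. If 0xEF10 is reserved or used elsewhere, a short comment next to the define or a line in the commit message would keep the gap from being read as a typo.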
diff --git a/arch/powerpc/include/asm/kvm_book3s_uvmem.h b/arch/powerpc/include/asm/kvm_book3s_uvmem.h
index 3cf8425b9838..eaea400ea715 100644
--- a/arch/powerpc/include/asm/kvm_book3s_uvmem.h
+++ b/arch/powerpc/include/asm/kvm_book3s_uvmem.h
@@ -18,6 +18,7 @@ unsigned long kvmppc_h_svm_page_out(struct kvm *kvm,
 				    unsigned long page_shift);
 unsigned long kvmppc_h_svm_init_start(struct kvm *kvm);
 unsigned long kvmppc_h_svm_init_done(struct kvm *kvm);
+unsigned long kvmppc_h_svm_init_abort(struct kvm *kvm);
 int kvmppc_send_page_to_uv(struct kvm *kvm, unsigned long gfn);
 void kvmppc_uvmem_drop_pages(const struct kvm_memory_slot *free,
 			     struct kvm *kvm, bool skip_page_out);
@@ -62,6 +63,11 @@ static inline unsigned long kvmppc_h_svm_init_done(struct kvm *kvm)
 	return H_UNSUPPORTED;
 }
 
+static inline unsigned long kvmppc_h_svm_init_abort(struct kvm *kvm)
+{
+	return H_UNSUPPORTED;
+}
+
 static inline int kvmppc_send_page_to_uv(struct kvm *kvm, unsigned long gfn)
 {
 	return -EFAULT;
diff --git a/arch/powerpc/include/asm/kvm_host.h b/arch/powerpc/include/asm/kvm_host.h
index 577ca95fac7c..8310c0407383 100644
--- a/arch/powerpc/include/asm/kvm_host.h
+++ b/arch/powerpc/include/asm/kvm_host.h
@@ -278,6 +278,7 @@ struct kvm_resize_hpt;
 /* Flag values for kvm_arch.secure_guest */
 #define KVMPPC_SECURE_INIT_START 0x1 /* H_SVM_INIT_START has been called */
 #define KVMPPC_SECURE_INIT_DONE  0x2 /* H_SVM_INIT_DONE completed */
+#define KVMPPC_SECURE_INIT_ABORT 0x4 /* H_SVM_INIT_ABORT issued */
 
 struct kvm_arch {
 	unsigned int lpid;
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index d2bc4e9bbe7e..ad4e38ce7b55 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -1099,6 +1099,9 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu)
 	case H_SVM_INIT_DONE:
 		ret = kvmppc_h_svm_init_done(vcpu->kvm);
 		break;
+	case H_SVM_INIT_ABORT:
+		ret = kvmppc_h_svm_init_abort(vcpu->kvm);
+		break;
 
 	default:
 		return RESUME_HOST;
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index faebcbb8c4db..8d192c9947cd 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -1112,10 +1112,10 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 	ld	r6, VCPU_KVM(r4)
 	lbz	r7, KVM_SECURE_GUEST(r6)
 	cmpdi	r7, 0
+	bne	check_svm_abort
+
 	ld	r6, VCPU_GPR(R6)(r4)
 	ld	r7, VCPU_GPR(R7)(r4)
-	bne	ret_to_ultra
-
 	lwz	r0, VCPU_CR(r4)
 	mtcr	r0
 
@@ -1125,6 +1125,21 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 	ld	r4, VCPU_GPR(R4)(r4)
 	HRFI_TO_GUEST
 	b	.
+
+/*
+ * If SVM is about to abort, return to UV one last time but clear the
+ * secure_guest state so future fast_guest_returns return to the normal
+ * VM. We expect following state and we will restore the state.
+ *   R6 = kvm
+ *   R7 = kvm->secure_guest
+ */
+check_svm_abort:
+
+	cmpdi	r7, 4	/* KVMPPC_SECURE_INIT_ABORT */
+	bne	ret_to_ultra
+	li	r7, 0
+	stb	r7, KVM_SECURE_GUEST(r6)
+
 /*
  * Use UV_RETURN ultracall to return control back to the Ultravisor after
  * processing an hypercall or interrupt that was forwarded (a.k.a. reflected)
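Review bot: "cmpdi r7, 4" at check_svm_abort hardcodes the value of KVMPPC_SECURE_INIT_ABORT and tests for equality, so it only works while kvmppc_h_svm_init_abort() assigns the flag instead of ORing it into secure_guest, and it breaks silently if the define in kvm_host.h changes. Using the symbolic constant would tie the assembly to the header. The "stb r7, KVM_SECURE_GUEST(r6)" also clears per-VM state from a single vCPU's return path; the comment should state what is expected of other vCPUs that reach the "cmpdi r7, 0" test before and after this store.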
@@ -1134,8 +1149,12 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
  *   R0 = hcall result
  *   R2 = SRR1, so UV can detect a synthesized interrupt (if any)
  *   R3 = UV_RETURN
+ *   R6 = kvm (to be restored)
+ *   R7 = kvm->secure_guest (to be restored)
  */
 ret_to_ultra:
+	ld	r6, VCPU_GPR(R6)(r4)
+	ld	r7, VCPU_GPR(R7)(r4)
 	lwz	r0, VCPU_CR(r4)
 	mtcr	r0
 
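Review bot: the added comment lines "R6 = kvm (to be restored)" and "R7 = kvm->secure_guest (to be restored)" sit in the same list as R0, R2 and R3, which describe what is handed to the Ultravisor, so they read as if kvm and secure_guest were passed to UV as well. A separate sentence saying that r6/r7 are scratch on entry to ret_to_ultra and are reloaded from VCPU_GPR before UV_RETURN would be clearer.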
diff --git a/arch/powerpc/kvm/book3s_hv_uvmem.c b/arch/powerpc/kvm/book3s_hv_uvmem.c
index 2df0d3f80c60..627dfe4abf08 100644
--- a/arch/powerpc/kvm/book3s_hv_uvmem.c
+++ b/arch/powerpc/kvm/book3s_hv_uvmem.c
@@ -284,6 +284,35 @@ void kvmppc_uvmem_drop_pages(const struct kvm_memory_slot *free,
 	}
 }
 
+unsigned long kvmppc_h_svm_init_abort(struct kvm *kvm)
+{
+	int i;
+	int srcu_idx;
+
+	if (!(kvm->arch.secure_guest & KVMPPC_SECURE_INIT_START))
+		return H_UNSUPPORTED;
+
+	srcu_idx = srcu_read_lock(&kvm->srcu);
+	for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
+		struct kvm_memory_slot *memslot;
+		struct kvm_memslots *slots = __kvm_memslots(kvm, i);
+
+		if (!slots)
+			continue;
+
+		kvm_for_each_memslot(memslot, slots) {
+			kvmppc_uvmem_drop_pages(memslot, kvm, false);
+			uv_unregister_mem_slot(kvm->arch.lpid, memslot->id);
+			kvmppc_uvmem_slot_free(kvm, memslot);
+		}
+	}
+	srcu_read_unlock(&kvm->srcu, srcu_idx);
+
+	kvm->arch.secure_guest = KVMPPC_SECURE_INIT_ABORT;
+	pr_info("LPID %d: Switching to secure aborted\n", kvm->arch.lpid);
+	return H_SUCCESS;
+}
+
 /*
  * Get a free device PFN from the pool
  *
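Review bot: the entry check "if (!(kvm->arch.secure_guest & KVMPPC_SECURE_INIT_START))" only rejects calls made before H_SVM_INIT_START; if the START bit remains set once KVMPPC_SECURE_INIT_DONE is added, an abort arriving after H_SVM_INIT_DONE is accepted, although the commit message limits the hcall to the window between the two and ultravisor.rst promises H_UNSUPPORTED when called from an SVM. Consider testing for KVMPPC_SECURE_INIT_DONE here too. The return value of uv_unregister_mem_slot() is also ignored in the loop, so a failed unregister still ends in H_SUCCESS; a warning on failure would help.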
-- 
2.21.0


