From: Will Deacon <will@kernel.org>
To: Mark Rutland <mark.rutland@arm.com>
Cc: kvmarm@lists.cs.columbia.edu, Marc Zyngier <maz@kernel.org>,
	James Morse <james.morse@arm.com>,
	Alexandru Elisei <alexandru.elisei@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Christoffer Dall <christoffer.dall@arm.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Fuad Tabba <tabba@google.com>,
	Quentin Perret <qperret@google.com>,
	Sean Christopherson <seanjc@google.com>,
	David Brazdil <dbrazdil@google.com>,
	kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 1/4] KVM: arm64: Ignore 'kvm-arm.mode=protected' when using VHE
Date: Mon, 7 Jun 2021 20:28:18 +0100
Message-ID: <20210607192818.GA7929@willie-the-truck>
In-Reply-To: <20210604140117.GA69333@C02TD0UTHF1T.local>

On Fri, Jun 04, 2021 at 03:01:17PM +0100, Mark Rutland wrote:
> On Thu, Jun 03, 2021 at 07:33:44PM +0100, Will Deacon wrote:
> > Ignore 'kvm-arm.mode=protected' when using VHE so that kvm_get_mode()
> > only returns KVM_MODE_PROTECTED on systems where the feature is available.
> 
> IIUC, since the introduction of the idreg-override code, and the
> mutate_to_vhe stuff, passing 'kvm-arm.mode=protected' should make the
> kernel stick to EL1, right? So this should only affect M1 (or other HW
> with a similar impediment).

It's not just about the M1, unfortunately. You can boot with:

	"kvm-arm.mode=protected id_aa64mmfr1.vh=1"

which will force VHE mode, so we should fail protected mode in that case.

> One minor comment below; otherwise:
> 
> Acked-by: Mark Rutland <mark.rutland@arm.com>

Thanks, I'll keep the tag but please yell if you want me to drop it.

> > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> > index efed2830d141..dc1f2e747828 100644
> > --- a/arch/arm64/kernel/cpufeature.c
> > +++ b/arch/arm64/kernel/cpufeature.c
> > @@ -1773,15 +1773,7 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
> >  #ifdef CONFIG_KVM
> >  static bool is_kvm_protected_mode(const struct arm64_cpu_capabilities *entry, int __unused)
> >  {
> > -	if (kvm_get_mode() != KVM_MODE_PROTECTED)
> > -		return false;
> > -
> > -	if (is_kernel_in_hyp_mode()) {
> > -		pr_warn("Protected KVM not available with VHE\n");
> > -		return false;
> > -	}
> > -
> > -	return true;
> > +	return kvm_get_mode() == KVM_MODE_PROTECTED;
> >  }
> >  #endif /* CONFIG_KVM */
> >  
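
Review bot: is_kvm_protected_mode() now returns true whenever kvm_get_mode() reports KVM_MODE_PROTECTED, so with the is_kernel_in_hyp_mode() check removed here the function is only correct if the mode can never be set to protected under VHE. That guarantee now lives in a different file (the early_kvm_mode_cfg() change below), so a one-line comment above the return, stating that the VHE case is filtered when the parameter is parsed, would stop a later change to the parser from quietly re-enabling the capability on VHE.
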
> > diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> > index 1cb39c0803a4..8d5e23198dfd 100644
> > --- a/arch/arm64/kvm/arm.c
> > +++ b/arch/arm64/kvm/arm.c
> > @@ -2121,7 +2121,11 @@ static int __init early_kvm_mode_cfg(char *arg)
> >  		return -EINVAL;
> >  
> >  	if (strcmp(arg, "protected") == 0) {
> > -		kvm_mode = KVM_MODE_PROTECTED;
> > +		if (!is_kernel_in_hyp_mode())
> > +			kvm_mode = KVM_MODE_PROTECTED;
> > +		else
> > +			pr_warn_once("Protected KVM not available with VHE\n");
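
Review bot: in the else branch kvm_mode is left at whatever it held before, and the pr_warn_once() text does not say so, so a user who asked for protected mode ends up in a different mode with a message that only states what is unavailable. Since the requested mode is an isolation feature, consider making the fallback explicit in the string, for example by appending that 'kvm-arm.mode=protected' is being ignored, which also matches the wording of the patch subject.
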
> 
> ... assuming this is only for M1, it might be better to say:
> 
> 	Protected KVM not available on this hardware
> 
> ... since that doesn't suggest that other VHE-capable HW is also not
> PKVM-capable.

I'm just moving the existing string here, but as above, it's not M1
specific.

Will
