Date: Mon, 19 Jul 2021 11:47:35 +0100
In-Reply-To: <20210719104735.3681732-1-qperret@google.com>
Message-Id: <20210719104735.3681732-15-qperret@google.com>
Subject: [PATCH 14/14] KVM: arm64: Prevent late calls to __pkvm_create_private_mapping()
From: Quentin Perret
To: maz@kernel.org, james.morse@arm.com, alexandru.elisei@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, will@kernel.org
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, ardb@kernel.org, qwandor@google.com, tabba@google.com, dbrazdil@google.com, kernel-team@android.com, Quentin Perret

__pkvm_create_private_mapping() allows the host kernel to create
arbitrary mappings in the hypervisor's "private" range. However, this is
only needed early on, and there should be no good reason for the host
to need this past the point where the pkvm static is set. Make sure to
stub the hypercall past this point to ensure it can't be used by a
malicious host.

Signed-off-by: Quentin Perret
--- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c index f05ecbd382d0..e1d12f8122a7 100644 --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c 
@@ -154,7 +154,10 @@ static void handle___pkvm_create_private_mapping(struct kvm_cpu_context *host_ct DECLARE_REG(size_t, size, host_ctxt, 2); DECLARE_REG(enum kvm_pgtable_prot, prot, host_ctxt, 3); - cpu_reg(host_ctxt, 1) = __pkvm_create_private_mapping(phys, size, prot); + if (static_branch_unlikely(&kvm_protected_mode_initialized)) + cpu_reg(host_ctxt, 1) = -EPERM; + else + cpu_reg(host_ctxt, 1) = __pkvm_create_private_mapping(phys, size, prot); } static void handle___pkvm_prot_finalize(struct kvm_cpu_context *host_ctxt) -- 2.32.0.402.g57bb445576-goog
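
Review bot: the new `if (static_branch_unlikely(&kvm_protected_mode_initialized))` branch in handle___pkvm_create_private_mapping() carries no comment saying why the hypercall is refused with -EPERM once that key is set, so the security reason lives only in the commit message. A short comment above the check would do, noting that private mappings are only needed early on and that the host must not be able to create them afterwards. Two smaller points: the gate sits in this one handler, so any other setup-only hypercall would need its own copy of the check, and a single check at the point where host hypercalls are dispatched, if this file has one, may be easier to audit; and the two assignments to `cpu_reg(host_ctxt, 1)` could be folded into one store of a local return value, which also shortens the long `__pkvm_create_private_mapping(phys, size, prot)` line.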