Date: Fri, 8 Oct 2021 16:58:32 +0100
In-Reply-To: <20211008155832.1415010-1-tabba@google.com>
Message-Id: <20211008155832.1415010-12-tabba@google.com>
References: <20211008155832.1415010-1-tabba@google.com>
Subject: [PATCH v7 11/11] KVM: arm64: Handle protected guests at 32 bits
From: Fuad Tabba
To: kvmarm@lists.cs.columbia.edu
Cc: maz@kernel.org, will@kernel.org, james.morse@arm.com, alexandru.elisei@arm.com, suzuki.poulose@arm.com, mark.rutland@arm.com, christoffer.dall@arm.com, pbonzini@redhat.com, drjones@redhat.com, oupton@google.com, qperret@google.com, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-team@android.com, tabba@google.com

Protected KVM does not support protected AArch32 guests. However, it is
possible for the guest to force run AArch32, potentially causing problems.
Add an extra check so that if the hypervisor catches the guest doing that,
it can prevent the guest from running again by resetting vcpu->arch.target
and returning ARM_EXCEPTION_IL.

If this were to happen, the VMM can try and fix it by re-initializing the
vcpu with KVM_ARM_VCPU_INIT, however, this is likely not possible for
protected VMs.

Adapted from commit 22f553842b14 ("KVM: arm64: Handle Asymmetric AArch32 systems")

Signed-off-by: Fuad Tabba
---
 arch/arm64/kvm/hyp/nvhe/switch.c | 34 ++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c index 2c72c31e516e..f97e3012ef60 100644 --- a/arch/arm64/kvm/hyp/nvhe/switch.c +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -232,6 +232,37 @@ static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm *kvm) return hyp_exit_handlers; } +/* + * Some guests (e.g., protected VMs) are not be allowed to run in AArch32. + * The ARMv8 architecture does not give the hypervisor a mechanism to prevent a + * guest from dropping to AArch32 EL0 if implemented by the CPU. If the + * hypervisor spots a guest in such a state ensure it is handled, and don't + * trust the host to spot or fix it. The check below is based on the one in + * kvm_arch_vcpu_ioctl_run(). + * + * Returns false if the guest ran in AArch32 when it shouldn't have, and + * thus should exit to the host, or true if a the guest run loop can continue. + */ +static bool handle_aarch32_guest(struct kvm_vcpu *vcpu, u64 *exit_code) +{ + const struct kvm *kvm = kern_hyp_va(vcpu->kvm); + + if (kvm_vm_is_protected(kvm) && vcpu_mode_is_32bit(vcpu)) { + /* + * As we have caught the guest red-handed, decide that it isn't + * fit for purpose anymore by making the vcpu invalid. The VMM + * can try and fix it by re-initializing the vcpu with + * KVM_ARM_VCPU_INIT, however, this is likely not possible for + * protected VMs. + */ + vcpu->arch.target = -1; + *exit_code = ARM_EXCEPTION_IL; + return false; + } + + return true; +} + /* Switch to the guest for legacy non-VHE systems */ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) { 
@@ -294,6 +325,9 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) /* Jump in the fire! */ exit_code = __guest_enter(vcpu); + if (unlikely(!handle_aarch32_guest(vcpu, &exit_code))) + break; + /* And we're baaack! */ } while (fixup_guest_exit(vcpu, &exit_code)); -- 2.33.0.882.g93a45727a2-goog
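Review bot: In the first hunk (handle_aarch32_guest()), "*exit_code = ARM_EXCEPTION_IL;" replaces the value returned by __guest_enter() outright, so anything else that value carried is dropped before the host sees it. Either preserve the parts that must survive and only replace the exception class, or say in the comment why discarding the original exit code is safe. The comment above the function tells the reader not to trust the host, yet the inner comment only says re-initializing with KVM_ARM_VCPU_INIT is "likely not possible for protected VMs"; please state what actually prevents it, since setting vcpu->arch.target = -1 is the whole enforcement here. Two typos in the block comment: "are not be allowed" and "true if a the guest run loop can continue".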
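Review bot: In the second hunk (__kvm_vcpu_run()), the new check runs between __guest_enter() and fixup_guest_exit(), and its "break" leaves the loop so fixup_guest_exit() never runs for that exit. Please document why skipping the fixup path is acceptable here, or fold the check into the exit handling so both happen. Also confirm that vcpu_mode_is_32bit(vcpu) reads state that already reflects this exit at that point in the loop; if the saved mode is only refreshed later, the check would be looking at the previous value and should move after the refresh, with a comment noting the ordering requirement.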