From: Quentin Perret
To: Marc Zyngier, James Morse, Alexandru Elisei, Suzuki K Poulose, Catalin Marinas, Will Deacon, Fuad Tabba, David Brazdil, Andrew Walbran
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com, qperret@google.com
Date: Tue, 19 Oct 2021 13:12:49 +0100
Message-Id: <20211019121304.2732332-1-qperret@google.com>
Subject: [PATCH v2 00/15] KVM: arm64: pkvm: Implement unshare hypercall

Hi all,

This is v2 of the series previously posted here:

  https://lore.kernel.org/kvmarm/20211013155831.943476-1-qperret@google.com/

This series implements an unshare hypercall at EL2 in nVHE protected mode,
and makes use of it to unmap guest-specific data-structures from EL2 stage-1
during guest tear-down. Crucially, the implementation of the share and
unshare routines uses page refcounts in the host kernel to avoid accidentally
unmapping data-structures that overlap a common page.

This series has two main benefits. Firstly it allows EL2 to track the state
of shared pages cleanly, as they can now transition from SHARED back to
OWNED. This will simplify permission checks once e.g. pkvm implements a
donation hcall to provide memory to protected guests, as there should then
be no reason for the host to donate a page that is currently marked shared.
And secondly, it avoids having dangling mappings in the hypervisor's
stage-1, which should be a good idea from a security perspective as the
hypervisor is obviously running with elevated privileges. And perhaps worth
noting is that this also refactors the EL2 page-tracking checks in a more
scalable way, which should allow to implement other memory transitions (host
donating memory to a guest, a guest sharing back with the host, ...) much
more easily in the future.

Changes since v2:

 - moved the refcounting of pages shared more than once to the host in order
   to simplify and optimize the hyp code;

 - synchronized lifetime of the vcpu and its parent task struct using
   get_task_struct() / put_task_struct();

 - rebased on kvmarm/next

 - rebased on Marc's v2 refactoring of the first vcpu run:
   https://lore.kernel.org/kvmarm/20211018211158.3050779-1-maz@kernel.org

 - small improvements/refactoring throughout;

This has been lightly tested on Qemu, by spawning and powering off a guest
50 times. You can find a branch with everything applied here:

  https://android-kvm.googlesource.com/linux qperret/hyp-unshare-v2

Thanks!
Quentin

Quentin Perret (7):
  KVM: arm64: Check if running in VHE from kvm_host_owns_hyp_mappings()
  KVM: arm64: Provide {get,put}_page() stubs for early hyp allocator
  KVM: arm64: Refcount hyp stage-1 pgtable pages
  KVM: arm64: Fixup hyp stage-1 refcount
  KVM: arm64: Introduce kvm_share_hyp()
  KVM: arm64: pkvm: Refcount the pages shared with EL2
  KVM: arm64: pkvm: Unshare guest structs during teardown

Will Deacon (8):
  KVM: arm64: Hook up ->page_count() for hypervisor stage-1 page-table
  KVM: arm64: Implement kvm_pgtable_hyp_unmap() at EL2
  KVM: arm64: Extend pkvm_page_state enumeration to handle absent pages
  KVM: arm64: Introduce wrappers for host and hyp spin lock accessors
  KVM: arm64: Implement do_share() helper for sharing memory
  KVM: arm64: Implement __pkvm_host_share_hyp() using do_share()
  KVM: arm64: Implement do_unshare() helper for unsharing memory
  KVM: arm64: Expose unshare hypercall to the host

 arch/arm64/include/asm/kvm_asm.h              |   1 +
 arch/arm64/include/asm/kvm_host.h             |   2 +
 arch/arm64/include/asm/kvm_mmu.h              |   2 +
 arch/arm64/include/asm/kvm_pgtable.h          |  21 +
 arch/arm64/kvm/arm.c                          |   6 +-
 arch/arm64/kvm/fpsimd.c                       |  33 +-
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h |   6 +
 arch/arm64/kvm/hyp/nvhe/early_alloc.c         |   5 +
 arch/arm64/kvm/hyp/nvhe/hyp-main.c            |   8 +
 arch/arm64/kvm/hyp/nvhe/mem_protect.c         | 500 +++++++++++++++---
 arch/arm64/kvm/hyp/nvhe/setup.c               |  32 +-
 arch/arm64/kvm/hyp/pgtable.c                  |  80 ++-
 arch/arm64/kvm/mmu.c                          | 132 ++++-
 arch/arm64/kvm/reset.c                        |  10 +-
 14 files changed, 733 insertions(+), 105 deletions(-)

-- 
2.33.0.1079.g6e70778dc9-goog
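
The cover letter's central point, host-side refcounts deciding when the share and unshare hypercalls are issued so that structures overlapping a common page do not unmap each other, is modelled below as an added example; it is a user-space sketch, not code from this series or from the kernel. All names (hyp_share, host_share_range, PAGE_OWNED, ...), the two-state page model and the 8-page address space are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define NR_PAGES   8    /* constructed toy physical address space */

/* Names below belong to this model only; they are not the kernel's. */
enum page_state { PAGE_OWNED, PAGE_SHARED };
static enum page_state hyp_state[NR_PAGES]; /* "EL2" view, one state per page */
static unsigned int host_refs[NR_PAGES];    /* host view: live users per page */
static int hyp_calls;                       /* modelled hypercalls issued */

/* "EL2" side: accept a transition only from the expected current state. */
static int hyp_transition(size_t pfn, enum page_state from, enum page_state to)
{
    hyp_calls++;
    if (pfn >= NR_PAGES || hyp_state[pfn] != from)
        return -1;
    hyp_state[pfn] = to;
    return 0;
}
static int hyp_share(size_t pfn)   { return hyp_transition(pfn, PAGE_OWNED, PAGE_SHARED); }
static int hyp_unshare(size_t pfn) { return hyp_transition(pfn, PAGE_SHARED, PAGE_OWNED); }

static int range_to_pfns(uintptr_t addr, size_t size, size_t *first, size_t *last)
{
    *first = addr >> PAGE_SHIFT;
    *last = (addr + size - 1) >> PAGE_SHIFT;
    return (size && addr + size > addr && *last < NR_PAGES) ? 0 : -1;
}

/* Host side: only the first user of a page asks EL2 to share it. */
int host_share_range(uintptr_t addr, size_t size)
{
    size_t first, last, pfn;

    if (range_to_pfns(addr, size, &first, &last))
        return -1;
    for (pfn = first; pfn <= last; pfn++) {
        if (host_refs[pfn] == 0 && hyp_share(pfn))
            goto undo;
        host_refs[pfn]++;
    }
    return 0;
undo:   /* drop the references taken so far */
    while (pfn-- > first)
        if (--host_refs[pfn] == 0)
            hyp_unshare(pfn);
    return -1;
}

/* Host side: only the last user of a page asks EL2 to unshare it. */
int host_unshare_range(uintptr_t addr, size_t size)
{
    size_t first, last, pfn;

    if (range_to_pfns(addr, size, &first, &last))
        return -1;
    for (pfn = first; pfn <= last; pfn++)
        if (host_refs[pfn] == 0)
            return -1;  /* unbalanced unshare: change nothing */
    for (pfn = first; pfn <= last; pfn++)
        if (--host_refs[pfn] == 0 && hyp_unshare(pfn))
            return -1;
    return 0;
}
```

With one object straddling pages 1-2 and a second object inside page 2, tearing down the first returns page 1 to OWNED but leaves page 2 SHARED until the second object is unshared as well.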