From: "Mickaël Salaün" <mic@digikod.net>
To: Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Kees Cook <keescook@chromium.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexander Graf" <graf@amazon.com>,
"Chao Peng" <chao.p.peng@linux.intel.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"Forrest Yuan Yu" <yuanyu@google.com>,
"James Gowans" <jgowans@amazon.com>,
"James Morris" <jamorris@linux.microsoft.com>,
"John Andersen" <john.s.andersen@intel.com>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
"Marian Rotariu" <marian.c.rotariu@gmail.com>,
"Mihai Donțu" <mdontu@bitdefender.com>,
"Nicușor Cîțu" <nicu.citu@icloud.com>,
"Thara Gopinath" <tgopinath@microsoft.com>,
"Trilok Soni" <quic_tsoni@quicinc.com>,
"Wei Liu" <wei.liu@kernel.org>, "Will Deacon" <will@kernel.org>,
"Yu Zhang" <yu.c.zhang@linux.intel.com>,
"Zahra Tarkhani" <ztarkhani@microsoft.com>,
"Ștefan Șicleru" <ssicleru@bitdefender.com>,
dev@lists.cloudhypervisor.org, kvm@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, qemu-devel@nongnu.org,
virtualization@lists.linux-foundation.org, x86@kernel.org,
xen-devel@lists.xenproject.org
Subject: [RFC PATCH v2 03/19] KVM: x86: Add notifications for Heki policy configuration and violation
Date: Sun, 12 Nov 2023 21:23:10 -0500 [thread overview]
Message-ID: <20231113022326.24388-4-mic@digikod.net> (raw)
In-Reply-To: <20231113022326.24388-1-mic@digikod.net>
Add an interface for user space to be notified about guests' Heki policy
and related violations.
Extend the KVM_ENABLE_CAP IOCTL with KVM_CAP_HEKI_CONFIGURE and
KVM_CAP_HEKI_DENIAL. Each one takes a bitmask as first argument that can
contains KVM_HEKI_EXIT_REASON_CR0 and KVM_HEKI_EXIT_REASON_CR4. The
returned value is the bitmask of known Heki exit reasons, for now:
KVM_HEKI_EXIT_REASON_CR0 and KVM_HEKI_EXIT_REASON_CR4.
If KVM_CAP_HEKI_CONFIGURE is set, a VM exit will be triggered for each
KVM_HC_LOCK_CR_UPDATE hypercalls according to the requested control
register. This enables to enlighten the VMM with the guest
auto-restrictions.
If KVM_CAP_HEKI_DENIAL is set, a VM exit will be triggered for each
pinned CR violation. This enables the VMM to react to a policy
violation.
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Madhavan T. Venkataraman <madvenka@linux.microsoft.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
Changes since v1:
* New patch. Making user space aware of Heki properties was requested by
Sean Christopherson.
---
arch/x86/kvm/vmx/vmx.c | 5 +-
arch/x86/kvm/x86.c | 114 +++++++++++++++++++++++++++++++++++----
arch/x86/kvm/x86.h | 7 +--
include/linux/kvm_host.h | 2 +
include/uapi/linux/kvm.h | 22 ++++++++
5 files changed, 136 insertions(+), 14 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index f487bf16dd96..b631b1d7ba30 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5444,6 +5444,7 @@ static int handle_cr(struct kvm_vcpu *vcpu)
int reg;
int err;
int ret;
+ bool exit = false;
exit_qualification = vmx_get_exit_qual(vcpu);
cr = exit_qualification & 15;
@@ -5453,8 +5454,8 @@ static int handle_cr(struct kvm_vcpu *vcpu)
val = kvm_register_read(vcpu, reg);
trace_kvm_cr_write(cr, val);
- ret = heki_check_cr(vcpu, cr, val);
- if (ret)
+ ret = heki_check_cr(vcpu, cr, val, &exit);
+ if (exit)
return ret;
switch (cr) {
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4e6c4c21f12c..43c28a6953bf 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -119,6 +119,10 @@ static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS;
#define KVM_CAP_PMU_VALID_MASK KVM_PMU_CAP_DISABLE
+#define KVM_HEKI_EXIT_REASON_VALID_MASK ( \
+ KVM_HEKI_EXIT_REASON_CR0 | \
+ KVM_HEKI_EXIT_REASON_CR4)
+
#define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \
KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK)
@@ -4644,6 +4648,10 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
if (kvm_is_vm_type_supported(KVM_X86_SW_PROTECTED_VM))
r |= BIT(KVM_X86_SW_PROTECTED_VM);
break;
+ case KVM_CAP_HEKI_CONFIGURE:
+ case KVM_CAP_HEKI_DENIAL:
+ r = KVM_HEKI_EXIT_REASON_VALID_MASK;
+ break;
default:
break;
}
@@ -6518,6 +6526,22 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
}
mutex_unlock(&kvm->lock);
break;
+#ifdef CONFIG_HEKI
+ case KVM_CAP_HEKI_CONFIGURE:
+ r = -EINVAL;
+ if (cap->args[0] & ~KVM_HEKI_EXIT_REASON_VALID_MASK)
+ break;
+ kvm->heki_configure_exit_reason = cap->args[0];
+ r = 0;
+ break;
+ case KVM_CAP_HEKI_DENIAL:
+ r = -EINVAL;
+ if (cap->args[0] & ~KVM_HEKI_EXIT_REASON_VALID_MASK)
+ break;
+ kvm->heki_denial_exit_reason = cap->args[0];
+ r = 0;
+ break;
+#endif
default:
r = -EINVAL;
break;
@@ -8056,11 +8080,60 @@ static unsigned long emulator_get_cr(struct x86_emulate_ctxt *ctxt, int cr)
#ifdef CONFIG_HEKI
+static int complete_heki_configure_exit(struct kvm_vcpu *const vcpu)
+{
+ kvm_rax_write(vcpu, 0);
+ ++vcpu->stat.hypercalls;
+ return kvm_skip_emulated_instruction(vcpu);
+}
+
+static int complete_heki_denial_exit(struct kvm_vcpu *const vcpu)
+{
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+}
+
+/* Returns true if the @exit_reason is handled by @vcpu->kvm. */
+static bool heki_exit_cr(struct kvm_vcpu *const vcpu, const __u32 exit_reason,
+ const u64 heki_reason, unsigned long value)
+{
+ switch (exit_reason) {
+ case KVM_EXIT_HEKI_CONFIGURE:
+ if (!(vcpu->kvm->heki_configure_exit_reason & heki_reason))
+ return false;
+
+ vcpu->run->heki_configure.reason = heki_reason;
+ memset(vcpu->run->heki_configure.reserved, 0,
+ sizeof(vcpu->run->heki_configure.reserved));
+ vcpu->run->heki_configure.cr_pinned = value;
+ vcpu->arch.complete_userspace_io = complete_heki_configure_exit;
+ break;
+ case KVM_EXIT_HEKI_DENIAL:
+ if (!(vcpu->kvm->heki_denial_exit_reason & heki_reason))
+ return false;
+
+ vcpu->run->heki_denial.reason = heki_reason;
+ memset(vcpu->run->heki_denial.reserved, 0,
+ sizeof(vcpu->run->heki_denial.reserved));
+ vcpu->run->heki_denial.cr_value = value;
+ vcpu->arch.complete_userspace_io = complete_heki_denial_exit;
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ return false;
+ }
+
+ vcpu->run->exit_reason = exit_reason;
+ return true;
+}
+
#define HEKI_ABI_VERSION 1
static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
- unsigned long pin, unsigned long flags)
+ unsigned long pin, unsigned long flags, bool *exit)
{
+ *exit = false;
+
if (flags) {
if ((flags == KVM_LOCK_CR_UPDATE_VERSION) && !cr && !pin)
return HEKI_ABI_VERSION;
@@ -8080,6 +8153,8 @@ static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
return -KVM_EINVAL;
atomic_long_or(pin, &vcpu->kvm->heki_pinned_cr0);
+ *exit = heki_exit_cr(vcpu, KVM_EXIT_HEKI_CONFIGURE,
+ KVM_HEKI_EXIT_REASON_CR0, pin);
return 0;
case 4:
/* Checks for irrelevant bits. */
@@ -8089,24 +8164,37 @@ static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
/* Ignores bits not present in host. */
pin &= __read_cr4();
atomic_long_or(pin, &vcpu->kvm->heki_pinned_cr4);
+ *exit = heki_exit_cr(vcpu, KVM_EXIT_HEKI_CONFIGURE,
+ KVM_HEKI_EXIT_REASON_CR4, pin);
return 0;
}
return -KVM_EINVAL;
}
+/*
+ * Sets @exit to true if the caller must exit (i.e. denied access) with the
+ * returned value:
+ * - 0 when kvm_run is configured;
+ * - 1 when there is no user space handler.
+ */
int heki_check_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
- const unsigned long val)
+ const unsigned long val, bool *exit)
{
unsigned long pinned;
+ *exit = false;
+
switch (cr) {
case 0:
pinned = atomic_long_read(&vcpu->kvm->heki_pinned_cr0);
if ((val & pinned) != pinned) {
pr_warn_ratelimited(
"heki: Blocked CR0 update: 0x%lx\n", val);
- kvm_inject_gp(vcpu, 0);
- return 1;
+ *exit = true;
+ if (heki_exit_cr(vcpu, KVM_EXIT_HEKI_DENIAL,
+ KVM_HEKI_EXIT_REASON_CR0, val))
+ return 0;
+ return complete_heki_denial_exit(vcpu);
}
return 0;
case 4:
@@ -8114,8 +8202,11 @@ int heki_check_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
if ((val & pinned) != pinned) {
pr_warn_ratelimited(
"heki: Blocked CR4 update: 0x%lx\n", val);
- kvm_inject_gp(vcpu, 0);
- return 1;
+ *exit = true;
+ if (heki_exit_cr(vcpu, KVM_EXIT_HEKI_DENIAL,
+ KVM_HEKI_EXIT_REASON_CR4, val))
+ return 0;
+ return complete_heki_denial_exit(vcpu);
}
return 0;
}
@@ -8129,9 +8220,10 @@ static int emulator_set_cr(struct x86_emulate_ctxt *ctxt, int cr, ulong val)
{
struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
int res = 0;
+ bool exit = false;
- res = heki_check_cr(vcpu, cr, val);
- if (res)
+ res = heki_check_cr(vcpu, cr, val, &exit);
+ if (exit)
return res;
switch (cr) {
@@ -9998,7 +10090,11 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
if (a0 > U32_MAX) {
ret = -KVM_EINVAL;
} else {
- ret = heki_lock_cr(vcpu, a0, a1, a2);
+ bool exit = false;
+
+ ret = heki_lock_cr(vcpu, a0, a1, a2, &exit);
+ if (exit)
+ return ret;
}
break;
#endif /* CONFIG_HEKI */
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index 193093112b55..f8f5c32bedd9 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -292,18 +292,19 @@ static inline bool kvm_check_has_quirk(struct kvm *kvm, u64 quirk)
#ifdef CONFIG_HEKI
-int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr, unsigned long val);
+int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr, unsigned long val,
+ bool *exit);
#else /* CONFIG_HEKI */
static inline int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr,
- unsigned long val)
+ unsigned long val, bool *exit)
{
return 0;
}
static inline int heki_lock_cr(struct kvm_vcpu *const vcpu, unsigned long cr,
- unsigned long pin)
+ unsigned long pin, bool *exit)
{
return 0;
}
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 6864c80ff936..ec32af17add8 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -838,6 +838,8 @@ struct kvm {
#ifdef CONFIG_HEKI
atomic_long_t heki_pinned_cr0;
atomic_long_t heki_pinned_cr4;
+ u64 heki_configure_exit_reason;
+ u64 heki_denial_exit_reason;
#endif /* CONFIG_HEKI */
#ifdef CONFIG_HAVE_KVM_PM_NOTIFIER
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 5b5820d19e71..2477b4a16126 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -279,6 +279,8 @@ struct kvm_xen_exit {
#define KVM_EXIT_RISCV_CSR 36
#define KVM_EXIT_NOTIFY 37
#define KVM_EXIT_MEMORY_FAULT 38
+#define KVM_EXIT_HEKI_CONFIGURE 39
+#define KVM_EXIT_HEKI_DENIAL 40
/* For KVM_EXIT_INTERNAL_ERROR */
/* Emulate instruction failed. */
@@ -532,6 +534,24 @@ struct kvm_run {
__u64 gpa;
__u64 size;
} memory_fault;
+ /* KVM_EXIT_HEKI_CONFIGURE */
+ struct {
+#define KVM_HEKI_EXIT_REASON_CR0 (1ULL << 0)
+#define KVM_HEKI_EXIT_REASON_CR4 (1ULL << 1)
+ __u64 reason;
+ union {
+ __u64 cr_pinned;
+ __u64 reserved[7]; /* ignored */
+ };
+ } heki_configure;
+ /* KVM_EXIT_HEKI_DENIAL */
+ struct {
+ __u64 reason;
+ union {
+ __u64 cr_value;
+ __u64 reserved[7]; /* ignored */
+ };
+ } heki_denial;
/* Fix the size of the union. */
char padding[256];
};
@@ -1219,6 +1239,8 @@ struct kvm_ppc_resize_hpt {
#define KVM_CAP_MEMORY_ATTRIBUTES 232
#define KVM_CAP_GUEST_MEMFD 233
#define KVM_CAP_VM_TYPES 234
+#define KVM_CAP_HEKI_CONFIGURE 235
+#define KVM_CAP_HEKI_DENIAL 236
#ifdef KVM_CAP_IRQ_ROUTING
--
2.42.1
next prev parent reply other threads:[~2023-11-13 2:24 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-13 2:23 [RFC PATCH v2 00/19] Hypervisor-Enforced Kernel Integrity Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 01/19] virt: Introduce Hypervisor Enforced Kernel Integrity (Heki) Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 02/19] KVM: x86: Add new hypercall to lock control registers Mickaël Salaün
2023-11-13 2:23 ` Mickaël Salaün [this message]
2023-11-13 2:23 ` [RFC PATCH v2 04/19] heki: Lock guest control registers at the end of guest kernel init Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 05/19] KVM: VMX: Add MBEC support Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 06/19] KVM: x86: Add kvm_x86_ops.fault_gva() Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 07/19] KVM: x86: Make memory attribute helpers more generic Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 08/19] KVM: x86: Extend kvm_vm_set_mem_attributes() with a mask Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 09/19] KVM: x86: Extend kvm_range_has_memory_attributes() with match_all Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 10/19] KVM: x86: Implement per-guest-page permissions Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 11/19] KVM: x86: Add new hypercall to set EPT permissions Mickaël Salaün
2023-11-13 4:45 ` kernel test robot
2023-11-13 2:23 ` [RFC PATCH v2 12/19] x86: Implement the Memory Table feature to store arbitrary per-page data Mickaël Salaün
2023-11-22 7:19 ` kernel test robot
2023-11-13 2:23 ` [RFC PATCH v2 13/19] heki: Implement a kernel page table walker Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 14/19] heki: x86: Initialize permissions counters for pages mapped into KVA Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 15/19] heki: x86: Initialize permissions counters for pages in vmap()/vunmap() Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 16/19] heki: x86: Update permissions counters when guest page permissions change Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 17/19] heki: x86: Update permissions counters during text patching Mickaël Salaün
2023-11-13 8:19 ` Peter Zijlstra
2023-11-27 16:48 ` Madhavan T. Venkataraman
2023-11-27 20:08 ` Peter Zijlstra
2023-11-29 21:07 ` Madhavan T. Venkataraman
2023-11-30 11:33 ` Peter Zijlstra
2023-12-06 16:37 ` Madhavan T. Venkataraman
2023-12-06 18:51 ` Peter Zijlstra
2023-12-08 18:41 ` Madhavan T. Venkataraman
2023-12-01 0:45 ` Edgecombe, Rick P
2023-12-06 16:41 ` Madhavan T. Venkataraman
2023-11-13 2:23 ` [RFC PATCH v2 18/19] heki: x86: Protect guest kernel memory using the KVM hypervisor Mickaël Salaün
2023-11-13 8:54 ` Peter Zijlstra
2023-11-27 17:05 ` Madhavan T. Venkataraman
2023-11-27 20:03 ` Peter Zijlstra
2023-11-29 19:47 ` Madhavan T. Venkataraman
2023-11-13 2:23 ` [RFC PATCH v2 19/19] virt: Add Heki KUnit tests Mickaël Salaün
2023-11-13 5:18 [RFC PATCH v2 14/19] heki: x86: Initialize permissions counters for pages mapped into KVA kernel test robot
2023-11-14 1:22 ` kernel test robot
2023-11-13 7:42 [RFC PATCH v2 10/19] KVM: x86: Implement per-guest-page permissions kernel test robot
2023-11-14 1:27 ` kernel test robot
2023-11-13 8:14 [RFC PATCH v2 18/19] heki: x86: Protect guest kernel memory using the KVM hypervisor kernel test robot
2023-11-14 1:30 ` kernel test robot
2023-11-13 12:37 [RFC PATCH v2 10/19] KVM: x86: Implement per-guest-page permissions kernel test robot
2023-11-14 1:29 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231113022326.24388-4-mic@digikod.net \
--to=mic@digikod.net \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dev@lists.cloudhypervisor.org \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jamorris@linux.microsoft.com \
--cc=jgowans@amazon.com \
--cc=john.s.andersen@intel.com \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=marian.c.rotariu@gmail.com \
--cc=mdontu@bitdefender.com \
--cc=mingo@redhat.com \
--cc=nicu.citu@icloud.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quic_tsoni@quicinc.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=ssicleru@bitdefender.com \
--cc=tglx@linutronix.de \
--cc=tgopinath@microsoft.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=wei.liu@kernel.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=yu.c.zhang@linux.intel.com \
--cc=yuanyu@google.com \
--cc=ztarkhani@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.