From: Fuad Tabba
Date: Wed, 21 Jul 2021 09:39:26 +0100
Subject: Re: [PATCH v3 14/15] KVM: arm64: Handle protected guests at 32 bits
To: Oliver Upton
Cc: kvmarm@lists.cs.columbia.edu, kernel-team@android.com, kvm@vger.kernel.org, maz@kernel.org, pbonzini@redhat.com, will@kernel.org, linux-arm-kernel@lists.infradead.org

Hi Oliver,

On Mon, Jul 19, 2021 at 8:43 PM Oliver Upton wrote:
>
> On Mon, Jul 19, 2021 at 9:04 AM Fuad Tabba wrote:
> >
> > Protected KVM does not support protected AArch32 guests. However,
> > it is possible for the guest to force run AArch32, potentially
> > causing problems. Add an extra check so that if the hypervisor
> > catches the guest doing that, it can prevent the guest from
> > running again by resetting vcpu->arch.target and returning
> > ARM_EXCEPTION_IL.
> >
> > Adapted from commit 22f553842b14 ("KVM: arm64: Handle Asymmetric
> > AArch32 systems")
> >
> > Signed-off-by: Fuad Tabba
>
> Would it make sense to document how we handle misbehaved guests, in
> case a particular VMM wants to clean up the mess afterwards?

I agree, especially since with this patch this could happen in more
than one place.

Thanks,
/fuad

> --
> Thanks,
> Oliver
>
> > --- > > arch/arm64/kvm/hyp/include/hyp/switch.h | 24 ++++++++++++++++++++++++ > > 1 file changed, 24 insertions(+) > > > > diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h > > index 8431f1514280..f09343e15a80 100644 > > --- a/arch/arm64/kvm/hyp/include/hyp/switch.h > > +++ b/arch/arm64/kvm/hyp/include/hyp/switch.h > > @@ -23,6 +23,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include 
> > @@ -477,6 +478,29 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code) > > write_sysreg_el2(read_sysreg_el2(SYS_ELR) - 4, SYS_ELR); > > } > > > > + /* > > + * Protected VMs might not be allowed to run in AArch32. The check below > > + * is based on the one in kvm_arch_vcpu_ioctl_run(). > > + * The ARMv8 architecture doesn't give the hypervisor a mechanism to > > + * prevent a guest from dropping to AArch32 EL0 if implemented by the > > + * CPU. If the hypervisor spots a guest in such a state ensure it is > > + * handled, and don't trust the host to spot or fix it. > > + */ > > + if (unlikely(is_nvhe_hyp_code() && > > + kvm_vm_is_protected(kern_hyp_va(vcpu->kvm)) && > > + FIELD_GET(FEATURE(ID_AA64PFR0_EL0), > > + PVM_ID_AA64PFR0_ALLOW) < > > + ID_AA64PFR0_ELx_32BIT_64BIT && > > + vcpu_mode_is_32bit(vcpu))) { > > + /* > > + * As we have caught the guest red-handed, decide that it isn't > > + * fit for purpose anymore by making the vcpu invalid. > > + */ > > + vcpu->arch.target = -1; > > + *exit_code = ARM_EXCEPTION_IL; > > + goto exit; > > + } > > + > > /* > > * We're using the raw exception code in order to only process > > * the trap if no SError is pending. 
We will come back to the > > -- > > 2.32.0.402.g57bb445576-goog
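Review bot: In the block added to fixup_guest_exit(), the comment says not to trust the host to spot or fix a guest running in AArch32, yet the only lasting effect is `vcpu->arch.target = -1`, and nothing in this hunk shows the hypervisor itself refusing to enter a vcpu in that state on the next run. Either name in the comment the check that consumes the invalid target for protected VMs, or add one on the hyp side, and document the resulting ARM_EXCEPTION_IL exit so a VMM knows what it will observe, as asked in the thread. Separately, the `FIELD_GET(FEATURE(ID_AA64PFR0_EL0), PVM_ID_AA64PFR0_ALLOW) < ID_AA64PFR0_ELx_32BIT_64BIT` term compares only constants; pulling it into a small named helper or macro would leave `vcpu_mode_is_32bit(vcpu)` as the one runtime test and make the condition easier to read.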