Date: Thu, 17 Feb 2022 16:29:06 +0000
From: Alexandru Elisei
To: Marc Zyngier
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, Andre Przywara, Christoffer Dall, Jintack Lim, Haibo Xu, Ganapatrao Kulkarni, Chase Conklin, "Russell King (Oracle)", James Morse, Suzuki K Poulose, karl.heubaum@oracle.com, mihai.carabas@oracle.com, miguel.luis@oracle.com, kernel-team@android.com
Subject: Re: [PATCH v6 37/64] KVM: arm64: nv: Restrict S2 RD/WR permissions to match the guest's
References: <20220128121912.509006-1-maz@kernel.org> <20220128121912.509006-38-maz@kernel.org>
In-Reply-To: <20220128121912.509006-38-maz@kernel.org>

Hi,

On Fri, Jan 28, 2022 at 12:18:45PM +0000, Marc Zyngier wrote:
> When mapping a page in a shadow stage-2, special care must be
> taken not to be more permissive than the guest is (writable or
> readable page when the guest hasn't set that permission).
>
> Signed-off-by: Marc Zyngier
> ---
> arch/arm64/include/asm/kvm_nested.h | 15 +++++++++++++++
> arch/arm64/kvm/mmu.c | 14 +++++++++++++-
> arch/arm64/kvm/nested.c | 2 +-
> 3 files changed, 29 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/include/asm/kvm_nested.h b/arch/arm64/include/asm/kvm_nested.h
> index 4fad4d3848ce..f4b846d09d86 100644
> --- a/arch/arm64/include/asm/kvm_nested.h
> +++ b/arch/arm64/include/asm/kvm_nested.h
> @@ -97,6 +97,21 @@ static inline u32 kvm_s2_trans_esr(struct kvm_s2_trans *trans) > return trans->esr; > } > > +static inline bool kvm_s2_trans_readable(struct kvm_s2_trans *trans) > +{ > + return trans->readable; > +} > + > +static inline bool kvm_s2_trans_writable(struct kvm_s2_trans *trans) > +{ > + return trans->writable; > +} > + > +static inline bool kvm_s2_trans_executable(struct kvm_s2_trans *trans) > +{ > + return !(trans->upper_attr & BIT(54)); > +} > + > extern int kvm_walk_nested_s2(struct kvm_vcpu *vcpu, phys_addr_t gipa, > struct kvm_s2_trans *result); > > diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c > index 36f7ecb4f81b..7c56e1522d3c 100644 > --- a/arch/arm64/kvm/mmu.c > +++ b/arch/arm64/kvm/mmu.c > @@ -1247,6 +1247,17 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, > if (exec_fault && device) > return -ENOEXEC; > > + /* > + * Potentially reduce shadow S2 permissions to match the guest's own > + * S2. For exec faults, we'd only reach this point if the guest > + * actually allowed it (see kvm_s2_handle_perm_fault). > + */ > + if (kvm_is_shadow_s2_fault(vcpu)) { > + writable &= kvm_s2_trans_writable(nested); I was a bit confused about writable being true when write_fault is false. After some digging, it turns out that hva_to_pfn() opportunistically makes writable true, even for read faults. > + if (!kvm_s2_trans_readable(nested)) > + prot &= ~KVM_PGTABLE_PROT_R; The local variable "prot" is initialized to KVM_PGTABLE_PROT_R, so this check makes sense. > + } > + > spin_lock(&kvm->mmu_lock); > pgt = vcpu->arch.hw_mmu->pgt; > if (mmu_notifier_retry(kvm, mmu_seq)) > @@ -1285,7 +1296,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, > > if (device) > prot |= KVM_PGTABLE_PROT_DEVICE; > - else if (cpus_have_const_cap(ARM64_HAS_CACHE_DIC)) > + else if (cpus_have_const_cap(ARM64_HAS_CACHE_DIC) && > + kvm_s2_trans_executable(nested)) > prot |= KVM_PGTABLE_PROT_X; > > /*
> diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c > index 0a9708f776fc..a74ffb1d2064 100644 > --- a/arch/arm64/kvm/nested.c > +++ b/arch/arm64/kvm/nested.c 
> @@ -481,7 +481,7 @@ int kvm_s2_handle_perm_fault(struct kvm_vcpu *vcpu, struct kvm_s2_trans *trans) > return 0; > > if (kvm_vcpu_trap_is_iabt(vcpu)) { > - forward_fault = (trans->upper_attr & BIT(54)); > + forward_fault = !kvm_s2_trans_executable(trans); > } else { > bool write_fault = kvm_is_write_fault(vcpu);

The patch looks good to me:

Reviewed-by: Alexandru Elisei

Thanks,
Alex
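Review bot: in the kvm_nested.h hunk, kvm_s2_trans_executable() tests `trans->upper_attr & BIT(54)` as a bare magic number. Since the nested.c hunk of this same patch removes the only other open-coded `BIT(54)` in favour of this helper, this is the natural place to give the bit a name, or at least a comment saying it is the stage-2 execute-never attribute, so a reader does not need the descriptor layout in their head to see that "executable" means "XN clear".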
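Review bot: in the first mmu.c hunk (the block under `if (kvm_is_shadow_s2_fault(vcpu))`), the two checks only ever remove permissions, which is the right direction, but they are independent of each other: a guest S2 entry that is writable but not readable leaves `writable` set while `prot` loses KVM_PGTABLE_PROT_R. If a shadow mapping with write but no read permission is intended to be legal here, a one-line comment saying so would spare the next reviewer the same question; if the page-table code does not expect that combination, this is the place to reject it.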
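Review bot: in the second mmu.c hunk, `kvm_s2_trans_executable(nested)` is evaluated unconditionally, whereas the hunk just above only touches `nested` inside `if (kvm_is_shadow_s2_fault(vcpu))`. If `nested` is not a valid translation result for a non-shadow fault (a NULL pointer, or an uninitialised struct for a guest that is not running a nested hypervisor), this either dereferences garbage or silently drops KVM_PGTABLE_PROT_X for an ordinary guest. Suggest mirroring the guard, e.g. `else if (cpus_have_const_cap(ARM64_HAS_CACHE_DIC) && (!kvm_is_shadow_s2_fault(vcpu) || kvm_s2_trans_executable(nested)))`, or whatever the equivalent validity check on `nested` is in this function.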