From: Fuad Tabba <tabba@google.com>
To: kvmarm@lists.cs.columbia.edu
Cc: maz@kernel.org, will@kernel.org, james.morse@arm.com,
alexandru.elisei@arm.com, suzuki.poulose@arm.com,
mark.rutland@arm.com, christoffer.dall@arm.com,
drjones@redhat.com, qperret@google.com, kvm@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kernel-team@android.com,
tabba@google.com
Subject: [RFC PATCH v1 00/30] Reduce scope of vcpu state at hyp by refactoring out state hyp needs
Date: Fri, 24 Sep 2021 13:53:29 +0100
Message-ID: <20210924125359.2587041-1-tabba@google.com>
Hi,
This is a prolog to a series where we try to maintain virtual machine and vcpu
state for protected VMs at the hypervisor [1].
The main issue is that in KVM, the VM state (struct kvm) and the vcpu state
(struct kvm_vcpu) are created by the host and are always accessible by it. For
protected VMs (pKVM [2]), only the hypervisor should have access to their state
and not trust the host to access it. Therefore, the hypervisor should maintain
a copy of VM state for all protected VMs to use that is not accessible by the
host.
The problem with using and with maintaining a copy of the existing kvm_vcpu
struct at the hypervisor is that it's big. Depending on the configuration, it
is in the order of 10kB (ymmv) per vcpu. Whereas most of what it needs to run a
VM is the kvm_cpu_ctxt and some hyp-related registers and flags, which amount
to less than 2kB. Many of the functions use the vcpu struct when all they
access is kvm_cpu_ctxt. Other functions only need that as well as a few
hypervisor state variables. Moreover, we would like to use the existing code,
rather than write new code for protected VMs that use new or special
structures.
This patch series reduces the scope of the functions that only need
kvm_cpu_ctxt to just that. It also takes out the few elements that are relevant
to the hypervisor from kvm_vcpu_arch into a new structure, vcpu_hyp_state. This
allows the remainder of the series to reduce the scope of everything accessed
by the hypervisor, at least for protected VMs, to kvm_cpu_ctxt and
vcpu_hyp_state (and maybe vgic if supported for protected VMs).
This series uses coccinelle semantic patches [3] as much as possible when
changes are made repetitively across many files. All patches that use
coccinelle are prefixed with COCCI.
Based on Linux 5.13-rc6.
Cheers,
/fuad
[1] https://android-kvm.googlesource.com/linux/+/refs/heads/tabba/el2-state-cocci-out
[2] Once complete, protected KVM adds the ability to create protected VMs.
These protected VMs are protected from the host Linux kernel (and from other
VMs), where the host does not have access to guest memory, even if compromised.
Normal (nVHE) guests can still be created and run in parallel with protected
VMs. Their functionality should not be affected.
For protected VMs, the host should not even have access to a protected guest's
state or anything that would enable it to manipulate it (e.g., vcpu register
context and el2 system registers); only hyp would have that access. If the host
could access that state, then it might be able to get around the protection
provided. Therefore, anything that is sensitive and that would require such
access needs to happen at hyp, hence the code in nvhe running only at hyp.
For more details about pKVM, please refer to Will's talk at KVM Forum 2020:
https://mirrors.edge.kernel.org/pub/linux/kernel/people/will/slides/kvmforum-2020-edited.pdf
https://www.youtube.com/watch?v=edqJSzsDRxk
[3] https://coccinelle.gitlabpages.inria.fr/website/
Fuad Tabba (30):
KVM: arm64: placeholder to check if VM is protected
[DONOTMERGE] Temporarily disable unused variable warning
[DONOTMERGE] Coccinelle scripts for refactoring
KVM: arm64: remove unused parameters and asm offsets
KVM: arm64: add accessors for kvm_cpu_context
KVM: arm64: COCCI: use_ctxt_access.cocci: use kvm_cpu_context
accessors
KVM: arm64: COCCI: add_ctxt.cocci use_ctxt.cocci: reduce scope of
functions to kvm_cpu_ctxt
KVM: arm64: add hypervisor state accessors
KVM: arm64: COCCI: vcpu_hyp_accessors.cocci: use accessors for
hypervisor state vcpu variables
KVM: arm64: Add accessors for hypervisor state in kvm_vcpu_arch
KVM: arm64: create and use a new vcpu_hyp_state struct
KVM: arm64: COCCI: add_hypstate.cocci use_hypstate.cocci: Reduce scope
of functions to hyp_state
KVM: arm64: change function parameters to use kvm_cpu_ctxt and
hyp_state
KVM: arm64: reduce scope of vgic v2
KVM: arm64: COCCI: vgic3_cpu.cocci: reduce scope of vgic v3
KVM: arm64: reduce scope of vgic_v3 access parameters
KVM: arm64: access __hyp_running_vcpu via accessors only
KVM: arm64: reduce scope of __guest_exit to only depend on
kvm_cpu_context
KVM: arm64: change calls of get_loaded_vcpu to get_loaded_vcpu_ctxt
KVM: arm64: add __hyp_running_ctxt and __hyp_running_hyps
KVM: arm64: transition code to __hyp_running_ctxt and
__hyp_running_hyps
KVM: arm64: reduce scope of __guest_enter to depend only on
kvm_cpu_ctxt
KVM: arm64: COCCI: remove_unused.cocci: remove unused ctxt and
hypstate variables
KVM: arm64: remove unused functions
KVM: arm64: separate kvm_run() for protected VMs
KVM: arm64: pVM activate_traps to use vcpu_ctxt and vcpu_hyp_state
KVM: arm64: remove unsupported pVM features
KVM: arm64: reduce scope of pVM fixup_guest_exit to hyp_state and
kvm_cpu_ctxt
[DONOTMERGE] Remove Coccinelle scripts added for refactoring
[DONOTMERGE] Re-enable warnings
arch/arm64/include/asm/kvm_asm.h | 33 ++-
arch/arm64/include/asm/kvm_emulate.h | 292 ++++++++++++++++-----
arch/arm64/include/asm/kvm_host.h | 110 ++++++--
arch/arm64/include/asm/kvm_hyp.h | 14 +-
arch/arm64/kernel/asm-offsets.c | 7 +-
arch/arm64/kvm/arm.c | 2 +-
arch/arm64/kvm/debug.c | 28 +-
arch/arm64/kvm/fpsimd.c | 22 +-
arch/arm64/kvm/guest.c | 30 +--
arch/arm64/kvm/handle_exit.c | 8 +-
arch/arm64/kvm/hyp/aarch32.c | 26 +-
arch/arm64/kvm/hyp/entry.S | 23 +-
arch/arm64/kvm/hyp/exception.c | 113 ++++----
arch/arm64/kvm/hyp/hyp-entry.S | 8 +-
arch/arm64/kvm/hyp/include/hyp/adjust_pc.h | 26 +-
arch/arm64/kvm/hyp/include/hyp/debug-sr.h | 6 +-
arch/arm64/kvm/hyp/include/hyp/switch.h | 101 ++++---
arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h | 43 +--
arch/arm64/kvm/hyp/nvhe/debug-sr.c | 8 +-
arch/arm64/kvm/hyp/nvhe/host.S | 4 +-
arch/arm64/kvm/hyp/nvhe/switch.c | 155 ++++++++---
arch/arm64/kvm/hyp/nvhe/timer-sr.c | 4 +-
arch/arm64/kvm/hyp/vgic-v2-cpuif-proxy.c | 32 ++-
arch/arm64/kvm/hyp/vgic-v3-sr.c | 242 +++++++++++------
arch/arm64/kvm/hyp/vhe/switch.c | 40 +--
arch/arm64/kvm/hyp/vhe/sysreg-sr.c | 3 +-
arch/arm64/kvm/inject_fault.c | 10 +-
arch/arm64/kvm/reset.c | 16 +-
arch/arm64/kvm/sys_regs.c | 4 +-
29 files changed, 951 insertions(+), 459 deletions(-)
base-commit: 6d53b3be3b9be497fbe054f35154f508deac729c
--
2.33.0.685.g46640cef36-goog
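The scope reduction the cover letter describes, as an added illustration that is not code from this series or from the kernel: a function that takes the whole host-owned `struct kvm_vcpu` is rewritten to take only `kvm_cpu_context` and `vcpu_hyp_state`, which lets the hypervisor run a protected vcpu from its own private copy of just those two pieces. All struct layouts, field names, flag values and the `vcpu_ctxt`/`vcpu_hyps`/`hyp_pvcpu_*` helpers are constructed stand-ins chosen for the example, not the kernel's definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t u64;

/* Constructed stand-ins for the KVM structures named in the cover letter.
 * Layouts are illustrative only, not the kernel's. */
struct user_pt_regs { u64 regs[31]; u64 sp; u64 pc; u64 pstate; };

/* kvm_cpu_ctxt: the guest register context most hyp code actually needs. */
struct kvm_cpu_context {
	struct user_pt_regs regs;
	u64 sys_regs[32];	/* constructed subset */
};

/* vcpu_hyp_state: the few hypervisor-owned per-vcpu variables. */
struct vcpu_hyp_state {
	u64 hcr_el2;
	u64 mdcr_el2;
	u64 flags;
};

/* The host-created vcpu: context + hyp state + everything else the host
 * keeps (modelled here as an opaque blob the hypervisor never needs). */
struct kvm_vcpu_arch {
	struct kvm_cpu_context ctxt;
	struct vcpu_hyp_state hyp_state;
	unsigned char host_only[8192];
};
struct kvm_vcpu { int vcpu_id; struct kvm_vcpu_arch arch; };

/* Accessors in the spirit of the series' "add accessors" patches (hypothetical names). */
static inline struct kvm_cpu_context *vcpu_ctxt(struct kvm_vcpu *vcpu) { return &vcpu->arch.ctxt; }
static inline struct vcpu_hyp_state *vcpu_hyps(struct kvm_vcpu *vcpu) { return &vcpu->arch.hyp_state; }

#define HCR_VM   (1ULL << 0)	/* constructed flag values */
#define HCR_SWIO (1ULL << 1)
#define PSR_AA32 (1ULL << 4)

/* Before: takes the whole vcpu although it only touches the register
 * context and the hyp state. */
static u64 hcr_for_guest_before(struct kvm_vcpu *vcpu)
{
	u64 hcr = vcpu->arch.hyp_state.hcr_el2 | HCR_VM;
	if (vcpu->arch.ctxt.regs.pstate & PSR_AA32)
		hcr |= HCR_SWIO;
	return hcr;
}

/* After: scope reduced to kvm_cpu_context + vcpu_hyp_state, the two pieces
 * the hypervisor can keep in a copy the host cannot reach. */
static u64 hcr_for_guest(const struct kvm_cpu_context *ctxt,
			 const struct vcpu_hyp_state *hyps)
{
	u64 hcr = hyps->hcr_el2 | HCR_VM;
	if (ctxt->regs.pstate & PSR_AA32)
		hcr |= HCR_SWIO;
	return hcr;
}

/* Hypervisor-private per-vcpu copy for a protected VM: only the two reduced
 * structures, not the whole host-owned kvm_vcpu. */
struct hyp_pvcpu {
	struct kvm_cpu_context ctxt;
	struct vcpu_hyp_state hyps;
};

/* Populate the hyp copy from the host vcpu once; afterwards hyp runs the
 * guest only from this copy and ignores the host's structure. */
static void hyp_pvcpu_init(struct hyp_pvcpu *p, struct kvm_vcpu *host_vcpu)
{
	p->ctxt = *vcpu_ctxt(host_vcpu);
	p->hyps = *vcpu_hyps(host_vcpu);
}

/* One simulated guest "run" step on the private copy: compute the HCR_EL2
 * value that would be programmed and advance pc. Nothing here reads or
 * writes the host's kvm_vcpu, so host changes after init cannot influence
 * what hyp uses. Returns the computed HCR_EL2 value. */
static u64 hyp_pvcpu_run_step(struct hyp_pvcpu *p)
{
	u64 hcr = hcr_for_guest(&p->ctxt, &p->hyps);
	p->ctxt.regs.pc += 4;
	return hcr;
}

/* Bytes hyp must keep per protected vcpu versus the full host vcpu. */
static size_t hyp_private_bytes(void) { return sizeof(struct hyp_pvcpu); }
static size_t host_vcpu_bytes(void)   { return sizeof(struct kvm_vcpu); }

int main(void)
{
	struct kvm_vcpu host;
	struct hyp_pvcpu p;

	memset(&host, 0, sizeof(host));
	host.arch.hyp_state.hcr_el2 = 0x100;	/* constructed sample state */
	host.arch.ctxt.regs.pstate = PSR_AA32;
	host.arch.ctxt.regs.pc = 0x8000;

	hyp_pvcpu_init(&p, &host);
	host.arch.hyp_state.hcr_el2 = 0;	/* host rewrites its copy after handoff */

	printf("before=%#llx after=%#llx hyp copy=%zu bytes, host vcpu=%zu bytes\n",
	       (unsigned long long)hcr_for_guest_before(&host),
	       (unsigned long long)hyp_pvcpu_run_step(&p),
	       hyp_private_bytes(), host_vcpu_bytes());
	return 0;
}
```

The point of the split is visible in `hcr_for_guest`: once a function's parameters name only `kvm_cpu_context` and `vcpu_hyp_state`, it can be called unchanged on the hypervisor's private copy, and the host's later write to its own `hcr_el2` has no effect on the value hyp programs. The same shape is what the COCCI patches in the series automate across many functions.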