From: Amit Daniel Kachhap <amit.kachhap@arm.com>
To: James Morse <james.morse@arm.com>
Cc: linux-arm-kernel@lists.infradead.org,
Marc Zyngier <marc.zyngier@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Kristina Martsenko <kristina.martsenko@arm.com>,
kvmarm@lists.cs.columbia.edu,
Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>,
Dave Martin <Dave.Martin@arm.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 4/5] arm64/kvm: add a userspace option to enable pointer authentication
Date: Thu, 14 Feb 2019 16:17:57 +0530 [thread overview]
Message-ID: <b462c85b-8312-f1f3-e0b1-d9dcc0f616b4@arm.com> (raw)
In-Reply-To: <1e3f2a9a-e3f7-bb06-495a-24f77a73cae0@arm.com>
Hi,
On 1/31/19 9:57 PM, James Morse wrote:
> Hi Amit,
>
> On 28/01/2019 06:58, Amit Daniel Kachhap wrote:
>> This feature will allow the KVM guest to allow the handling of
>> pointer authentication instructions or to treat them as undefined
>> if not set. It uses the existing vcpu API KVM_ARM_VCPU_INIT to
>> supply this parameter instead of creating a new API.
>>
>> A new register is not created to pass this parameter via
>> SET/GET_ONE_REG interface as just a flag (KVM_ARM_VCPU_PTRAUTH)
>> supplied is enough to enable this feature.
>
>
>> diff --git a/Documentation/arm64/pointer-authentication.txt
> b/Documentation/arm64/pointer-authentication.txt
>> index a25cd21..0529a7d 100644
>> --- a/Documentation/arm64/pointer-authentication.txt
>> +++ b/Documentation/arm64/pointer-authentication.txt
>> @@ -82,7 +82,8 @@ pointers).
>> Virtualization
>> --------------
>>
>> -Pointer authentication is not currently supported in KVM guests. KVM
>> -will mask the feature bits from ID_AA64ISAR1_EL1, and attempted use of
>> -the feature will result in an UNDEFINED exception being injected into
>> -the guest.
>> +Pointer authentication is enabled in KVM guest when virtual machine is
>> +created by passing a flag (KVM_ARM_VCPU_PTRAUTH)
>
> Isn't that a VCPU flag? Shouldn't this be when each VCPU is created?
Yes it is a VCPU flag.
>
>
>> requesting this feature
>> +to be enabled. Without this flag, pointer authentication is not enabled
>> +in KVM guests and attempted use of the feature will result in an UNDEFINED
>> +exception being injected into the guest.
>
> ... what happens if KVM's user-space enables ptrauth on some vcpus, but not on
> others?
Yes seems to be issue. Let me check more on this if there are other ways
of passing the userspace parameter such as in CREATE_VM type ioctl.
>
> You removed the id-register suppression in the previous patch, but it doesn't
> get hooked up to kvm_arm_vcpu_ptrauth_allowed() here. (you could add
> kvm_arm_vcpu_ptrauth_allowed() earlier, and default it to true to make it easier).
>
> Doesn't this mean that if the CPU supports pointer auth, but user-space doesn't
> specify this flag, the guest gets mysterious undef's whenever it tries to use
> the advertised feature?
Agree, ID registers should be masked when userspace disables it.
>
> (whether we support big/little virtual-machines is probably a separate issue,
> but the id registers need to be consistent with our trap-and-undef behaviour)
>
>
>> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
>> index c798d0c..4a6ec40 100644
>> --- a/arch/arm64/include/asm/kvm_host.h
>> +++ b/arch/arm64/include/asm/kvm_host.h
>> @@ -453,14 +453,15 @@ static inline bool kvm_arch_requires_vhe(void)
>>
>> void kvm_arm_vcpu_ptrauth_enable(struct kvm_vcpu *vcpu);
>> void kvm_arm_vcpu_ptrauth_disable(struct kvm_vcpu *vcpu);
>> +bool kvm_arm_vcpu_ptrauth_allowed(struct kvm_vcpu *vcpu);
>>
>> static inline void kvm_arm_vcpu_ptrauth_reset(struct kvm_vcpu *vcpu)
>> {
>> /* Disable ptrauth and use it in a lazy context via traps */
>> - if (has_vhe() && kvm_supports_ptrauth())
>> + if (has_vhe() && kvm_supports_ptrauth()
>> + && kvm_arm_vcpu_ptrauth_allowed(vcpu))
>> kvm_arm_vcpu_ptrauth_disable(vcpu);
>> }
>> -
>> void kvm_arm_vcpu_ptrauth_trap(struct kvm_vcpu *vcpu);
>>
>
>> diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
>> index 5b980e7..c0e5dcd 100644
>> --- a/arch/arm64/kvm/handle_exit.c
>> +++ b/arch/arm64/kvm/handle_exit.c
>> @@ -179,7 +179,8 @@ static int handle_sve(struct kvm_vcpu *vcpu, struct kvm_run *run)
>> */
>> void kvm_arm_vcpu_ptrauth_trap(struct kvm_vcpu *vcpu)
>> {
>> - if (has_vhe() && kvm_supports_ptrauth())
>> + if (has_vhe() && kvm_supports_ptrauth()
>> + && kvm_arm_vcpu_ptrauth_allowed(vcpu))
>
> Duplication. If has_vhe() moved into kvm_supports_ptrauth(), and
> kvm_supports_ptrauth() was called from kvm_arm_vcpu_ptrauth_allowed() it would
> be clearer that use of this feature was becoming user-controlled policy.
>
> (We don't need to list the dependencies at every call site)
ok.
>
>
>> diff --git a/arch/arm64/kvm/hyp/ptrauth-sr.c b/arch/arm64/kvm/hyp/ptrauth-sr.c
>> index 0576c01..369624f 100644
>> --- a/arch/arm64/kvm/hyp/ptrauth-sr.c
>> +++ b/arch/arm64/kvm/hyp/ptrauth-sr.c
>> @@ -42,3 +42,16 @@ void __no_ptrauth __hyp_text __ptrauth_switch_to_host(struct kvm_vcpu *vcpu,
>> ptrauth_keys_store((struct ptrauth_keys *) &guest_ctxt->sys_regs[APIAKEYLO_EL1]);
>> ptrauth_keys_switch((struct ptrauth_keys *) &host_ctxt->sys_regs[APIAKEYLO_EL1]);
>> }
>> +
>> +/**
>> + * kvm_arm_vcpu_ptrauth_allowed - checks if ptrauth feature is present in vcpu
>
> ('enabled by KVM's user-space' may be clearer. 'Present in vcpu' could be down
> to a cpufeature thing)
ok.
>
>
>> + *
>> + * @vcpu: The VCPU pointer
>> + *
>> + * This function will be used to enable/disable ptrauth in guest as configured
>
> ... but it just tests the bit ...
>
>> + * by the KVM userspace API.
>> + */
>> +bool kvm_arm_vcpu_ptrauth_allowed(struct kvm_vcpu *vcpu)
>> +{
>> + return test_bit(KVM_ARM_VCPU_PTRAUTH, vcpu->arch.features);
>> +}
>
>
> Thanks,
>
> James
>
//Amit
next prev parent reply other threads:[~2019-02-14 10:48 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-28 6:58 [PATCH v5 0/6] Add ARMv8.3 pointer authentication for kvm guest Amit Daniel Kachhap
2019-01-28 6:58 ` [PATCH v5 1/5] arm64: Add utilities to save restore pointer authentication keys Amit Daniel Kachhap
2019-01-31 16:20 ` James Morse
2019-02-13 17:32 ` Kristina Martsenko
2019-02-14 10:53 ` Amit Daniel Kachhap
2019-01-28 6:58 ` [PATCH v5 2/5] arm64/kvm: preserve host HCR_EL2/MDCR_EL2 value Amit Daniel Kachhap
2019-01-31 16:22 ` James Morse
2019-02-14 9:49 ` Amit Daniel Kachhap
2019-02-13 17:34 ` Kristina Martsenko
2019-02-14 11:03 ` Amit Daniel Kachhap
2019-02-15 15:50 ` Kristina Martsenko
2019-01-28 6:58 ` [PATCH v5 3/5] arm64/kvm: context-switch ptrauth registers Amit Daniel Kachhap
2019-01-28 14:25 ` Julien Thierry
2019-01-31 16:25 ` [PATCH v5 3/5] arm64/kvm: context-switch ptrauth register James Morse
2019-02-13 17:35 ` Kristina Martsenko
2019-02-15 4:00 ` Amit Daniel Kachhap
2019-02-14 10:16 ` Amit Daniel Kachhap
2019-02-13 17:34 ` [PATCH v5 3/5] arm64/kvm: context-switch ptrauth registers Kristina Martsenko
2019-02-14 11:06 ` Amit Daniel Kachhap
2019-01-28 6:58 ` [PATCH v5 4/5] arm64/kvm: add a userspace option to enable pointer authentication Amit Daniel Kachhap
2019-01-28 14:35 ` Julien Thierry
2019-01-31 16:27 ` James Morse
2019-02-14 10:47 ` Amit Daniel Kachhap [this message]
2019-02-13 17:35 ` Kristina Martsenko
2019-02-15 4:49 ` Amit Daniel Kachhap
2019-01-28 6:58 ` [PATCH v5 5/5] arm64/kvm: control accessibility of ptrauth key registers Amit Daniel Kachhap
2019-02-13 17:35 ` Kristina Martsenko
2019-02-13 17:54 ` Dave P Martin
2019-02-15 4:57 ` Amit Daniel Kachhap
2019-01-28 6:58 ` [kvmtool PATCH v5 6/6] arm/kvm: arm64: Add a vcpu feature for pointer authentication Amit Daniel Kachhap
2019-01-28 14:56 ` Julien Thierry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b462c85b-8312-f1f3-e0b1-d9dcc0f616b4@arm.com \
--to=amit.kachhap@arm.com \
--cc=Dave.Martin@arm.com \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=kristina.martsenko@arm.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=ramana.radhakrishnan@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).