From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Sean Christopherson <seanjc@google.com>,
Jim Mattson <jmattson@google.com>
Cc: David Rientjes <rientjes@google.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"Kleen, Andi" <andi.kleen@intel.com>,
"Yamahata, Isaku" <isaku.yamahata@intel.com>,
x86@kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: [RFCv1 2/7] x86/kvm: Introduce KVM memory protection feature
Date: Fri, 2 Apr 2021 18:26:40 +0300 [thread overview]
Message-ID: <20210402152645.26680-3-kirill.shutemov@linux.intel.com> (raw)
In-Reply-To: <20210402152645.26680-1-kirill.shutemov@linux.intel.com>
Provide basic helpers, KVM_FEATURE, CPUID flag and a hypercall.
Host side doesn't provide the feature yet, so it is a dead code for now.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
---
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/kvm_para.h | 5 +++++
arch/x86/include/uapi/asm/kvm_para.h | 3 ++-
arch/x86/kernel/kvm.c | 18 ++++++++++++++++++
include/uapi/linux/kvm_para.h | 3 ++-
5 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 84b887825f12..5b6f23e6edc4 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -238,6 +238,7 @@
#define X86_FEATURE_VMW_VMMCALL ( 8*32+19) /* "" VMware prefers VMMCALL hypercall instruction */
#define X86_FEATURE_SEV_ES ( 8*32+20) /* AMD Secure Encrypted Virtualization - Encrypted State */
#define X86_FEATURE_VM_PAGE_FLUSH ( 8*32+21) /* "" VM Page Flush MSR is supported */
+#define X86_FEATURE_KVM_MEM_PROTECTED ( 8*32+22) /* KVM memory protection extenstion */
/* Intel-defined CPU features, CPUID level 0x00000007:0 (EBX), word 9 */
#define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* RDFSBASE, WRFSBASE, RDGSBASE, WRGSBASE instructions*/
diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h
index 338119852512..74aea18f3130 100644
--- a/arch/x86/include/asm/kvm_para.h
+++ b/arch/x86/include/asm/kvm_para.h
@@ -11,11 +11,16 @@ extern void kvmclock_init(void);
#ifdef CONFIG_KVM_GUEST
bool kvm_check_and_clear_guest_paused(void);
+bool kvm_mem_protected(void);
#else
static inline bool kvm_check_and_clear_guest_paused(void)
{
return false;
}
+static inline bool kvm_mem_protected(void)
+{
+ return false;
+}
#endif /* CONFIG_KVM_GUEST */
#define KVM_HYPERCALL \
diff --git a/arch/x86/include/uapi/asm/kvm_para.h b/arch/x86/include/uapi/asm/kvm_para.h
index 950afebfba88..8d32c41861c9 100644
--- a/arch/x86/include/uapi/asm/kvm_para.h
+++ b/arch/x86/include/uapi/asm/kvm_para.h
@@ -28,11 +28,12 @@
#define KVM_FEATURE_PV_UNHALT 7
#define KVM_FEATURE_PV_TLB_FLUSH 9
#define KVM_FEATURE_ASYNC_PF_VMEXIT 10
-#define KVM_FEATURE_PV_SEND_IPI 11
+#define KVM_FEATURE_PV_SEND_IPI 11
#define KVM_FEATURE_POLL_CONTROL 12
#define KVM_FEATURE_PV_SCHED_YIELD 13
#define KVM_FEATURE_ASYNC_PF_INT 14
#define KVM_FEATURE_MSI_EXT_DEST_ID 15
+#define KVM_FEATURE_MEM_PROTECTED 16
#define KVM_HINTS_REALTIME 0
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index 5e78e01ca3b4..e6989e1b74eb 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -39,6 +39,13 @@
#include <asm/ptrace.h>
#include <asm/svm.h>
+static bool mem_protected;
+
+bool kvm_mem_protected(void)
+{
+ return mem_protected;
+}
+
DEFINE_STATIC_KEY_FALSE(kvm_async_pf_enabled);
static int kvmapf = 1;
@@ -749,6 +756,17 @@ static void __init kvm_init_platform(void)
{
kvmclock_init();
x86_platform.apic_post_init = kvm_apic_init;
+
+ if (kvm_para_has_feature(KVM_FEATURE_MEM_PROTECTED)) {
+ if (kvm_hypercall0(KVM_HC_ENABLE_MEM_PROTECTED)) {
+ pr_err("Failed to enable KVM memory protection\n");
+ return;
+ }
+
+ pr_info("KVM memory protection enabled\n");
+ mem_protected = true;
+ setup_force_cpu_cap(X86_FEATURE_KVM_MEM_PROTECTED);
+ }
}
#if defined(CONFIG_AMD_MEM_ENCRYPT)
diff --git a/include/uapi/linux/kvm_para.h b/include/uapi/linux/kvm_para.h
index 8b86609849b9..1a216f32e572 100644
--- a/include/uapi/linux/kvm_para.h
+++ b/include/uapi/linux/kvm_para.h
@@ -27,8 +27,9 @@
#define KVM_HC_MIPS_EXIT_VM 7
#define KVM_HC_MIPS_CONSOLE_OUTPUT 8
#define KVM_HC_CLOCK_PAIRING 9
-#define KVM_HC_SEND_IPI 10
+#define KVM_HC_SEND_IPI 10
#define KVM_HC_SCHED_YIELD 11
+#define KVM_HC_ENABLE_MEM_PROTECTED 12
/*
* hypercalls use architecture specific
--
2.26.3
next prev parent reply other threads:[~2021-04-02 15:27 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-02 15:26 [RFCv1 0/7] TDX and guest memory unmapping Kirill A. Shutemov
2021-04-02 15:26 ` [RFCv1 1/7] x86/mm: Move force_dma_unencrypted() to common code Kirill A. Shutemov
2021-04-02 15:26 ` Kirill A. Shutemov [this message]
2021-04-08 9:52 ` [RFCv1 2/7] x86/kvm: Introduce KVM memory protection feature Borislav Petkov
2021-04-09 13:36 ` Kirill A. Shutemov
2021-04-09 14:37 ` Borislav Petkov
2021-04-02 15:26 ` [RFCv1 3/7] x86/kvm: Make DMA pages shared Kirill A. Shutemov
2021-04-02 15:26 ` [RFCv1 4/7] x86/kvm: Use bounce buffers for KVM memory protection Kirill A. Shutemov
2021-04-02 15:26 ` [RFCv1 5/7] x86/kvmclock: Share hvclock memory with the host Kirill A. Shutemov
2021-04-02 15:26 ` [RFCv1 6/7] x86/realmode: Share trampoline area if KVM memory protection enabled Kirill A. Shutemov
2021-04-02 15:26 ` [RFCv1 7/7] KVM: unmap guest memory using poisoned pages Kirill A. Shutemov
2021-04-06 7:44 ` David Hildenbrand
2021-04-06 10:50 ` Kirill A. Shutemov
2021-04-06 14:33 ` Dave Hansen
2021-04-06 14:57 ` David Hildenbrand
2021-04-07 13:16 ` Kirill A. Shutemov
2021-04-07 13:31 ` Christophe de Dinechin
2021-04-07 14:09 ` Andi Kleen
2021-04-07 14:09 ` Andi Kleen
2021-04-07 14:09 ` David Hildenbrand
2021-04-07 14:36 ` Kirill A. Shutemov
2021-04-06 17:52 ` Tom Lendacky
2021-04-07 14:55 ` David Hildenbrand
2021-04-07 15:10 ` Andi Kleen
2021-04-07 15:10 ` Andi Kleen
2021-04-09 13:33 ` Kirill A. Shutemov
2021-04-09 13:50 ` David Hildenbrand
2021-04-09 14:12 ` Kirill A. Shutemov
2021-04-09 14:18 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210402152645.26680-3-kirill.shutemov@linux.intel.com \
--to=kirill@shutemov.name \
--cc=andi.kleen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=isaku.yamahata@intel.com \
--cc=jmattson@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.