2023-01-10 18:24:24

by Peter Gonda

Subject: [PATCH V6 0/7] KVM: selftests: Add simple SEV test

This patch series continues the work Michael Roth has done in supporting
SEV guests in selftests. It continues on top of the work Sean
Christopherson has sent to support ucalls from SEV guests. Along with a
very simple version of the SEV selftests Michael originally proposed.

V6
* Updated SEV VM create function based on Seanjc's feedback and new
changes to VM creation functions.
* Removed pte_me_mask based on feedback.
* Fixed s_bit usage based on TDX
* Fixed bugs and took Ackerley's code for enc_region setup code.

V5
* Rebase onto seanjc@'s latest ucall pool series.
* More review changes based on seanjc:
** use protected instead of encrypted outside of SEV specific files
** Swap memcrypt struct for kvm_vm_arch arch specific struct
** Make protected page table data agnostic of address bit stealing specifics
of SEV
** Further clean up for SEV library to just vm_sev_create_one_vcpu()
* Due to large changes moved more authorships from mroth@ to pgonda@. Gave
originally-by tags to mroth@ as suggested by Seanjc for this.

V4
* Rebase on top of seanjc@'s latest Ucall Pool series:
https://lore.kernel.org/linux-arm-kernel/[email protected]/
* Fix up review comments from seanjc
* Switch authorship on 2 patches because of significant changes, added
Michael as suggested-by or originally-by.

V3
* Addressed more of andrew.jones@ in ucall patches.
* Fix build in non-x86 archs.

V2
* Dropped RFC tag
* Correctly separated Sean's ucall patches into 2 as originally
intended.
* Addressed andrew.jones@ in ucall patches.
* Fixed ucall pool usage to work for other archs

V1
* https://lore.kernel.org/all/[email protected]/

Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Sean Christopherson <[email protected]>
Cc: Ackerley Tng <[email protected]>

Michael Roth (2):
KVM: selftests: sparsebit: add const where appropriate
KVM: selftests: add support for protected vm_vaddr_* allocations

Peter Gonda (5):
KVM: selftests: add hooks for managing protected guest memory
KVM: selftests: handle protected bits in page tables
KVM: selftests: add library for creating/interacting with SEV guests
KVM: selftests: Update ucall pool to allocate from shared memory
KVM: selftests: Add simple sev vm testing

tools/arch/arm64/include/asm/kvm_host.h | 7 +
tools/arch/riscv/include/asm/kvm_host.h | 7 +
tools/arch/s390/include/asm/kvm_host.h | 7 +
tools/arch/x86/include/asm/kvm_host.h | 14 +
tools/testing/selftests/kvm/.gitignore | 84 ++++++
tools/testing/selftests/kvm/Makefile | 4 +-
.../selftests/kvm/include/kvm_util_base.h | 49 +++-
.../testing/selftests/kvm/include/sparsebit.h | 36 +--
.../selftests/kvm/include/x86_64/processor.h | 1 +
.../selftests/kvm/include/x86_64/sev.h | 27 ++
tools/testing/selftests/kvm/lib/kvm_util.c | 66 ++++-
tools/testing/selftests/kvm/lib/sparsebit.c | 48 ++--
.../testing/selftests/kvm/lib/ucall_common.c | 2 +-
.../selftests/kvm/lib/x86_64/processor.c | 62 ++++-
tools/testing/selftests/kvm/lib/x86_64/sev.c | 254 ++++++++++++++++++
.../selftests/kvm/x86_64/sev_all_boot_test.c | 84 ++++++
16 files changed, 685 insertions(+), 67 deletions(-)
create mode 100644 tools/arch/arm64/include/asm/kvm_host.h
create mode 100644 tools/arch/riscv/include/asm/kvm_host.h
create mode 100644 tools/arch/s390/include/asm/kvm_host.h
create mode 100644 tools/arch/x86/include/asm/kvm_host.h
create mode 100644 tools/testing/selftests/kvm/include/x86_64/sev.h
create mode 100644 tools/testing/selftests/kvm/lib/x86_64/sev.c
create mode 100644 tools/testing/selftests/kvm/x86_64/sev_all_boot_test.c

--
2.39.0.314.g84b9a713c41-goog


2023-01-10 18:24:32

by Peter Gonda

Subject: [PATCH V6 2/7] KVM: selftests: add hooks for managing protected guest memory

Add kvm_vm.protected metadata. Protected VMs' memory, and potentially
register and other state, may not be accessible to KVM. This, combined
with a new protected_phy_pages bitmap, will allow the selftests to check
if a given page is accessible.

Cc: Paolo Bonzini <[email protected]>
Cc: Sean Christopherson <[email protected]>
Cc: Vishal Annapurve <[email protected]>
Cc: Ackerley Tng <[email protected]>
cc: Andrew Jones <[email protected]>
Originally-by: Michael Roth <[email protected]>
Signed-off-by: Peter Gonda <[email protected]>
---
.../selftests/kvm/include/kvm_util_base.h | 14 ++++++++++++--
tools/testing/selftests/kvm/lib/kvm_util.c | 16 +++++++++++++---
2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
index fbc2a79369b8..015b59a0b80e 100644
--- a/tools/testing/selftests/kvm/include/kvm_util_base.h
+++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
@@ -45,6 +45,7 @@ typedef uint64_t vm_vaddr_t; /* Virtual Machine (Guest) virtual address */
struct userspace_mem_region {
struct kvm_userspace_memory_region region;
struct sparsebit *unused_phy_pages;
+ struct sparsebit *protected_phy_pages;
int fd;
off_t offset;
enum vm_mem_backing_src_type backing_src_type;
@@ -111,6 +112,9 @@ struct kvm_vm {
vm_vaddr_t handlers;
uint32_t dirty_ring_size;

+ /* VM protection enabled: SEV, etc*/
+ bool protected;
+
/* Cache of information for binary stats interface */
int stats_fd;
struct kvm_stats_header stats_header;
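Review bot: nothing in this patch sets kvm_vm.protected, so once the field is added here every path that tests vm->protected still sees false. Say in the commit message which later patch sets it, or initialise it explicitly in the VM creation path, so the hooks are not read as dead code when this patch is looked at on its own. The comment `/* VM protection enabled: SEV, etc*/` also wants a space before the closing `*/`.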
@@ -679,10 +683,16 @@ const char *exit_reason_str(unsigned int exit_reason);

vm_paddr_t vm_phy_page_alloc(struct kvm_vm *vm, vm_paddr_t paddr_min,
uint32_t memslot);
-vm_paddr_t vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
- vm_paddr_t paddr_min, uint32_t memslot);
+vm_paddr_t _vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
+ vm_paddr_t paddr_min, uint32_t memslot, bool protected);
vm_paddr_t vm_alloc_page_table(struct kvm_vm *vm);

+static inline vm_paddr_t vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
+ vm_paddr_t paddr_min, uint32_t memslot)
+{
+ return _vm_phy_pages_alloc(vm, num, paddr_min, memslot, vm->protected);
+}
+
/*
* ____vm_create() does KVM_CREATE_VM and little else. __vm_create() also
* loads the test binary into guest memory and creates an IRQ chip (x86 only).
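Review bot: the static inline vm_phy_pages_alloc() wrapper passes vm->protected, so every existing caller gets protected pages as soon as the VM is marked protected, and the only way to obtain a host-accessible page is the underscore variant with the flag set to false. Add a short comment above the wrapper stating that default, and document the new bool on the _vm_phy_pages_alloc() declaration.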
diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
index 56d5ea949cbb..63913b219b42 100644
--- a/tools/testing/selftests/kvm/lib/kvm_util.c
+++ b/tools/testing/selftests/kvm/lib/kvm_util.c
@@ -663,6 +663,7 @@ static void __vm_mem_region_delete(struct kvm_vm *vm,
vm_ioctl(vm, KVM_SET_USER_MEMORY_REGION, &region->region);

sparsebit_free(&region->unused_phy_pages);
+ sparsebit_free(&region->protected_phy_pages);
ret = munmap(region->mmap_start, region->mmap_size);
TEST_ASSERT(!ret, __KVM_SYSCALL_ERROR("munmap()", ret));
if (region->fd >= 0) {
@@ -1010,6 +1011,7 @@ void vm_userspace_mem_region_add(struct kvm_vm *vm,

region->backing_src_type = src_type;
region->unused_phy_pages = sparsebit_alloc();
+ region->protected_phy_pages = sparsebit_alloc();
sparsebit_set_num(region->unused_phy_pages,
guest_paddr >> vm->page_shift, npages);
region->region.slot = slot;
@@ -1799,6 +1801,10 @@ void vm_dump(FILE *stream, struct kvm_vm *vm, uint8_t indent)
region->host_mem);
fprintf(stream, "%*sunused_phy_pages: ", indent + 2, "");
sparsebit_dump(stream, region->unused_phy_pages, 0);
+ if (vm->protected) {
+ fprintf(stream, "%*sprotected_phy_pages: ", indent + 2, "");
+ sparsebit_dump(stream, region->protected_phy_pages, 0);
+ }
}
fprintf(stream, "%*sMapped Virtual Pages:\n", indent, "");
sparsebit_dump(stream, vm->vpages_mapped, indent + 2);
@@ -1895,8 +1901,9 @@ const char *exit_reason_str(unsigned int exit_reason)
* and their base address is returned. A TEST_ASSERT failure occurs if
* not enough pages are available at or above paddr_min.
*/
-vm_paddr_t vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
- vm_paddr_t paddr_min, uint32_t memslot)
+vm_paddr_t _vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
+ vm_paddr_t paddr_min, uint32_t memslot,
+ bool protected)
{
struct userspace_mem_region *region;
sparsebit_idx_t pg, base;
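Review bot: the definition of _vm_phy_pages_alloc() gains a `bool protected` argument, but the function's header comment, whose tail is visible as context at the top of this hunk, is not touched. Add the parameter to the comment's argument list and say what happens to protected_phy_pages when it is true.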
@@ -1929,8 +1936,11 @@ vm_paddr_t vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
abort();
}

- for (pg = base; pg < base + num; ++pg)
+ for (pg = base; pg < base + num; ++pg) {
sparsebit_clear(region->unused_phy_pages, pg);
+ if (protected)
+ sparsebit_set(region->protected_phy_pages, pg);
+ }

return base * vm->page_size;
}
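Review bot: in the allocation loop the protected bit is only ever set; when `protected` is false the page's bit in protected_phy_pages is left as it was. If a page can return to unused_phy_pages and be handed out again as shared, a stale bit would mislabel it, so consider an else branch with sparsebit_clear(region->protected_phy_pages, pg). The commit message also says the bitmap lets the selftests check whether a page is accessible, yet the only reader added in this patch is vm_dump(); a small query helper would make that check usable.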
--
2.39.0.314.g84b9a713c41-goog

2023-01-10 18:24:47

by Peter Gonda

Subject: [PATCH V6 4/7] KVM: selftests: add support for protected vm_vaddr_* allocations

From: Michael Roth <[email protected]>

Test programs may wish to allocate shared vaddrs for things like
sharing memory with the guest. Since protected vms will have their
memory encrypted by default an interface is needed to explicitly
request shared pages.

Implement this by splitting the common code out from vm_vaddr_alloc()
and introducing a new vm_vaddr_alloc_shared().

Cc: Paolo Bonzini <[email protected]>
Cc: Sean Christopherson <[email protected]>
Cc: Vishal Annapurve <[email protected]>
Cc: Ackerley Tng <[email protected]>
cc: Andrew Jones <[email protected]>
Signed-off-by: Michael Roth <[email protected]>
Signed-off-by: Peter Gonda <[email protected]>
---
.../selftests/kvm/include/kvm_util_base.h | 1 +
tools/testing/selftests/kvm/lib/kvm_util.c | 21 +++++++++++++++----
2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
index f84d7777d5ca..5f3150ecfbbf 100644
--- a/tools/testing/selftests/kvm/include/kvm_util_base.h
+++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
@@ -435,6 +435,7 @@ vm_vaddr_t vm_vaddr_unused_gap(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_mi
vm_vaddr_t vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min);
vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
enum kvm_mem_region_type type);
+vm_vaddr_t vm_vaddr_alloc_shared(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min);
vm_vaddr_t vm_vaddr_alloc_pages(struct kvm_vm *vm, int nr_pages);
vm_vaddr_t __vm_vaddr_alloc_page(struct kvm_vm *vm,
enum kvm_mem_region_type type);
diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
index ba771c2d949d..0d0a7ad7632d 100644
--- a/tools/testing/selftests/kvm/lib/kvm_util.c
+++ b/tools/testing/selftests/kvm/lib/kvm_util.c
@@ -1305,15 +1305,17 @@ vm_vaddr_t vm_vaddr_unused_gap(struct kvm_vm *vm, size_t sz,
return pgidx_start * vm->page_size;
}

-vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
- enum kvm_mem_region_type type)
+static vm_vaddr_t ____vm_vaddr_alloc(struct kvm_vm *vm, size_t sz,
+ vm_vaddr_t vaddr_min,
+ enum kvm_mem_region_type type,
+ bool encrypt)
{
uint64_t pages = (sz >> vm->page_shift) + ((sz % vm->page_size) != 0);

virt_pgd_alloc(vm);
- vm_paddr_t paddr = vm_phy_pages_alloc(vm, pages,
+ vm_paddr_t paddr = _vm_phy_pages_alloc(vm, pages,
KVM_UTIL_MIN_PFN * vm->page_size,
- vm->memslots[type]);
+ vm->memslots[type], encrypt);

/*
* Find an unused range of virtual page addresses of at least
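Review bot: the new parameter of ____vm_vaddr_alloc() is named `encrypt`, while the callee it is forwarded to, _vm_phy_pages_alloc(), calls the same flag `protected`, and the V5 changelog asks for "protected" instead of "encrypted" outside SEV-specific files. Rename it to `protected` so the flag keeps one name along the call chain. Four leading underscores also make this helper hard to tell apart from __vm_vaddr_alloc() at a glance; a descriptive static name would read better.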
@@ -1333,6 +1335,17 @@ vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
return vaddr_start;
}

+vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
+ enum kvm_mem_region_type type)
+{
+ return ____vm_vaddr_alloc(vm, sz, vaddr_min, type, vm->protected);
+}
+
+vm_vaddr_t vm_vaddr_alloc_shared(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min)
+{
+ return ____vm_vaddr_alloc(vm, sz, vaddr_min, MEM_REGION_TEST_DATA, false);
+}
+
/*
* VM Virtual Address Allocate
*
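Review bot: vm_vaddr_alloc_shared() hard-codes MEM_REGION_TEST_DATA, whereas __vm_vaddr_alloc() directly above it takes the region type from the caller, so a shared allocation cannot be placed in any other memslot. Either take an `enum kvm_mem_region_type type` argument as the protected variant does, or state in a comment why test data is the only valid region. The new public function also has no header comment, unlike the "VM Virtual Address Allocate" block that follows it.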
--
2.39.0.314.g84b9a713c41-goog

2023-01-18 21:58:03

by Sean Christopherson

Subject: Re: [PATCH V6 0/7] KVM: selftests: Add simple SEV test

On Tue, Jan 10, 2023, Peter Gonda wrote:
> This patch series continues the work Michael Roth has done in supporting
> SEV guests in selftests. It continues on top of the work Sean
> Christopherson has sent to support ucalls from SEV guests. Along with a
> very simple version of the SEV selftests Michael originally proposed.

I got two copies of this series. AFAICT, the only difference is that LKML is
Cc'd on the second send. When resending an _identical_ series, e.g. because you
forgot to Cc someone or because mails got lost in transit, add RESEND in between
the square braces in the subject of all patches so as not to confuse folks that
get both (or multiple) copies.

2023-01-20 17:17:24

by Peter Gonda

Subject: Re: [PATCH V6 0/7] KVM: selftests: Add simple SEV test

On Wed, Jan 18, 2023 at 1:50 PM Sean Christopherson <[email protected]> wrote:
>
> On Tue, Jan 10, 2023, Peter Gonda wrote:
> > This patch series continues the work Michael Roth has done in supporting
> > SEV guests in selftests. It continues on top of the work Sean
> > Christopherson has sent to support ucalls from SEV guests. Along with a
> > very simple version of the SEV selftests Michael originally proposed.
>
> I got two copies of this series. AFAICT, the only difference is that LKML is
> Cc'd on the second send. When resending an _identical_ series, e.g. because you
> forgot to Cc someone or because mails got lost in transit, add RESEND in between
> the square braces in the subject of all patches so as not to confuse folks that
> get both (or multiple) copies.

Will do. My mistake, sorry.

2023-03-24 17:10:56

by Sean Christopherson

Subject: Re: [PATCH V6 2/7] KVM: selftests: add hooks for managing protected guest memory

On Tue, Jan 10, 2023, Peter Gonda wrote:
> Add kvm_vm.protected metadata. Protected VMs' memory, and potentially
> register and other state, may not be accessible to KVM. This, combined
> with a new protected_phy_pages bitmap, will allow the selftests to check
> if a given page is accessible.
>
> Cc: Paolo Bonzini <[email protected]>
> Cc: Sean Christopherson <[email protected]>
> Cc: Vishal Annapurve <[email protected]>
> Cc: Ackerley Tng <[email protected]>
> cc: Andrew Jones <[email protected]>
> Originally-by: Michael Roth <[email protected]>
> Signed-off-by: Peter Gonda <[email protected]>
> ---
> .../selftests/kvm/include/kvm_util_base.h | 14 ++++++++++++--
> tools/testing/selftests/kvm/lib/kvm_util.c | 16 +++++++++++++---
> 2 files changed, 25 insertions(+), 5 deletions(-)
>
> diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
> index fbc2a79369b8..015b59a0b80e 100644
> --- a/tools/testing/selftests/kvm/include/kvm_util_base.h
> +++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
> @@ -45,6 +45,7 @@ typedef uint64_t vm_vaddr_t; /* Virtual Machine (Guest) virtual address */
> struct userspace_mem_region {
> struct kvm_userspace_memory_region region;
> struct sparsebit *unused_phy_pages;
> + struct sparsebit *protected_phy_pages;
> int fd;
> off_t offset;
> enum vm_mem_backing_src_type backing_src_type;
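Review bot: the new protected_phy_pages member of struct userspace_mem_region carries no comment saying what a set bit means. It sits next to unused_phy_pages, where a set bit marks a free page, so a reader has to go to the allocator to learn the polarity here; a one-line comment on the field, stating that a set bit marks a page allocated as protected, would settle it.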
> @@ -111,6 +112,9 @@ struct kvm_vm {
> vm_vaddr_t handlers;
> uint32_t dirty_ring_size;
>
> + /* VM protection enabled: SEV, etc*/
> + bool protected;
> +
> /* Cache of information for binary stats interface */
> int stats_fd;
> struct kvm_stats_header stats_header;
> @@ -679,10 +683,16 @@ const char *exit_reason_str(unsigned int exit_reason);
>
> vm_paddr_t vm_phy_page_alloc(struct kvm_vm *vm, vm_paddr_t paddr_min,
> uint32_t memslot);
> -vm_paddr_t vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,
> - vm_paddr_t paddr_min, uint32_t memslot);
> +vm_paddr_t _vm_phy_pages_alloc(struct kvm_vm *vm, size_t num,

Two underscores please. Ignore the terrible precedent that has been set, we're
slowly purging that crud.

> + vm_paddr_t paddr_min, uint32_t memslot, bool protected);

Wrap, no strong justification for running long in this case since the declaration
has already wrapped, and the definition does wrap.

2023-03-24 17:46:19

by Sean Christopherson

Subject: Re: [PATCH V6 4/7] KVM: selftests: add support for protected vm_vaddr_* allocations

On Tue, Jan 10, 2023, Peter Gonda wrote:
> From: Michael Roth <[email protected]>
>
> Test programs may wish to allocate shared vaddrs for things like
> sharing memory with the guest. Since protected vms will have their
> memory encrypted by default an interface is needed to explicitly
> request shared pages.
>
> Implement this by splitting the common code out from vm_vaddr_alloc()
> and introducing a new vm_vaddr_alloc_shared().
>
> Cc: Paolo Bonzini <[email protected]>
> Cc: Sean Christopherson <[email protected]>
> Cc: Vishal Annapurve <[email protected]>
> Cc: Ackerley Tng <[email protected]>
> cc: Andrew Jones <[email protected]>
> Signed-off-by: Michael Roth <[email protected]>
> Signed-off-by: Peter Gonda <[email protected]>
> ---
> .../selftests/kvm/include/kvm_util_base.h | 1 +
> tools/testing/selftests/kvm/lib/kvm_util.c | 21 +++++++++++++++----
> 2 files changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
> index f84d7777d5ca..5f3150ecfbbf 100644
> --- a/tools/testing/selftests/kvm/include/kvm_util_base.h
> +++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
> @@ -435,6 +435,7 @@ vm_vaddr_t vm_vaddr_unused_gap(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_mi
> vm_vaddr_t vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min);
> vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
> enum kvm_mem_region_type type);
> +vm_vaddr_t vm_vaddr_alloc_shared(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min);

Wrap.

> vm_vaddr_t vm_vaddr_alloc_pages(struct kvm_vm *vm, int nr_pages);
> vm_vaddr_t __vm_vaddr_alloc_page(struct kvm_vm *vm,
> enum kvm_mem_region_type type);
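Review bot: only a size-based vm_vaddr_alloc_shared() is declared; the page-count helpers visible as context in this hunk, vm_vaddr_alloc_pages() and __vm_vaddr_alloc_page(), get no shared counterpart. If tests are expected to allocate single shared pages, add one; otherwise note in the commit message that the size-based call is the only shared entry point.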
> diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
> index ba771c2d949d..0d0a7ad7632d 100644
> --- a/tools/testing/selftests/kvm/lib/kvm_util.c
> +++ b/tools/testing/selftests/kvm/lib/kvm_util.c
> @@ -1305,15 +1305,17 @@ vm_vaddr_t vm_vaddr_unused_gap(struct kvm_vm *vm, size_t sz,
> return pgidx_start * vm->page_size;
> }
>
> -vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
> - enum kvm_mem_region_type type)
> +static vm_vaddr_t ____vm_vaddr_alloc(struct kvm_vm *vm, size_t sz,
> + vm_vaddr_t vaddr_min,
> + enum kvm_mem_region_type type,
> + bool encrypt)

s/encrypt/protected, or maybe mark_protected so that it's clear that it's a command.

> {
> uint64_t pages = (sz >> vm->page_shift) + ((sz % vm->page_size) != 0);
>
> virt_pgd_alloc(vm);
> - vm_paddr_t paddr = vm_phy_pages_alloc(vm, pages,
> + vm_paddr_t paddr = _vm_phy_pages_alloc(vm, pages,
> KVM_UTIL_MIN_PFN * vm->page_size,
> - vm->memslots[type]);
> + vm->memslots[type], encrypt);
>
> /*
> * Find an unused range of virtual page addresses of at least
> @@ -1333,6 +1335,17 @@ vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
> return vaddr_start;
> }
>
> +vm_vaddr_t __vm_vaddr_alloc(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min,
> + enum kvm_mem_region_type type)
> +{
> + return ____vm_vaddr_alloc(vm, sz, vaddr_min, type, vm->protected);
> +}
> +
> +vm_vaddr_t vm_vaddr_alloc_shared(struct kvm_vm *vm, size_t sz, vm_vaddr_t vaddr_min)
> +{
> + return ____vm_vaddr_alloc(vm, sz, vaddr_min, MEM_REGION_TEST_DATA, false);

This shouldn't be MEM_REGION_TEST_DATA, because then the ucall patches changes
from MEM_REGION_DATA to MEM_REGION_TEST_DATA, which I suspect will break ARM's
page_fault_test. So, we probably need to have vm_vaddr_alloc_shared() be a true
mirror of the non-shared version and take @type.

2023-03-24 19:07:15

by Sean Christopherson

Subject: Re: [PATCH V6 0/7] KVM: selftests: Add simple SEV test

On Tue, Jan 10, 2023, Peter Gonda wrote:
> This patch series continues the work Michael Roth has done in supporting
> SEV guests in selftests. It continues on top of the work Sean
> Christopherson has sent to support ucalls from SEV guests. Along with a
> very simple version of the SEV selftests Michael originally proposed.

...

> Michael Roth (2):
> KVM: selftests: sparsebit: add const where appropriate
> KVM: selftests: add support for protected vm_vaddr_* allocations
>
> Peter Gonda (5):
> KVM: selftests: add hooks for managing protected guest memory
> KVM: selftests: handle protected bits in page tables
> KVM: selftests: add library for creating/interacting with SEV guests
> KVM: selftests: Update ucall pool to allocate from shared memory
> KVM: selftests: Add simple sev vm testing

Lots of non-trivial feedback. To help move things along, I pushed a completely
untested (probably doesn't compile) branch to

https://github.com/sean-jc/linux/tree/x86/sev_selftests_for_peter

that has most of the feedback incorporated. Feel free to massage/rework things
as needed (and again, it needs testing+polishing), my goal is purely to avoid you
having to duplicate what I've already done as part of working through the review.