From: Florent Revest
To: linux-arm-kernel@lists.infradead.org
Cc: matt@codeblueprint.co.uk, ard.biesheuvel@linaro.org, pbonzini@redhat.com,
    rkrcmar@redhat.com, christoffer.dall@linaro.org, catalin.marinas@arm.com,
    will.deacon@arm.com, mark.rutland@arm.com, marc.zyngier@arm.com,
    linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
    kvmarm@lists.cs.columbia.edu, leif.lindholm@arm.com, revestflo@gmail.com,
    Florent Revest
Subject: [RFC 00/11] KVM, EFI, arm64: EFI Runtime Services Sandboxing
Date: Fri, 25 Aug 2017 09:31:30 +0100
Message-Id: <1503649901-5834-1-git-send-email-florent.revest@arm.com>
X-Mailer: git-send-email 1.9.1

Hi,

This series implements a mechanism to sandbox EFI Runtime Services on arm64.
It can be enabled with CONFIG_EFI_SANDBOX. At boot it spawns an internal KVM
virtual machine that is run every time an EFI Runtime Service is called. This
limits the possible security and stability impact of EFI runtime on the kernel.

The patch set is split as follows:
 - Patches 1 and 2: Give more control over HVC handling to KVM
 - Patches 3 to 6: Introduce the concept of KVM "internal VMs"
 - Patches 7 to 9: Reorder KVM and EFI initialization on ARM
 - Patch 10: Introduces the EFI sandboxing VM and wrappers
 - Patch 11: Works around some EFI Runtime Services relying on EL3

The sandboxing has been tested to work reliably (rtc and efivars) on a
SoftIron OverDrive 1000 box and on an ARMv8.3 model with VHE enabled. Normal
userspace KVM instances have also been tested to still work correctly.

Those patches apply cleanly on Linus' v4.13-rc6 tag and have no other
dependencies.

Florent Revest (11):
  arm64: Add an SMCCC function IDs header
  KVM: arm64: Return an Unknown ID on unhandled HVC
  KVM: Allow VM lifecycle management without userspace
  KVM, arm, arm64: Offer PAs to IPAs idmapping to internal VMs
  KVM: Expose VM/VCPU creation functions
  KVM, arm64: Expose a VCPU initialization function
  KVM: Allow initialization before the module target
  KVM, arm, arm64: Initialize KVM's core earlier
  EFI, arm, arm64: Enable EFI Runtime Services later
  efi, arm64: Sandbox Runtime Services in a VM
  KVM, arm64: Don't trap internal VMs SMC calls

 arch/arm/include/asm/efi.h                 |   7 +
 arch/arm/include/asm/kvm_coproc.h          |   3 +
 arch/arm/include/asm/kvm_host.h            |   1 +
 arch/arm/include/asm/kvm_psci.h            |   1 +
 arch/arm/kvm/coproc.c                      |   6 +
 arch/arm/kvm/coproc_a15.c                  |   3 +-
 arch/arm/kvm/coproc_a7.c                   |   3 +-
 arch/arm64/include/asm/efi.h               |  71 ++++
 arch/arm64/include/asm/kvm_emulate.h       |   3 +
 arch/arm64/include/asm/kvm_host.h          |   4 +
 arch/arm64/include/asm/kvm_psci.h          |   1 +
 arch/arm64/kernel/asm-offsets.c            |   3 +
 arch/arm64/kvm/handle_exit.c               |  27 +-
 arch/arm64/kvm/sys_regs_generic_v8.c       |   8 +-
 arch/x86/include/asm/efi.h                 |   2 +
 drivers/firmware/efi/Kconfig               |  10 +
 drivers/firmware/efi/Makefile              |   1 +
 drivers/firmware/efi/arm-runtime.c         |   5 +-
 drivers/firmware/efi/arm-sandbox-payload.S |  96 +++++
 drivers/firmware/efi/arm-sandbox.c         | 569 +++++++++++++++++++++++++++++
 drivers/firmware/efi/efi.c                 |   3 +
 include/linux/kvm_host.h                   |   4 +
 include/linux/smccc_fn.h                   |  53 +++
 include/uapi/linux/psci.h                  |   2 +
 virt/kvm/arm/arm.c                         |  18 +-
 virt/kvm/arm/mmu.c                         |  76 +++-
 virt/kvm/arm/psci.c                        |  21 ++
 virt/kvm/kvm_main.c                        | 102 ++++--
 28 files changed, 1050 insertions(+), 53 deletions(-)
 create mode 100644 drivers/firmware/efi/arm-sandbox-payload.S
 create mode 100644 drivers/firmware/efi/arm-sandbox.c
 create mode 100644 include/linux/smccc_fn.h

--
1.9.1