Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp1697764imj; Thu, 14 Feb 2019 10:29:29 -0800 (PST) X-Google-Smtp-Source: AHgI3IbId4u71kkw4m3gbCmfpgV51Xo1AHtlN9AsLi2OjTRUAfdHSjvwKXF6CUfZWNCLjbhbkJlD X-Received: by 2002:a17:902:bc3:: with SMTP id 61mr5665672plr.15.1550168969599; Thu, 14 Feb 2019 10:29:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550168969; cv=none; d=google.com; s=arc-20160816; b=xhzgCNsYtECgf1qLJbiyxqvdbsLtcju0n5+l2YQLUR3kjKfbpyCoduAbR44v+XKbMc XNwABdTeGIJUszq+PQQMhNlWxopr8heHE/rQyP1/IMss460libUmm5fcRmOsztkvEd7X XW64s1ll/4rkAQiFOep/tVizYKA93x4ZPt9CZSp38C9QNEV0fBxPMf6JUGQ13zQ+Dp7x 8uvJKIn7nnduzPAkk4OooraKMnzTlNrBokSSLuUXomoKj+kYg54AndYnGMlrw+MNaCKc TnZtiasm/OMQ7RjIM6B+Czb6KSWL7JaGM3/6cWFNWZsEEQztWtzwNWAHgBCB7jC/DZkt dZsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=CZZS1II3U2oud/6IFftvio1MRrABdVQ6zWhVMrPoiyk=; b=VRTei8aOxV+wCFVEvrFTvHc35Q0tBmCMY8/EWYN+GXVVdnQCugkYumvLbMGMw29Qer hUqZqX8WiPc0u4+9iLfdwagGd+8WVZitxZJiXWeTjVQuGuAVnhq6jlR+OW0AVow9DJTe KOG/+5/qO3OzvFb+U9MCgTELkYXFfNe9HBCJ6QPg4yupgiNcCqdc3lGYIXPWeMnl2I45 5+s1W0ub8MJBTP4z6fLwYrqFSbeajEc+imvsTYXdpS4LRCl3y+FpTQ0Ucb1l+i2NGYBq qdM0ZzBkH6wGzLL4q/HViYiuLBVFAEf3viVTz6i8rKGd70WMk0RpxYrENL/F1rT+xJ9i vGoQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 193si2997079pgc.220.2019.02.14.10.29.13; Thu, 14 Feb 2019 10:29:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726453AbfBNLGd (ORCPT + 99 others); Thu, 14 Feb 2019 06:06:33 -0500 Received: from foss.arm.com ([217.140.101.70]:41538 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726365AbfBNLGd (ORCPT ); Thu, 14 Feb 2019 06:06:33 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id AEFEFEBD; Thu, 14 Feb 2019 03:06:32 -0800 (PST) Received: from [10.162.0.144] (a075553-lin.blr.arm.com [10.162.0.144]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5E4253F575; Thu, 14 Feb 2019 03:06:29 -0800 (PST) Subject: Re: [PATCH v5 3/5] arm64/kvm: context-switch ptrauth registers To: Kristina Martsenko , linux-arm-kernel@lists.infradead.org Cc: Christoffer Dall , Marc Zyngier , Catalin Marinas , Will Deacon , Andrew Jones , Dave Martin , Ramana Radhakrishnan , kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, Mark Rutland References: <1548658727-14271-1-git-send-email-amit.kachhap@arm.com> <1548658727-14271-4-git-send-email-amit.kachhap@arm.com> <0a2df488-a80d-ef08-6241-7f4695f2a578@arm.com> From: Amit Daniel Kachhap Message-ID: Date: Thu, 14 Feb 2019 16:36:27 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <0a2df488-a80d-ef08-6241-7f4695f2a578@arm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 2/13/19 11:04 PM, Kristina Martsenko wrote: > Hi Amit, > > (Please always Cc: everyone who commented on previous versions of the > series.) > > On 28/01/2019 06:58, Amit Daniel Kachhap wrote: >> When pointer authentication is supported, a guest may wish to use it. >> This patch adds the necessary KVM infrastructure for this to work, with >> a semi-lazy context switch of the pointer auth state. >> >> Pointer authentication feature is only enabled when VHE is built >> into the kernel and present into CPU implementation so only VHE code >> paths are modified. >> >> When we schedule a vcpu, we disable guest usage of pointer >> authentication instructions and accesses to the keys. While these are >> disabled, we avoid context-switching the keys. When we trap the guest >> trying to use pointer authentication functionality, we change to eagerly >> context-switching the keys, and enable the feature. The next time the >> vcpu is scheduled out/in, we start again. >> >> Pointer authentication consists of address authentication and generic >> authentication, and CPUs in a system might have varied support for >> either. Where support for either feature is not uniform, it is hidden >> from guests via ID register emulation, as a result of the cpufeature >> framework in the host. >> >> Unfortunately, address authentication and generic authentication cannot >> be trapped separately, as the architecture provides a single EL2 trap >> covering both. If we wish to expose one without the other, we cannot >> prevent a (badly-written) guest from intermittently using a feature >> which is not uniformly supported (when scheduled on a physical CPU which >> supports the relevant feature). When the guest is scheduled on a >> physical CPU lacking the feature, these attempts will result in an UNDEF >> being taken by the guest. > > [...] > >> /* >> + * Handle the guest trying to use a ptrauth instruction, or trying to access a >> + * ptrauth register. >> + */ >> +void kvm_arm_vcpu_ptrauth_trap(struct kvm_vcpu *vcpu) >> +{ >> + if (has_vhe() && kvm_supports_ptrauth()) >> + kvm_arm_vcpu_ptrauth_enable(vcpu); >> + else >> + kvm_inject_undefined(vcpu); >> +} >> + >> +/* >> * Guest usage of a ptrauth instruction (which the guest EL1 did not turn into >> - * a NOP). >> + * a NOP), or guest EL1 access to a ptrauth register. > > Doesn't guest EL1 access of ptrauth registers go through trap_ptrauth > instead? Yes you are right. > >> */ >> static int kvm_handle_ptrauth(struct kvm_vcpu *vcpu, struct kvm_run *run) >> { >> - /* >> - * We don't currently support ptrauth in a guest, and we mask the ID >> - * registers to prevent well-behaved guests from trying to make use of >> - * it. >> - * >> - * Inject an UNDEF, as if the feature really isn't present. >> - */ >> - kvm_inject_undefined(vcpu); >> + kvm_arm_vcpu_ptrauth_trap(vcpu); >> return 1; >> } >> > > [...] > >> +static __always_inline bool __hyp_text __ptrauth_is_enabled(struct kvm_vcpu *vcpu) >> +{ >> + return IS_ENABLED(CONFIG_ARM64_PTR_AUTH) && >> + vcpu->arch.ctxt.hcr_el2 & (HCR_API | HCR_APK); >> +} >> + >> +void __no_ptrauth __hyp_text __ptrauth_switch_to_guest(struct kvm_vcpu *vcpu, >> + struct kvm_cpu_context *host_ctxt, >> + struct kvm_cpu_context *guest_ctxt) >> +{ >> + if (!__ptrauth_is_enabled(vcpu)) >> + return; >> + >> + ptrauth_keys_store((struct ptrauth_keys *) &host_ctxt->sys_regs[APIAKEYLO_EL1]); >> + ptrauth_keys_switch((struct ptrauth_keys *) &guest_ctxt->sys_regs[APIAKEYLO_EL1]); >> +} >> + >> +void __no_ptrauth __hyp_text __ptrauth_switch_to_host(struct kvm_vcpu *vcpu, > > We don't call this code in the !VHE case anymore, so are the __hyp_text > annotations still needed? Yes they can be removed. > >> + struct kvm_cpu_context *host_ctxt, >> + struct kvm_cpu_context *guest_ctxt) >> +{ >> + if (!__ptrauth_is_enabled(vcpu)) >> + return; >> + >> + ptrauth_keys_store((struct ptrauth_keys *) &guest_ctxt->sys_regs[APIAKEYLO_EL1]); >> + ptrauth_keys_switch((struct ptrauth_keys *) &host_ctxt->sys_regs[APIAKEYLO_EL1]); >> +} > > [...] > >> @@ -1040,14 +1066,6 @@ static u64 read_id_reg(struct sys_reg_desc const *r, bool raz) >> kvm_debug("SVE unsupported for guests, suppressing\n"); >> >> val &= ~(0xfUL << ID_AA64PFR0_SVE_SHIFT); >> - } else if (id == SYS_ID_AA64ISAR1_EL1) { >> - const u64 ptrauth_mask = (0xfUL << ID_AA64ISAR1_APA_SHIFT) | >> - (0xfUL << ID_AA64ISAR1_API_SHIFT) | >> - (0xfUL << ID_AA64ISAR1_GPA_SHIFT) | >> - (0xfUL << ID_AA64ISAR1_GPI_SHIFT); >> - if (val & ptrauth_mask) >> - kvm_debug("ptrauth unsupported for guests, suppressing\n"); >> - val &= ~ptrauth_mask; > > If all CPUs support address authentication, but no CPUs support generic > authentication, then I think the guest will still see address auth in > the ID register and try to use it, but since kvm_supports_ptrauth() == > false, then kvm will enable trapping and inject an undef. So I think we > still need to zero the ID register bits here if !kvm_supports_ptrauth(). Yes even James Morse suggested same thing. > > In the following patch, I think we also need to zero the bits if > !kvm_arm_vcpu_ptrauth_allowed(), as done in v4 [1], because otherwise > the guest will see that ptrauth is available, but will receive an undef > when it tries to use it. ok. > > Regarding the patch in v4, most of the work is passing the vcpu down to > read_id_reg(). Dave has a similar patch in his SVE series [2]. I think > it might make sense to rebase onto that patch and mention that patch as > a dependency in the cover letter. Yes it is helpful. Will check it. //Amit D > > [1] https://lore.kernel.org/linux-arm-kernel/1545119810-12182-5-git-send-email-amit.kachhap@arm.com/ > [2] https://lore.kernel.org/linux-arm-kernel/1547757219-19439-11-git-send-email-Dave.Martin@arm.com/ > > Thanks, > Kristina >