Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp449722img; Thu, 21 Mar 2019 01:31:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqylef6PTd3lM2gz5jJlDpRx7dqCU5UhXm+VTK+dXflI5P8I+RbSSiB4ddnxysC8YPFs2odJ X-Received: by 2002:a62:1881:: with SMTP id 123mr2130939pfy.25.1553157061653; Thu, 21 Mar 2019 01:31:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553157061; cv=none; d=google.com; s=arc-20160816; b=I4pZ/kVJr7Z+cUd+PgfKBhTd4eGw8kRPMRC21NInJN67LrgHZvywLodJWHPFgjJYh4 M8ENguKJ5ZxrwUzw9jyvun6JRHslRQivNmYlFMEV8fBdMBfvMAUN6KEJnUlgH7xmy0hG YsCCikno1YTH4vlxIHLZR/gqPDn2Fy+lp01qhZRTYRzQWTNrRClTqNpUpBFxcp/taQMd iz42Z6L1ZMhNfv9DdKAY/BfIu6s7CawlxePRoWM4rPFTDeUZKhqI4/CU4aR96Rq5K5Ry wm+NnkgC2tdAWoSAGvZMBpkeJx5UBgopQuWR5+oXXif8pc4XUvQLw9gB7vCoWdLaIIW3 DpMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=GhDdN4bMXSOzsPAdNF1ry6Fmy4t3JDHmsll9NtumgHk=; b=FUe11mSBP1/EJP2fxoaxSVPxwhvHruxQpZPW1o5QCeSLAgIXWOXhnawjduBrsrYKca 4kQMMceA/3ohAeDkuc3XBhoMtEoQ6eFvAmm08U9xNomM+yaUvbsBTO03U2T4e2fNdHhr ZjCoZdEgXR4fAQ1GbLqBQYjqGA7jh1IRQ+WlfcSTGS7ZFndJASEKOnBzLz3QyQlyUIAb yKmRs9jDUNVzz1urafg+2+Q6ydRti9+xzRBjgozGx15/xUq1TneulMPo7MBgk8xgBF+a ffwYbHPwsdLZerTXoyjdbqHcRq7PRPgOJ8vxdIhXJck7E+rS4A1M1dTKYZB7mGJbP5qU GqPw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x9si3836565pll.228.2019.03.21.01.30.46; Thu, 21 Mar 2019 01:31:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727967AbfCUIaF (ORCPT + 99 others); Thu, 21 Mar 2019 04:30:05 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:52266 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726253AbfCUIaF (ORCPT ); Thu, 21 Mar 2019 04:30:05 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 722F580D; Thu, 21 Mar 2019 01:30:04 -0700 (PDT) Received: from [10.1.197.45] (e112298-lin.cambridge.arm.com [10.1.197.45]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 1EDE53F71A; Thu, 21 Mar 2019 01:30:00 -0700 (PDT) Subject: Re: [PATCH v7 7/10] KVM: arm/arm64: context-switch ptrauth registers To: Amit Daniel Kachhap , linux-arm-kernel@lists.infradead.org Cc: Christoffer Dall , Marc Zyngier , Catalin Marinas , Will Deacon , Andrew Jones , Dave Martin , Ramana Radhakrishnan , kvmarm@lists.cs.columbia.edu, Kristina Martsenko , linux-kernel@vger.kernel.org, Mark Rutland , James Morse References: <1552984243-7689-1-git-send-email-amit.kachhap@arm.com> <1552984243-7689-8-git-send-email-amit.kachhap@arm.com> <44e16529-4792-0ec2-d2d5-f5c14c6bb2c4@arm.com> From: Julien Thierry Message-ID: <7e17333e-c05f-0f05-82dc-2185e023e905@arm.com> Date: Thu, 21 Mar 2019 08:29:52 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: <44e16529-4792-0ec2-d2d5-f5c14c6bb2c4@arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 21/03/2019 06:08, Amit Daniel Kachhap wrote: > Hi Julien, > > On 3/20/19 5:43 PM, Julien Thierry wrote: >> Hi Amit, >> >> On 19/03/2019 08:30, Amit Daniel Kachhap wrote: >>> From: Mark Rutland >>> >>> When pointer authentication is supported, a guest may wish to use it. >>> This patch adds the necessary KVM infrastructure for this to work, with >>> a semi-lazy context switch of the pointer auth state. >>> >>> Pointer authentication feature is only enabled when VHE is built >>> in the kernel and present in the CPU implementation so only VHE code >>> paths are modified. >>> >>> When we schedule a vcpu, we disable guest usage of pointer >>> authentication instructions and accesses to the keys. While these are >>> disabled, we avoid context-switching the keys. When we trap the guest >>> trying to use pointer authentication functionality, we change to eagerly >>> context-switching the keys, and enable the feature. The next time the >>> vcpu is scheduled out/in, we start again. However the host key save is >>> optimized and implemented inside ptrauth instruction/register access >>> trap. >>> >>> Pointer authentication consists of address authentication and generic >>> authentication, and CPUs in a system might have varied support for >>> either. Where support for either feature is not uniform, it is hidden >>> from guests via ID register emulation, as a result of the cpufeature >>> framework in the host. >>> >>> Unfortunately, address authentication and generic authentication cannot >>> be trapped separately, as the architecture provides a single EL2 trap >>> covering both. If we wish to expose one without the other, we cannot >>> prevent a (badly-written) guest from intermittently using a feature >>> which is not uniformly supported (when scheduled on a physical CPU which >>> supports the relevant feature). Hence, this patch expects both type of >>> authentication to be present in a cpu. >>> >>> This switch of key is done from guest enter/exit assembly as preperation >>> for the upcoming in-kernel pointer authentication support. Hence, these >>> key switching routines are not implemented in C code as they may cause >>> pointer authentication key signing error in some situations. >>> >>> Signed-off-by: Mark Rutland >>> [Only VHE, key switch in full assembly, vcpu_has_ptrauth checks >>> , save host key in ptrauth exception trap] >>> Signed-off-by: Amit Daniel Kachhap >>> Reviewed-by: Julien Thierry >>> Cc: Marc Zyngier >>> Cc: Christoffer Dall >>> Cc: kvmarm@lists.cs.columbia.edu >>> --- >>>   arch/arm64/include/asm/kvm_host.h        |  17 ++++++ >>>   arch/arm64/include/asm/kvm_ptrauth_asm.h | 100 >>> +++++++++++++++++++++++++++++++ >>>   arch/arm64/kernel/asm-offsets.c          |   6 ++ >>>   arch/arm64/kvm/guest.c                   |  14 +++++ >>>   arch/arm64/kvm/handle_exit.c             |  24 +++++--- >>>   arch/arm64/kvm/hyp/entry.S               |   7 +++ >>>   arch/arm64/kvm/reset.c                   |   7 +++ >>>   arch/arm64/kvm/sys_regs.c                |  46 +++++++++++++- >>>   virt/kvm/arm/arm.c                       |   2 + >>>   9 files changed, 212 insertions(+), 11 deletions(-) >>>   create mode 100644 arch/arm64/include/asm/kvm_ptrauth_asm.h >>> > [...] >>> +#ifdef    CONFIG_ARM64_PTR_AUTH >>> + >>> +#define PTRAUTH_REG_OFFSET(x)    (x - CPU_APIAKEYLO_EL1) >> >> I don't really see the point of this macro. You move the pointers of >> kvm_cpu_contexts to point to where the ptr auth registers are (which is >> in the middle of an array) by adding the offset of APIAKEYLO and then we >> have to recompute all offsets with this macro. >> >> Why not just pass the kvm_cpu_context pointers to >> ptrauth_save/restore_state and use the already defined offsets >> (CPU_AP*_EL1) directly? >> >> I think this would also allow to use one less register for the >> ptrauth_switch_to_* macros. > Actually the values of CPU_AP*_EL1 are exceeding the immediate range > (i.e 512), so this was done to keep the immediate offset within the range. > The other way would have been to calculate the destination register but > these would add one more add instruction everywhere. > I should have mentioned them as comments somewhere. Oh, I see. Yes, it would definitely be worth a comment. Thanks, -- Julien Thierry