Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp266915yba; Wed, 24 Apr 2019 00:24:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqwEbKpWBracLbPfJocp6QQ2Fcq4LB7VEniou3nn1ewMyWeCQFjLnA9uh1wZi1mupG2E/3Wd X-Received: by 2002:a17:902:f81:: with SMTP id 1mr30941449plz.216.1556090685384; Wed, 24 Apr 2019 00:24:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556090685; cv=none; d=google.com; s=arc-20160816; b=RWJQxBIL4Bwz+p+jMqPbGlKRaZneIPyV1J2jVMKLH/hzoP/Zf2dg9T3cxKgGMG8OYo lFwHnvpwp3m7OEnKZV2kFRG3OMeXS8OSiRevgZmiv/Elr5UmXg8y/seADBW2yX0zCLOS uc8y1dRM/TUodUgn+5AIa0UysDkdcpSAbXsYdmjMQf310X6GGCNvrzKhG6F9ciKGseql X8D9TODdqbjJtnZmIaGAWVlCFEjRSQaZcoO8NcAchn41eFwj+tnhHb0XWjLL3QgwDCvR bWYZyhv1xfLRWqgff2xJelNBI80sxj9HNYCsUVgKdyMJ8V3RfUwxs9MyMpvmgBZgisiW g/hQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=LkKt7clXz9LLDKJQtyexfZkqRQH5m0fQzaViB7Rz5+k=; b=v8t86W1M25SGYuArT0roIiUAQRgUPUjNzH6HSpfGfh7YHRqDK9nlGRfQZwXGPY3n7Q 0MS7R367jqpuSxYvdDGKqeG/Z5itthlM2lB1Qu7g4AgCAX5qRei53uOPKE6ZzVCpifoy s2mW7KFAOnrE2MPUmCNYO2lH+iw/8MhTTL/Uwuo9iGXoXRU+6znodCmOgPTLs/sAQD+T LRjXEvb3dptGxKP01R8cIeHj/9BAfu98v2s3SKSuyYqPLCISMuAf2j+/XzeVI862Ulbi 4mmhNbgr3z8pQIz6lGMTLVBHxkRofgiaenI5a3zWdD6QuRK0S2z8HDf2eDJP4XguFItk ZHAw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a9si17765208pls.395.2019.04.24.00.24.29; Wed, 24 Apr 2019 00:24:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729602AbfDXGjd (ORCPT + 99 others); Wed, 24 Apr 2019 02:39:33 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:38326 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729219AbfDXGjd (ORCPT ); Wed, 24 Apr 2019 02:39:33 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5703FA78; Tue, 23 Apr 2019 23:39:32 -0700 (PDT) Received: from [10.162.0.144] (a075553-lin.blr.arm.com [10.162.0.144]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C54083F238; Tue, 23 Apr 2019 23:39:29 -0700 (PDT) Subject: Re: [PATCH v10 3/5] KVM: arm64: Add userspace flag to enable pointer authentication To: Dave Martin Cc: linux-arm-kernel@lists.infradead.org, Marc Zyngier , Catalin Marinas , Will Deacon , Kristina Martsenko , kvmarm@lists.cs.columbia.edu, Ramana Radhakrishnan , linux-kernel@vger.kernel.org References: <1555994558-26349-1-git-send-email-amit.kachhap@arm.com> <1555994558-26349-4-git-send-email-amit.kachhap@arm.com> <20190423154523.GN3567@e103592.cambridge.arm.com> From: Amit Daniel Kachhap Message-ID: <5cdb3c42-028c-cfdd-a595-2c3f63f91dad@arm.com> Date: Wed, 24 Apr 2019 12:09:27 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <20190423154523.GN3567@e103592.cambridge.arm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 4/23/19 9:15 PM, Dave Martin wrote: > On Tue, Apr 23, 2019 at 10:12:36AM +0530, Amit Daniel Kachhap wrote: >> Now that the building blocks of pointer authentication are present, lets >> add userspace flags KVM_ARM_VCPU_PTRAUTH_ADDRESS and >> KVM_ARM_VCPU_PTRAUTH_GENERIC. These flags will enable pointer >> authentication for the KVM guest on a per-vcpu basis through the ioctl >> KVM_ARM_VCPU_INIT. >> >> This features will allow the KVM guest to allow the handling of >> pointer authentication instructions or to treat them as undefined >> if not set. >> >> Necessary documentations are added to reflect the changes done. >> >> Reviewed-by: Dave Martin >> Signed-off-by: Amit Daniel Kachhap >> Cc: Mark Rutland >> Cc: Marc Zyngier >> Cc: Christoffer Dall >> Cc: kvmarm@lists.cs.columbia.edu >> --- >> Changed since v9: >> * Fixed tab alignment at few places [Dave Martin]. >> * Split the system capability checks [Dave Martin]. >> >> Documentation/arm64/pointer-authentication.txt | 22 +++++++++++++++++---- >> Documentation/virtual/kvm/api.txt | 10 ++++++++++ >> arch/arm64/include/asm/kvm_host.h | 2 +- >> arch/arm64/include/uapi/asm/kvm.h | 2 ++ >> arch/arm64/kvm/reset.c | 27 ++++++++++++++++++++++++++ >> 5 files changed, 58 insertions(+), 5 deletions(-) >> >> diff --git a/Documentation/arm64/pointer-authentication.txt b/Documentation/arm64/pointer-authentication.txt >> index 5baca42..fc71b33 100644 >> --- a/Documentation/arm64/pointer-authentication.txt >> +++ b/Documentation/arm64/pointer-authentication.txt >> @@ -87,7 +87,21 @@ used to get and set the keys for a thread. >> Virtualization >> -------------- >> >> -Pointer authentication is not currently supported in KVM guests. KVM >> -will mask the feature bits from ID_AA64ISAR1_EL1, and attempted use of >> -the feature will result in an UNDEFINED exception being injected into >> -the guest. >> +Pointer authentication is enabled in KVM guest when each virtual cpu is >> +initialised by passing flags KVM_ARM_VCPU_PTRAUTH_[ADDRESS/GENERIC] and >> +requesting these two separate cpu features to be enabled. The current KVM >> +guest implementation works by enabling both features together, so both >> +these userspace flags are checked before enabling pointer authentication. >> +The separate userspace flag will allow to have no userspace ABI changes >> +if support is added in the future to allow these two features to be >> +enabled independently of one another. >> + >> +As Arm Architecture specifies that Pointer Authentication feature is >> +implemented along with the VHE feature so KVM arm64 ptrauth code relies >> +on VHE mode to be present. >> + >> +Additionally, when these vcpu feature flags are not set then KVM will >> +filter out the Pointer Authentication system key registers from >> +KVM_GET/SET_REG_* ioctls and mask those features from cpufeature ID >> +register. Any attempt to use the Pointer Authentication instructions will >> +result in an UNDEFINED exception being injected into the guest. >> diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt >> index e410a9f..32afe7f 100644 >> --- a/Documentation/virtual/kvm/api.txt >> +++ b/Documentation/virtual/kvm/api.txt >> @@ -2761,6 +2761,16 @@ Possible features: >> - KVM_ARM_VCPU_PMU_V3: Emulate PMUv3 for the CPU. >> Depends on KVM_CAP_ARM_PMU_V3. >> >> + - KVM_ARM_VCPU_PTRAUTH_ADDRESS: Enables Address Pointer authentication >> + for arm64 only. >> + Both KVM_ARM_VCPU_PTRAUTH_ADDRESS and KVM_ARM_VCPU_PTRAUTH_GENERIC >> + must be requested or neither must be requested. >> + >> + - KVM_ARM_VCPU_PTRAUTH_GENERIC: Enables Generic Pointer authentication >> + for arm64 only. >> + Both KVM_ARM_VCPU_PTRAUTH_ADDRESS and KVM_ARM_VCPU_PTRAUTH_GENERIC >> + must be requested or neither must be requested. >> + > > This looks pretty clear now. > >> - KVM_ARM_VCPU_SVE: Enables SVE for the CPU (arm64 only). >> Depends on KVM_CAP_ARM_SVE. >> Requires KVM_ARM_VCPU_FINALIZE(KVM_ARM_VCPU_SVE): >> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h >> index 7eebea7..f772ac2 100644 >> --- a/arch/arm64/include/asm/kvm_host.h >> +++ b/arch/arm64/include/asm/kvm_host.h >> @@ -49,7 +49,7 @@ >> >> #define KVM_MAX_VCPUS VGIC_V3_MAX_CPUS >> >> -#define KVM_VCPU_MAX_FEATURES 5 >> +#define KVM_VCPU_MAX_FEATURES 7 >> >> #define KVM_REQ_SLEEP \ >> KVM_ARCH_REQ_FLAGS(0, KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) >> diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h >> index edd2db8..7b7ac0f 100644 >> --- a/arch/arm64/include/uapi/asm/kvm.h >> +++ b/arch/arm64/include/uapi/asm/kvm.h >> @@ -104,6 +104,8 @@ struct kvm_regs { >> #define KVM_ARM_VCPU_PSCI_0_2 2 /* CPU uses PSCI v0.2 */ >> #define KVM_ARM_VCPU_PMU_V3 3 /* Support guest PMUv3 */ >> #define KVM_ARM_VCPU_SVE 4 /* enable SVE for this CPU */ >> +#define KVM_ARM_VCPU_PTRAUTH_ADDRESS 5 /* VCPU uses address authentication */ >> +#define KVM_ARM_VCPU_PTRAUTH_GENERIC 6 /* VCPU uses generic authentication */ >> >> struct kvm_vcpu_init { >> __u32 target; >> diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c >> index 3402543..028d0c6 100644 >> --- a/arch/arm64/kvm/reset.c >> +++ b/arch/arm64/kvm/reset.c >> @@ -221,6 +221,27 @@ static void kvm_vcpu_reset_sve(struct kvm_vcpu *vcpu) >> memset(vcpu->arch.sve_state, 0, vcpu_sve_state_size(vcpu)); >> } >> >> +static int kvm_vcpu_enable_ptrauth(struct kvm_vcpu *vcpu) >> +{ >> + /* Support ptrauth only if the system supports these capabilities. */ >> + if (!has_vhe()) >> + return -EINVAL; >> + >> + if (!system_supports_address_auth() || >> + !system_supports_generic_auth()) >> + return -EINVAL; > > Since pointer auth implies v8.3 and v8.3 implies v8.1 and v8.1 implies VHE: > > ((system_supports_address_auth() || system_supports_generic_auth()) && > !has_vhe()) implies that the hardware is broken or the kernel is buggy. > > So, it probably makes sense to write > > if (!system_supports_address_auth() || > !system_supports_generic_auth()) > return -EINVAL; > > if (WARN_ON(!has_vhe())) > return -EINVAL; Yes agree with you. Now with config VHE restriction set it makes more sense that this situation will only occur now in buggy h/w case. > > This is not essential, and doesn't affect the ABI -- so we could apply > it on top later on. > > [...] > > FWIW: > > Reviewed-by: Dave Martin (for the updates) Thanks for the review effort. Thanks, Amit D > > Cheers > ---Dave >