Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp6922116pxv; Fri, 30 Jul 2021 05:59:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyPjEqYz45G3l89F3W94287uyLj3MnfS7106L/j1nGAVcmNGx032diN0+FD3Xg1oPdECCUX X-Received: by 2002:a6b:db18:: with SMTP id t24mr2377318ioc.163.1627649989571; Fri, 30 Jul 2021 05:59:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627649989; cv=none; d=google.com; s=arc-20160816; b=pPrZiPzxWGYKirTk8knRrXcxE4gU611ufsrfvdxuf52ILav6At0cCUGG+qEKTgD7iN zvnI+dZh2e7teb05hyEn73eeCNZ5TfHCaXCrqyhiMISXZA6OxRFs+LnhufkPcOsZVeod nMam9ivDtawRk8vz4qyvpB8SQN5oppfuQj0IgbJ2Wos0Cgk9PE3CRoUqAChFEqojGYgN aaaAG4+mG8GyGmMlBYS9F8l8WG7XfkTVfnU6VK6Hy3uYiSN8Pqqg7Yc570BPaCy3xMMZ 86BbRoaq4L70SAA97E4d36EhtIKFV883te5rqpbbSyM4A9sSnllyV5yY8FqzNGflcyuB YrxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=j8hwjM/QSzVbDdpvE5AeYjXhEWiO5+EcdPNYuJTkjFg=; b=aDC58rKiwHa6lZ7sA7MfbXXmTps8UZq1Dkyrx7GQPGhtQruOch/OXw476jWoaIpQwf QS4Cdz8o0t7Wj1Zgml1g8Glox1Uxsk59kkqsXVHh0ndQXdJ7vRtIfaG0/qqCbeStmT91 mkWF15qIXEIaTBEz6F1c/8VnEynSENCLi/7WrrZUkDLEzqdHtPgGh+JHm5pF3Oak8GfC Wkbi2mUIHC5chUE5Zx9xssue0J7Y20ibHIWd3zxXmB61aJVayLHqWOnqajLyvWgMw3F9 qFCsibHQUrI3ke08b0f0B8xNnOVMSGM4PXfGfzKSJMha6f65mBgsss2i7mMfo0a+eyBz 60vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=TsfEJZvy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k12si1605179ilu.161.2021.07.30.05.59.36; Fri, 30 Jul 2021 05:59:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=TsfEJZvy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231266AbhG3M64 (ORCPT + 99 others); Fri, 30 Jul 2021 08:58:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45662 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230328AbhG3M64 (ORCPT ); Fri, 30 Jul 2021 08:58:56 -0400 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6977FC061765 for ; Fri, 30 Jul 2021 05:58:51 -0700 (PDT) Received: by mail-wr1-x433.google.com with SMTP id l18so11224592wrv.5 for ; Fri, 30 Jul 2021 05:58:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=j8hwjM/QSzVbDdpvE5AeYjXhEWiO5+EcdPNYuJTkjFg=; b=TsfEJZvy1y2u50cLgrLLYofgWvuIMkgvXW0S+vvSU9GzX3mFKvG6124i06yOC8eb27 20oETj/Pf8KSzJbb8oyT+eGuILBv/+i1pZ1yYPBDlVQCRZHWC4CrsXkwUFlGcwmS3eMC j1k6mWNpgiiH44Wu1eF0cfG2ZCnBWvtdaIBVuugBYUy6Xt3I9AlfYgi3SCEbxomhC9vU 2RGxTWO+cEpbNB2ViIzHIEnFw8U9NRenXL5JGiiD8tz/wL4ygy6t/NEK5VwNqnS7obW7 ob0CwQ821wKM68qZa6pKGtKOBElIFnHxra9+PupVE5JcWVCd4j53gRNXxHm0UbJDwPnP ejOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=j8hwjM/QSzVbDdpvE5AeYjXhEWiO5+EcdPNYuJTkjFg=; b=tJBRc4zd6iNRFHqKbb/GkPIZQpVxZLxo1o7l0aPfvwSpf3v56M2RzD4t/sll380AO7 1lFtP7Rd+AWTlraDVkPBRbR9tbRpGBqgmwVWi2lH4bfnzlA6mfmHk/mYVkNEmmUnUQYQ CjbBVwuqvYdhg/HVNcRGGGzj1Gtd37EsRPbgx3d9W609DTg+1AO2D8um6taylVPWIP8x EtAgtCHxnoJd12zlGU3tNUNmVV68vMpBzqaIdmZS/1ahS8/cqkC2pSBN50VglX6yqKjx 7f/i735fciOte02u/Q1H8cwz6QzqtIaOCfiL/Rv57SJgc2atgB2XsnkEoXiMfI0A874n Yzlw== X-Gm-Message-State: AOAM530/D6Syjj71fqwQC+dW8DOaRx4WwJyXr2yFLbb3/ffHnpKddPlY MPlyCyEMm/Vniwa14/z362Pc6w== X-Received: by 2002:adf:d087:: with SMTP id y7mr2868579wrh.323.1627649929764; Fri, 30 Jul 2021 05:58:49 -0700 (PDT) Received: from google.com ([2a00:79e0:d:210:26d7:991f:a808:7661]) by smtp.gmail.com with ESMTPSA id h12sm1678791wrm.62.2021.07.30.05.58.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Jul 2021 05:58:49 -0700 (PDT) Date: Fri, 30 Jul 2021 13:58:46 +0100 From: Quentin Perret To: Will Deacon Cc: Marc Zyngier , linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, dbrazdil@google.com, Srivatsa Vaddagiri , Shanker R Donthineni , James Morse , Suzuki K Poulose , Alexandru Elisei , kernel-team@android.com Subject: Re: [PATCH 04/16] KVM: arm64: Add MMIO checking infrastructure Message-ID: References: <20210715163159.1480168-1-maz@kernel.org> <20210715163159.1480168-5-maz@kernel.org> <20210727181107.GC19173@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210727181107.GC19173@willie-the-truck> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tuesday 27 Jul 2021 at 19:11:08 (+0100), Will Deacon wrote: > On Thu, Jul 15, 2021 at 05:31:47PM +0100, Marc Zyngier wrote: > > Introduce the infrastructure required to identify an IPA region > > that is expected to be used as an MMIO window. > > > > This include mapping, unmapping and checking the regions. Nothing > > calls into it yet, so no expected functional change. > > > > Signed-off-by: Marc Zyngier > > --- > > arch/arm64/include/asm/kvm_host.h | 2 + > > arch/arm64/include/asm/kvm_mmu.h | 5 ++ > > arch/arm64/kvm/mmu.c | 115 ++++++++++++++++++++++++++++++ > > 3 files changed, 122 insertions(+) > > > > diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h > > index 4add6c27251f..914c1b7bb3ad 100644 > > --- a/arch/arm64/include/asm/kvm_host.h > > +++ b/arch/arm64/include/asm/kvm_host.h > > @@ -125,6 +125,8 @@ struct kvm_arch { > > #define KVM_ARCH_FLAG_RETURN_NISV_IO_ABORT_TO_USER 0 > > /* Memory Tagging Extension enabled for the guest */ > > #define KVM_ARCH_FLAG_MTE_ENABLED 1 > > + /* Gues has bought into the MMIO guard extension */ > > +#define KVM_ARCH_FLAG_MMIO_GUARD 2 > > unsigned long flags; > > > > /* > > diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h > > index b52c5c4b9a3d..f6b8fc1671b3 100644 > > --- a/arch/arm64/include/asm/kvm_mmu.h > > +++ b/arch/arm64/include/asm/kvm_mmu.h > > @@ -170,6 +170,11 @@ phys_addr_t kvm_mmu_get_httbr(void); > > phys_addr_t kvm_get_idmap_vector(void); > > int kvm_mmu_init(u32 *hyp_va_bits); > > > > +/* MMIO guard */ > > +bool kvm_install_ioguard_page(struct kvm_vcpu *vcpu, gpa_t ipa); > > +bool kvm_remove_ioguard_page(struct kvm_vcpu *vcpu, gpa_t ipa); > > +bool kvm_check_ioguard_page(struct kvm_vcpu *vcpu, gpa_t ipa); > > + > > static inline void *__kvm_vector_slot2addr(void *base, > > enum arm64_hyp_spectre_vector slot) > > { > > diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c > > index 3155c9e778f0..638827c8842b 100644 > > --- a/arch/arm64/kvm/mmu.c > > +++ b/arch/arm64/kvm/mmu.c > > @@ -1120,6 +1120,121 @@ static void handle_access_fault(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa) > > kvm_set_pfn_accessed(pte_pfn(pte)); > > } > > > > +#define MMIO_NOTE ('M' << 24 | 'M' << 16 | 'I' << 8 | '0') > > Although this made me smile, maybe we should carve up the bit space a bit > more carefully ;) Also, you know somebody clever will "fix" that typo to > 'O'! > > Quentin, as the other user of this stuff at the moment, how do you see the > annotation space being allocated? Feels like we should have some 'type' > bits which decide how to parse the rest of the entry. Yes, that's probably worth doing. I've been thinking about using fancy data structures with bitfields and such, but none of that really seems to bit a simpler approach. So how about we make the annotate() function accept two arguments instead of one: an 'enum kvm_pte_inval_type type' and 'u64 payload', and then we provide a static inline helper in pgtable.h to unpack an invalid PTE into type/payload members? I'd guess 7 bits for the type should be more than enough and the payload can use the rest. Thoughts? Thanks, Quentin