Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp3882436pxb; Mon, 4 Oct 2021 11:43:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwwQ2IegQS/LBkaFeLZJYUe4hkYXHXJiakVz1nAk8XhIIikYAlDljKIiuvetyCncldwDNwG X-Received: by 2002:a05:6402:d5a:: with SMTP id ec26mr5560264edb.247.1633373008013; Mon, 04 Oct 2021 11:43:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633373008; cv=none; d=google.com; s=arc-20160816; b=u40q1wO4FqXwAUCEVZgiWmCoZUIkqyFZHdQCbD+pDzHT4P+guZC/7AGcCCjrtHbeqZ mxjAWGc8glnv9uw34atY2779zSfnQKvwUXR14qFSutjxYOklKGcqAootNz2lYbfuEArh WIEDLEt/eTNhqPS3dX3hCJxUKDiHUynoGKaDSR/45AdGyVwwG3Fpqem0oMompg7eiRMw 7GDJgHc+jo4YR0llIkKJh8N8Bt8otu5s2pnCG0InUYeG/+6p4XZ8+zyhIMLGvmdOxHtr PXDHpWsKtD3wYzx5bOrBEFECygC67E1n5TlAOzbLL0SR77x3FqXR1z9+pBOhGfYoFFRS ZFSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=w4LIesWU04Iz87gE6AkKG2IODAVNvmsjm50dP+J2BjI=; b=PVVyk1vt7brK5Ak2QpdnVKKZ7zpXc4k2TGVj3M7oPFW2zT77fDHDb9uP4H4Nc8+iz6 DBtoDONQ4jCJH2s4sE+8ZBr0RARUTbkWcgzjsXWm9dEBBQnD/k5rr0ZQ7kPsD+n8cP9I nHYvCN9Vlc7CLurJQ48z/CuBHCxgnJq87YgxO0+fVkE3K0X2+5fiXf3mqciIemCgAZJ8 qp4MDBcJaCY/3hJ1NhIsYdkPmcgGEJrvUICQZYO9H+M62KVRqFCdSbKHKnpr+JEDOIq6 a7kzNSs9Iu5n01ho0nyzS5VpP0mm9Xy3HgAT5wcg/ba64bTXdvdZoD/ost14lfyunY5t yaeA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q6si11884181edd.80.2021.10.04.11.43.03; Mon, 04 Oct 2021 11:43:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235927AbhJDR7F (ORCPT + 99 others); Mon, 4 Oct 2021 13:59:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:36522 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235765AbhJDR66 (ORCPT ); Mon, 4 Oct 2021 13:58:58 -0400 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C6EDE61269; Mon, 4 Oct 2021 17:57:09 +0000 (UTC) Received: from sofa.misterjones.org ([185.219.108.64] helo=why.lan) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mXS5G-00EhBv-MO; Mon, 04 Oct 2021 18:49:02 +0100 From: Marc Zyngier To: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: will@kernel.org, qperret@google.com, dbrazdil@google.com, Steven Price , Andrew Jones , Fuad Tabba , Srivatsa Vaddagiri , Shanker R Donthineni , James Morse , Suzuki K Poulose , Alexandru Elisei , kernel-team@android.com Subject: [PATCH v2 10/16] KVM: arm64: Add some documentation for the MMIO guard feature Date: Mon, 4 Oct 2021 18:48:43 +0100 Message-Id: <20211004174849.2831548-11-maz@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211004174849.2831548-1-maz@kernel.org> References: <20211004174849.2831548-1-maz@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, will@kernel.org, qperret@google.com, dbrazdil@google.com, steven.price@arm.com, drjones@redhat.com, tabba@google.com, vatsa@codeaurora.org, sdonthineni@nvidia.com, james.morse@arm.com, suzuki.poulose@arm.com, alexandru.elisei@arm.com, kernel-team@android.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Document the hypercalls user for the MMIO guard infrastructure. Signed-off-by: Marc Zyngier --- Documentation/virt/kvm/arm/index.rst | 1 + Documentation/virt/kvm/arm/mmio-guard.rst | 74 +++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 Documentation/virt/kvm/arm/mmio-guard.rst diff --git a/Documentation/virt/kvm/arm/index.rst b/Documentation/virt/kvm/arm/index.rst index 78a9b670aafe..e77a0ee2e2d4 100644 --- a/Documentation/virt/kvm/arm/index.rst +++ b/Documentation/virt/kvm/arm/index.rst @@ -11,3 +11,4 @@ ARM psci pvtime ptp_kvm + mmio-guard diff --git a/Documentation/virt/kvm/arm/mmio-guard.rst b/Documentation/virt/kvm/arm/mmio-guard.rst new file mode 100644 index 000000000000..8b3c852c5d92 --- /dev/null +++ b/Documentation/virt/kvm/arm/mmio-guard.rst @@ -0,0 +1,74 @@ +.. SPDX-License-Identifier: GPL-2.0 + +============== +KVM MMIO guard +============== + +KVM implements device emulation by handling translation faults to any +IPA range that is not contained in a memory slot. Such a translation +fault is in most cases passed on to userspace (or in rare cases to the +host kernel) with the address, size and possibly data of the access +for emulation. + +Should the guest exit with an address that is not one that corresponds +to an emulatable device, userspace may take measures that are not the +most graceful as far as the guest is concerned (such as terminating it +or delivering a fatal exception). + +There is also an element of trust: by forwarding the request to +userspace, the kernel assumes that the guest trusts userspace to do +the right thing. + +The KVM MMIO guard offers a way to mitigate this last point: a guest +can request that only certain regions of the IPA space are valid as +MMIO. Only these regions will be handled as an MMIO, and any other +will result in an exception being delivered to the guest. + +This relies on a set of hypercalls defined in the KVM-specific range, +using the HVC64 calling convention. + +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_INFO + + ============== ======== ================================ + Function ID: (uint32) 0xC6000002 + Arguments: none + Return Values: (int64) NOT_SUPPORTED(-1) on error, or + (uint64) Protection Granule (PG) size in + bytes (r0) + ============== ======== ================================ + +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL + + ============== ======== ============================== + Function ID: (uint32) 0xC6000003 + Arguments: none + Return Values: (int64) NOT_SUPPORTED(-1) on error, or + RET_SUCCESS(0) (r0) + ============== ======== ============================== + +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP + + ============== ======== ==================================== + Function ID: (uint32) 0xC6000004 + Arguments: (uint64) The base of the PG-sized IPA range + that is allowed to be accessed as + MMIO. Must be aligned to the PG size + (r1) + (uint64) Index in the MAIR_EL1 register + providing the memory attribute that + is used by the guest (r2) + Return Values: (int64) NOT_SUPPORTED(-1) on error, or + RET_SUCCESS(0) (r0) + ============== ======== ==================================== + +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP + + ============== ======== ====================================== + Function ID: (uint32) 0xC6000005 + Arguments: (uint64) PG-sized IPA range aligned to the PG + size which has been previously mapped. + Must be aligned to the PG size and + have been previously mapped (r1) + Return Values: (int64) NOT_SUPPORTED(-1) on error, or + RET_SUCCESS(0) (r0) + ============== ======== ====================================== -- 2.30.2