Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp3594643pxb; Wed, 13 Oct 2021 09:02:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYxAyCdFZ922fDgcL8re+oqffD/9s1rxycEE3yir+abqSK7f1AfDX5vgynovC9KX2W5fW1 X-Received: by 2002:a17:906:6d0a:: with SMTP id m10mr141985ejr.90.1634140957905; Wed, 13 Oct 2021 09:02:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634140957; cv=none; d=google.com; s=arc-20160816; b=fr41osya1R89ZDEXg6oG9n0nEzKO6Qt8IWTDvRi8cNH1Xq5mOWN+mP+MYMMxlQiWF3 /d1jcqe2NETXjXKTih3bmrO3uHNJVFJ3wkklYbTSp2Ryk8Q2IiSgtYKXKu5KsF7kpJ0E Hb9luL4cHn2DlfmKsA+Vtx6vjYBlIL8OutxdE3MPeHgVniDbgxdgPCN+UZraagIY1TC3 i720wyC+0aDRhQsyXIUD/+JzmxwXf4WF3D42t656k0qbNxzMlNt9Ae0Tnv3kY6Kgxy1i /cTzw52Z0rsuN5rOuqlcjBvCGG8PkeVVf+89o+s0CM9zY7soE3ZCYfc/9ynBYvu/iJC5 7rYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :dkim-signature; bh=Eht9NEYnyeNXZ9GC0V0N+PJToFUkivNq3A15CtLZoHQ=; b=x/UGUttwkX/0tWEtVE5YFbT6mtiI9AtAjveg0s+udga00NwW1oXr98IbH7kmNjtG9W UTg+GukgWO0OcQ2FA7HOCMlDmAf2GaO8x30J++PwsVVQW0pZc+pbYJlMTtlnaan4jiAl LkTmF2osWAe9REdtIlXuWVhU4gv3jW71zEagdfb3Q8PeufmHMNiYT2ALwmf6MikadJYA Bcsb6p/eoVSwZKe1TeCIOhvlHTsCUCeU8TPygiaTsK7+qWZuNVa26fZWM5FycYW4UbT3 3HUFobp/OulhUk7x1J9e9m5hGp+2exIHl+qABxdjA1qssAeuKsL6OCdFQ5GIvEEOQPOM 7V1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=MmrT+s8m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l3si33392732ejo.634.2021.10.13.09.02.06; Wed, 13 Oct 2021 09:02:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=MmrT+s8m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234266AbhJMQAk (ORCPT + 99 others); Wed, 13 Oct 2021 12:00:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42762 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231414AbhJMQAj (ORCPT ); Wed, 13 Oct 2021 12:00:39 -0400 Received: from mail-wr1-x449.google.com (mail-wr1-x449.google.com [IPv6:2a00:1450:4864:20::449]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECE4EC061570 for ; Wed, 13 Oct 2021 08:58:35 -0700 (PDT) Received: by mail-wr1-x449.google.com with SMTP id a15-20020a056000188f00b00161068d8461so2358175wri.11 for ; Wed, 13 Oct 2021 08:58:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=Eht9NEYnyeNXZ9GC0V0N+PJToFUkivNq3A15CtLZoHQ=; b=MmrT+s8muELqT2L44AG8+lk0AywU/F2urJDOsAWd0K9der7aYqNb7QeEmpJr61jjDJ ktPaVPfr9Um/DkE+sBzpnuPozNyp6CQ+MtznYTvTt4wDgqSdOkw9M3DVjAPywJYCv8V/ zflAJefyFMKPyYkjOQMiINYeddoxDo7z6hdWUMN0HOvwQHdW00FFAeG+92esLUP8C1E+ zneGPi2fokr5vos/ibfeJwBKG8GSSV9xYqTD3faz8aL7hRURTFEOjeGJufrj7gWmhW2u pYfTxgeNY741mtX6j+fZtTb7vRXRx4KkLWMdK5IbhZnKd9AIAIS/+TedR6F/JZd1rqzO v0Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=Eht9NEYnyeNXZ9GC0V0N+PJToFUkivNq3A15CtLZoHQ=; b=BS5FhMpqiLRfPNCYL6SgBAZCSW01NjRdqD9aS+OR0MwJEOwDzpyQCrlchAOx4/M+lc 7rW6pFOEEGpEshXsHUKsjtvsKD2Wn1dYsCoRaexOlwISzLi/mlt2eH7vU+6WU8nNVIH5 BUdgSB5hRqE9xUmTFb7vSrsw2SLzh1H/b4pwid0m2CVMQ6Z7TR/jo1p0FWZmm5R021dC Z4FI/TegynFVuQu9ChXk/2BRCub1IVmH+uSmSDoHLzC8Ka/1yYbsfkhBdYNDYJ15h3yb xOcM2/LGkTFk6hh/htaolpXT+yB3HZBG6RVDez/73V8ACxsqzdlIqmGpNKw1EWuJUvsF Qjbw== X-Gm-Message-State: AOAM532mGexhVea8MyWbRyfllEwBocL1KznBuDgAJtDNiOJqYV7O/+EC qHWQETYisB2OafzkNK5o66l+nzKFyZnc X-Received: from luke.lon.corp.google.com ([2a00:79e0:d:210:65b5:73d3:1558:b9ae]) (user=qperret job=sendgmr) by 2002:a05:600c:1c05:: with SMTP id j5mr141830wms.1.1634140714059; Wed, 13 Oct 2021 08:58:34 -0700 (PDT) Date: Wed, 13 Oct 2021 16:58:15 +0100 Message-Id: <20211013155831.943476-1-qperret@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.33.0.882.g93a45727a2-goog Subject: [PATCH 00/16] KVM: arm64: Implement unshare hypercall for pkvm From: Quentin Perret To: Marc Zyngier , James Morse , Alexandru Elisei , Suzuki K Poulose , Catalin Marinas , Will Deacon , Fuad Tabba , David Brazdil Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi all, This series implements an unshare hypercall at EL2 in nVHE protected mode, and makes use of it to unmmap guest-specific data-structures from EL2 stage-1 during guest tear-down. Crucially, the implementation of the share and unshare hypercall implements page refcounts at EL2 to avoid accidentally unmapping data-structures that overlap a common page. This series has two main benefits. Firstly it allows EL2 to track the state of shared pages cleanly, as they can now transition from SHARED back to OWNED. This will simplify permission checks once e.g. pkvm implements a donation hcall to provide memory to protected guests, as there should then be no reason for the host to donate a page that is currently marked shared. And secondly, it avoids having dangling mappings in the hypervisor's stage-1, which should be a good idea from a security perspective as the hypervisor is obviously running with elevated privileges. And perhaps worth noting is that this also refactors the EL2 page-tracking checks in a more scalable way, which should allow to implement other memory transitions (host donating memory to a guest, a guest sharing back with the host, ...) much more easily in the future. The series is organized as follows: - patches 01-05 refactor the implementation of the existing share hypercall; - patches 06-10 introduce infrastructure to allow unmapping pages from EL2 stage-1; - patches 11-14 allow to refcount pages that are shared more than once with EL2; - patches 15-16 add the unshare hypercall, and make use of it when tearing down guests. This has been lightly tested on Qemu, by spawning and powering off a guest 50 times. Feedback welcome :) ! Thanks, Quentin Quentin Perret (11): KVM: arm64: Avoid remapping the SVE state in the hyp stage-1 KVM: arm64: Introduce kvm_share_hyp() KVM: arm64: Accept page ranges in pkvm share hypercall KVM: arm64: Provide {get,put}_page() stubs for early hyp allocator KVM: arm64: Refcount hyp stage-1 pgtable pages KVM: arm64: Fixup hyp stage-1 refcount KVM: arm64: Back hyp_vmemmap for all of memory KVM: arm64: Move hyp refcount helpers to header files KVM: arm64: Refcount shared pages at EL2 KVM: arm64: pkvm: Introduce an unshare hypercall KVM: arm64: pkvm: Unshare guest structs during teardown Will Deacon (5): KVM: arm64: Introduce do_share() helper for memory sharing between components KVM: arm64: Implement __pkvm_host_share_hyp() using do_share() KVM: arm64: Hook up ->page_count() for hypervisor stage-1 page-table KVM: arm64: Implement kvm_pgtable_hyp_unmap() at EL2 KVM: arm64: Move double-sharing logic into hyp-specific function arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/kvm_host.h | 2 + arch/arm64/include/asm/kvm_mmu.h | 2 + arch/arm64/include/asm/kvm_pgtable.h | 21 + arch/arm64/kvm/arm.c | 17 +- arch/arm64/kvm/fpsimd.c | 25 +- arch/arm64/kvm/hyp/include/nvhe/mem_protect.h | 8 +- arch/arm64/kvm/hyp/include/nvhe/memory.h | 18 + arch/arm64/kvm/hyp/include/nvhe/mm.h | 29 +- arch/arm64/kvm/hyp/nvhe/early_alloc.c | 5 + arch/arm64/kvm/hyp/nvhe/hyp-main.c | 12 +- arch/arm64/kvm/hyp/nvhe/mem_protect.c | 596 ++++++++++++++++-- arch/arm64/kvm/hyp/nvhe/mm.c | 31 +- arch/arm64/kvm/hyp/nvhe/page_alloc.c | 22 +- arch/arm64/kvm/hyp/nvhe/setup.c | 39 +- arch/arm64/kvm/hyp/pgtable.c | 80 ++- arch/arm64/kvm/hyp/reserved_mem.c | 17 +- arch/arm64/kvm/mmu.c | 48 +- arch/arm64/kvm/reset.c | 13 +- 19 files changed, 814 insertions(+), 172 deletions(-) -- 2.33.0.882.g93a45727a2-goog