Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp5369801rwb;
        Mon, 14 Nov 2022 03:46:18 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5OQ497dSQ5U2g4VtQCOKLjsn0cEZf7IgFWnwxN6XIyWQMPv1HrkswcYNw9LqhTZU3UNLLI
X-Received: by 2002:a17:90b:3145:b0:212:f2be:bc38 with SMTP id ip5-20020a17090b314500b00212f2bebc38mr13207905pjb.175.1668426378225;
        Mon, 14 Nov 2022 03:46:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668426378; cv=none;
        d=google.com; s=arc-20160816;
        b=GEcHAnkCiL+VbVa4fZhZxFdK9Bac+DUE14vMnWOVcBYCnyoh7NfjCWsTyxmQikwZBh
         X/bZjPC1CWhIUq6bWLMlTsF4Sm3gdMGhLoYhZaoSSXCS3hxYJoxe6wmChJmDw1P9zKaw
         yJwsUgLgKEulQBDCA57Qy4L8pa3KaW1/QQyNNYeQ4ai0UmT4gp7y+kx6rQVkY7JQ+oAI
         n/7HMJ0kfGNLdxg2L3axl+n8fsJBCp9xZoHVftG3DZHDPlbkH0LTg6EAC4MWeDn6RRPv
         O+Km0MfJUBEGEEWQm2kcyZ+y8zH3GPM09Dlhw4mFyRAmBT1Qwi2lo2DVAn9NOVuzAtja
         Wc/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:references:in-reply-to
         :subject:cc:to:from:message-id:date:dkim-signature;
        bh=E60yfS++z8BTHZthb4bPYadXUmStpscSaA6C6oTcbmI=;
        b=wwBRVMx10FKQrr8fwHAMG3m8WzrDlP/xZAsRc75rFj+XoElsy4VanuXfMbKj6wMoHl
         Sue+zAc5gucRiTK08dW11e7vB+0mDLh+KxJMVBIBzMXqwud2MYl0VD6yQFphHlb3sF75
         TW3bms8ZA1ghIWFL1RDSaTaHTZVL4eVMr4RnM43A2Owui2I1wPy+ZUMzyhSEAtsn/GUH
         Gg++3rsTlevNEq4wvHextGlleFh9k4tmG7pC4LoAdbABdz2FoQVXJbzlXfn4BrXRoqC9
         aOK+dRr8wtrMQk0MaFIikVTwi+T+hTLhsZbpiBVFhfpbTHiTWcqY0xb6aZGCCQXM+F3J
         rLLg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=W8W7cT4G;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id li2-20020a17090b48c200b00205f49b70fdsi9236782pjb.127.2022.11.14.03.46.04;
        Mon, 14 Nov 2022 03:46:18 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=W8W7cT4G;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236124AbiKNLh3 (ORCPT <rfc822;xiejw.io@gmail.com> + 89 others);
        Mon, 14 Nov 2022 06:37:29 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33782 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229484AbiKNLh1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Nov 2022 06:37:27 -0500
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 622D3E0C7;
        Mon, 14 Nov 2022 03:37:26 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id EFDF061044;
        Mon, 14 Nov 2022 11:37:25 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5718EC433C1;
        Mon, 14 Nov 2022 11:37:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1668425845;
        bh=X1WXUuEiCKYnCaSnllroe9lO9yo1oclX61iorR2hfP8=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=W8W7cT4G0eRhxxQtb/fG1Agad036i8WDiWbKv+7fyVCRbtdWrMK0YRAUyw3aA0cHv
         ZixjCxb6xkWxqH5vTFUokG6TPXIq7Ol4JOU4fSPj46hFKxF9o6LqvVYGAf/qIj0dRx
         fzjrxfpBWMiGe9oed60NTUh8lNzyzzztJ24pcs+XFTQKWOSURKyt2/4vkP2VMwB4hU
         2AXgwCfpB9N9TCctCLljVhTZhCWNhexgwkpNsr3ukcvsbqh3zrRDfkPWGGY5+s3sqc
         uNh4JUM9cFMn4VTneWbR/GZGzDkGHZVvYV/vwdjfN4/ZrdQ+0qVyexESqBNmYgvaoh
         sm39gLiANN6CA==
Received: from [82.3.55.76] (helo=wait-a-minute.misterjones.org)
        by disco-boy.misterjones.org with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.95)
        (envelope-from <maz@kernel.org>)
        id 1ouXmE-005wky-Vy;
        Mon, 14 Nov 2022 11:37:23 +0000
Date:   Mon, 14 Nov 2022 11:36:56 +0000
Message-ID: <878rkdvkbr.wl-maz@kernel.org>
From:   Marc Zyngier <maz@kernel.org>
To:     Oliver Upton <oliver.upton@linux.dev>
Cc:     James Morse <james.morse@arm.com>,
        Alexandru Elisei <alexandru.elisei@arm.com>,
        Suzuki K Poulose <suzuki.poulose@arm.com>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Raghavendra Rao Ananta <rananta@google.com>,
        linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
        kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org,
        kvm@vger.kernel.org
Subject: Re: [RFC PATCH 2/3] KVM: arm64: Allow userspace to trap SMCCC sub-ranges
In-Reply-To: <Y27dHf+PRt+G4jNg@google.com>
References: <20221110015327.3389351-1-oliver.upton@linux.dev>
        <20221110015327.3389351-3-oliver.upton@linux.dev>
        <86o7tfov7v.wl-maz@kernel.org>
        <Y21pktYPLPM6eYga@google.com>
        <87fsepvqw5.wl-maz@kernel.org>
        <Y27dHf+PRt+G4jNg@google.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1
 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 82.3.55.76
X-SA-Exim-Rcpt-To: oliver.upton@linux.dev, james.morse@arm.com, alexandru.elisei@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, will@kernel.org, pbonzini@redhat.com, rananta@google.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
X-SA-Exim-Mail-From: maz@kernel.org
X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false
X-Spam-Status: No, score=-3.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 11 Nov 2022 23:39:09 +0000,
Oliver Upton <oliver.upton@linux.dev> wrote:
> 
> On Fri, Nov 11, 2022 at 08:26:02AM +0000, Marc Zyngier wrote:
> > On Thu, 10 Nov 2022 21:13:54 +0000, Oliver Upton <oliver.upton@linux.dev> wrote:
> > > The goal of what I was trying to get at is that either the kernel or
> > > userspace takes ownership of a range that has an ABI, but not both. i.e.
> > > you really wouldn't want some VMM or cloud provider trapping portions of
> > > KVM's vendor-specific range while still reporting a 'vanilla' ABI at the
> > > time of discovery. Same goes for PSCI, TRNG, etc.
> > 
> > But I definitely think this is one of the major use cases. For
> > example, there is value in taking PSCI to userspace in order to
> > implement a newer version of the spec, or to support sub-features that
> > KVM doesn't (want to) implement. I don't think this changes the ABI from
> > the guest perspective.
> 
> I disagree for the implications of partially trapping the 'Vendor
> Specific Hypervisor Service'. If the UID for the range still reports KVM
> but userspace decided to add some new widget, then from the guest
> perspective that widget is now part of KVM's own ABI with the guest.

But that's what I mean by "I don't think this changes the ABI from the
guest perspective". The guest cannot know who is doing the emulation
anyway, so it is userspace's duty to preserve the illusion. At the
end of the day, this is only a configuration mechanism, and it is no
different from all other configuration bits (i.e. they need to be
identical on both side for migration).

> Trapping the whole range is a bit of a hack to workaround the need for
> more complicated verification of a hypercall filter.

We already need these things for architected hypercalls. Once we have
the infrastructure, it doesn't matter anymore which range this is for.

> 
> But for everything else, I'm fine with arbitrary function filtering.
> Userspace is always welcome to shoot itself in the foot.
> 
> > pKVM also has a use case for this where userspace gets a notification
> > of the hypercall that a guest has performed to share memory.
> 
> Is that hypercall in the 'Vendor Specific Hypervisor Service' range?

Yes. It is get another KVM hypercall.

> 
> > Communication with a TEE also is on the cards, as would be a FFA
> > implementation. All of this could be implemented in KVM, or in
> > userspace, depending what users of these misfeatures want to do.
> 
> I'm very hopeful that by forwarding all of this to userspace we can get
> out of the business of implementing every darn spec that comes along.

Good luck. All the TEEs have private, home grown APIs, and every
vendor will want to implement their own crap (i.e. there is no spec).

	M.

-- 
Without deviation from the norm, progress is not possible.