Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp122934lqo; Thu, 16 May 2024 00:48:57 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWom0OiEc8RFNoYH1Za9vfz0FRrWQArQJv4Mek7/Grd+kHApnU3TiC126RLLIIPbVmudIWvDFoedtZWRudYUC/pZnLPdelF7EqGyPkmfg== X-Google-Smtp-Source: AGHT+IGFBMMWS50Cj8iOsaZMVb6r2RnRsp/qaCvVbxIXt4egufbE+hEKgZFKudYJrwpoeTikx4IH X-Received: by 2002:a05:6a21:2709:b0:1af:ceb8:221e with SMTP id adf61e73a8af0-1afd1483b5fmr27299979637.29.1715845737322; Thu, 16 May 2024 00:48:57 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715845737; cv=pass; d=google.com; s=arc-20160816; b=GccfshGLWcbKsLgJ2O9si35E+vbWb7aepM3gd84pE9+z7qh3y541AtMSNxGU8Sg667 FkR0GYG4tXNeZzVpMhW/gv0Q3Rj3ZA1Xn8rRoWZ33P9PEspusBRZRlFcJM6h8lA4z2aa 9X1PCCVVXXGc2XI3p/uMu6paderVTk//Bh8/9lZxY+crSFwZMtlVrd9TJPbA21ES4RwR 03QNdsIFEDyKk7wwZFs6qootP056P5zDBJ9tgCFlAfQt1Kk/GvBfQV4m13kgaJAarYUP QZGD+KP99MWxaaG+8mN1vz/CwdebQ2vz5WlvH4pNIl2bKtgA4AvWms976EhGB1bv+o41 SNZA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date; bh=+4vZysZGfIWwpOz2TC4VJf0vNCzWO2GfnsxUA1OLSHA=; fh=G29TNm1SPKOdkPiMgR4lPdfuvE1iCuUApv97m/oVJCw=; b=yxS655BMB6Spm0JOwNaomn4F87/EVsP8CdudaaeMLnfu2IA/2KpEZNTCFRBShopOiS P6+fb5qz2H/nktqd0NfOoKzLYcvLjKQwgza/EYGS6qWdDgWuQUIVhlEFebYiAPfKQ6rs dkEgME0ENOwzb5XYo1sJFRxvPjNAvnwKvTZkVjMbnz0IPsMOnUjxvtyNnvyaiSE79l8J 46OVv1iOtc/djxSjcuvbdxdaWudlUEBRCkyjweNVfHF+kgAjdbCTuK1cJi8EJ3dgiio+ VLo9U1KwbR1q+8SltqZ5SEZTnCo7iq6h5VdnoaISMYPnIncgQx1VDz9tB5OQVgB5Kq+f xikg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of linux-kernel+bounces-180719-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-180719-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-634103f6f8dsi15158462a12.276.2024.05.16.00.48.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 May 2024 00:48:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-180719-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of linux-kernel+bounces-180719-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-180719-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 3DA20B21429 for ; Thu, 16 May 2024 07:48:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 763BC69D2B; Thu, 16 May 2024 07:48:40 +0000 (UTC) Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2D1A2EB10; Thu, 16 May 2024 07:48:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715845720; cv=none; b=IM7gPUOG4xioYPH6hmu+naZD3FbvD6sRoqtxb15/D1edwPOA8bClFv/MoR3Nugoe04gFo5fRg4QnbGSWvhoDocqeYyNnD5sGbGG91mxUamv1saf9xZM/KjXwiy585pebNtleQZ+mtbhQFMTmUDUxze/X1bwKfOfk+8YQhpd0ipg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715845720; c=relaxed/simple; bh=T4oOZ1LmeWclvKPglpSa/G3iKDDHJ/ls07wv3wVQ2EA=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=fCfYru8rA1osYyQngV4iyQF1QlOqFJsEl6P1hNu9PIi7Qa3T8qquMgVSewkPU0BgC+FojIdcsYAbrUy2nfhf1DpWWNxupGSTcOZljQx+OWxhdpUfOVKsLuxk8HY9y/voSZDvmYaGGTmCJvV/mJn7LbGRuHWa4TZPSxvrOSJA5I4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F562C113CC; Thu, 16 May 2024 07:48:36 +0000 (UTC) Date: Thu, 16 May 2024 08:48:34 +0100 From: Catalin Marinas To: Suzuki K Poulose Cc: Steven Price , kvm@vger.kernel.org, kvmarm@lists.linux.dev, Marc Zyngier , Will Deacon , James Morse , Oliver Upton , Zenghui Yu , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Joey Gouly , Alexandru Elisei , Christoffer Dall , Fuad Tabba , linux-coco@lists.linux.dev, Ganapatrao Kulkarni Subject: Re: [PATCH v2 09/14] arm64: Enable memory encrypt for Realms Message-ID: References: <20240412084213.1733764-1-steven.price@arm.com> <20240412084213.1733764-10-steven.price@arm.com> <5b2db977-7f0f-4c3a-b278-f195c7ddbd80@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5b2db977-7f0f-4c3a-b278-f195c7ddbd80@arm.com> On Wed, May 15, 2024 at 11:47:02AM +0100, Suzuki K Poulose wrote: > On 14/05/2024 19:00, Catalin Marinas wrote: > > On Fri, Apr 12, 2024 at 09:42:08AM +0100, Steven Price wrote: > > Can someone summarise what the point of this protection bit is? The IPA > > memory is marked as protected/unprotected already via the RSI call and > > presumably the RMM disables/permits sharing with a non-secure hypervisor > > accordingly irrespective of which alias the realm guest has the linear > > mapping mapped to. What does it do with the top bit of the IPA? Is it > > that the RMM will prevent (via Stage 2) access if the IPA does not match > > the requested protection? IOW, it unmaps one or the other at Stage 2? > > The Realm's IPA space is split in half. The lower half is "protected" > and all pages backing the "protected" IPA is in the Realm world and > thus cannot be shared with the hypervisor. The upper half IPA is > "unprotected" (backed by Non-secure PAS pages) and can be accessed > by the Host/hyp. What about emulated device I/O where there's no backing RAM at an IPA. Does it need to have the top bit set? > The RSI call (RSI_IPA_STATE_SET) doesn't make an IPA unprotected. It > simply "invalidates" a (protected) IPA to "EMPTY" implying the Realm doesn't > intend to use the "ipa" as RAM anymore and any access to it from > the Realm would trigger an SEA into the Realm. The RSI call triggers an exit > to the host with the information and is a hint to the hypervisor to reclaim > the page backing the IPA. > > Now, given we need dynamic "sharing" of pages (instead of a dedicated > set of shared pages), "aliasing" of an IPA gives us shared pages. > i.e., If OS wants to share a page "x" (protected IPA) with the host, > we mark that as EMPTY via RSI call and then access the "x" with top-bit > set (aliasing the IPA x). This fault allows the hyp to map the page backing > IPA "x" as "unprotected" at ALIAS(x) address. Does the RMM sanity-checks that the NS hyp mappings are protected or unprotected depending on the IPA range? I assume that's also the case if the NS hyp is the first one to access a page before the realm (e.g. inbound virtio transfer; no page allocated yet because of a realm access). -- Catalin