From: Will Deacon
To: kvmarm@lists.linux.dev
Cc: Will Deacon, Sean Christopherson, Vincent Donnefort, Alexandru Elisei, Catalin Marinas, Philippe Mathieu-Daudé, James Morse, Chao Peng, Quentin Perret, Suzuki K Poulose, Mark Rutland, Fuad Tabba, Oliver Upton, Marc Zyngier, kernel-team@android.com, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH v6 07/26] KVM: arm64: Prevent the donation of no-map pages
Date: Thu, 10 Nov 2022 19:02:40 +0000
Message-Id: <20221110190259.26861-8-will@kernel.org>
In-Reply-To: <20221110190259.26861-1-will@kernel.org>
References: <20221110190259.26861-1-will@kernel.org>

From: Quentin Perret Memory regions marked as "no-map" in the host device-tree routinely include TrustZone carve-outs and DMA pools. Although donating such pages to the hypervisor may not breach confidentiality, it could be used to corrupt its state in uncontrollable ways. To prevent this, let's block host-initiated memory transitions targeting "no-map" pages altogether in nVHE protected mode as there should be no valid reason to do this in current operation. Thankfully, the pKVM EL2 hypervisor has a full copy of the host's list of memblock regions, so we can easily check for the presence of the MEMBLOCK_NOMAP flag on a region containing pages being donated from the host. Reviewed-by: Philippe Mathieu-Daudé Tested-by: Vincent Donnefort Signed-off-by: Quentin Perret Signed-off-by: Will Deacon --- arch/arm64/kvm/hyp/nvhe/mem_protect.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c index 10069cd32787..f7e3afaf9f11 100644 --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c @@ -193,7 +193,7 @@ struct kvm_mem_range { u64 end; }; -static bool find_mem_range(phys_addr_t addr, struct kvm_mem_range *range) +static struct memblock_region *find_mem_range(phys_addr_t addr, struct kvm_mem_range *range) { int cur, left = 0, right = hyp_memblock_nr; struct memblock_region *reg; 
@@ -216,18 +216,28 @@ static bool find_mem_range(phys_addr_t addr, struct kvm_mem_range *range) } else { range->start = reg->base; range->end = end; - return true; + return reg; } } - return false; + return NULL; } bool addr_is_memory(phys_addr_t phys) { struct kvm_mem_range range; - return find_mem_range(phys, &range); + return !!find_mem_range(phys, &range); +} + +static bool addr_is_allowed_memory(phys_addr_t phys) +{ + struct memblock_region *reg; + struct kvm_mem_range range; + + reg = find_mem_range(phys, &range); + + return reg && !(reg->flags & MEMBLOCK_NOMAP); } static bool is_in_mem_range(u64 addr, struct kvm_mem_range *range) @@ -346,7 +356,7 @@ static bool host_stage2_force_pte_cb(u64 addr, u64 end, enum kvm_pgtable_prot pr static int host_stage2_idmap(u64 addr) { struct kvm_mem_range range; - bool is_memory = find_mem_range(addr, &range); + bool is_memory = !!find_mem_range(addr, &range); enum kvm_pgtable_prot prot; int ret; 
@@ -424,7 +434,7 @@ static int __check_page_state_visitor(u64 addr, u64 end, u32 level, struct check_walk_data *d = arg; kvm_pte_t pte = *ptep; - if (kvm_pte_valid(pte) && !addr_is_memory(kvm_pte_to_phys(pte))) + if (kvm_pte_valid(pte) && !addr_is_allowed_memory(kvm_pte_to_phys(pte))) return -EINVAL; return d->get_page_state(pte) == d->desired ? 0 : -EPERM; -- 2.38.1.431.g37b22c650d-goog
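
Review bot: addr_is_allowed_memory() in the @@ -216 hunk has no comment saying how it differs from addr_is_memory() directly above it, and "allowed" alone does not tell a reader that it means "in a memblock region that is not MEMBLOCK_NOMAP". A one-line comment on the helper would prevent someone picking the wrong predicate later. Since find_mem_range() now returns the region (or NULL) rather than a bool, a short comment on its return value would also help the callers that still reduce it with !!find_mem_range(...).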
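
Review bot: in __check_page_state_visitor() (the @@ -424 hunk) the new addr_is_allowed_memory() test only runs when kvm_pte_valid(pte) is true and takes its address from kvm_pte_to_phys(pte), so an invalid entry skips it and goes straight to the d->get_page_state(pte) == d->desired comparison. If an invalid entry covering a no-map address can reach this visitor, consider making the check on the walked addr instead, or add a comment explaining why that case can never match the desired state. Because d->get_page_state is a callback, it is also worth stating in the commit message that the no-map rejection now applies to every user of this visitor.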