From: sashiko-bot@kernel.org
To: tabba@google.com
Cc: kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>,
	"Marc Zyngier" <maz@kernel.org>
Subject: Re: [PATCH v1 08/11] KVM: arm64: Add host and hypervisor vCPU lookup primitives
Date: Fri, 12 Jun 2026 07:08:18 +0000	[thread overview]
Message-ID: <20260612070819.64FE01F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612065925.755562-9-tabba@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] flush_hyp_vcpu() incorrectly copies MDCR_EL2 from the untrusted host context for protected VMs, violating EL2 security guidelines.
--

commit 11498ed516d4ebc65b4ad00086974239ee0e2eb4
Author: Marc Zyngier <maz@kernel.org>
KVM: arm64: Add host and hypervisor vCPU lookup primitives

This commit introduces primitives to translate a host vCPU into the
hypervisor's address space. It refactors handle___kvm_vcpu_run() to use
these new lookup primitives.

> diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
[ ... ]
> @@ -214,23 +245,16 @@ static void handle___kvm_vcpu_run(struct kvm_cpu_context *host_ctxt)
>  			goto out;
>  		}
>  
> -		if (!hyp_vcpu) {
> -			ret = -EINVAL;
> -			goto out;
> -		}
> -
>  		flush_hyp_vcpu(hyp_vcpu);
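Review bot: the hunk drops the `if (!hyp_vcpu)` guard that sat immediately before `flush_hyp_vcpu(hyp_vcpu);`, so the only remaining protection is the preceding `goto out;` error path, whose condition lies outside the visible context. Confirm that the new lookup primitive cannot return a NULL hyp_vcpu without also taking that error path; otherwise flush_hyp_vcpu() would dereference NULL. A short comment above the call naming the lookup that guarantees a valid hyp_vcpu would make the invariant explicit for later readers.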

[Severity: High]
This is a pre-existing issue, but does flush_hyp_vcpu() incorrectly copy
mdcr_el2 from the untrusted host context for protected VMs?

Looking at flush_hyp_vcpu() in arch/arm64/kvm/hyp/nvhe/hyp-main.c:

static void flush_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu)
{
        struct kvm_vcpu *host_vcpu = hyp_vcpu->host_vcpu;
        [ ... ]
        hyp_vcpu->vcpu.arch.mdcr_el2 = host_vcpu->arch.mdcr_el2;
        [ ... ]
}

According to the pKVM EL2 Security and Trust Boundary guidelines, trap
configuration registers like mdcr_el2 must be initialized in an EL2-private
context for protected VMs. They must not rely on values written by the host.

Because host_vcpu resides in untrusted host memory, this unconditional
assignment could allow a compromised host to overwrite the mdcr_el2
configuration of a protected VM. This could potentially allow the host to
manipulate guest debug exceptions and break guest confidentiality or
hypervisor isolation.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612065925.755562-1-tabba@google.com?part=8
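The trust-boundary problem described in the review, as an added illustration that is not kernel code and not part of the original thread: a simplified model in which a host-owned context feeds a flush routine, shown first as the flagged unconditional copy and then in a hardened form where a protected VM keeps an EL2-private value. The struct names, the `protected_vm` flag and the constant `HYP_PROTECTED_MDCR_EL2` are constructed for the model and do not correspond to real kernel identifiers.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified model of the pKVM flush path; not kernel code.
 * Constructed EL2-private MDCR_EL2 value chosen by the hypervisor at reset;
 * the bit pattern is illustrative, only the trust property matters. */
#define HYP_PROTECTED_MDCR_EL2 0x00000F00ULL

/* Lives in host-owned memory: attacker-controlled once the host is compromised. */
struct host_vcpu_model {
    uint64_t mdcr_el2;
};

/* Lives in EL2-private memory: the host cannot write it directly. */
struct hyp_vcpu_model {
    struct host_vcpu_model *host_vcpu;
    bool protected_vm;
    uint64_t mdcr_el2;
};

/* The pattern the review flags: trap configuration is copied verbatim from
 * the host context whether or not the guest is protected. */
void flush_hyp_vcpu_unsafe(struct hyp_vcpu_model *hv)
{
    hv->mdcr_el2 = hv->host_vcpu->mdcr_el2;
}

/* Hardened variant: a protected VM keeps the EL2-private value and the host
 * copy is ignored; non-protected guests stay host-controlled, since the host
 * legitimately owns their debug configuration. */
void flush_hyp_vcpu_hardened(struct hyp_vcpu_model *hv)
{
    if (hv->protected_vm) {
        hv->mdcr_el2 = HYP_PROTECTED_MDCR_EL2;
        return;
    }
    hv->mdcr_el2 = hv->host_vcpu->mdcr_el2;
}

/* Resulting mdcr_el2 after the host has written host_value into its own copy
 * and the given flush routine has run on a freshly reset hyp vCPU. */
uint64_t mdcr_after_flush(bool protected_vm, uint64_t host_value,
                          void (*flush)(struct hyp_vcpu_model *))
{
    struct host_vcpu_model host = { .mdcr_el2 = host_value };
    struct hyp_vcpu_model hv = { .host_vcpu = &host, .protected_vm = protected_vm,
                                 .mdcr_el2 = HYP_PROTECTED_MDCR_EL2 };
    flush(&hv);
    return hv.mdcr_el2;
}
```

The model shows why the check belongs in the flush path rather than in the host: with the unsafe routine a host-written value reaches the protected vCPU, while the hardened routine leaves the EL2-private value untouched and only honours the host copy for non-protected guests.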
