From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA4C7C4338F for ; Fri, 23 Jul 2021 13:30:20 +0000 (UTC) Received: from mm01.cs.columbia.edu (mm01.cs.columbia.edu [128.59.11.253]) by mail.kernel.org (Postfix) with ESMTP id 5CFE560EFD for ; Fri, 23 Jul 2021 13:30:20 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 5CFE560EFD Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.cs.columbia.edu Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id D40444B11A; Fri, 23 Jul 2021 09:30:19 -0400 (EDT) X-Virus-Scanned: at lists.cs.columbia.edu Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KFuI-S0uhtUD; Fri, 23 Jul 2021 09:30:18 -0400 (EDT) Received: from mm01.cs.columbia.edu (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 99E564B139; Fri, 23 Jul 2021 09:30:18 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 6CF2A4B11A for ; Fri, 23 Jul 2021 09:30:17 -0400 (EDT) X-Virus-Scanned: at lists.cs.columbia.edu Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSjCLSvF1UfE for ; Fri, 23 Jul 2021 09:30:16 -0400 (EDT) Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mm01.cs.columbia.edu (Postfix) with ESMTPS id 29A3F4B117 for ; Fri, 23 Jul 2021 09:30:16 -0400 (EDT) Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3A3D360EB4; Fri, 23 Jul 2021 13:30:15 +0000 (UTC) Received: from disco-boy.misterjones.org ([51.254.78.96] helo=www.loen.fr) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1m6vFl-000UyF-5x; Fri, 23 Jul 2021 14:30:13 +0100 MIME-Version: 1.0 Date: Fri, 23 Jul 2021 14:30:13 +0100 From: Marc Zyngier To: Andrew Jones Subject: Re: [PATCH 10/16] KVM: arm64: Add some documentation for the MMIO guard feature In-Reply-To: <20210721211743.hb2cxghhwl2y22yh@gator> References: <20210715163159.1480168-1-maz@kernel.org> <20210715163159.1480168-11-maz@kernel.org> <20210721211743.hb2cxghhwl2y22yh@gator> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <60d8e9e95ee4640cf3b457c53cb4cc7a@kernel.org> X-Sender: maz@kernel.org X-SA-Exim-Connect-IP: 51.254.78.96 X-SA-Exim-Rcpt-To: drjones@redhat.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, vatsa@codeaurora.org, sdonthineni@nvidia.com, will@kernel.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Cc: kvm@vger.kernel.org, will@kernel.org, Srivatsa Vaddagiri , linux-kernel@vger.kernel.org, Shanker R Donthineni , kernel-team@android.com, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org X-BeenThere: kvmarm@lists.cs.columbia.edu X-Mailman-Version: 2.1.14 Precedence: list List-Id: Where KVM/ARM decisions are made List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: kvmarm-bounces@lists.cs.columbia.edu Sender: kvmarm-bounces@lists.cs.columbia.edu On 2021-07-21 22:17, Andrew Jones wrote: > On Thu, Jul 15, 2021 at 05:31:53PM +0100, Marc Zyngier wrote: >> Document the hypercalls user for the MMIO guard infrastructure. >> >> Signed-off-by: Marc Zyngier >> --- >> Documentation/virt/kvm/arm/index.rst | 1 + >> Documentation/virt/kvm/arm/mmio-guard.rst | 73 >> +++++++++++++++++++++++ >> 2 files changed, 74 insertions(+) >> create mode 100644 Documentation/virt/kvm/arm/mmio-guard.rst >> >> diff --git a/Documentation/virt/kvm/arm/index.rst >> b/Documentation/virt/kvm/arm/index.rst >> index 78a9b670aafe..e77a0ee2e2d4 100644 >> --- a/Documentation/virt/kvm/arm/index.rst >> +++ b/Documentation/virt/kvm/arm/index.rst >> @@ -11,3 +11,4 @@ ARM >> psci >> pvtime >> ptp_kvm >> + mmio-guard >> diff --git a/Documentation/virt/kvm/arm/mmio-guard.rst >> b/Documentation/virt/kvm/arm/mmio-guard.rst >> new file mode 100644 >> index 000000000000..a5563a3e12cc >> --- /dev/null >> +++ b/Documentation/virt/kvm/arm/mmio-guard.rst >> @@ -0,0 +1,73 @@ >> +.. SPDX-License-Identifier: GPL-2.0 >> + >> +============== >> +KVM MMIO guard >> +============== >> + >> +KVM implements device emulation by handling translation faults to any >> +IPA range that is not contained a memory slot. Such translation fault > ^ in ^ a > >> +is in most cases passed on to userspace (or in rare cases to the host >> +kernel) with the address, size and possibly data of the access for >> +emulation. >> + >> +Should the guest exit with an address that is not one that >> corresponds >> +to an emulatable device, userspace may take measures that are not the >> +most graceful as far as the guest is concerned (such as terminating >> it >> +or delivering a fatal exception). >> + >> +There is also an element of trust: by forwarding the request to >> +userspace, the kernel asumes that the guest trusts userspace to do >> the > > assumes > >> +right thing. >> + >> +The KVM MMIO guard offers a way to mitigate this last point: a guest >> +can request that only certainly regions of the IPA space are valid as > > certain Thanks, all corrections applied. > >> +MMIO. Only these regions will be handled as an MMIO, and any other >> +will result in an exception being delivered to the guest. >> + >> +This relies on a set of hypercalls defined in the KVM-specific range, >> +using the HVC64 calling convention. >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_INFO >> + >> + ============== ======== ================================ >> + Function ID: (uint32) 0xC6000002 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + (uint64) Protection Granule (PG) size in >> + bytes (r0) >> + ============== ======== ================================ >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL >> + >> + ============== ======== ============================== >> + Function ID: (uint32) 0xC6000003 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== ============================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is allowed to be accessed as >> + MMIO. Must aligned to the PG size (r1) > > align Hmmm. Ugly mix of tab and spaces. I have no idea what the norm is here, so I'll just put spaces. I'm sure someone will let me know if I'm wrong! ;-) > >> + (uint64) Index in the MAIR_EL1 register >> + providing the memory attribute that >> + is used by the guest (r2) >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== >> ====================================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 > > copy+paste error, should be 0xC6000005 Gah, well cpotted. > >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is forbidden to be accessed as > > is now forbidden > > or > > was allowed > > or just drop that part of the sentence because its covered by the "and > have been previously mapped" part. Something like > > PG-sized IPA range aligned to the PG size which has been previously > mapped > (r1) Picked the latter. Thanks again, M. -- Jazz is not dead. It just smells funny... _______________________________________________ kvmarm mailing list kvmarm@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/kvmarm From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0BCCC432BE for ; Fri, 23 Jul 2021 13:33:28 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BC11360EB4 for ; Fri, 23 Jul 2021 13:33:28 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org BC11360EB4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:Message-ID:References:In-Reply-To:Subject:Cc:To:From :Date:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Joa89pTcwr7274uJWHHI7XKJsg5azD5MO21NsPE69qs=; b=hBe3isztsAjS7SCoit3UnhOgqp 3+gMxNACja55H8AaD6ADb2gYqtf+jvp+rx2P2Swg4ZQqhLafaFtj4sDO0dDsLm63cnFfdadCjxdpE 5oYr4FtAGXtxXAK0VcgHFRbHzLwod6zwgQRwSU+dxLSqXJNQX3tWIEjTtfO64oBe7tMIMi5jMZcE1 NrzKOW7EjDGDHkXJ8fP7YXNtZVkjlgReaGHe+9EeT5y8ZZtu6hZ7vZwkDz+AjtHc8qbdS/F/nBQFF LCIt8rTnjDYmTxg5P67MHMllefaLtJDlqQQnbf8oi+Rfha9CAaSRkvKdh7hlq0ABJBGk+VBeQDSku oRADYKKQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1m6vH6-004qLZ-DX; Fri, 23 Jul 2021 13:31:37 +0000 Received: from mail.kernel.org ([198.145.29.99]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1m6vFn-004plf-IP for linux-arm-kernel@lists.infradead.org; Fri, 23 Jul 2021 13:30:17 +0000 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3A3D360EB4; Fri, 23 Jul 2021 13:30:15 +0000 (UTC) Received: from disco-boy.misterjones.org ([51.254.78.96] helo=www.loen.fr) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1m6vFl-000UyF-5x; Fri, 23 Jul 2021 14:30:13 +0100 MIME-Version: 1.0 Date: Fri, 23 Jul 2021 14:30:13 +0100 From: Marc Zyngier To: Andrew Jones Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, Srivatsa Vaddagiri , Shanker R Donthineni , will@kernel.org Subject: Re: [PATCH 10/16] KVM: arm64: Add some documentation for the MMIO guard feature In-Reply-To: <20210721211743.hb2cxghhwl2y22yh@gator> References: <20210715163159.1480168-1-maz@kernel.org> <20210715163159.1480168-11-maz@kernel.org> <20210721211743.hb2cxghhwl2y22yh@gator> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <60d8e9e95ee4640cf3b457c53cb4cc7a@kernel.org> X-Sender: maz@kernel.org X-SA-Exim-Connect-IP: 51.254.78.96 X-SA-Exim-Rcpt-To: drjones@redhat.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, vatsa@codeaurora.org, sdonthineni@nvidia.com, will@kernel.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210723_063015_697129_4CAEE11B X-CRM114-Status: GOOD ( 28.50 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 2021-07-21 22:17, Andrew Jones wrote: > On Thu, Jul 15, 2021 at 05:31:53PM +0100, Marc Zyngier wrote: >> Document the hypercalls user for the MMIO guard infrastructure. >> >> Signed-off-by: Marc Zyngier >> --- >> Documentation/virt/kvm/arm/index.rst | 1 + >> Documentation/virt/kvm/arm/mmio-guard.rst | 73 >> +++++++++++++++++++++++ >> 2 files changed, 74 insertions(+) >> create mode 100644 Documentation/virt/kvm/arm/mmio-guard.rst >> >> diff --git a/Documentation/virt/kvm/arm/index.rst >> b/Documentation/virt/kvm/arm/index.rst >> index 78a9b670aafe..e77a0ee2e2d4 100644 >> --- a/Documentation/virt/kvm/arm/index.rst >> +++ b/Documentation/virt/kvm/arm/index.rst >> @@ -11,3 +11,4 @@ ARM >> psci >> pvtime >> ptp_kvm >> + mmio-guard >> diff --git a/Documentation/virt/kvm/arm/mmio-guard.rst >> b/Documentation/virt/kvm/arm/mmio-guard.rst >> new file mode 100644 >> index 000000000000..a5563a3e12cc >> --- /dev/null >> +++ b/Documentation/virt/kvm/arm/mmio-guard.rst >> @@ -0,0 +1,73 @@ >> +.. SPDX-License-Identifier: GPL-2.0 >> + >> +============== >> +KVM MMIO guard >> +============== >> + >> +KVM implements device emulation by handling translation faults to any >> +IPA range that is not contained a memory slot. Such translation fault > ^ in ^ a > >> +is in most cases passed on to userspace (or in rare cases to the host >> +kernel) with the address, size and possibly data of the access for >> +emulation. >> + >> +Should the guest exit with an address that is not one that >> corresponds >> +to an emulatable device, userspace may take measures that are not the >> +most graceful as far as the guest is concerned (such as terminating >> it >> +or delivering a fatal exception). >> + >> +There is also an element of trust: by forwarding the request to >> +userspace, the kernel asumes that the guest trusts userspace to do >> the > > assumes > >> +right thing. >> + >> +The KVM MMIO guard offers a way to mitigate this last point: a guest >> +can request that only certainly regions of the IPA space are valid as > > certain Thanks, all corrections applied. > >> +MMIO. Only these regions will be handled as an MMIO, and any other >> +will result in an exception being delivered to the guest. >> + >> +This relies on a set of hypercalls defined in the KVM-specific range, >> +using the HVC64 calling convention. >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_INFO >> + >> + ============== ======== ================================ >> + Function ID: (uint32) 0xC6000002 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + (uint64) Protection Granule (PG) size in >> + bytes (r0) >> + ============== ======== ================================ >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL >> + >> + ============== ======== ============================== >> + Function ID: (uint32) 0xC6000003 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== ============================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is allowed to be accessed as >> + MMIO. Must aligned to the PG size (r1) > > align Hmmm. Ugly mix of tab and spaces. I have no idea what the norm is here, so I'll just put spaces. I'm sure someone will let me know if I'm wrong! ;-) > >> + (uint64) Index in the MAIR_EL1 register >> + providing the memory attribute that >> + is used by the guest (r2) >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== >> ====================================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 > > copy+paste error, should be 0xC6000005 Gah, well cpotted. > >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is forbidden to be accessed as > > is now forbidden > > or > > was allowed > > or just drop that part of the sentence because its covered by the "and > have been previously mapped" part. Something like > > PG-sized IPA range aligned to the PG size which has been previously > mapped > (r1) Picked the latter. Thanks again, M. -- Jazz is not dead. It just smells funny... _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ADCBDC4338F for ; Fri, 23 Jul 2021 13:30:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 97C6560EB4 for ; Fri, 23 Jul 2021 13:30:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235072AbhGWMuB (ORCPT ); Fri, 23 Jul 2021 08:50:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:52118 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233037AbhGWMtl (ORCPT ); Fri, 23 Jul 2021 08:49:41 -0400 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3A3D360EB4; Fri, 23 Jul 2021 13:30:15 +0000 (UTC) Received: from disco-boy.misterjones.org ([51.254.78.96] helo=www.loen.fr) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1m6vFl-000UyF-5x; Fri, 23 Jul 2021 14:30:13 +0100 MIME-Version: 1.0 Date: Fri, 23 Jul 2021 14:30:13 +0100 From: Marc Zyngier To: Andrew Jones Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, Srivatsa Vaddagiri , Shanker R Donthineni , will@kernel.org Subject: Re: [PATCH 10/16] KVM: arm64: Add some documentation for the MMIO guard feature In-Reply-To: <20210721211743.hb2cxghhwl2y22yh@gator> References: <20210715163159.1480168-1-maz@kernel.org> <20210715163159.1480168-11-maz@kernel.org> <20210721211743.hb2cxghhwl2y22yh@gator> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <60d8e9e95ee4640cf3b457c53cb4cc7a@kernel.org> X-Sender: maz@kernel.org Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 51.254.78.96 X-SA-Exim-Rcpt-To: drjones@redhat.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, vatsa@codeaurora.org, sdonthineni@nvidia.com, will@kernel.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org On 2021-07-21 22:17, Andrew Jones wrote: > On Thu, Jul 15, 2021 at 05:31:53PM +0100, Marc Zyngier wrote: >> Document the hypercalls user for the MMIO guard infrastructure. >> >> Signed-off-by: Marc Zyngier >> --- >> Documentation/virt/kvm/arm/index.rst | 1 + >> Documentation/virt/kvm/arm/mmio-guard.rst | 73 >> +++++++++++++++++++++++ >> 2 files changed, 74 insertions(+) >> create mode 100644 Documentation/virt/kvm/arm/mmio-guard.rst >> >> diff --git a/Documentation/virt/kvm/arm/index.rst >> b/Documentation/virt/kvm/arm/index.rst >> index 78a9b670aafe..e77a0ee2e2d4 100644 >> --- a/Documentation/virt/kvm/arm/index.rst >> +++ b/Documentation/virt/kvm/arm/index.rst >> @@ -11,3 +11,4 @@ ARM >> psci >> pvtime >> ptp_kvm >> + mmio-guard >> diff --git a/Documentation/virt/kvm/arm/mmio-guard.rst >> b/Documentation/virt/kvm/arm/mmio-guard.rst >> new file mode 100644 >> index 000000000000..a5563a3e12cc >> --- /dev/null >> +++ b/Documentation/virt/kvm/arm/mmio-guard.rst >> @@ -0,0 +1,73 @@ >> +.. SPDX-License-Identifier: GPL-2.0 >> + >> +============== >> +KVM MMIO guard >> +============== >> + >> +KVM implements device emulation by handling translation faults to any >> +IPA range that is not contained a memory slot. Such translation fault > ^ in ^ a > >> +is in most cases passed on to userspace (or in rare cases to the host >> +kernel) with the address, size and possibly data of the access for >> +emulation. >> + >> +Should the guest exit with an address that is not one that >> corresponds >> +to an emulatable device, userspace may take measures that are not the >> +most graceful as far as the guest is concerned (such as terminating >> it >> +or delivering a fatal exception). >> + >> +There is also an element of trust: by forwarding the request to >> +userspace, the kernel asumes that the guest trusts userspace to do >> the > > assumes > >> +right thing. >> + >> +The KVM MMIO guard offers a way to mitigate this last point: a guest >> +can request that only certainly regions of the IPA space are valid as > > certain Thanks, all corrections applied. > >> +MMIO. Only these regions will be handled as an MMIO, and any other >> +will result in an exception being delivered to the guest. >> + >> +This relies on a set of hypercalls defined in the KVM-specific range, >> +using the HVC64 calling convention. >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_INFO >> + >> + ============== ======== ================================ >> + Function ID: (uint32) 0xC6000002 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + (uint64) Protection Granule (PG) size in >> + bytes (r0) >> + ============== ======== ================================ >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_ENROLL >> + >> + ============== ======== ============================== >> + Function ID: (uint32) 0xC6000003 >> + Arguments: none >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== ============================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_MAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is allowed to be accessed as >> + MMIO. Must aligned to the PG size (r1) > > align Hmmm. Ugly mix of tab and spaces. I have no idea what the norm is here, so I'll just put spaces. I'm sure someone will let me know if I'm wrong! ;-) > >> + (uint64) Index in the MAIR_EL1 register >> + providing the memory attribute that >> + is used by the guest (r2) >> + Return Values: (int64) NOT_SUPPORTED(-1) on error, or >> + RET_SUCCESS(0) (r0) >> + ============== ======== >> ====================================== >> + >> +* ARM_SMCCC_KVM_FUNC_MMIO_GUARD_UNMAP >> + >> + ============== ======== >> ====================================== >> + Function ID: (uint32) 0xC6000004 > > copy+paste error, should be 0xC6000005 Gah, well cpotted. > >> + Arguments: (uint64) The base of the PG-sized IPA range >> + that is forbidden to be accessed as > > is now forbidden > > or > > was allowed > > or just drop that part of the sentence because its covered by the "and > have been previously mapped" part. Something like > > PG-sized IPA range aligned to the PG size which has been previously > mapped > (r1) Picked the latter. Thanks again, M. -- Jazz is not dead. It just smells funny...