From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oliver.upton@linux.dev>
Cc: kvmarm@lists.linux.dev, James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>, Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Fuad Tabba <tabba@google.com>,
linux-arm-kernel@lists.infradead.org, surajjs@amazon.com,
Cornelia Huck <cohuck@redhat.com>,
Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>,
Jing Zhang <jingzhangos@google.com>
Subject: Re: [PATCH v12 07/11] KVM: arm64: Use arm64_ftr_bits to sanitise ID register writes
Date: Thu, 15 Jun 2023 13:38:34 +0100 [thread overview]
Message-ID: <878rckrjcl.wl-maz@kernel.org> (raw)
In-Reply-To: <20230609190054.1542113-8-oliver.upton@linux.dev>
Hi Oliver,
On Fri, 09 Jun 2023 20:00:50 +0100,
Oliver Upton <oliver.upton@linux.dev> wrote:
>
> From: Jing Zhang <jingzhangos@google.com>
>
> Rather than reinventing the wheel in KVM to do ID register sanitisation
> we can rely on the work already done in the core kernel. Implement a
> generalized sanitisation of ID registers based on the combination of the
> arm64_ftr_bits definitions from the core kernel and (optionally) a set
> of KVM-specific overrides.
>
> This all amounts to absolutely nothing for now, but will be used in
> subsequent changes to realize user-configurable ID registers.
>
> Signed-off-by: Jing Zhang <jingzhangos@google.com>
> [Oliver: split off from monster patch, rewrote commit description,
> reworked RAZ handling]
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
> ---
> arch/arm64/include/asm/cpufeature.h | 1 +
> arch/arm64/kernel/cpufeature.c | 2 +-
> arch/arm64/kvm/sys_regs.c | 113 +++++++++++++++++++++++++++-
> 3 files changed, 111 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
> index 6bf013fb110d..dc769c2eb7a4 100644
> --- a/arch/arm64/include/asm/cpufeature.h
> +++ b/arch/arm64/include/asm/cpufeature.h
> @@ -915,6 +915,7 @@ static inline unsigned int get_vmid_bits(u64 mmfr1)
> return 8;
> }
>
> +s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new, s64 cur);
> struct arm64_ftr_reg *get_arm64_ftr_reg(u32 sys_id);
>
> extern struct arm64_ftr_override id_aa64mmfr1_override;
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 7d7128c65161..3317a7b6deac 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -798,7 +798,7 @@ static u64 arm64_ftr_set_value(const struct arm64_ftr_bits *ftrp, s64 reg,
> return reg;
> }
>
> -static s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new,
> +s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new,
> s64 cur)
> {
> s64 ret = 0;
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 3015c860deca..0fbdb6ef68e4 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -1201,6 +1201,91 @@ static u8 vcpu_pmuver(const struct kvm_vcpu *vcpu)
> return 0;
> }
>
> +static s64 kvm_arm64_ftr_safe_value(u32 id, const struct arm64_ftr_bits *ftrp,
> + s64 new, s64 cur)
> +{
> + struct arm64_ftr_bits kvm_ftr = *ftrp;
> +
> + /* Some features have different safe value type in KVM than host features */
> + switch (id) {
> + case SYS_ID_AA64DFR0_EL1:
> + if (kvm_ftr.shift == ID_AA64DFR0_EL1_PMUVer_SHIFT)
> + kvm_ftr.type = FTR_LOWER_SAFE;
> + break;
> + case SYS_ID_DFR0_EL1:
> + if (kvm_ftr.shift == ID_DFR0_EL1_PerfMon_SHIFT)
> + kvm_ftr.type = FTR_LOWER_SAFE;
> + break;
> + }
> +
> + return arm64_ftr_safe_value(&kvm_ftr, new, cur);
> +}
> +
> +/**
> + * arm64_check_features() - Check if a feature register value constitutes
> + * a subset of features indicated by the idreg's KVM sanitised limit.
> + *
> + * This function will check if each feature field of @val is the "safe" value
> + * against idreg's KVM sanitised limit return from reset() callback.
> + * If a field value in @val is the same as the one in limit, it is always
> + * considered the safe value regardless For register fields that are not in
> + * writable, only the value in limit is considered the safe value.
> + *
> + * Return: 0 if all the fields are safe. Otherwise, return negative errno.
> + */
> +static int arm64_check_features(struct kvm_vcpu *vcpu,
> + const struct sys_reg_desc *rd,
> + u64 val)
> +{
> + const struct arm64_ftr_reg *ftr_reg;
> + const struct arm64_ftr_bits *ftrp = NULL;
> + u32 id = reg_to_encoding(rd);
> + u64 writable_mask = rd->val;
> + u64 limit = rd->reset(vcpu, rd);
> + u64 mask = 0;
> +
> + /*
> + * Hidden and unallocated ID registers may not have a corresponding
> + * struct arm64_ftr_reg. Of course, if the register is RAZ we know the
> + * only safe value is 0.
> + */
> + if (sysreg_visible_as_raz(vcpu, rd))
> + return val ? -E2BIG : 0;
This -E2BIG is certainly reflecting the error here. However...
> +
> + ftr_reg = get_arm64_ftr_reg(id);
> + if (!ftr_reg)
> + return -EINVAL;
> +
> + ftrp = ftr_reg->ftr_bits;
> +
> + for (; ftrp && ftrp->width; ftrp++) {
> + s64 f_val, f_lim, safe_val;
> + u64 ftr_mask;
> +
> + ftr_mask = arm64_ftr_mask(ftrp);
> + if ((ftr_mask & writable_mask) != ftr_mask)
> + continue;
> +
> + f_val = arm64_ftr_value(ftrp, val);
> + f_lim = arm64_ftr_value(ftrp, limit);
> + mask |= ftr_mask;
> +
> + if (f_val == f_lim)
> + safe_val = f_val;
> + else
> + safe_val = kvm_arm64_ftr_safe_value(id, ftrp, f_val, f_lim);
> +
> + if (safe_val != f_val)
> + return -E2BIG;
> + }
> +
> + /* For fields that are not writable, values in limit are the safe values. */
> + if ((val & ~mask) != (limit & ~mask))
> + return -E2BIG;
> +
> + return 0;
> +}
> +
> static u8 perfmon_to_pmuver(u8 perfmon)
> {
> switch (perfmon) {
> @@ -1528,11 +1613,31 @@ static int get_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
> static int set_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
> u64 val)
> {
> - /* This is what we mean by invariant: you can't change it. */
> - if (val != read_id_reg(vcpu, rd))
> - return -EINVAL;
> + u32 id = reg_to_encoding(rd);
> + int ret;
>
> - return 0;
> + mutex_lock(&vcpu->kvm->arch.config_lock);
> +
> + /*
> + * Once the VM has started the ID registers are immutable. Reject any
> + * write that does not match the final register value.
> + */
> + if (kvm_vm_has_ran_once(vcpu->kvm)) {
> + if (val != read_id_reg(vcpu, rd))
> + ret = -EBUSY;
> + else
> + ret = 0;
> +
> + mutex_unlock(&vcpu->kvm->arch.config_lock);
> + return ret;
> + }
> +
> + ret = arm64_check_features(vcpu, rd, val);
> + if (!ret)
> + IDREG(vcpu->kvm, id) = val;
> +
> + mutex_unlock(&vcpu->kvm->arch.config_lock);
> + return ret;
... we now end-up with a *new* error code that userspace was never
able to see so far.
This may not be a big deal, but I'd rather err on the side of caution
by keeping the current, slightly less precise error code.
Thoughts?
M.
--
Without deviation from the norm, progress is not possible.
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oliver.upton@linux.dev>
Cc: kvmarm@lists.linux.dev, James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>, Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Fuad Tabba <tabba@google.com>,
linux-arm-kernel@lists.infradead.org, surajjs@amazon.com,
Cornelia Huck <cohuck@redhat.com>,
Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>,
Jing Zhang <jingzhangos@google.com>
Subject: Re: [PATCH v12 07/11] KVM: arm64: Use arm64_ftr_bits to sanitise ID register writes
Date: Thu, 15 Jun 2023 13:38:34 +0100 [thread overview]
Message-ID: <878rckrjcl.wl-maz@kernel.org> (raw)
In-Reply-To: <20230609190054.1542113-8-oliver.upton@linux.dev>
Hi Oliver,
On Fri, 09 Jun 2023 20:00:50 +0100,
Oliver Upton <oliver.upton@linux.dev> wrote:
>
> From: Jing Zhang <jingzhangos@google.com>
>
> Rather than reinventing the wheel in KVM to do ID register sanitisation
> we can rely on the work already done in the core kernel. Implement a
> generalized sanitisation of ID registers based on the combination of the
> arm64_ftr_bits definitions from the core kernel and (optionally) a set
> of KVM-specific overrides.
>
> This all amounts to absolutely nothing for now, but will be used in
> subsequent changes to realize user-configurable ID registers.
>
> Signed-off-by: Jing Zhang <jingzhangos@google.com>
> [Oliver: split off from monster patch, rewrote commit description,
> reworked RAZ handling]
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
> ---
> arch/arm64/include/asm/cpufeature.h | 1 +
> arch/arm64/kernel/cpufeature.c | 2 +-
> arch/arm64/kvm/sys_regs.c | 113 +++++++++++++++++++++++++++-
> 3 files changed, 111 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
> index 6bf013fb110d..dc769c2eb7a4 100644
> --- a/arch/arm64/include/asm/cpufeature.h
> +++ b/arch/arm64/include/asm/cpufeature.h
> @@ -915,6 +915,7 @@ static inline unsigned int get_vmid_bits(u64 mmfr1)
> return 8;
> }
>
> +s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new, s64 cur);
> struct arm64_ftr_reg *get_arm64_ftr_reg(u32 sys_id);
>
> extern struct arm64_ftr_override id_aa64mmfr1_override;
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 7d7128c65161..3317a7b6deac 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -798,7 +798,7 @@ static u64 arm64_ftr_set_value(const struct arm64_ftr_bits *ftrp, s64 reg,
> return reg;
> }
>
> -static s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new,
> +s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new,
> s64 cur)
> {
> s64 ret = 0;
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 3015c860deca..0fbdb6ef68e4 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -1201,6 +1201,91 @@ static u8 vcpu_pmuver(const struct kvm_vcpu *vcpu)
> return 0;
> }
>
> +static s64 kvm_arm64_ftr_safe_value(u32 id, const struct arm64_ftr_bits *ftrp,
> + s64 new, s64 cur)
> +{
> + struct arm64_ftr_bits kvm_ftr = *ftrp;
> +
> + /* Some features have different safe value type in KVM than host features */
> + switch (id) {
> + case SYS_ID_AA64DFR0_EL1:
> + if (kvm_ftr.shift == ID_AA64DFR0_EL1_PMUVer_SHIFT)
> + kvm_ftr.type = FTR_LOWER_SAFE;
> + break;
> + case SYS_ID_DFR0_EL1:
> + if (kvm_ftr.shift == ID_DFR0_EL1_PerfMon_SHIFT)
> + kvm_ftr.type = FTR_LOWER_SAFE;
> + break;
> + }
> +
> + return arm64_ftr_safe_value(&kvm_ftr, new, cur);
> +}
> +
> +/**
> + * arm64_check_features() - Check if a feature register value constitutes
> + * a subset of features indicated by the idreg's KVM sanitised limit.
> + *
> + * This function will check if each feature field of @val is the "safe" value
> + * against idreg's KVM sanitised limit return from reset() callback.
> + * If a field value in @val is the same as the one in limit, it is always
> + * considered the safe value regardless For register fields that are not in
> + * writable, only the value in limit is considered the safe value.
> + *
> + * Return: 0 if all the fields are safe. Otherwise, return negative errno.
> + */
> +static int arm64_check_features(struct kvm_vcpu *vcpu,
> + const struct sys_reg_desc *rd,
> + u64 val)
> +{
> + const struct arm64_ftr_reg *ftr_reg;
> + const struct arm64_ftr_bits *ftrp = NULL;
> + u32 id = reg_to_encoding(rd);
> + u64 writable_mask = rd->val;
> + u64 limit = rd->reset(vcpu, rd);
> + u64 mask = 0;
> +
> + /*
> + * Hidden and unallocated ID registers may not have a corresponding
> + * struct arm64_ftr_reg. Of course, if the register is RAZ we know the
> + * only safe value is 0.
> + */
> + if (sysreg_visible_as_raz(vcpu, rd))
> + return val ? -E2BIG : 0;
This -E2BIG is certainly reflecting the error here. However...
> +
> + ftr_reg = get_arm64_ftr_reg(id);
> + if (!ftr_reg)
> + return -EINVAL;
> +
> + ftrp = ftr_reg->ftr_bits;
> +
> + for (; ftrp && ftrp->width; ftrp++) {
> + s64 f_val, f_lim, safe_val;
> + u64 ftr_mask;
> +
> + ftr_mask = arm64_ftr_mask(ftrp);
> + if ((ftr_mask & writable_mask) != ftr_mask)
> + continue;
> +
> + f_val = arm64_ftr_value(ftrp, val);
> + f_lim = arm64_ftr_value(ftrp, limit);
> + mask |= ftr_mask;
> +
> + if (f_val == f_lim)
> + safe_val = f_val;
> + else
> + safe_val = kvm_arm64_ftr_safe_value(id, ftrp, f_val, f_lim);
> +
> + if (safe_val != f_val)
> + return -E2BIG;
> + }
> +
> + /* For fields that are not writable, values in limit are the safe values. */
> + if ((val & ~mask) != (limit & ~mask))
> + return -E2BIG;
> +
> + return 0;
> +}
> +
> static u8 perfmon_to_pmuver(u8 perfmon)
> {
> switch (perfmon) {
> @@ -1528,11 +1613,31 @@ static int get_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
> static int set_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
> u64 val)
> {
> - /* This is what we mean by invariant: you can't change it. */
> - if (val != read_id_reg(vcpu, rd))
> - return -EINVAL;
> + u32 id = reg_to_encoding(rd);
> + int ret;
>
> - return 0;
> + mutex_lock(&vcpu->kvm->arch.config_lock);
> +
> + /*
> + * Once the VM has started the ID registers are immutable. Reject any
> + * write that does not match the final register value.
> + */
> + if (kvm_vm_has_ran_once(vcpu->kvm)) {
> + if (val != read_id_reg(vcpu, rd))
> + ret = -EBUSY;
> + else
> + ret = 0;
> +
> + mutex_unlock(&vcpu->kvm->arch.config_lock);
> + return ret;
> + }
> +
> + ret = arm64_check_features(vcpu, rd, val);
> + if (!ret)
> + IDREG(vcpu->kvm, id) = val;
> +
> + mutex_unlock(&vcpu->kvm->arch.config_lock);
> + return ret;
... we now end-up with a *new* error code that userspace was never
able to see so far.
This may not be a big deal, but I'd rather err on the side of caution
by keeping the current, slightly less precise error code.
Thoughts?
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2023-06-15 12:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-09 19:00 [PATCH v12 00/11] Support writable CPU ID registers from userspace Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 01/11] KVM: arm64: Separate out feature sanitisation and initialisation Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 02/11] KVM: arm64: Relax invariance of KVM_ARM_VCPU_POWER_OFF Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 03/11] KVM: arm64: Make vCPU feature flags consistent VM-wide Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 04/11] KVM: arm64: Rewrite IMPDEF PMU version as NI Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 05/11] KVM: arm64: Reuse fields of sys_reg_desc for idreg Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 06/11] KVM: arm64: Save ID registers' sanitized value per guest Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 07/11] KVM: arm64: Use arm64_ftr_bits to sanitise ID register writes Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-15 12:38 ` Marc Zyngier [this message]
2023-06-15 12:38 ` Marc Zyngier
2023-06-15 12:45 ` Oliver Upton
2023-06-15 12:45 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 08/11] KVM: arm64: Use generic sanitisation for ID_(AA64)DFR0_EL1 Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 09/11] KVM: arm64: Use generic sanitisation for ID_AA64PFR0_EL1 Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 10/11] KVM: arm64: Handle ID register reads using the VM-wide values Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:00 ` [PATCH v12 11/11] KVM: arm64: Rip out the vestiges of the 'old' ID register scheme Oliver Upton
2023-06-09 19:00 ` Oliver Upton
2023-06-09 19:08 ` [PATCH v12 00/11] Support writable CPU ID registers from userspace Oliver Upton
2023-06-09 19:08 ` Oliver Upton
2023-06-15 13:20 ` Oliver Upton
2023-06-15 13:20 ` Oliver Upton
2023-06-15 13:30 ` Marc Zyngier
2023-06-15 13:30 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878rckrjcl.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=cohuck@redhat.com \
--cc=james.morse@arm.com \
--cc=jingzhangos@google.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=oliver.upton@linux.dev \
--cc=shameerali.kolothum.thodi@huawei.com \
--cc=surajjs@amazon.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.