From: Andre Przywara <andre.przywara@arm.com>
To: Marc Zyngier <marc.zyngier@arm.com>,
Christoffer Dall <christoffer.dall@arm.com>
Cc: linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org
Subject: [PATCH 0/2] KVM: arm/arm64: Add VCPU workarounds firmware register
Date: Mon, 7 Jan 2019 12:05:35 +0000
Message-ID: <20190107120537.184252-1-andre.przywara@arm.com>

Workarounds for Spectre variant 2 or 4 vulnerabilities require some help
from the firmware, so KVM implements an interface to provide that for
guests. When such a guest is migrated, we want to make sure we don't
lose the protection the guest relies on.

This introduces two new firmware registers in KVM's GET/SET_ONE_REG
interface, so userland can save the level of protection implemented by
the hypervisor and used by the guest. Upon restoring these registers,
we make sure we don't downgrade and reject any values that would mean
weaker protection.
There is some table in the code to describe the valid combinations.

Patch 1 implements the two firmware registers, patch 2 adds the
documentation.

This solution is using two hardcoded firmware registers for that. Not
sure if we should introduce something based on SMCCC instead, which
would allow us to report implementation of any SMCCC based service in a
generic way, or if this would be too generic.

ARM(32) is a bit of a pain (again), as the firmware register interface
is shared, but 32-bit does not implement all the workarounds.
For now I stuffed two wrappers into kvm_emulate.h, which doesn't sound
like the best solution. Happy to hear about better ideas.

This has been tested with a hack to allow faking the protection level
via a debugfs knob, then saving/restoring via some userland tool calling
the GET_ONE_REG/SET_ONE_REG ioctls.

Please have a look and comment!

Cheers,
Andre

Andre Przywara (2):
  KVM: arm/arm64: Add save/restore support for firmware workaround state
  KVM: doc: add API documentation on the KVM_REG_ARM_WORKAROUNDS
    register

 Documentation/virtual/kvm/arm/psci.txt |  20 ++++
 arch/arm/include/asm/kvm_emulate.h     |  10 ++
 arch/arm/include/uapi/asm/kvm.h        |   9 ++
 arch/arm64/include/asm/kvm_emulate.h   |  14 +++
 arch/arm64/include/uapi/asm/kvm.h      |   9 ++
 virt/kvm/arm/psci.c                    | 138 ++++++++++++++++++++++++-
 6 files changed, 198 insertions(+), 2 deletions(-)

-- 
2.17.1
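
The restore-time check described in the cover letter above, as an added example that is not part of the original message or the patch series: a small user-space C model in which the destination host refuses a saved workaround level stronger than its own. The level names, register ids and the struct host type are hypothetical and assume a simple weakest-to-strongest ordering.

```c
#include <errno.h>
#include <stdint.h>

/* Hypothetical protection levels, ordered weakest to strongest (assumed
 * encoding for illustration; not the values used by the patch). */
enum wa_level { WA_NOT_AVAILABLE = 0, WA_AVAILABLE = 1, WA_NOT_REQUIRED = 2 };
#define WA_LEVEL_MAX WA_NOT_REQUIRED

/* Hypothetical register ids: one per Spectre variant the series covers. */
enum wa_reg { WA_REG_VARIANT2 = 0, WA_REG_VARIANT4 = 1, WA_REG_COUNT };

/* What one host (hypervisor + firmware) offers to its guests. */
struct host { uint64_t level[WA_REG_COUNT]; };

/* GET side: report the level the guest has been running with. */
int get_wa_reg(const struct host *h, unsigned int reg, uint64_t *val)
{
    if (reg >= WA_REG_COUNT)
        return -ENOENT;
    *val = h->level[reg];
    return 0;
}

/* SET side: accept the saved level only if this host is at least as strong. */
int set_wa_reg(const struct host *h, unsigned int reg, uint64_t saved)
{
    if (reg >= WA_REG_COUNT)
        return -ENOENT;
    if (saved > WA_LEVEL_MAX)       /* unknown encoding: refuse, never guess */
        return -EINVAL;
    if (h->level[reg] < saved)      /* restoring here would be a downgrade */
        return -EINVAL;
    return 0;
}

/* Save every register on the source, restore on the destination. */
int migrate(const struct host *src, const struct host *dst)
{
    for (unsigned int reg = 0; reg < WA_REG_COUNT; reg++) {
        uint64_t val;
        int ret = get_wa_reg(src, reg, &val);
        if (!ret)
            ret = set_wa_reg(dst, reg, val);
        if (ret)
            return ret;             /* abort the migration on first refusal */
    }
    return 0;
}
```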