From: Quentin Perret <qperret@google.com>
To: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org,
Marc Zyngier <maz@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
kvmarm@lists.cs.columbia.edu
Subject: Re: [PATCH 3/5] KVM: arm64: Propagate errors from __pkvm_prot_finalize hypercall
Date: Wed, 29 Sep 2021 14:36:47 +0100 [thread overview]
Message-ID: <YVRr76aI+5zhq3nY@google.com> (raw)
In-Reply-To: <20210923112256.15767-4-will@kernel.org>
On Thursday 23 Sep 2021 at 12:22:54 (+0100), Will Deacon wrote:
> If the __pkvm_prot_finalize hypercall returns an error, we WARN but fail
> to propagate the failure code back to kvm_arch_init().
>
> Pass a pointer to a zero-initialised return variable so that failure
> to finalise the pKVM protections on a host CPU can be reported back to
> KVM.
>
> Cc: Marc Zyngier <maz@kernel.org>
> Cc: Quentin Perret <qperret@google.com>
> Signed-off-by: Will Deacon <will@kernel.org>
> ---
> arch/arm64/kvm/arm.c | 30 +++++++++++++++++++-----------
> 1 file changed, 19 insertions(+), 11 deletions(-)
>
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 9506cf88fa0e..13bbf35896cd 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -1986,9 +1986,25 @@ static int init_hyp_mode(void)
> return err;
> }
>
> -static void _kvm_host_prot_finalize(void *discard)
> +static void _kvm_host_prot_finalize(void *arg)
> {
> - WARN_ON(kvm_call_hyp_nvhe(__pkvm_prot_finalize));
> + int *err = arg;
> +
> + if (WARN_ON(kvm_call_hyp_nvhe(__pkvm_prot_finalize)))
> + WRITE_ONCE(*err, -EINVAL);
> +}
I was going to suggest to propagate the hypercall's error code directly,
but this becomes very racy so n/m...
But this got me thinking about what we should do when the hyp init fails
while the protected mode has been explicitly enabled on the kernel
cmdline. That is, if we continue and boot the kernel w/o KVM support,
then I don't know how e.g. EL3 can know that it shouldn't give keys to
VMs because the kernel (and EL2) can't be trusted. It feels like it is
the kernel's responsibility to do something while it _is_ still
trustworthy.
I guess we could make any error code fatal in kvm_arch_init() when
is_protected_kvm_enabled() is on, or something along those lines? Maybe
dependent on CONFIG_NVHE_EL2_DEBUG=n?
It's probably a bit theoretical because there really shouldn't be any
reason to fail hyp init in production when using a signed kernel image
etc etc, but then if that is the case the additional check I'm
suggesting shouldn't hurt and will give us some peace of mind. Thoughts?
Thanks,
Quentin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-09-29 13:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-23 11:22 [PATCH 0/5] KVM: arm64: Restrict host hypercalls when pKVM is enabled Will Deacon
2021-09-23 11:22 ` [PATCH 1/5] arm64: Prevent kexec and hibernation if is_protected_kvm_enabled() Will Deacon
2021-09-23 11:45 ` Mark Rutland
2021-09-23 12:29 ` Will Deacon
2021-09-23 11:22 ` [PATCH 2/5] KVM: arm64: Reject stub hypercalls after pKVM has been initialised Will Deacon
2021-09-29 13:37 ` Quentin Perret
2021-09-23 11:22 ` [PATCH 3/5] KVM: arm64: Propagate errors from __pkvm_prot_finalize hypercall Will Deacon
2021-09-29 13:36 ` Quentin Perret [this message]
2021-10-05 11:30 ` Will Deacon
2021-09-23 11:22 ` [PATCH 4/5] KVM: arm64: Prevent re-finalisation of pKVM for a given CPU Will Deacon
2021-09-29 13:41 ` Quentin Perret
2021-09-23 11:22 ` [PATCH 5/5] KVM: arm64: Disable privileged hypercalls after pKVM finalisation Will Deacon
2021-09-23 12:56 ` Marc Zyngier
2021-09-23 13:02 ` Will Deacon
2021-09-23 13:11 ` Marc Zyngier
2021-09-23 12:58 ` Will Deacon
2021-09-23 12:21 ` [PATCH 0/5] KVM: arm64: Restrict host hypercalls when pKVM is enabled Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YVRr76aI+5zhq3nY@google.com \
--to=qperret@google.com \
--cc=alexandru.elisei@arm.com \
--cc=catalin.marinas@arm.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=maz@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).