From: Gavin Shan <gshan@redhat.com>
To: Steven Price <steven.price@arm.com>,
kvm@vger.kernel.org, kvmarm@lists.linux.dev
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
James Morse <james.morse@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Joey Gouly <joey.gouly@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Christoffer Dall <christoffer.dall@arm.com>,
Fuad Tabba <tabba@google.com>,
linux-coco@lists.linux.dev,
Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>,
Shanker Donthineni <sdonthineni@nvidia.com>,
Alper Gun <alpergun@google.com>
Subject: Re: [PATCH v5 07/19] arm64: rsi: Add support for checking whether an MMIO is protected
Date: Fri, 6 Sep 2024 14:32:11 +1000 [thread overview]
Message-ID: <fe3da777-c6de-451d-8a8a-19fdda8e82e5@redhat.com> (raw)
In-Reply-To: <20240819131924.372366-8-steven.price@arm.com>
Hi Steven,
On 8/19/24 11:19 PM, Steven Price wrote:
> From: Suzuki K Poulose <suzuki.poulose@arm.com>
>
> On Arm CCA, with RMM-v1.0, all MMIO regions are shared. However, in
> the future, an Arm CCA-v1.0 compliant guest may be run in a lesser
> privileged partition in the Realm World (with Arm CCA-v1.1 Planes
> feature). In this case, some of the MMIO regions may be emulated
> by a higher privileged component in the Realm world, i.e, protected.
>
> Thus the guest must decide today, whether a given MMIO region is shared
> vs Protected and create the stage1 mapping accordingly. On Arm CCA, this
> detection is based on the "IPA State" (RIPAS == RIPAS_IO). Provide a
> helper to run this check on a given range of MMIO.
>
> Also, provide a arm64 helper which may be hooked in by other solutions.
>
> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> New patch for v5
> ---
> arch/arm64/include/asm/io.h | 8 ++++++++
> arch/arm64/include/asm/rsi.h | 3 +++
> arch/arm64/include/asm/rsi_cmds.h | 21 +++++++++++++++++++++
> arch/arm64/kernel/rsi.c | 26 ++++++++++++++++++++++++++
> 4 files changed, 58 insertions(+)
>
> diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
> index 1ada23a6ec19..a6c551c5e44e 100644
> --- a/arch/arm64/include/asm/io.h
> +++ b/arch/arm64/include/asm/io.h
> @@ -17,6 +17,7 @@
> #include <asm/early_ioremap.h>
> #include <asm/alternative.h>
> #include <asm/cpufeature.h>
> +#include <asm/rsi.h>
>
> /*
> * Generic IO read/write. These perform native-endian accesses.
> @@ -318,4 +319,11 @@ extern bool arch_memremap_can_ram_remap(resource_size_t offset, size_t size,
> unsigned long flags);
> #define arch_memremap_can_ram_remap arch_memremap_can_ram_remap
>
> +static inline bool arm64_is_iomem_private(phys_addr_t phys_addr, size_t size)
> +{
> + if (unlikely(is_realm_world()))
> + return arm64_rsi_is_protected_mmio(phys_addr, size);
> + return false;
> +}
> +
> #endif /* __ASM_IO_H */
> diff --git a/arch/arm64/include/asm/rsi.h b/arch/arm64/include/asm/rsi.h
> index 2bc013badbc3..e31231b50b6a 100644
> --- a/arch/arm64/include/asm/rsi.h
> +++ b/arch/arm64/include/asm/rsi.h
> @@ -13,6 +13,9 @@ DECLARE_STATIC_KEY_FALSE(rsi_present);
>
> void __init arm64_rsi_init(void);
> void __init arm64_rsi_setup_memory(void);
> +
> +bool arm64_rsi_is_protected_mmio(phys_addr_t base, size_t size);
> +
> static inline bool is_realm_world(void)
> {
> return static_branch_unlikely(&rsi_present);
> diff --git a/arch/arm64/include/asm/rsi_cmds.h b/arch/arm64/include/asm/rsi_cmds.h
> index 968b03f4e703..c2363f36d167 100644
> --- a/arch/arm64/include/asm/rsi_cmds.h
> +++ b/arch/arm64/include/asm/rsi_cmds.h
> @@ -45,6 +45,27 @@ static inline unsigned long rsi_get_realm_config(struct realm_config *cfg)
> return res.a0;
> }
>
> +static inline unsigned long rsi_ipa_state_get(phys_addr_t start,
> + phys_addr_t end,
> + enum ripas *state,
> + phys_addr_t *top)
> +{
> + struct arm_smccc_res res;
> +
> + arm_smccc_smc(SMC_RSI_IPA_STATE_GET,
> + start, end, 0, 0, 0, 0, 0,
> + &res);
> +
> + if (res.a0 == RSI_SUCCESS) {
> + if (top)
> + *top = res.a1;
> + if (state)
> + *state = res.a2;
> + }
> +
> + return res.a0;
> +}
> +
> static inline unsigned long rsi_set_addr_range_state(phys_addr_t start,
> phys_addr_t end,
> enum ripas state,
> diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c
> index e968a5c9929e..381a5b9a5333 100644
> --- a/arch/arm64/kernel/rsi.c
> +++ b/arch/arm64/kernel/rsi.c
> @@ -67,6 +67,32 @@ void __init arm64_rsi_setup_memory(void)
> }
> }
>
> +bool arm64_rsi_is_protected_mmio(phys_addr_t base, size_t size)
> +{
> + enum ripas ripas;
> + phys_addr_t end, top;
> +
> + /* Overflow ? */
> + if (WARN_ON(base + size < base))
> + return false;
> +
> + end = ALIGN(base + size, RSI_GRANULE_SIZE);
> + base = ALIGN_DOWN(base, RSI_GRANULE_SIZE);
> +
> + while (base < end) {
> + if (WARN_ON(rsi_ipa_state_get(base, end, &ripas, &top)))
> + break;
> + if (WARN_ON(top <= base))
> + break;
> + if (ripas != RSI_RIPAS_IO)
> + break;
> + base = top;
> + }
> +
> + return (size && base >= end);
> +}
I don't understand why @size needs to be checked here. Its initial value
taken from the input parameter should be larger than zero and its value
is never updated in the loop. So I'm understanding @size is always larger
than zero, and the condition would be something like below if I'm correct.
return (base >= end); /* RSI_RIPAS_IO returned for all granules */
Another issue is @top is always zero with the latest tf-rmm. More details
are provided below.
> +EXPORT_SYMBOL(arm64_rsi_is_protected_mmio);
> +
> void __init arm64_rsi_init(void)
> {
> /*
The unexpected calltrace is continuously observed with host/v4, guest/v5 and
latest upstream tf-rmm on 'WARN_ON(top <= base)' because @top is never updated
by the latest tf-rmm. The following call path indicates how SMC_RSI_IPA_STATE_GET
is handled by tf-rmm. I don't see RSI_RIPAS_IO is defined there and @top is
updated.
[ 0.000000] ------------[ cut here ]------------
[ 0.000000] WARNING: CPU: 0 PID: 0 at arch/arm64/kernel/rsi.c:103 arm64_rsi_is_protected_mmio+0xf0/0x110
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.11.0-rc1-gavin-g3527d001084e #1
[ 0.000000] Hardware name: linux,dummy-virt (DT)
[ 0.000000] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.000000] pc : arm64_rsi_is_protected_mmio+0xf0/0x110
[ 0.000000] lr : arm64_rsi_is_protected_mmio+0x80/0x110
[ 0.000000] sp : ffffcd7097053bf0
[ 0.000000] x29: ffffcd7097053c30 x28: 0000000000000000 x27: 0000000000000000
[ 0.000000] x26: 00000000000003d0 x25: 00000000ffffff8e x24: ffffcd7096831bd0
[ 0.000000] x23: ffffcd7097053c08 x22: 00000000c4000198 x21: 0000000000001000
[ 0.000000] x20: 0000000001001000 x19: 0000000001000000 x18: 0000000000000002
[ 0.000000] x17: 0000000000000000 x16: 0000000000000010 x15: 0001000080000000
[ 0.000000] x14: 0068000000000703 x13: ffffffffff5fe000 x12: ffffcd7097053ba4
[ 0.000000] x11: 00000000000003d0 x10: ffffcd7097053bc4 x9 : 0000000000000444
[ 0.000000] x8 : ffffffffff5fe000 x7 : 0000000000000000 x6 : 0000000000000000
[ 0.000000] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 0.000000] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[ 0.000000] Call trace:
[ 0.000000] arm64_rsi_is_protected_mmio+0xf0/0x110
[ 0.000000] set_fixmap_io+0x8c/0xd0
[ 0.000000] of_setup_earlycon+0xa0/0x294
[ 0.000000] early_init_dt_scan_chosen_stdout+0x104/0x1dc
[ 0.000000] acpi_boot_table_init+0x1a4/0x2d8
[ 0.000000] setup_arch+0x240/0x610
[ 0.000000] start_kernel+0x6c/0x708
[ 0.000000] __primary_switched+0x80/0x88
===> tf-rmm: git@github.com:TF-RMM/tf-rmm.git
handle_realm_rsi
handle_rsi_ipa_state_get
realm_ipa_get_ripas
===> tf-rmm/lib/s2tt/include/ripas.h
enum ripas {
RIPAS_EMPTY = RMI_EMPTY, /* Unused IPA for Realm */
RIPAS_RAM = RMI_RAM, /* IPA used for Code/Data by Realm */
RIPAS_DESTROYED = RMI_DESTROYED /* IPA is inaccessible to the Realm */
};
===> tf-rmm/runtime/rsi/memory.c
void handle_rsi_ipa_state_get(struct rec *rec,
struct rsi_result *res)
{
unsigned long ipa = rec->regs[1];
enum s2_walk_status ws;
enum ripas ripas_val = RIPAS_EMPTY;
res->action = UPDATE_REC_RETURN_TO_REALM;
if (!GRANULE_ALIGNED(ipa) || !addr_in_rec_par(rec, ipa)) {
res->smc_res.x[0] = RSI_ERROR_INPUT;
return;
}
ws = realm_ipa_get_ripas(rec, ipa, &ripas_val);
if (ws == WALK_SUCCESS) {
res->smc_res.x[0] = RSI_SUCCESS;
res->smc_res.x[1] = (unsigned long)ripas_val;
} else {
res->smc_res.x[0] = RSI_ERROR_INPUT;
}
}
Thanks,
Gavin
next prev parent reply other threads:[~2024-09-06 4:32 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-19 13:19 [PATCH v5 00/19] arm64: Support for running as a guest in Arm CCA Steven Price
2024-08-19 13:19 ` [PATCH v5 01/19] arm64: mm: Add top-level dispatcher for internal mem_encrypt API Steven Price
2024-08-26 10:00 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 02/19] arm64: mm: Add confidential computing hook to ioremap_prot() Steven Price
2024-08-26 10:01 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 03/19] arm64: rsi: Add RSI definitions Steven Price
2024-08-26 10:01 ` Catalin Marinas
2024-09-09 5:10 ` Gavin Shan
2024-09-09 9:12 ` Steven Price
2024-08-19 13:19 ` [PATCH v5 04/19] firmware/psci: Add psci_early_test_conduit() Steven Price
2024-08-23 13:29 ` Will Deacon
2024-08-30 15:54 ` Steven Price
2024-08-26 10:03 ` Catalin Marinas
2024-09-13 13:52 ` Suzuki K Poulose
2024-09-09 23:56 ` Gavin Shan
2024-08-19 13:19 ` [PATCH v5 05/19] arm64: Detect if in a realm and set RIPAS RAM Steven Price
2024-08-19 14:04 ` Suzuki K Poulose
2024-08-19 14:10 ` Steven Price
2024-09-09 15:15 ` Shanker Donthineni
2024-08-26 10:03 ` Catalin Marinas
2024-08-30 15:54 ` Steven Price
2024-09-10 0:09 ` Gavin Shan
2024-09-06 18:58 ` Shanker Donthineni
2024-08-19 13:19 ` [PATCH v5 06/19] arm64: realm: Query IPA size from the RMM Steven Price
2024-08-26 10:04 ` Catalin Marinas
2024-09-10 0:18 ` Gavin Shan
2024-08-19 13:19 ` [PATCH v5 07/19] arm64: rsi: Add support for checking whether an MMIO is protected Steven Price
2024-08-26 10:04 ` Catalin Marinas
2024-09-06 4:32 ` Gavin Shan [this message]
2024-09-06 4:52 ` Gavin Shan
2024-09-06 13:55 ` Steven Price
2024-09-08 23:53 ` Gavin Shan
2024-09-09 9:31 ` Steven Price
2024-09-10 3:51 ` Gavin Shan
2024-08-19 13:19 ` [PATCH v5 08/19] fixmap: Allow architecture overriding set_fixmap_io Steven Price
2024-08-19 13:19 ` [PATCH v5 09/19] fixmap: Pass down the full phys address for set_fixmap_io Steven Price
2024-08-26 10:05 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 10/19] arm64: Override set_fixmap_io Steven Price
2024-08-19 14:13 ` Suzuki K Poulose
2024-08-30 15:54 ` Steven Price
2024-08-19 13:19 ` [PATCH v5 11/19] arm64: rsi: Map unprotected MMIO as decrypted Steven Price
2024-08-19 14:11 ` Suzuki K Poulose
2024-08-30 15:54 ` Steven Price
2024-08-19 13:19 ` [PATCH v5 12/19] efi: arm64: Map Device with Prot Shared Steven Price
2024-08-26 10:13 ` Catalin Marinas
2024-09-09 13:55 ` Matias Ezequiel Vara Larsen
2024-09-10 4:15 ` Gavin Shan
2024-09-10 9:15 ` Suzuki K Poulose
2024-08-19 13:19 ` [PATCH v5 13/19] arm64: Make the PHYS_MASK_SHIFT dynamic Steven Price
2024-08-26 10:31 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 14/19] arm64: Enforce bounce buffers for realm DMA Steven Price
2024-08-26 10:39 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 15/19] arm64: mm: Avoid TLBI when marking pages as valid Steven Price
2024-08-26 10:41 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 16/19] arm64: Enable memory encrypt for Realms Steven Price
2024-08-26 10:46 ` Catalin Marinas
2024-08-19 13:19 ` [PATCH v5 17/19] irqchip/gic-v3-its: Share ITS tables with a non-trusted hypervisor Steven Price
2024-08-19 14:27 ` Marc Zyngier
2024-08-19 14:51 ` Suzuki K Poulose
2024-08-19 15:24 ` Marc Zyngier
2024-08-19 22:19 ` Suzuki K Poulose
2024-10-18 4:49 ` Shanker Donthineni
2024-08-19 13:19 ` [PATCH v5 18/19] irqchip/gic-v3-its: Rely on genpool alignment Steven Price
2024-08-19 13:19 ` [PATCH v5 19/19] virt: arm-cca-guest: TSM_REPORT support for realms Steven Price
2024-09-02 3:53 ` Aneesh Kumar K.V
2024-09-27 15:21 ` Steven Price
2024-09-09 4:13 ` Gavin Shan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe3da777-c6de-451d-8a8a-19fdda8e82e5@redhat.com \
--to=gshan@redhat.com \
--cc=alexandru.elisei@arm.com \
--cc=alpergun@google.com \
--cc=catalin.marinas@arm.com \
--cc=christoffer.dall@arm.com \
--cc=gankulkarni@os.amperecomputing.com \
--cc=james.morse@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=oliver.upton@linux.dev \
--cc=sdonthineni@nvidia.com \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).