From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
To: Yi-De Wu <yi-de.wu@mediatek.com>,
Yingshiuan Pan <yingshiuan.pan@mediatek.com>,
Ze-Yu Wang <ze-yu.wang@mediatek.com>,
Rob Herring <robh+dt@kernel.org>,
Krzysztof Kozlowski <krzysztof.kozlowski+dt@linaro.org>,
Conor Dooley <conor+dt@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Richard Cochran <richardcochran@gmail.com>,
Matthias Brugger <matthias.bgg@gmail.com>
Cc: devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
netdev@vger.kernel.org, linux-mediatek@lists.infradead.org,
David Bradil <dbrazdil@google.com>,
Trilok Soni <quic_tsoni@quicinc.com>,
My Chuang <my.chuang@mediatek.com>,
Shawn Hsiao <shawn.hsiao@mediatek.com>,
PeiLun Suei <peilun.suei@mediatek.com>,
Liju Chen <liju-clr.chen@mediatek.com>,
Willix Yeh <chi-shen.yeh@mediatek.com>,
Kevenny Hsieh <kevenny.hsieh@mediatek.com>
Subject: Re: [PATCH v9 06/21] virt: geniezone: Add set_user_memory_region for vm
Date: Thu, 1 Feb 2024 10:44:12 +0100
Message-ID: <e43a6f6e-6e95-4cbd-9e73-49c129d5724e@collabora.com>
In-Reply-To: <20240129083302.26044-7-yi-de.wu@mediatek.com>
On 29/01/24 09:32, Yi-De Wu wrote:
> From: "Yingshiuan Pan" <yingshiuan.pan@mediatek.com>
>
> Direct use of physical memory from VMs is forbidden and designed to be
> dictated to the privilege models managed by GenieZone hypervisor for
> security reasons. With the help of gzvm-ko, the hypervisor would be able
> to manipulate memory as objects. And the memory management is highly
> integrated with ARM 2-stage translation tables to convert VA to IPA to
> PA under proper security measures required by protected VMs.
>
> Signed-off-by: Yingshiuan Pan <yingshiuan.pan@mediatek.com>
> Signed-off-by: Jerry Wang <ze-yu.wang@mediatek.com>
> Signed-off-by: Liju Chen <liju-clr.chen@mediatek.com>
> Signed-off-by: Yi-De Wu <yi-de.wu@mediatek.com>
> ---
> arch/arm64/geniezone/gzvm_arch_common.h | 2 +
> arch/arm64/geniezone/vm.c | 9 ++
> drivers/virt/geniezone/Makefile | 1 -
> drivers/virt/geniezone/gzvm_vm.c | 110 ++++++++++++++++++++++++
> include/linux/gzvm_drv.h | 40 +++++++++
> include/uapi/linux/gzvm.h | 26 ++++++
> 6 files changed, 187 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/geniezone/gzvm_arch_common.h b/arch/arm64/geniezone/gzvm_arch_common.h
> index fdaa7849353d..2f66e496dfae 100644
> --- a/arch/arm64/geniezone/gzvm_arch_common.h
> +++ b/arch/arm64/geniezone/gzvm_arch_common.h
> @@ -11,6 +11,7 @@
> enum {
> GZVM_FUNC_CREATE_VM = 0,
> GZVM_FUNC_DESTROY_VM = 1,
> + GZVM_FUNC_SET_MEMREGION = 4,
> GZVM_FUNC_PROBE = 12,
> NR_GZVM_FUNC,
> };
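Review bot: GZVM_FUNC_SET_MEMREGION = 4 makes the enum sparse (0, 1, 4, 12), so NR_GZVM_FUNC evaluates to 13 and is no longer a count of functions. That is fine if these are the hypervisor's ABI numbers, but say so in a comment above the enum so that nobody "fixes" the gap or uses NR_GZVM_FUNC to size an array.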
> @@ -23,6 +24,7 @@ enum {
>
> #define MT_HVC_GZVM_CREATE_VM GZVM_HCALL_ID(GZVM_FUNC_CREATE_VM)
> #define MT_HVC_GZVM_DESTROY_VM GZVM_HCALL_ID(GZVM_FUNC_DESTROY_VM)
> +#define MT_HVC_GZVM_SET_MEMREGION GZVM_HCALL_ID(GZVM_FUNC_SET_MEMREGION)
> #define MT_HVC_GZVM_PROBE GZVM_HCALL_ID(GZVM_FUNC_PROBE)
>
> /**
> diff --git a/arch/arm64/geniezone/vm.c b/arch/arm64/geniezone/vm.c
> index a15bad13c2ee..998d6498ac5e 100644
> --- a/arch/arm64/geniezone/vm.c
> +++ b/arch/arm64/geniezone/vm.c
> @@ -49,6 +49,15 @@ int gzvm_arch_probe(void)
> return 0;
> }
>
> +int gzvm_arch_set_memregion(u16 vm_id, size_t buf_size,
> + phys_addr_t region)
> +{
> + struct arm_smccc_res res;
> +
> + return gzvm_hypcall_wrapper(MT_HVC_GZVM_SET_MEMREGION, vm_id,
> + buf_size, region, 0, 0, 0, 0, &res);
> +}
> +
> /**
> * gzvm_arch_create_vm() - create vm
> * @vm_type: VM type. Only supports Linux VM now.
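Review bot: gzvm_arch_set_memregion() has no kerneldoc while the neighbouring gzvm_arch_create_vm() does; document @vm_id, @buf_size (size in bytes of the buffer) and @region (its physical address, which is what the virt_to_phys() caller in gzvm_vm.c passes) and the return value. `res` is filled by the hypercall and then dropped; if the hypervisor returns a detail code in it, propagate it, otherwise leave a comment that only the wrapper's return value is meaningful here.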
> diff --git a/drivers/virt/geniezone/Makefile b/drivers/virt/geniezone/Makefile
> index 066efddc0b9c..25614ea3dea2 100644
> --- a/drivers/virt/geniezone/Makefile
> +++ b/drivers/virt/geniezone/Makefile
> @@ -7,4 +7,3 @@
> GZVM_DIR ?= ../../../drivers/virt/geniezone
>
> gzvm-y := $(GZVM_DIR)/gzvm_main.o $(GZVM_DIR)/gzvm_vm.o
> -
Don't remove this line here - actually, don't introduce it in the first place...
> diff --git a/drivers/virt/geniezone/gzvm_vm.c b/drivers/virt/geniezone/gzvm_vm.c
> index d5e850af924a..326cc9e93d92 100644
> --- a/drivers/virt/geniezone/gzvm_vm.c
> +++ b/drivers/virt/geniezone/gzvm_vm.c
> @@ -15,6 +15,115 @@
> static DEFINE_MUTEX(gzvm_list_lock);
> static LIST_HEAD(gzvm_list);
>
> +u64 gzvm_gfn_to_hva_memslot(struct gzvm_memslot *memslot, u64 gfn)
> +{
> + u64 offset = gfn - memslot->base_gfn;
I'd check if `gfn` is less than `memslot->base_gfn` - that's a potential security
issue.
This means that this function should be

int gzvm_gfn_to_hva_memslot(struct gzvm_memslot *memslot, u64 gfn, u64 *hva_memslot)
{
	if (gfn < memslot->base_gfn)
		return -EINVAL;

	offset = gfn - memslot->base_gfn;
	*hva_memslot = memslot->userspace_addr + offset * PAGE_SIZE;
	return 0;
}
> +
> + return memslot->userspace_addr + offset * PAGE_SIZE;
> +}
> +
> +/**
> + * register_memslot_addr_range() - Register memory region to GenieZone
> + * @gzvm: Pointer to struct gzvm
> + * @memslot: Pointer to struct gzvm_memslot
> + *
> + * Return: 0 for success, negative number for error
> + */
> +static int
> +register_memslot_addr_range(struct gzvm *gzvm, struct gzvm_memslot *memslot)
> +{
> + struct gzvm_memory_region_ranges *region;
> + u32 buf_size = PAGE_SIZE * 2;
> + u64 gfn;
> +
> + region = alloc_pages_exact(buf_size, GFP_KERNEL);
> + if (!region)
> + return -ENOMEM;
> +
> + region->slot = memslot->slot_id;
> + region->total_pages = memslot->npages;
> + gfn = memslot->base_gfn;
> + region->gpa = PFN_PHYS(gfn);
> +
> + if (gzvm_arch_set_memregion(gzvm->vm_id, buf_size,
> + virt_to_phys(region))) {
> + pr_err("Failed to register memregion to hypervisor\n");
> + free_pages_exact(region, buf_size);
> + return -EFAULT;
> + }
> +
> + free_pages_exact(region, buf_size);
> + return 0;
> +}
> +
> +/**
> + * gzvm_vm_ioctl_set_memory_region() - Set memory region of guest
> + * @gzvm: Pointer to struct gzvm.
> + * @mem: Input memory region from user.
> + *
> + * Return: 0 for success, negative number for error
> + *
> + * -EXIO - The memslot is out-of-range
> + * -EFAULT - Cannot find corresponding vma
> + * -EINVAL - Region size and VMA size mismatch
> + */
> +static int
> +gzvm_vm_ioctl_set_memory_region(struct gzvm *gzvm,
> + struct gzvm_userspace_memory_region *mem)
> +{
> + struct vm_area_struct *vma;
> + struct gzvm_memslot *memslot;
> + unsigned long size;
> + __u32 slot;
> +
Remove __u32 slot.....
if (mem->slot >= GZVM_MAX_MEM_REGION)
return -ENXIO;
memslot = &gzvm->memslot[mem->slot];
> + slot = mem->slot;
> + if (slot >= GZVM_MAX_MEM_REGION)
> + return -ENXIO;
> + memslot = &gzvm->memslot[slot];
> + > + vma = vma_lookup(gzvm->mm, mem->userspace_addr);
> + if (!vma)
> + return -EFAULT;
> +
> + size = vma->vm_end - vma->vm_start;
> + if (size != mem->memory_size)
> + return -EINVAL;
> +
> + memslot->base_gfn = __phys_to_pfn(mem->guest_phys_addr);
> + memslot->npages = size >> PAGE_SHIFT;
> + memslot->userspace_addr = mem->userspace_addr;
> + memslot->vma = vma;
> + memslot->flags = mem->flags;
> + memslot->slot_id = mem->slot;
> + return register_memslot_addr_range(gzvm, memslot);
> +}
> +
> +/* gzvm_vm_ioctl() - Ioctl handler of VM FD */
> +static long gzvm_vm_ioctl(struct file *filp, unsigned int ioctl,
> + unsigned long arg)
> +{
> + long ret;
> + void __user *argp = (void __user *)arg;
> + struct gzvm *gzvm = filp->private_data;
> +
> + switch (ioctl) {
> + case GZVM_SET_USER_MEMORY_REGION: {
> + struct gzvm_userspace_memory_region userspace_mem;
> +
> + if (copy_from_user(&userspace_mem, argp, sizeof(userspace_mem))) {
return -EFAULT;
> + ret = -EFAULT;
> + goto out;
> + }
> + ret = gzvm_vm_ioctl_set_memory_region(gzvm, &userspace_mem);
> + break;
> + }
> + default:
> + ret = -ENOTTY;
> + }
> +out:
> + return ret;
> +}
> +
> static void gzvm_destroy_vm(struct gzvm *gzvm)
> {
> pr_debug("VM-%u is going to be destroyed\n", gzvm->vm_id);
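Review bot: gzvm_vm_ioctl_set_memory_region() calls vma_lookup(gzvm->mm, ...) without holding mmap_read_lock(gzvm->mm) and then caches the raw pointer in memslot->vma; once the lock is not held the VMA can be split, merged or unmapped by userspace, so the stored pointer is dangling by the time anything dereferences it. Take the mmap read lock around the lookup and record what is needed (start, size) while it is held instead of keeping the pointer. Related checks missing in the same function: mem->userspace_addr only has to fall inside the VMA, not equal vma->vm_start, yet the size comparison uses vm_end - vm_start, so a mid-VMA address passes with the wrong extent; mem->guest_phys_addr is not checked for page alignment before __phys_to_pfn() silently truncates it; gzvm->memslot[slot] is overwritten with no lock, no check that the slot is already in use and no overlap check against other slots; mem->flags is stored without masking it against the flags the driver understands; and the memslot is left populated when register_memslot_addr_range() fails. gzvm_gfn_to_hva_memslot() needs an upper bound (offset >= memslot->npages) as well as the lower bound raised above, otherwise a caller can compute an HVA past the end of the slot's mapping. In register_memslot_addr_range(), alloc_pages_exact() does not zero the buffer, so region->constituent_cnt and the rest of the two pages are uninitialised kernel memory handed to the hypervisor; allocate with __GFP_ZERO (or set constituent_cnt = 0) and reconsider whether PAGE_SIZE * 2 is needed when only the header is filled. The hypercall failure is reported as -EFAULT, which userspace will read as a bad pointer; -EIO or the hypervisor's mapped error fits better. In gzvm_vm_ioctl() the `out:` label only serves the copy_from_user() failure path, so `return -EFAULT;` there removes the goto.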
> @@ -42,6 +151,7 @@ static int gzvm_vm_release(struct inode *inode, struct file *filp)
>
> static const struct file_operations gzvm_vm_fops = {
> .release = gzvm_vm_release,
> + .unlocked_ioctl = gzvm_vm_ioctl,
> .llseek = noop_llseek,
> };
>
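Review bot: adding .unlocked_ioctl without a .compat_ioctl entry means 32-bit (compat) userspace gets -ENOTTY from the VM fd; set .compat_ioctl = compat_ptr_ioctl, which is correct as long as struct gzvm_userspace_memory_region (defined in the uapi hunk, not shown here) has the same layout for 32- and 64-bit callers, i.e. fixed-width __u32/__u64 members with explicit padding.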
> diff --git a/include/linux/gzvm_drv.h b/include/linux/gzvm_drv.h
> index f1dce23838e4..81696b7b67cc 100644
> --- a/include/linux/gzvm_drv.h
> +++ b/include/linux/gzvm_drv.h
> @@ -7,9 +7,16 @@
> #define __GZVM_DRV_H__
>
> #include <linux/list.h>
> +#include <linux/mm.h>
> #include <linux/mutex.h>
> #include <linux/gzvm.h>
>
> +/*
> + * For the normal physical address, the highest 12 bits should be zero, so we
> + * can mask bit 62 ~ bit 52 to indicate the error physical address
> + */
> +#define GZVM_PA_ERR_BAD (0x7ffULL << 52)
> +
> #define INVALID_VM_ID 0xffff
>
> /*
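Review bot: the comment above GZVM_PA_ERR_BAD does not match the value: 0x7ffULL << 52 sets 11 bits (52..62), while the text says "the highest 12 bits should be zero" and "bit 62 ~ bit 52" in the same breath. Pick one: either (0xfffULL << 52) for bits 52..63 or change the comment to 11 bits, and state the physical-address width assumption (52-bit PA) this rests on. The macro is also unused in this patch; if a later patch in the series consumes it, introduce it there.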
> @@ -27,10 +34,39 @@
> * The following data structures are for data transferring between driver and
> * hypervisor, and they're aligned with hypervisor definitions
> */
> +#define GZVM_MAX_MEM_REGION 10
> +
> +/* struct mem_region_addr_range - Identical to ffa memory constituent */
> +struct mem_region_addr_range {
> + /* the base IPA of the constituent memory region, aligned to 4 kiB */
> + __u64 address;
> + /* the number of 4 kiB pages in the constituent memory region. */
> + __u32 pg_cnt;
> + __u32 reserved;
> +};
> +
> +struct gzvm_memory_region_ranges {
> + __u32 slot;
> + __u32 constituent_cnt;
> + __u64 total_pages;
> + __u64 gpa;
> + struct mem_region_addr_range constituents[];
> +};
> +
> +/* struct gzvm_memslot - VM's memory slot descriptor */
> +struct gzvm_memslot {
> + u64 base_gfn; /* begin of guest page frame */
> + unsigned long npages; /* number of pages this slot covers */
> + unsigned long userspace_addr; /* corresponding userspace va */
> + struct vm_area_struct *vma; /* vma related to this userspace addr */
kerneldoc please
> + u32 flags;
> + u32 slot_id;
> +};
>
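Review bot: struct mem_region_addr_range and struct gzvm_memory_region_ranges use __u64/__u32 but live in include/linux/gzvm_drv.h, a kernel-internal header; use u64/u32 there (the __-prefixed types are for uapi), which also makes them consistent with struct gzvm_memslot just below. Since the comment says these layouts must match the hypervisor's, add static_assert() checks on sizeof() (and offsetof() for the fields the hypervisor reads) so that a padding change is caught at build time, and document GZVM_MAX_MEM_REGION as the bound gzvm_vm.c checks mem->slot against, noting that it must agree with the hypervisor's slot limit. The kerneldoc request for struct gzvm_memslot applies to the other two structs as well.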
Regards,
Angelo
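As an added example (not code from the patch or from the GenieZone project), here is the gfn-to-hva translation in the shape posted above, beside the range-checked form the review asks for, extended with the upper bound as well. The struct and field names mirror the patch's gzvm_memslot but are a standalone stand-in; the 4 KiB page size and the sample slot values are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SLOT_PAGE_SHIFT 12                      /* assumed 4 KiB pages */
#define SLOT_PAGE_SIZE  (1ULL << SLOT_PAGE_SHIFT)

/* Stand-in for the patch's struct gzvm_memslot; only the fields the translation needs. */
struct memslot {
	uint64_t base_gfn;        /* first guest page frame number in the slot */
	uint64_t npages;          /* number of pages the slot covers */
	uint64_t userspace_addr;  /* host VA that backs base_gfn */
};

/*
 * The translation as posted: no range check. A gfn below base_gfn wraps the
 * subtraction to a huge offset and the result lands below the mapping; a gfn
 * past the end of the slot lands in whatever follows it.
 */
static uint64_t gfn_to_hva_unchecked(const struct memslot *slot, uint64_t gfn)
{
	uint64_t offset = gfn - slot->base_gfn;

	return slot->userspace_addr + offset * SLOT_PAGE_SIZE;
}

/*
 * Hardened form: reject any gfn outside [base_gfn, base_gfn + npages).
 * Returns 0 and stores the HVA in *hva, or -EINVAL. The lower-bound test
 * comes first so the subtraction can never underflow.
 */
static int gfn_to_hva_checked(const struct memslot *slot, uint64_t gfn, uint64_t *hva)
{
	uint64_t offset;

	if (gfn < slot->base_gfn)
		return -EINVAL;
	offset = gfn - slot->base_gfn;
	if (offset >= slot->npages)
		return -EINVAL;
	*hva = slot->userspace_addr + (offset << SLOT_PAGE_SHIFT);
	return 0;
}

/* Constructed sample slot: 4 pages of guest memory at GPA 0x80000000, backed at HVA 0x7f0000000000. */
static const struct memslot sample_slot = {
	.base_gfn = 0x80000000ULL >> SLOT_PAGE_SHIFT,
	.npages = 4,
	.userspace_addr = 0x7f0000000000ULL,
};

int main(void)
{
	/* one gfn below the slot, one inside, one just past the end */
	uint64_t probes[] = { sample_slot.base_gfn - 1, sample_slot.base_gfn + 2, sample_slot.base_gfn + 4 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		uint64_t hva = 0;
		int rc = gfn_to_hva_checked(&sample_slot, probes[i], &hva);

		printf("gfn 0x%llx: unchecked hva 0x%llx, checked rc %d hva 0x%llx\n",
		       (unsigned long long)probes[i],
		       (unsigned long long)gfn_to_hva_unchecked(&sample_slot, probes[i]),
		       rc, (unsigned long long)hva);
	}
	return 0;
}
```

The first probe shows why the lower bound matters: the unchecked version returns an address one page below userspace_addr, i.e. memory the slot never owned, while the checked version reports -EINVAL. The third probe is the case the upper bound catches.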