From: "Mickaël Salaün" <mic@digikod.net>
To: Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Kees Cook <keescook@chromium.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"Alexander Graf" <graf@amazon.com>,
"Angelina Vu" <angelinavu@linux.microsoft.com>,
"Anna Trikalinou" <atrikalinou@microsoft.com>,
"Chao Peng" <chao.p.peng@linux.intel.com>,
"Forrest Yuan Yu" <yuanyu@google.com>,
"James Gowans" <jgowans@amazon.com>,
"James Morris" <jamorris@linux.microsoft.com>,
"John Andersen" <john.s.andersen@intel.com>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
"Marian Rotariu" <marian.c.rotariu@gmail.com>,
"Mihai Donțu" <mdontu@bitdefender.com>,
"Nicușor Cîțu" <nicu.citu@icloud.com>,
"Thara Gopinath" <tgopinath@microsoft.com>,
"Trilok Soni" <quic_tsoni@quicinc.com>,
"Wei Liu" <wei.liu@kernel.org>, "Will Deacon" <will@kernel.org>,
"Yu Zhang" <yu.c.zhang@linux.intel.com>,
"Ștefan Șicleru" <ssicleru@bitdefender.com>,
dev@lists.cloudhypervisor.org, kvm@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, qemu-devel@nongnu.org,
virtualization@lists.linux-foundation.org, x86@kernel.org,
xen-devel@lists.xenproject.org
Subject: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Date: Fri, 3 May 2024 15:19:08 +0200 [thread overview]
Message-ID: <20240503131910.307630-4-mic@digikod.net> (raw)
In-Reply-To: <20240503131910.307630-1-mic@digikod.net>
Add an interface for user space to be notified about guests' Heki policy
and related violations.
Extend the KVM_ENABLE_CAP IOCTL with KVM_CAP_HEKI_CONFIGURE and
KVM_CAP_HEKI_DENIAL. Each one takes a bitmask as first argument that can
contains KVM_HEKI_EXIT_REASON_CR0 and KVM_HEKI_EXIT_REASON_CR4. The
returned value is the bitmask of known Heki exit reasons, for now:
KVM_HEKI_EXIT_REASON_CR0 and KVM_HEKI_EXIT_REASON_CR4.
If KVM_CAP_HEKI_CONFIGURE is set, a VM exit will be triggered for each
KVM_HC_LOCK_CR_UPDATE hypercalls according to the requested control
register. This enables to enlighten the VMM with the guest
auto-restrictions.
If KVM_CAP_HEKI_DENIAL is set, a VM exit will be triggered for each
pinned CR violation. This enables the VMM to react to a policy
violation.
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Madhavan T. Venkataraman <madvenka@linux.microsoft.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20240503131910.307630-4-mic@digikod.net
---
Changes since v1:
* New patch. Making user space aware of Heki properties was requested by
Sean Christopherson.
---
arch/x86/kvm/vmx/vmx.c | 5 +-
arch/x86/kvm/x86.c | 114 +++++++++++++++++++++++++++++++++++----
arch/x86/kvm/x86.h | 7 +--
include/linux/kvm_host.h | 2 +
include/uapi/linux/kvm.h | 22 ++++++++
5 files changed, 136 insertions(+), 14 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 7ba970b525f7..5869a1ed7866 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5445,6 +5445,7 @@ static int handle_cr(struct kvm_vcpu *vcpu)
int reg;
int err;
int ret;
+ bool exit = false;
exit_qualification = vmx_get_exit_qual(vcpu);
cr = exit_qualification & 15;
@@ -5454,8 +5455,8 @@ static int handle_cr(struct kvm_vcpu *vcpu)
val = kvm_register_read(vcpu, reg);
trace_kvm_cr_write(cr, val);
- ret = heki_check_cr(vcpu, cr, val);
- if (ret)
+ ret = heki_check_cr(vcpu, cr, val, &exit);
+ if (exit)
return ret;
switch (cr) {
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a5f47be59abc..865e88f2b0fc 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -119,6 +119,10 @@ static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS;
#define KVM_CAP_PMU_VALID_MASK KVM_PMU_CAP_DISABLE
+#define KVM_HEKI_EXIT_REASON_VALID_MASK ( \
+ KVM_HEKI_EXIT_REASON_CR0 | \
+ KVM_HEKI_EXIT_REASON_CR4)
+
#define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \
KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK)
@@ -4836,6 +4840,10 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
if (kvm_is_vm_type_supported(KVM_X86_SW_PROTECTED_VM))
r |= BIT(KVM_X86_SW_PROTECTED_VM);
break;
+ case KVM_CAP_HEKI_CONFIGURE:
+ case KVM_CAP_HEKI_DENIAL:
+ r = KVM_HEKI_EXIT_REASON_VALID_MASK;
+ break;
default:
break;
}
@@ -6729,6 +6737,22 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
}
mutex_unlock(&kvm->lock);
break;
+#ifdef CONFIG_HEKI
+ case KVM_CAP_HEKI_CONFIGURE:
+ r = -EINVAL;
+ if (cap->args[0] & ~KVM_HEKI_EXIT_REASON_VALID_MASK)
+ break;
+ kvm->heki_configure_exit_reason = cap->args[0];
+ r = 0;
+ break;
+ case KVM_CAP_HEKI_DENIAL:
+ r = -EINVAL;
+ if (cap->args[0] & ~KVM_HEKI_EXIT_REASON_VALID_MASK)
+ break;
+ kvm->heki_denial_exit_reason = cap->args[0];
+ r = 0;
+ break;
+#endif
default:
r = -EINVAL;
break;
@@ -8283,11 +8307,60 @@ static unsigned long emulator_get_cr(struct x86_emulate_ctxt *ctxt, int cr)
#ifdef CONFIG_HEKI
+static int complete_heki_configure_exit(struct kvm_vcpu *const vcpu)
+{
+ kvm_rax_write(vcpu, 0);
+ ++vcpu->stat.hypercalls;
+ return kvm_skip_emulated_instruction(vcpu);
+}
+
+static int complete_heki_denial_exit(struct kvm_vcpu *const vcpu)
+{
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+}
+
+/* Returns true if the @exit_reason is handled by @vcpu->kvm. */
+static bool heki_exit_cr(struct kvm_vcpu *const vcpu, const __u32 exit_reason,
+ const u64 heki_reason, unsigned long value)
+{
+ switch (exit_reason) {
+ case KVM_EXIT_HEKI_CONFIGURE:
+ if (!(vcpu->kvm->heki_configure_exit_reason & heki_reason))
+ return false;
+
+ vcpu->run->heki_configure.reason = heki_reason;
+ memset(vcpu->run->heki_configure.reserved, 0,
+ sizeof(vcpu->run->heki_configure.reserved));
+ vcpu->run->heki_configure.cr_pinned = value;
+ vcpu->arch.complete_userspace_io = complete_heki_configure_exit;
+ break;
+ case KVM_EXIT_HEKI_DENIAL:
+ if (!(vcpu->kvm->heki_denial_exit_reason & heki_reason))
+ return false;
+
+ vcpu->run->heki_denial.reason = heki_reason;
+ memset(vcpu->run->heki_denial.reserved, 0,
+ sizeof(vcpu->run->heki_denial.reserved));
+ vcpu->run->heki_denial.cr_value = value;
+ vcpu->arch.complete_userspace_io = complete_heki_denial_exit;
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ return false;
+ }
+
+ vcpu->run->exit_reason = exit_reason;
+ return true;
+}
+
#define HEKI_ABI_VERSION 1
static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
- unsigned long pin, unsigned long flags)
+ unsigned long pin, unsigned long flags, bool *exit)
{
+ *exit = false;
+
if (flags) {
if ((flags == KVM_LOCK_CR_UPDATE_VERSION) && !cr && !pin)
return HEKI_ABI_VERSION;
@@ -8307,6 +8380,8 @@ static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
return -KVM_EINVAL;
atomic_long_or(pin, &vcpu->kvm->heki_pinned_cr0);
+ *exit = heki_exit_cr(vcpu, KVM_EXIT_HEKI_CONFIGURE,
+ KVM_HEKI_EXIT_REASON_CR0, pin);
return 0;
case 4:
/* Checks for irrelevant bits. */
@@ -8316,24 +8391,37 @@ static int heki_lock_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
/* Ignores bits not present in host. */
pin &= __read_cr4();
atomic_long_or(pin, &vcpu->kvm->heki_pinned_cr4);
+ *exit = heki_exit_cr(vcpu, KVM_EXIT_HEKI_CONFIGURE,
+ KVM_HEKI_EXIT_REASON_CR4, pin);
return 0;
}
return -KVM_EINVAL;
}
+/*
+ * Sets @exit to true if the caller must exit (i.e. denied access) with the
+ * returned value:
+ * - 0 when kvm_run is configured;
+ * - 1 when there is no user space handler.
+ */
int heki_check_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
- const unsigned long val)
+ const unsigned long val, bool *exit)
{
unsigned long pinned;
+ *exit = false;
+
switch (cr) {
case 0:
pinned = atomic_long_read(&vcpu->kvm->heki_pinned_cr0);
if ((val & pinned) != pinned) {
pr_warn_ratelimited(
"heki: Blocked CR0 update: 0x%lx\n", val);
- kvm_inject_gp(vcpu, 0);
- return 1;
+ *exit = true;
+ if (heki_exit_cr(vcpu, KVM_EXIT_HEKI_DENIAL,
+ KVM_HEKI_EXIT_REASON_CR0, val))
+ return 0;
+ return complete_heki_denial_exit(vcpu);
}
return 0;
case 4:
@@ -8341,8 +8429,11 @@ int heki_check_cr(struct kvm_vcpu *const vcpu, const unsigned long cr,
if ((val & pinned) != pinned) {
pr_warn_ratelimited(
"heki: Blocked CR4 update: 0x%lx\n", val);
- kvm_inject_gp(vcpu, 0);
- return 1;
+ *exit = true;
+ if (heki_exit_cr(vcpu, KVM_EXIT_HEKI_DENIAL,
+ KVM_HEKI_EXIT_REASON_CR4, val))
+ return 0;
+ return complete_heki_denial_exit(vcpu);
}
return 0;
}
@@ -8356,9 +8447,10 @@ static int emulator_set_cr(struct x86_emulate_ctxt *ctxt, int cr, ulong val)
{
struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
int res = 0;
+ bool exit = false;
- res = heki_check_cr(vcpu, cr, val);
- if (res)
+ res = heki_check_cr(vcpu, cr, val, &exit);
+ if (exit)
return res;
switch (cr) {
@@ -10222,7 +10314,11 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
if (a0 > U32_MAX) {
ret = -KVM_EINVAL;
} else {
- ret = heki_lock_cr(vcpu, a0, a1, a2);
+ bool exit = false;
+
+ ret = heki_lock_cr(vcpu, a0, a1, a2, &exit);
+ if (exit)
+ return ret;
}
break;
#endif /* CONFIG_HEKI */
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index ade7d68ddaff..2740b74ab583 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -292,18 +292,19 @@ static inline bool kvm_check_has_quirk(struct kvm *kvm, u64 quirk)
#ifdef CONFIG_HEKI
-int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr, unsigned long val);
+int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr, unsigned long val,
+ bool *exit);
#else /* CONFIG_HEKI */
static inline int heki_check_cr(struct kvm_vcpu *vcpu, unsigned long cr,
- unsigned long val)
+ unsigned long val, bool *exit)
{
return 0;
}
static inline int heki_lock_cr(struct kvm_vcpu *const vcpu, unsigned long cr,
- unsigned long pin)
+ unsigned long pin, bool *exit)
{
return 0;
}
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 6ff13937929a..cf8e271d47aa 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -839,6 +839,8 @@ struct kvm {
#ifdef CONFIG_HEKI
atomic_long_t heki_pinned_cr0;
atomic_long_t heki_pinned_cr4;
+ u64 heki_configure_exit_reason;
+ u64 heki_denial_exit_reason;
#endif /* CONFIG_HEKI */
#ifdef CONFIG_HAVE_KVM_PM_NOTIFIER
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 2190adbe3002..1051c2f817ba 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -178,6 +178,8 @@ struct kvm_xen_exit {
#define KVM_EXIT_NOTIFY 37
#define KVM_EXIT_LOONGARCH_IOCSR 38
#define KVM_EXIT_MEMORY_FAULT 39
+#define KVM_EXIT_HEKI_CONFIGURE 40
+#define KVM_EXIT_HEKI_DENIAL 41
/* For KVM_EXIT_INTERNAL_ERROR */
/* Emulate instruction failed. */
@@ -433,6 +435,24 @@ struct kvm_run {
__u64 gpa;
__u64 size;
} memory_fault;
+ /* KVM_EXIT_HEKI_CONFIGURE */
+ struct {
+#define KVM_HEKI_EXIT_REASON_CR0 (1ULL << 0)
+#define KVM_HEKI_EXIT_REASON_CR4 (1ULL << 1)
+ __u64 reason;
+ union {
+ __u64 cr_pinned;
+ __u64 reserved[7]; /* ignored */
+ };
+ } heki_configure;
+ /* KVM_EXIT_HEKI_DENIAL */
+ struct {
+ __u64 reason;
+ union {
+ __u64 cr_value;
+ __u64 reserved[7]; /* ignored */
+ };
+ } heki_denial;
/* Fix the size of the union. */
char padding[256];
};
@@ -917,6 +937,8 @@ struct kvm_enable_cap {
#define KVM_CAP_MEMORY_ATTRIBUTES 233
#define KVM_CAP_GUEST_MEMFD 234
#define KVM_CAP_VM_TYPES 235
+#define KVM_CAP_HEKI_CONFIGURE 236
+#define KVM_CAP_HEKI_DENIAL 237
struct kvm_irq_routing_irqchip {
__u32 irqchip;
--
2.45.0
next prev parent reply other threads:[~2024-05-03 13:19 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 13:19 [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 1/5] virt: Introduce Hypervisor Enforced Kernel Integrity (Heki) Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 2/5] KVM: x86: Add new hypercall to lock control registers Mickaël Salaün
2024-05-03 13:19 ` Mickaël Salaün [this message]
2024-05-03 14:03 ` [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation Sean Christopherson
2024-05-06 17:50 ` Mickaël Salaün
2024-05-07 1:34 ` Sean Christopherson
2024-05-07 9:30 ` Mickaël Salaün
2024-05-07 16:16 ` Sean Christopherson
2024-05-10 10:07 ` Nicolas Saenz Julienne
2024-05-14 12:23 ` Mickaël Salaün
2024-05-15 20:32 ` Sean Christopherson
2024-06-03 18:39 ` Mickaël Salaün
2024-06-04 0:30 ` Sean Christopherson
2024-05-16 14:02 ` Nicolas Saenz Julienne
2024-05-14 12:15 ` Mickaël Salaün
2024-06-04 0:29 ` Sean Christopherson
2024-05-03 13:19 ` [RFC PATCH v3 4/5] heki: Lock guest control registers at the end of guest kernel init Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 5/5] virt: Add Heki KUnit tests Mickaël Salaün
2024-05-03 13:49 ` [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240503131910.307630-4-mic@digikod.net \
--to=mic@digikod.net \
--cc=angelinavu@linux.microsoft.com \
--cc=atrikalinou@microsoft.com \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dev@lists.cloudhypervisor.org \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jamorris@linux.microsoft.com \
--cc=jgowans@amazon.com \
--cc=john.s.andersen@intel.com \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=marian.c.rotariu@gmail.com \
--cc=mdontu@bitdefender.com \
--cc=mingo@redhat.com \
--cc=nicu.citu@icloud.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quic_tsoni@quicinc.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=ssicleru@bitdefender.com \
--cc=tglx@linutronix.de \
--cc=tgopinath@microsoft.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=wei.liu@kernel.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=yu.c.zhang@linux.intel.com \
--cc=yuanyu@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox