From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 039E8C83F17 for ; Tue, 15 Jul 2025 09:33:56 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 31D486B0089; Tue, 15 Jul 2025 05:33:56 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2CE1D6B008A; Tue, 15 Jul 2025 05:33:56 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1E3D16B0092; Tue, 15 Jul 2025 05:33:56 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 0A80A6B0089 for ; Tue, 15 Jul 2025 05:33:56 -0400 (EDT) Received: from smtpin02.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 7B55B1A0383 for ; Tue, 15 Jul 2025 09:33:55 +0000 (UTC) X-FDA: 83665987230.02.EDCC3E7 Received: from mail-wr1-f74.google.com (mail-wr1-f74.google.com [209.85.221.74]) by imf13.hostedemail.com (Postfix) with ESMTP id AFF9420003 for ; Tue, 15 Jul 2025 09:33:53 +0000 (UTC) Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=DhPtjZ9j; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf13.hostedemail.com: domain of 3fyB2aAUKCOIXEFFEKSSKPI.GSQPMRYb-QQOZEGO.SVK@flex--tabba.bounces.google.com designates 209.85.221.74 as permitted sender) smtp.mailfrom=3fyB2aAUKCOIXEFFEKSSKPI.GSQPMRYb-QQOZEGO.SVK@flex--tabba.bounces.google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1752572033; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=j4t1n4nwyoQBKZNhO7jMcqNzHzTkyclHCojNDUTYuIc=; b=AjeTeKLckWPpOxu593shZxDV6UbJygSmkF/kXl7JOQNy7fLvyNCIYQ2feQeYl2eIiq6v5l JIIgkMT2XgkmUl5wMTjBx8QXqjpBDsGvHqHGfC5PJ2TuoSOqVCfFG7x+DUarTz4TVx7q6s C/HKhBKbtGaBj/n+Zfui6N4i/3TaD18= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1752572033; a=rsa-sha256; cv=none; b=beHzVNsbGUQKe8F+6s5H4TnwulRuquNl1uY7gmxXYfC3S6sz22SqXiECvd63RWVbiCaXrp 29TXk02gaA6mERvF2wcki+KjzaT9j+7Z73sYG6CuqfShynNEYmpf4ZiNiyYEJyFsNu08EF zguV/oE6fOxTTOOMRFFwh+uiSgf0oR0= ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=DhPtjZ9j; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf13.hostedemail.com: domain of 3fyB2aAUKCOIXEFFEKSSKPI.GSQPMRYb-QQOZEGO.SVK@flex--tabba.bounces.google.com designates 209.85.221.74 as permitted sender) smtp.mailfrom=3fyB2aAUKCOIXEFFEKSSKPI.GSQPMRYb-QQOZEGO.SVK@flex--tabba.bounces.google.com Received: by mail-wr1-f74.google.com with SMTP id ffacd0b85a97d-3a6d90929d6so2355903f8f.2 for ; Tue, 15 Jul 2025 02:33:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1752572032; x=1753176832; darn=kvack.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=j4t1n4nwyoQBKZNhO7jMcqNzHzTkyclHCojNDUTYuIc=; b=DhPtjZ9jh5Wkk3kYnm3B0E14agLtnl3mwSa6mjPQi5C9XmscFvJp3sIMzJI4fnZPTj QUvGfe3JCdVvmG3GuKuJ6Z2h5XUCkdEkFn1X05HJ2U/Atr/fUE5K57bGTdmznhRLbiqs 2OaLnjPDTDwJJNQp69A8uOFASbEjSpAkW10T32O/j2FO6rovqXffbKWdGnk7x6fGT4aR xzKeiCDYPNgn5z146AodCL8lkyuuKqblVstls0B2BGAmL2SFOC54lcAPVS3RaS7URSAp MP4fR7TdGz5OA9U+0MLRTCxdf7oM/f+m6MVRm4K9m2pg+rmjcMqqM/zg9YzVn8DrmUHp aTyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752572032; x=1753176832; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=j4t1n4nwyoQBKZNhO7jMcqNzHzTkyclHCojNDUTYuIc=; b=izsq1GhbttubmOz7aODI3ebLzKd7swXP8Yrd5woC/zkNcbdvKDWO2zfg/FQAm0f5r/ E13jthV7L9k+nsg04XYuqYXWBdYECcwEtiVraoS0hp6PObswfJ1mWgVJUheY5eKyykpE S9s7CfkvNDJVuZKYAalVwgPWCiJkv8XOemEF2YyxFT/Dh2oUfhkCHl+LvicBCq0eWABs xE822I0uFqfTgY4IIpddAol000RyB8s4IV7VaJtyGBxsKj3eWEpuUBxoyCR3+xqoSWN0 LzEzWtasqlEL6oSBohrmABi8EYCLq/iRlRMpo7rvOTzKutb0fOgEe1vq+NqQRm1S3Ejf aqjw== X-Forwarded-Encrypted: i=1; AJvYcCXBVWzASYv+04LFUAELMhmYWh6C4G11oy8Dg/Y9ocqru2Xrcv3I/bzQfcQJIK/+dSV0SfIO9PFFCA==@kvack.org X-Gm-Message-State: AOJu0Ywutmx+K+3VxpTSDtTVWdtOcrTzdatBm/8E94XGbpYIDILNnjfu axYvtbVpP+ug26aL8u46hqOsohn3ijHYjG6evzGPolLQ/+k6I35WvoKLy6CFS84ES3OocAZTT0K Ckw== X-Google-Smtp-Source: AGHT+IGz/WL5Nm2M8E0afS2hsyGmPGgazwMmwD3sXKJKeTBCyM54UVdaP4fiGdQY16/I+BzGEw8xAOzLrQ== X-Received: from wrce6.prod.google.com ([2002:adf:9bc6:0:b0:3a5:7dbc:4d24]) (user=tabba job=prod-delivery.src-stubby-dispatcher) by 2002:a5d:5e8a:0:b0:3b5:e5c9:93c5 with SMTP id ffacd0b85a97d-3b5f2e28d8bmr10048876f8f.49.1752572031962; Tue, 15 Jul 2025 02:33:51 -0700 (PDT) Date: Tue, 15 Jul 2025 10:33:29 +0100 Mime-Version: 1.0 X-Mailer: git-send-email 2.50.0.727.gbf7dc18ff4-goog Message-ID: <20250715093350.2584932-1-tabba@google.com> Subject: [PATCH v14 00/21] KVM: Enable host userspace mapping for guest_memfd-backed memory for non-CoCo VMs From: Fuad Tabba To: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, kvmarm@lists.linux.dev Cc: pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, jthoughton@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com, tabba@google.com Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: AFF9420003 X-Stat-Signature: 51w7ioaxpp6yppxhu7nrmb9jp5fkyiox X-Rspam-User: X-Rspamd-Server: rspam11 X-HE-Tag: 1752572033-782162 X-HE-Meta: U2FsdGVkX1/Yj3HvYmk2siI/9o/4oO270DvNnLvfuR/sglBn8Emx5apsq+H3BWKmNafjXEALnKLGkZmpSuaJrMt3rERAkliSFHwlzi2pH9jEvxS5GNhd2ZwhFz03yriZuofxDti+KZD5jDirvnZRCMfw46piLKmOpnocUDNZ/9au6UpgqsB+Vn4pCXywX2YY5KbzjD1biGoV/6QnDL46UdoAb080QA220mJCp3ivzV8+2tAAQP3b7Nd1I6vppTa/03EvsPuGu4V6/stw4Rgx2IeS+CD0tIcwI8yo1BHEP+V2/eLYKcYV3O/cYZ+GZ/EzyO3gP8M2gGVXvwr/gdDzBYoWuwFgcSaY54R/5s0BswHBDVRYxPqishDRMqHnQf3Gcfl1EF5jzJfYi8HGEOjpyqYA0FQDgWtVLMvpvgtxgCA5g2Sz5bhpU1vA1/vLuAPvUfnT6RMwOh+V6qJru7dk8KqVqCMUhP9kZWJUJdOXaVrqi3/Eda8Qtky0l60TvHe9qwDiKcyA7r6aJDxvydllJFY1UZpyZW3x62xEPPdnW+JqENWc4vgQ15posxO+y3oD0i0cOWJ74tUPQ2m8PtafcJeeB4o840fOrHAXhtTjccyapOa947HUL+rCyvuKfHkOVy5XWBh5HSi4ObZ7lvQq0K8bE3d5aKf01AERhunpjaTe5o17NgTXJRVyGyhrL/5BWRAXjnlXAnpBI3dXflCYL854EfhGmvGVVELU0f/pdmD009UQOAr02qXf31aAxtphSB/makRL0bs4CijZIaEDIp0loOlmXx1LhtNCdaVmvW/+f3cJmKJH6K6BK3S/APXCb4KnbsgRHJLtl+QC6iQxxPzVcGI0vmJ/BkBUfgSnWM9D6xLRR9iJsBaheb10zsWX0/OJKxYZ7B/GBxxmAjGsJAW1WuyOvFTKl9g0Fzo/c3bPMq6zVb0R8EMRVETjFDEjFnCMc+4ppf4FSPkSL+M UMSAk1Ob Y6yFaXQ9N8odV5zOvH6PNTE1c51yQ51s7aAJ5nBTePt0qcJ9Do2WGUl1IYLSpuv/sGNMmqgcciTnErbMnz+GI7Eug/vhiU34dzFuQtcbUXW1AcycOlGWTIqWL8XnbNndml7Ef2BifGgIDv4Rhp83d5ukFTQgqQYYaG583OGVXGeBTS3RuLqjFxju0bZJh4lrlTpO4KR6y/96N7wTTo3U3LkX/wKk3uunE0dq4fP0dYlXcslk9vX/mBcPJF3Qw38QGD4L176E40wVydKp7ajtkinXMrVDuOijD7pAiaUQPKLfmN0w714lWMaJTTF9sWQHxZczTtzZ5izmlgDP+uYxqrYcIAQP4b3nq+nUi+jlD1K2v78RKh9GSAjufzcxLuP0TA4ZrcJpnVZmr8PSDG0FDkGHg32lZqGf/+eLnhZuQKDz7YZVycGo1j9PFi6OL+A3yb4MatEZBhx1CohD9sgFk3Rk1WhJPKNMnN1KVGtoOe1BJXYGlIKZvffE+lZCe1jw1e2GUnjB0WA6KgjwrtVAf5Hq/GuYrfRIW4tN9dUW/K8vl0WdASaQoRvtOiRlnLuQvuVe2l/wIc0GeYiXG8/KxAbTb8RtTmCCKWSOUkdpFTSfjWCIfxIfUu1n+viS22SiQeFi5tsm7I5jFD54Lo5ANRrG0yFGpyDkpk6mFklr2V3h+26JPm2H+AMpoAx5xUO/8tNLTOrrIn5s1S0SMWx0Q7pSpD8jJLO6w2f1+SJXA3b9hTJU90OmZaAXv1r6wcJHi1sUwPrq8x0LPO8Iv8l6nYvXbCg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Main changes since v13 [1]: * Fixed handling of guest faults in case of invalidation in arm64 * Handle VNCR_EL2-triggered faults backed by guest_memfd (arm64 nested virt) * Applied suggestions from latest feedback * Rebase on Linux 6.16-rc6 This patch series enables host userspace mapping of guest_memfd-backed memory for non-CoCo VMs. This is required for several evolving KVM use cases: * Allows VMMs like Firecracker to run guests entirely backed by guest_memfd [2]. This provides a unified memory management model for both confidential and non-confidential guests, simplifying VMM design. * Enhanced Security via direct map removal: When combined with Patrick's series for direct map removal [3], this provides additional hardening against Spectre-like transient execution attacks by eliminating the need for host kernel direct maps of guest memory. * Lays the groundwork for *restricted* mmap() support for guest_memfd-backed memory on CoCo platforms [4] that permit in-place sharing of guest memory with the host. Patch breakdown: Patches 1-7: Primarily infrastructure refactorings and renames to decouple guest_memfd from the concept of "private" memory. Patches 8-9: Add support for the host to map guest_memfd backed memory for non-CoCo VMs, which includes support for mmap() and fault handling. This is gated by a new configuration option, toggled by a new flag, and advertised to userspace by a new capability (introduced in patch 18). Patches 10-14: Implement x86 guest_memfd mmap support. Patches 15-18: Implement arm64 guest_memfd mmap support. Patch 19: Introduce the new capability to advertise this support and update the documentation. Patches 20-21: Update and expand selftests for guest_memfd to include mmap functionality and improve portability. To test this patch series and boot a guest utilizing the new features, please refer to the instructions in v8 of the series [5]. Note that kvmtool for Linux 6.16 (available at [6]) is required, as the KVM_CAP_GMEM_MMAP capability number has changed, additionally, drop the --sw_protected kvmtool parameter to test with the default VM type. Cheers, /fuad [1] https://lore.kernel.org/all/20250709105946.4009897-1-tabba@google.com/ [2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding [3] https://lore.kernel.org/all/20250221160728.1584559-1-roypat@amazon.co.uk/ [4] https://lore.kernel.org/all/20250328153133.3504118-1-tabba@google.com/ [5] https://lore.kernel.org/all/20250430165655.605595-1-tabba@google.com/ [6] https://android-kvm.googlesource.com/kvmtool/+/refs/heads/tabba/guestmem-basic-6.16 Ackerley Tng (4): KVM: x86/mmu: Generalize private_max_mapping_level x86 op to max_mapping_level KVM: x86/mmu: Allow NULL-able fault in kvm_max_private_mapping_level KVM: x86/mmu: Consult guest_memfd when computing max_mapping_level KVM: x86/mmu: Handle guest page faults for guest_memfd with shared memory Fuad Tabba (17): KVM: Rename CONFIG_KVM_PRIVATE_MEM to CONFIG_KVM_GMEM KVM: Rename CONFIG_KVM_GENERIC_PRIVATE_MEM to CONFIG_KVM_GENERIC_GMEM_POPULATE KVM: Introduce kvm_arch_supports_gmem() KVM: x86: Introduce kvm->arch.supports_gmem KVM: Rename kvm_slot_can_be_private() to kvm_slot_has_gmem() KVM: Fix comments that refer to slots_lock KVM: Fix comment that refers to kvm uapi header path KVM: guest_memfd: Allow host to map guest_memfd pages KVM: guest_memfd: Track guest_memfd mmap support in memslot KVM: x86: Enable guest_memfd mmap for default VM type KVM: arm64: Refactor user_mem_abort() KVM: arm64: Handle guest_memfd-backed guest page faults KVM: arm64: nv: Handle VNCR_EL2-triggered faults backed by guest_memfd KVM: arm64: Enable host mapping of shared guest_memfd memory KVM: Introduce the KVM capability KVM_CAP_GMEM_MMAP KVM: selftests: Do not use hardcoded page sizes in guest_memfd test KVM: selftests: guest_memfd mmap() test when mmap is supported Documentation/virt/kvm/api.rst | 9 + arch/arm64/include/asm/kvm_host.h | 4 + arch/arm64/kvm/Kconfig | 2 + arch/arm64/kvm/mmu.c | 203 ++++++++++++----- arch/arm64/kvm/nested.c | 41 +++- arch/x86/include/asm/kvm-x86-ops.h | 2 +- arch/x86/include/asm/kvm_host.h | 18 +- arch/x86/kvm/Kconfig | 7 +- arch/x86/kvm/mmu/mmu.c | 114 ++++++---- arch/x86/kvm/svm/sev.c | 12 +- arch/x86/kvm/svm/svm.c | 3 +- arch/x86/kvm/svm/svm.h | 4 +- arch/x86/kvm/vmx/main.c | 6 +- arch/x86/kvm/vmx/tdx.c | 6 +- arch/x86/kvm/vmx/x86_ops.h | 2 +- arch/x86/kvm/x86.c | 5 +- include/linux/kvm_host.h | 64 +++++- include/uapi/linux/kvm.h | 2 + tools/testing/selftests/kvm/Makefile.kvm | 1 + .../testing/selftests/kvm/guest_memfd_test.c | 208 +++++++++++++++--- virt/kvm/Kconfig | 14 +- virt/kvm/Makefile.kvm | 2 +- virt/kvm/guest_memfd.c | 96 +++++++- virt/kvm/kvm_main.c | 14 +- virt/kvm/kvm_mm.h | 4 +- 25 files changed, 664 insertions(+), 179 deletions(-) base-commit: 347e9f5043c89695b01e66b3ed111755afcf1911 -- 2.50.0.727.gbf7dc18ff4-goog